By Rich Heidorn Jr.
FERC on Thursday expanded NERC’s cyber incident reporting requirements, closing what it said was a gap in the critical infrastructure protection (CIP) reliability standards.
The new standard, CIP-008-6 (Cyber Security – Incident Reporting and Response Planning), revises the definitions of “cybersecurity incident” and “reportable cybersecurity incident.”
It requires reporting of incidents — now classified as “cybersecurity incidents” — that compromise, or attempt to compromise, electronic security perimeters (ESP), electronic access control or monitoring systems (EACMS) or physical security perimeters associated with high- and medium-impact bulk electric system (BES) cyber systems, as well as attempts to disrupt operation of a BES cyber system (RD19-3).
A “reportable cybersecurity incident” refers to an action that actually compromises or disrupts one or more reliability tasks on the BES.
The new standard is a response to a July 2018 FERC ruling in which the commission criticized the existing reporting threshold, which only required reporting cyber incidents that have “compromised or disrupted one or more reliability tasks.” Noting that NERC did not identify any reportable incidents in 2015 and 2016, FERC said the threshold understated the risks and could lead to bigger, more successful attacks. (See FERC Orders Expanded Cybersecurity Reporting.)
The new rule would require, for example, reporting on malware installed on a BES cyber system that performs one or more reliability tasks even if the system still operates.
The rule will apply to EACMS that perform authentication; monitoring and logging; access control; interactive remote access; and alerting.
It also specifies the minimum information that must be reported: the functional impact that the incident achieved or attempted to achieve, the attack vector used and the achieved or attempted level of intrusion.
The reports will be sent to the Electricity Information Sharing and Analysis Center (E-ISAC) and the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
Initial reports must be made within one hour of the responsible entity’s determination of a “reportable cybersecurity incident” and by the end of the next calendar day after determination of an attempt to compromise a BES cyber system, an ESP or an EACMS — or a “cybersecurity incident.”
FERC Chair Neil Chatterjee praised NERC’s speed in revising the standard and noted that no comments were filed in opposition.
Commissioner Cheryl LaFleur said the increased requirements will allow entities to learn from near misses and help the commission “identify emerging issues where we may need to enhance” standards.
“There is a well-documented statistical relationship — documented first as a safety pyramid in the industrial safety area, but applied to reliability in all kinds of industrial systems — between near misses and actual events. So, it’s very important that we learn from experience,” she said. “The expanded reporting will promote a culture of attention to cybersecurity, including all the details that make a network secure.”
Commissioner Bernard McNamee said cybersecurity “is so important that it has yet to be politicized in this town.”
“[It] is clear that everybody realizes that there are real threats out there [and] that industry and government … need to work together, and that constant vigilance is important to ensuring the security of our grid,” he said.
FERC estimated that 288 of the 1,414 unique NERC registered entities as of May 24, 2019, will be affected by the increased reporting requirements.
Single Points of Failure
The commission also issued a Notice of Proposed Rulemaking to adopt reliability standard TPL-001-5 (Transmission System Planning Performance Requirements), NERC’s proposal for addressing single points of failure of protection systems. It also responds to the commission’s directives on planned maintenance outages and stability analyses for spare equipment (RM19-10).
But the NOPR also would direct NERC to modify the standard to require corrective action plans for protection system single points of failure in combination with a three-phase fault if planning studies indicate the potential for cascading outages.
NERC’s proposal would require planning authorities and transmission planners to perform annual planning assessments considering a variety of system conditions and contingencies. For scenarios considered likely, known as “planning events,” the planning entity must develop a corrective action plan if it determines its system would experience performance issues. For scenarios considered to be less likely that could result in severe impacts such as cascading outages (“extreme events”), the planning entity must conduct an analysis to understand the potential impacts and identify potential mitigation measures.
FERC said the proposed standard will require more comprehensive study of the potential impacts of protection system single points of failure — nonredundant components of a protection system whose failure would affect normal clearing of faults.
“In particular, the modifications reflected in proposed reliability standard TPL-001-5 address the commission’s concern that the exclusion of known outages of less than six months in currently effective reliability standard TPL-001-4 could result in outages of significant facilities not being studied,” the commission said.
Not Extreme?
But the commission disagreed with NERC’s categorization of protection system single points of failure in combination with a three-phase fault as an “extreme event” that only requires study and not a corrective action plan. The NOPR would direct NERC to modify the standard to require corrective action plans for such events if planning studies indicate the potential for cascading.
NERC told FERC that its review of more than 12,000 protection system misoperations since 2011 showed that only 28 involved three-phase faults (10 breakers that failed to operate and 18 breakers that were slow to operate). NERC said none of the 10 failure-to-trip scenarios resulted in events that required reporting.
FERC, however, said the 10 incidents average to about one event every eight months. “Although we recognize that three-phase faults constitute a relatively small subset of all protection system operations, under the following measure of one protection system single point of failure every eight months, the occurrence of three-phase faults with misoperations could reasonably be viewed as regular occurrences.
“Based on the present record, it is unclear whether such contingencies are as rare as NERC maintains,” FERC continued. It cited a 2009 NERC Industry Advisory on three system disturbances over five years that were initiated by a protection system single point of failure in combination with a single-line-to-ground fault. “According to the Industry Advisory and supporting documentation, all three events evolved into either a multiphase fault or a three-phase fault with cascading,” FERC said.
It also cited a 2012 informational filing in which NERC “reported that it is not uncommon for a single-line-to-ground fault to evolve into a multiphase fault and … stated that studies solely on single-line-to-ground faults may understate the reliability risk of single points of failure of protection systems.”
The commission said the first draft of proposed standard TPL-001-5 included a requirement that would have addressed protection system single points of failure in combination with a three-phase fault, but that the proposal was dropped because the team said, “industry comments . . . were particularly negative.”
The order noted a disagreement over whether mitigation measures addressing the issue could be costly.
“While we are aware of the potential for increased cost under this proposal, we understand that there are likely cost-effective actions. … For example, a corrective action plan … could add a redundant lockout relay in the control circuitry of a protection system, which would eliminate occurrence of those events reported in the 2009 NERC Industry Advisory. As another option, an entity could add control center monitoring and reporting functions to a DC battery bank or to a communication system of a communication-aided protection scheme so that system operators are aware of their failure.”
The commission asked for comments on the issue. Comments will be due 60 days after publication in the Federal Register.