By Tom Kleckner
ERCOT is seeking more time to hash out the details around a Nodal Protocol revision request that would establish notification responsibilities for the grid operator and its market participants during cybersecurity incidents.
During a workshop Tuesday, ERCOT staff said they will ask stakeholders to table NPRR928 in order to allow more time for comments on the proposal, which outlines a process for market participants to notify the grid operator about cybersecurity incidents. ERCOT is seeking to increase its awareness about the vulnerabilities of third-party systems that interact with its own systems, with an eye toward preventing interruptions to the grid.
A second workshop on the rule change will be scheduled in August or September, staff said.
ERCOT defines a cybersecurity incident as a malicious or suspicious act that “compromises or disrupts” a computer network or system belonging to ERCOT, a market participant or its agent that transacts with the grid operator that “could foreseeably jeopardize the reliability or integrity of the ERCOT system or … market operations.”
“Does an incident compromise or disrupt? Does it jeopardize the reliability or integrity of ERCOT systems or market operations?” Senior Corporate Counsel Brandon Gleason said. “We’re interested in things that are going to have an impact on something. ERCOT’s perspective is we want to know actual events that are occurring and have the potential to impact others.”
“We’re interested in anyone who has access into our system,” General Counsel Chad Seeley said. “We’ve tried to capture every access point into the system.”
Staff said that while ERCOT shares information with various government oversight groups “depending on the nature of the event,” it has no legal requirement to report cyber incidents as they are occurring.
Under NPRR928, the grid operator would send market notices, if necessary, to alert the market to an incident and actions being taken, while also disclosing the identity of any law enforcement agency notified about the event.
The protocol change will help cover those market participants that are not NERC registered entities. ERCOT has 939 market participants, less than 25% of which (191) are registered with NERC and subject to its reliability standards, including CIP-008.
Non-registered entities “don’t have reliability nexuses, but they do have market nexuses,” Gleason said.
FERC on June 20 approved a new NERC cybersecurity rule that expands reporting requirements beyond just those incidents that actually compromise or disrupt reliability tasks on the bulk electric system.
CIP-008-6 now requires NERC entities to report any incidents that compromise, or attempt to compromise, electronic security perimeters, electronic access control or monitoring systems, or physical security perimeters associated with high- and medium-impact BES cyber systems and attempts to disrupt operation of a BES cyber system. (See FERC OKs Cyber Reporting Rule.)
In Texas, the state’s Public Utility Commission, Department of Public Safety, Department of Information Resources and Cybersecurity Council all have cybersecurity oversight over ERCOT. At the federal level, oversight agencies include the departments of Homeland Security, Justice and Energy, the FBI, and FERC, in addition to NERC and others.
The Texas Legislature recently passed three cybersecurity-related bills, none of which affected NPRR928:
- Senate Bill 64, effective Sept. 1, directs the PUC to establish a program to monitor utilities’ cybersecurity efforts that provide guidance on best practices and facilitate the sharing of information between utilities. It also requires ERCOT to conduct an internal cybersecurity risk assessment and submit an annual compliance report to the PUC.
- SB 475, effective immediately, establishes the Texas Electric Grid Security Council to facilitate the creation, aggregation, coordination and dissemination of best security practices. It is composed of the PUC chair, ERCOT CEO and Texas governor (or designated representative).
- SB 936, effective Sept. 1, requires the PUC to engage a cybersecurity monitor to manage outreach, research, develop and facilitate best practices and training, review voluntary self-assessments, and report back to the commission on preparedness.