By Rich Heidorn Jr.
FERC on Thursday ordered expanded reporting of cybersecurity incidents, saying attempts not currently reported could lead to bigger, more successful attacks.
The commission gave NERC six months to revise its critical infrastructure protection (CIP) reliability standards to mandate reporting of incidents that compromise, or attempt to compromise, a responsible entity’s electronic security perimeter (ESP) or associated electronic access control or monitoring systems (EACMS) (RM18-2).
FERC said the new rules will improve threat awareness by covering the installation of malware and other “incidents that might facilitate subsequent efforts to harm the reliable operation of the [bulk electric system].”
Under the current CIP-008-5 (Cyber Security – Incident Reporting and Response Planning), incidents must be reported only if they “compromised or disrupted one or more reliability tasks.”
The final rule adopts the Notice of Proposed Rulemaking the commission issued in December, which concluded that “the current reporting threshold may understate the true scope of cyber-related threats facing the bulk power system, particularly given the lack of any reportable incidents in 2015 and 2016.” (See FERC Orders Tightened Cyber Reporting Rules.)
The commission’s order also calls for standardizing cybersecurity incident reports to improve the quality of reporting and allow easier comparisons and analyses. The reports will require information on the impact, or intended impact, of the intrusion; the attack “vector” used; and the level of intrusion achieved or attempted.
In addition to being sent to the Department of Energy’s Electricity Information Sharing and Analysis Center (E-ISAC), as they are now, the reports will also be distributed to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). NERC will be required to file an annual report with the commission with anonymized summaries of the reports.
Seeking Balance
In its 2017 State of Reliability Report, NERC recommended redefining reportable incidents “to be more granular and include zero-consequence incidents that might be precursors to something more serious.” Although NERC received no reports of cybersecurity incidents during 2016, it noted that DOE’s Electric Disturbance Reporting Form OE-417 included two suspected cyberattacks and two actual attacks for the same period and that ICS-CERT responded to 59 cybersecurity incidents in the energy sector in 2016.
“Our directive is intended to result in a measured broadening of the existing reporting requirement in reliability standard CIP-008-5, consistent with NERC’s recommendation, rather than a wholesale change in cyber incident reporting that supplants or otherwise chills voluntary reporting, as some commenters maintain,” the commission wrote. “Indeed, as NERC contends, we believe that the new ‘baseline understanding, coupled with the additional context from voluntary reports received by the E-ISAC, [will] allow NERC and the E-ISAC to share that information broadly through the electric industry to better prepare entities to protect their critical infrastructure.’”
The ESP is defined by NERC as the “logical border surrounding a network to which BES cyber systems are connected using a routable protocol.” EACMS include firewalls, authentication servers, security event monitoring systems, intrusion detection systems and alerting systems.
“Since responsible entities are already required to monitor and log system activity under reliability standard CIP-007-6, the incremental burden of reporting of the compromise or attempted compromise of an EACMS that performs the identified functions should be limited, especially when compared to the benefit of the enhanced situational awareness that such reporting will provide,” the commission said.
Report Preferable to Data Request
The commission concluded a reporting requirement is preferable to a “perpetual” data request to collect the same information, saying it is “more aligned with the seriousness and magnitude of the current threat environment, and more likely to improve awareness of existing and future cybersecurity threats and potential vulnerabilities.”
It noted that “the commission will have the ability to review and ultimately approve the standard, as opposed to the opportunity for informal review that the commission would have of a data request.”
Timelines
The commission told NERC that it should consider the threat posed by attacks in developing its reporting thresholds and timelines.
“Higher risk incidents, such as detecting malware within the ESP and associated EACMS or an incident that disrupted one or more reliability tasks, could trigger the report to be submitted to the E-ISAC and ICS-CERT within a more urgent time frame, such as within one hour, similar to the current reporting deadline in reliability standard CIP-008-5. For lower risk incidents, such as the detection of attempts at unauthorized access to the responsible entity’s ESP or associated EACMS, an initial reporting time frame between eight and 24 hours would provide an early indication of potential cyberattacks. For situations where a responsible entity identifies other suspicious activity associated with an ESP or associated EACMS, a monthly report could, as NERC states, assist in the analysis of trends in activity over time.”
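To make the tiered timelines and the standardized report fields concrete, here is an added triage helper (example code, not part of the article or any NERC, FERC or E-ISAC tool). The event fields, tier names, the 24-hour figure chosen from the 8-to-24-hour range, and the sample events are all constructed assumptions.

```python
"""Triage modelled on the tiered reporting timelines in RM18-2. Added example;
event fields, tier names and sample events are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Initial reporting window per tier: one hour for higher-risk incidents, 8 to 24
# hours (24 assumed here) for detected access attempts, monthly for other activity.
WINDOWS = {"high": timedelta(hours=1), "low": timedelta(hours=24),
           "monthly": timedelta(days=30)}
ACHIEVED = ("malware", "task_disrupted")   # outcomes where the intrusion succeeded
IMPACT = {"malware": "malware present inside ESP/EACMS",
          "task_disrupted": "one or more reliability tasks disrupted",
          "access_attempt": "none; unauthorized access attempt did not succeed",
          "suspicious": "none observed; activity under analysis"}

@dataclass
class Event:
    asset: str         # "ESP" or "EACMS" (firewall, auth server, IDS, SIEM)
    outcome: str       # one of the IMPACT keys
    vector: str        # e.g. "phishing", "vpn_brute_force", "removable_media"
    detected: datetime

def classify(ev: Event) -> str:
    """Map an ESP/EACMS event to a reporting tier; anything else is out of scope."""
    if ev.asset not in ("ESP", "EACMS") or ev.outcome not in IMPACT:
        raise ValueError(f"out of scope for CIP-008 reporting: {ev}")
    if ev.outcome in ACHIEVED:
        return "high"
    return "low" if ev.outcome == "access_attempt" else "monthly"

def build_report(ev: Event) -> dict:
    """Standardized record: impact (or intended impact), attack vector, level of
    intrusion achieved or attempted, deadline, and both recipients."""
    tier = classify(ev)
    return {"tier": tier, "asset": ev.asset, "impact": IMPACT[ev.outcome],
            "vector": ev.vector,
            "intrusion_level": "achieved" if ev.outcome in ACHIEVED else "attempted",
            "report_by": (ev.detected + WINDOWS[tier]).isoformat(),
            "recipients": ("E-ISAC", "ICS-CERT")}

# Constructed sample events: a blocked VPN brute force against an EACMS, malware
# found on a host inside the ESP, and a port scan noted for the monthly roll-up.
T0 = datetime(2018, 7, 19, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [Event("EACMS", "access_attempt", "vpn_brute_force", T0),
                 Event("ESP", "malware", "removable_media", T0),
                 Event("EACMS", "suspicious", "port_scan", T0)]

def triage(events=SAMPLE_EVENTS) -> list:
    """Return the reports ordered so the most urgent deadline comes first."""
    return sorted((build_report(e) for e in events), key=lambda r: r["report_by"])
```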
Top Challenge
Commissioner Neil Chatterjee said protecting the grid from cybersecurity threats is one of FERC’s top challenges. “Both the Department of Homeland Security and Federal Bureau of Investigation have issued multiple public reports describing intrusion campaigns by Russian government cyber actors against our critical infrastructure, including the electric grid,” he said in a statement. “While thankfully none of these intrusions have resulted in an actual power outage, they do represent an unsettling uptick in attempts to undermine America’s critical infrastructure systems.”
“Cyber threats to the bulk power system are ever changing, and they are a matter that commands constant vigilance,” added Chairman Kevin McIntyre.
Split Ruling on NERC Rules of Procedure
In a separate order, FERC also approved in part and denied in part NERC’s proposed revisions to its Rules of Procedure (RR17-6).
The commission approved NERC’s proposed revisions to Section 900 to clarify the scope and governance structure of its training and continuing education programs.
But it ordered NERC to restore sections of its personnel certification rules that the safety organization had proposed for deletion from Section 300. The commission said it disagreed with NERC’s contention that the sections, pertaining to procedures for suspending an operator’s certification, dispute resolution and disciplinary action, were “programmatic detail” that can be transferred to NERC manuals.
“If these provisions were removed from the NERC Rules of Procedure and remain only in a NERC manual, they would be subject to further change with minimal, if any, stakeholder input and without commission review,” FERC said. “This is not appropriate because changes in the provisions for suspension, dispute resolution or disciplinary actions could have a significant impact on a stakeholder’s or individual’s rights and obligations.”