FERC on Tuesday announced it has accepted NERC’s latest compliance filing from May, approving the changes it contained to NERC’s Rules of Procedure (ROP) regarding the organization’s use of All Points Bulletins (APB), and its clarification of NERC’s relationship with the Electricity Information Sharing and Analysis Center (E-ISAC). (RR19-7)
The commission ordered NERC’s compliance filing in January as a follow-up to NERC’s five-year performance review, attempting to address concerns about its information-sharing arrangement with the E-ISAC. (See FERC Orders Audits of All REs by 2023.) The changes to section 1003 of the ROP also pertain to the E-ISAC, requiring it to “share all APBs with [FERC] staff no later than at the time of issuance,” in accordance with FERC’s January order. (See NERC Clarifies Information Sharing, APBs in Compliance Filing.)
FERC’s order stemmed from NERC’s previous compliance filing in September 2020, which clarified various aspects of the APB process, including the threshold for sending the bulletins and procedures for approving them. (See NERC Files ROP Changes with FERC.) At the time, NERC said its current practice is to share APBs with FERC at the time of issuance, if not before, but the commission requested that NERC make that practice an explicit requirement.
E-ISAC Info Sharing Clarified
The rest of NERC’s compliance filing dealt with whether the E-ISAC violates registered entities’ confidentiality when sharing information with the ERO Enterprise to assist in standards development. Specifically, FERC ordered NERC to provide more clarity on its intention to use data provided by the E-ISAC in reliability gap analyses that would “determine whether any modifications to the CIP [Critical Infrastructure Protection] standards are necessary to address a security risk.”
NERC’s compliance filing in June 2020 claimed that E-ISAC personnel are generally prohibited from sharing any voluntarily reported information with non-ISAC staff at NERC, with limited exceptions. Anonymized and aggregated E-ISAC data — or data about specific companies that is publicly available through other avenues — may be used to inform development of reliability standards.
The May filing provided more detail about these information exchange procedures, along with information about their evolution. Since the information sharing was launched last year, physical and cyber security analysts from the E-ISAC have met every month with NERC’s reliability standards staff and CIP experts to discuss the “security threat landscape.” Discussions typically cover industry-wide security trends and threats or incidents from the previous month.
During these meetings, E-ISAC staff “take care to only share information consistent with the code of conduct,” such as anonymized and aggregated data.
Along with these meetings, the E-ISAC now regularly shares reports, APBs and other issuances with CIP standards development personnel; when this information concerns specific entities, it is subject to restrictions in the code of conduct. Data such as reports on specific threats or vulnerabilities “provided by [a] government partner or security vendor,” which does not concern specific entities, may also be provided.
NERC’s reliability standards development personnel use this information:
- to advise active standards drafting teams about emerging threats that they should try to address in their work;
- as data points for evaluating proposed changes to the CIP standards; and
- to evaluate the overall adequacy of the CIP standards to address “emerging security threats and vulnerabilities.”
FERC noted that “no adverse comments” were received in response to NERC’s compliance filing, though requests for rehearing may be filed with 30 days of issuance of the commission’s order. Barring outside intervention, Tuesday’s order “constitutes final agency action.”
