Any new cyber incident reporting requirements for critical infrastructure must be carefully drafted to avoid overlap with existing regulations, NERC and the regional entities told the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) in comments submitted earlier this month.
The ERO Enterprise was responding to the request for information that CISA issued in September. The RFI was inspired by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), part of the omnibus spending bill passed by Congress and signed by President Biden in March.
CIRCIA requires entities in critical infrastructure sectors — including energy — to report relevant cyber incidents to CISA within 72 hours after they occur, as well as when they make a ransom payment to the perpetrators of a ransomware attack. (See Budget Mandates Cyber Reporting for Critical Infrastructure.)
But authority for defining which incidents are subject to reporting and which additional sectors, if any, are covered by the requirements, along with other details, is left to CISA’s director. The RFI said industry input would help to shape the agency’s final rule.
Worries Over Possible CIP Overlap
In their response, NERC and the REs pointed out that two of NERC’s reliability standards — CIP-008-6 (Cybersecurity — incident reporting and response planning) and CIP-003-8 (Cybersecurity — security management controls) — require reporting of cyber incidents by various electric industry stakeholders. These requirements are “similar to the reporting requirements set out in CIRCIA,” the ERO said, requiring coordination between NERC and CISA “to ensure harmonization” between the two regimes.
CIP-008-6 requires responsible entities to create cyber incident response plans that they will follow to detect and respond to events affecting cyber systems connected to higher-risk transmission and generation assets, along with control centers. These plans must include reporting of certain cyber incidents to both CISA and the Electricity Information Sharing and Analysis Center (E-ISAC). CIP-003-8 deals with lower-risk transmission and generation assets and similarly requires entities to have response plans that may include reporting incidents to the E-ISAC.
NERC and the REs expressed concern about potential inconsistencies between NERC and CISA’s requirements; for example, CISA’s reporting regulations might have a different timeline for reporting than NERC’s standards, and may require different information. To “avoid duplicative and inconsistent reporting requirements … that could hinder incident response,” the ERO asked that CISA work with NERC and the E-ISAC to ensure the final rule does not cause unneeded friction.
In addition, the ERO drew on its experience with the critical infrastructure protection (CIP) standards to give CISA some advice as it drafts its final rule. The organizations counseled CISA that it should take care in defining “covered cyber incident” and “substantial cyber incident,” as these will play a role in determining what incidents must be reported under the new rules. Care is needed, the ERO said, to ensure these reports produce enough actionable information.
“In developing its incident reporting requirements, the ERO Enterprise initially required entities to report only incidents that had operational impact. … Over the years, however, there were very few incidents reported,” the ERO said. “While receiving few reportable incidents is a positive insofar as it means that there were very few cyber incidents that had an impact on electric utility operations, it could also miss reporting on significant cyber activity, leaving industry unaware of emerging threats and vulnerabilities that have yet to have operational impact.”
While defining reportable incidents too narrowly may prevent the agency from gathering useful data, NERC and the REs said that making the definition too broad would likely result in the opposite problem, with CISA “inundated with reports” that require “significant effort to separate the noise from actionable information.”
Finally, the ERO suggested that CISA’s final rule include “a mechanism for sharing the reports submitted” with the E-ISAC and its counterparts in other critical infrastructure sectors. The organizations pointed out that ISACs are “uniquely positioned … to amplify CISA’s analysis throughout their respective sectors” because of their “established communication mechanisms and protocols.”
If privacy is an issue with sharing sensitive information, the ERO said that CISA can develop a process for either obtaining consent to share such information or removing identifiable data before it is shared.