FERC expands reporting requirements for cybersecurity incidents
The Federal Energy Regulatory Commission (FERC) recently expanded the reporting requirements for cybersecurity incidents involving attempts to compromise the operation of the grid.
The new Critical Infrastructure Protection Reliability Standard CIP-008-6 (Cyber Security – Incident Reporting and Response Planning) requires the reporting of cybersecurity incidents that either compromise or attempt to compromise Electronic Security Perimeters, Electronic Access Control or Monitoring Systems and Physical Security Perimeters associated cyber systems. The new standard also includes disruptions or attempts to disrupt the operation of a bulk electric system cyber system.
The standard requires each responsible entity to establish criteria for identifying attempts to compromise a cyber asset and apply those criteria in its cybersecurity incident identification process. This approach provides entities the flexibility to develop criteria appropriate to their systems, FERC said.
The new standard also addresses the information to be included in Cyber Security Incident reports, their dissemination and deadlines for filing. It requires entities to send reports and updates to the Electricity Information Sharing and Analysis Center and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center.
“Defending our nation’s electric grid against cybersecurity threats is one of the Commission’s most pressing challenges,” FERC Chairman Neil Chatterjee said. “It is vital that we ensure that NERC and the Department of Homeland Security have all the information needed to understand the evolving threat landscape for industrial control systems.”
Previously, under the Critical Infrastructure Protection Reliability Standards, entities were only required to report incidents that compromised or disrupted one or more reliability tasks.
FERC previously directed the North American Electric Reliability Corporation (NERC) to enhance the reporting of cybersecurity incidents, citing concerns that existing standards may understate the scope of threats by excluding incidents from reporting that could facilitate subsequent efforts to harm the reliable operation of the grid.
