FERC proposes expanded mandatory reporting requirements for cybersecurity incidents

Published on December 26, 2017 by Kevin Randolph

The Federal Energy Regulatory Commission (FERC) recently issued a Notice of Proposed Rulemaking (NOPR) that would direct the North American Electric Reliability Corporation (NERC) to submit revisions to broaden mandatory reporting requirements for cybersecurity incidents.

The proposal would expand reporting requirements to include incidents that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter or associated Electronic Access Control or Monitoring Systems (EACMS).

The revised Critical Infrastructure Protection (CIP) Reliability Standard would also specify the information required in incident reports as well as establish a deadline for filing a report once a responsible entity identifies an incident.

The NOPR would also require that the reports be sent to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in addition to the Electricity Information Sharing and Analysis Center (E-ISAC), which would continue to receive them. It would also require NERC to file an annual, public and anonymized summary of the reports with FERC.

“Cybersecurity is critical to protecting the nation’s energy infrastructure, and we need to be vigilant and proactive in doing so,” FERC Chairman Kevin J. McIntyre said. “To that end, this proposal is an important part of improving our awareness of existing as well as future cybersecurity threats and potential vulnerabilities.”