FERC Approves Heightened Cyber Incident Reporting Standards
- Filter By Cybersecurity
On July 19, 2018, the Federal Energy Regulatory Commission (FERC) issued a final rule (Order No. 848) directing the North American Electric Reliability Corporation (NERC) to develop and submit modifications to NERC Reliability Standards related to Cyber Security Incident reporting. FERC recognized that, under the current Cyber Security Incident reporting Reliability Standard, incidents are only required to be reported if they have compromised or disrupted one or more reliability tasks. FERC issued Order No. 848 to strengthen Cyber Security Incident reporting requirements.
The Commission’s directive consists of four elements:
- Responsible entities must report Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter (ESP) or Electronic Access Control and Monitoring Systems (EACMS) associated with an ESP;
- Required information in Cyber Security Incident reports should include certain minimum information to improve the quality of reporting and allow for ease of comparison by ensuring that each report includes specified fields of information;
- The filing deadline for Cyber Security Incident reports should be established once a compromise or disruption to reliable BES operation, or an attempt to compromise or disrupt, is identified by a responsible entity; and
- Cyber Security Incident reports should continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC), rather than the Commission, but the reports should also be sent to DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Finally, NERC must file an annual, public, and anonymized summary of the reports with the Commission.
FERC also suggested that NERC develop a flexible reporting timeline that reflects the severity of a Cyber Security Incident to help address the administrative burden of reporting attempted compromises.
NERC is required to develop modifications to the Reliability Standards within six months. The final rule will take effect 60 days after publication in the Federal Register.
View FERC’s final rule here.