The Federal Energy Regulatory Commission (FERC) has been working to upgrade cyber security for the power grid, and on June 20 it announced that it had boosted cyber security for the nation’s bulk electric system. It did this “by expanding the reporting requirements for incidents involving attempts to compromise operation of the grid.” FERC reports that this helps to close “a gap in the prior Critical Infrastructure Protection Reliability Standards,” which had previously required groups to report only if an incident disrupted or compromised reliability tasks.
The North American Electric Reliability Corp. (NERC) had already been tasked by FERC to make changes to the “reporting of cyber security incidents out of concern that the existing standards may understate the true scope of threats by excluding from reporting incidents that could facilitate subsequent efforts to harm the reliable operation of the grid.”
FERC Chairman Neil Chatterjee said, “Defending our nation’s electric grid against cyber security threats is one of the Commission’s most pressing challenges. It is vital that we ensure that NERC and the Department of Homeland Security have all the information needed to understand the evolving threat landscape for industrial control systems.”
This new Critical Infrastructure Protection Reliability Standard will require reporting for incidents that “either compromise or attempt to compromise Electronic Security Perimeters, Electronic Access Control or Monitoring Systems, and Physical Security Perimeters associated cyber systems.” The new standard also covers “disruptions or attempts to disrupt the operation of a bulk electric system cyber system.”
The individual entities in charge of parts of the bulk power system will have to develop their own criteria for how they will identify attempts to “compromise a cyber asset and then apply those criteria during its cyber security incident identification process.” This is intended to give the entities some flexibility in the development of their criteria as it applies to their systems.
The new standards will also address “the information to be included in Cyber Security Incident reports, their dissemination, and deadlines for filing. Reports and updates will be sent to the Electricity Information Sharing and Analysis Center and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center.”
FERC said in its presentation of the changes that it believes the new standards will give it an “accurate picture of the rapidly changing cyber threat landscape.”