The Federal Energy Regulatory Commission (FERC) detailed its “efforts to address cybersecurity challenges facing the nation’s energy infrastructure.” This has been one of FERC’s ongoing priorities. Several organizational changes were detailed that are intended to help FERC better focus its resources on the “quickly evolving cyber challenges including creation of a new security-focused group within the Office of Energy Projects’ Division of Dam Safety and Inspections. The group will address cyber, as well as physical, security concerns at jurisdictional hydropower facilities.”
FERC Chairman Neil Chatterjee announced that FERC’s Office of Electric Reliability would realign “its functions to establish one division focused exclusively on cybersecurity.”
· “Maintaining technical expertise, mentoring, and performing as team leaders for analyses and resolution of cyber and physical security issues for the Commission’s Dam Safety Program.
· “Performing special security inspections, both physical and cyber, and participating as an evaluator during security exercises.
· “Conducting surveys and risk analyses to assess security needs, identifying and assessing the degree of vulnerability, and ensuring that selected protection measures are implemented effectively.”
“At FERC, we are charged with overseeing the development and enforcement of cybersecurity standards for the nation’s high-voltage transmission system and jurisdictional hydroelectric facilities,” Chatterjee said. “These two developments will help FERC staff more efficiently focus its efforts on cybersecurity. This new security group in OEP and the realignment in OER will consolidate the cybersecurity staff into a division that focuses solely on cyber.”
The FERC staff “identified five areas where Commission staff will strategically and collectively focus efforts to address critical cybersecurity challenges. The five focus areas are:
- “Supply Chain/Insider Threat/Third-Party Authorized Access;
- “Industry access to timely information on threats and vulnerabilities;
- “Cloud/Managed Security Service Providers;
- “Adequacy of security controls; and
- “Internal network monitoring and detection.”
FERC also detailed outreach activities and initiatives they intend to prioritize next year. “In particular, staff will closely monitor supply chain security implementation and the industry’s adoption of new technologies and services to address cyber infrastructure implementation, maintenance and/or management. In addition, the Office of Energy Infrastructure Security continues to build on its existing outreach initiatives, including offering voluntary network architecture assessments and the Office of Electric Reliability will continue to conduct and participate in audits.”