Today the Federal Energy Regulatory Commission (FERC)
published a notice of proposed rulemaking (NPRM) in the Federal Register (82 FR
61499-61505) proposing to require the North American Electric Reliability
Corporation (NERC) to improve mandatory reporting of Cyber Security Incidents,
including incidents that might facilitate subsequent efforts to harm the
reliable operation of the bulk electric system.
New Reporting Requirements
Because FERC regulates the bulk electric system through NERC, which writes and
enforces the actual standards, this NPRM does not include any regulatory
language of its own. Instead it proposes to require NERC to develop changes to
the Critical Infrastructure Protection (CIP) Reliability Standards, specifically
CIP-008-5.
This NPRM proposes that FERC would direct NERC to modify the CIP Reliability
Standards to:
• Include the mandatory reporting of Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity's Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring System (EACMS);
• Specify the required content in a Cyber Security Incident report;
• Establish requirements outlining deadlines for filing a report once a compromise or disruption to reliable bulk electric system operation, or an attempted compromise or disruption, is identified by a responsible entity; and
• Require that the reports submitted under the enhanced mandatory reporting requirements be provided to E-ISAC, similar to the current reporting scheme, as well as to ICS-CERT.
Public Comments
FERC is soliciting public comments on this NPRM. Comments
may be submitted via the FERC eFiling page
(registration required). Comments should be filed by February 26th,
2018.
Commentary
The FERC/NERC relationship is more than a little odd as
compared to the rest of the federal government. Readers who work in and/or
around the bulk electrical system are probably used to this, but for a relative
outsider like myself, the quirks of the rulemaking process are just a tad byzantine.
For example, the notice states that: “the
Commission certifies that this Notice of Proposed Rulemaking will not have a
significant economic impact on a substantial number of small entities”. They
can get away with saying that because, technically, the NPRM will only affect
NERC; nobody else will have to take any action because of this rulemaking. Of
course, once NERC modifies CIP-008-5, a great many other folks (including some
number of ‘small entities’) will have to change the way they operate,
but that is years down the road.
One of the interesting aspects of this NPRM is that it uses
the FY 2016 ICS-CERT Year in Review as part of the justification for the
increased reporting requirements. Apparently in 2016 NERC reported that there
were no cybersecurity incidents reported to it, while ICS-CERT reported
investigating 59 incidents in the ‘Energy Sector’ (which may or may not have,
but probably did, include entities in the bulk electric system).
As I pointed out in a blog post about that report (and in numerous other posts
over the years), there is a problem with the ICS-CERT incident reporting
numbers: they are based upon a non-existent (but apparently very broad)
definition of the term ‘incident’. This problem is not unique to ICS-CERT, and
it is actually addressed in this NPRM.
After discussing the issue, FERC would add a new term, ‘reportable
cybersecurity incident’. Unfortunately, the NPRM does not contain a specific
definition of the term. Rather, it generally describes the issue by stating:
“we believe it is reasonable to establish the compromise of, or attempt to
compromise, an ESP or its associated EACMS as the minimum reporting threshold”.
Because the NERC CIPs are, in effect, the regulations that this NPRM is
attempting to modify, we will have to wait and see what definition NERC
establishes for the ‘reportable cybersecurity incident’ terminology.
One requirement that is not explicitly explained in the NPRM
is why FERC wants ICS-CERT to be included as a recipient of any cybersecurity
incident report. While I completely agree (and have advocated such reporting
requirements for other sectors as well), it would have been helpful for FERC
to spell out its reasoning. For me, the inclusion of ICS-CERT would help to
ensure that compromises of control system components (including software and
firmware) that are also used in other sectors are shared with those sectors. I
suspect that FERC's reasoning is similar, but it would have been helpful to
have this stated explicitly.