Earlier this week the DOE’s Federal Energy Regulatory Commission published an order (final rule) on their web site (it will become official when published, probably next week, in the Federal Register) directing the North American Electric Reliability Corporation (NERC) “to develop and submit modifications to the NERC Reliability Standards to augment the mandatory reporting of Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the bulk electric system (BES).” The notice of proposed rulemaking for this order was published in December of last year.
I am not going to go into a great deal of detail about this rule here; the complex relationships between FERC, NERC and the electric grid are just a little too byzantine for my simple mind to understand. The interesting takeaway here for the rest of the control system security community is that the new rules to be written by NERC will expand ‘Cyber Security Incidents’ (capitalized and not hyphenated in FERC-speak) to include some sort of measure of near misses, and they will include a requirement to notify ICS-CERT of those incidents in addition to the current requirement to notify the Electricity Information Sharing and Analysis Center (E-ISAC).
Expanded Definition
Currently the NERC Reliability Standard CIP-008-05 requires the reporting of Cyber Security Incidents only if they have “compromised or disrupted one or more reliability tasks.” While such incidents are certainly worth reporting, this leaves a whole slew of potential preparatory ‘attacks’ and compromises outside of the mandatory reporting structure and completely ignores the salutary effects of sharing information about ‘near misses’ or almost successful attacks.
With this order NERC will be required to recraft CIP-008 to include “Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity’s [Electronic Security Perimeter] ESP or associated [Electronic Access Control or Monitoring Systems] EACMS” in the reporting requirements.
ICS-CERT
The NPRM noted that DOE recorded only two Cybersecurity Incident Reports in 2015/2016, while in the same time frame the DHS ICS-CERT responded to 125 cybersecurity incidents in 2014/2015. Ignoring the whole apples and rocks comparison here, it becomes apparent that some sort of reporting to ICS-CERT is already underway. The FERC order would formalize that and make it a reporting requirement.
Commentary
The expansion of the reporting requirements for Cyber Security Incidents (and I AM NOT going to do another ‘CSI’ acronym; can’t do it, sorry) cannot help but be a good thing; except….
Okay, we have no idea how many new reports this requirement will generate. IF the industry complies with the intent of the rule (an open question), the number of reports could be quite large. Does NERC (who owns E-ISAC) have enough analysts to review, catalogue, cross-reference, and then deduce attack information from such submissions, and then produce properly anonymized information to share with the remainder of the community in a timely manner? Because of the lack of a reasonable estimate of the potential number of reports, and the apparently expanding interest in probing/compromising the grid, I suspect not.
Then there is the whole issue of the quality of information that will be submitted to E-ISAC. Obviously, the more complete the information, particularly on attempted attacks, the easier it will be for E-ISAC to establish actionable information to share with the other E-ISAC members; poor quality or inaccurate information means the information ultimately shared is less useful and potentially even counter-productive.
That leads to the question of who will train facility control system engineers to recognize, isolate and document cyber-attacks. Oh, sorry, control system engineers will not be doing that; it will be the Security Operations Center with its staff of forensically trained experts. I forgot that those existed at each facility in the Bulk Electric System (SIGH).
Actually, I suspect that this is the reason that the Order includes a requirement to report to ICS-CERT. I do not expect (that is my guess, I certainly do not know) that E-ISAC has fly-away teams of control system experts to investigate these incidents. That is not a complaint; it is just not what one should probably expect from any ISAC.
The problem that arises from this is: has anyone looked at the capability of ICS-CERT to expand the operations of its fly-away teams to respond to an increasing number of incidents? Who is going to pay for the additional costs of the investigations of the new reports? FERC has no control of ICS-CERT, either directly or through the DOE, so is there a memorandum of understanding between the two organizations about how ICS-CERT is supposed to respond to these newly required reports?
All sorts of interesting questions are being raised by this relatively simple final rule, but I will ask just one more (really): how are the Critical Electrical Infrastructure Information (CEII) regulations going to affect the information submitted by owners to ICS-CERT? Owners can request that sensitive security information submitted to FERC or NERC be protected by CEII disclosure rules, but not information directly submitted to ICS-CERT. Information submitted to ICS-CERT by NERC or FERC could be so protected, but there are no provisions for information submitted directly from the private sector to ICS-CERT. Another important quandary to be considered while stumbling down the road to information sharing.