Current rules only require the reporting of a cyber incident if one or more reliability tasks have been disrupted or compromised. NERC will now develop rules that require incident reporting under significantly broader scenarios.
FERC Chairman Kevin J. McIntyre said the modified standard “will improve awareness of existing and future cybersecurity threats.”
The order directs NERC to update rules focused on incident reporting and response planning. The new rules would require a report if an entity’s Electronic Security Perimeter or an associated Electronic Access Control or Monitoring System (EACMS) is compromised, or if there is an attempt to compromise them.
The new rules also call for standardizing cybersecurity incident reports and sharing them with another agency. Each year, NERC will file a public and anonymized summary of the reports with FERC.
Incident reports will continue to be sent to the Electricity Information Sharing and Analysis Center and will be shared with the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team.
NERC will have some discretion in developing the reporting rules; FERC’s order directs it to “develop requirements based on the function of the EACMS and the nature of the attempted compromise or successful intrusion.”
NERC will also need to develop reporting timelines that correspond to the potential impact of an intrusion.
“Prioritizing incident reporting will allow responsible entities to devote resources to reporting the most significant Cyber Security Incidents faster than less significant events,” FERC said.
Thomas Popik, chairman and president of the Foundation for Resilient Societies, previously told Utility Dive in an interview that the low threshold for reporting cyber incidents is, in fact, “an enormous gap” that can lead to a false sense of security.
As the cyber threat to the grid becomes more widespread and persistent, regulators are rushing to make the power system as secure as possible. In April, FERC approved revisions to cybersecurity rules surrounding “transient electronic devices,” such as thumb drives and laptops.