The Federal Energy Regulatory Commission approved a revised and expanded cyber incident standard that creates broad, mandatory reporting requirements that could lead to exacting fines, overreporting, and significant increases in compliance costs.
The standard will require attention, coordination and planning by regulated utilities, generator owners, and generator operators of covered facilities.
Companies should quickly begin revamping their cybersecurity plans and retraining their response teams in order to be ready for the Jan. 1, 2021, effective date.
Report Hacking Attempts
The key distinction between the old and new standard is that utilities and other power producers will now have to report hacking attempts in addition to successful cybersecurity attacks.
FERC had previously directed the North American Electric Reliability Corp. (NERC) to develop a stronger standard because of fears that the previous one—focused only on successful attacks—understated the true scope of threats to the nation’s electric grid.
On June 20, FERC announced it was approving NERC’s new approach, called the Critical Infrastructure Protection Reliability Standard CIP-008-6 (Cyber Security – Incident Reporting and Response Planning).
The standard applies to facilities subject to mandatory NERC reliability standards. Those entities will have to report both compromises and “attempts” to compromise their cyber systems (technically, the Electronic Security Perimeters, Electronic Access Control or Monitoring Systems, and Physical Security Perimeters, and the cyber systems associated with them).
The leap from actual compromises to attempts to compromise is a vast one.
From our experience both in-house and representing energy companies, cyber “knocks at the door” can be daily occurrences. While companies and NERC (which handles the day-to-day grid reliability for FERC) have been in touch about examples of those attempts on a voluntary basis before, requiring mandatory reporting of every attempt is a significant change.
That is especially true when you consider the tight deadlines companies will have to meet in reporting incidents to NERC. Once a company determines that an incident has occurred, NERC will require it to report an attempt to compromise its systems by the end of the next calendar day, and an actual compromise within one hour.
FERC estimates the broader standard will impose one-time costs of nearly $1.2 million and take 14,400 hours of work across the system. It estimates the ongoing costs to be around $750,000 and 9,200 hours.
However, those estimates assume only 12 reports per entity each year, which raises questions about whether FERC will count the daily knocks at the door as attempts that trigger reporting. Regardless of FERC’s estimates, the impact is real and affected entities should prepare accordingly.
Time, Resources Needed to Comply
As FERC has increased its focus—and fines—related to cybersecurity in recent years, utilities and other power producers have implemented response programs. Nevertheless, despite past efforts and existing compliance processes, compliance with the expanded cybersecurity standard will require time and resources.
These cyber response programs vary in detail by company but often require executive and board oversight.
The programs identify different categories of “incidents” that require different levels of action by the information technology, legal, executive, and other departments for different levels of intrusion.
Most do not currently require every incident to rise to the level of a further review by the full executive team, but companies may change that now that many more incidents will require reporting and thus face NERC scrutiny.
NERC is providing companies some flexibility in how they define “incidents,” so a critical first step in revising cyber response plans is devising a clear demarcation line as to when you have “determined” an “incident” has taken place.
Who will make that initial determination? Who is the backup if that person is not immediately available? How will the entire response team work within the tighter deadlines? What process will companies set up to make sure they do not miss a required report? Those are a few of the important questions to answer and document in an updated plan.
From there, companies will need to religiously adhere to the demarcation line they set to avoid violating their own response plans and the new rule, which comes with potential penalties—penalties that based on other NERC settlements could be substantial.
Companies will also want to invest time retraining their response team, including running them through practice drills if possible.
In addition, companies should think through their current contracts and arrangements with vendors or customers, as applicable, to address increased compliance costs.
Big picture, the new standard creates an opportunity for companies to review their overall process for keeping up with evolving NERC standards, cyber or otherwise.
NERC standards tend to be living, breathing things that are updated frequently, even if it’s with more of a tweak than a wholesale change. The more routine and mapped out companies can make their process of tracking and adapting to those changes, the stronger position they will be in for the next change.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Ashley Cooper is a partner at Parker Poe and former chief compliance officer of a Fortune 500 energy company in South Carolina.
Jane Lewis-Raymond is an attorney and former chief compliance officer of a publicly traded energy company in North Carolina.