Cybersecurity

FERC bumps up cyber reporting for utilities


The Federal Energy Regulatory Commission has ordered the group that ensures the safety and reliability of North American power grids to tighten up rules for power companies' cybersecurity incident reporting.

Under FERC's final rule issued on July 19, the North American Electric Reliability Corporation (NERC) will require reporting of cyber-intrusions that bump up against electrical providers' perimeter cyber defenses or associated Electronic Access Control or Monitoring Systems, but don't actually get into providers' primary systems.

Current rules for electrical providers require reporting cyber incidents only if they have actually compromised or disrupted "one or more reliability tasks" at provider facilities. The new rule extends reporting to attempted intrusions, on the grounds that such attempts could be precursors of future incursions.

The rule would require providers to send reports to the Electricity Information Sharing and Analysis Center, as well as the Department of Homeland Security's Industrial Control Emergency Response Team. It would also require NERC to file an annual, anonymized summary of the incident reports with FERC.

FERC said it believes current threshold reporting requirements can understate the scope of the threat to bulk power systems. According to the agency, that understatement may have been reinforced because there were no reportable incidents in 2015 and 2016.

FERC Commissioner Neil Chatterjee said reports from federal law enforcement describing Russian government-backed cyber campaigns "represent an unsettling uptick in attempts to undermine America’s critical infrastructure systems."

FERC began drafting the new reporting requirements with a notice of proposed rulemaking last December. NERC has six months to develop and submit the modifications to its standards.

Chatterjee said he supported the new rule because it provides NERC with flexibility to work with industry "to ensure that it and DHS receive the timely, accurate, and actionable information they need without dictating an overly prescriptive and burdensome approach."

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.
