On December 21, 2017, the Federal Energy Regulatory Commission (“FERC”) issued a Notice of Proposed Rulemaking (“NOPR”) aimed at expanding mandatory reporting obligations in relation to cybersecurity incidents. In particular, FERC’s NOPR would direct the North American Electric Reliability Corporation (“NERC”) to develop modifications to certain Critical Infrastructure Protection (“CIP”) Reliability Standards so that those standards require mandatory reporting of cybersecurity incidents that compromise or attempt to compromise a responsible entity’s Electronic Security Perimeter (“ESP”) or associated Electronic Access Control or Monitoring Systems.
Currently, the CIP Reliability Standards require cybersecurity incidents to be reported only if they have actually disrupted one or more reliability tasks, so unsuccessful attempts to penetrate an ESP – or successful attempts that do not disrupt reliability tasks – would not need to be reported. FERC’s staff noted in the presentation of the NOPR that the existing reporting threshold for cybersecurity incidents “may understate the true scope of cyber-related threats facing the bulk electric system,” citing the fact that there were zero reported cybersecurity incidents in either 2015 or 2016 under the current reporting requirements. This lack of reported cybersecurity incidents stands in contrast with the 59 cybersecurity incidents within the Energy Sector to which the Department of Homeland Security responded in 2016 alone.
In addition to broadening the scope of the mandatory reporting requirements, the NOPR seeks to improve the quality of the reports themselves by specifying the information that cybersecurity incident reports must include, in an effort to facilitate comparative analysis. NERC would also be required to file with FERC an anonymized, aggregated annual public summary of the reports.
Comments on the NOPR must be filed with FERC within 60 days after it is published in the Federal Register.