FERC Requires New NERC Reliability Standards for Reporting Cyber Incidents

Robinson+Cole Data Privacy + Security Insider

The Federal Energy Regulatory Commission (FERC) announced on July 19, 2018, that it is directing the North American Electric Reliability Corporation (NERC) “to develop and submit modifications to the NERC Reliability Standards to augment the mandatory reporting of cybersecurity incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the bulk electric system (BES).”

The rule will become effective 60 days after it is published in the Federal Register.

The 64-page Final Rule requires NERC to develop and submit modifications to the Reliability Standards to require the reporting of cybersecurity incidents “that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS).” Presently, reporting entities are only required to report cyber incidents that have “compromised or disrupted one or more reliability tasks.” The change is to “improve awareness of existing and future cybersecurity threats and potential vulnerabilities.”

The Final Rule consists of “four elements intended to augment” the current reporting requirements:

  1. “Responsible entities must report cybersecurity incidents that compromise, or attempt to compromise, a responsible entity’s ESP or associated EACMS;
  2. Required information in cybersecurity incident reports should include certain minimum information to improve the quality of reporting and allow for ease of comparison by ensuring that each report includes specified fields of information;
  3. Filing deadlines for cybersecurity incident reports should be established once a compromise or disruption to reliable BES operation, or an attempted compromise or disruption, is identified by a responsible entity; and
  4. Cybersecurity incident reports should continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC), rather than the Commission, but the reports should also be sent to the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).”

The Final Rule also requires NERC to file an annual, public, and anonymized summary of the reports filed by entities with the Commission.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
