Recognizing the growing cyber threats facing the country's bulk electric system, the Federal Energy Regulatory Commission (the Commission) recently issued a rule that will increase the reporting requirements for those entities with assets that make up the nation's bulk electric system. In Order No. 848, issued on July 19, the Commission directs the North American Electric Reliability Corp. (NERC) to develop modifications to its Reliability Standards to expand mandatory reporting of cyber security incidents, including attempts that might facilitate subsequent efforts to harm reliable operation of the electric system.
NERC, the electric reliability organization for North America, has established mandatory Critical Infrastructure Protection (CIP) Reliability Standards designed to secure the cyber assets required for operating North America's bulk power system. Those requirements include Reliability Standard CIP-008-5 (Cyber Security — Incident Reporting and Response Planning), but those reporting requirements currently apply only for cyber incidents that "compromised or disrupted one or more reliability tasks." The Commission concluded that with such limited reporting requirements, the true scope of cyber-related threats facing the North America grid is understated.
There is wide recognition and numerous reports documenting the increasing frequency and complexity of these cyber security threats. For example, the National Cybersecurity and Communications Integration Center (NCCIC) recently outlined ongoing activity by Russian government actors characterized as:
a multi-stage intrusion campaign by  cyber actors who targeted small commercial facilities' networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).
Given its concern with the growing threats to the power grid, the Commission in Order No. 848 directs that NERC implement the following four changes to strengthen the current Cyber Security Incident reporting requirement: (1) each responsible entity must report Cyber Security Incidents that compromise, or attempt to compromise, that entity's Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS); (2) information in Cyber Security Incident reports must include certain minimum information designed to improve the quality of reporting and to allow for ease of comparison by ensuring that each report includes specified fields of information; (3) deadlines for filing Cyber Security Incident reports must be established based on when the responsible entity identifies a compromise or disruption to reliable operation of its facilities in the bulk electric system; and (4) Cyber Security Incident reports should continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC), rather than the Commission, but the reports should also be sent to the Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Further, the Commission requires that NERC annually file with the Commission a public, anonymized summary of the reports received over the past year.
Providing more specificity on the content of Cyber Security Incident reports, Order No. 848 directs that the minimum set of attributes to be reported to NERC include (1) the functional impact, where possible, that the Cyber Security Incident achieved or attempted to achieve; (2) the attack vector that was used to achieve or attempted to achieve the Cyber Security Incident; and (3) the level of intrusion that was achieved or attempted. NERC may also augment the list should it determine that additional information would benefit situational awareness of cyber threats.
These modifications that the Commission has directed NERC to make could have significant implications for responsible entities and their existing reporting processes. Registered entities should ensure their familiarity with these modified, mandatory standards and work to ensure adequate cyber awareness, monitoring and reporting capabilities.
Day Pitney's Energy & Utilities and Cybersecurity & Data Protection practices will continue to monitor developments in this area and inform our clients and friends as appropriate. If you have questions, please call any of us.
 Cyber Security Incident Reporting Reliability Standards, Final Rule, 164 FERC ¶ 61,033 (2018) (Order No. 848). Order No. 848 takes effect 60 days after publication in the Federal Register. NERC must submit the directed modifications within six months of that effective date.
 See United States Computer Emergency Readiness Team, Alert TA18-074A (revised Mar. 16, 2018), available here. NCCIC is currently conducting a series of webinars on Russian government cyber activity against critical infrastructure.
 The NERC Glossary defines “ESP” as “[t]he logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.” The NERC Glossary defines “EACMS” as “Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems.”
 Order No. 848 at P 88.
Day Pitney Alert
Day Pitney Alert
On March 23, Day Pitney Partner Joseph Fagan served on the panel, "FERC Enforcement and Compliance," for the Connecticut Power and Energy Society (CPES).
On February 10, Joseph Fagan spoke at the Northeast Energy and Commerce Association (NECA) webinar, "Natural Gas: The Next Phase."
On February 3, partner Joseph Fagan served as a panelist for the Energy Bar Association webinar, "Rumble in the Regulatory Jungle: Rockefeller v. Hart, A Comparison of the NGA and ICA."
Day Pitney and FH+H’s new strategic alliance was featured in Law360, and highlights how it will help clients from both firms, from defense contractors to wealthy families and individuals, navigate the evolving national security industry and other fields.
Day Pitney’s strategic alliance with FH+H, a midsize Northern Virginia-based law firm, was featured in Bloomberg Law’s Business & Practice section.
Day Pitney Press Release
The firm’s strategic alliance with FH+H, a Virginia law group, to provide expanded services and capabilities was profiled in the Hartford Business Journal.
Day Pitney Press Release