Recognizing the growing cyber threats facing the country's bulk electric system, the Federal Energy Regulatory Commission (the Commission) recently issued a rule that will increase the reporting requirements for those entities with assets that make up the nation's bulk electric system. In Order No. 848, issued on July 19, the Commission directs the North American Electric Reliability Corp. (NERC) to develop modifications to its Reliability Standards to expand mandatory reporting of cyber security incidents, including attempts that might facilitate subsequent efforts to harm reliable operation of the electric system.
NERC, the electric reliability organization for North America, has established mandatory Critical Infrastructure Protection (CIP) Reliability Standards designed to secure the cyber assets required for operating North America's bulk power system. Those requirements include Reliability Standard CIP-008-5 (Cyber Security — Incident Reporting and Response Planning), but those reporting requirements currently apply only for cyber incidents that "compromised or disrupted one or more reliability tasks." The Commission concluded that with such limited reporting requirements, the true scope of cyber-related threats facing the North America grid is understated.
There is wide recognition and numerous reports documenting the increasing frequency and complexity of these cyber security threats. For example, the National Cybersecurity and Communications Integration Center (NCCIC) recently outlined ongoing activity by Russian government actors characterized as:
a multi-stage intrusion campaign by  cyber actors who targeted small commercial facilities' networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).
Given its concern with the growing threats to the power grid, the Commission in Order No. 848 directs that NERC implement the following four changes to strengthen the current Cyber Security Incident reporting requirement: (1) each responsible entity must report Cyber Security Incidents that compromise, or attempt to compromise, that entity's Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS); (2) information in Cyber Security Incident reports must include certain minimum information designed to improve the quality of reporting and to allow for ease of comparison by ensuring that each report includes specified fields of information; (3) deadlines for filing Cyber Security Incident reports must be established based on when the responsible entity identifies a compromise or disruption to reliable operation of its facilities in the bulk electric system; and (4) Cyber Security Incident reports should continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC), rather than the Commission, but the reports should also be sent to the Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Further, the Commission requires that NERC annually file with the Commission a public, anonymized summary of the reports received over the past year.
Providing more specificity on the content of Cyber Security Incident reports, Order No. 848 directs that the minimum set of attributes to be reported to NERC include (1) the functional impact, where possible, that the Cyber Security Incident achieved or attempted to achieve; (2) the attack vector that was used to achieve or attempted to achieve the Cyber Security Incident; and (3) the level of intrusion that was achieved or attempted. NERC may also augment the list should it determine that additional information would benefit situational awareness of cyber threats.
These modifications that the Commission has directed NERC to make could have significant implications for responsible entities and their existing reporting processes. Registered entities should ensure their familiarity with these modified, mandatory standards and work to ensure adequate cyber awareness, monitoring and reporting capabilities.
Day Pitney's Energy & Utilities and Cybersecurity & Data Protection practices will continue to monitor developments in this area and inform our clients and friends as appropriate. If you have questions, please call any of us.
 Cyber Security Incident Reporting Reliability Standards, Final Rule, 164 FERC ¶ 61,033 (2018) (Order No. 848). Order No. 848 takes effect 60 days after publication in the Federal Register. NERC must submit the directed modifications within six months of that effective date.
 See United States Computer Emergency Readiness Team, Alert TA18-074A (revised Mar. 16, 2018), available here. NCCIC is currently conducting a series of webinars on Russian government cyber activity against critical infrastructure.
 The NERC Glossary defines “ESP” as “[t]he logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.” The NERC Glossary defines “EACMS” as “Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems.”
 Order No. 848 at P 88.
Paul Belval will be co-presenting a webinar, "Developing and Financing Wind Energy Projects: Contract Provisions, Protecting Developer and Landowner Interests," for Strafford.
On June 13, Beth Barton and Harold Blinderman spoke at the Connecticut Business & Industry Association (CBIA) 2019 Energy & Environment Conference in Cromwell, CT.
On June 13, Sebastian Lombardi will be moderating a panel, "Northeast Updates on Tackling Fuel Security," at the 2019 Energy Bar Association (EBA) Northeast Chapter Annual Meeting in Washington, DC.
Alex Judd will be moderating a panel, "Future Cities: Building Projects from the Green Up," at the 2019 New England Energy Conference & Exposition (NEECE), a joint conference of the Northeast Energy and Commerce Association and the Connecticut Power and Energy Society being held at the Mystic Marriott in Groton, CT.
On April 4, Joe Fagan will be speaking at Natural Gas & Pipeline Issues, a 50th Anniversary Master Class presented by the Environmental Law Institute (ELI) and held in Washington, D.C.
Josh Cohen, chair of Day Pitney's Bankruptcy and Restructuring practice group was quoted extensively in an article, "FERC Rebuke Won't Be Last Word In PG&E Power Deals Fight," published by Law360.
David Doot, Steven Cash and James Blackburn, IV authored an article, "Risk and Opportunity with the Industrial Internet of Things," which was published in the July-August 2019 issue of The Journal of Robotics, Artificial Intelligence & Law.
Day Pitney Press Release
Partners Josh Cohen and Dave Doot were quoted in an analysis article, "PG&E's Ch. 11 Brings Rift With FERC Over Power Deals," published by Law360.
Day Pitney associate Alexander W. Judd has been elected to serve as Chair of the Energy, Public Utility and Communications Law Section of the Connecticut Bar Association (CBA).