Recognizing the growing cyber threats facing the country's bulk electric system, the Federal Energy Regulatory Commission (the Commission) recently issued a rule that will increase the reporting requirements for those entities with assets that make up the nation's bulk electric system. In Order No. 848, issued on July 19, the Commission directs the North American Electric Reliability Corp. (NERC) to develop modifications to its Reliability Standards to expand mandatory reporting of cyber security incidents, including attempts that might facilitate subsequent efforts to harm reliable operation of the electric system.
NERC, the electric reliability organization for North America, has established mandatory Critical Infrastructure Protection (CIP) Reliability Standards designed to secure the cyber assets required for operating North America's bulk power system. Those requirements include Reliability Standard CIP-008-5 (Cyber Security — Incident Reporting and Response Planning), but those reporting requirements currently apply only for cyber incidents that "compromised or disrupted one or more reliability tasks." The Commission concluded that with such limited reporting requirements, the true scope of cyber-related threats facing the North America grid is understated.
There is wide recognition and numerous reports documenting the increasing frequency and complexity of these cyber security threats. For example, the National Cybersecurity and Communications Integration Center (NCCIC) recently outlined ongoing activity by Russian government actors characterized as:
a multi-stage intrusion campaign by  cyber actors who targeted small commercial facilities' networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).
Given its concern with the growing threats to the power grid, the Commission in Order No. 848 directs that NERC implement the following four changes to strengthen the current Cyber Security Incident reporting requirement: (1) each responsible entity must report Cyber Security Incidents that compromise, or attempt to compromise, that entity's Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS); (2) information in Cyber Security Incident reports must include certain minimum information designed to improve the quality of reporting and to allow for ease of comparison by ensuring that each report includes specified fields of information; (3) deadlines for filing Cyber Security Incident reports must be established based on when the responsible entity identifies a compromise or disruption to reliable operation of its facilities in the bulk electric system; and (4) Cyber Security Incident reports should continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC), rather than the Commission, but the reports should also be sent to the Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Further, the Commission requires that NERC annually file with the Commission a public, anonymized summary of the reports received over the past year.
Providing more specificity on the content of Cyber Security Incident reports, Order No. 848 directs that the minimum set of attributes to be reported to NERC include (1) the functional impact, where possible, that the Cyber Security Incident achieved or attempted to achieve; (2) the attack vector that was used to achieve or attempted to achieve the Cyber Security Incident; and (3) the level of intrusion that was achieved or attempted. NERC may also augment the list should it determine that additional information would benefit situational awareness of cyber threats.
These modifications that the Commission has directed NERC to make could have significant implications for responsible entities and their existing reporting processes. Registered entities should ensure their familiarity with these modified, mandatory standards and work to ensure adequate cyber awareness, monitoring and reporting capabilities.
Day Pitney's Energy & Utilities and Cybersecurity & Data Protection practices will continue to monitor developments in this area and inform our clients and friends as appropriate. If you have questions, please call any of us.
 Cyber Security Incident Reporting Reliability Standards, Final Rule, 164 FERC ¶ 61,033 (2018) (Order No. 848). Order No. 848 takes effect 60 days after publication in the Federal Register. NERC must submit the directed modifications within six months of that effective date.
 See United States Computer Emergency Readiness Team, Alert TA18-074A (revised Mar. 16, 2018), available here. NCCIC is currently conducting a series of webinars on Russian government cyber activity against critical infrastructure.
 The NERC Glossary defines “ESP” as “[t]he logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.” The NERC Glossary defines “EACMS” as “Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems.”
 Order No. 848 at P 88.
Day Pitney LLP and Ansonia co-hosted an invitation-only 2019 Roundtable Event: The Balance of Power at the Grand Lobby of the Hippodrome in New York City.
On October 30, Alexander Judd will be moderating a panel, "Financing Renewable Energy Projects in New England," at the Future of Energy: What's the Deal?, the 20th Annual Connecticut Power and Energy Society (CPES) Conference and Exposition.
On October 16, Sophia Browning spoke on a breakout session, entitled “Drafting and Negotiating a Power Purchase Agreement,” at the 2019 Energy Bar Association Mid-Year Energy Forum in Washington, DC.
On October 7, Steven Cash spoke at "Cybersecurity: Tension Between Innovation and Security," an event presented by the Connecticut Power and Energy Society (CPES) and held at Yale University in New Haven, CT.
Day Pitney Alert
Alexander Judd has been elected to serve as Vice President of the Connecticut Power and Energy Society (CPES), an association of energy professionals dedicated to generating information, sharing ideas and educating Connecticut about the energy industry.
Day Pitney Press Release
Firm Ranked Tier 1 Nationally for Energy Law and Trusts and Estates Law
Josh Cohen, chair of Day Pitney's Bankruptcy and Restructuring practice group was quoted extensively in an article, "FERC Rebuke Won't Be Last Word In PG&E Power Deals Fight," published by Law360.
Day Pitney Press Release
Partners Josh Cohen and Dave Doot were quoted in an analysis article, "PG&E's Ch. 11 Brings Rift With FERC Over Power Deals," published by Law360.