FERC looks to address new cyber threats in updated reliability standards
- FERC has proposed a series of modifications to its critical infrastructure protection reliability standards, designed to address growing concerns that the nation's bulk generation and transmission systems remain vulnerable to cyberattacks.
- The commission wants the utility industry to develop new security protocols, including standards for data flowing across unsecured third-party networks.
- However, industry observers say third-party players in the utility space pose a challenge because FERC does not regulate vendors, meaning utilities will have to guard against malware coming in on systems they contract.
Amid growing concern that a significant cyber attack on the U.S. Electric system could do billions in damage – if not more – FERC has issued a notice of proposed rulemaking seeking comment on ways to bolster grid security.
According to the Notice of Proposed Rulemaking, the changes are “designed to mitigate the cybersecurity risks to bulk electric system facilities, systems, and equipment, which, if destroyed, degraded, or otherwise rendered unavailable as a result of a cybersecurity incident, would affect the reliable operation of the Bulk-Power System.”
The new security standards would apply to “supply chain management,” FERC said, would need to take several factors into account: not require renegotiation of contracts; allow for exceptions; be specific enough so that compliance is clear and enforceable; and address only entities FERC regulates.
Only twice before gas the commission proposed to require the development of a new standard, Commissioner Cheryl LaFleur said in a statement, highlighting the severity of the issue.
Recent events have “highlighted potential security risks for the electric industry,” she wrote. “Understanding the evolving threats and how best to respond to them is of critical importance.”
But EnergyWire reports that there could be difficulties in implementing new standards.
"It's acknowledged that NERC and FERC don't have authority over the vendors. Utilities have a limited ability to impose conditions on vendors," Nadya Bartol, a senior cybersecurity strategist at the Utilities Telecom Council, told EnergyWire. "It needs to be done through a productive dialogue."
Lloyd's of London issued a report recently which estimated the total economic loss from a wide scale power outage in the United States could range from $243 billion up to $1 trillion in the most damaging scenarios. Researchers have shown that hackers could potentially damage generators by opening and closing certain circuit breakers to ultimately push a machine's rotating parts out of alignment.
Follow Robert Walton on Twitter