FERC moves to shore up potential cyber vulnerabilities
- Federal regulators have approved revisions to cybersecurity rules surrounding "transient electronic devices," such as thumb drives and laptops, in the latest effort by the energy sector to shore up its defenses.
- The Federal Energy Regulatory Commission on Thursday issued a final rule approving a revised Critical Infrastructure Protection reliability standard. The rule directs the North American Electric Reliability Corp. to make changes to standards to "further mitigate the risk of malicious code" from some transient devices.
- The power industry is increasingly on alert in the face of growing cyber threats, and federal regulators have been refining rules and requirements. But NERC did not report any cyber incidents in 2015 and 2016, and as a result FERC, is also considering changes to mandatory reporting of cybersecurity issues.
FERC directed NERC to revise security standards for third-party transient electronic devices connected to low impact bulk electric system (BES) cyber systems. The devices are among a wide array of potential threats to the electric grid, along with spear phishing attacks and efforts to compromise industrial control systems.
In a statement, NERC said the revised standard represents "the next stage in cyber security standards, improving base-line cyber security posture of responsible entities."
But FERC did not adopt a proposal to "provide clear, objective criteria for electronic access controls for low impact BES Cyber Systems."
Regulators in their order wrote that the current standard for such access controls already "provides a clear security objective that establishes compliance expectations." Regulators declined to adopt the proposal, which had been included in the initial Notice of Proposed Rulemaking directing NERC to update their Critical Infrastructure Protection standards.
Federal officials have been warning of cyber threats increasing in sophistication, and are worried NERC's reporting standards do not reflect the growing threat. The low threshold for reporting cyber incidents is “an enormous gap,” Thomas Popik, chairman and president of the Foundation for Resilient Societies, told Utility Dive in an interview.
In March, an alert from the U.S. Computer Emergency Readiness Team warned Russian hackers have mounted a methodical, long-term campaign to infiltrate and surveil critical U.S. infrastructure, including energy and nuclear. That alert followed warnings from private security firm Dragos, which reported a rise in targeted attempts to infiltrate utility systems coming from North Korea-related hackers.
Most recently, the communications network utilized by Energy Transfer Partner's pipeline system faced a cyberattack and was shut down, along with other gas pipelines. Hackers infiltrated a communications platform provided by Energy Services Group LLC, which impacted five pipelines and resulted in possible late bills for some Duke Energy customers in Ohio.
Follow Robert Walton on Twitter