The Federal Energy Regulatory Commission (FERC) recently signaled that it is exploring ways to improve the cybersecurity of the U.S. electricity grid.  On June 18, 2020, FERC issued a Notice of Inquiry (NOI) regarding whether some of its reliability standards regarding cybersecurity must be enhanced and whether the focus of its standards must change due to the threat of a coordinated cyberattack targeting geographically distributed generation resources.  On June 18, 2020, FERC also issued a staff paper that suggests a framework for providing incentives in transmission rates for cybersecurity investments.

These FERC actions may presage regulatory actions that could have material operational and cost implications for all grid participants.  Accordingly, FERC is seeking comments on both documents with deadlines of August 24, 2020 for the NOI and August 17, 2020 for the staff paper.  Major grid participants would be well advised to evaluate the NOI and staff paper and consider responding to FERC’s request for comments.

The notice of inquiry

FERC has oversight responsibility for approving and enforcing standards to ensure the reliability of the U.S. electricity grid.  Included among those standards are Critical Infrastructure Protection (CIP) Reliability Standards, which require certain users, owners, and operators of the Bulk Electric System (BES)[1] to comply with requirements to safeguard critical cyber assets.  These standards have been updated on multiple occasions to adapt to the changing cybersecurity landscape.

FERC approved the first set of CIP Reliability Standards in 2008 and instructed the North American Electric Reliability Corporation (NERC), the organization charged with developing reliability standards, to look to the U.S. National Institute of Standards and Technology (NIST) as a source for improving those standards.  Since then, NIST developed the Cybersecurity Framework[2] (NIST Framework) to reduce cyber risks to critical infrastructure.

The first aspect of FERC’s inquiry is whether certain NIST Framework categories are not adequately addressed by current CIP Reliability Standards.  The NOI identifies three categories of the NIST Framework that may not be adequately addressed in the CIP Reliability Standards, and thus could reflect potential reliability gaps.

Cybersecurity risks pertaining to data security.  This category specifies activities to manage information and records (i.e., data) consistent with an organization’s risk strategy to protect the confidentiality, integrity, and availability of data and systems.  FERC specifically identifies two gaps.  First, according to the NOI, the NIST category requiring adequate capacity to ensure that data and systems remain available (i.e. data and systems are accessible to authorized parties when needed) does not appear to be addressed by the reliability standards. Second, the NIST category requiring processes to verify software, firmware, and information integrity is only partially addressed, resulting in the possible exposure of systems to malicious actors who could bypass existing security controls without detection.

Detection of anomalies and events.  This category identifies security controls to detect anomalous activity and assess the potential impact to BES Cyber Systems.[3]  The NOI highlights that the CIP Reliability Standard regarding incident reporting and response planning (CIP-008-5) is only applicable to medium and high impact BES Cyber Systems.  Thus, if a low impact BES Cyber System is compromised and an analysis is not performed, a grid participant may not be in a position to respond appropriately if a threat uses a low impact system to gain access to medium and high impact systems.

Mitigation of cybersecurity events.  This category specifies activities to prevent the expansion of a cybersecurity event, mitigate its effects, and resolve the incident.  According to the NOI, the CIP Reliability Standard that requires responsible entities to document their cybersecurity incident response plans and procedures that address incident handling (CIP-008-5) does not specifically require incident containment or mitigation as outlined in the NIST Framework and does not apply to low impact systems.  Thus, the improper containment or mitigation of low impact systems could result in the impact of medium and high impact systems.  In addition, the reliability standard that addresses the need to mitigate newly identified vulnerabilities (CIP-010-2) does not apply to low impact systems.

FERC asks for comments on whether the current CIP Reliability Standards adequately address aspects of the NIST Framework that support bulk electric system reliability as well as current and projected cybersecurity risks. In comments, the NOI poses specific questions to address.

The second aspect of FERC’s inquiry is whether the current focus of cybersecurity protections on larger generation plants should be modified.  Only generation resources categorized as medium or high impact BES Cyber Systems are required to comply with all CIP Reliability Standards.

Since the first CIP Reliability Standards were established in 2008, the U.S. generation resource mix has shifted away from larger, centralized generation resources to smaller, geographically distributed generation resources.  Accordingly, an increasing number of generation resources are categorized as low impact BES Cyber Systems and thus are not required to comply with all CIP Reliability Standards.

FERC asks whether a sophisticated threat actor could initiate a coordinated cyberattack targeting geographically distributed generation resources, posing an unacceptable risk to reliability.  Such a coordinated cyberattack would present itself as a “common mode failure,” which could be similar in risk to a wide-scale disruption to fuel supplies, such as an attack on a natural gas pipeline.  FERC references the following recent studies that assessed the potential reliability impacts of a coordinated cyberattack on geographically distributed targets:

  • NERC’s 2019 Supply Chain Risk Assessment. Based on information obtained through a  data request to industry, the assessment concludes that a coordinated cyberattack could greatly affect bulk electric system reliability beyond the local area and recommends modifying the supply chain reliability standards to include low impact BES Cyber Systems with remote electronic access connectivity.
  • NERC’s Lessons Learned — Risks Posed by Firewall Firmware Vulnerabilities. This document addresses a denial-of-service attack against multiple remote generation sites whose BES Cyber Systems are categorized as low impact.  The particular attack exploited a known vulnerability in the web interface of a vendor’s firewall, allowing an unauthenticated attacker to cause unexpected reboots of the devices. This resulted in brief communications outages (i.e., less than five minutes) between field devices at the generation sites, as well as between the generation sites and the control center.
  • Worldwide Threat Assessment of the Intelligence Community. This report by the U.S. Office of the Director of National Intelligence found that both Russia and China have the ability to execute cyberattacks in the United States that generate “localized, temporary disruptive effects” on critical infrastructure.

Accordingly, FERC asks for comments on the potential risk of a coordinated cyberattacks on geographically distributed targets and whether FERC action, including potential modifications to the CIP Reliability Standards, would be appropriate to address such risk.  Again, specific questions are posed for a commenter to address.

Comments on the NOI are due August 24, 2020, and reply comments are due September 22, 2020.  After comments are received, FERC could hold a technical conference to gather more information or could issue a proposed rule on this subject matter.

The staff paper

Among other things, FERC regulates the rates of transmission of electricity in interstate commerce.  While the staff paper generally provides a background discussion regarding the cybersecurity challenges on the Bulk Electric System, the existing CIP Reliability Standards, the importance of infrastructure security, and the Commission and staff’s efforts to incentivize energy infrastructure security to date, the primary purpose for the staff paper is to discuss a framework for providing incentives in transmission rates for qualifying cybersecurity investment.

Rates for transmission service are generally based on the provider’s incurred cost of service, including a return of, and on, investment.  FERC allows certain rate incentives for transmission investments that improve reliability or reduce grid congestion.  These incentives include allowing costs to be included in rates while facilities are constructed, accelerated depreciation, and a higher return on equity (ROE).  The staff paper notes that these legacy incentives may be less beneficial to cybersecurity investments due to their fast deployment times and relatively lower capital costs compared to transmission projects.  The paper also questions the impact of accelerated depreciation, given that there may be a relatively short depreciation life for most cybersecurity investments.

Rather than rely on legacy incentives, the staff paper suggests an option for incentivizing cybersecurity investment by allowing utilities to defer and amortize eligible costs that are typically recorded as expenses associated with third-party hardware, software, and computing and networking services over a shorter period.  However, an incentive approach would also need to have a way of identifying the cybersecurity investments that it seeks to incentivize.  The staff paper also suggests that incentives could be available only for voluntary cybersecurity investments that exceed the CIP Reliability Standards.  Investments made only to comply with mandatory standards would not be eligible.  FERC specifically proposes two approaches for identifying eligible voluntary investments: (1) a utility voluntarily applies certain CIP Reliability Standard requirements to transmission facilities that are not subject to those requirements, and (2) a utility voluntarily implements portions of the NIST Framework.

Comments on the staff paper are due on August 17, 2020 and reply comments are due September 1, 2020.

[1] The Bulk Electric System is the electrical generation resources, transmission lines, interconnections, and associated equipment, generally operated at voltages of 100 kV or higher.

[2] The NIST Framework (v1.0) was released in February 2014 and was later updated (v1.1) in April 2018.

[3] The CIP Reliability Standards require an entity to categorize its cyber systems in terms of low, medium, and high impact to the grid. See CIP-002-5.1a. These impact ratings determine which requirements in CIP Reliability Standards apply.