cybersecurity

On March 3, 2023, the United States Environmental Protection Agency (“EPA”) published a memorandum requiring states to evaluate the cybersecurity of operational technology used by public water systems (“PWSs”) “when conducting PWS sanitary surveys or through other state programs.”  EPA’s memorandum “interprets the regulatory requirements relating to the conduct of sanitary surveys to require that when a PWS uses operational technology (“OT”), such as an industrial control system (“ICS”), as part of the equipment or operation of any required component of a sanitary survey, then the sanitary survey of that PWS must include an evaluation of the adequacy of the cybersecurity of that operational technology for producing and distributing safe drinking water.”  Specifically, “EPA’s interpretation clarifies that the regulatory requirement to review the ‘equipment’ and ‘operation’ of a PWS necessarily encompasses a review of the cybersecurity practices and controls needed to maintain the integrity and continued functioning of operational technology of the PWS that could impact the supply or safety of the water provided to customers.”
Continue Reading EPA Requires States to Address the Cybersecurity of Public Water Systems

The Federal Energy Regulatory Commission (“FERC”) issued a final rule (Order No. 887) directing the North American Electric Reliability Corporation (“NERC”) to develop new or modified Reliability Standards that require internal network security monitoring (“INSM”) within Critical Infrastructure Protection (“CIP”) networked environments.  This Order may be of interest to entities that develop, implement, or maintain hardware or software for operational technologies associated with bulk electric systems (“BES”).

The forthcoming standards will only apply to certain high- and medium-impact BES Cyber Systems.  The final rule also requires NERC to conduct a feasibility study for implementing similar standards across all other types of BES Cyber Systems.  NERC must propose the new or modified standards within 15 months of the effective date of the final rule, which is 60 days after the date of publication in the Federal Register.
Continue Reading FERC Orders Development of New Internal Network Security Monitoring Standards

On April 20, 2022, the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom—the so-called “Five Eyes” governments—announced the publication of Alert AA22-110A, a Joint Cybersecurity Advisory (the “Advisory”) warning critical infrastructure organizations throughout the world that the Russian invasion of Ukraine could expose them “to increased malicious cyber activity from Russian state-sponsored cyber actors or Russian-aligned cybercrime groups.”  The Advisory is intended to update a January 2022 Joint Cybersecurity Advisory, which provided an overview of Russian state-sponsored cyber operations and tactics, techniques, and procedures (“TTPs”).

In its announcement, the authorities urged critical infrastructure network defenders in particular “to prepare for and mitigate potential cyber threats by hardening their cyber defenses” as recommended in the Advisory.
Continue Reading International Cybersecurity Authorities Issue Joint Advisory on Russian Cyber Threats to Critical Infrastructure

The Federal Energy Regulatory Commission (FERC) recently signaled that it is exploring ways to improve the cybersecurity of the U.S. electricity grid.  On June 18, 2020, FERC issued a Notice of Inquiry (NOI) regarding whether some of its reliability standards regarding cybersecurity must be enhanced and whether the focus of its standards must change due to the threat of a coordinated cyberattack targeting geographically distributed generation resources.  On June 18, 2020, FERC also issued a staff paper that suggests a framework for providing incentives in transmission rates for cybersecurity investments.

These FERC actions may presage regulatory actions that could have material operational and cost implications for all grid participants.  Accordingly, FERC is seeking comments on both documents with deadlines of August 24, 2020 for the NOI and August 17, 2020 for the staff paper.  Major grid participants would be well advised to evaluate the NOI and staff paper and consider responding to FERC’s request for comments.
Continue Reading FERC Requests Comments on Grid Cybersecurity Initiatives

On Monday, the 2015 G-7 Summit ended with the President and other Leaders of the G-7 focused generally on a wide range of economic, security, and development issues, and specifically discussing the energy sector’s cybersecurity posture.  According to the White House, the Leaders “launched a new cooperative effort to enhance cybersecurity of the energy sector