Privacy & Information Security Law Blog

At its October monthly meeting, the Federal Energy Regulatory Commission (the “Commission”) adopted new reliability standards addressing cybersecurity risks associated with the global supply chain for Bulk Electric System (“BES”) Cyber Systems. The new standards expand the scope of the mandatory and enforceable cybersecurity standards applicable to the electric utility sector. They will require electric utilities and transmission grid operators to develop and implement plans that include security controls for supply chain management for industrial control systems, hardware, software and services. 

As reported in the Hunton Nickel Report:

Recent press reports indicate that a cyber attack disabled the third-party platform used by oil and gas pipeline company Energy Transfer Partners to exchange documents with other customers. Effects from the attack were largely confined because no other systems were impacted, including, most notably, industrial controls for critical infrastructure. However, the attack comes on the heels of an FBI and Department of Homeland Security (“DHS”) alert warning of Russian attempts to use tactics including spearphishing, watering hole attacks, and credential gathering to target industrial control systems throughout critical infrastructure, as well as an indictment against Iranian nationals who used similar tactics to attack private, education, and government institutions, including the Federal Energy Regulatory Commission (“FERC”). These incidents raise questions about cybersecurity across the U.S. pipeline network.

The U.S. Department of Justice (the “DOJ”) has unsealed an indictment accusing nine Iranian nationals of engaging in a “massive and brazen cyber assault” against at least 176 universities, 47 private companies and 7 government agencies and non-governmental organizations, including the Federal Energy Regulatory Commission (“FERC”). According to the DOJ, the nationals worked for Mabna Institute, an Iranian-based company, as “hackers for hire,” stealing login credentials and other sensitive information to sell within Iran and for the benefit of the Iranian government.

On January 18, 2018, the Federal Energy Regulatory Commission (“FERC”) issued a Notice of Proposed Rulemaking (“NOPR”) that proposes the adoption of new mandatory Reliability Standards designed to mitigate cybersecurity risk in the supply chain for electric grid-related cyber systems. The Reliability Standards were developed by the North American Electric Reliability Corporation (“NERC”) in response to FERC Order No. 829, which ordered the development of standards to address supply chain risk management for industrial control system hardware, software and computing and networking services.

On December 21, 2017, the Federal Energy Regulatory Commission (“FERC”) issued a Notice of Proposed Rulemaking (“NOPR”) aimed at expanding mandatory reporting obligations in relation to cybersecurity incidents. In particular, FERC’s NOPR would direct the North American Electric Reliability Corporation (“NERC”) to develop modifications to certain Critical Infrastructure Protection (“CIP”) Reliability Standards so that those standards require mandatory reporting of cybersecurity incidents that compromise or attempt to compromise a responsible entity’s Electronic Security Perimeter (“ESP”) or associated Electronic Access Control or Monitoring Systems.

On January 19, 2017, the North American Electric Reliability Corporation (“NERC”) released a draft Reliability Standard CIP-013-1 – Cyber Security – Supply Chain Risk Management (the “Proposed Standard”). The Proposed Standard addresses directives of the Federal Energy Regulatory Commission (“FERC”) in Order No. 829 to develop a new or modified reliability standard to address “supply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations.” 

Last month, the Federal Energy Regulatory Commission (“FERC”) published its final Regulations Implementing FAST Act Section 61003-Critical Electric Infrastructure Security and Amending Critical Energy Infrastructure Information (the “CEII Regulations”). The CEII Regulations, which differ little from the notice of proposed rulemaking that FERC issued in June 2016, were approved unanimously on November 17, 2016, by FERC’s three sitting Commissioners (recent retirements have left the two other FERC seats vacant).

On July 16, 2015, the Federal Energy Regulatory Commission (“FERC”) issued a new Notice of Proposed Rulemaking (“NOPR”) addressing the critical infrastructure protection (“CIP”) reliability standards. The NOPR proposes to accept with limited modifications seven updated CIP cybersecurity standards. The NOPR also proposes that new requirements be added to the CIP standards to protect supply chain vendors against evolving malware threats and addresses risks to utility communications networks.

The absence of congressional action on cybersecurity legislation has spurred efforts by various entities to exert influence over cybersecurity policy. This client alert focuses on some of those efforts, including the Federal Energy Regulatory Commission’s (“FERC’s”) creation of a new cybersecurity office, North American Electric Reliability Corporation (“NERC”) action on cybersecurity Critical Infrastructure Protection (“CIP”) standards, continuing legislative developments concerning cybersecurity and anticipated White House executive orders on cybersecurity.

As we reported last week, on May 12, 2011, the Obama administration announced a comprehensive cybersecurity legislative proposal in a letter to Congress.  The proposal, which is the culmination of two years of work by an interagency team made up of representatives from multiple departments and agencies, aims to improve the nation’s cybersecurity and protect critical infrastructure.  If enacted, this legislation will affect many government and private-sector owners and operators of cyber systems, including all critical infrastructure, such as energy, financial systems, manufacturing, communications and transportation.  In addition, the proposal includes a wide-reaching data breach notification law that is intended generally to preempt the existing state breach laws in 46 states plus Washington, D.C., Puerto Rico and the U.S. Virgin Islands.

The United States Congress is currently considering several bills addressing cybersecurity issues.  Below are brief summaries of four such bills.

The Grid Reliability and Infrastructure Defense (“GRID”) Act

The GRID Act was passed by the House of Representatives on June 9, 2010. This bill would amend the Federal Power Act to grant the Federal Energy Regulatory Commission (“FERC”) authority to issue emergency orders requiring critical infrastructure facility operators to take actions necessary to protect the bulk power system. Prior to FERC issuing such an order, the President would have to issue a written directive to FERC identifying an imminent threat to the nation’s electric grid.  FERC would be required to consult with federal agencies or facility operators before issuing an emergency order only “to the extent practicable” in light of the nature of the threat. The GRID Act is being considered by the Senate Committee on Energy and Natural Resources at this time.