Data Protection Report - Norton Rose Fulbright

On July 23 and 25, 2018, the U.S. Department of Homeland Security (DHS) held public briefings about an attempt by a state-sponsored Russian hacking group to target control systems for U.S. electrical grids and power plants. DHS’ webinar explained that the hackers obtained access to vendors providing computer services to electric utilities companies. This initial access enabled the hackers to gain entry to power company control systems through a complex series of security compromises lasting quite some time.

The hackers used tactics such as phishing emails and watering-hole attacks. These attacks trick victims into entering passwords and other personal information, giving hackers access to corporate networks. DHS reported that the group used these tactics to target “hundreds of victims” in 2017 alone. Concerns about cyberattacks targeting power plants are nothing new. In response to such concerns, regulatory agencies are increasing reporting requirements for cyberattacks targeting the energy sector.

In the July 31, 2018 Federal Register (Vol. 83, No. 147, at 37727-36741), the Federal Energy Regulatory Commission (FERC), which regulates the energy sector, recently directed that the power industry’s regulating body, the North American Electric Reliability Corp. (NERC) to modify the Critical Infrastructure Protection Reliability Standards to require heightened reporting obligations for cyber incidents affecting the electric grid.

Under the current regulatory regime, responsible entities must only report incidents that have actually compromised or disrupted a “core activity” toward maintaining the reliability of the electric grid. The new rule expands the reporting requirement to include incidents that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS). The “attempt to compromise” requirement generated a number of comments relating to the sheer volume of attempts every organization suffers as a daily occurrence.

FERC agreed that there is a need to refine the scope of the reporting requirement, and offered guidance that the reporting obligation include “a malicious act or suspicious event that has compromised, or attempted to compromise, a responsible entity’s EACMS that perform any of these five functions”:

(1)        Authentication;

(2)        Monitoring and logging;

(3)        Access control;

(4)        Interactive remote access; and

(5)        Alerting.

Further, the rule requires that reports be standardized for easier analysis and comparison, and will also require entities to send incident reports to organizations such as the Electricity Information Sharing and Analysis Center (E-ISAC) as well as the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), that will assess threats and communicate them to the industry. NERC would file an annual, public and anonymized summary of the reports with FERC.

For each reportable incident, FERC directed that the reports should include at a minimum:

(1)        The functional impact, where possible, that the Cyber Security Incident achieved or attempted to achieve;

(2)        The attack vector that was used to achieve or attempted to achieved by the Cyber Security Incident; and

(3)        The level of intrusion that was achieved or attempted or as a result of the Cyber Security Incident.

The timing of the reports was also left to NERC, but FERC provided some guidance. First, there should be “notice based upon the severity of the event and the risk to BES reliability, with updates to follow initial reports.” Second,

(1)        For “higher risk incidents, such as detecting malware within the ESP and associated EACMS or an incident that disrupted one or more reliability tasks,” FERC suggested a report “within one hour;

(2)        For “lower risk incidents, such as the detection of attempts at unauthorized access to the responsible entity’s ESP or associated EACMS, an initial reporting timeframe between eight and twenty-four hours: and

(3)        For “other suspicious activity associated with an ESP or associated EACMS, a monthly report.

FERC noted its support for an online reporting tool.

NERC must complete modification of the Critical Infrastructure Protection Reliability Standard within six months (January 31, 2019).