FERC terminates cyber security inquiry

Tuesday, October 3, 2017

Federal energy regulators have terminated a proceeding opened last year seeking comment on the need for, and possible effects of, modifications to national reliability standards to address the cybersecurity of control centers used to monitor and control the bulk electric system.

A 2015 cyber attack in Ukraine significantly disrupted Ukraine's electric grid, in what has been called "the first publicly acknowledged cyber incident to result in power outages."  According to a U.S. Department of Homeland Security bulletin, remote cyber intrusions at three regional electric power distribution companies caused widespread outages in that incident on December 23, 2015.

Domestically, U.S. energy regulators responded by considering whether to modify cybersecurity reliability standards.  On July 21, 2016, the Federal Energy Regulatory Commission issued a Notice of Inquiry in Docket No. RM16-18-000, pursuant to section 215 of the Federal Power Act, seeking comment on the need for, and possible effects of, modifications to the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) Reliability Standards.

In that Notice of Inquiry, the Commission sought comment on possible modifications to the CIP Reliability Standards, and potential operational impacts thereof, involving the following cyber strategies:
(1) isolating BES Cyber Systems in control centers performing transmission operator functions from the Internet; and
(2) using computer administration practices that prevent unauthorized programs from running (i.e., “application whitelisting”) for cyber systems in control centers.

In response, the Commission received 18 comments, which it characterized as "generally opposing modifications to the CIP Reliability Standards at this time."

On October 2, 2017, the Commission decided to exercise its discretion to terminate the proceeding.  According to the Commission, the current standards "allow responsible entities flexibility on how to implement various required security controls ... including, when appropriate, isolation and whitelisting," but the record did not support requiring the use of isolation or whitelisting in the standards at this time.  The Commission noted that while "isolation and whitelisting can be effective strategies under certain circumstances, these strategies also present certain risks" and could be difficult to translate into a standard given the diversity of configurations existing across the Bulk-Power System.

At the same time, the Commission noted that it will "continue to support attention to isolation and segmentation, whitelisting, and other cybersecurity strategies," including through Commission staff engagement with NERC, industry, and other stakeholders.
