The Federal Energy Regulatory Commission (“FERC”) issued a Notice of Inquiry (“NOI”) and a Final Rule at the end of July to address several urgent cybersecurity issues affecting the bulk electric system. FERC is taking these actions in the face of increasingly sophisticated threats to the power grid, including in response to an actual cyber attack against Ukraine’s electricity system last year.
In the NOI, the Commission seeks comments on possible modifications to the Critical Infrastructure Protection (“CIP”) Reliability Standards developed and managed by the North American Electric Reliability Corporation (“NERC”) pursuant to Section 215 of the Federal Power Act. These modifications would require isolation between the Internet and certain critical cyber systems in control centers performing transmission operator functions “through use of physical (hardware) or logical (software) means.” The modifications would also require the use of application whitelisting for the same critical systems in all control centers. Application whitelisting is a security practice in which only specifically authorized applications are able to execute on a particular computer.
Notably, both of these potential modifications to the CIP standards were recommended in a report by a team from the Electricity Information Sharing and Analysis Center and SANS Industrial Control Systems on a series of cyber attacks perpetrated against Ukraine in December 2015. These cyber attacks resulted in “power outages that affected at least 225,000 customers” and are “the first publicly acknowledged [cyber attacks] to result in power outages.”
In the Final Rule (designated Order No. 829), the Commission directs NERC to develop a new or modified Reliability Standard concerning “supply chain risk management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations.” While the Final Rule gives NERC flexibility in how to meet FERC’s requirements, the new or modified Reliability Standard must satisfy certain minimum criteria. These include the creation of a plan by jurisdictional electric utilities addressing four security objectives: (1) software integrity and authenticity, (2) vendor remote access, (3) information system planning, and (4) vendor risk management and procurement controls.
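The two technical controls the NOI and Order No. 829 touch on, application whitelisting (only authorized applications may execute) and software integrity and authenticity (verifying what a vendor delivered before it runs), can be illustrated with one small default-deny check. The following Python is an added example written for this summary; it is not code from FERC, NERC, or any utility. It assumes a manifest of SHA-256 digests authenticated with an operator-held HMAC key (a constructed stand-in for the vendor code-signing certificates a real deployment would verify), and the “binaries” are constructed byte strings rather than real executables.

```python
"""Default-deny application allowlist with an authenticated manifest.

Added illustration only. Assumptions (not from the original article):
- the allowlist manifest maps application names to SHA-256 digests;
- the manifest is authenticated with an HMAC key held by the operator
  (a stand-in for vendor code-signing signatures);
- the sample "binaries" below are constructed byte strings.
"""
import hashlib
import hmac
import json

# Constructed sample artifacts standing in for real executables.
APPROVED_BINARY = b"\x7fELF approved-hmi-client v1.0"
UNKNOWN_BINARY = b"\x7fELF unapproved-tool v0.1"

# Constructed key; in practice this would live in an HSM or be replaced by PKI.
MANIFEST_KEY = b"operator-manifest-key"


def sha256_hex(data: bytes) -> str:
    """Digest of an artifact as received from the vendor."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(approved: dict, key: bytes) -> dict:
    """Create the allowlist: name -> digest, plus an HMAC over the entries."""
    entries = {name: sha256_hex(blob) for name, blob in approved.items()}
    payload = json.dumps(entries, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Integrity/authenticity of the allowlist itself (objective 1 in Order No. 829)."""
    payload = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def execution_allowed(binary: bytes, manifest: dict, key: bytes) -> tuple:
    """Whitelisting decision: deny unless the manifest verifies and the digest is listed."""
    if not manifest_is_authentic(manifest, key):
        return False, "manifest integrity check failed"
    digest = sha256_hex(binary)
    for name, listed in manifest["entries"].items():
        if hmac.compare_digest(listed, digest):
            return True, f"allowed: matches {name}"
    return False, "denied: digest not on allowlist"


MANIFEST = build_manifest({"hmi-client": APPROVED_BINARY}, MANIFEST_KEY)


def tampered_manifest() -> dict:
    """An attacker-edited copy that adds an entry without knowing the key."""
    copy = {"entries": dict(MANIFEST["entries"]), "mac": MANIFEST["mac"]}
    copy["entries"]["unapproved-tool"] = sha256_hex(UNKNOWN_BINARY)
    return copy


if __name__ == "__main__":
    for label, blob in (("approved", APPROVED_BINARY), ("unknown", UNKNOWN_BINARY)):
        print(label, execution_allowed(blob, MANIFEST, MANIFEST_KEY))
    print("tampered manifest", execution_allowed(UNKNOWN_BINARY, tampered_manifest(), MANIFEST_KEY))
```

The check is deliberately default-deny: an unlisted digest is refused, and an edited manifest is refused even if it lists the binary, because the MAC no longer verifies. Swapping the HMAC for signature verification against a vendor certificate gives the “authenticity” property Order No. 829 asks utilities to plan for.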
The Final Rule was also issued, in part, in response to the malware attacks on Ukraine. In particular, the Commission points to two alerts issued by ICS-CERT concerning malware-focused campaigns “based on the injection of malware while a product or service remains in the control of the hardware or software vendor, prior to delivery to the customer.” One of these alerts concerns potential connections to the same BlackEnergy malware used in the previously discussed attacks on Ukraine’s power grid.
FERC directs NERC to submit a new or modified Reliability Standard for the Commission’s review within one year.