Electric Grid Cybersecurity: A Victory for the Secure the Grid Coalition

Coalition plays the long game on electric grid cybersecurity

On June 20, 2019, the Federal Energy Regulatory Commission (FERC) approved the electric grid cybersecurity reliability standard CIP-008-6 (Cyber Security—Incident Reporting and Response Planning). The Secure The Grid Coalition has been fighting this battle now for several years. The result of our efforts is an improved Critical Infrastructure Protection (CIP) Standard—a victory for electric grid cybersecurity, citizen activism and the American people.

A law called the Administrative Procedure Act (APA) says that “each agency shall give an interested person the right to petition for the issuance, amendment, or repeal of a rule.” This means that the public can file a petition with an agency to add, delete or change a regulation. This is how the Foundation for Resilient Societies picked this fight on January 13, 2017. In a “Petition for Rulemaking” to FERC, Resilient Societies forced the federal government to finally face the fact that electric grid cybersecurity is lacking.

Electric Industry: “Move along, nothing to see here…”

Specifically, “the grid” reported only 3 cybersecurity incidents in 2014 and none (zero) in 2015 and 2016. Meanwhile, on April 14, 2016, the U.S. House of Representatives held a hearing and the Committee noted that:

“The DHS reports that the energy sector is the target of more than 40 percent of all reported cyberattacks. In 2014, the National Security Agency (NSA) reported that the agency had tracked intrusions into industrial control systems by entities with the technical capability ‘to take down control systems that operate U.S. power grids, water systems and other critical infrastructure’.” (Page vii. Internal citations omitted.)

Obviously there was a huge disconnect. DHS and the NSA say that 40% of all cyber attacks are directed at the energy sector. Moreover, DHS and the NSA say that hackers have penetrated the grid and could take down the critical infrastructure.

But “the grid” reports few or no cyber related incidents during the same periods.

Another issue was that there was no requirement for malware detection, mitigation and removal. (Malware is what took down the electric gird in the Ukraine in 2015 and 2016.)

The Petition for Rulemaking forced FERC to initiate the long process which resulted in what is known as a Notice of Proposed Rulemaking (or “NOPR”) on December 28, 2017. The NOPR said:

“The Foundation for Resilient Societies filed a petition asking the Commission to require additional measures for malware detection, mitigation, removal and reporting. We decline to propose additional Reliability Standard measures at this time for malware detection, mitigation and removal, based on the scope of existing Reliability Standards, Commission- directed improvements already being developed and other ongoing efforts. However, we propose to direct broader reporting requirements. Currently, incidents must be reported only if they have ‘‘compromised or disrupted one or more reliability tasks,’’ and we propose to require reporting of certain incidents even before they have caused such harm or if they did not themselves cause any harm.”

While we were (and remain) disappointed that the malware detection, mitigation issue was shelved, FERC agreed that the reporting requirements needed improvement. In the NOPR, FERC proposed to order the industry “to improve the reporting of Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the bulk electric system.”

The grid tries to go minimal on cybersecurity

The catch is that the electric utility industry writes their own standards through their mouthpiece, the North American Electric Reliability Corporation (NERC). So even though FERC directed NERC to improve the standard, the process frequently takes years and the industry—which does not want to be regulated—took a minimal approach to this standard as they have in past standards.

And if nobody intervened, history shows that they may have gotten away with it.

But we did something about it. The fight subsequently played out in FERC Docket RM18-2-000. Many members of the coalition submitted comments to FERC in the rulemaking process. We urged FERC to order NERC to improve electric grid cybersecurity reporting standards.

Not surprisingly, the usual suspects from the industry, including industry lobbyist Edison Electric Institute—whose members include the government of the People’s Republic of China—replied that this would all be “unduly burdensome” and “unnecessary.”

Click HERE for a PDF file with all the comments on this electric grid cybersecurity docket. (Be patient—it is a large PDF file). In the chart to the right, you can see in green are the comments in favor of better cybersecurity reporting standards. The comments in red are against better cybersecurity reporting standards. Many of the green comments are from members of the Secure the Grid Coalition.

When the smoke cleared, FERC issued the final order (“Order 848“) on July 19, 2018.

The Good News

We won the battle on getting broader reporting requirements. The final order “directed NERC to develop and submit modifications to the Reliability Standard to require the reporting of Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS).” In English, FERC did not buy the industry’s argument that reporting attacks on these critical components was “unduly burdensome.”

That was the good news.

The Bad News

The bad news was that FERC did not require a standard for malware detection, mitigation and removal as Foundation for Resilient Societies initially proposed. However, FERC states that malware falls within the reporting requirement:

“In addition, we do not agree with Resilient Societies that the detection of malware infecting a responsible entity’s ESP or associated EACMS would fall outside the new reporting requirement. While Resilient Societies asserts that a malware infection would not meet the threshold of a compromise, breach, impact, or disruption, we believe that it would fall within the parameters of an attempted compromise.” (Order 848, page 25.)

So, there is no requirement to detect, mitigate or remove malware. But if a utility bumbles across it, they are at least required to report it.

(Why am I not relieved?)

NERC Submitted the modified reliability standard CIP-008-6 (Cyber Security—Incident Reporting and Response Planning) on March 7, 2019 and FERC issued the order approving CIP-008-6 on June 20, 2019.

The final bit of bad news is that FERC bought off on NERC’s 18-month implementation period. This means the new standard is not effective until January 21, 2021—four years after the Foundation for Resilient Societies submitted the petition for rulemaking.

Fixing electric grid cybersecurity needs a great deal more work

Although perhaps not as strong a rule as we would have liked, citizens in this docket (largely members of the Secure the Grid Coalition) moved the needle significantly.  First, citizens started this process with a petition for rulemaking. (None of this ever would have happened but for Foundation for Resilient Societies initiating it.)  Second, citizens through their participation in the regulatory process, forced the industry to make a stronger rule than the industry initially proposed.

However, there is still much work to be done.

“Publicity is justly commended as a remedy for social and industrial diseases. Sunlight is said to be the best of disinfectants; electric light the most efficient policeman.” – Justice Louis D. Brandeis

1. The industry (enabled by FERC) is covering up the names of regulatory violators from the public, investors, Congress and state regulators. (Read more HERE.)
2. Data and analysis on the effectiveness of the regulatory system covering the electric grid is not publicly available. (Read more HERE.)
3. The Critical Infrastructure Protection (CIP) Standards are still lacking in several areas, requiring the intervention of the public and watch-dog groups. (Read more HERE.)

Members of the Secure the Grid Coalition are working hard on these and other initiatives to secure the nation’s critical infrastructures. Most of us do not get paid. We have actual “day jobs” that pay the mortgage and we volunteer our time and expertise to protect and serve our country. And we are fighting a multi-billion dollar industry with armies of lawyers, lobbyists and over 150 million last year in political donations and congressional influence.

To protect the grid—and your family, we need your help.

What you can do to help secure the grid

There are two things you can do to help:

1. Take Action. Click on our Take Action Page to see specific things you can do to help.
2. Make a tax-deductible donation to the Secure The Grid Coalition. Click HERE to donate.

If it bothers you that the country is in such grave danger, please do something about it!

###

Reference Materials:

• FERC Order issued on June 20, 2019 Approving CIP-008-6 (Docket RD19-3-000). https://elibrary.ferc.gov/idmws/common/OpenNat.asp?fileID=15278927
• Petition of the North American Electric Reliability Corporation for Approval of Proposed Reliability Standard CIP-008-6 (Docket RD19-3-000). (Large file—be patient)  https://elibrary.ferc.gov/idmws/common/OpenNat.asp?fileID=15180084
• FERC Order 848 issued on July 19, 2018 (Docket RM18-2-000). https://ferc.gov/whats-new/comm-meet/2018/071918/E-1.pdf
• Comments Submitted in Docket RM18-2-000. (Large file—be patient) https://securethegrid.com/wp-content/uploads/2018/03/RM18-2-Comments.pdf
• FERC Notice of Proposed Rulemaking (NOPR) issued on December 28, 2017 (Docket RM18-2-000). https://www.gpo.gov/fdsys/pkg/FR-2017-12-28/pdf/2017-28083.pdf
• Foundation for Resilient Societies Petition for Rulemaking submitted on January 13, 2017: https://www.resilientsocieties.org/uploads/5/4/0/0/54008795/resilient_societies_petition_for_rulemaking_ad17-9.pdf