Jul 192019

FERC Enhances Reporting Requirements for Cyber Attacks on Power Grid

Robin Wright Cleary and Curtis Hart
, , , , , ,

On June 20, 2019, the Federal Energy Regulatory Commission (“FERC”) approved a North American Electric Reliability Corp. (“NERC”) petition to adopt Reliability Standard CIP-008-6 to strengthen the reporting requirements for attempts to compromise the operation of the United States’ bulk electric system.  The prior Critical Infrastructure Protection (“CIP”) Reliability Standards only required reporting where an incident compromised or disrupted one or more reliability tasks.  The new standard applies to all registered entities subject to the CIP Reliability Standards.

The NERC petition was a product of Order No. 848, in which FERC ordered NERC, the nation’s Electric Reliability Organization, to revise the requirements for cybersecurity incident reporting.  That order had highlighted a growing concern that older Reliability Standards may underestimate the threat posed to the power grid.  Reliability Standard CIP-008-6 expands reporting requirements to include compromises or attempts to compromise Electric Security Perimeters, Electronic Access Control or Monitoring Systems, and Physical Security Perimeters associated cyber systems.  Reliability Standard CIP-008-6 also encompasses disruptions or attempted disruptions to the operation of a bulk electric system.

Each entity has some flexibility in developing criteria for suspicious activity based on its system architecture.  Once a responsible entity has determined that a cybersecurity incident meets the criteria for an attempted compromise of an applicable system, the entity must report the incident by the end of the next calendar day to the Electricity Information Sharing and Analysis Center and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center.  Reliability Standard CIP-008-6 also addresses the information to be included in cybersecurity incident reports and requires a responsible entity to initiate an incident response plan following an attempt to compromise cyber systems.

FERC’s efforts to bolster the security of the power grid reflect increasing concerns about cyberattacks targeting critical infrastructure.  Ukraine’s power grid blackout in 2016, which caused Kiev to lose power for about an hour, underscored the vulnerability of power grids.

Robin Wright Cleary

rwright@sidley.com

Curtis Hart

Washington, D.C.

chart@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.