FERC Issues Final Rule on Cyber Security Incident Reporting

On July 19, 2018, in Docket No. RM18-2-000, FERC issued a final rule (Order No. 848) requiring expanded Cyber Security Incident reporting. Order No. 848 directs NERC to develop and submit modifications to NERC Reliability Standards related to Cyber Security Incident reporting. The Commission’s directive consists of four elements: (1) responsible entities must report Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter (ESP) or Electronic Access Control and Monitoring Systems (EACMS) associated with an ESP, (2) required information in Cyber Security Incident reports should include certain minimum information to improve the quality of reporting and allow for ease of comparison by ensuring that each report includes specified fields of information, (3) the filing deadline for Cyber Security Incident reports should be established once a compromise or disruption to reliable BES operation, or an attempt to compromise or disrupt, is identified by a responsible entity, and (4) Cyber Security Incident reports should continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC), rather than the Commission, but the reports should also be sent to DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Finally, NERC must file an annual, public, and anonymized summary of the reports with the Commission. NERC is required to develop modifications to the Reliability Standards within six months.

To view FERC’s final rule, click here.

To view the press release, click here.