The Federal Energy Regulatory Commission (FERC) announced on July 19, 2018, that it is directing the North American Electric Reliability Corporation (NERC) “to develop and submit modifications to the NERC Reliability Standards to augment the mandatory reporting of cybersecurity incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the bulk electric system (BES).”

The rule will become effective 60 days after it is published in the Federal Register.

The 64-page Final Rule requires NERC to develop and submit modifications to the Reliability Standards to require the reporting of cybersecurity incidents “that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS).” Presently, reporting entities are only required to report cyber incidents that have “compromised or disrupted one or more reliability tasks.” The change is intended to “improve awareness of existing and future cybersecurity threats and potential vulnerabilities.”

The Final Rule consists of “four elements intended to augment” the current reporting requirements:

  1. “Responsible entities must report cybersecurity incidents that compromise, or attempt to compromise, a responsible entity’s ESP or associates EACMS:
  2. Required information in cybersecurity incident reports should include certain minimum information to improve the quality of reporting and allow for ease of comparison by ensuring that each report includes specified fields of information;
  3. Filing deadlines for cybersecurity incident reports should be established once a compromise or disruption to reliable BES operation, or an attempted compromise or disruption, is identified by a responsible entity; and
  4. Cybersecurity incident reports should continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC), rather than the Commission, but the reports should also be sent to the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).”

The Final Rule also requires NERC to file an annual, public, and anonymized summary of the reports filed by entities with the Commission.