Utilities will have stricter cybersecurity reporting requirements under new ruling

U.S. regulators are laying down stricter reporting requirements for electrical utilities that experience cybersecurity lapses.

The Federal Energy Regulatory Commission (FERC) said Thursday that utilities will have to report attempts by attackers, even if they don’t have an immediate effect, that ultimately make it easier to “harm reliable operation of the nation’s bulk electric system.” Current requirements only make utilities report incidents that result in an actual compromise or disruption.

“Cyber threats to the bulk power system are ever changing, and they are a matter that commands constant vigilance,” FERC Chairman Kevin McIntyre said in a statement. “Industry must be alert to developing and emerging threats, and a modified standard will improve awareness of existing and future cyber security threats.”

The new standards will come by way of the North American Electric Reliability Corporation (NERC), a quasi-governmental body that implements FERC’s rulings for electrical utilities.

NERC will have to develop standards that require companies to report when attackers attempt to breach the perimeter of their networks. NERC is also being directed to standardize incident reports that come from utilities so that reports that come from different entities can be compared and analyzed easily.

Additionally, utilities will have to start sending their reports to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). They currently only have to send them to the Electricity Information Sharing and Analysis Center (E-ISAC).

DHS has been paying increasing attention to grid cybersecurity, as officials have warned that Russian hackers have been targeting U.S. critical infrastructure. The U.S. recently issued sanctions for such activity.

“While thankfully none of these intrusions have resulted in an actual power outage, they do represent an unsettling uptick in attempts to undermine America’s critical infrastructure systems,” said FERC Commissioner Neil Chatterjee in a statement. “I believe it’s imperative that we ensure our colleagues at the North American Reliability Corporation and DHS have adequate information to understand the evolving threat landscape for industrial control systems.

NERC will have six months to modify its Critical Infrastructure Protection Reliability Standard to comply with FERC’s order.