Critical Infrastructure Security, Industry Regulations

FERC, US government looks to update cybersecurity requirements for energy utilities

Eric Hetrick, 52, substation operations supervisor at Mira Loma grid management center, poses for a photograph on June 5, 2020 in Ontario, California as employees work to keep operations up during the COVID-19 pandemic. The Federal Energy Regulatory Commission is looking to revamp cybersecurity regulations for bulk electric systems while its CIO ad...

The Federal Energy Regulatory Commission is asking input on information collection regulations for companies related to more than a dozen different cybersecurity practices affecting bulk electric systems, while its Chief Information Officer warned earlier this month that regulated energy utilities will likely have to follow recent government actions around implementing zero trust architectures.

In a Federal Register notice this week, the agency laid out 13 different reliability standards that govern what companies supplying bulk electric systems must safeguard. The standards and requirements themselves are not new and have been codified in law for more than a decade.

What is new is that FERC is now explicitly asking industry and the public for feedback on how to tweak or adjust them after a decade in which attacks and probing against energy companies have exploded and views around the interplay between government and the energy sector around cyber threats has evolved considerably.  

“Comments are invited on (1) Whether the collection of information is necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility; (2) the accuracy of the agency's estimate of the burden and cost of the collection of information, including the validity of the methodology and assumptions used; (3) ways to enhance the quality, utility and clarity of the information collection; and (4) ways to minimize the burden of the collection of information on those who are to respond, including the use of automated collection techniques or other forms of information technology.”

The standards include 13 different requirements that entities “must follow to ensure the cyber and physical security of the Bulk-Power System.” These include: categorizing assets according to their impact on reliable operations, specifying consistent and sustainable security management controls, giving security trainings to staff, implementing firewalls around BES systems, undertaking software system security practices, specifying backup and recovery plans, securing data, specifying configuration change management and vulnerability assessment requirements to detect unauthorized changes, protecting assessment and monitoring data between control centers and implementing security controls for supply chain management.

There are also two other standards related to securing physical buildings and cyber assets related to the BES systems. A table included in the notice estimates the total financial burden of these regulations on the energy sector at more than $69 million and 817,437 worker hours.

The agency is accepting public input until Oct. 14.

The request for input on these standards come as executives at energy companies and the government have both expressed a desire to cooperate, share resources and further flesh out the parts of the electric grid that should be prioritized or receive enhanced or proactive security resources.

Tom Fanning, CEO of Southern Company, a multi-billion dollars gas and electric utility, argued Friday that while all aspects of the energy sector need help and protection, there needs to be more prioritization of “systemically important critical infrastructure” or assets or systems that could have cascading effects across the energy and other sectors if they’re compromised or disrupted.

“Let’s evaluate the importance of that infrastructure, let’s not try to boil the ocean but rather in essence create a triage evaluation for America, [ask] what are the most important say 50-100 things we can do, and then identify the assets,” said Fanning during an event hosted by the Carnegie Endowment for National Peace. “I think we have to go down the asset level. When you get down to that level you will understand very quickly that the nature of protection and resilience…is different for every asset and so you’ve got to get down to that level. Let’s start there and we identify therefore what is systemically most important.”

It also comes as the Biden administration has pushed out new requirements on federal agencies like FERC to implement zero trust architecture and security protections within their own environment.

Earlier this month, Mittal Desai, CIO for FERC, told SC Media Editor-in-Chief Jill Aitoro that companies regulated by FERC will likely have to move towards implementing a similar architecture to respond to today’s threat landscape. Some of those actions include “looking at the device, what’s the inventory and the environment we use, what are authorized devices and unauthorized devices in respect to your BYOB strategy” as well as modernizing legacy systems and applications.

“Those partnerships, understanding where the federal government, even from a federal government IT perspective is going, is going to be very similar to how some of these energy utilities are going to have to model their requirements as well,” said Desai, who previously worked as FERC’s chief security officer.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.