The irony of FERC approving cybersecurity measures to protect bulk power system reliability on the day its website went down, and in a week with a broad government cybersecurity breach, was not lost on a few folks on Twitter.
The FERC website was only affected briefly in the afternoon of December 17, but on a meeting day when many are searching for orders and decisions, it was noticed by energy market participants on Twitter. They referred to a cybersecurity compromise at the Department of Energy (DOE), though FERC spokeswoman Mary O’Driscoll on December 18 dismissed any connection with the DOE incident and the SolarWinds software.
“The issues with the [FERC] website were not related to the report of the DOE cyberattack,” O’Driscoll said in an email.
DOE, which includes the National Nuclear Security Administration (NNSA), national laboratories and other functions, reported a cyber incident December 17, shortly after federal investigators said malware and tactics to penetrate government computer networks pose a grave risk to government, state and private critical infrastructure entities. “The investigation is ongoing and the response to this incident is happening in real time,” said DOE spokeswoman Shaylyn Hynes.
The cybersecurity breach at DOE was first reported by Politico, a day or so after the Department of Defense and other government agencies indicated hackers had affected certain networks.
Hynes said malware was isolated to DOE business networks only, and did not affect the national security functions at DOE or NNSA. “When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network,” she said in a statement.
That is consistent with a directive from the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence. In a December 16 statement, the three agencies said they are aware of a significant and ongoing cybersecurity campaign, and formed a Cyber Unified Coordination Group to oversee a whole-of-government response to the incident. CISA issued an emergency directive for civilian agencies “to immediately disconnect or power down affected SolarWinds Orion products from their network.”
Cybersecurity officials outside of government have told media outlets that the penetration of government networks could take months to eradicate and address fully. The SolarWinds software patches are believed to be connected with Russian hackers trying to gain access to U.S. government computer systems.
Hynes noted that DOE has been in constant communication with energy sector partners, including subsector coordinating councils, dubbed Information Sharing and Analysis Centers, for the oil and natural gas, downstream natural gas and electricity sectors.
At FERC, commissioners noted that enhanced cybersecurity measures and ensuring that North American Electric Reliability Corp. (NERC) standards are up to speed, which was discussed at the December 17 meeting, could not be more timely.
A notice of proposed rulemaking (NOPR) adopted at the meeting would allow utilities to gain favorable rate treatment for cybersecurity investments that go beyond the mandatory Critical Infrastructure Protection (CIP) standards of NERC. The NOPR (RM21-3) follows a June white paper by FERC staff on cybersecurity investments and the proposed rule recognizes that the utility sector faces numerous cybersecurity challenges in new and changing attacks, FERC staff said during a presentation at the meeting.
Utilities would be eligible for two types of rate recovery incentives for cybersecurity investments deemed to be appropriate by FERC under the NOPR. The incentives are a return on equity adder of 200 basis points or deferred cost recovery for certain cybersecurity expenses, FERC staff explained at the meeting.
Chairman James Danly and Commissioner Richard Glick concurred on the order and wrote a joint concurring statement, questioning whether FERC should better address cyber threats by directing NERC to expand its CIP standards. “Although we appreciate the appeal of an incentives-based approach, the importance of cybersecurity demands us to at least consider whether we should mandate the best practices contemplated in this NOPR rather than simply trying to induce public utilities to adopt them,” Danly and Glick wrote in the joint statement.
During the meeting, Commissioner Neil Chatterjee raised a similar point in questioning with FERC staff. Cybersecurity threats evolve quickly and may not be able to coincide with the CIP standards development process at NERC, staff told Chatterjee. It can take years before certain CIP standards are developed by NERC and approved by FERC, staff pointed out.
Chatterjee said the voluntary rate incentive approach in the NOPR can serve as a useful complement to the CIP standards at NERC.
Some of the information sought from utilities could be deemed sensitive and confidential, which can be an issue when incentive rate treatment is involved and transparency is needed, Chatterjee noted. The NOPR seeks comments on the type of information that would be shielded from public disclosure, FERC staff said.
Glick said FERC needs to ask why the cybersecurity investments addressed in the NOPR may not be made today, and he encouraged parties to address that in their comments on the proposal.
Comments on the NOPR are due 60 days after publication in the Federal Register.
By Tom Tiernan email@example.com