The North American Electric Reliability Corporation (NERC) recently adopted Reliability Standard CIP-008-6, Cyber Security – Incident Reporting and Response Planning (referred to here as the Directive), which creates new cybersecurity incident reporting obligations for entities operating high or medium impact BES (bulk electric system) Cyber Systems, and their associated Electronic Access Control or Monitoring Systems, in North America. The Directive also emphasizes the importance of cyber planning and preparedness. FERC approved it in June 2019; it takes effect in the United States on January 1, 2021 (18 months after approval), with adoption dates in Canada depending on the province.
Given that NERC standards are mandatory in several Canadian provinces, the new Directive will have implications for organizations on both sides of the Canada-U.S. border. Organizations governed by NERC standards are advised to review these requirements carefully and update their cybersecurity incident response plans and frameworks accordingly.
On December 21, 2017, the U.S. Federal Energy Regulatory Commission (FERC) issued a notice of proposed rulemaking (NPRM) proposing to direct NERC to develop enhanced cybersecurity incident reporting requirements; the direction was made final in Order No. 848 in July 2018. Specifically, the NPRM sought to expand the existing requirements, which only covered incidents that actually compromised or disrupted a reliability task, to include:
- Reporting cybersecurity incidents that compromise or attempt to compromise an Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS)
- Standardizing incident reports for easier comparison
- Sending incident reports to the E-ISAC and to the U.S. Department of Homeland Security's ICS-CERT (now NCCIC), so that those organizations are equipped to assess threats and communicate them to industry.
These concerns were highlighted in a 2017 U.S. federal report, prepared by the Department of Energy and the Department of Homeland Security under Executive Order 13800 and titled “Assessment of Electricity Disruption Incident Response Capabilities”, which identified significant gaps in the existing cybersecurity framework that could compromise U.S. national security in light of emerging cybersecurity threats.
INCIDENT REPORTING REQUIREMENTS
The Directive contains four requirements (R1 to R4), summarized below as four parts:
Part 1: Cybersecurity Incident Response Plan Specifications
Organizations must document a process for identifying, classifying and responding to cybersecurity incidents. They must also define the criteria used to determine whether a cybersecurity incident is a Reportable Cyber Security Incident, or an attempt to compromise an in-scope system, and define the roles and responsibilities of the incident response personnel. Finally, organizations must establish incident handling procedures, such as written documentation covering containment, eradication and recovery.
Part 2: Implementation and Testing
Organizations are required to test their response plan at least once every 15 calendar months, either by responding to an actual Reportable Cyber Security Incident, by a paper drill or tabletop exercise, or by an operational exercise. The response plan must be used when responding to a Reportable Cyber Security Incident or an attempt to compromise an in-scope system, and organizations must document and retain records of the incident as well as any deviations from the response plan.
Part 3: Update and Communication
No later than 90 calendar days after completing a test of the plan or responding to an incident that triggers it, organizations must document any lessons learned, update the response plan and notify the incident response personnel of the update.
Part 4: Notification and Reporting for Cybersecurity Incidents
Organizations are required to report both actual compromises and attempts to compromise an Electronic Security Perimeter, an EACMS or a BES Cyber System to the Electricity Information Sharing and Analysis Center (E-ISAC) and, if subject to U.S. jurisdiction, to the United States National Cybersecurity and Communications Integration Center (NCCIC). Initial notification is due within one hour of determining that an incident is a Reportable Cyber Security Incident, and by the end of the next calendar day for an attempt to compromise. The report must include, to the extent known at the time, three attributes: the functional impact, the attack vector used and the level of intrusion achieved or attempted. When new or changed attribute information is determined, an update must be provided within seven calendar days of that determination.
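The classification and notification steps in Parts 1 and 4 are easy to get wrong in practice, because the deadline depends on how the incident was classified and on when the entity made its determination. The following is an added example, not code from NERC or from the original article, of a small helper an incident response team might embed in its ticketing workflow. It assumes a simplified scope test (the target is a BES Cyber System, ESP or EACMS with a high or medium impact rating), that "end of the next calendar day" is measured in the timezone recorded on the determination timestamp, and the constructed sample incidents below are hypothetical.

```python
"""Illustrative CIP-008-6 reportability and notification-deadline helper (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, time, timezone
from enum import Enum
from typing import Optional

# Simplified applicability test (assumption): high/medium impact BES Cyber Systems
# and their associated ESPs and EACMS are in scope; everything else is not.
APPLICABLE_TARGETS = {"bes_cyber_system", "esp", "eacms"}
APPLICABLE_RATINGS = {"high", "medium"}
# The three attributes Part 4 requires, reported to the extent known.
REQUIRED_ATTRIBUTES = ("functional_impact", "attack_vector", "level_of_intrusion")


class Outcome(Enum):
    COMPROMISED = "compromised"   # the system was compromised or disrupted
    ATTEMPTED = "attempted"       # an attempt to compromise that did not succeed
    NONE = "none"                 # not an attack on the system at all


@dataclass
class Incident:
    determined_at: datetime            # when the entity made its classification (tz-aware)
    target: str                        # e.g. "esp", "eacms", "bes_cyber_system", "other"
    impact_rating: str                 # "high", "medium", "low" or "n/a"
    outcome: Outcome
    attributes: dict = field(default_factory=dict)   # the Part 4 attributes known so far


def classify(incident: Incident) -> str:
    """Return 'reportable', 'attempt' or 'not_reportable' for the incident."""
    if incident.determined_at.tzinfo is None:
        raise ValueError("determined_at must be timezone-aware to compute calendar-day deadlines")
    in_scope = (incident.impact_rating in APPLICABLE_RATINGS
                and incident.target in APPLICABLE_TARGETS)
    if not in_scope or incident.outcome is Outcome.NONE:
        return "not_reportable"
    if incident.outcome is Outcome.COMPROMISED:
        return "reportable"
    return "attempt"


def initial_notification_deadline(incident: Incident) -> Optional[datetime]:
    """One hour for a Reportable Cyber Security Incident, end of the next calendar
    day for an attempt to compromise, None if nothing has to be reported."""
    kind = classify(incident)
    if kind == "reportable":
        return incident.determined_at + timedelta(hours=1)
    if kind == "attempt":
        next_day = incident.determined_at.date() + timedelta(days=1)
        # End of next calendar day, in the timezone of the determination (assumption).
        return datetime.combine(next_day, time(23, 59, 59), tzinfo=incident.determined_at.tzinfo)
    return None


def update_deadline(attribute_determined_at: datetime) -> datetime:
    """Updates are due within 7 calendar days of determining new/changed attribute info."""
    return attribute_determined_at + timedelta(days=7)


def missing_attributes(incident: Incident) -> list:
    """Attributes still unknown; the initial notification goes out without them."""
    return [a for a in REQUIRED_ATTRIBUTES if not incident.attributes.get(a)]


def sample_incidents() -> dict:
    """Constructed, hypothetical incidents for illustration only."""
    t = datetime(2021, 1, 15, 22, 30, tzinfo=timezone.utc)
    return {
        "compromise": Incident(t, "esp", "high", Outcome.COMPROMISED,
                               {"functional_impact": "loss of monitoring",
                                "attack_vector": "stolen VPN credential"}),
        "attempt": Incident(t, "eacms", "medium", Outcome.ATTEMPTED),
        "low_impact": Incident(t, "bes_cyber_system", "low", Outcome.COMPROMISED),
    }


if __name__ == "__main__":
    for name, inc in sample_incidents().items():
        print(name, classify(inc), initial_notification_deadline(inc), missing_attributes(inc))
```

Note that the deadline for an attempt is a calendar-day boundary, not 24 hours: an attempt classified at 22:30 still has the whole of the next day, while a compromise classified at 22:30 must be notified by 23:30 the same evening.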
The Directive includes a compliance section describing the monitoring and enforcement processes available to the Compliance Enforcement Authority (in the U.S., the applicable regional entity), including compliance audits, self-certification, spot checking, compliance investigations, self-reporting and complaints. It also sets out Violation Severity Levels for each requirement, ranging from Lower to Severe. In Canada, compliance and enforcement are regulated at the provincial level, and in certain provinces fines may be imposed for non-compliance.
The release of the Directive highlights the continued focus on cybersecurity risks in North America, especially as it relates to the electrical energy sector and its key stakeholders.
Canadian organizations subject to NERC standards should ensure that the appropriate mechanisms are in place for compliance. Specifically, organizations should revise their cybersecurity incident response plans and frameworks to reflect the new requirements under the Directive, including the prescribed notification and update timelines and the criteria used to classify an incident as reportable or as an attempt to compromise. Organizations should also consider running tabletop exercises to test the robustness of these plans.