Cyberattacks on U.S. energy infrastructure have been on the rise
in 2024. According to the 2024 Thales Data Threat Report, 42% of
critical infrastructure companies, including those in the energy
sector, suffered data breaches this year. Between November 2023 and
April 2024, 29 cyberattacks targeting the industrial control systems
of U.S. energy infrastructure were reported. In
July 2024, the Federal Bureau of Investigation ("FBI")
issued a Private Industry Notification highlighting the
increased risk of malicious cyberattacks on the U.S. renewable
energy industry, including attacks that could target solar
infrastructure and microgrids.
Amid these growing concerns over the grid's vulnerability to
malicious cyberattacks, on September 19, 2024, the Federal Energy
Regulatory Commission ("FERC") issued two proposed rules that aim to enhance
cybersecurity standards for the U.S. bulk-power system. In the
first Notice of Proposed Rulemaking
("NOPR") (Docket No. RM24-4-000), FERC proposes to
require new or modified critical infrastructure protection
("CIP") standards to address ongoing risks posed by
malicious actors seeking to compromise the reliable operation of
the bulk electric system. This proposal directs the North
American Electric Reliability Corporation ("NERC") to
submit standards requiring entities to:
- identify their current supply chain risks to their grid-related cybersecurity systems at specified intervals;
- assess and take steps to validate the accuracy of the information received from vendors during the procurement process; and
- document, track, and respond to these risks to their systems.
FERC also proposes to direct NERC to extend the applicability of the
supply chain standards to a category of assets known as protected
cyber assets ("PCAs").
The second NOPR (Docket No. RM24-7-000) proposes to
approve a CIP reliability standard submitted by NERC in compliance
with a prior FERC directive, which would require entities to
implement internal network security monitoring within a defined
electronic security perimeter. FERC also proposes to direct NERC to
develop modifications to the internal network security monitoring
standard to extend those protections outside the electronic
security perimeter to electronic access control or monitoring
systems and physical access control systems.
These two NOPRs demonstrate FERC's continued focus on
cybersecurity reliability standards, building on recent actions by
FERC, other federal agencies, and NERC:
- Earlier this year, we reported on the U.S. Department of Energy's ("DOE's") support for the release of cybersecurity baselines for electric distribution systems and distributed energy resources ("DERs").
- In June 2024, DOE rolled out new Supply Chain Cybersecurity Principles, which establish best practices for cybersecurity throughout the energy infrastructure supply chain.
- Last November, NERC conducted its biennial GridEx simulated grid attack exercise with more than 250 organizations to gauge utility responses, communications protocols, and cross-sector coordination. NERC issued a report on the exercise in April 2024 and urged greater cooperation and communication between utilities and non-federal government partners.
Both FERC NOPRs require NERC to submit responsive new or revised standards to FERC within 12 months of the effective date of a final rule. FERC seeks comments on all aspects of both proposed rules, which are due within 60 days after their forthcoming publication in the Federal Register.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.