This has not been a joyful winter for energy industry executives. They have repeatedly awoken to alerts that substations in the Northwest and Southeast have been physically attacked and that a major engineering firm was the subject of a ransomware cyberattack that may have compromised utility data.
Federal regulators are taking notice. On December 7, the Federal Energy Regulatory Commission (FERC) and the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) held a joint technical conference to discuss supply chain risk management in light of increasing threats to the Bulk Power System. Multiple government participants identified the possible need to normalize the use of software bill of materials and hardware bill of materials in the electric industry. Several days later, FERC directed the North American Electric Reliability Corporation (NERC) to re-examine its Physical Security Reliability Standard, CIP-014-1. Congress, for its part, responded to growing cybersecurity threats to energy infrastructure by increasing CESER’s budget by almost 7.5% in the recent omnibus appropriations bill and appropriating $20 million for the Cyber Testing for Resilient Industrial Control Systems program.
Cybersecurity attacks on distributed energy resources (DERs) including electric vehicles are also proliferating. In its recent report, Cybersecurity Considerations for Distributed Energy Resources on the U.S. Electric Grid, CESER identified the cybersecurity threat to DER operators, vendors, developers, owners and aggregators as posing a significant and growing risk. The Department of Energy will also soon release a report, mandated by Congress in the Infrastructure Investment and Jobs Act, identifying policies and procedures for enhancing the physical and cybersecurity of distributed resources and the electric distribution system.
The recent physical and cybersecurity incidents targeting critical infrastructure have exposed significant vulnerabilities of some companies, and both customers and the federal government are pushing the private sector to mitigate those threats as a condition for doing business. The federal government, in particular, expects their private sector partners to adopt better security hygiene, assess supply chain risks, and prepare for quick responses to incidents, including rapid notifications to customers, regulators and the public. Here are some best practices for energy sector companies to have on their radar for 2023:
- Compliance with NERC’s Critical Infrastructure Protection (CIP) Standards. Violations of applicable NERC CIP reliability standards subject users, owners and operators of bulk power system facilities to civil penalties of up to $1,496,035 per violation, per day.
- Comprehensive Assessments of Key IT and OT Systems. Conducting comprehensive assessments of current and potential system vulnerabilities is a leading cybersecurity industry practice that energy sector companies may consider adopting. They can do so by, for example, engaging in regular inventory of Information Technology and Operational Technology systems, including by assessing patch management processes, performing information security and physical risk assessments, and documenting and regularly reviewing system security plans and related operational documents.
- Clear Roles and Responsibilities. Establishing clear cybersecurity-related roles and responsibilities can help position the enterprise to respond efficiently and effectively to cyber risk, for example by ensuring that corporate executives, the legal team, and key personnel such as the as the Chief Information Security Officer, the Chief Information Officer, the Chief Compliance Officer, and the Chief Privacy Officer are on notice of their respective roles and have clear guidance as to their duties both during “business as usual” operations and in the event that a potential cybersecurity incident occurs.
- Cybersecurity Incident Response Plans. Developing a cybersecurity Incident Response Plan (or “IRP”) is a leading cybersecurity industry practice and may even be a regulatory requirement for certain companies. IRPs are “playbooks” that are developed prior to a cybersecurity incident occurring to provide guidance for responsible stakeholders to respond to a potential incident and guide the company through that response in an organized and effective way. IRPs typically include key components, such as individuals’ and teams’ roles and responsibilities, contact lists, details about the internal escalation process (e.g., regarding notifications to government entities), and guideposts for technical teams. Companies may supplement their IRPs with supporting materials, for example check lists for key executives and personnel, and take steps to integrate their IRPs with other related policies, such as all-hazards crisis management plans and communications plans.
- Cybersecurity Tabletop Exercises. Tabletop exercises are simulations designed to test a company’s response to a potential cybersecurity incident and application of their Incident Response Plan. These exercises are often facilitated by counsel and conducted under privilege. Notably, the Ponemon Institute, in a report issued by IBM Security, reported that companies that had incident response teams and tested their Plans with tabletop exercises or simulations incurred an average of $2.66 million less in data breach-related costs than those that did not.
- Supply Chain Risk Mitigation. A company’s supply chain can heighten exposure to cyber threats, including data leaks, supply chain breaches, and malware attacks; however, strategies to mitigate these risks are available, for example implementing protocols to continually assess and monitor third-party risk, understanding and controlling who has access to the company’s most valuable and sensitive data, and ensuring that third-party contracts include cybersecurity requirements. The federal government has acknowledged the importance of addressing such supply chain risk, and 2021 Executive Order 14028, Improving the Nation’s Cybersecurity, and a 2022 OMB Memorandum both impose standards on governmental entities for the security and integrity of the software supply chain, and also require third-party software suppliers to comply with standards issued by the National Institute of Standards and Technology whenever their software is used on government information systems or affects government information, including that shared with government contractors.
- Information Sharing Opportunities. Last March, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requiring critical infrastructure to report significant cyber incidents and ransomware payments to the Cybersecurity & Infrastructure Security Agency (CISA) within tight time frames. Although CISA has not yet promulgated the rules to implement CIRCIA, it has provided stakeholders with guidance about sharing cyber event information that emphasized the importance of information sharing to our collective defense and for strengthening cybersecurity for the nation. In addition to federally mandated information sharing requirements, companies may also consider sharing information in a trusted setting, including with their Information Sharing and Analysis Centers (ISACs).
For further information, please contact:
Tyler A. O’Connor, Partner, Crowell & Moring
toconnor@crowell.com