Midwest Cyber: Energy Regulators Respond to Increasing Cyber Threats to the Grid
As anyone who even casually watches the nightly news can tell you, breaches of customer and corporate data can cause serious financial, legal, and reputational harm to a company. But for energy companies that own and operate the physical assets that make up the nation’s power grid, understanding and complying with the federal government’s complex and constantly evolving cyber regulations for the energy industry is part of a larger effort to prevent cyber attacks that could cause devastating power disruptions. A recent report from Lloyd’s suggested that the economic havoc resulting from a cyber attack on the grid could exceed $1 trillion.
The complexity and sheer size of the U.S. electric grid make it vulnerable to threats from a variety of potential bad actors, including hacktivists, cyber criminals, terrorists, nation states, or even disgruntled employees. There also is mounting evidence that the nation’s electric system is being targeted with increased frequency.
The Department of Homeland Security repeatedly has identified the energy sector as the most heavily targeted sector of our country’s critical infrastructure; a June 2015 Congressional Research Service report chronicled a number of recent attacks; and a recent USA Today analysis of federal records revealed that the grid is struck by either a physical or cyber attack approximately once every four days.
Energy regulators have taken note, and are looking to update the rules that energy companies must follow to protect the country’s electric system. In July, the Federal Energy Regulatory Commission or “FERC” proposed its latest set of revisions to its Critical Infrastructure Protection or “CIP” regulations for the power grid. The CIP regulations, first adopted in 2008 and repeatedly revised since then, cover issues such as personnel and training, physical and network security, and incident reporting and disaster recovery. The North American Electric Reliability Corporation or “NERC” (a quasi-governmental entity charged with ensuring the reliable operation of the grid) has been delegated authority from FERC to monitor and enforce compliance with the CIP regulations.