A quote famously attributed to then FBI Director, Robert Mueller, in March 2012 advised that: “There are only two types of companies: those that have been hacked, and those that will be”.
With the rapid increase in the current plague of cyber attacks, a key issue for regulators continues to be the protection of critical infrastructure. In recent years, various US regulatory agencies have established (and periodically update) standards to improve the ability to detect, mitigate and respond to the increasing cyber security threats to critical infrastructure. Canadian regulatory agencies and industry participants, particularly in sectors where there are cross border connections, have also established (and periodically update) their related standards.
As a result, Canadian electrical infrastructure operators are well advised to watch the recent developments in the United States where the Federal Energy Regulatory Commission (FERC) has, on December 21, 2017, released a draft notice of proposed rulemaking responding to the cyber security threat.
FERC proposed that, under Section 215(d)(5) of the Federal Power Act, to modify the NERC Critical Infrastructure Plan (CIP) reliability standards to improve mandatory reporting of cyber security incidents. The concern FERC identifies is that the current reporting threshold for cyber security incidents may result in the understating of the true scope of such threats facing the bulk electrical system.
The proposed rule would require modifications to the NERC CIP reliability standards to include mandatory reporting of cyber security incidents “that compromise or attempt to compromise,” the electronic security perimeter, electronic access control or monitoring system of applicable entities.
The proposed reporting also targets the reporting standards to both improve the quality of such reporting and facilitate the comparison and analysis of incidents. A deadline for the filing of such reports is proposed, as is annual reporting to FERC.
As such, Canadian electrical industry participants are well advised to consider if these proposed US developments will result in similar changes to the applicable critical infrastructure standards in Canada.