FERC conference: a cybersecurity paradigm shift in the energy sector?

Remarkable ideas were presented at the Federal Energy Regulatory Commission’s (FERC) annual Reliability Technical Conference on 30 September.

In light of the paradigm shift in the electricity system, with an emphasis on the rise of distributed generation, IT-OT convergence, and more frequent attacks on supply chains, FERC is inclined to rethink cybersecurity regulation in the energy sector. Unsurprisingly, this process has been triggered most notably by the SolarWinds/Orion attacks, which affected up to 25% of electric utilities, and the Colonial Pipeline attacks.

The current practice is that the level of security requirements is determined by the size of the installation. FERC is considering a move to a classification based on risk assessment and impact assessment.

Also of note was the opinion of Ben Miller, Dragos’ Vice President for Research and Development, who said that the current NERC regulations are too prevention-oriented. Too little attention is paid to response, recovery and monitoring. Around 70% of NERC’s CIP standards cover prevention, while “everything else” is regulated in the remaining 30%.


The above observations should be assessed in the context of the turbulence generated by the Biden administration’s seemingly determined and far-reaching – paradigm-shifting (?) – measures and initiatives. It is a logical step for FERC to rethink the cybersecurity regulation of critical infrastructure by going back to the basics.

Pro domo:

SeConSys, among other things, has precisely set out to help address the issues raised by current events by providing expert answers and suggestions. One of the triggers of the “redesign” process initiated at NERC – the rise of distributed generation more so, IT-OT convergence less so – is also present in our country. Fortunately, the other trigger – SolarWinds/Orion and Colonial Pipeline caliber attacks – is not (yet) present.

That said, it would not be useless for those in authority to review the possible domestic implications of these developments.

Messages either agreeing or disagreeing with the above are welcome. Reacting to these, e.g. in a new post, could even lead to a substantive exchange of views.