Written by Martin P.J. Kratz QC, FCIPS and Stephen D. Burns
A quote famously attributed to then FBI Director, Robert Mueller, in March 2012 advised that: “There are only two types of companies: those that have been hacked, and those that will be.”
With the rapid increase in the current plague of cyberattacks, a key issue for regulators continues to be the protection of critical infrastructure. In recent years, various U.S. regulatory agencies have established (and periodically update) standards to improve the ability to detect, mitigate and respond to the increasing cybersecurity threats to critical infrastructure. Canadian regulatory agencies and industry participants, particularly in sectors where there are cross-border connections, have also established (and periodically update) their related standards.
As a result, Canadian electrical infrastructure operators are well advised to watch the recent developments in the United States where the Federal Energy Regulatory Commission (FERC) has, on December 21, 2017, released a draft notice of proposed rulemaking responding to the cybersecurity threat.
The FERC proposed that, under section 215(d)(5) of the Federal Power Act, to modify the NERC Critical Infrastructure Plan (CIP) reliability standards to improve mandatory reporting of cybersecurity incidents. The concern FERC identifies is that the current reporting threshold for cybersecurity incidents may result in the understating of the true scope of such threats facing the bulk electrical system.
The proposed rule would require modifications to the NERC CIP reliability standards to include mandatory reporting of cybersecurity incidents “that compromise or attempt to compromise,” the electronic security perimeter, electronic access control or monitoring system of applicable entities.
The proposed reporting also targets the reporting standards to both improve the quality of such reporting and facilitate the comparison and analysis of incidents. A deadline for the filing of such reports is proposed, as is annual reporting to FERC.
As such, Canadian electrical industry participants are well advised to consider if these proposed U.S. developments will result in similar changes to the applicable critical infrastructure standards in Canada.