FERC Issues Proposed Rules to Enhance Grid Cybersecurity Reliability Standards

Foley Hoag LLP - Energy & Climate Counsel

Cyberattacks on U.S. energy infrastructure have been on the rise in 2024. According to the 2024 Thales Data Threat Report, 42% of critical infrastructure companies, including those in the energy sector, suffered data breaches this year. Between November 2023 and April 2024, 29 cyberattacks targeting U.S. energy infrastructures' industrial control systems were reported. In July 2024, the Federal Bureau of Investigation (“FBI”) issued a Private Industry Notification highlighting the increased risk of malicious cyberattacks on the U.S. renewable energy industry, including attacks that could target solar infrastructure and microgrids. 

Amid these growing concerns over the grid’s vulnerability to malicious cyberattacks, on September 19, 2024, the Federal Energy Regulatory Commission (“FERC”) issued two proposed rules that aim to enhance cybersecurity standards for the U.S. bulk-power system. In the first Notice of Proposed Rulemaking (“NOPR”) (Docket No. RM24-4-000), FERC proposes to require new or modified critical infrastructure protection (“CIP”) standards to address ongoing risks posed by malicious actors seeking to compromise the reliable operation of the bulk electrical system. This proposal directs the North American Electric Reliability Corporation (“NERC”) to submit standards requiring entities to:

  • identify their current supply chain risks to their grid-related cybersecurity systems at specified intervals; 
  • assess and take steps to validate the accuracy of the information received from vendors during the procurement process; and 
  • document, track, and respond to these risks to their systems. 

FERC also directs NERC to extend the applicability of the supply chain standards to include a category of products known as protected cyber assets (“PCAs”).

The second NOPR (Docket No. RM24-7-000) proposes to approve a CIP reliability standard submitted by NERC in compliance with a prior FERC directive, which would require entities to implement internal network security monitoring within a defined electronic security perimeter. FERC also proposes to direct NERC to develop modifications to the internal network security monitoring standard to extend those protections outside the electronic security perimeter to electronic access control or monitoring systems and physical access control systems. 

These two NOPRs demonstrate FERC's continued focus on cybersecurity reliability standards, building upon recent actions taken by FERC, other federal agencies, and NERC:

  • Earlier this year, we reported on the U.S. Department of Energy’s (“DOE’s”) support for the release of cybersecurity baselines for electric distribution systems and distributed energy resources (“DERs”). 
  • In June 2024, DOE rolled out new Supply Chain Cybersecurity Principles, which establish best practices for cybersecurity throughout the energy infrastructure supply chain. 
  • Last November, NERC conducted its biennial GridEx simulated grid attack exercise with more than 250 organizations to gauge utility responses, communications protocol, and cross-sector coordination. NERC issued a report on the exercise in April 2024 and urged greater cooperation and communication between utilities and non-federal government partners. 

Both FERC NOPRs require NERC to submit responsive new or revised standards to FERC within 12 months of the effective date of a final rule. FERC seeks comments on all aspects of both proposed rules; comments are due within 60 days after the rules' forthcoming publication in the Federal Register.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Foley Hoag LLP - Energy & Climate Counsel
