On June 20, 2019, the Federal Energy Regulatory Commission (FERC) expanded the reporting requirements for bulk electric system cyber security incidents.
The new Critical Infrastructure Protection Reliability Standard CIP-008-6 (Cyber Security – Incident Reporting and Response Planning) now requires the reporting of non-disruptive cyber security incidents in addition to incidents that compromise the cyber systems associated with electronic security perimeters, physical security perimeters, and electronic access control/monitoring systems.
The prior Standards required entities to report only when one or more reliability tasks were compromised or disrupted by a cyber security incident. The expanded reporting requirements now encompass any attempt or effort to put the operation of the grid at risk.
The new Standard gives responsible entities some flexibility to identify cyber security incidents with criteria appropriate for their systems.
The expansion of the Standard builds on FERC Order 848, which warned the North American Electric Reliability Corp. (NERC) not to underestimate the real scope of threats to harm the operation of the grid.