A Nationwide 911 System for Reporting Cybersecurity Incidents CIRCIA

Richard Brooks, Co-Founder and Lead Software Engineer, Reliable Energy Analytics LLC

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

Nov 20, 2022

On September 14, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) issued a Request for Information (RFI) to receive input from the public as CISA develops proposed regulations required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Among other things, CIRCIA directs CISA to develop and oversee implementation of regulations requiring covered entities to submit to CISA reports detailing covered cyber incidents and ransom payments.

The comment period ended on November 14, 2022 with 69 independently filed comments listed on regulations.gov from across industries involved in critical infrastructure operations and suppliers to operators of critical infrastructure. I’ve reviewed 15 of these comment filings, focusing primarily on Energy industry filers and IT/OT supplier filings.

I’ve observed two general philosophies expressed in these comments:

  • Entities that are already reporting cybersecurity incidents within their closed communities are resistant to making changes and introducing CISA into the reporting process. They prefer to continue reporting to their industry-specific contact; for example, NERC’s E-ISAC was strongly supported as the status quo, with the recommendation that these “intermediary” entities be the recipients of incident reports, which would then be forwarded to CISA. This is the electric industry position.
  • Entities that are not already committed to an existing cybersecurity incident reporting program are more open to the concept of a harmonized “single, national point of contact for the operator to report all cyber incidents.” I think of this as a Nationwide 911 service for cybersecurity incident reporting. This is the approach expressed by the Natural Gas industry and Exelon (which operates in both the electric and natural gas industries).

The IT industry commenters were more focused on keeping the responsibility for cybersecurity incident reporting on the end users of their products, as opposed to having producers of software products report all known cybersecurity incidents reported by all of their customers to CISA.

If you would like to see these two philosophical positions more clearly, I suggest reading:

I’ve long supported having CISA serve as a “Nationwide 911 Operator”: the primary point of contact to receive incident reports, disseminate information on vulnerabilities, and assist critical infrastructure operators with cybersecurity best practices based on guidance from our cybersecurity experts at NIST.

I fully endorse and support Exelon’s recommendation:

Harmonization of requirements and, where possible, a single, national point of contact for the operator to report all cyber incidents.

What I find truly interesting is that one of the most compelling reasons to consolidate cyber incident reporting under CISA is actually provided by NERC in footnote 6 on page 4 of its filing (right after acknowledging that duplicative reporting to E-ISAC and CISA happens today under CIP-008-6):

"NERC’s incident reporting requirements do not apply to all cyber systems used by NERC registered entities, only those associated with bulk power system operations (i.e., operational technology systems not information technology systems). For example, a corporate accounting system that is isolated from an entity’s operational technology systems would not be subject to the CIP standards. CIRCIA reporting requirements applicable to those corporate systems would not overlap with NERC’s reporting requirements."

I hope to meet some colleagues at the December 7 FERC-DOE Technical Conference on Supply Chain Risk Management, held at FERC’s HQ.
