A US legislator plans to introduce a bill that would require power grid operators to notify the Department of Energy (DoE) of cyber incidents within 24 hours of their detection. The Critical Electric Infrastructure Cybersecurity Incident Reporting Act would give DoE the responsibility of establishing guidelines for determining which incidents must be reported and for establishing ways for the operators to report the incidents.
- The problem is consistency. The Critical Infrastructure Act of 2022 set the reporting interval at 72 hours, which may be a bit long for critical infrastructure, and having new legislation now saying 24 hours is likely to confuse operators without clear definitions about which timeline applies. Even then, you may not be prepared to report that quickly. Now is the time to make sure you are aware of the criteria applied to your organization and what you need to do to meet existing reporting requirements, then look at how you would implement a shortened window. It’s better to have that worked out before regulators come knocking.
- On the face of it, 24 hours seems like a relatively short time for critical infrastructure operators to provide specifics on cyber breaches. The reality is that national news reporting will have already picked up on the power grid outage. It doesn’t matter whether the outage is the result of equipment failure, physical attack [most recent outages in both North Carolina and Washington] or cyberattack—it will make the 24-hour news cycle. The draft bill does provide flexibility in allowing the Department of Energy to define specifics on what incidents require reporting to the federal government. That said, at a minimum we should at least be consistent in both cyber breach reporting requirements (24–72 hours) and responsibility for establishing reporting guidelines (DoE–DHS).
- Many attacks against the grid, e.g., ransomware, will announce themselves. The interesting breaches are those that are quiet, undetected, that are intended for exploitation in the future, during times of conflict.
Read more in