Last Thursday, the Federal Energy Regulatory Commission (FERC) “directed the North American Electric Reliability Corp. (NERC) to develop, within six-months of the effective date of this final rule, modifications to the Critical Infrastructure Protection Reliability Standards to improve mandatory reporting of cyber security incidents, including attempts that might facilitate subsequent efforts to harm reliable operation of the nation’s bulk electric system.” (Emphasis added).

The FERC guidance gives NERC the capability to define reporting thresholds based on the criticality of the BES System. However, little is guidance given to what actually counts as an “attempt to breach a perimeter of a network”? Does a utility now have to document every NMAP or Shodan scan looking for open ports? One could argue so since that is probing, gathering intelligence and “preparing the battlefield”.

In my opinion, the bureaucrats are not leveraging/listening to practitioners/ex-practitioners enough before pressing these “pie in the sky” regulations. If organizations are forced to allocate the majority of their resources (which WILL be the consequence of this) to this type of regulatory overhead, how are they supposed to actually secure their environments? If this comes to fruition, the burden of meeting this regulation will be, quite frankly, ridiculous. Furthermore, the cost of doing so, will be passed on to the customer. There is a reason that being compliant != being secure.

For the full text of the order go to

Need help making sense of this? Leave a comment or contact us HERE.