
FERC SCRM Conference March 20: The Canary in the Coal Mine for Harmonized Cybersecurity Standards for Critical Infrastructure

There have been Congressional hearings on the need for harmonized cybersecurity standards across US critical infrastructure. The first real test of the potential for harmonized cybersecurity standards comes on March 20 at the FERC SCRM meeting. In my opinion, this is the canary in the coal mine moment for harmonized cybersecurity standards and the determination of which culture will prevail across the cybersecurity community: the Status Quo Frat House culture or Club House culture #42, where the best players are put on the field to face a very capable and determined cyber-adversary committed to succeeding in disrupting US critical infrastructure. There is a lot at stake and many open questions remain for this important meeting to resolve. NERC is the regulator for cybersecurity standards enforcement, which strikes fear of "regulatory retaliation" in many who dare not speak. The new administration may offer the best opportunity to remove the fear of regulatory retaliation with cybersecurity. Let industry decide what is best for cybersecurity standards using an ex-parte process that is free of regulatory retaliation concerns and fears. FERC may find it easier to engage an independent party to adopt cybersecurity guidelines and best practices for industry using an ex-parte process that does not include the enforcement arm of cybersecurity regulations, in order to enable a more open dialogue.

The testimonial comments provided by EEI are worth repeating here:

EEI's comments recognized that cybersecurity regulations must keep pace with the evolving threat landscape. Because industry owns, operates, and secures the majority of the energy grid, the federal government should incorporate industry's subject matter expertise in developing and implementing new regulations and streamline processes from which new regulations may emerge. EEI's comments also provided examples of cybersecurity regulatory conflicts, inconsistencies, redundancies, challenges, and opportunities. Some of the key points that EEI made include:

• Effective communication between government and industry is paramount to reconciling existing and future cybersecurity regulations;
• Harmonization is needed to address the high costs and inefficiencies caused by existing regulations or standards, or both;
• Harmonization efforts also must address third-party business partners;
• In addition to federal regulations, EEI members also are subject to (and must comply with) many state, local, tribal, and territorial cybersecurity requirements and standards; and,
• Additional matters to help harmonize cybersecurity regulations, such as:
  o Voluntary information sharing and protection;
  o Privacy laws and regulations;
  o Information handling;
  o Cloud security;
  o Contract terms; and,
  o Government coordination.

Harmonizing existing and proposed cybersecurity requirements is vital.[4]

[4] Comment Submitted by Edison Electric Institute, REGULATIONS.GOV (July 5, 2024).
