Cyberattacks targeting U.S. energy infrastructure have significantly increased in 2024. A report from Thales Data Threat reveals that 42% of critical infrastructure companies, including energy sector firms, experienced data breaches. Between November 2023 and April 2024, 29 cyberattacks specifically impacted U.S. energy industrial control systems. In response to this growing threat, the FBI issued a Private Industry Notification in July 2024, warning of heightened risks to the U.S. renewable energy sector, including solar infrastructure and microgrids.
In response to these escalating threats, the Federal Energy Regulatory Commission (FERC) proposed two new rules on September 19, 2024, aimed at enhancing cybersecurity standards for the U.S. bulk-power system. The first proposal (Docket No. RM24-4-000) suggests requiring the implementation of critical infrastructure protection (CIP) standards to address supply chain risks, including validation of vendor-provided information, tracking risks, and ensuring that protected cyber assets (PCAs) are adequately secured.
The second proposed rule (Docket No. RM24-7-000) would mandate the implementation of internal network security monitoring within a defined perimeter, extending protections to include systems outside the electronic security perimeter. This move builds upon prior FERC directives and previous initiatives from other agencies like the U.S. Department of Energy (DOE), which introduced cybersecurity baselines for electric distribution systems and new supply chain principles in June 2024.
These FERC proposals represent an ongoing effort to strengthen cybersecurity standards in the energy sector. In addition to these new rules, recent exercises and reports, such as NERC’s biennial GridEx and the DOE’s cybersecurity baselines, underscore the importance of cooperation between utilities and non-federal entities to effectively address cyber threats. Public comments on these proposed rules are due within 60 days of their publication in the Federal Register.
Reference: