The Edison Electric Institute is warning federal regulators that a recently proposed cybersecurity standard will increase the risk of the U.S. utility industry's most sensitive data falling into the hands of a nation-state or bad actor.
Edison Electric Institute, or EEI, is the nation's investor-owned electric utility trade group. It issued the warning in March 15 comments about revised cybersecurity standards (RD22-3) that the North American Electric Reliability Corp. filed with the Federal Energy Regulatory Commission in February.
Historically, evidence demonstrating compliance with the reliability standard that safeguards the nation's most critical transmission stations and substations has been collected and reviewed during on-site audits. Under NERC's proposal, however, registered entities would instead transmit that evidence to a secure evidence locker developed by NERC and the six regional entities.
NERC asserted that its evidence locker is "highly secure, isolated, and on-premises," with advanced technology that allows entities to securely submit evidence through encrypted sessions. Moreover, on-site audits "continue to be difficult in light of ongoing pandemic conditions," NERC said in its proposal.
The proposal also included alternative means of compliance allowing entities to develop their own secure evidence lockers subject to NERC's approval.
Not a 'risk-free' environment
EEI pushed back on NERC's reasoning, arguing that "ease of access cannot take precedence over the safety, security and reliability of the electric grid, especially for the most sensitive data."
Citing "continued geopolitical conflicts and potential for unauthorized access," the trade group argued that NERC's regional entities should continue to review compliance evidence "only on-site at the registered entities for the most sensitive data."
Russia's invasion of Ukraine, for example, has U.S. electric utilities bracing for cyberattacks after the U.S. Department of Homeland Security issued a "Shields Up" alert last month.
EEI specifically said NERC's proposal understates the risks of retaining information in a centralized environment.
The organization's secure evidence locker "is not a risk-free, '100% assurance' environment," EEI said. "By accumulating this data in the [secure evidence locker], [NERC] itself becomes a more attractive target for sophisticated attackers who no longer need to attack multiple targets to gain comprehensive multi-company views of critical energy information and assets."
EEI also took issue with the proposal's alternative compliance framework, which allows entities to appeal disputed submissions to the vice president of compliance of the applicable regional entity. That provision does not provide for further recourse if the vice president denies an appeal, EEI noted.
"While EEI members appreciate NERC's concerns about the challenges of having auditors on-site, there are alternative methods for sharing sensitive information besides in-person review or via a centralized collection," the trade group said.
NERC's proposal is still pending at FERC.
S&P Global Commodity Insights produces content for distribution on S&P Capital IQ Pro.