NRECA will work to ensure that future cybersecurity reporting requirements from the Department of Homeland Security allow authorities to zero in on real threats and not overburden electric cooperatives already following strong notification protocols.
The recently enacted Cyber Incident Reporting for Critical Infrastructures Act of 2022 requires the electric sector to report to the Cybersecurity and Infrastructure Security Agency at DHS within 72 hours of a “substantial cyber incident” and within 24 hours if a ransomware payment is made.
CISA now must develop reporting requirements and procedures via a rulemaking process within two years.
NRECA will engage with CISA during the rulemaking process to streamline implementation, limit the number of electric co-ops impacted, prevent burdensome requirements and set a clear trigger for reporting.
Many electric co-ops already participate in cybersecurity reporting, including under North American Electric Reliability Corp. (NERC) regulations. Some are under state requirements, while others voluntarily report to the Electricity Information Sharing and Analysis Center. This agency provides analysis and rapid sharing of security information for the electricity industry to the FBI or other federal agencies.
The forthcoming mandates from CISA could end up placing NERC-regulated co-ops under a lower bar for reporting and are likely to cover other co-ops for the first time, said Bridgette Bourge, NRECA legislative affairs director for cybersecurity.
“We will work to make sure the requirements are reasonable, feasible and appropriate,” she said. “Too much reporting can create white noise with DHS receiving millions of pings a day. We will advocate for not oversharing where the value of sharing gets lost.”