To assist utilities with assessing and responding to cyber risks, the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) recently issued a report on best practices to respond to and recover from cybersecurity incidents in the utility industry.

Like other industries, the utility industry is at high risk for cyber-attacks by bad actors or nation states. Following the cyber-attack against a pipeline earlier this year, [view related post], FERC and NERC issued the guidance based upon the National Institute of Standards and Technology (NIST) cybersecurity incident response lifecycle of preparation, detection and analysis, containment, eradication and recovery, and post-incident activity.

According to the report, an incident response plan should provide personnel responsible for incident response with well-defined roles, so they can respond quickly and effectively and include personnel with appropriate skills and support to respond, mitigate, contain and learn from a cyber incident. The guidance is helpful in outlining the elements of an Incident Response Plan and providing suggestions on how to develop and implement one, which is crucial for utilities to continue operating in the event of an attack.

In addition to attacks by bad actors and nation states, the utility and energy industries are also at risk for attacks through vendors. Therefore, in addition to developing and implementing an incident response plan, a vendor management plan can assist utilities and oil and gas companies to assess and manage the risk of a cyber-attack through vendors.

The Department of Energy’s Office of Energy Efficiency and Renewable Energy (EERE) recently announced a multi-year plan to accelerate cybersecurity research and development in the renewable energy, manufacturing, buildings and transportation sectors. According to EERE, “Cyber threats targeting EERE technologies present an immediate risk to the integrity and availability of energy infrastructure and other systems critical to the nation’s economy, security and well-being.”

These efforts are designed to assess and prevent cyber incidents against critical infrastructure and to respond and mitigate the effects of a cyber incident in these industries, which would have a serious and potentially devastating effect on the U.S. population.

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.