NERC Cyber Security Incident Reporting Is Obscuring the Truth

The electric industry is recognized as the most critical of critical infrastructures. Consequently, one would expect incident reporting to be important and trusted. Unfortunately, this is not occurring, as can be seen from the discrepancies between the DOE OE-417 reporting and the NERC submittal to FERC. It is evident that the DOE and NERC CIP reporting requirements are quite different. This is not the first time that NERC has misled Congress, the utilities, and the public on grid cyber security.

According to the NERC submittal, there were only eight cyber incident submittals to the ES-ISAC in 2022. Of those, no issues were identified on the OT EMS/SCADA network. How is that possible when the OE-417s identified 35 complete losses of monitoring or control capability at staffed Bulk Electric System control centers for 30 continuous minutes or more? NERC stated there was no evidence that any of the reported incidents were coordinated. Yet the OE-417 data included a cyberattack that affected a utility’s multi-state grid operations. NERC’s definition of cyber incidents effectively allowed NERC to exclude many real incidents because they did not meet that definition. It is evident that NERC’s reporting system obscures the truth about cyber incidents.

By sharing information on “sanitized” incidents, utilities’ OT, IT, and engineering staff could become more aware of the risk and be better enabled to take appropriate prevention measures. In these increasingly risky geopolitical times, Congress should mandate that FERC have much stronger direct regulatory, oversight, and penalty authority over the utility industry, and that NERC be reconstituted to be more accountable to national and economic security. At a minimum, FERC should mandate that NERC disclose what is disclosed in the OE-417s.

