Groups Urge Risk-Based Approach for Covered Entities for Cyber Incident Reporting

by Paul Ciampoli
APPA News Director
November 10, 2022

The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) should define “covered entities” for cyber incident reporting in a risk-based manner, the American Public Power Association (APPA) and the Large Public Power Council (LPPC) said in response to a request for information (RFI) issued by CISA on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

“While the whole electric sector is critical to national and economic security, not all electric utilities have the same risk profile,” APPA and LPPC said in their comments.

“Acknowledgement of this fact is of particular importance to public power utilities, as APPA’s and LPPC’s members have widely different risk profiles ranging from an electric utility with transmission assets that serves millions of customers to a very small distribution electric utility without an industrial control system serving 200 customers,” they said.

Moreover, APPA and LPPC strongly encouraged CISA to utilize previous efforts to identify the most critical of critical systems and assets as it determines what constitutes a covered entity under the law.

APPA and LPPC believe that such a targeted definition of “covered entity” — especially in this initial implementation period — has the dual benefit of ensuring that entities with the highest risk profiles begin incident reporting immediately, thereby increasing national security, and keeping the number of entities covered under the law to a limited, more manageable level, allowing CISA and industry to more easily work out any implementation kinks.

APPA and LPPC also recommended that CISA tightly limit the definition of “covered cyber incident” to significant and substantial incidents that impact critical systems or services.

For example, a large electric utility that is a covered entity should have to report if it discovers an industrial control system breach at a generation plant or transmission facility. “A covered entity should not have to report a phishing attempt on the email of an accountant that has no connection or control of the operating technology for the electric system,” APPA and LPPC said.

“Critical infrastructure entities are the targets of malicious cyber actors millions of times a day. An overly broad definition of covered cyber incidents would present enormous compliance challenges for utilities, and even if these challenges could be overcome, the result would be a deluge of reports that would make it difficult, if not impossible, for CISA to determine a signal through the noise.”

Balancing Situational Awareness and Cyber Incident Response

The groups also argued that as CISA considers reporting processes and reporting content, it is important that it considers the ultimate purpose of this reporting, which is not to over burden victims for the sake of reporting, but to assist critical infrastructure and the federal government in identifying, addressing, or responding to cyber security threats. 

Some critical infrastructure sectors are already covered by federal mandatory reporting of certain cyber incidents, in addition to state laws for reporting of data breach incidents. “In implementing CIRCIA’s incident reporting standards, APPA and LPPC strongly encourage DHS CISA to harmonize any new obligations with utilities’ existing requirements to avoid confusion and conflict between CIRCIA obligations and other mandatory reporting channels.”

Additionally, some sectors, like the electric sector, also have active voluntary reporting and machine-to-machine sharing already taking place. “CISA should recognize and take into consideration these voluntary reporting pathways and associated sector focused analysis, given the value these mechanisms currently provide to critical infrastructures.”

Existing Reporting

A covered entity is exempt from reporting under CIRCIA if it is already required to make reports on similar information to another federal agency, within a similar timeframe, if there is an agreement in place between CISA and that other federal agency, the groups pointed out.

Given the existing incident reporting regimes overseen by the Federal Energy Regulatory Commission and the Department of Energy, “CISA should engage in direct and deep consultation with FERC and DOE as it works to implement CIRCIA.”

Moreover, CISA must take into account existing data breach reporting requirements at the state level, they added.

“To improve the threat landscape and associated awareness of it, it will be critical to work with existing infrastructures wherever possible to allow single-point reporting with the government being responsible for sharing information internally in a need-to-know environment, rather than imposing multiple reporting obligations on an impacted entity, which may also be dealing with a live cybersecurity event.”

Cost Impacts

APPA and LPPC also said that CISA must be mindful of the cost of any new rule on smaller entities.

“The cost of electric service is a key factor in the nation’s economic health, and the reality of varying, but finite resources and budgets suggests that overspending on security measures may compromise grid reliability in other respects. This is especially important to consumer-owned, not-for-profit public power utilities,” they said.