New Federal Rule strengthens cybersecurity for local electric utilities

May 1, 2024

CISA issues long-awaited critical infrastructure reporting requirements

The Cybersecurity and Infrastructure Security Agency (CISA) recently posted a notice setting forth stringent guidelines to protect critical infrastructure from cyber threats. The proposed rule, published on April 4, will enhance cybersecurity for municipal electric utilities.

Jen Easterly, director of CISA

Under the rule, covered entities are required to adhere to cybersecurity standards, including robust authentication measures and regular risk assessments. This ensures better protection against cyberattacks, which have increasingly targeted essential services.

It also aims to improve coordination among federal authorities in responding to threats and sharing essential information with industry and government partners.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) required cyber incidents be reported within 72 hours and ransom payments within 24 hours. In response, industry groups and others sent a joint letter to CISA requesting clarity on reporting requirements to prevent overwhelming security operations and avoid incomplete intelligence.

“CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure,” said CISA Director Jen Easterly. “It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats. We look forward to additional feedback from the critical infrastructure community as we move towards developing the Final Rule.”


Grid security strengthened

The rule comes amid growing concerns over cyber threats, particularly targeting municipal electric utilities. By enforcing these regulations, authorities aim to minimize the risk of disruptions to electricity supply.

Local governments and utilities must assess their cybersecurity frameworks promptly to comply with the new rule. Non-compliance may lead to penalties, highlighting the importance of prioritizing cybersecurity.

Industry experts stress proactive measures to safeguard critical infrastructure. Investing in advanced technologies and collaboration between stakeholders is essential to combat evolving cyber threats effectively.

This rule signifies a significant step in protecting vital utilities from cyber disruptions. It reflects a concerted effort to bolster cybersecurity and ensure uninterrupted services for communities nationwide.

The proposed rule is estimated to cost $2.6 billion, potentially affecting over 316,000 entities. A 60-day comment period is underway to collect written responses from the public.