Data Dive

On January 19, 2023, the Federal Energy Regulatory Commission (FERC or the “Commission”) issued a Final Rule directing the North American Electric Reliability Corporation (NERC) to file for FERC review new or modified Reliability Standards that require internal network security monitoring (INSM) within trusted Critical Infrastructure Protection (CIP) network environments for certain Bulk Electric System (BES) Cyber Systems.¹ The Final Rule, as we described here when first proposed, targets a gap in the current NERC CIP Reliability Standards. Specifically, its main goal is to ensure that registered entities adopt INSM capable of addressing “situations where vendors or individuals with authorized access are considered secure and trustworthy but could still introduce a cybersecurity risk, as well as other attack vectors that can exploit this gap,”² and to “increase the probability of early detection and allow for quicker mitigation and recovery from an attack.”³ Such was the style of the SolarWinds attack in 2020,⁴ which FERC said shows “how an attacker can bypass all network perimeter-based security controls traditionally used to identify the early phases of an attack” by leveraging the technology of a trusted vendor.⁵

On March 10, 2022, the U.S. Department of Transportation’s (DOT) National Highway Traffic and Safety Administration (NHTSA) issued a first-of-its-kind final rule updating occupant safety requirements to account for vehicles that lack the traditional manual controls associated with a human driver.¹

Akin Gump published a client alert on January 6, which discusses that the Transportation Security Administration (TSA), within the Department of Homeland Security (DHS), announcing two new Directives (the Directives) on December 2, 2021 mandating cybersecurity measures for critical surface transportation systems. The Directives’ requirements cover owners and operators of high-risk freight railroads, passenger rail and transit. TSA also issued an information circular calling for low risk rail owners and operators and over the road bus owners and operators (those not covered by the first two Directives) to voluntarily adopt the same cybersecurity measures.