ERCOT Submits NPRR To Require Market Participants To Notify ERCOT Of Cybersecurity Incidents
March 21,2019
ERCOT has submitted a Nodal Protocol Revision Request (NPRR 928) to establish Market Participant notification responsibilities with respect to Cybersecurity Incidents.
Under this NPRR, a Market Participant must notify ERCOT of a malicious or suspicious act, "that compromises or disrupts a computer network or system, which could jeopardize the reliability or integrity of the ERCOT System or ERCOT market operations," according to a description of the NPRR
These notification requirements extend to malicious or suspicious acts that, "compromise or disrupt the computer network or system of a Market Participant’s agent that transacts with ERCOT," according to a description of the NPRR
The NPRR includes a requirement that each Market Participant designate and maintain a Cybersecurity Contact with ERCOT by utilizing the Notice of Change of Information form in Protocol Section 23.
Cybersecurity Incident information identifiable to a specific Market Participant is considered Protected Information under the NPRR. Although such information shall be considered Protected Information under the Protocols, if ERCOT determines that there is a need to inform a state or federal law enforcement agency for the purpose of ensuring the safety and/or security of the ERCOT System or ERCOT market operations, the NPRR allows ERCOT to disclose information concerning the Cybersecurity Incident, as well as the identity of the notifying Market Participant, as long as ERCOT obtains adequate assurance from the receiving law enforcement agency that it will maintain the confidentiality of the Cybersecurity Incident.
Finally, this NPRR provides that in the event ERCOT determines a Cybersecurity Incident could impact networks or systems of ERCOT or other Market Participants, ERCOT may, in its discretion, issue a Market Notice with information regarding the Cybersecurity Incident; any such Market Notice will not identify the notifying Market Participant or Critical Energy Infrastructure Information (CEII). Notably, this provision extends to Cybersecurity Incidents that ERCOT identifies on an ERCOT network or system. ERCOT proposes to maintain discretion concerning the issuance of a Market Notice concerning a Cybersecurity Incident to avoid revealing sensitive information that could compromise ongoing cybersecurity measures or investigations.