OUR APPROACH
FirstEnergy is committed to protecting its employees, customers, facilities and the ongoing reliability of the electric system. We work closely with state and federal agencies and our peers in the electric utility industry to identify physical and cybersecurity risks, exchange information and put safeguards, including training, in place to comply with strict reliability and security standards. From a security standpoint, the electric utility sector is one of the most regulated industries. We have comprehensive cyber and physical security plans in place, but we do not publicly disclose details about these measures that could aid those who want to harm our customers, our employees, or our assets.
CYBERSECURITY OVERSIGHT
FirstEnergy seeks to protect its customers, employees, facilities and the ongoing reliability of the electric system. FirstEnergy works closely with state and federal agencies and its peers in the electric utility industry to identify physical and cyber security risks, exchange information, and put safeguards in place to comply with strict reliability and security standards. From a security standpoint, the electric utility sector is one of the most regulated industries.
FirstEnergy has established a broad framework to assess, identify and manage material risks from cyber security threats. This program is established at the executive level, with regular reporting to, and oversight by, the Board. At the highest level, FirstEnergy’s program includes multi-layered governance by management, the Audit Committee, the Operations and Safety Committee, and the Board, as described below and in greater detail within the Annual 10-K.
Board-Level Oversight
The Board of Directors is responsible for overseeing cybersecurity and receives updates from the Vice President, Cyber Security and Chief Information Security Officer (CISO) at a scheduled cadence.
The Board's Audit Committee reviews cybersecurity risk management practices and the Operations and Safety Oversight Committee reviews cybersecurity operational performance, primarily through reports provided by management, and reviews the steps taken to monitor, control and mitigate cybersecurity risks.
Executive-Level Oversight
The Vice President, Cyber Security and CISO provides regular cybersecurity reports to the Board of Directors at scheduled Board meetings and regularly updates the Audit Committee and Operations and Safety Oversight Committee on a range of cybersecurity topics.
A collaborative cross-departmental committee, comprised of leaders from various business units, including Risk, Internal Audit, Information Security and others, meets monthly to review and assess security metrics, major security projects and security-related industry trends.
Cybersecurity Team
Led by the Vice President, Cyber Security and CISO, this team is responsible for managing and implementing the cybersecurity strategy, as well as training and education for all employees and contractors.
The team is tasked with incident response and root cause analysis; vulnerability management; risk assessments; regulatory compliance; security application support; monitoring and alerting; and support and configuration of cybersecurity hardware and software.
CYBERSECURITY STRATEGY AND PROCESS
FirstEnergy leverages industry best practices to protect its information assets and employs a layered defense-in-depth cybersecurity strategy. The concept behind this strategy is that if one layer of defense does not stop an attack, there are other layers of additional security measures in place.
We are continuously and proactively identifying and mitigating cybersecurity threats – not simply reacting to them. As part of our cybersecurity efforts, we are:
- Deploying devices that provide physical and electronic protections, logging and monitoring.
- Using data analytics to help detect and mitigate potential threats.
- Implementing third-party tests that use “friendly” hackers to attack our network, so we can validate our technical cybersecurity control effectiveness and address any deficiencies we identify.
- Leveraging available threat intelligence to monitor for the latest techniques used by attackers.
To support the need for continuous monitoring and detection, our Transmission Security Operations Center (TSOC) uses a unique set of technologies to assess security events from a physical, cyber and operational technology perspective. The TSOC is responsible for performing threat analysis; conducting investigations; analyzing security metrics and trends; reporting to company leadership and our Board Audit Committee; and sharing security information with industry, government and regional partners.
CYBERSECURITY EDUCATION AND TRAINING
Education and training for employees is critical to our cybersecurity program. All employees are required to successfully complete annual cybersecurity awareness training, which includes education on email and text-based phishing.
In addition to these required annual trainings, we test employees continuously with simulated phishing scams to help ensure they can identify and avoid such attacks. Additional training is assigned as needed.
Cybersecurity policy training and elevated user training are required for all employees who are approved for elevated levels of access to systems or information as a required function of their job.
Beyond official training, we strive to regularly educate our employees on cybersecurity matters. We provide ongoing educational content through our internal employee portal and periodic educational presentations.
MITIGATING PHYSICAL AND CYBER RISK EXPOSURE
Over the past several years, we have witnessed a significant increase in the frequency, scope and sophistication of physical and cybersecurity attacks on critical infrastructure. FirstEnergy invests heavily in innovative and layered security measures that use both technological and physical barriers to protect critical transmission facilities and our digital communications networks.
As we modernize the grid with smart technologies, for example, the operational benefits come with increased risk of potential threats. Digital systems like Supervisory Control and Data Acquisition (SCADA) devices (used to remotely monitor our systems in real time), smart meters and internet-enabled streetlights offer significant improvements in operations. But they also increase the number of points where malicious actors can try to gain access and compromise larger systems. To mitigate these potential threats, we build in additional safeguards to protect our networks.
Threats don't always come directly from the internet. Physical access to critical systems is also closely monitored. We regularly perform vulnerability assessments at sites across our footprint. Substations and other critical infrastructure locations are increasingly protected with special fencing, monitors, intrusion alarms, and around-the-clock monitoring at our Security Operations Center.
INFORMATION SECURITY
FirstEnergy has several policies and programs in place for the protection of sensitive information and the retention of the company’s records. These guide employees on how to identify, classify and dispose of company records. Examples of these include an Enterprise Records Retention Policy, and Sensitive Information and Secure Disposal of Sensitive Information Policies. In addition to these practices and programs, FirstEnergy also has Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) programs in place to enforce reliability standards for the North American bulk-power system and meet compliance requirements for the protection of sensitive information.