OUR APPROACH

At FirstEnergy, we are committed to protecting the ongoing reliability of our electric system. We recognize that threats to our critical energy infrastructure could jeopardize public safety and potentially leave millions of customers without electricity. As physical threats become increasingly common and cyberattacks escalate in number and sophistication, we are working continuously to reinforce our grid defenses and protect our systems.

We work closely with law enforcement and intelligence partners to identify physical and cybersecurity risks, exchange information and put safeguards in place to comply with strict reliability and security standards. We maintain compliance with NERC's Critical Infrastructure Protection (CIP) industry standards, and we meet all mandates and standards set by the states in which we operate.

We also collaborate with peer groups in the electric utility industry. For example, we participate in the Electric Information Sharing and Analysis Center, a key industry group that serves as a security information clearinghouse and notifies electric utilities of threats in the industry. In addition, as part of our participation in the North American Transmission Forum, we collaborate with our peer utilities on defenses against evolving cyberattacks and take part in peer reviews and assessments, which help us to evaluate and strengthen best practices. We also participate in the Northeast Ohio Cyber Consortium, a cross-sector information-sharing and cyber-analysis organization formed to address and mitigate escalating cyber threats across various industries.

Although we have comprehensive cyber and physical security plans in place, we don't publicly disclose details about these measures as doing so could facilitate plans to harm our infrastructure, customers or employees.

CYBERSECURITY OVERSIGHT

Cybersecurity is a key enterprise risk, with both Board- and executive-level oversight.

Board-Level Oversight

The Board of Directors is responsible for overseeing cybersecurity and receives updates from CIO or CISO of Cyber and Physical Security at each regularly scheduled Board meeting.

The Board's Audit Committee reviews cybersecurity performance and risk management practices, primarily through reports provided by management, and reviews the steps taken to monitor, control and mitigate cybersecurity exposure.

Executive-Level Oversight

The CISO, CIO and/or SVP of Cyber and Physical Security provide regular cybersecurity reports to the Board of Directors at scheduled Board meetings and regularly update the Audit Committee on a range of cybersecurity topics.

A collaborative cross-departmental committee, comprised of leaders from various business units, including Risk, Internal Audit, Information Security and others, meets monthly to review and assess security metrics, major security projects and security-related industry trends.

Cybersecurity Team

Led by the CISO of Cyber and Physical Security, this team is responsible for managing and implementing the cybersecurity strategy, as well as training and education for all employees and contractors.

The team is tasked with incident response and root cause analysis; vulnerability and risk assessments; regulatory compliance and patch management oversight; security application support; and support and configuration of cybersecurity hardware and software.

CYBERSECURITY STRATEGY AND PROCESS

FirstEnergy leverages industry best practices to protect its information assets and employs a layered defense-in-depth cybersecurity strategy. The concept behind this strategy is that if one layer of defense does not stop an attack, there are other layers of additional security measures in place.

We are continuously and proactively identifying and mitigating cybersecurity threats – not simply reacting to them. As part of our cybersecurity efforts, we are:

Deploying devices that provide physical and electronic protections, logging and monitoring.
Increasing the use of data analytics to help predict, prepare for and mitigate threats.
Implementing third-party tests that use "friendly" hackers to attack our network, so we can validate our technical cybersecurity control effectiveness and address any deficiencies we identify.
Conducting an independent assessment of every aspect of our cybersecurity program to identify improvements and define our cybersecurity roadmap.

To support the need for continuous monitoring and detection, our Transmission Security Operations Center (TSOC) uses a unique set of technologies to assess security events from a physical, cyber and operational technology perspective. The TSOC is responsible for performing threat analysis; conducting investigations; analyzing security metrics and trends; reporting to company leadership and our Board Audit Committee; and sharing security information with industry, government and regional partners.

CYBERSECURITY EDUCATION AND TRAINING

Education and training for employees is critical to our cybersecurity process. All employees are required to successfully complete annual cybersecurity awareness training and annual anti-phishing training. These courses teach employees to recognize phishing attempts and other attack methods, protect their credentials and passwords, and abide by our internal controls, processes and procedures at all times.

In addition to these required annual trainings, we test employees continuously with simulated phishing scams to help ensure they can identify and avoid such attacks. Additional training is assigned as needed.

Cybersecurity policy training and elevated user training is required for all employees who are approved for elevated level of access to systems or information as a required function of their job.

Beyond official training, we strive to regularly educate our employees on cybersecurity matters. We provide ongoing educational content through our internal employee portal and periodic lunch-and-learn sessions.

MITIGATING PHYSICAL AND CYBER RISK EXPOSURE

Over the past several years, we have witnessed a significant increase in the frequency, scope and sophistication of physical and cybersecurity attacks on critical infrastructure. FirstEnergy invests heavily in innovative and layered security measures that use both technological and physical barriers to protect critical transmission facilities and our digital communications networks.

As we modernize the grid with smart technologies, for example, the operational benefits come with increased risk of potential threats. Digital systems like Supervisory Control and Data Acquisition (SCADA) devices (used to remotely monitor our systems in real time), smart meters and internet-enabled streetlights offer significant improvements in operations. But they also increase the number of points where malicious actors can try to gain access and compromise larger systems. To mitigate these potential threats, we build in additional safeguards to separate our networks.

Threats don't always come directly from the internet. Physical access to critical systems is also closely monitored. We regularly perform vulnerability assessments at sites across our footprint. Critical locations are monitored around the clock and are protected by both digital and physical barriers.

INFORMATION SECURITY

FirstEnergy has several policies and programs in place for the protection of sensitive information and the retention of the company’s records. Employees are trained on and required to comply with the following policies:

Corporate Policy 104 – Enterprise Records Retention Policy: guides employees on the proper retention and disposition of company records.
Corporate Policy 804 – Secure Disposal of Sensitive Information: educates employees on how to securely dispose of physical media that may contain sensitive information that is no longer needed.
Corporate Policy 808 – Sensitive Information: guides employees on the identification and classification of sensitive information.
RIM STD 2.05 – Sensitive Information Management: educates employees on how to protect information classified as sensitive.
Identity Theft Prevention Program: reflects the commitment of FirstEnergy to comply with the Fair and Accurate Credit Transactions Act of 2003 (also known as the “Red Flags Rule”).