Enterprise Security

Our Approach

At FirstEnergy, we are committed to protecting the ongoing reliability of our electric system. We recognize that threats to our critical energy infrastructure could jeopardize public safety and potentially leave millions of customers without electricity. As physical threats become increasingly common and cyberattacks escalate in number and sophistication, we are working continuously to reinforce our grid defenses and protect our systems. Although we have comprehensive cyber and physical security plans in place, we don’t publicly disclose details about these measures that could aid those who want to harm our infrastructure, customers or employees.

We work closely with law enforcement and intelligence partners to identify physical and cybersecurity risks, exchange information and put safeguards in place to comply with strict reliability and security standards. We maintain compliance with NERC’s Critical Infrastructure Protection (CIP) industry standard, and we meet all mandates and standards set by the states in which we operate.

We also collaborate with peer groups in the electric utility industry. For example, we participate in the Electric Information Sharing and Analysis Center, a key industry group that serves as a security information clearinghouse and notifies electric utilities of threats in the industry. In addition, as part of our participation in the North American Transmission Forum, we collaborate with our peer utilities on defenses against evolving cyberattacks and take part in peer reviews and assessments, which help us to evaluate and strengthen best practices. We also participate in the Northeast Ohio Cyber Consortium, a cross-sector information-sharing and cyber-analysis organization formed to address and mitigate escalating cyber threats across various industries.

Cybersecurity Oversight

Cybersecurity is a key enterprise risk, with both Board and executive-level oversight.

Board-Level Oversight

The Board of Directors is responsible for overseeing cybersecurity and receives updates from the CIO or VP of Cyber and Physical Security at each regularly scheduled Board meeting.
The Board's Audit Committee reviews cybersecurity performance and risk management practices, primarily through reports provided by management, and reviews the steps taken to monitor, control and mitigate cybersecurity exposure.

Executive-Level Oversight

The CIO and/or VP of Cyber and Physical Security provide regular cybersecurity reports to the Board of Directors at scheduled Board meetings and regularly update the Audit Committee on a range of cybersecurity topics.
A collaborative cross-departmental committee, comprised of leaders from various business units, including Risk, Internal Audit, Information Security and others, meets monthly to review and assess security metrics, major security projects and security-related industry trends.

Cybersecurity Team

Led by the VP of Cyber and Physical Security, this team is responsible for managing and implementing the cybersecurity strategy, as well as training and education for all employees and contractors.

The team is tasked with incident response and root cause analysis; vulnerability and risk assessments; regulatory compliance and patch management oversight; security application support; and support and configuration of cybersecurity hardware and software.

Cybersecurity Strategy and Process

FirstEnergy leverages industry best practices to protect its information assets and employs a layered defense-in-depth cybersecurity strategy. The concept behind this strategy is that if one layer of defense does not stop an attack, there are other layers of additional security measures in place.

We’re proactively identifying and mitigating cybersecurity threats—not simply reacting to them. As part of our cybersecurity efforts, we are:

To support the need for continuous monitoring and detection, our Transmission Security Operations Center (TSOC) uses a unique set of technologies to assess security events from a physical, cyber and operational technology perspective. The TSOC is responsible for performing threat analysis; conducting investigations; analyzing security metrics and trends; reporting to company leadership and our Board Audit Committee; and sharing security information with industry, government and regional partners.

Cybersecurity Education and Training

Education and training for employees is critical to our cybersecurity process. All employees are required to successfully complete annual cybersecurity awareness training and annual anti-phishing training. These trainings teach employees to recognize phishing attempts and other attack methods, protect their credentials and passwords, and abide by our internal controls, processes and procedures at all times.

In addition to these required annual trainings, we test employees quarterly with phishing scams to ensure they can identify and avoid such attacks. Additional training is assigned as needed.

Cybersecurity policy training and elevated user training are required for all employees who are approved for elevated information access resulting from a change in position or other circumstance.

Beyond official training, we strive to regularly educate our employees on cybersecurity matters. We provide ongoing educational content through our internal employee portal and periodic lunch-and-learn sessions.

Mitigating Physical and Cyber Risk Exposure

Over the past several years, we have witnessed a significant increase in the frequency, scope and sophistication of physical and cybersecurity attacks on critical infrastructure. FirstEnergy invests heavily in innovative and layered security measures that use both technological and physical barriers to protect critical transmission facilities and our digital communications networks.

Through our FE Forward business improvement initiative, we combined cyber and physical security, enabling us to take a comprehensive approach to protecting critical infrastructure and adapting to the evolving landscape of physical and cyberthreats. It also enables us to mitigate risks as our business, our industry, and the world around us change.

As we modernize the grid with smart technologies, for example, the operational benefits come with increased risk of potential threats. Digital systems like Supervisory Control and Data Acquisition (SCADA) devices (used to remotely monitor our systems in real time), smart meters and internet-enabled streetlights offer significant improvements in operations. But they also increase the number of points where malicious actors can try to gain access and compromise larger systems. To mitigate these potential threats, we build in additional safeguards to separate our networks.

Threats don't always come directly from the internet. Physical access to critical systems is also closely monitored. We regularly perform vulnerability assessments at sites across our footprint. Critical locations are monitored around the clock and are protected by both digital and physical barriers.

Preventing Increased Phishing Activity

In addition, the COVID-19 pandemic created new security threats, as we transitioned more than half of our employees to remote work. The number one way that hackers try to enter a system is by tricking an employee into clicking on an email or providing their ID and password. At the onset of the COVID-19 pandemic in early 2020, the number of phishing emails increased by a reported 667%, according to a major network security firm. One of the most important preventive measures against this kind of attack is our phishing training and testing. To bolster our success in foiling these increasingly frequent, international cyber threats, FirstEnergy blocks suspicious traffic at the email gateway and also prevents FirstEnergy emails from being sent to suspicious destinations.

Information Security

FirstEnergy has several policies and programs in place for the protection of sensitive information and the retention of the company’s records. Employees are trained on and required to comply with the following policies:
