Cybersecurity and Physical Security

FERC staff report details lessons learned from reliability audits

Federal Energy Regulatory Commission staff on Oct. 4 issued a report offering recommendations to help users, owners and operators of the bulk-power system improve their compliance with mandatory Critical Infrastructure Protection (CIP) standards as well as their overall cybersecurity posture.

FERC said that the findings in the report are based on non-public CIP audits of registered entities. Those audits found that most of the cybersecurity protection processes and procedures adopted by the entities met the mandatory requirements of the standards.

FERC staff said the lessons learned from the audits completed in fiscal year 2019 can help entities assess their risk and compliance with mandatory reliability standards and, more generally, can facilitate efforts to improve the security of the nation’s electric grid.

Staff from FERC’s Office of Electric Reliability and Office of Enforcement conducted the audits in collaboration with staff from the North American Electric Reliability Corporation and its regional entities.

The report said that audit fieldwork primarily consisted of data requests and reviews, webinars and teleconferences, and a site visit to each entity’s facilities.

Prior to a site visit, staff issued data requests to gather information pertaining to an entity’s CIP activities and operations and held webinars and teleconferences to discuss the audit scope and objectives, data requests and responses, technical and administrative matters, and compliance concerns.

During a site visit, staff interviewed an entity's subject matter experts, observed the operating practices, processes, and procedures used by its staff in real time, and examined its functions, operations, practices, and regulatory and corporate compliance culture.

Additionally, staff interviewed employees and managers responsible for performing tasks within the audit scope, analyzed documentation to verify compliance with requirements, conducted several field inspections, and observed the functioning of applicable cyber assets identified by an entity as high, medium, or low impact. Staff also interviewed compliance program managers, staff, and employees responsible for day-to-day compliance and regulatory oversight.

The data, information, and evidence provided by an entity were evaluated for sufficiency, appropriateness, and validity.

In addition to assessing compliance with the CIP reliability standards, the report includes recommendations regarding cybersecurity practices that are voluntary.

Among the report’s recommendations:

  • Consider all generation assets, regardless of ownership, when categorizing bulk electric system cyber systems associated with transmission facilities;
  • Ensure that all employees and third-party contractors complete the required training and that the training records are properly maintained;
  • Verify employees’ recurring authorizations for using removable media; and
  • Review all firewalls to ensure there are no obsolete or overly permissive firewall access control rules in use.
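The last recommendation is the one that most readily turns into a repeatable check. The script below is an added example, not code from the FERC report or from NERC; it scans a firewall access-control list for rules that are overly permissive (any-to-any sources and destinations, wide address ranges, "any" service or near-full port ranges) or obsolete (never matched, or not matched within a staleness window). The CSV column layout, the 180-day staleness threshold, the /24 "broad network" cutoff, and the sample rules are all assumptions constructed for the example; a real audit would export the vendor's native rule table and map its columns to these fields.

```python
"""Flag obsolete or overly permissive firewall rules in a rule export.

Added example, not from the FERC report. The CSV layout, thresholds, and
sample rules below are constructed for illustration.
"""
import csv
import ipaddress
from datetime import date
from io import StringIO

# Constructed sample export (hypothetical vendor-neutral layout):
# name,action,src,dst,proto,ports,hits,last_hit
SAMPLE_RULES = """\
name,action,src,dst,proto,ports,hits,last_hit
ems-to-rtu,allow,10.10.1.0/24,10.20.0.5/32,tcp,20000,15230,2019-09-30
legacy-vendor,allow,0.0.0.0/0,10.20.0.0/16,any,any,0,never
hist-db,allow,10.10.2.10/32,10.30.0.7/32,tcp,1433,880,2019-09-29
temp-troubleshoot,allow,10.10.0.0/16,10.20.0.0/16,tcp,1-65535,42,2018-03-14
default-deny,deny,0.0.0.0/0,0.0.0.0/0,any,any,99012,2019-09-30
"""

AUDIT_DATE = date(2019, 10, 4)   # assumed "today" for the staleness check
STALE_DAYS = 180                  # assumed threshold; tune to local policy
MAX_PREFIX = 24                   # networks wider than /24 count as broad
MAX_PORTS = 1024                  # more open ports than this counts as broad


def is_broad(cidr: str, max_prefix: int = MAX_PREFIX) -> bool:
    """True if the address field is 'any' or wider than max_prefix."""
    if cidr.lower() == "any":
        return True
    return ipaddress.ip_network(cidr, strict=False).prefixlen < max_prefix


def port_span(ports: str) -> int:
    """Number of ports a service field opens ('any', 'lo-hi', or 'a,b,c')."""
    if ports.lower() == "any":
        return 65536
    if "-" in ports:
        lo, hi = (int(p) for p in ports.split("-", 1))
        return hi - lo + 1
    return len(ports.split(","))


def audit_rule(rule: dict, today: date) -> list:
    """Return a list of finding tags for one rule (empty if clean)."""
    findings = []
    if rule["action"].lower() != "allow":
        return findings  # a deny rule cannot be over-permissive
    broad_src, broad_dst = is_broad(rule["src"]), is_broad(rule["dst"])
    if broad_src and broad_dst:
        findings.append("broad-src-and-dst")
    elif broad_src:
        findings.append("broad-src")
    elif broad_dst:
        findings.append("broad-dst")
    if rule["proto"].lower() == "any" or port_span(rule["ports"]) > MAX_PORTS:
        findings.append("broad-service")
    if int(rule["hits"]) == 0:
        findings.append("never-matched")
    elif rule["last_hit"] != "never":
        age = (today - date.fromisoformat(rule["last_hit"])).days
        if age > STALE_DAYS:
            findings.append(f"stale-{age}d")
    return findings


def audit(csv_text: str, today: date) -> dict:
    """Map rule name -> findings, keeping only rules that have findings."""
    report = {}
    for row in csv.DictReader(StringIO(csv_text)):
        findings = audit_rule(row, today)
        if findings:
            report[row["name"]] = findings
    return report


def run_sample() -> dict:
    """Audit the constructed sample as of AUDIT_DATE."""
    return audit(SAMPLE_RULES, AUDIT_DATE)


if __name__ == "__main__":
    for name, tags in run_sample().items():
        print(f"{name}: {', '.join(tags)}")
```

On the sample, `legacy-vendor` is flagged as any-to-wide, any-service, and never matched (a candidate for removal), and `temp-troubleshoot` is flagged as wide-to-wide with a near-full port range and no traffic in over a year (a rule that outlived its ticket). Clean narrow rules and the final default deny produce no findings. Treating a zero hit count as a finding assumes counters were not reset recently; check counter age before deleting on that basis alone.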

The report also reviews recommendations from the FERC staff's 2018 Lessons Learned Report and the 2017 Lessons Learned Report.