{"id":27503,"date":"2025-05-30T17:18:59","date_gmt":"2025-05-30T17:18:59","guid":{"rendered":"https:\/\/www.trccompanies.com\/?post_type=news-and-insights&p=27503"},"modified":"2025-05-30T20:15:50","modified_gmt":"2025-05-30T20:15:50","slug":"enhance-security-planning-and-reporting-with-key-takeaways-from-nercs-2024-cyber-report","status":"publish","type":"news-and-insights","link":"https:\/\/www.trccompanies.com\/fr\/insights\/enhance-security-planning-and-reporting-with-key-takeaways-from-nercs-2024-cyber-report\/","title":{"rendered":"Enhance Security Planning and Reporting with Key Takeaways from NERC\u2019s 2024 Cyber Report\u00a0"},"content":{"rendered":"\n\n
\n
\n \n
\n
\n

NERC has issued its 2024 Cyber Security Report, reviewing reported incidents related to Reliability Standard CIP-008-6. The details of cyber incidents provide important lessons learned that can help all utilities adapt their security and compliance programs and better protect reliability for their customers. <\/span>\u00a0<\/span><\/p>\n

2024 Incidents\u00a0<\/span><\/h2>\n

NERC recorded three CIP-008-6 cybersecurity events reported in 2024 \u2013 one in the Northeast Power Coordinating Council region, one in the Reliability First Region and one in the Western Electricity Coordinating Council region. None of these incidents compromised or functionally impacted bulk power system reliability or security. In most cases, the entity\u2019s controls were sufficient to identify and mitigate the attacks, blocking traffic from threatening IP addresses.\u00a0\u00a0<\/span>\u00a0<\/span><\/p>\n

The first incident was generated after a responsible entity received 20 alerts from its Security Information and Event Monitoring (SIEM) for failed login attempts to a medium impact bulk electric cyber system (BCS). This attempt to compromise tracked two IP addresses from Wyoming and Florida, both attempting to login with the same username, leading to the conclusion they were from the same attacker.\u00a0<\/span>\u00a0<\/span><\/p>\n

The second incident consisted of two attempts to compromise. The first was a failed brute force attack from foreign IP addresses, documented by AbuseIPDB and Talos, locking an unspecified number of user accounts and likely serving as a precursor to a second attack. Nearly a month later, was a<\/span><\/span><\/span> second<\/span><\/span><\/span> brute force attack<\/span><\/span><\/span>, <\/span>the responsible entity <\/span>observed<\/span> a large volume of failed authentication attempts on the same <\/span>Virtual Private Network (VPN)<\/span><\/span> , this time locking about 20 accounts. While not gaining the intended access to the BCS, the entity reported these attacks strained operational efficiency and IT resources needed to unlock the impacted accounts. These two attempts were attributed to the same internet service provider.\u00a0<\/span>\u00a0<\/span><\/p>\n

The third incident was also an attempt to compromise that occurred when a Responsible Entity observed a foreign IP address attempting to perform an active MITRE ATT&CK14 scan of its SCADA network. Based on a log review, the attacker only made initial connections to the network and then was blocked by the entity\u2019s firewall. The attack remains under investigation to determine the source of the attack.<\/span>\u00a0<\/span><\/p>\n

These three incidents are considered attempts to compromise. The number of reports from 2023 to 2024 remained the same. Two of the three 2024 attacks originated from IP addresses in foreign countries, and there was an increased level of sophistication using multiple IP addresses in two of the attempted attacks. Unlike the reports of 2022 and 2023, none of the reports mentioned involved third-party or contracted employees. However, based on recent trends, it is still important to remain vigilant regarding systems operated by both utilities and made available to contracted third parties.<\/span><\/p>\n

\"Cyber<\/a><\/p>\n

\"Attack<\/a><\/p>\n

Key Takeaways from Attempts to Compromise\u00a0<\/h2>\n

While none of the reported events compromised the BCS or impacted reliability, NERC\u2019s findings illustrate several important trends that should not be ignored. The threat landscape is clearly advancing, with two of the three attacks originating from multiple foreign IP addresses and demonstrating a higher level of sophistication than previous years.<\/span>\u00a0<\/span><\/p>\n

Even though the attempts failed, they still carry operational consequences like locked accounts and increased pressure on IT staff, reinforcing the fact that even failed attacks can disrupt day-to-day operations and erode cyber readiness. Although the current detection and mitigation controls proved effective, the growing complexity of threats means those controls must continue to strengthen. Utilities must continue investing in stronger internal controls, staff training and real-time monitoring to stay ahead of increasingly advanced attacker capabilities and ensure their systems stay vigilant and protected.\u00a0<\/span>\u00a0<\/span><\/p>\n

TRC clients are encouraged to contact our security experts to assist with the development of internal controls and processes for investigating cybersecurity events. The CIP-008-6 mandatory standard has very prescriptive, time-bound reporting and compliance record keeping requirements.<\/span>\u00a0<\/span><\/p>\n

Next Steps: Prepare for Incident Reporting Changes\u00a0<\/h2>\n

To enhance cyber security reporting requirements, NERC is continuing its standards development project, <\/span>Project 2022-05 \u2013 Modifications to CIP-008 Reporting Threshold<\/span><\/a>, which resulted from efforts to assess the implementation of CIP 008-6. By establishing clearer expectations for identifying and reporting attempted compromises, the updated standard will help ensure that more consistent, timely and actionable data is shared across the industry.<\/span>\u00a0<\/span><\/p>\n

The Electricity Information Sharing and Analysis Center (E-ISAC), operated by NERC, serves as a central hub for cyber and physical threat information. When responsible entities submit qualifying incidents to the E-ISAC, they contribute to a broader picture of emerging threats, helping promote industry-wide situational awareness and enabling the development of proactive security resources. Ultimately, these efforts will strengthen the collective ability of asset owners and operators to detect vulnerabilities earlier and respond more effectively, reducing risk across the bulk power system.\u00a0<\/span>\u00a0<\/span><\/p>\n

Resources\u00a0<\/h2>\n

NERC report on 2024 Cyber Security Incidents<\/span><\/a><\/p>\n

FERC Order 848<\/span><\/a>\u00a0<\/span><\/p>\n

CIP-008-6<\/span><\/a>\u00a0<\/span><\/p>\n

CIP-008-6 Reporting Threshold Standards Authorization Request<\/span><\/a>\u00a0<\/span><\/p>\n

TRC Cybersecurity Services<\/span><\/a>\u00a0<\/span><\/p>\n

OT-Cyber-Security.pdf<\/span><\/a>\u00a0<\/span><\/p>\n

About TRC\u2019s NERC Security Practice\u00a0<\/h2>\n

TRC\u2019s approach to power system security balances solutions that incorporate appropriate standards, regulatory requirements, best practices and operational goals and budgets. Our work for public and private sector utility clients is a testament to our understanding of NERC compliance related aspects of your business. Our successful application of technology solutions in a constantly evolving business and regulatory landscape will provide you with confidence regarding your power system compliance programs. Our power system security experts help you stay ahead of changing regulatory expectations because they stay engaged with the regulatory process and know how to plan, design and install programs that address your financial, technical and scheduling goals including compliance with changing NERC standards and guidelines as well as industry \u201cbest practices\u201d and the latest technology developments<\/span>\u00a0<\/span><\/p>\n

This regulatory update is a service to TRC\u2019s utility clients, helping keep you informed of issues that impact your company\u2019s compliance risks along with related topics regarding future regulatory developments to help you achieve your company\u2019s business goals.\u00a0<\/span>\u00a0<\/span><\/p>\n <\/div>\n

\n
\n
\n

Related Services<\/h4>\n