Author: Bill Hawk | November 17, 2020

In its 2020 Report on CIP Reliability Audits, the Federal Energy Regulatory Commission (FERC) found that most of the cybersecurity protection processes and procedures adopted by utilities met the mandatory CIP requirements for protecting the Bulk Electric System (BES). However, there are lessons learned and guidance for improvements that can better facilitate efforts to improve power system security.

Related Services

View All Services

Trc’s Clients Are Encouraged to Read the Report in Its Entirety

Several of the Lessons Learned are simply “good housekeeping” or industry-standard cybersecurity practices – above and beyond the requirements of NERC CIP compliance, but strongly recommended by Infosec practitioners.

However, our experts have noted that Lessons Learned 3, 5, 9, and 11 in particular are areas where utilities may benefit from independent review and perspective in order to improve security.

The report includes references to lessons learned from prior annual reports going back to 2017.

  • Ensure that all cyber assets are properly identified and that all substation cyber systems are properly categorized as high, medium, or low impact.
  • Inspect all physical security perimeters periodically to ensure that no unidentified physical access points exist.
  • Ensure that backup and recovery procedures are updated in a timely manner and that all remediation plans and steps taken to mitigate vulnerabilities are documented; and
  • Consider evaluating the security controls implemented by third parties regularly, and implement additional controls where needed when using a third party to manage cyber system information.
  1. Ensure that all BES Cyber Assets are properly identified.
  2. Ensure that all substation BES Cyber Systems are properly categorized as high, medium, or low impact.
  3. Ensure that electronic access to BES Cyber System Information (BCSI) is properly authorized and revoked.
  4. Consider having a dedicated visitor log at each Physical Security Perimeter (PSP) access point.
  5. Consider locking BES Cyber Systems’ server racks where possible.
  6. Inspect all Physical Security Perimeters (PSPs) periodically to ensure that no unidentified physical access points exist.
  7. Review security patch management processes periodically and ensure that they are implemented properly.
  8. Consider consolidating and centralizing password change procedures and documentation.
  9. Ensure that backup and recovery procedures are updated in a timely manner.
  10. Ensure that all remediation plans and steps taken to mitigate vulnerabilities are documented.
  11. Ensure that all procedures for tracking the reuse and disposal of substation assets are reviewed and updated regularly.
  12. Consider evaluating the security controls implemented by third parties regularly and implement additional controls where needed when using a third party to manage BES Cyber System Information (BCSI).

Resources

picture_as_pdf_24dp-black FERC Staff – 2020 Lessons Learned from Commission-Led CIP Reliability Audits

Published October 2, 2020

download filesim_card_download_24dp-black
picture_as_pdf_24dp-black TRC Physical and Cyber Security Services

Published

download filesim_card_download_24dp-black
picture_as_pdf_24dp-black TRC NERC Compliance Services

Published

download filesim_card_download_24dp-black
GettyImages-1785752228-1-scaled

About TRC’s Security and Cybersecurity Solutions:

TRC’s approach to security, including cybersecurity, balances solutions that incorporate appropriate standards, regulatory requirements, best practices and operational goals and budgets. Our successful application of technological solutions in a constantly evolving business and regulatory landscape will provide you with confidence regarding your security programs.  Our security and power system experts help you stay ahead of changing regulatory expectations because they stay engaged with the regulatory process and know how to plan, design and install programs that address your financial, technical and scheduling goals including compliance with changing NERC Security standards and guidelines as well as industry “best practices” and the latest technology developments

This regulatory update is a service to TRC’s utility clients, helping keep you informed of issues that impact your company’s electric system security risks along with related topics regarding future regulatory developments to help you achieve your company’s business goals.

Contact Us

trc-bill-hawk
Bill Hawk

Bill Hawk is TRC’s Director of Private Networks Engineering. He is a Professional Engineer with over 35 years of experience in the planning, design and implementation of all aspects of utility networks and communications systems, security systems and Smart Grid/Distribution Automation systems. His areas of expertise include technology, project planning, requirements definition, project team management and project coordination. Bill has successfully completed numerous large telecommunications and security projects with local, municipal and state utilities, governments, school districts, commercial and industrial businesses, universities and university systems. Contact Bill at BHawk@trccompanies.com.