FERC Issues Annual Report on Critical Infrastructure Protection (CIP) Reliability Audits

In its 2020 Report on CIP Reliability Audits, the Federal Energy Regulatory Commission (FERC) found that most of the cybersecurity protection processes and procedures adopted by utilities met the mandatory CIP requirements for protecting the Bulk Electric System (BES). However, there are lessons learned and guidance for improvements that can better facilitate efforts to improve power system security.

In general, FERC Staff advise that utilities should:

• Ensure that all cyber assets are properly identified and that all substation cyber systems are properly categorized as high, medium, or low impact.
• Inspect all physical security perimeters periodically to ensure that no unidentified physical access points exist.
• Ensure that backup and recovery procedures are updated in a timely manner and that all remediation plans and steps taken to mitigate vulnerabilities are documented; and
• Consider evaluating the security controls implemented by third parties regularly, and implement additional controls where needed when using a third party to manage cyber system information.

The report specifically identified the following activities to improve compliance and improve a company’s overall cyber security posture:

1. Ensure that all BES Cyber Assets are properly identified.
2. Ensure that all substation BES Cyber Systems are properly categorized as high, medium, or low impact.
3. Ensure that electronic access to BES Cyber System Information (BCSI) is properly authorized and revoked.
4. Consider having a dedicated visitor log at each Physical Security Perimeter (PSP) access point.
5. Consider locking BES Cyber Systems’ server racks where possible.
6. Inspect all Physical Security Perimeters (PSPs) periodically to ensure that no unidentified physical access points exist.
7. Review security patch management processes periodically and ensure that they are implemented properly.
8. Consider consolidating and centralizing password change procedures and documentation.
9. Ensure that backup and recovery procedures are updated in a timely manner.
10. Ensure that all remediation plans and steps taken to mitigate vulnerabilities are documented.
11. Ensure that all procedures for tracking the reuse and disposal of substation assets are reviewed and updated regularly.
12. Consider evaluating the security controls implemented by third parties regularly and implement additional controls where needed when using a third party to manage BES Cyber System Information (BCSI).

TRC’s clients are encouraged to read the report in its entirety.  Several of the Lessons Learned are simply “good housekeeping” or industry-standard cybersecurity practices – above and beyond the requirements of NERC CIP compliance, but strongly recommended by Infosec practitioners.

However, our experts have noted that Lessons Learned 3, 5, 9, and 11 in particular are areas where utilities may benefit from independent review and perspective in order to improve security.

The report includes references to lessons learned from prior annual reports going back to 2017.

Resources:

• FERC Staff – 2020 Lessons Learned from Commission-Led CIP Reliability Audits
• TRC Physical and Cyber Security Services
• TRC NERC Compliance Services

About TRC’s Security and Cybersecurity Solutions:

TRC’s approach to security, including cybersecurity, balances solutions that incorporate appropriate standards, regulatory requirements, best practices and operational goals and budgets. Our successful application of technological solutions in a constantly evolving business and regulatory landscape will provide you with confidence regarding your security programs.  Our security and power system experts help you stay ahead of changing regulatory expectations because they stay engaged with the regulatory process and know how to plan, design and install programs that address your financial, technical and scheduling goals including compliance with changing NERC Security standards and guidelines as well as industry “best practices” and the latest technology developments

This regulatory update is a service to TRC’s utility clients, helping keep you informed of issues that impact your company’s electric system security risks along with related topics regarding future regulatory developments to help you achieve your company’s business goals.