Federal Energy Regulatory Commission (FERC) staff recently offered recommendations to help users, owners, and operators of the bulk power system improve their compliance with the mandatory Critical Infrastructure Protection (CIP) reliability standards as well as their overall cybersecurity posture.
The annual report on lessons learned from non-public CIP audits of registered entities found that most of the cybersecurity protection processes and procedures adopted by the entities met the mandatory requirements of the CIP reliability standards. In addition to assessing compliance with the CIP reliability standards, the report includes recommendations regarding voluntary cybersecurity practices.
The lessons learned from the audits completed in fiscal year 2020 can help entities assess their risk and compliance with mandatory reliability standards and, more generally, facilitate efforts to improve the security of the nation's electric grid.
Staff from FERC's Office of Electric Reliability and Office of Enforcement conducted the audits in collaboration with staff from the North American Electric Reliability Corp. (NERC) and its regional entities.
The report's recommendations are as follows:
- Ensure that all cyber assets are properly identified and that all substation cyber systems are properly categorized as high, medium, or low impact;
- Inspect all physical security perimeters periodically to ensure that no unidentified physical access points exist;
- Ensure that backup and recovery procedures are updated in a timely manner and that all remediation plans and steps taken to mitigate vulnerabilities are documented; and
- When using a third party to manage cyber system information, consider regularly evaluating the security controls that the third party has implemented and implementing additional controls where needed.