Federal Energy Regulatory Commission (FERC) staff recently issued a report offering recommendations to help users, owners, and operators of the bulk power system improve their compliance with mandatory Critical Infrastructure Protection (CIP) standards as well as their overall cybersecurity posture.
The findings in the report are based on non-public CIP audits of registered entities that found most of the cybersecurity protection processes and procedures adopted by the entities met the mandatory requirements of the standards. Staff said the lessons learned from the audits completed in fiscal year 2019 can help entities assess their risk and compliance with mandatory reliability standards, and more generally, can facilitate efforts to improve the security of the nation’s electric grid.
Staff from FERC’s Office of Electric Reliability and Office of Enforcement conducted the audits in collaboration with staff from the North American Electric Reliability Corp. (NERC) and its regional entities. In addition to assessing compliance with the CIP reliability standards, the report includes recommendations on cybersecurity practices that are voluntary.
Among the report’s recommendations are:
- All generation assets, regardless of ownership, should be considered when categorizing bulk electric cyber systems associated with transmission facilities;
- All employees and third-party contractors should complete the required training, and training records should be properly maintained;
- Employees’ recurring authorizations to use removable media should be verified; and
- All firewalls should be reviewed to ensure there are no obsolete or overly permissive firewall access control rules in use.
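The last recommendation, reviewing firewall rule sets for obsolete and overly permissive rules, is the one that lends itself to a repeatable check. The following is an added example, not code from the FERC report or from NERC: it runs a small review over a constructed rule set, flagging allow rules that open every port from or to the entire address space, and rules that have never matched traffic or have not matched within an idle window. The rule format, the 90-day idle threshold and the sample rules are assumptions chosen for the illustration; a real review would export rules and hit counters from the firewall in use.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_network
from typing import Dict, List, Optional


@dataclass
class Rule:
    """Simplified firewall rule (assumed format, not any vendor's export)."""
    name: str
    action: str               # "allow" or "deny"
    src: str                  # source CIDR
    dst: str                  # destination CIDR
    ports: str                # "any" or a specific port / port list
    last_hit: Optional[date]  # last date the rule matched traffic; None = never


def is_overly_permissive(rule: Rule) -> bool:
    """An allow rule that opens all ports from or to the whole address space."""
    if rule.action != "allow":
        return False
    wide_src = ip_network(rule.src, strict=False).prefixlen == 0
    wide_dst = ip_network(rule.dst, strict=False).prefixlen == 0
    return rule.ports == "any" and (wide_src or wide_dst)


def is_obsolete(rule: Rule, today: date, max_idle_days: int = 90) -> bool:
    """A rule that has never matched, or has not matched within the idle window."""
    if rule.last_hit is None:
        return True
    return (today - rule.last_hit) > timedelta(days=max_idle_days)


def review(rules: List[Rule], today: date) -> Dict[str, List[str]]:
    """Map each problematic rule name to the list of findings against it."""
    findings: Dict[str, List[str]] = {}
    for rule in rules:
        issues = []
        if is_overly_permissive(rule):
            issues.append("overly permissive")
        if is_obsolete(rule, today):
            issues.append("obsolete")
        if issues:
            findings[rule.name] = issues
    return findings


# Constructed sample rule set and review date (not taken from any real audit).
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_RULES = [
    Rule("scada-hmi-to-historian", "allow", "10.10.1.0/24", "10.10.2.5/32",
         "1433", date(2024, 5, 31)),                      # scoped, recently used
    Rule("temp-vendor-access", "allow", "0.0.0.0/0", "10.10.2.0/24",
         "any", date(2023, 11, 1)),                       # wide open and stale
    Rule("legacy-telnet", "allow", "10.10.1.0/24", "10.10.3.0/24",
         "23", None),                                     # never matched traffic
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0",
         "any", REVIEW_DATE),                             # deny rules are not flagged
]

if __name__ == "__main__":
    for name, issues in review(SAMPLE_RULES, REVIEW_DATE).items():
        print(f"{name}: {', '.join(issues)}")
```

Deny rules are deliberately excluded from the permissiveness check, since a broad default deny is the desired end of a rule set; the idle-window check still applies to them, because a deny rule that never matches may also be redundant. Both thresholds should be tuned to the change-management and logging retention practices of the entity being reviewed.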