FERC staff report on cybersecurity lessons learned

Most of the cybersecurity protection processes and procedures adopted by entities subject to U.S. electric grid reliability regulation meet the mandatory requirements of the applicable reliability standards when audited, according to a recent federal report. The same audits, however, also found "potential compliance infractions", as well as voluntary cybersecurity practices that could improve security beyond what the standards require.

During the Federal Energy Regulatory Commission's 2019 fiscal year, its staff conducted a series of non-public audits of a number of "registered entities" subject to the North American Electric Reliability Corporation's mandatory Critical Infrastructure Protection (CIP) reliability standards. Staff from the Commission's Office of Electric Reliability and Office of Enforcement conducted the audits, in collaboration with staff from the North American Electric Reliability Corporation and its regional entities.

On October 4, 2019, Commission staff issued a report, "Lessons Learned from Commission-Led CIP Reliability Audits". According to a press release accompanying the report, "most of the cybersecurity protection process and procedures adopted by the entities met the mandatory requirements of the standards."

The staff report also identifies voluntary actions, drawn from the audit findings, that registered entities and other users, owners and operators of the bulk-power system could take to improve both their compliance with the mandatory CIP standards and their overall cybersecurity posture. These recommendations include:
  • Considering all generation assets, regardless of ownership, when categorizing bulk electric system cyber systems associated with transmission facilities;
  • Ensuring that all employees and third-party contractors complete the required training and that the training records are properly maintained;
  • Verifying employees’ recurring authorizations for using removable media;
  • Reviewing all firewalls to ensure there are no obsolete or overly permissive firewall access control rules in use;
  • Limiting access to the PINs employees use to enter Physical Security Perimeters, following a least-privilege approach;
  • Ensuring that all ephemeral port ranges are within the Internet Assigned Numbers Authority (IANA) recommended ranges; and
  • Clearly marking Transient Cyber Assets and Removable Media.
NERC-registered entities, as well as other organizations that operate cyber assets, may wish to consider these recommendations when strengthening their overall cybersecurity posture.
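Two of the recommendations above, reviewing firewalls for obsolete or overly permissive rules and keeping ephemeral port ranges within the IANA range, are checks that can be scripted against a firewall rule export. The Python script below is an added example and is not code from the FERC report, NERC or any audited entity. The CSV rule layout, the rule names and the hit counts are constructed for illustration, and the `tag` column (marking rules that admit return traffic to client-side ephemeral ports) is an assumed annotation, not a field of any particular firewall product.

```python
"""Audit a firewall rule export for overly permissive, stale and
mis-scoped ephemeral-port rules.

Added example, not code from the FERC report or NERC. The CSV layout,
rule names and hit counts below are constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass

# IANA dynamic/private ("ephemeral") port range per RFC 6335.
IANA_EPHEMERAL = (49152, 65535)

# Constructed rule export. 'tag' is an assumed annotation: 'ephemeral'
# marks rules that admit return traffic to client-side ephemeral ports.
# 'hits' is the match counter since the last counter reset.
SAMPLE_RULES = """\
name,tag,src,dst,proto,dports,action,hits
ems-https,service,10.10.0.0/24,10.20.0.5,tcp,443,allow,184233
legacy-telnet,service,any,any,tcp,23,allow,0
temp-vendor,service,any,any,any,any,allow,57
scada-return,ephemeral,10.20.0.5,10.10.0.0/24,tcp,32768-60999,allow,90210
hist-return,ephemeral,10.20.0.6,10.10.0.0/24,tcp,49152-65535,allow,4411
deny-all,service,any,any,any,any,deny,99901
"""


@dataclass
class Rule:
    name: str
    tag: str
    src: str
    dst: str
    proto: str
    dports: str   # "any", a single port, or "lo-hi"
    action: str
    hits: int


def parse_ports(spec):
    """Return (low, high) for a port spec; 'any' means the whole port space."""
    if spec == "any":
        return (0, 65535)
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return (int(lo), int(hi))
    port = int(spec)
    return (port, port)


def parse_rules(text):
    reader = csv.DictReader(io.StringIO(text))
    return [Rule(r["name"], r["tag"], r["src"], r["dst"], r["proto"],
                 r["dports"], r["action"], int(r["hits"])) for r in reader]


def audit_rule(rule):
    """Return the list of findings for one rule (empty if it looks fine)."""
    findings = []
    if rule.action != "allow":
        return findings  # a deny rule cannot be "too permissive"
    if rule.src == "any" and rule.dst == "any":
        findings.append("overly permissive: any source to any destination")
    if rule.proto == "any" and rule.dports == "any":
        findings.append("overly permissive: all protocols and ports")
    if rule.hits == 0:
        # Zero matches is only a candidate: confirm with the rule owner
        # before removing, since the counters may have been reset recently.
        findings.append("candidate obsolete: no matches since counters were reset")
    if rule.tag == "ephemeral":
        lo, hi = parse_ports(rule.dports)
        if lo < IANA_EPHEMERAL[0] or hi > IANA_EPHEMERAL[1]:
            findings.append(f"ephemeral range {rule.dports} outside IANA "
                            f"{IANA_EPHEMERAL[0]}-{IANA_EPHEMERAL[1]}")
    return findings


def audit(text):
    """Map rule name -> findings, for rules that have at least one finding."""
    result = {}
    for rule in parse_rules(text):
        findings = audit_rule(rule)
        if findings:
            result[rule.name] = findings
    return result


def host_range_within_iana(sysctl_value):
    """Check a host's own ephemeral range against IANA's.

    sysctl_value is the text of /proc/sys/net/ipv4/ip_local_port_range on
    Linux ("lo<TAB>hi"). The Linux default is 32768-60999, which is NOT
    within the IANA range, while Windows defaults to 49152-65535.
    """
    lo, hi = (int(x) for x in sysctl_value.split())
    return IANA_EPHEMERAL[0] <= lo and hi <= IANA_EPHEMERAL[1]


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        for finding in findings:
            print(f"{name}: {finding}")
    print("linux default in IANA range:", host_range_within_iana("32768\t60999"))
```

Run against the constructed export, the script flags `legacy-telnet` (any-to-any and no matches), `temp-vendor` (any-to-any on all protocols and ports) and `scada-return` (a return-traffic rule written for the Linux default range rather than the IANA range); `deny-all` is ignored because a deny rule cannot be too permissive. The ephemeral check cuts both ways: a stateless return-traffic rule scoped to 49152-65535 will drop replies to a Linux host still using its default 32768-60999, so the practical fix is to set `net.ipv4.ip_local_port_range` to the IANA range on the hosts (or use stateful inspection) rather than widen the rule, and a zero hit count is a prompt to ask the rule owner, not a licence to delete.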