On December 12, 2023, FERC staff offered information and recommendations to help registered entities (i.e., users, owners, and operators of the bulk electric system) improve their compliance with mandatory Critical Infrastructure Protection (“CIP”) reliability standards and their overall cybersecurity postures (the “Report”). The recommendations are based on FERC staff’s non-public CIP audits of U.S.-based North American Electric Reliability Corporation (“NERC”) registered entities during Fiscal Year 2023, which included the participation of NERC and the regional entities. FERC staff found that registered entities generally met the mandatory requirements of the CIP Standards, although potential noncompliance and security risks remained. FERC staff also identified and made recommendations concerning other voluntary best practices that could improve cybersecurity. FERC staff explained that the CIP standards aim to mitigate cybersecurity and physical security risks to the bulk electric system’s facilities and equipment. The Commission approved the first set of eight mandatory CIP standards on cybersecurity on January 28, 2008, and has since revised the standards to respond to emerging cybersecurity issues. FERC began its CIP standards audit program for registered entities in 2016 and has conducted CIP audits each year since.
To determine compliance with the CIP standards, FERC staff issued data requests and conducted virtual and on-site interviews of the employees and managers responsible for cyber asset protection tasks. The data requests, issued before the interview sessions, gathered information about each entity’s CIP activities and operations, while the interviews were used to observe demonstrations of the operating practices, processes, and procedures followed by the entities’ personnel. FERC staff also analyzed documentation in the form of policies, procedures, e-mails, logs, studies, and data. In sum, the data, information, and evidence provided by the entities were evaluated for sufficiency, appropriateness, and validity against the CIP standards and requirements.
FERC staff found that while entities generally had strong procedures in place to identify their bulk electric cyber systems as low, medium, or high impact assets, in some cases the cyber systems were not identified or categorized properly. Misidentification or miscategorization, FERC staff explained, could lead to the application of inadequate cybersecurity controls, or no controls at all, which weakens the security of the system. FERC staff also found that while entities generally documented (1) the processes to identify, classify, and respond to cybersecurity incidents and (2) the criteria to evaluate and define a reportable cybersecurity incident to the Electricity Information Sharing and Analysis Center (“E-ISAC”) and the Cybersecurity and Infrastructure Security Agency (“CISA”), in some instances entities did not submit required cybersecurity incident reports to E-ISAC or CISA in accordance with those documented processes. FERC staff further found that while entities generally restricted inbound and outbound access permissions at electronic access points, in some cases entities failed to document the reasons for granting access. Staff explained that allowing certain communications through without a valid reason and oversight could lead to security compromises such as the “Ping of Death,” where an attacker attempts to compromise the network by sending malformed or oversized packets using a simple ping command, or “distributed denial of service” attacks, where the attacker attempts to disrupt a network by flooding it with internet traffic. Lastly, FERC staff found that while entities generally maintained supply chain risk management plans to assess the cyber risks associated with new vendors, in some cases they did not develop risk responses for the risks identified by those plans.
As a result, FERC staff recommends that utilities take the following steps to further compliance with the CIP standards:
- Identify and categorize all bulk electric cyber systems and their associated cyber assets;
- Report all cybersecurity incidents, and attempts to compromise that were identified as cybersecurity incidents, to E-ISAC and CISA;
- Restrict all inbound and outbound access permissions, including the reason for granting access, and deny all other access by default; and
- Enhance supply chain risk management programs to include evaluating the risks of existing vendors, and developing a plan to respond to risks that are identified.
FERC staff’s Report can be found here.