FERC Issues New CIP Compliance Recommendations

Morgan Lewis

FERC Staff issued an October 4 report on Commission-led critical infrastructure protection (CIP) reliability audits completed during fiscal year 2019. The report provides lessons learned and identifies voluntary practices that FERC Staff observed during those audits that could improve the protection of electric infrastructure from cyberattacks.

The report includes seven new lessons learned, primarily focused on enhancing electronic access control measures and implementing robust processes for managing employee and contractor access authorizations:

  1. Consider all generation assets, regardless of ownership, when categorizing BES Cyber Systems associated with transmission facilities.
  2. Ensure that all employees and third-party contractors complete the required training and that the training records are properly maintained.
  3. Verify employees’ recurring authorizations for using removable media.
  4. Review all firewalls to ensure there are no obsolete or overly permissive firewall access control rules in use.
  5. Limit access to employees’ PINs used for accessing PSPs using a least privilege approach.
  6. Ensure that all ephemeral port ranges are within the Internet Assigned Numbers Authority (IANA) recommended ranges.
  7. Clearly mark Transient Cyber Assets and Removable Media.

Some of this year’s lessons learned—such as the item addressing BES Cyber System categorization—reflect more specific guidance on prior recommendations from FERC Staff. However, this year’s report also addresses new areas of focus, such as best practices for the secure use of Removable Media and Transient Cyber Assets.

Even though some of the report’s recommendations go beyond what is necessary to comply with the mandatory CIP reliability standards, FERC Staff is likely to view implementation of these recommendations as evidence of a utility’s strong cybersecurity posture. That can, in turn, have positive ramifications for utilities undergoing cybersecurity reviews by FERC, NERC, or their Regional Entities.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Morgan Lewis
