On September 14, 2020, staff from FERC and the North American Electric Reliability Corporation (NERC) published a report on cyber planning for response and recovery, the “Cyber Planning for Response and Recovery Study” (CYPRES), which emphasizes best practices for the electric utility industry.
Staff from FERC, NERC, and the NERC Regional Entities collaborated to develop the report after interviewing subject matter experts from eight electric utilities of different sizes and functions. The report includes observations on the organizations’ defensive capabilities and on the effectiveness of their Incident Response and Recovery (IRR) plans.
The report identifies elements that the IRR plans have in common. These shared elements define each plan's scope, what counts as a computer security event, staff functions and responsibilities, and the level of authority staff have to respond. They also set out reporting requirements, guidelines for external communications and information sharing, and procedures to assess performance.
The report also highlighted best practices, concluding that effective IRR plans must:
- have well-defined personnel functions, encourage accountability, give personnel the authority to act without unnecessary delays, and use supporting technology and automated tools while recognizing the importance of human performance
- require well-qualified personnel who continually sharpen their skills and stay mindful of lessons learned from past events or simulated challenges
- use specific standards so personnel can detect substantial deviations from regular operations
- eliminate all outside connections when activated and consider the risk that a containment strategy may cause predefined damaging actions by the malware. The plans use evidence gathering and ongoing analysis to determine if an event indicates a greater compromise
- consider the resource implications of incident responses of unknown length
- implement lessons learned from prior incidents and simulated events
The teams concluded that effective IRR plans are vital resources for addressing cyber threats. They therefore determined that effective IRR plans should be established and that response teams should be ready to detect, contain, and eliminate cyber threats before they harm utility operations.