On October 2, FERC published recommendations to help users, owners, and operators of the bulk-power system improve their compliance with the mandatory Critical Infrastructure Protection (CIP) reliability standards as well as their overall cybersecurity stance. Staff from FERC’s Office of Electric Reliability and Office of Enforcement partnered with staff from the North American Electric Reliability Corporation and its regional entities to perform the audits.
The 2020 “Staff Report Lessons Learned from Commission-Led CIP Reliability Audits” report covers CIP reliability standards, audit scope and methodology, an overview and discussion of lessons learned. The annual report concluded that nearly all of the entities’ adopted procedures and cybersecurity protection processes met the mandatory requirements of the CIP reliability standards. Along with gauging compliance with the CIP reliability standards, the report offers recommendations related to voluntary cybersecurity practices. This current report’s recommendations:
guarantee that all cyber assets are properly identified and that all substation cyber systems are properly classified as high, medium, or low impact
review all physical security perimeters regularly to make sure that no unidentified physical access points exist
confirm that backup and recovery procedures are revised in a timely manner and that all solutions and steps taken to mitigate vulnerabilities are documented
consider assessing the security controls implemented by third parties consistently and implement additional controls where needed when using a third party to manage cyber system information
FERC anticipates lessons learned from the audits completed in fiscal year 2020 will help entities evaluate their risk and compliance with mandatory reliability standards and be able to facilitate efforts to improve the security of the nation’s electric grid.