In October 2021, Federal Energy Regulatory Commission (FERC) staff issued its annual report on "recommendations to help users, owners and operators of the bulk-power system improve their compliance with the [North American Electric Reliability Corporation (NERC)] mandatory Critical Infrastructure Protection (CIP) reliability standards and their overall cybersecurity posture." The CIP reliability standards are intended to "mitigate the cyber security and physical security risks to . . . facilities, systems, and equipment, which, if destroyed, degraded, or otherwise rendered unavailable as a result of a security incident, would affect the reliable operation of the Bulk-Power System." The report, in turn, is intended to "help entities assess their risk and compliance with mandatory reliability standards and, more generally, . . . facilitate efforts to improve the security of the nation's electric grid."

The report is based on nonpublic audits of NERC "registered entities"1 subject to the CIP reliability standards that were conducted by FERC's Office of Electric Reliability and Office of Enforcement, in collaboration with NERC and its regional reliability entities. In addition, while FERC's Office of Energy Infrastructure Security (OEIS) was not involved in the audits, its Office of Electric Reliability "consulted with OEIS" in preparing the report. OEIS is responsible for "identification and implementation of best practices to address current and emerging defense and mitigation strategies for advanced cyber and physical threats to not only the Bulk-Power System but all energy infrastructure" under FERC's jurisdiction.

This year, FERC staff "found that while most of the cybersecurity protection processes and procedures adopted by the registered entities met the mandatory requirements of the CIP Reliability Standards, there were also potential compliance infractions." Such infractions can create significant risk and result in penalties that vary depending on the severity of the risk they present. FERC staff "also identified practices not required by the CIP Reliability Standards that could improve security." The report includes those as "voluntary cyber security recommendations." These recommendations are relevant not only for registered entities, but "may be generally beneficial to the utility-based cybersecurity community" to improve the security of the bulk electric system.

The report's overview of "lessons learned" lists 14 principal recommendations, including:

  • "Enhanc[ing] policies and procedures to include evaluation of Cyber Asset misuse and degradation during asset categorization."2
  • "Properly document[ing] and implement[ing] policies, procedures and controls for low-impact transient cyber assets."
  • "Enhanc[ing] recovery and testing plans to include a sample of any offsite backup images in the representative sample of data used to test the restoration of bulk-electric system cyber systems."
  • "Improv[ing] vulnerability assessments to include credential-based scans of cyber assets."
  • "Enhanc[ing] internal compliance and controls programs to include control documentation processes and associated procedures pertaining to compliance with the CIP Reliability Standards."

For each of its 14 recommendations, the report discusses the related audit findings and ties each recommendation to the specific CIP reliability standard(s) and requirement(s) to which it applies. The report also provides the "lessons learned" from four prior annual reports, illustrating how FERC staff's audit findings and recommendations have evolved over time. This year's report highlights FERC's and NERC's ongoing focus on registered entities' compliance with the CIP reliability standards and should be required reading for both registered entities and other owners and operators of assets on the U.S. electric grid in connection with the development and implementation of their cybersecurity programs.

Footnotes

1 As FERC staff explained in the report, "[a]ll Bulk-Power System users, owners and operators are required to register with NERC and, once registered, are commonly referred to as 'registered entities.'"

2 The NERC Glossary defines "Cyber Assets" as "programmable electronic devices, including the hardware, software, and data in those devices."