FERC staff today offered recommendations to help users, owners and operators of the bulk-power system improve their compliance with the mandatory Critical Infrastructure Protection (CIP) reliability standards and their overall cybersecurity posture.
Today’s annual report on lessons learned from non-public CIP audits of registered entities found most of the cybersecurity protection processes and procedures adopted by the entities met the mandatory requirements of the CIP reliability standards. In addition to assessing compliance with the CIP reliability standards, the report includes recommendations regarding cybersecurity practices that are voluntary.
The lessons learned from the fiscal year 2021 audits can help entities assess their risk and compliance with mandatory reliability standards and, more generally, can facilitate efforts to improve the security of the nation’s electric grid.
Staff from FERC’s Office of Electric Reliability and Office of Enforcement conducted the audits in collaboration with staff from the North American Electric Reliability Corporation and its regional entities.
Among the report’s recommendations:
- Enhance policies and procedures to include evaluation of Cyber Asset misuse and degradation during asset categorization;
- Properly document and implement policies, procedures and controls for low-impact transient cyber assets;
- Enhance recovery and testing plans so that the representative sample of data used to test restoration of bulk-electric system cyber systems also includes a sample of any offsite backup images;
- Improve vulnerability assessments to include credential-based scans of cyber assets; and
- Enhance internal compliance and controls programs to include control documentation processes and associated procedures pertaining to compliance with the CIP reliability standards.