News Release: March 29, 2019
Federal Energy Regulatory Commission (FERC) staff today issued a report offering recommendations to help users, owners and operators of the bulk-power system assess their risks, compliance efforts and overall cyber security posture.
The recommendations in the report are based on lessons learned in fiscal year 2018 from non-public audits of several registered entities of the Bulk Electric System and staff reviews of emerging advanced cyber and physical threats to energy infrastructure.
These lessons learned will help improve the security of the nation’s electric grid, strengthen cyber security and help facilitate compliance with mandatory reliability standards. Staff observations from audits in fiscal years 2016 and 2017 can be found here .
FERC’s Office of Electric Reliability, with assistance from its Office of Enforcement, conducted the audits in collaboration with the North American Electric Reliability Corporation (NERC) and its regional entities.
Additionally, FERC’s Office of Energy Infrastructure Security assisted with analyzing the audit data. Among the report’s recommendations:
- Consider implementing valid Security Certificates within the boundaries of BES Cyber Systems with encryption sufficiently strong enough to ensure proper authentication of internal connections;
- Consider implementing encryption for Interactive Remote Access that is sufficiently strong enough to protect the data sent between the remote access client and the BES Cyber System’s Intermediate System; and
- Consider replacing or upgrading “End-of-Life” system components of an applicable Cyber Asset.
The audits evaluated the registered entities’ compliance with the applicable Critical Infrastructure Protection (CIP) Reliability Standards and identified other possible areas for improvement not specifically addressed by the CIP reliability standards.