On March 29, the Federal Energy Regulatory Commission (FERC) issued a report that had recommendations to help the “users, owners and operators of the bulk-power system assess their risks, compliance efforts and overall cyber security posture.” The suggestions in the report are all based upon the lessons FERC learned during the 2018 fiscal year from “non-public audits of several registered entities of the Bulk Electric System and staff reviews of emerging advanced cyber and physical threats to energy infrastructure.” Those lessons will help FERC improve security for “the nation’s electric grid, strengthen cyber security and help facilitate compliance with mandatory reliability standards.”
“FERC’s Office of Electric Reliability, with assistance from its Office of Enforcement, conducted the audits in collaboration with the North American Electric Reliability Corporation (NERC) and its regional entities.” The FERC Office of Energy Infrastructure also assisted with analyzing the data obtained by the audit.
The report’s recommendations are:
- “Enhance documented processes and procedures for security awareness training to consider NIST SP 800-50, ‘Building an Information Technology Security Awareness and Training Program’ guidance.
- Consider implementing valid Security Certificates within the boundaries of BES Cyber Systems with encryption sufficiently strong enough to ensure proper authentication of internal connections.
- Consider implementing encryption for Interactive Remote Access (IRA) that is sufficiently strong enough to protect the data that is sent between the remote access client and the BES Cyber System’s Intermediate System.
- Consider Internet Control Message Protocol (ICMP) as a logical access port for all the BES Cyber Assets.
- Enhance documented processes and procedures for incident response to consider the NIST SP 800-61, “Computer Security Incident Handling Guide.”
- Consider the remote configuration of applicable Cyber Assets via a TCP/IP-toRS232 Bridge during vulnerability assessments.
- Consider the use of secure administrative hosts to perform administrative tasks when accessing either Electronic Access Control or Monitoring Systems (EACMS) or Physical Access Control Systems (PACS).
- Consider replacing or upgrading “End-of-Life” system components of an applicable Cyber Asset.
- Consider incorporating file verification methods, such as hashing, during manual patching processes and procedures, where appropriate.
- Consider using automated mechanisms that enforce asset inventory updates during configuration management.”
The report also notes some lessons they previously learned:
- “Conduct a thorough review of CIP Reliability Standards compliance documentation to identify where the documented instructional processes are inconsistent with actual processes employed.
- For each remote cyber asset conducting IRA, disable all other network access outside of the connection to the applicable Cyber System that is being remotely accessed, unless there is a documented business or operational need.
- Enhance documented processes and procedures for identifying BES Cyber System Information to consider the NERC Critical Infrastructure Protection Committee guidance document, ‘Security Guideline for the Electricity Sector: Protecting Sensitive Information.’”
“The audits evaluated the registered entities’ compliance with the applicable Critical Infrastructure Protection (CIP) Reliability Standards and identified other possible areas for improvement not specifically addressed by the CIP reliability standards.”