FERC Issues a Report Recommending Ways For The Bulk-Power System to Improve Compliance in The CIP Standards and Cybersecurity

The Federal Energy Regulatory Commission (FERC) has issued a report with recommendations for the “users, owners and operators of the bulk-power system improve their compliance with mandatory Critical Infrastructure Protection (CIP) standards as well as their overall cybersecurity posture.”

The findings shared in the report were based upon the “non-public CIP audits of registered entities that found most of the cybersecurity protection process and procedures adopted by the entities met the mandatory requirements of the standards.” FERC reported that the lessons they learned from conducting “audits completed in fiscal year 2019 can help entities assess their risk and compliance with mandatory reliability standards and… can facilitate efforts to improve the security of the nation’s electric grid.”

The lessons FERC staff learned in the audits were:

1. “Consider all generation assets, regardless of ownership, when categorizing BES Cyber Systems associated with transmission facilities.

2. “Ensure that all employees and third-party contractors complete the required training and that the training records are properly maintained.

3. “Verify employees’ recurring authorizations for using removable media.

4. “Review all firewalls to ensure there are no obsolete or overly permissive firewall access control rules in use.

5. “Limit access to employee’s PIN numbers used for accessing PSPs using a least-privilege approach.

6. “Ensure that all ephemeral port ranges are within the Internet Assigned Numbers Authority (IANA) recommended ranges.

7. “Clearly mark Transient Cyber Assets and Removable Media.”
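As an added illustration of lessons 4 and 6 (this is not code from the FERC report or from any audited entity), the script below flags expired or overly permissive allow rules in a constructed firewall rule list and checks a host's configured ephemeral port range against IANA's dynamic range; the Rule fields, the per-rule expiry date and the 1024-port threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# IANA dynamic/private (ephemeral) port range (RFC 6335).
IANA_EPHEMERAL = (49152, 65535)

@dataclass
class Rule:
    name: str
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    ports: str               # "any", "443", or "1024-65535"
    action: str              # "allow" or "deny"
    expires: Optional[date]  # assumed per-rule review/expiry date; None = no date

def port_span(ports: str) -> int:
    """Number of destination ports a rule's port spec covers."""
    if ports == "any":
        return 65536
    lo, _, hi = ports.partition("-")
    return int(hi or lo) - int(lo) + 1

def audit_rules(rules: List[Rule], today: Optional[date] = None,
                max_span: int = 1024) -> List[Tuple[str, str]]:
    """Flag obsolete (expired) rules and overly permissive allow rules."""
    today = today or date.today()
    findings = []
    for r in rules:
        if r.expires is not None and r.expires < today:
            findings.append((r.name, "obsolete: past expiry date"))
        if r.action != "allow":
            continue  # deny rules are never 'overly permissive'
        if r.src == "any" and r.dst == "any":
            findings.append((r.name, "overly permissive: any-to-any allow"))
        elif port_span(r.ports) > max_span:
            findings.append((r.name, f"overly permissive: {port_span(r.ports)} ports"))
    return findings

def ephemeral_range_ok(low: int, high: int) -> bool:
    """True if a host's configured ephemeral range lies inside IANA's range."""
    return IANA_EPHEMERAL[0] <= low <= high <= IANA_EPHEMERAL[1]

# Constructed sample rule set (not from the FERC report).
SAMPLE_RULES = [
    Rule("scada-hmi-https", "10.1.0.0/24", "10.2.0.5/32", "443", "allow", None),
    Rule("vendor-temp", "any", "any", "any", "allow", date(2019, 3, 1)),
    Rule("eng-wide-ports", "10.1.0.0/24", "10.2.0.0/24", "1024-65535", "allow", None),
    Rule("default-deny", "any", "any", "any", "deny", None),
]
```

Note that the common Linux default range 32768-60999 starts below IANA's 49152, so `ephemeral_range_ok(32768, 60999)` reports it as outside the recommended range.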

FERC staff from the “Office of Electric Reliability and Office of Enforcement conducted the audits in collaboration with staff from the North American Electric Reliability Corporation and its regional entities. In addition to assessing compliance with the CIP reliability standards, the report includes recommendations regarding cybersecurity practices that are voluntary.”

The recommendations in the report include:

  • “Consider all generation assets, regardless of ownership, when categorizing bulk electric system cyber systems associated with transmission facilities;
  • “Ensure that all employees and third-party contractors complete the required training and that the training records are properly maintained;
  • “Verify employees’ recurring authorizations for using removable media; and
  • “Review all firewalls to ensure there are no obsolete or overly permissive firewall access control rules in use.”