On March 29, the Federal Energy Regulatory Commission (FERC) issued a report that had recommendations to help the “users, owners and operators of the bulk-power system assess their risks, compliance efforts and overall cyber security posture.” The suggestions in the report are all based upon the lessons FERC learned during the 2018 fiscal year from “non-public audits of several registered entities of the Bulk Electric System and staff reviews of emerging advanced cyber and physical threats to energy infrastructure.” Those lessons will help FERC improve security for “the nation’s electric grid, strengthen cyber security and help facilitate compliance with mandatory reliability standards.”

“FERC’s Office of Electric Reliability, with assistance from its Office of Enforcement, conducted the audits in collaboration with the North American Electric Reliability Corporation (NERC) and its regional entities.” The FERC Office of Energy Infrastructure also assisted with analyzing the data obtained by the audit.

The report’s recommendations are:

• “Enhance documented processes and procedures for security awareness training to consider NIST SP 800-50, ‘Building an Information Technology Security Awareness and Training Program’ guidance.
• Consider implementing valid Security Certificates within the boundaries of BES Cyber Systems with encryption sufficiently strong enough to ensure proper authentication of internal connections.
• Consider implementing encryption for Interactive Remote Access (IRA) that is sufficiently strong enough to protect the data that is sent between the remote access client and the BES Cyber System’s Intermediate System.
• Consider Internet Control Message Protocol (ICMP) as a logical access port for all the BES Cyber Assets.
• Enhance documented processes and procedures for incident response to consider the NIST SP 800-61, “Computer Security Incident Handling Guide.”
• Consider the remote configuration of applicable Cyber Assets via a TCP/IP-toRS232 Bridge during vulnerability assessments.
• Consider the use of secure administrative hosts to perform administrative tasks when accessing either Electronic Access Control or Monitoring Systems (EACMS) or Physical Access Control Systems (PACS).
• Consider replacing or upgrading “End-of-Life” system components of an applicable Cyber Asset.
• Consider incorporating file verification methods, such as hashing, during manual patching processes and procedures, where appropriate.
• Consider using automated mechanisms that enforce asset inventory updates during configuration management.”

The report also notes some lessons they previously learned:

• “Conduct a thorough review of CIP Reliability Standards compliance documentation to identify where the documented instructional processes are inconsistent with actual processes employed.
• For each remote cyber asset conducting IRA, disable all other network access outside of the connection to the applicable Cyber System that is being remotely accessed, unless there is a documented business or operational need.
• Enhance documented processes and procedures for identifying BES Cyber System Information to consider the NERC Critical Infrastructure Protection Committee guidance document, ‘Security Guideline for the Electricity Sector: Protecting Sensitive Information.’”

“The audits evaluated the registered entities’ compliance with the applicable Critical Infrastructure Protection (CIP) Reliability Standards and identified other possible areas for improvement not specifically addressed by the CIP reliability standards.”

On February 21, the Federal Energy Regulatory Commission (FERC) issued two final rules revising regulations in order to conform to recent changes made by Congress to the Federal Power Act (FPA), in relation to FERC’s review of hydropower permits and public utility mergers.

The rule related to mergers “implements statutory changes to FPA section 203 by amending FERC regulations requiring a public utility to seek authorization to merge or consolidate jurisdictional facilities so that such authorization is required only when those facilities are valued at more than $10 million.”

These revisions will also require public utility companies to tell FERC about “mergers or consolidations if the facilities are valued at more than $1 million but less than $10 million.” It will also “reduce the regulatory burden on utilities for lower-value transactions, and the final action comes within the 180-day period set by Congress.”

The rule about hydropower “conforms the Commission’s regulations to the America’s Water Infrastructure Act of 2018, which amended sections of the FPA related to preliminary permits, qualifying conduit hydropower facilities, and start for payment of annual charges. Under the Act and the Commission’s amended rules, FERC can issue preliminary permits for four years and extend a permit once for an additional four years, instead of three-year terms for preliminary permits with a possible two-year extension.”

This rule also now allows FERC to “issue a second four-year extension if warranted by extraordinary circumstances.” FERC also increased the “maximum installed capacity for qualifying conduit exemptions is increased from five megawatts (MW) to 40 MW.”

FERC was authorized by the Act to “to issue extensions of the start of construction deadline for licenses for up to eight years, which affects the start of the payment of annual charges … Annual charges will begin two years after a license is issued or any extension deadline expires.”

The third rule FERC issued was to clarify and update the “requirements related to interlocking officers and directors.” FERC’s position on “late-filed applications and informational reports” was also clarified.