In October, the Federal Energy Regulatory Commission (FERC) released its “2020 Staff Report Lessons Learned from Commission-Led CIP Reliability Audits.” The report summarizes the Commission’s observations from Critical Infrastructure Protection (CIP) audits performed in conjunction with staff from the Regional Entities and the North American Electric Reliability Corporation (NERC). It is intended to inform both the community subject to the CIP reliability standards and the public of lessons learned from audits performed in 2020. The report is careful to point out that while a majority of the cyber security elements adopted by the audited utilities met the minimum requirements of the standards, potential compliance infractions still came to the surface. Additionally, the report includes recommendations that go beyond what the CIP requirements strictly mandate.

Lessons Learned

The report cites twelve lessons learned from the audits. They are transcribed here:

  1. Ensure that all BES Cyber Assets are properly identified.
  2. Ensure that all substation BES Cyber Systems are properly categorized as high, medium, or low impact.
  3. Ensure that electronic access to BES Cyber System Information (BCSI) is properly authorized and revoked.
  4. Consider having a dedicated visitor log at each Physical Security Perimeter (PSP) access point.
  5. Consider locking BES Cyber Systems’ server racks where possible.
  6. Inspect all Physical Security Perimeters (PSPs) periodically to ensure that no unidentified physical access points exist.
  7. Review security patch management processes periodically and ensure that they are implemented properly.
  8. Consider consolidating and centralizing password change procedures and documentation.
  9. Ensure that backup and recovery procedures are updated in a timely manner.
  10. Ensure that all remediation plans and steps taken to mitigate vulnerabilities are documented.
  11. Ensure that all procedures for tracking the reuse and disposal of substation assets are reviewed and updated regularly.
  12. Consider evaluating the security controls implemented by third parties regularly.