Electric utilities trying to use cloud services to enhance their business continue to face “challenges” complying with NERC’s Critical Infrastructure Protection (CIP) standards, FERC staff said in a report on the commission’s 2025 audits for CIP compliance.
The authors of the 2025 Lessons Learned from Commission-led CIP Reliability Audits report also highlighted issues arising from entities’ failure to ensure CIP compliance from third-party contractors and to consider distributed energy resources and distribution-connected generation when categorizing their control centers.
FERC has conducted CIP audits since 2016 for each fiscal year, which runs from Oct. 1 to Sept. 30 of the following year. During the fiscal year, staff from FERC, NERC and the regional entities conduct audits with select utilities, comprising “data requests and reviews, webinars and teleconferences, and virtual and on-site visits.” The visits include interviews with entities’ subject matter experts, employees and managers; demonstrations of operating practices and procedures; and field inspections of high-, medium- or low-impact cyber assets.
As in previous years, details of the audits, such as how many audits were performed and which utilities were visited, were not disclosed in the report. The authors wrote that “while most of the [entities’] cybersecurity protection processes and procedures … met the mandatory requirements of the [CIP] standards, potential noncompliance and security risks remained.”
The warnings about cloud services came in a discussion of two instances where entities used cloud services to perform the functions of electronic access control or monitoring systems (EACMS) and physical access control systems (PACS). FERC staff observed that the CIP standards were originally “developed prior to the advent of cloud services [when] registered entities housed their cyber assets and cyber systems on premises.”
While efforts are underway to incorporate cloud technology into the CIP standards through Project 2023-09 (Risk management for third-party cloud services), the standards as they currently stand “simply do not contemplate cloud services,” the authors wrote. This fact creates “challenges demonstrating CIP compliance” for entities trying to use such services.
For example, FERC staff observed that CIP-004-7 (Cybersecurity – personnel and training) requires entities to conduct and demonstrate personnel risk assessments, including identity verification and background checks, for all individuals with electronic or physical access to grid-connected cyber systems. However, if cloud services are used, then this category would include employees of the cloud service provider, and entities may not be able to conduct investigations into such people.
CIP-010-4 (Cybersecurity – configuration change management and vulnerability assessments) presents another challenge, the authors wrote, because it “requires the development, maintenance and documentation of a baseline [system] configuration,” including multiple levels of hardware and software. This would be difficult to produce in a cloud system, where hardware and system-level configurations are often abstracted, and the integrity and source of software can be hard to verify.
To address these risks, FERC staff said entities should ensure that their high- and medium-impact cyber systems do not use cloud services. Low-impact systems may use cloud services, but entities should monitor their status and be prepared to mitigate compliance risk associated with the cloud if the impact rating changes.
Third-party Compliance Outsourcing Risks
Third parties were also mentioned in another section of the report that discussed utilities’ use of outside entities to help meet their compliance duties. Staff wrote that auditors “observed several instances where registered entities did not perform due diligence when relying on third parties.”
In one case, auditors saw that a utility did not properly oversee a firewall update that it contracted to a third party, and that party did not complete the task. This left unnecessary inbound and outbound electronic access within the entity’s firewall, a violation of CIP-003-8 (Cybersecurity – security management controls).
Another entity contracted with a vendor to install, test and maintain a cloud-based PACS, including the recurring 24-month testing required by CIP-006-6 (Cybersecurity – physical security of BES cyber systems). However, the vendor did not conduct the testing, and the utility lacked oversight controls to tell whether the vendor had done so.
Finally, a utility hired a third party to conduct vulnerability scanning, review the scan results and prioritize mitigation plans as part of the vulnerability assessment required by CIP-010-4. However, the entity did not participate in all phases of these activities. FERC staff did not indicate whether the third party failed to perform these tasks but observed that by failing to participate, the entity was already in violation of the standard.
Staff said that entities could mitigate the risk posed by outsourcing compliance functions to third parties by implementing compensating controls such as contractual agreements, internal controls that provide oversight, and requirements that third-party staff, infrastructure and data be located within the continental U.S.
DER Classification Oversights
The last issue flagged in the report had to do with the impact rating assigned by utilities to control centers as required by CIP-002-5.1a (Cybersecurity – BES cyber system categorization). Auditors found that some entities “failed to consider DERs and distribution-connected generation in their calculations” of the impact rating of a control center performing generator operator functions.
This oversight meant that operators lacked insight into the true level of generation on their systems, FERC staff wrote, especially because in some cases DERs — though small individually — accounted for large amounts of generation in the aggregate. Failing to properly categorize these systems meant entities might not apply the proper controls.
FERC staff recommended that entities “assess and document generation resources holistically, including DERs,” and ensure that they are assigned the impact rating commensurate with their true capacity.