By Rich Heidorn Jr.
FERC’s fourth round of Critical Infrastructure Protection audits still found room for improvement, with the commission’s Oct. 4 report listing seven “lessons learned.”
Based on “several” audits, the Office of Electric Reliability’s (OER) Division of Reliability Standards and Security, assisted by the Office of Enforcement’s Division of Audits and Accounting, concluded that most of the cybersecurity protection processes and procedures adopted by registered entities met CIP standards, although potential compliance infractions were observed. Staff from NERC and the regional entities also participated.
FERC officials elaborated on the report in an interview with ERO Insider on Oct. 17.
OER Deputy Director David Ortiz declined to say how many audits were conducted, saying it was “more than two, less than 10.”
The first recommendation was that entities consider all generation assets when categorizing bulk electric system (BES) cyber systems associated with their transmission facilities, not just generation they own.
“While entities generally categorized BES cyber systems effectively, in some cases entities did not consider all generation facilities as required,” the report said.
“You may have a situation where you have other parties that own generation within your footprint,” explained FERC IT specialist Alan Herd. “And in that situation, you want to make sure that you’re fully evaluating any potential impact to your transmission facility [from] the generation that’s owned by you or owned by a third party. … The risk is there if you’re not considering all potential assets of impact.”
The auditors also found that some entities did not maintain complete training records for their third-party contractors or verify employees’ recurring authorizations for using removable media. “While entities consistently verified employees’ recurring authorizations to electronic security perimeters (ESPs) and physical security perimeters (PSPs), entities did not always verify access to removable media in such reviews,” it said.
They also found some instances in which entities had “overly permissive” IP address ranges in their firewall access rules and loose controls on access to the employee PIN numbers used for entering PSPs.
“Entities commonly use a key card and PIN authentication as the two different physical access controls. However, some entities do not limit access to PIN numbers to the minimum number of necessary employees,” FERC said. “For example, staff has observed some registered entities store their employee PIN numbers as plain text within the [physical access control systems] management system and allow a broad range of employees (e.g., system operators or administrators) to have access to view the employee PIN numbers.”
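The “overly permissive” firewall finding above is the kind of thing an entity can check for itself before an audit. The following script is an added illustration, not code from FERC, NERC or ERO Insider; the rule format, the sample rule set and the 256-address threshold are assumptions chosen for the example.

```python
"""Flag overly permissive inbound 'allow' rules on an ESP boundary firewall.

Added example, not from the FERC report. The Rule layout, the constructed
sample rules and the 256-address threshold are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed threshold: an inbound allow rule whose source range covers more
# than this many addresses is treated as "overly permissive" and flagged.
MAX_SOURCE_ADDRESSES = 256


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    source: str      # CIDR such as "10.10.5.0/28", or "any"
    dest_port: str   # TCP/UDP port number, or "any"


def _source_network(source: str) -> ipaddress.IPv4Network:
    # Most firewalls treat "any" as 0.0.0.0/0, so normalise it that way.
    if source.lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(source, strict=False)


def permissive_rules(rules, max_source=MAX_SOURCE_ADDRESSES):
    """Return (rule name, source network, reason) for each risky allow rule."""
    findings = []
    for rule in rules:
        if rule.action.lower() != "allow":
            continue  # deny rules cannot be too permissive
        net = _source_network(rule.source)
        reasons = []
        if net.num_addresses > max_source:
            reasons.append(f"source spans {net.num_addresses} addresses")
        if rule.dest_port.lower() == "any":
            reasons.append("all destination ports allowed")
        if reasons:
            findings.append((rule.name, str(net), "; ".join(reasons)))
    return findings


# Constructed sample rule set for an ESP boundary firewall (not real data).
SAMPLE_RULES = [
    Rule("ems-to-rtu", "allow", "10.10.5.0/28", "20000"),   # tight: 16 hosts
    Rule("vendor-remote", "allow", "0.0.0.0/0", "22"),      # whole Internet
    Rule("corp-lan", "allow", "10.0.0.0/8", "any"),         # entire /8, any port
    Rule("default-deny", "deny", "any", "any"),
]

if __name__ == "__main__":
    for name, net, reason in permissive_rules(SAMPLE_RULES):
        print(f"{name}: {net} -> {reason}")
```

Run against an exported rule table, the two flagged rules are the ones an auditor would ask the entity to justify or tighten; the threshold should be set to match the entity's own ESP design.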
It also recommended that entities use colored covers or labels to clearly mark transient cyber assets and removable media.
“While entities generally only used transient cyber assets and removable media to access BES cyber systems, staff observed several instances in which ‘unmanaged’ cyber assets or storage media were used by accident,” FERC said.
FERC said its recommendations concerned practices that could improve security but are not necessarily required by the CIP Reliability Standards.
Would FERC like to see these recommendations made mandatory?
“When staff makes these observations … they tend to reflect implementation practices. … The standards are objective-based and typically don’t cover implementation issues,” said Ortiz. “We don’t have an opinion on whether or not they should be requirements. We’re just highlighting them as possible ways to improve security in light of the standards. Every one of the recommendations ties back to a specific requirement.”
FERC began conducting the audits in fiscal year 2016. Its first report, covering FY16 and FY17, included 21 recommendations. The “lessons learned” count dropped to 10 in its FY18 report.
OER Director Andy Dodge said the new report is meant to supplement the previous findings, which he said FERC still backs.
“The seven items that we identified as lessons learned … were new this year [in] that we may not have identified [them] in previous years. It’s not any indication that there’s less opportunities for improvement or to improve the security of the bulk electric system,” Dodge said.
Has CIP compliance improved since FERC began doing the audits?
“I think it’s difficult to say just because [of] the differences between each of the entities that we do,” said Herd. “We typically try to get a variety of different types of entities, different registrations, sizes, footprint. I’d say it’s difficult to compare them against each other.”
“But we have found in general … that since 2016 when [CIP] version 5 was implemented, that generally security staffs and [subject matter experts], utility operators have a much stronger understanding of CIP standards than” before, he added.
Kenneth McIntyre, NERC’s vice president of standards and compliance between May 2016 and April 2019, wrote a 2015 commentary defending FERC’s audits when they were initiated.
At the time, McIntyre noted, NERC was rolling out CIP version 5.
As with the previous versions, McIntyre wrote, “much effort has been devoted to figuring out loopholes and work-arounds to circumvent compliance obligations.
“… Based on industry’s track record, it is easy to assume that FERC may have concerns that there is still too much ‘minimization’ of scope for the CIP Standards throughout the industry,” he continued. “Additionally, FERC does have legitimate concerns around the lack of consistent interpretations from region to region and NERC themselves.”
McIntyre, now executive director for MISO, did not respond to a request for comment.
Ortiz declined to comment on McIntyre’s observations. “What I will say is that version 5 of the CIP standards was a significant change in the overall approach to cybersecurity. Principally, it went to this risk-based system [in] which the main standard, CIP 2, which required classification of assets, was really critical. And an understanding that that was a big shift in the standards was the primary motivation for FERC undertaking its own audits—not to get around the entities or go around NERC. We do all these, we lead them, but we do them in collaboration with NERC and the relevant entity.”
FERC said it plans to conduct additional CIP audits in FY 2020.