FERC identified several areas where registered entities can improve their compliance with NERC’s Critical Infrastructure Protection (CIP) standards in audits conducted over the past year, the commission said in a report released this week.
The Lessons Learned from Commission-Led Reliability Audits report is the latest in a series released each year since 2016. Each report covers the preceding fiscal year, which runs from Oct. 1 to Sept. 30. During the fiscal year, FERC staff conduct audits with select utilities, which comprise “data requests and reviews, webinars and teleconferences, [and] virtual and on-site visits,” FERC said in the document. Staff from NERC and the regional entities participated in the audits along with FERC’s Office of Electric Reliability and Office of Enforcement.
Both in-person and virtual visits required interviewing entities’ subject matter experts and observing staff operating practices, processes and procedures. Auditors spoke with employees and managers who handled tasks within the audit scope and reviewed documentation to verify CIP compliance. As in previous years, details about the audits — such as how many audits were performed and which utilities were visited — were not disclosed.
In addition, FERC and ERO staff conducted field inspections remotely to observe the functioning of cyber assets — referring to programmable electronic devices including hardware, software and data — that the entity classified as high-, medium- or low-impact as required by the CIP standards. The criteria for identifying a cyber system’s impact level are found in CIP-002-5.1a (Bulk electric system cyber system categorization).
The report’s authors found that, overall, “most of the cybersecurity protection processes and procedures adopted by the registered entities met the mandatory requirements of the CIP standards.” However, FERC also noted common missteps that could result in “potential noncompliance and security risks.”
FERC discussed five lessons learned in the report, one more than in last year’s assessment but the same as in the 2022 report. (See FERC’s CIP Report Finds Fewer Issues Again.) The issues identified relate to four standards: CIP-002-5.1a, CIP-010-4, CIP-011-2 and CIP-012-1.
Two lessons in the report arose from CIP-002-5.1a, specifically requirement R1. The requirement directs entities to identify cyber systems and assets, and determine the impact that their loss, compromise or misuse could have on grid reliability.
FERC said auditors found some cases in which entities installed cyber assets — specifically, firewalls — whose risks were not properly categorized. The report said there was a chance that if these devices failed to operate correctly, they would fail “closed,” meaning network traffic could not flow to maintain normal network behavior.
While the devices were outside the entities’ electronic security perimeter (ESP) and thus did not technically meet the definition of cyber asset, the report said they may affect cyber assets to the point of impacting reliability. FERC recommended entities consider enhancing their categorization procedures to catch such assets and ensure their potential impacts are noted.
The standard also requires entities to evaluate segmented control centers at a single location as a single control center in their asset identification and categorization procedures. FERC said some entities improperly segmented a single control center into multiple centers that “were logically segmented by electronic access controls.”
The report said entities had done this in order to “reduce the compliance risk associated with the … CIP reliability controls [but] were not fully aware of the limitations of segmentation within the CIP standards.” If cyber systems are not properly classified, FERC said, entities “may not apply the required controls consistent with the risk.”
‘Multiple Instances’ of Cyber Risk
For the remaining standards, the commission identified a single lesson learned for each. CIP-010-4 requires that entities include “all intentionally installed, commercially available software on each cyber asset” in their cyber asset baselines, including both standalone applications and related browser extensions. However, FERC noted cases in which entities did not specify whether the standalone application or the extension was installed on a system.
FERC said this practice could create problems when an entity experiences issues and needs to restore a system from backup. It warned that if baseline documentation is incomplete or incorrect, proper restoration could become “challenging, if not impossible.” Inaccurate documentation could also affect the accuracy of the entity’s security posture.
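The baseline problem FERC describes is easy to see in code. The following is an added example, not material from the FERC report or from any NERC tooling: it records each baseline entry with an explicit component kind (standalone application versus browser extension) and compares a host’s observed inventory against the documented baseline, so that an entry whose kind is unspecified is flagged as ambiguous rather than silently accepted. The pipe-separated format, the kind vocabulary, the host name and every package name and version below are constructed for illustration.

```python
"""Software baseline comparison with explicit component kinds (added example).

A baseline line that only says "ExampleBrowser" cannot tell a restore team
whether the standalone browser, its extension, or both belong on the host.
This example keeps the kind explicit and reports drift between the
documented baseline and what is actually installed. All data is constructed;
the 'kind|name|version' format is an assumption, not a NERC/FERC format.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable

# Assumed vocabulary for the component kind column.
ALLOWED_KINDS = {"application", "browser_extension"}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    kind: str


@dataclass
class BaselineDiff:
    missing: set[str] = field(default_factory=set)           # in baseline, not on host
    unexpected: set[str] = field(default_factory=set)        # on host, not in baseline
    version_mismatch: set[str] = field(default_factory=set)  # same component, other version
    ambiguous: set[str] = field(default_factory=set)         # baseline entry lacks a usable kind

    def is_clean(self) -> bool:
        return not (self.missing or self.unexpected
                    or self.version_mismatch or self.ambiguous)


def parse_inventory(lines: Iterable[str]) -> tuple[set[Component], set[str]]:
    """Parse 'kind|name|version' lines.

    Returns the well-formed components and the names of entries whose kind
    is missing or not in ALLOWED_KINDS (the documentation gap FERC flagged).
    """
    components: set[Component] = set()
    ambiguous: set[str] = set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [f.strip() for f in line.split("|")]
        if len(parts) != 3:
            ambiguous.add(line)  # malformed: cannot tell kind from name
            continue
        kind, name, version = parts
        if kind not in ALLOWED_KINDS:
            ambiguous.add(name)
            continue
        components.add(Component(name, version, kind))
    return components, ambiguous


def compare(baseline_lines: Iterable[str], observed_lines: Iterable[str]) -> BaselineDiff:
    """Diff a documented baseline against an observed host inventory."""
    baseline, ambiguous = parse_inventory(baseline_lines)
    observed, _ = parse_inventory(observed_lines)
    diff = BaselineDiff(ambiguous=ambiguous)
    # Key on (name, kind): the same name as an application and as an
    # extension are two different components and are tracked separately.
    base_by_key = {(c.name, c.kind): c for c in baseline}
    obs_by_key = {(c.name, c.kind): c for c in observed}
    for key, comp in base_by_key.items():
        label = f"{comp.kind}:{comp.name}"
        if key not in obs_by_key:
            diff.missing.add(label)
        elif obs_by_key[key].version != comp.version:
            diff.version_mismatch.add(f"{label} {comp.version}->{obs_by_key[key].version}")
    for key, comp in obs_by_key.items():
        if key not in base_by_key:
            diff.unexpected.add(f"{comp.kind}:{comp.name}")
    return diff


# Constructed sample baseline for a hypothetical host "HMI-01".
BASELINE = """
# kind|name|version
application|ExampleBrowser|118.0
browser_extension|ExampleBrowser PDF Viewer|2.3
application|HistorianClient|5.1
unspecified|SCADA Alarm Tool|1.0
"""

# Constructed sample of what an inventory scan of the same host reported.
OBSERVED = """
application|ExampleBrowser|118.0
application|HistorianClient|5.2
browser_extension|Unknown Helper|0.9
"""

if __name__ == "__main__":
    result = compare(BASELINE.splitlines(), OBSERVED.splitlines())
    for category in ("missing", "unexpected", "version_mismatch", "ambiguous"):
        for item in sorted(getattr(result, category)):
            print(f"{category:17s} {item}")
```

Run as a script, the example lists the PDF viewer extension as missing, the historian client as a version mismatch, the unknown extension as unexpected, and the alarm tool as ambiguous because its baseline entry never said whether it was an application or an extension. The ambiguous bucket is the one that matters for the restore scenario FERC describes: it cannot be resolved from the inventory at all, only by fixing the baseline documentation.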
Next, the commission turned to CIP-011-2, and its requirement that entities “implement controls to protect [grid] cyber system information … to mitigate the risks posed by unauthorized disclosure and unauthorized access.” Audit staff did not go into details of noncompliance with the standard, saying only that “in some cases, not all entities consistently implemented adequate controls to identify, protect and securely handle” cyber system information. The report said staff found “multiple instances” of cyber information-related risk in their audits.
The final lesson learned was from CIP-012-1, which mandates that entities identify and address the possibility of unauthorized disclosure or modification of real-time data transmitted between control centers within a single network, ESP or other environment.
FERC said that while entities “generally had strong processes and procedures for” identifying relevant communications, “some failed to recognize or categorize the communications paths internal to their own networks.” In particular, the commission said some entities did not realize the connection between their primary and backup control centers is covered by the CIP-012-1 requirements. The report’s authors said entities should expand their identification of real-time communications to include all control centers, including those within their own environments.