In its latest round of Critical Infrastructure Protection (CIP) audits, FERC noted registered entities have made significant progress in meeting or exceeding the reliability standards’ mandatory requirements.

However, the commission still noted several “potential compliance infractions” and other areas for improvement.

FERC’s “Lessons Learned from Commission-Led CIP Reliability Audits” report is based on audits carried out during the federal government’s 2020 fiscal year, which began on Oct. 1, 2019, and ended Sept. 30. The number of audits performed, which also involved staff from regional entities and NERC, was not disclosed in the report; the audited entities’ identities were also kept confidential.

FERC has been conducting CIP audits since FY 2016. Audit fieldwork includes data requests, webinars and teleconferences, and site visits to registered entities’ facilities. During site visits, audit staff interview utilities’ subject matter experts, along with employees and managers responsible for performing tasks within the audit scope; observe operating practices in real time; and examine entities’ “regulatory and corporate compliance culture.”

Recommendations up from Previous Report

This year’s report produced 12 lessons learned, intended to “help responsible entities improve their compliance with the CIP reliability standards and their overall cybersecurity posture.” The commission’s first report covered FY16 and FY17, and included 21 recommendations; the number of lessons learned dropped to 10 in the FY18 report and seven last year. (See FERC: Room for Improvement on CIP Compliance.)

Despite the rise in recommendations, FERC’s report emphasized that “most of the … processes and procedures adopted by the registered entities met the mandatory requirements” of the CIP standards. As a result, the lessons learned reflect “practices that could improve security but are not required by the [standards],” in addition to mandatory fixes to bring entities back in line with requirements.

The suggested improvements covered the following standards:

• CIP-002-5.1a — Bulk electric system cyber system categorization
• CIP-004-6 — Personnel and training
• CIP-006-6 — Physical security of BES cyber systems
• CIP-007-6 — Systems security management
• CIP-009-6 — Recovery plans for BES cyber systems
• CIP-010-2 — Configuration change management and vulnerability assessments
• CIP-011-2 — Information protection

For CIP-002-5.1a, staff observed that some entities did not properly identify BES cyber assets; for example, in some cases, cyber assets such as switches and protocol converters were recorded as communication equipment. This is incorrect, as such equipment “may pose an impact … within 15 minutes of their misuse.”

Auditors also found some instances in which substation BES cyber systems that should have been considered medium-impact were instead recorded by utilities as low-impact because staff “did not properly consider” the effect that all the relevant equipment might have when operated collectively.

Recommendations for CIP-004-6 include ensuring that electronic access to BES cyber system information is properly authorized and revoked, following auditors’ discoveries that several entities had not followed their procedures consistently. In some cases, access was granted verbally without filing the necessary documentation, while in others, the access of terminated employees was not deactivated by the end of the calendar day following their departure.

Improvements for physical security — covered by CIP-006-6 — include dedicated visitor logs at each physical access point, locking BES cyber systems’ server racks where possible and periodic inspections of physical security perimeters to ensure there are no unidentified physical access points. Consistent practices are also endorsed in the recommendations for CIP-007-6, which include periodic review of security patch management processes, as well as consolidating and centralizing password change procedures.

Under CIP-009-6, auditors noted that some entities “failed to update their backup and recover procedures in a timely manner,” for instance by failing to establish a new process following a critical event in violation of the standard’s requirement. Entities were also found to have neglected to “report any information to remediate and mitigate vulnerabilities identified in vulnerability assessments,” as mandated in CIP-010-2.

Finally, staff noted that several entities could not “demonstrate that they properly disposed of” substation devices removed from services as required by their asset reuse and disposal policies, and that others relied entirely on security controls provided by third-party vendors without verifying their sufficiency. Both issues could constitute a violation of information protection requirements in CIP-011-2.

In several places, staff also recommended that entities “consider the guidance” of the National Institute of Standards and Technology’s Security and Privacy Controls for Federal Information Systems and Organizations report. While implementing these recommendations would not contribute to compliance, they would enhance the culture of security among utility staff, they said.