FERC outlined several recommendations for registered entities to improve their compliance with NERC’s Critical Infrastructure Protection (CIP) standards in a report released last week.
The commission based the recommendations in the Lessons Learned from Commission-Led CIP Reliability Audits report on findings from the latest round of audits performed by commission staff during fiscal year 2022, which ended Sept. 30. NERC and the regional entities also took part, as they have since FERC began conducting CIP audits in 2016.
As with previous years, details about the audits — such as how many audits were performed and which utilities were visited — were not disclosed. According to the report, the fieldwork “primarily consisted of data requests and reviews, webinars and teleconferences, and virtual on-site visits.” During the virtual visits, commission staff interviewed the utilities’ subject matter experts and the utilities demonstrated operating practices, processes and procedures. FERC also interviewed employees and managers who performed tasks within the audit scope and examined entities’ compliance documentation.
This year’s audits produced just five recommendations, the fewest since FERC began issuing the reports and a drop of nearly two-thirds from the 14 produced last year. The report’s authors did not acknowledge the decline in lessons learned or suggest any reason for it, stating only that “most of the cyber security protection processes and procedures adopted by the registered entities met the mandatory requirements of the CIP standards, [although] potential noncompliance and security risks remained.”
FERC’s suggestions encompassed three standards. For CIP-003-8 (Cyber security, security management controls) the commission recommended that utilities re-evaluate their policies, procedures and controls for low-impact cyber systems and related assets.
The report’s authors noted that “certain entities” had misinterpreted the standard’s requirement that utilities test their cybersecurity incident response plan at least once every 36 calendar months. Some utilities had concluded that they did not have to test their plans until 36 months after registration. FERC asserted that this is incorrect: Plans must be tested before registration and at least once every 36 months thereafter.
CIP-003-8 also requires that entities identify all transient cyber assets (TCA) — removable media — that they manage, as well as those managed by third parties, to mitigate the risk of infiltration through inadvertent code transfers from unauthorized sources. This “may not be fully understood,” FERC staff said. The report warned utilities that failure to address these assets poses a “serious risk” of compromise to the bulk electric system.
Detailing the issues with CIP-007-6 (Cyber security, systems security management), FERC staff “noted multiple instances where the treatment of end-of-life or end-of-service … BES cyber assets created potential security and compliance risks.” Some entities were found not to have a patch management process or mitigation plans for these assets or were unaware of the extent of assets on their system that were vulnerable in this way. The authors also discovered that not all entities correctly followed the standard’s requirement that they implement a malicious code prevention program on their cyber systems.
For CIP-010-4 (Cyber security, configuration change management and vulnerability assessments), the report found deficiencies in entities’ adherence to the requirement that they have a vulnerability assessment program. Although utilities “generally included multiple vulnerability assessment elements,” at times they neglected “key elements” in the process, potentially leaving them unaware of dangerous vulnerabilities, FERC said.
Finally, staff reiterated the standard’s recommendation that entities “review and validate controls used to mitigate software vulnerabilities and malicious code on TCAs managed by a third party,” noting that “some entities accepted attestations from third parties without performing due diligence” to validate the TCAs’ risk level.
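Three of the findings above (the misread 36-calendar-month test interval, end-of-life assets with no mitigation plan or patch process, and third-party TCAs accepted on attestation alone) are the kind of thing a compliance team can check mechanically against its own evidence records. The script below is an added example written for this article; it is not FERC's, NERC's or any registered entity's tooling. The record layouts, field names, evidence categories and the sample inventory are all constructed assumptions chosen to illustrate the findings.

```python
"""Evidence checks modelled on the FERC CIP audit findings (constructed example)."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


def add_calendar_months(d: date, months: int) -> date:
    """Advance d by whole calendar months, the unit CIP-003-8 uses for the test
    interval, clamping the day to the target month's last day (Nov 30 + 3 -> Feb 28/29)."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


# Record layouts below are assumptions for this example, not a NERC data model.
@dataclass
class IncidentResponsePlan:
    registration_date: date
    test_dates: List[date]  # dates the plan was exercised


@dataclass
class BesCyberAsset:
    name: str
    end_of_support: Optional[date]  # vendor end-of-life/end-of-service; None if supported
    has_patch_process: bool
    mitigation_plan: Optional[str]  # reference to compensating controls, if any


@dataclass
class TransientCyberAsset:
    name: str
    managed_by_third_party: bool
    evidence: List[str]  # what the entity holds on the TCA's malicious-code controls


def check_incident_response_plan(plan: IncidentResponsePlan, as_of: date) -> List[str]:
    """Plan must be tested before registration and within 36 calendar months of the
    previous test; the clock runs from the last test, not from registration."""
    findings = []
    if not any(t <= plan.registration_date for t in plan.test_dates):
        findings.append("incident response plan was not tested before registration")
    done = [t for t in plan.test_dates if t <= as_of]
    if done:
        deadline = add_calendar_months(max(done), 36)
        if as_of > deadline:
            findings.append(f"incident response plan test overdue since {deadline}")
    return findings


def check_eol_assets(assets: List[BesCyberAsset], as_of: date) -> List[str]:
    """Every asset needs a patch process; an unsupported asset also needs a mitigation plan."""
    findings = []
    for a in assets:
        if not a.has_patch_process:
            findings.append(f"{a.name}: no patch management process")
        if a.end_of_support and a.end_of_support <= as_of and not a.mitigation_plan:
            findings.append(f"{a.name}: past end of support ({a.end_of_support}) with no mitigation plan")
    return findings


# Evidence categories are assumptions: anything here counts as entity-performed validation.
VALIDATING_EVIDENCE = {"antivirus_scan_log", "patch_level_review", "entity_performed_scan"}


def check_third_party_tcas(tcas: List[TransientCyberAsset]) -> List[str]:
    """A vendor attestation on its own is not validation of the TCA's controls."""
    return [f"{t.name}: third-party TCA accepted on attestation alone"
            for t in tcas
            if t.managed_by_third_party and not VALIDATING_EVIDENCE.intersection(t.evidence)]


# Constructed sample inventory for a single fictional entity.
SAMPLE_PLAN = IncidentResponsePlan(
    registration_date=date(2019, 7, 1),
    test_dates=[date(2019, 5, 15)],  # tested once before registration, never since
)
SAMPLE_ASSETS = [
    BesCyberAsset("substation-hmi-01", date(2020, 1, 14), True, "isolated VLAN, host firewall"),
    BesCyberAsset("relay-gateway-02", date(2021, 6, 30), False, None),
    BesCyberAsset("scada-fep-03", None, True, None),
]
SAMPLE_TCAS = [
    TransientCyberAsset("vendor-laptop-a", True, ["attestation"]),
    TransientCyberAsset("vendor-laptop-b", True, ["attestation", "antivirus_scan_log"]),
    TransientCyberAsset("field-tech-usb", False, ["entity_performed_scan"]),
]


def run_checks(as_of: date) -> List[str]:
    return (check_incident_response_plan(SAMPLE_PLAN, as_of)
            + check_eol_assets(SAMPLE_ASSETS, as_of)
            + check_third_party_tcas(SAMPLE_TCAS))


if __name__ == "__main__":
    # On 2022-06-15 the plan is overdue under the correct reading (last test + 36 months =
    # 2022-05-15) but would still look compliant under the misreading (registration + 36 months).
    for finding in run_checks(date(2022, 6, 15)):
        print("FINDING:", finding)
```

The sample date is chosen to show why the misinterpretation matters: counting 36 months from registration would put the deadline at 1 July 2022, while counting from the pre-registration test puts it in May, so the entity is already out of compliance. Real evidence systems will differ; the value is in making each requirement a testable rule rather than an annual interpretation exercise.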