FERC Cybersecurity Report Provides Recommendations to Improve Compliance With Reliability Standards

The Federal Energy Regulatory Commission issued a report on Oct. 4 finding that most of the cyber security protection processes and procedures adopted by registered entities of the bulk power system met the mandatory requirements of the Critical Infrastructure Protection, or CIP, Reliability Standards during fiscal year 2019. The report, based on audits of registered entities, provides recommendations to help responsible entities improve compliance, as well as their overall cyber security levels.

The commission staff found potential compliance infractions and also observed practices that could enhance security but are not necessarily required by the reliability standards. To this end, the report offers recommendations regarding voluntary practices. A discussion of lessons learned recommends that entities consider all generation assets, irrespective of ownership, along with transmission facilities, when categorizing BES cyber systems. Entities are encouraged to ensure that employees and third-party contractors complete the required training and to maintain training records; to verify employees’ recurring authorizations for using removable media; and to review firewalls to avoid “obsolete or overly permissive firewall access control rules.”
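The firewall recommendation above is the one item in the report's lessons learned that lends itself to a mechanical check. The following is an added example, not code from the FERC report or from any registered entity: it audits a small, constructed rule set for the two conditions the report names, rules that are overly permissive (broad source and destination, or a wide port range) and rules that are obsolete (never matched, or unmatched for longer than a threshold). The rule fields, the sample rules, the 90-day staleness window and the "broader than /16" cutoff are all assumptions chosen for illustration, not values taken from the report or from the CIP standards.

```python
"""Flag obsolete or overly permissive firewall access control rules.

Added example (not from the FERC report). The Rule fields, the sample
rule set, and the thresholds below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple
import ipaddress

STALE_AFTER = timedelta(days=90)   # assumed: unmatched this long counts as obsolete
BROAD_PREFIX = 16                  # assumed: a prefix shorter than /16 counts as broad
BROAD_PORTS = 1024                 # assumed: more than this many ports counts as broad


@dataclass
class Rule:
    name: str
    action: str                # "allow" or "deny"
    src: str                   # CIDR or "any"
    dst: str                   # CIDR or "any"
    ports: str                 # "any", "22", or a range like "1024-65535"
    last_hit: Optional[date]   # None means the rule has never matched traffic


def _is_broad(cidr: str) -> bool:
    """True for 'any' or for a network wider than BROAD_PREFIX."""
    if cidr.lower() == "any":
        return True
    return ipaddress.ip_network(cidr, strict=False).prefixlen < BROAD_PREFIX


def _port_span(ports: str) -> int:
    """Number of ports a port field covers."""
    if ports.lower() == "any":
        return 65536
    lo, _, hi = ports.partition("-")
    return int(hi or lo) - int(lo) + 1


def audit(rules: List[Rule], today: date) -> List[Tuple[str, List[str]]]:
    """Return (rule name, reasons) for every allow rule that needs review."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules cannot be "overly permissive"
        reasons = []
        if _is_broad(r.src) and _is_broad(r.dst):
            reasons.append("broad source and destination")
        if _port_span(r.ports) > BROAD_PORTS:
            reasons.append("broad port range")
        if r.last_hit is None:
            reasons.append("never matched")
        elif today - r.last_hit > STALE_AFTER:
            reasons.append("unused for more than %d days" % STALE_AFTER.days)
        if reasons:
            findings.append((r.name, reasons))
    return findings


# Constructed sample rule set (assumed addresses and hit dates, not real data).
AUDIT_DATE = date(2019, 10, 4)
SAMPLE_RULES = [
    Rule("ems-to-historian", "allow", "10.10.1.0/24", "10.20.5.10/32",
         "5450", date(2019, 10, 3)),                      # tight and in use
    Rule("temp-vendor-access", "allow", "any", "any", "any",
         date(2019, 3, 1)),                               # wide open, long unused
    Rule("legacy-telnet", "allow", "10.0.0.0/8", "10.20.0.0/16",
         "23", None),                                     # never matched
    Rule("default-deny", "deny", "any", "any", "any", None),
]


def run_sample() -> List[Tuple[str, List[str]]]:
    return audit(SAMPLE_RULES, AUDIT_DATE)


if __name__ == "__main__":
    for name, reasons in run_sample():
        print("%s: %s" % (name, "; ".join(reasons)))
```

In practice the rule list would be exported from the firewall together with per-rule hit counters or last-match timestamps; the check then becomes a periodic job whose output is reviewed against the documented business need for each flagged rule before anything is removed.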

The CIP standards are designed to mitigate the cybersecurity and physical security risks to BES facilities, systems, and equipment which, if “destroyed, degraded, or otherwise rendered unavailable,” would affect the reliable operation of the system. Since 2008, these standards have undergone multiple revisions to address commission directives and respond to emerging cybersecurity issues.