FERC Provides Recommendations to Improve Compliance With Infrastructure Protection Standards

The Federal Energy Regulatory Commission on Oct. 14 issued a report providing recommendations to improve compliance with Critical Infrastructure Protection, or CIP, reliability standards based on lessons learned from audits of registered entities for fiscal year 2022.

The findings show that most of the cybersecurity protection measures adopted by the entities satisfied the mandatory requirements. Recommendations in the report address remaining potential noncompliance and security risks, including cybersecurity practices comprising processes, procedures and technical controls to reduce those risks.

The CIP audit produced several findings on the state of risk preparedness and mitigation measures among registered entities. Commission staff found that even though most of the cybersecurity protection standards, procedures and processes adopted by the registered entities complied with the mandatory requirements of the CIP Standards, security risks remained. The audit found a misinterpretation of the requirement to carry out a cybersecurity incident response plan at least once in 36 months. For non-Windows bulk-power system cyber assets, entities depended on control protocols other than antivirus to deter, detect, or prevent malware, and those controls did not provide the most effective malware protection, thereby exposing security loopholes. Also, failure to conduct a comprehensive review of system vulnerabilities could lead to these assets being compromised, which may impair reliability.

Among the key recommendations, the report suggests re-evaluation of policies, procedures, and controls pertaining to low-impact cyber systems and related cyber assets. The report recommends a comprehensive malicious code prevention program for assets within a bulk electric system cyber system and vulnerability assessment processes for assets where applicable. Further, the staff recommend a review and validation of controls used to address software vulnerabilities and malicious code on transient cyber assets that are managed by a third party.

The commission carried out a Critical Infrastructure Protection audit of many U.S.-based entities registered by the North American Electric Reliability Corporation, the federally designated electric reliability organization that develops and enforces mandatory standards for reliable planning and operation of the power system. The CIP standards were developed to ensure the integrity and reliability of critical infrastructure and to mitigate the physical and cybersecurity risks to equipment and bulk electric systems; if these were attacked, compromised or destroyed, the integrity and reliability of the bulk power system could be affected.




