FERC staff today offered recommendations to help users, owners and operators of the bulk electric system improve their compliance with mandatory Critical Infrastructure Protection (CIP) reliability standards and their overall cybersecurity postures.
The report, 2023 Lessons Learned from Commission-Led Reliability Audits, finds most of the registered entities’ cybersecurity protection measures meet the mandatory requirements of the CIP reliability standards. The report identifies potential noncompliance and security risks that remain, and also offers recommendations to mitigate those risks.
The annual report can help entities assess their risk and compliance with mandatory reliability standards while facilitating efforts to improve the broader security of the nation’s electric grid. Staff from FERC’s offices of Electric Reliability and Enforcement conducted the audits in collaboration with staff from the North American Electric Reliability Corporation and its regional entities.
Their report recommends:
- Identifying and categorizing all bulk-electric cyber systems and their associated cyber assets;
- Reporting all cyber security incidents, and attempts to compromise that were identified as cyber security incidents, to the Electricity Information Sharing and Analysis Center and the Cybersecurity and Infrastructure Security Agency;
- Restricting all inbound and outbound access permissions, including the reason for granting access, and denying all other access by default;
- Enhancing supply chain risk management programs to include evaluating the risks of existing vendors, and developing a plan to respond to risks that are identified.
R24-4