FERC staff today offered recommendations to help users, owners and operators of the bulk electric system (BES) improve compliance with mandatory Critical Infrastructure Protection (CIP) reliability standards and overall cybersecurity postures.
The report, 2024 Lessons Learned from Commission-Led Reliability Audits, finds most of the registered entities’ cybersecurity protection measures meet the mandatory requirements of the CIP reliability standards. The report identifies potential noncompliance and security risks that remain, and offers recommendations to mitigate those risks.
The annual report can help entities assess their risk and compliance with mandatory reliability standards while facilitating efforts to improve the broader security of the nation’s electric grid. Staff from FERC’s offices of Electric Reliability and Enforcement conducted the audits in collaboration with staff from the North American Electric Reliability Corporation and its regional entities.
The report discusses the following lessons:
- Assess the risk to operations presented by associated Cyber Assets, such as Electronic Access Control or Monitoring Systems, Protected Cyber Assets and Physical Access Control Systems, and consider additional security controls beyond those required by their categorization (CIP-002-5.1a, R1).
- Ensure logically segmented Control Centers at a single site location are evaluated as a single Control Center in BES Asset identification and categorization procedures (CIP-002-5.1a, R1).
- Ensure that Cyber Asset baselines include all intentionally installed, commercially available software on each Cyber Asset, including browser extensions and stand-alone applications (CIP-010-4, R1.1.2).
- Identify, monitor and implement controls to protect BES Cyber System Information (BCSI) to mitigate the risks posed by unauthorized disclosure and unauthorized access (CIP-011-2, R1).
- Ensure the risks of unauthorized disclosure and unauthorized modification of real-time data transmitted between Control Centers within a single environment (networks, Electronic Security Perimeters) are identified and addressed (CIP-012-1, R1).
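The CIP-010 lesson above is easiest to act on when a baseline comparison is automated. The following is an added illustration, not code from the FERC report or from any registered entity: it compares a recorded Cyber Asset baseline against a current inventory and flags software that is installed but not in the baseline (including browser extensions and stand-alone applications), version drift, and baseline entries no longer present. It also checks that the baseline itself records every software kind the lesson calls for, since a baseline that simply omits the "browser_extension" category cannot detect an unlisted extension. All data, field names and the `kind` labels are constructed assumptions for the example.

```python
"""Baseline deviation check for a Cyber Asset's installed software.

Added example for the CIP-010 R1.1.2 lesson; constructed data, not
taken from any audit. Field names and kind labels are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Software kinds the lesson expects a baseline to cover (assumption).
REQUIRED_KINDS = ("package", "standalone_app", "browser_extension")


@dataclass(frozen=True)
class SoftwareItem:
    name: str
    version: str
    kind: str  # one of REQUIRED_KINDS

    @property
    def key(self) -> Tuple[str, str]:
        # Name alone is ambiguous: a package and an extension may share it.
        return (self.kind, self.name)


@dataclass
class BaselineReport:
    unlisted: List[SoftwareItem] = field(default_factory=list)
    version_drift: List[Tuple[SoftwareItem, SoftwareItem]] = field(default_factory=list)
    missing: List[SoftwareItem] = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.unlisted or self.version_drift or self.missing)


def uncovered_kinds(baseline: List[SoftwareItem]) -> List[str]:
    """Kinds the baseline never records; an empty baseline category is a
    likely sign that a whole class of software was never inventoried."""
    present = {item.kind for item in baseline}
    return [k for k in REQUIRED_KINDS if k not in present]


def compare_to_baseline(baseline: List[SoftwareItem],
                        observed: List[SoftwareItem]) -> BaselineReport:
    """Diff an observed inventory against the recorded baseline."""
    base: Dict[Tuple[str, str], SoftwareItem] = {i.key: i for i in baseline}
    obs: Dict[Tuple[str, str], SoftwareItem] = {i.key: i for i in observed}
    report = BaselineReport()
    # Installed but never baselined: the CIP-010 finding in the lesson.
    report.unlisted = [i for k, i in obs.items() if k not in base]
    # Baselined but no longer present: also a change that needs a record.
    report.missing = [i for k, i in base.items() if k not in obs]
    # Same software, different version: an unauthorized change candidate.
    report.version_drift = [(base[k], obs[k]) for k in base
                            if k in obs and base[k].version != obs[k].version]
    return report


# Constructed sample baseline and inventory for one operator workstation.
SAMPLE_BASELINE = [
    SoftwareItem("ems-hmi-client", "4.2.0", "standalone_app"),
    SoftwareItem("openssl", "3.0.13", "package"),
    SoftwareItem("pdf-viewer", "1.4.1", "browser_extension"),
]
SAMPLE_OBSERVED = [
    SoftwareItem("ems-hmi-client", "4.2.0", "standalone_app"),
    SoftwareItem("openssl", "3.0.14", "package"),          # version drift
    SoftwareItem("pdf-viewer", "1.4.1", "browser_extension"),
    SoftwareItem("screen-share", "2.0.0", "browser_extension"),  # unlisted
]


def run_sample() -> BaselineReport:
    return compare_to_baseline(SAMPLE_BASELINE, SAMPLE_OBSERVED)


if __name__ == "__main__":
    rep = run_sample()
    for item in rep.unlisted:
        print(f"UNLISTED  {item.kind:18} {item.name} {item.version}")
    for old, new in rep.version_drift:
        print(f"DRIFT     {old.kind:18} {old.name} {old.version} -> {new.version}")
    for item in rep.missing:
        print(f"MISSING   {item.kind:18} {item.name} {item.version}")
    print("baseline kinds not covered:", uncovered_kinds(SAMPLE_BASELINE))
```

The key by `(kind, name)` rather than name alone matters in practice: a browser extension and a system package can share a name, and collapsing them would hide one of the two from the comparison.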