CIP Reliability Audit Lessons Learned

Monday, October 9, 2017 @ 03:10 PM gHale


There is now a tool available for users, owners and operators employing bulk-power systems to assess their risk, compliance and overall cybersecurity.

The report, released by the Federal Energy Regulatory Commission (FERC), is based on lessons learned from several non-public audits of registered entities.

These lessons learned can help facilitate compliance with mandatory reliability standards and will also facilitate efforts to improve the security of the nation’s electric grid.

Staff from FERC’s Office of Electric Reliability and Office of Enforcement conducted the audits in collaboration with staff from the North American Electric Reliability Corporation (NERC) and its regional entities.

The audits assessed compliance with version 5 of NERC’s Critical Infrastructure Protection (CIP) standards and also identified possible areas for improvement not specifically addressed by the CIP reliability standards. The audits were conducted in fiscal years 2016 and 2017.

The report describes the lessons learned from the audits, including insights into the cybersecurity and CIP compliance issues encountered by the audited entities. These lessons learned will help other entities improve their compliance with the CIP reliability standards as well as their overall cybersecurity.

Among staff’s recommendations:
• Ensure all shared facility categorizations are coordinated between the owners of the shared facility through clearly defined and documented responsibilities for CIP reliability standards compliance
• Ensure policies and testing procedures for all electronic communications protocols are afforded the same rigor
• For each remote cyber asset conducting interactive remote access, disable all other network access outside of the connection to the bulk electric system cyber system that is being remotely accessed, unless there is a documented business or operational need
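The third recommendation is a concrete network control: a host used for interactive remote access should be able to reach only the bulk electric system cyber system it is accessing, with any other path backed by a documented need. The following script is an added example, not part of the FERC report or of this article; it assumes a hypothetical per-host list of allowed outbound rules and a dictionary of documented exceptions, and flags every rule that falls outside the accessed system's network without such an exception. The host names, addresses and rules are constructed for illustration.

```python
"""Audit the outbound access of remote-access hosts against the FERC staff
recommendation: reach only the BES cyber system being accessed, unless a
documented business or operational need covers another path.

Added example (hypothetical rule format); all addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    dest: str       # CIDR or single address the host may reach
    port: int
    purpose: str


@dataclass
class RemoteAccessHost:
    name: str
    bes_target: str                  # network of the BES cyber system accessed
    rules: list
    # destination -> documented business/operational need (constructed)
    exceptions: dict = field(default_factory=dict)


def audit_host(host):
    """Return findings for rules that allow access outside the BES target
    network and have no documented exception; an empty list means the host
    matches the recommendation."""
    target = ipaddress.ip_network(host.bes_target, strict=False)
    findings = []
    for rule in host.rules:
        net = ipaddress.ip_network(rule.dest, strict=False)
        # In-scope: the path to the BES cyber system being remotely accessed.
        if net.version == target.version and net.subnet_of(target):
            continue
        # Out of scope but covered by a documented need: not a finding.
        if rule.dest in host.exceptions:
            continue
        findings.append(
            f"{host.name}: {rule.dest}:{rule.port} ({rule.purpose}) "
            "reachable with no documented business or operational need"
        )
    return findings


def audit_all(hosts):
    """Map each host name to its findings so the result can be reported."""
    return {h.name: audit_host(h) for h in hosts}


# Constructed sample inventory: one compliant host, one with a gap.
COMPLIANT = RemoteAccessHost(
    name="ra-jump-01",
    bes_target="10.20.0.0/24",
    rules=[Rule("10.20.0.0/24", 22, "SSH to BES cyber system")],
)

NONCOMPLIANT = RemoteAccessHost(
    name="ra-jump-02",
    bes_target="10.20.0.0/24",
    rules=[
        Rule("10.20.0.0/24", 3389, "RDP to BES cyber system"),
        Rule("10.50.1.10", 514, "syslog export to central collector"),
        Rule("0.0.0.0/0", 443, "general web browsing"),
    ],
    exceptions={"10.50.1.10": "Ticket CHG-0000 (constructed): log forwarding"},
)

if __name__ == "__main__":
    for name, findings in audit_all([COMPLIANT, NONCOMPLIANT]).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for line in findings:
            print("  -", line)
```

Run as a script it prints one finding for ra-jump-02 (the unrestricted web path) and none for ra-jump-01; the syslog path is accepted because an exception is recorded for it, which mirrors the "unless there is a documented business or operational need" clause of the recommendation.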

Staff found most of the cybersecurity protection processes and procedures adopted by the audited entities met the mandatory requirements of the CIP Reliability Standards. Staff also found instances of potential compliance infractions. In addition, staff identified possible areas of improvement in the security posture of audited entities that are not specifically addressed by the CIP Reliability Standards.

The audits gave audited entities the opportunity to learn of areas for improvement in their security posture, and staff recommended proposals to address the matters.
