FERC staff’s audits for compliance with NERC’s Critical Infrastructure Protection (CIP) standards this year produced the fewest recommendations for improvement yet, indicating that North American utilities’ cybersecurity practices largely meet the standards’ mandatory requirements.
As in previous years, however, the commission identified several aspects in which registered entities’ compliance needs improvement, as well as voluntary actions to improve cybersecurity protections in general.
FERC has been performing the CIP audits since 2016. Each audit covers the preceding fiscal year, which runs from Oct. 1 to Sept. 30. Audits comprise “data requests and reviews, webinars and teleconferences, and virtual and on-site interview sessions,” FERC said in the audit report.
Auditors spoke with entities’ subject matter experts, along with employees and managers responsible for CIP compliance tasks, and watched as personnel demonstrated the utilities’ operations. Audits also included reviews of relevant documentation, remote field inspections and observations of relevant cyber assets in operation. Staff from NERC and the regional entities participated in the audits alongside FERC personnel.
Details about the audits, such as how many audits were performed and which utilities were selected for examination, were not disclosed.
This year’s report included four lessons learned from the audits, relating to seven specific CIP standards. This is the fewest lessons learned since the commission began issuing the annual reports. Last year’s report produced five lessons learned, after 14 the previous year. (See FERC Report Finds CIP Issues Declining.)
The first lesson concerns identification and categorization of grid cyber systems and associated cyber assets. Requirement R1 of CIP-002-5.1a (Cybersecurity — BES cyber system categorization) mandates that registered entities identify cyber systems and assets whose “loss, compromise or misuse … could [impact] the reliable operation of the” electric grid. The report’s authors observed such identification “forms the foundation of the CIP … standards [because] miscategorization … can lead to the application of inadequate cybersecurity controls, or no controls at all.”
Utilities’ procedures for identifying applicable cyber systems were “generally … strong,” FERC staff found; however, auditors did find some cases in which systems were not categorized properly. In particular, some entities did not correctly classify hypervisors — software used to operate virtual machines — by the highest impact level of the virtual assets they manage. In addition, medium-impact cyber systems at some utilities were not identified as critical to derivation of interconnection reliability operating limits and associated contingencies.
Incident Notification Challenges
FERC’s next lesson learned relates to cybersecurity incident notification, the subject of several CIP standards.
CIP-008-6 (Cybersecurity — incident reporting and response planning) requires entities with medium- and high-impact cyber systems to notify the Electricity Information Sharing and Analysis Center (E-ISAC) in the event of a reportable cybersecurity incident, as identified in the standard. CIP-003-8 (Cybersecurity — security management controls) mandates that entities with low-impact cyber systems determine whether incidents at such systems compromised or disrupted reliability tasks and to notify the E-ISAC if so.
The commission found several incidents that entities did not properly identify or report to the E-ISAC. In one case, the entity discovered malware on a cyber system that it did not report as required by its incident response plan because the entity determined it was not compromised.
Another entity found malicious code on an installer in a cyber system’s recycle bin, a situation not covered by its incident response plan. The utility decided its system had not been compromised and no report was necessary; however, FERC staff said the malware still had “potential to perform malicious actions” and CIP-008-6 required such incidents to be reported.
FERC’s report emphasized that unreported incidents make it harder for grid operators to identify security risks, leading to compromised situational awareness for all entities. Recommendations included “developing more holistic criteria” for incident identification and improving the processing and investigation of CIP-related events.
The next lesson involves restriction of inbound and outbound access permissions as required in CIP-005-7 (Cybersecurity — electronic security perimeters). Requirement R1 mandates that utilities deny all access attempts that lack such permission.
Audit staff found that the standard was “generally” followed, but in some cases, entities either did not restrict access permissions, did not document the reason for granting access or both. Staff observed that “allowing [traffic] throughout the network without valid reason and oversight could lead to possible security compromise.” Recommendations included reviewing access configurations on a quarterly basis to ensure access is denied by default and all exceptions are documented.
Finally, the auditors noted that some entities’ supply chain risk management plans had not been updated with responses to identified risks in contracts negotiated with vendors after the effective date of CIP-013-1 (Cybersecurity — supply chain risk management).
While the standard (which has since been replaced with CIP-013-2) does not require entities “to renegotiate or abrogate existing contracts,” FERC staff noted that inadequate risk assessment can affect reliable grid operations if entities use vulnerable products. Staff urged entities to review contracts that have not already been examined for potential risks — whether negotiated before or after the effective date of CIP-013-1 — and ensure that their plans address such risks.