CIP reliability standards

Following its annual commissioner-led Reliability Technical Conference, the Federal Energy Regulatory Commission (FERC) released Friday its recommendations to help users, owners and operators of the bulk-power system (BPS) improve their compliance with the mandatory CIP reliability standards and their overall cybersecurity posture. The lessons learned from the fiscal year 2021 audits can help entities assess their risk and compliance with mandatory reliability standards and, more generally, can facilitate efforts to improve the security of the nation’s electric grid.

The CIP reliability standards cover the reliability requirements for energy and utility companies operating within the Bulk Electric System to protect critical cyber assets and minimize the risk of manipulation by bad actors seeking to cause damage to the nation’s electric grid. CIP (critical infrastructure protection) covers the prior planning and preparation that organizations and government agencies undertake to deal with threats to the effective and timely functioning of national and regional critical infrastructure.

In its 2021 Staff Report ‘Lessons Learned from Commission-Led CIP Reliability Audits,’ the agency advised enhancing policies and procedures to include evaluation of cyber asset misuse and degradation during asset categorization; properly documenting and implementing policies, procedures and controls for low-impact transient cyber assets; and enhancing recovery and testing plans to include a sample of any offsite backup images in the representative sample of data used to test the restoration of bulk-electric system cyber systems.
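The offsite-backup recommendation above is easy to state and easy to miss in practice, because restoration drills tend to pull whichever image is closest. The following added example (not code from the report or from FERC) shows one way a compliance team could build the representative restoration sample so that it always includes an offsite image where one exists, flag systems the sample leaves uncovered, and verify each restored image against the digest recorded at backup time. The inventory, system names and image bytes are constructed for illustration.

```python
import hashlib
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupImage:
    system: str      # BES Cyber System the image restores (constructed names)
    location: str    # "onsite" or "offsite"
    image_id: str
    sha256: str      # digest recorded when the image was taken


def image_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed inventory: one system with an offsite copy, one without.
INVENTORY = [
    BackupImage("EMS-primary", "onsite", "ems-2021-09-01", image_digest(b"ems image v1")),
    BackupImage("EMS-primary", "offsite", "ems-2021-08-15", image_digest(b"ems image v0")),
    BackupImage("SCADA-HMI", "onsite", "hmi-2021-09-03", image_digest(b"hmi image")),
]


def select_restore_sample(images, per_system=1, seed=0):
    """Representative sample for a restoration test: for every system take
    `per_system` images, always including an offsite image when one exists."""
    rng = random.Random(seed)
    by_system = {}
    for img in images:
        by_system.setdefault(img.system, []).append(img)
    sample = []
    for _, imgs in sorted(by_system.items()):
        chosen = []
        offsite = [i for i in imgs if i.location == "offsite"]
        if offsite:
            chosen.append(rng.choice(offsite))
        rest = [i for i in imgs if i not in chosen]
        rng.shuffle(rest)
        chosen.extend(rest[: max(0, per_system - len(chosen))])
        sample.extend(chosen)
    return sample


def systems_missing_offsite(sample, images):
    """Systems that have an offsite image in the inventory but none in the sample."""
    have_offsite = {i.system for i in images if i.location == "offsite"}
    sampled_offsite = {i.system for i in sample if i.location == "offsite"}
    return sorted(have_offsite - sampled_offsite)


def verify_restored(img, restored_bytes):
    """Integrity check after restore: the restored copy must match the recorded digest."""
    return image_digest(restored_bytes) == img.sha256
```

Running `systems_missing_offsite` over the sample before the drill gives the auditor a concrete artifact showing that offsite media were exercised, not just catalogued.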

The report also proposed improving vulnerability assessments to include credential-based scans of cyber assets, and boosting internal compliance and controls programs to include control documentation processes and associated procedures pertaining to compliance with the CIP reliability standards. Staff from FERC’s Office of Electric Reliability and Office of Enforcement conducted the audits in collaboration with staff from the North American Electric Reliability Corporation (NERC) and its regional entities.

During the CIP audits, staff found that while most of the cybersecurity protection processes and procedures adopted by the registered entities met the mandatory requirements of the CIP Reliability Standards, there were also potential compliance infractions, the report said. Staff also identified practices not required by the CIP Reliability Standards that could improve security, which the report includes as voluntary cybersecurity recommendations.

The report also pointed out that Section 215 of the Federal Power Act (FPA) requires a Commission-certified Electric Reliability Organization (ERO) to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently. The Commission established a process to select and certify an ERO, and subsequently certified NERC.

The baseline CIP Reliability Standards have been designed to mitigate the cybersecurity and physical security risks to BES facilities, systems, and equipment, which, if destroyed, degraded, or otherwise rendered unavailable as a result of a security incident, would affect the reliable operation of the BPS, according to the report.

Pursuant to section 215 of the FPA, on Jan. 28, 2008, the Commission approved an initial set of eight mandatory CIP Reliability Standards pertaining to cybersecurity. In addition, the Commission directed NERC to develop certain modifications to the CIP Reliability Standards. Since 2008, the CIP Reliability Standards have undergone multiple revisions to address Commission directives and respond to emerging cybersecurity issues, it added.

The FERC document failed to address recent reports on the presence of Chinese equipment or systems currently in use in the American electric grid and BPS. There have been calls for the agency to conduct a comprehensive survey of all registered entities in the BPS to determine what Chinese equipment or systems are currently in use in the BPS, and how they are being used. The concern gets amplified as the equipment identified could also be used in other critical infrastructures, including water and wastewater systems, pipelines, oil and gas, and manufacturing sectors.

In August, a private citizen, Michael Mabee, who conducts public interest research on the security of the electric grid, called for the issuance of an appropriate order to the Electric Reliability Organization (ERO) to strengthen the security of the bulk power systems. Mabee also said that U.S. entities in the bulk power systems and the electric grid are buying critical equipment from China to install into U.S. critical electric infrastructure that the regime’s state-sponsored and state-supported hackers are already probing and attacking.
