FERC report finds non-compliance and security risks exist across BES cyber assets, protected cyber assets

Staff at the Federal Energy Regulatory Commission (FERC) found that most of the registered entities’ cybersecurity protection processes and procedures met the mandatory requirements of the Critical Infrastructure Protection (CIP) standards, but that potential non-compliance and security risks remained. The findings come from non-public CIP audits of several U.S.-based North American Electric Reliability Corporation (NERC) registered entities, covering BES cyber assets and protected cyber assets within the BES (bulk electric system) cyber environment.

The annual report comprises lessons learned from the non-public CIP audits of registered entities and includes findings that most of the cybersecurity protection measures adopted by the entities met the mandatory requirements of the CIP reliability standards. The report also identifies and makes recommendations to address remaining potential noncompliance and security risks and recommends cybersecurity practices that include processes, procedures, and technical controls to mitigate those risks.

Applicable cyber assets consisted of BES cyber assets and protected cyber assets within a BES cyber system or associated cyber assets mainly, but not always, outside the BES cyber systems, such as Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS). The data, information, and evidence provided by the entities were evaluated for sufficiency, appropriateness, and validity. Documentation submitted in policies, procedures, e-mails, logs, studies, and data were validated and substantiated as appropriate. 

Lessons learned from the fiscal year 2022 audits will help registered entities assess their risk and compliance with the mandatory standards while facilitating further efforts to improve the cybersecurity of the nation’s electric grid. The audits were conducted by FERC’s Office of Electric Reliability and Office of Enforcement with the NERC and its regional entities.

The FERC report is intended to help registered entities improve compliance with the CIP Standards and their overall cyber security posture. The lessons learned address CIP-003-8, Requirement R2, which covers the re-evaluation of policies, procedures, and controls for low-impact cyber systems and associated cyber assets, and CIP-007-6, Requirement R2.3, and CIP-010-4, Requirement 3.4, which address risks posed by BES cyber assets that have reached the manufacturer-determined end of life/service and are no longer supported by vendors.

They also cover CIP-007-6, Requirement R3, which calls for a comprehensive malicious code prevention program for all cyber assets within a BES cyber system; CIP-010-4, Requirement R3, which calls for comprehensive vulnerability assessment processes for applicable cyber assets; and CIP-010-4, Requirement R4, which calls for reviewing and validating controls that mitigate software vulnerabilities and malicious code on Transient Cyber Assets (TCAs) managed by a third party.

The FERC report identified 21 audit findings related to Reliability Standard CIP-003 Requirement R2 across all U.S.-based registered entities from 2016 through 2022, drawn from regional entity, NERC, and Commission-led CIP compliance audits. Additionally, the audit staff’s analysis of historical findings and experience from recent Commission-led CIP audits reveals that security and compliance risks remain.

“In general, audit staff found entities established policies, procedures, and controls for Low Impact Cyber Systems consistent with CIP-003-8, Requirement R2,” the FERC report said. “However, some entities implemented policies, procedures, and controls to protect Low Impact Cyber Systems and associated Cyber Assets that could benefit from regular re-evaluations to ensure continued effectiveness, particularly for Cyber Security Incident Response and TCAs.”

During the Commission-led audits conducted in 2022, audit staff learned that the requirement to test a Cyber Security Incident Response plan at least once every 36 calendar months was misinterpreted by certain entities, the report said. “Specifically, audit staff observed that some entities misinterpreted the requirement to mean Cyber Security Incident Response Plans are not required to be tested until 36 months from registration. The latter is contrary to the NERC Rules of Procedure that requires entity compliance with all applicable Reliability Standards at the time of registration. Thus, the correct understanding of the provision is for an entity to complete a test of its Cyber Security Incident Response Plans prior to registration and to re-test them at least once every 36 calendar months,” it added.

Reliability Standard CIP-003-8, Requirement R2, Attachment 1 section 5 requires entities to implement one or more plan(s) to mitigate the risk of introducing malicious code to low-impact BES cyber systems through the use of TCA or removable media. 

Audit staff learned that the requirements for TCAs, as they pertain to low-impact cyber systems, may not be fully understood, the FERC report said. “Entities must identify all TCAs that it manages as well as those managed by third parties to effectively mitigate the risk, as required by the entity’s documented policy and plan associated with those TCAs managed by third parties.”

The report adds that TCAs are recognized as a common vector for malicious code transfer into networks and information systems. Failure to implement controls to mitigate the risk of malicious code transfer to BES cyber systems presents a serious risk that the BES cyber systems may be exposed to and compromised by malicious code. The need to implement such controls extends to TCAs not managed by the entity, such as TCAs used by a contractor to gain access to the entity’s BES cyber system(s).

The FERC report disclosed that there were 99 audit findings identified across all U.S.-based registered entities from 2016 through 2022 during CIP Compliance Audits related to CIP-007 Requirement R2. These findings trended upward from 2017 through 2020. In addition, audit staff analysis of historical findings and experience from recent Commission-led CIP audits demonstrates that security and compliance risks remain.

During the Commission-led audits conducted in 2022, audit staff found that entities’ security patch management and vulnerability assessment programs complied with the requirements, the report said. “However, staff noted multiple instances where the treatment of end-of-life or end-of-service (EOL/EOS) BES Cyber Assets created potential security and compliance risks.” 

FERC staff identified that some entities did not implement a patch management process or create dated mitigation plans for their EOL/EOS BES cyber assets without an applicable patch source. They also did not document and inventory EOL/EOS BES cyber assets and hence were unaware of the extent of vulnerable BES cyber assets on their systems that had reached end of life. Additionally, the entities did not have dated action plans to address those EOL/EOS assets as a vulnerability, as CIP-010 Requirement R3.4 expects.
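The inventory gap described above is one that a short review script can surface. The following is an added example, not code or data from the FERC report: it takes a constructed asset inventory (asset names, EOL dates, patch availability and mitigation-plan dates are all hypothetical) and separates assets that are past vendor EOL/EOS and lack both a patch source and a dated mitigation plan from those that are already tracked or still supported.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class CyberAsset:
    name: str
    vendor_eol: Optional[date]            # manufacturer-determined EOL/EOS date; None = still supported
    has_patch_source: bool                # vendor still publishes security patches for this asset
    mitigation_plan_date: Optional[date]  # date of the documented mitigation plan, if one exists


# Constructed sample inventory; every name, date and vendor status below is hypothetical.
SAMPLE_INVENTORY = [
    CyberAsset("rtu-substation-7", date(2021, 6, 30), False, date(2022, 1, 15)),
    CyberAsset("hmi-control-room-2", date(2020, 12, 31), False, None),
    CyberAsset("historian-db-1", None, True, None),
    CyberAsset("eacms-firewall-a", date(2022, 3, 1), True, None),      # past EOL, but vendor still patches
    CyberAsset("pacs-door-controller", date(2023, 9, 30), False, None),  # not yet EOL on the review date
]

# Hypothetical review date used for the run below.
REVIEW_DATE = date(2022, 10, 1)


def review_eol_assets(inventory, as_of):
    """Classify assets by EOL/EOS status as of a review date.

    Returns a dict with three lists of asset names:
      'findings'  - past EOL/EOS, no patch source, and no dated mitigation plan
                    (the gap the audits flagged)
      'tracked'   - past EOL/EOS, no patch source, but a dated mitigation plan exists
      'supported' - still supported, or past EOL but the vendor still supplies patches
    """
    result = {"findings": [], "tracked": [], "supported": []}
    for asset in inventory:
        past_eol = asset.vendor_eol is not None and asset.vendor_eol <= as_of
        if not past_eol or asset.has_patch_source:
            result["supported"].append(asset.name)
        elif asset.mitigation_plan_date is None:
            result["findings"].append(asset.name)
        else:
            result["tracked"].append(asset.name)
    return result


if __name__ == "__main__":
    report = review_eol_assets(SAMPLE_INVENTORY, REVIEW_DATE)
    for bucket, names in report.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The 'findings' bucket is the one an auditor would ask about: each entry is an asset the entity knows has reached end of life but for which no dated plan exists. Assets in 'tracked' still need their plan dates checked for staleness, which the script deliberately leaves to the reviewer.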

The FERC report also detected 25 audit findings across all U.S.-based registered entities from 2016 through 2022 during CIP Compliance Audits related to CIP-007 Requirement R3. These findings trended upward from 2017 through 2019 and are decreasing; however, the security and compliance risk remains. This remaining risk is evident from the audit staff’s analysis of historical findings and experience from recent Commission-led CIP audits. 

During Commission-led CIP audits conducted in 2022, audit staff found entities established processes and controls to deter, detect, and prevent malicious code within the CIP environment. However, in some instances, audit staff observed processes and controls that entities could have implemented more consistently. 

Specifically, some entities could improve their malicious code prevention programs by implementing additional controls and practices to detect and mitigate malware and improving methods to deter, detect, or prevent malicious code for non-BES cyber assets. Audit staff also found that some entities implemented methods to deter, detect, or prevent malware for BES cyber systems that did not have comprehensive and proactive methods to manage, review, and process malware events. 

The FERC staff also found that some entities relied on controls other than anti-virus to deter, detect, or prevent malware on non-Windows BES cyber assets, and that these controls did not provide the most effective malware protection, leaving security gaps. Examples included network controls on non-Windows BES cyber assets, such as allow-listing solutions or intrusion detection/prevention solutions, that were not consistently configured to provide adequate malware protection; asset hardening techniques that were not fully implemented to ensure malware controls were enabled; cases where protections to deter, detect, or prevent malicious code did not exist at all; and cases where compensating controls could not be applied because of EOL/EOS hardware or software.

The FERC report said that there were 41 audit findings identified across all U.S.-based registered entities from 2016 through 2022 during CIP Compliance Audits related to CIP-010-2 and CIP-010-3 Requirement R3. These findings have been trending upward consistently since 2016. As a result, the security risks remain.

During Commission-led CIP audits conducted in 2022, audit staff found that while entities generally included multiple vulnerability assessment elements for applicable Cyber Assets, in some cases entities did not include key elements in the execution of the vulnerability assessment process, the report revealed. “Lack of comprehensive vulnerability assessments can lead to the compromise of BES Cyber Assets that can potentially impair BES reliability. Network port and service identification are critical to verify that all enabled ports and services have an appropriate business justification,” it added.
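Port and service identification, as the report puts it, means checking every enabled listener against a documented business justification. The following is an added example, not code from the FERC report or from any vendor tool: it parses a constructed `ss -tlnp`-style listing (processes and ports are made up), reconciles it against a hypothetical justified-ports baseline, and reports both listeners with no justification and baseline entries that were not observed, which usually indicates a stale baseline.

```python
import re

# Constructed ss -tlnp style output from a hypothetical BES cyber asset; all values are made up.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       5       0.0.0.0:502          0.0.0.0:*          users:(("modbusd",pid=901,fd=4))
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*          users:(("python3",pid=1330,fd=5))
LISTEN  0       64      [::]:23              [::]:*             users:(("telnetd",pid=955,fd=3))
"""

# Hypothetical baseline: each enabled port maps to its documented business justification.
JUSTIFIED_PORTS = {
    22: "SSH for administrative access from the jump host",
    502: "Modbus/TCP polling by the SCADA master",
    443: "HTTPS management interface",
}

# Matches a LISTEN row: state, queues, local addr:port, peer addr:port, optional process name.
SS_LISTEN_LINE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_listeners(ss_text):
    """Return a sorted list of (port, process) for every LISTEN line in ss -tlnp output."""
    found = {}
    for line in ss_text.splitlines():
        m = SS_LISTEN_LINE.match(line)
        if m:
            found[int(m.group("port"))] = m.group("proc") or "unknown"
    return sorted(found.items())


def reconcile_ports(listeners, baseline):
    """Compare observed listeners with the justified baseline.

    Returns a dict with:
      'unjustified'  - (port, process) pairs listening with no documented justification
      'not_observed' - baseline ports that are not currently listening (baseline may be stale)
    """
    observed = dict(listeners)
    unjustified = [(port, proc) for port, proc in listeners if port not in baseline]
    not_observed = sorted(port for port in baseline if port not in observed)
    return {"unjustified": unjustified, "not_observed": not_observed}


if __name__ == "__main__":
    result = reconcile_ports(parse_listeners(SAMPLE_SS_OUTPUT), JUSTIFIED_PORTS)
    for port, proc in result["unjustified"]:
        print(f"no justification on record for {port}/tcp ({proc})")
    for port in result["not_observed"]:
        print(f"baseline lists {port}/tcp but nothing is listening; review the baseline")
```

In the sample, the telnet and loopback HTTP listeners are flagged because the baseline has no entry for them, and port 443 is reported as documented but absent. Both outcomes are worth a reviewer's attention: the first is the unjustified-service finding the report describes, the second shows the justification record itself has drifted from the asset.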

The report also found that there were 14 audit findings identified across all U.S.-based registered entities from 2016 through 2022 during CIP Compliance Audits related to CIP-010-2 and CIP-010-3 Requirement R4. These findings trended upward from 2017 through 2019, eventually leveling off and sharply decreasing with only two violations between 2020 through 2021. However, experiences from recent Commission-led CIP audits as well as the establishment of other vendor-related requirements such as CIP-005-6 R2.4 and R2.5 and the requirements found within CIP-013-2, have demonstrated that security and compliance risks remain. 

During Commission-led CIP audits conducted in 2022, audit staff found that applicable registered entities reviewed and validated controls used for the mitigation of software vulnerabilities and malicious code on TCAs managed by a third party appropriately and in a manner that yielded reasonable assurance that those controls were achieving the requirement objective, the report said. However, some entities accepted attestations from third parties without performing due diligence to validate that the implementation and performance of the controls being employed met the requirement criteria, it added.

Keeping in mind the findings of the FERC staff, the report recommends re-evaluation of policies, procedures, and controls for low-impact cyber systems and associated cyber assets. It also suggests addressing risks posed by BES cyber assets that have reached the manufacturer-determined end of life or service and are no longer supported by vendors, and deploying a comprehensive malicious code prevention program for all cyber assets within a BES cyber system.

The FERC also suggests implementing comprehensive vulnerability assessment processes for applicable cyber assets and reviewing and validating controls used to mitigate software vulnerabilities and malicious code on transient cyber assets managed by a third party.

Last month, FERC issued a Notice of Proposed Rulemaking (NOPR) to establish rules providing incentive-based rate treatment for utilities making certain voluntary cybersecurity investments. The Commission also analyzes the participation by utilities in cybersecurity threat information sharing programs, as directed by the Infrastructure Investment and Jobs Act (IIJA) of 2021.
