Attacks and Vulnerabilities
Critical infrastructure
ICS Security Framework
Industries
Management & Strategy
NERC-CIP
News
Regulation, Standards and Compliance
Risk & Compliance
SOC & Incident Response
System Design & Architecture
Technology & Solutions
Utilities: Energy & Power, Water, Waste

FERC report recommends compliance with CIP reliability standards

October 11, 2021
CIP reliability standards

Following its ​​annual commissioner-led Reliability Technical Conference, the Federal Energy Regulatory Commission (FERC) released Friday its recommendations to help users, owners and operators of the bulk-power system (BPS) improve their compliance with the mandatory CIP reliability standards and their overall cybersecurity posture. The lessons learned from the fiscal year 2021 audits can help entities assess their risk and compliance with mandatory reliability standards and, more generally, can facilitate efforts to improve the security of the nation’s electric grid.

The CIP reliability standards cover the reliability requirements for energy and utility companies operating within the Bulk Electric System to protect critical cyber assets and minimize risk and manipulation by bad actors seeking to cause damage to the nation’s electric grid. The CIP (critical infrastructure protection) covers prior planning and preparation within organizations and government agencies to deal with threats to the effective and timely functioning of national and regional critical infrastructure.

In its 2021 Staff Report ‘Lessons Learned from Commission-Led CIP Reliability Audits,’ the agency advised enhancing policies and procedures to include evaluation of cyber asset misuse and degradation during asset categorization, properly document and implement policies, procedures and controls for low-impact transient cyber assets, and enhance recovery and testing plans to include a sample of any offsite backup images in the representative sample of data used to test the restoration of bulk-electric system cyber systems.

The report also proposed improving vulnerability assessments to include credential-based scans of cyber assets, and boosting internal compliance and controls programs to include control documentation processes and associated procedures pertaining to compliance with the CIP reliability standards. Staff from FERC’s Office of Electric Reliability and Office of Enforcement conducted the audits in collaboration with staff from the North American Electric Reliability Corporation (NERC) and its regional entities.

During the CIP audits, staff found that while most of the cyber security protection processes and procedures adopted by the registered entities met the mandatory requirements of the CIP Reliability Standards, there were also potential compliance infractions, the report said. Staff also identified practices not required by the CIP Reliability Standards that could improve security, which this report includes as voluntary cybersecurity recommendations.

The report also pointed out that Section 215 of the Federal Power Act (FPA) requires a Commission-certified Electric Reliability Organization (ERO) to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently. The Commission established a process to select and certify an ERO, and subsequently certified NERC.

The baseline CIP Reliability Standards have been designed to mitigate the cybersecurity and physical security risks to BES facilities, systems, and equipment, which, if destroyed, degraded, or otherwise rendered unavailable as a result of a security incident, would affect the reliable operation of the BPS, according to the report.

Pursuant to section 215 of the FPA, on Jan. 28, 2008, the Commission approved an initial set of eight mandatory CIP Reliability Standards pertaining to cybersecurity. In addition, the Commission directed NERC to develop certain modifications to the CIP Reliability Standards. Since 2008, the CIP Reliability Standards have undergone multiple revisions to address Commission directives and respond to emerging cybersecurity issues, it added.

The FERC document failed to address recent reports on the presence of Chinese equipment or systems currently in use in the American electric grid and BPS. There have been calls for the agency to conduct a comprehensive survey of all registered entities in the BPS to determine what Chinese equipment or systems are currently in use in the BPS, and how they are being used. The concern gets amplified as the equipment identified could also be used in other critical infrastructures, including water and wastewater systems, pipelines, oil and gas, and manufacturing sectors.

In August, a private citizen, Michael Mabee, who conducts public interest research on the security of the electric grid called for the issuance of an appropriate order to the Electric Reliability Organization (ERO) to strengthen the security of the bulk power systems. Mabee also said that U.S. entities in the bulk power systems and the electric grid, are buying critical equipment from China to install into the U.S critical electric infrastructure that the regime’s state-sponsored and state-supported hackers are already probing and attacking.

The lessons learned from the fiscal year 2021 audits can help entities assess their risk and compliance with mandatory reliability standards and, more generally, can facilitate efforts to improve the security of the nation’s electric grid.

A few of them include, enhancing policies and procedures to include evaluation of cyber asset misuse and degradation during asset categorization, accurately document and implement policies, procedures and controls for low-impact transient cyber assets, and enhance recovery and testing plans to include a sample of any offsite backup images in the representative sample of data used to test the restoration of bulk-electric system cyber systems.

It also sought to improve vulnerability assessments to include credential-based scans of cyber assets, and enhance internal compliance and controls programs to include control documentation processes and associated procedures pertaining to compliance with the CIP reliability standards.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

MITRE confirms breach on NERVE network, suspected foreign nation-state actor involved
MITRE confirms breach on NERVE network, suspected foreign nation-state actor involved
Radiflow helps customers achieve NIS2 compliance, spurring growth in Europe
Radiflow, Exclusive Networks partner to elevate OT cybersecurity
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
Mandiant exposes APT44, Russia's Sandworm cyber sabotage unit, targeting global critical infrastructure
Mandiant exposes APT44, Russia’s Sandworm cyber sabotage unit, targeting global critical infrastructure
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Armis
Armis acquires Silk Security for $150 million to enhance AI-driven cybersecurity capabilities
Nozomi discovers five vulnerabilities in AMI MegaRAC SP-X BMC, exposing OT, IOT devices to RCE attacks
Nozomi secures US$1.25 million US Air Force contract to boost DoD critical infrastructure security
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape