FERC staff report on cyber security, CIP reliability standards

Federal Energy Regulatory Commission staff have released a report on cyber security, including recommendations to help users, owners, and operators of the bulk-power system assess their risk and compliance position.

Federal law establishes a framework for regulating the reliability of the nation's major electricity grid, also known as the bulk electric system.  Acting under Section 215 of the Federal Power Act, the  Federal Energy Regulatory Commission has approved a set of Critical Infrastructure Protection or CIP Reliability Standards implemented by the North American Electric Reliability Corporation (NERC) and its regional entities.  The CIP reliability standards are designed to mitigate the cybersecurity risks to bulk electric system facilities, systems, and equipment.

Over the past two years, staff from FERC’s Office of Electric Reliability and Office of Enforcement and from NERC conducted a series of non-public audits of entities on the compliance registry.   The audits focused on compliance with version 5 of NERC’s Critical Infrastructure Protection (CIP) standards and also and identified possible areas for improvement that are not specifically addressed by the CIP reliability standards.

According to the report, "for the first series of completed non-public audits, most of the cyber security protection processes and procedures adopted by the audited entities met the mandatory requirements of the CIP Reliability Standards. Staff also found instances of potential compliance infractions."

The report presents 21 lessons learned, including the value of coordination and communication among regulated entities, improvements in physical security, and considering disconnecting unnecessary network access for remote assets.

Cybersecurity remains a hot topic in the energy sector.