FERC Staff issued a report on March 29 on Commission-led critical infrastructure protection (CIP) reliability audits completed for fiscal years 2016 through 2018. The report provides lessons learned from those audits, as well as voluntary recommendations on cybersecurity practices to enhance the protection of electric infrastructure from cyberattacks. Even though many of these recommendations go beyond what is necessary for compliance with the mandatory CIP reliability standards, FERC is likely to view implementation of these recommendations as evidence of a strong cybersecurity culture that proactively addresses best cybersecurity practices and evolving threats. That can, in turn, have positive ramifications for utilities undergoing cybersecurity reviews by FERC, NERC, or the Regional Entities.

The March 29 report includes 13 lessons learned, each with a corresponding explanation; three of these were previously identified in prior annual reports. The new lessons learned in the report are:

  1. Enhance documented processes and procedures for security awareness training to consider NIST SP 800-50, “Building an Information Technology Security Awareness and Training Program” guidance
  2. Implement valid Security Certificates within the boundaries of BES Cyber Systems, with encryption strong enough to ensure proper authentication of internal connections
  3. Implement encryption for Interactive Remote Access (IRA) that is strong enough to protect the data sent between the remote access client and the BES Cyber System’s Intermediate System
  4. Consider Internet Control Message Protocol as a logical access port for all the BES Cyber Assets
  5. Enhance documented processes and procedures for incident response to consider the NIST SP 800-61, “Computer Security Incident Handling Guide”
  6. Consider the remote configuration of applicable Cyber Assets via a TCP/IP-to-RS232 Bridge during vulnerability assessments
  7. Consider the use of secure administrative hosts to perform administrative tasks when accessing either Electronic Access Control or Monitoring Systems (EACMS) or Physical Access Control Systems (PACS)
  8. Replace or upgrade “End-of-Life” system components of an applicable Cyber Asset
  9. Incorporate file verification methods, such as hashing, during manual patching processes and procedures, where appropriate
  10. Use automated mechanisms that enforce asset inventory updates during configuration management

The three lessons learned carried over from prior reports are:

  1. Conduct a thorough review of CIP Reliability Standards compliance documentation to identify where the documented instructional processes are inconsistent with actual processes employed
  2. For each remote cyber asset conducting IRA, disable all other network access outside of the connection to the applicable Cyber System that is being remotely accessed, unless there is a documented business or operational need
  3. Enhance documented processes and procedures for identifying BES Cyber System Information to consider the NERC Critical Infrastructure Protection Committee guidance document, “Security Guideline for the Electricity Sector: Protecting Sensitive Information”