The Federal Energy Regulatory Commission’s (FERC) 2018 Lessons Learned from Commission-Led CIP Reliability Audits shows, among other things, a major and recurring theme: NERC-registered entities must develop and implement accurate and thorough processes and procedures to demonstrate compliance with NERC’s Critical Infrastructure Protection (CIP) reliability standards. FERC encourages four activities:
- Improve Internal Assessments of the Effectiveness of Security Awareness Programs: Relating to CIP-004-6, FERC encourages NERC-registered entities to follow the National Institute of Standards and Technology’s (NIST) guidance on security awareness programs (NIST SP 800-50), which recommends identifying training needs, the current programs that address those needs, the training gaps that remain, and which training needs are most critical. To identify gaps and needed improvements, the NIST guidance also recommends analyzing the effectiveness of current security awareness efforts. FERC notes that, while the audited companies generally had strong security awareness programs, their program documentation lacked adequate procedures for analyzing the effectiveness of those programs, potentially leaving the companies unaware of training gaps and possible improvements. FERC thus recommends that NERC-registered entities enhance their security awareness training programs by implementing and documenting an effectiveness analysis.
- Improve Incident Response Documentation: Relating to CIP-008-5, FERC encourages registered entities to use NIST’s guidance on computer security incident response (NIST SP 800-61), which distinguishes between an incident response policy, plan, and procedures, as follows:
  - Policy: the policy should include objectives, prioritization, organizational structure, and performance measures regarding the entity’s handling of security incidents.
  - Plan: the plan should include the formal organizational approach to incident response, communication protocols, and metrics for measuring incident response capability.
  - Procedures: the standard operating procedures for incident response should be based on the policy and plan, and should delineate the specific technical processes, techniques, checklists, and forms to be used by the incident response team.
  While FERC found that the audited companies generally implemented effective plans and processes for incident response, it encourages improvement in differentiating between policies, plans, and procedures, consistent with the NIST guidance.
- Improve Documented Procedures for Identifying and Protecting BES Cyber System Information: In connection with CIP-011-2, while FERC found that the audited companies had controls to identify and protect BES Cyber System Information, FERC encourages registered entities to use NERC’s Security Guideline for the Electricity Sector: Protecting Sensitive Information to enhance their documented processes for (i) identifying sensitive information, (ii) responding to data loss events, and (iii) properly disposing of sensitive information, as further discussed in the Security Guideline.
- Ensure Documented Internal Controls Match Actual Practices: With respect to all CIP reliability standards, FERC encourages registered entities to conduct a thorough review of their documented internal controls to identify where the documented controls differ from the practices actually employed. This exercise can also identify where a cybersecurity program might be deficient and could be improved. Suggestions for improvement include ensuring that the documented controls are complete, with no required fields left blank; in connection with any mitigation, being concise and specific about the compensating measures that address the vulnerability; and including a documented analysis of the effectiveness of incident response plan testing.
The last two items have been recurring areas of concern since they were detailed in FERC’s 2017 Lessons Learned from Commission-Led CIP Reliability Audits. As discussed in a previous client alert, when it comes to NERC compliance, it is not enough simply to have procedures in place; these procedures should be regularly reviewed to ensure not only that they are adequate on their face, but that they are being adequately implemented in practice.
In addition to the documentation related areas discussed above, the 2018 report addresses many other lessons learned from 2018 audits. Registered entities are encouraged to consider and implement FERC’s guidance in their CIP compliance programs.