FERC’s 21 Lessons Learned in CIP Audits

FERC report

FERC has released a 23-page Staff report entitled “Lessons Learned from Commission-Led CIP Version 5 Reliability Audits.”  A copy of the report can be found here.  This report is a must read for compliance and cybersecurity professionals who support utilities with NERC CIP compliance programs.

Two years ago, FERC announced that it was going to take the lead on various audits throughout the country, stepping in front of NERC and the Regional Entities.  In the past, I have been involved in audits where FERC has served as “passive observers” (well, sort of) to audits led by the Regional Entities.  FERC conducted its own audits in 2016 and 2017, and is now taking the opportunity to inform the industry on what it views as lessons learned from reviewing compliance with CIP Version 5 implementation, as well as the remnants of CIP Version 3 programs.

I could try to summarize FERC’s 21 observations, but it is probably easiest to just repeat them here.  With each lesson learned, FERC includes a paragraph or two of elaboration.  While extremely high level, FERC’s comments are practical, and can be the basis for developing internal audit and compliance activity.  Kudos to FERC Staff for providing insight to the industry in this regard.

Happy reading and have a great weekend.

1. Conduct a thorough review of CIP Reliability Standards compliance documentation; identify areas of improvement to include but not be limited to instances where the documented instructional processes are inconsistent with actual processes employed or where inconsistencies exist between documents; and modify documentation accordingly.

2. Review communication protocols between business units related to CIP operations and compliance, and enhance these protocols where appropriate to ensure complete and consistent communication of information.

3. Consider all owned generation assets, regardless of BES-classification, when evaluating impact ratings to ensure proper classification of BES Cyber Systems.

4. Identify and categorize cyber systems used for supporting generation, in addition to the cyber systems used to directly control generation.

5. Ensure that all shared facility categorizations are coordinated between the owners of the shared facility through clearly defined and documented responsibilities for CIP Reliability Standards compliance.

6. Conduct a detailed review of contractor personnel risk assessment processes to ensure sufficiency and to address any gaps.

7. Conduct a detailed review of physical key management to ensure the same rigor in policies and testing procedures used for electronic access is applied to physical keys used to access the Physical Security Perimeter (PSP).

8. Enhance procedures, testing, and controls around manual transfer of access rights between personnel accessing tracking systems, Physical Access Control Systems (PACS), and Electronic Access Control Monitoring Systems (EACMS) or, alternatively, consider the use of automated access rights provisioning.

9. Ensure that access permissions within personnel access tracking systems are clearly mapped to the associated access rights within PACS and EACMS.

10. Ensure that policies and testing procedures for all electronic communications protocols are afforded the same rigor.

11. Perform regular physical inspections of BES Cyber Systems to ensure no unidentified Electronic Access Points (EAPs) exist.

12. Review all firewall rules and ensure access control lists follow the principle of “least privilege.”

13. For each remote cyber asset conducting Interactive Remote Access (IRA), disable all other network access outside of the connection to the BES Cyber System that is being remotely accessed, unless there is a documented business or operational need.

14. Enhance processes and controls around the use of manual logs, such as using highly visible instructions outlining all of the parts of the requirement with each manual log, to consistently capture all required information.

15. Enhance processes and procedures for documenting the determination for each cyber asset that has no provision for disabling or restricting ports, to ensure consistency and detail in the documentation.

16. Consider employing host-based malicious code prevention for all cyber assets within a BES Cyber System, in addition to network level prevention, for non-Windows based cyber assets as well as Windows-based cyber assets.

17. Implement procedures and controls to monitor or limit the number of simultaneously successful logins to multiple different systems.

18. Implement procedures to detect and investigate unauthorized changes to baseline configurations.

19. Ensure that all commercially available enterprise software tools are included in BES Cyber System Information (BCSI) storage evaluation procedures.

20. Enhance documented processes and procedures for identifying BCSI to consider the NERC Critical Infrastructure Protection Committee (CIPC) guidance document, “Security Guideline for the Electricity Sector: Protecting Sensitive Information.”

21. Document all procedures for the proper handling of BCSI.
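One way to implement the monitoring in lesson 17, as an added example that is not part of the FERC report or this post: a sliding-window check over login records that flags an account with successful logins on more than a set number of distinct systems within a short interval. The log line format, host names, user names and thresholds are all assumptions constructed for the example.

```python
"""Detect one account logged in to many systems at once (lesson 17).

Added example, not taken from the FERC report.  Input is an assumed
syslog-like line: "<ISO time> <host> login <success|failure> user=<name>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real audit data).
SAMPLE_LOGS = """\
2017-03-01T08:00:00 hmi-01 login success user=op_smith
2017-03-01T08:00:40 eacms-fw login success user=op_smith
2017-03-01T08:01:10 rtu-gw login failure user=op_smith
2017-03-01T08:01:30 hist-01 login success user=op_smith
2017-03-01T08:02:00 hmi-02 login success user=op_jones
2017-03-01T09:30:00 hmi-01 login success user=op_jones
"""


def parse_logins(text):
    """Return (time, host, user) tuples for each *successful* login line."""
    events = []
    for line in text.splitlines():
        ts, host, _, result, user = line.split()
        if result == "success":
            events.append((datetime.fromisoformat(ts), host, user.split("=", 1)[1]))
    return sorted(events)


def concurrent_logins(text, window=timedelta(minutes=5), max_systems=2):
    """Flag users with successful logins on more than `max_systems` distinct
    hosts inside any `window`.  Returns {user: sorted hosts} for offenders."""
    by_user = defaultdict(list)
    for ts, host, user in parse_logins(text):
        by_user[user].append((ts, host))
    findings = {}
    for user, evs in by_user.items():
        # Slide the window forward from each successful login.
        for i, (start, _) in enumerate(evs):
            hosts = {h for t, h in evs[i:] if t - start <= window}
            if len(hosts) > max_systems:
                findings[user] = sorted(hosts)
                break
    return findings


if __name__ == "__main__":
    for user, hosts in concurrent_logins(SAMPLE_LOGS).items():
        print(f"{user}: simultaneous sessions on {', '.join(hosts)}")
```

Failed logins are excluded deliberately, since the lesson concerns successful sessions; tune `window` and `max_systems` to the site's documented business need.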
