
FERC Enhances its Cybersecurity Initiative to These 5 Focus Areas

FERC Presentation Nov 21, 2019 https://www.ferc.gov/industries/electric/indus-act/reliability/cybersecurity/11-21-19-A-4-presentation.pdf

On November 21, 2019, FERC made an announcement concerning cybersecurity threats and electric infrastructure challenges, in which it unveiled five areas of focus. In addition, FERC announced organizational changes within the Office of Energy Projects (OEP) and the Office of Electric Reliability (OER) that will better serve grid security and cybersecurity concerns.

Pulling from the experience and knowledge of each of the relevant offices, a FERC staff presentation on November 21st identified five key areas where Commission staff will strategically and collectively focus efforts to address critical cybersecurity challenges.

Based on FERC’s reviews of recent threat reports, the cybersecurity climate concerning global events, NERC CIP standards and other recent developments in the industry, the commission staff has designated the following five focus areas:

  1. Supply Chain/Insider Threat/Third Party Authorized Access: Starting next year, new mandatory supply chain risk controls will take effect. The new standards, referred to as the Supply Chain Standards, consist of new Reliability Standard CIP-013-1 and revised Reliability Standards CIP-010-3 and CIP-005-6. They become effective 60 days after publication in the Federal Register and will be implemented over 18 months. The commission said the transition period was needed because compliance will likely require technical upgrades, with implications for capital budgets and planning cycles that have longer time horizons.
  2. Industry Access to Timely Information on Threats and Vulnerabilities: FERC recognized that many entities have limited threat intelligence capabilities, limited access to information on threats and vulnerabilities, and limited entity-wide processes for risk mitigation. FERC recommends improving access to vulnerability and threat information in order to minimize response and remediation time and reduce the risk of disruption.
  3. Cloud/Managed Security Service Provider: This focus area recognizes that managed security of SaaS services can provide substantial operational and security benefits to entities if deployed in a secure manner. As currently written, the existing CIP reliability standards do not account for the use of cloud services in operating the grid and protecting the IT infrastructure, which could prevent utilities from leveraging these products and the enhanced security and efficiencies they provide.
  4. Adequacy of Security Controls: FERC acknowledges that there are many assets connected to Commission jurisdictional facilities that are subject to either minimal or no mandatory cybersecurity controls. While Low Impact BES Cyber Systems (BCS) make up the majority of BES cyber assets, there are very few mandatory security controls required for these assets. While Low Impact BES Cyber Systems have a lower impact on the BES, the simultaneous loss or degradation in a large number of these systems could have a significant aggregate effect. In addition, many Commission jurisdictional hydroelectric facilities connect to Low Impact BCS facilities that are not subject to high levels of mandatory security controls. Likewise, natural gas pipelines are not subject to mandatory cybersecurity controls, but the disruption of these pipelines could still have a significant impact on the BES.
  5. Internal Network Monitoring and Detection: Mandatory monitoring and detection are not currently required for internal networks under the NERC CIP standards. This focus area underscores the risk of inadequate internal monitoring practices, especially if an attacker has already breached a network and remains undetected by the entity.


Organizational Changes:
Commission staff also discussed several organizational changes aimed at bolstering the agency’s cybersecurity resources. The OEP’s Division of Dam Safety and Inspections established a new security-focused group that will address both cybersecurity and physical security concerns at jurisdictional hydropower facilities. The new group’s responsibilities will include performing special cyber and physical inspections, conducting security and vulnerability surveys, and serving as the lead on the resolution of cyber and physical issues under FERC’s Dam Safety Program. In addition, OER has been organizationally realigned to include a new division focused exclusively on cybersecurity.

Compliance Central Enterprise Management Software:

With a highly versatile NERC compliance management system that links and organizes compliance standards and risk data with schedules, tasks and activities, compliance requirements, and evidence from every area of the organization, an entity would be better able to stay vigilant with respect to the focus areas above. If the same system were also integrated with a patch management system that maintains an asset baseline, including information on software, firmware, patches, and open ports, the entity could centralize its critical information and be better equipped to keep pace with continually evolving industry standards while maintaining reliability.
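As an added illustration (not part of the original post or of the Compliance Central product), the baseline comparison that such a patch-management link implies: an asset's approved record of firmware, software, patches and open ports is diffed against a later scan and the drift is triaged for review, which is the evidence trail the internal monitoring focus area and the baseline requirements of CIP-010 both call for. The asset id, version strings and the triage rules are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetBaseline:
    """Approved configuration record for one cyber asset (constructed model)."""
    asset_id: str
    firmware: str
    software: frozenset    # installed packages as "name:version"
    patches: frozenset     # applied patch identifiers
    open_ports: frozenset  # listening ports as "proto/port", e.g. "tcp/443"


def diff_baseline(baseline: AssetBaseline, observed: AssetBaseline) -> dict:
    """Compare a later scan against the approved baseline; {} means no drift.
    Firmware drift is reported as (old, new), set fields as added/removed lists."""
    if baseline.asset_id != observed.asset_id:
        raise ValueError("baseline and observation refer to different assets")
    findings = {}
    if baseline.firmware != observed.firmware:
        findings["firmware"] = (baseline.firmware, observed.firmware)
    for attr in ("software", "patches", "open_ports"):
        before, after = getattr(baseline, attr), getattr(observed, attr)
        if before != after:
            findings[attr] = {"added": sorted(after - before),
                              "removed": sorted(before - after)}
    return findings


def triage(findings: dict) -> str:
    """Rank drift so reviewers see risky changes first (the example's own rules):
    a newly listening port or a patch that disappeared is 'high',
    a firmware or software change is 'medium', anything else is 'low'."""
    if not findings:
        return "none"
    if (findings.get("open_ports", {}).get("added")
            or findings.get("patches", {}).get("removed")):
        return "high"
    if "firmware" in findings or "software" in findings:
        return "medium"
    return "low"


# Constructed sample records: the approved baseline and a later scan of the same asset.
APPROVED = AssetBaseline("RTU-07", "4.2.1", frozenset({"sshd:8.4", "snmpd:5.9"}),
                         frozenset({"P-2019-11"}), frozenset({"tcp/22", "udp/161"}))
SCANNED = AssetBaseline("RTU-07", "4.2.1",
                        frozenset({"sshd:8.4", "snmpd:5.9", "telnetd:0.17"}),
                        frozenset({"P-2019-11"}),
                        frozenset({"tcp/22", "udp/161", "tcp/23"}))
```

Running `diff_baseline(APPROVED, SCANNED)` flags the new telnetd package and the new tcp/23 listener, and `triage` ranks that drift as high.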

Tiffany Aliano


Discussions

Matt Chester on Dec 3, 2019 1:47 pm GMT

Any movement in this space is important to see, but the question will always be: is it enough? Do you think these latest moves are ambitious enough, Tiffany?

Tiffany Aliano on Dec 3, 2019 4:32 pm GMT

Hello Matt,

I think the latest initiatives are definitely a step in the right direction.  Unfortunately, we learn the most after events have already occurred, where new vulnerabilities are discovered every day and it's almost impossible to foresee security gaps prior to that.   It's important for the commission to stay vigilant and quickly react to industry threats, which in the best of their capacity, I believe they are doing.  Individual entities reporting threats as they occur will also better equip other entities as well as the commission and improve response, reaction time as well as corrective and preventative measures moving forward, creating new industry standards.
We should also keep in mind that it's highly unlikely that enough will ever be enough, being that as technology continues to advance and our security evolves, so do the tactics of hackers, malicious actors, and threats alike.

What about you, do you think the commission could have better addressed the industry's cybersecurity challenges? Is there any area they may have overlooked?

Look forward to your thoughts.

Matt Chester on Dec 3, 2019 5:19 pm GMT

Unfortunately, we learn the most after events have already occurred, where new vulnerabilities are discovered every day and it's almost impossible to foresee security gaps prior to that.

This is the scary truth-- it's a bit of a Schrödinger's cat where we might not know until it's too late. I do think we have smart people and people with decision-making powers who are taking these problems seriously and head on, but with cyber concerns the worrying part is it only takes one vulnerability to be exploited.

Tiffany Aliano on Dec 4, 2019 7:10 pm GMT

I agree it's an uneasy thought; however, the best we can do is stay vigilant, proactive and use the tools available to automate processes, track training, and stay informed so that we can better allocate resources towards predictive security measures.
