Get CIP Readiness Insights
The Federal Energy Regulatory Commission (FERC) Division of Audit and Accounting (DAA) conducts audits in many areas to support the needs of the Commission. A recent FERC publication details the results of FERC Critical Infrastructure Protection (CIP) audits of several U.S.-based North American Electric Reliability Corporation (NERC) registered entities. This report gives insights into best practices for measuring your system's CIP readiness. The audits were conducted jointly by FERC, NERC, and NERC Regional Entity staff.
Key article takeaways
1. The FERC DAA conducts audits of NERC registered entities to test for compliance with NERC Reliability Standards.
2. Audit staff found that while most of the cyber security protection processes and procedures adopted by the registered entities met the mandatory requirements of the CIP Standards, potential noncompliance and security risks remained.
3. The report also contains practices not required by the CIP Standards that could improve security. These are labeled in the report as voluntary cyber security recommendations.
Cybersecurity non-compliance areas
The FERC report, 2023 Lessons Learned from Commission-Led Reliability Audits, found that most of the registered entities meet the mandatory requirements of the CIP reliability standards.
The report first makes recommendations based on non-compliance with the CIP standards. The FERC report recommends that entities:
- Identify and categorize all bulk-electric cyber systems and their associated cyber assets (CIP-002-5.1a, R1);
- Report all cyber security incidents, and attempts to compromise their systems that were identified as cyber security incidents, to the Electricity Information Sharing and Analysis Center and the Cybersecurity and Infrastructure Security Agency (CIP-003-8, R2, Section 4; CIP-007-6, R4; CIP-008-6, R4);
- Restrict inbound and outbound access permissions to those that are needed, document the reason for granting each permission, and deny all other access by default (CIP-005-7, R1.3);
- Enhance supply chain risk management programs to include evaluating the risks of existing vendors, and develop a plan to respond to risks that are identified (CIP-013-1, R1).
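The CIP-005-7 R1.3 item above is the one recommendation in this list that maps directly onto a checkable artifact: the rule list at an Electronic Access Point. The following is an added example, not code from the FERC report or from NERC tooling, that audits a rule export for the two things an auditor looks for: every permit rule carries a documented reason, and each direction ends in a catch-all deny. The CSV column layout and the five sample rules are constructed for this example; real firewall exports differ and would need their own parser.

```python
"""Added example: check an Electronic Access Point rule list against the
CIP-005-7 R1.3 expectations described in the text (documented reason for
every permitted flow, default deny for everything else).

The CSV format and the sample rules below are hypothetical, constructed for
this example; this is not a FERC/NERC tool.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export: one row per firewall rule, in evaluation order.
# Rule 20 has no reason, rule 30 permits any destination on any port, and
# there is no terminal deny for outbound traffic.
SAMPLE_RULES = """\
id,direction,action,source,destination,port,reason
10,inbound,permit,10.20.0.0/24,10.10.1.5,tcp/22,Jump host SSH to EACMS
20,inbound,permit,10.20.0.50,10.10.1.0/24,tcp/3389,
30,outbound,permit,10.10.1.0/24,any,any,Legacy rule
40,outbound,permit,10.10.1.7,10.30.0.9,udp/123,NTP to corporate time source
50,inbound,deny,any,any,any,Default deny
"""

NO_REASON = "permit rule has no documented reason"
ANY_ANY = "permit rule allows any destination on any port"


@dataclass(frozen=True)
class Finding:
    rule_id: str   # "-" when the finding concerns the rule set as a whole
    issue: str


def parse_rules(text):
    """Parse the CSV export into a list of dict rows, preserving order."""
    return list(csv.DictReader(io.StringIO(text)))


def is_catch_all_deny(rule):
    return (rule["action"] == "deny"
            and rule["source"] == "any"
            and rule["destination"] == "any"
            and rule["port"] == "any")


def audit_rules(rules):
    """Return a list of Findings; an empty list means no issues found."""
    findings = []
    for r in rules:
        if r["action"] != "permit":
            continue
        if not r["reason"].strip():
            findings.append(Finding(r["id"], NO_REASON))
        if r["destination"] == "any" and r["port"] == "any":
            findings.append(Finding(r["id"], ANY_ANY))

    # The default deny must be the last rule for its direction: a permit
    # placed after it would still match, so an earlier deny is not a default.
    for direction in ("inbound", "outbound"):
        dir_rules = [r for r in rules if r["direction"] == direction]
        if not dir_rules or not is_catch_all_deny(dir_rules[-1]):
            findings.append(
                Finding("-", f"no terminal default-deny rule for {direction} traffic"))
    return findings


if __name__ == "__main__":
    for f in audit_rules(parse_rules(SAMPLE_RULES)):
        print(f"rule {f.rule_id}: {f.issue}")
```

Run against a real export, the output is the list an auditor would ask you to explain; fixing the rule set is only half the remediation, since the reason column is what demonstrates compliance at audit time.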
The common theme across the audit findings is that missing or incomplete documentation, rather than missing controls, is what most often leads to non-compliance.
Evaluating your organization's CIP compliance readiness
Beginning on page 20 of the report is a section on findings from prior audits covering 2017 through 2022. Reviewing the detailed findings from previous years gives additional insight into the areas to examine when evaluating your organization's readiness to meet the CIP standards and to face potential future audits.