The Federal Energy Regulatory Commission (“FERC”) staff prepared an October 8th report titled:
Lessons Learned from Commission-Led CIP Reliability Audits (“Report”)
The Report is intended to offer recommendations to assist users, owners and operators of bulk-power systems to improve their compliance with the Critical Infrastructure Protection (“CIP”) Reliability Standards and their overall cyber security posture.
Electric utilities that own, operate or use the bulk electric system must comply with the CIP standards. Compliance with such standards can be expensive, and failure to meet them can result in noncompliance penalties. The difficulty of complying can increase as technology and cyber security threats evolve.
Section 215 of the Federal Power Act requires a FERC-certified Electric Reliability Organization to develop mandatory and enforceable Reliability Standards. Such Standards are subject to FERC review and approval. They are designed to mitigate the cyber security and physical security risks to the relevant facilities, systems and equipment which, if destroyed, degraded, or otherwise rendered unavailable as a result of a security incident, would affect the reliable operation of the Bulk-Power System.
The Report states that the FERC staff completed non-public CIP audits of several bulk electric system registered entities during fiscal year 2021. The audits are stated to have evaluated registered entities’ compliance with CIP Reliability Standards.
FERC staff are stated to have determined that:
. . . While most of the cyber security protection processes and procedures adopted by the registered entities met the mandatory requirements of the CIP Reliability Standards, there were also potential compliance infractions.
Staff is also stated to have identified practices that are not required by the CIP Reliability Standards but that could improve security.
The Report’s recommendations include:
- Enhance policies and procedures to include evaluation of Cyber Asset misuse and degradation during asset categorization;
- Properly document and implement policies, procedures and controls for low-impact transient cyber assets;
- Enhance recovery and testing plans so that the representative sample of data used to test restoration of bulk electric system cyber systems includes a sample of any offsite backup images;
- Improve vulnerability assessments to include credentialed (authenticated) scans of cyber assets; and
- Enhance internal compliance and controls programs to include control documentation processes and associated procedures pertaining to compliance with the CIP Reliability Standards.
A copy of the Report can be downloaded here.
The Between the Lines blog is made available by Mitchell, Williams, Selig, Gates & Woodyard, P.L.L.C. and the law firm publisher. The blog site is for educational purposes only, as well as to give general information and a general understanding of the law. This blog is not intended to provide specific legal advice. Use of this blog site does not create an attorney client relationship between you and Mitchell Williams or the blog site publisher. The Between the Lines blog site should not be used as a substitute for legal advice from a licensed professional attorney in your state.