Skip to main content
close search
site logo
Dive Brief

FERC cybersecurity report identifies 'potential compliance infractions'

Published Oct. 11, 2019
Robert Walton's headshot
Senior Reporter
Getty

Dive Brief:

  • Federal Energy Regulatory Commission (FERC) staff have concluded that some users, owners and operators of the bulk electric system (BES) system are not properly categorizing cyber systems associated with the transmission network, potentially putting system reliability at risk.
  • The finding was part of a staff report, released Oct. 4 advising BES entities on compliance with mandatory Critical Infrastructure Protection (CIP) standards and overall levels of cybersecurity.  Responsible entities are required to identify their assets as High, Medium or Low Impact.
  • Separately, the National Institute of Standards and Technology (NIST) is seeking technology vendors to help develop solutions to secure the "Industrial Internet of Things," potentially including sensors, network monitoring, system monitoring, and data acquisition devices related to grid analysis. A recent assessment from the U.S. Government Accountability Office (GAO) concluded industrial control systems and the rise of distributed resources are making the nation's grid more vulnerable to attacks.

Dive Insight:

FERC's report "highlights lessons learned" from non-public CIP reliability audits, though it also concludes the industry is generally — but not always — meeting standards.

"Most of the cybersecurity protection processes and procedures adopted by the registered entities met the mandatory requirements," according to the report. "However, there were also potential compliance infractions found. Additionally, staff observed practices that could improve security but are not necessarily required by the CIP Reliability Standards."

The CIP standards require transmission entities to identify generation that could be rendered unavailable if their assets are "destroyed, degraded, misused, or otherwise rendered unavailable." The report recommends BES entities "consider all generation assets, regardless of ownership, when categorizing bulk electric system cyber systems associated with transmission facilities."

The North American Electric Reliability Corporation defines "BES Cyber Asset" as a cyber asset that, if rendered unavailable, degraded or misused would, "within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System."

According to the report, staff observed multiple examples where an entity "only considered the loss of its own generation facilities when evaluating the potential impact of its transmission facilities being rendered unavailable"

The report also recommended BES entities ensure employees and third-party contractors complete required training, that the training records are properly maintained, and that they "verify employees' recurring authorizations for using removable media."

Firewalls should also be reviewed to ensure there are no "obsolete or overly permissive" access control rules in use. While entities were again found generally to be doing a good job, the report said that "in a minority of instances, staff observed that entities maintained firewalls with overly permissive firewall access IP ranges."

The electric sector is increasingly under attack from hackers, though so far the United States has avoided any related electric interruptions. But as the grid becomes increasingly decentralized, experts worry it is also more vulnerable. 

The GAO's September report recommended FERC analyze the threat of a "coordinated cyberattack on geographically distributed targets" and consider beefing up its security requirements and compliance thresholds.

How to secure the distributed grid is the focus of NIST's Industrial Internet of Things work. An Oct. 8 Federal Register notice invited organizations to "provide products and technical expertise to support and demonstrate security platforms."

NIST says the call to tech vendors is a first step for the National Cybersecurity Center of Excellence in "collaborating with technology companies to address cybersecurity challenges identified under the energy sector program."

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Utility Broadband Alliance 2024 Summit & Plugfest Shatters Attendance Milestone
From Utility Broadband Alliance
November 21, 2024
General Atlantic’s BeyondNetZero Fund and TA Partner to Drive Continued Growth of Technosylva
From Technosylva
November 21, 2024
Oncor System Resiliency Plan Approved by PUCT
From Oncor
November 14, 2024
Puget Sound Energy Maximizes Consumer Participation in Rates Engagement Pilot Powered by Uplig…
From Uplight
November 12, 2024
Editors' picks
Latest in Transmission & Distribution
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell