Power & Pipes

FERC, CFTC, and State Energy Law Developments

FERC Staff issued an October 4 report on Commission-led critical infrastructure protection (CIP) reliability audits completed during fiscal year 2019. The report provides lessons learned and identifies voluntary practices that FERC Staff observed during those audits that could improve the protection of electric infrastructure from cyberattacks.

The report includes seven new lessons learned, primarily focused on enhancing electronic access control measures and implementing robust processes for managing employee and contractor access authorizations:

  1. Consider all generation assets, regardless of ownership, when categorizing BES Cyber Systems associated with transmission facilities.
  2. Ensure that all employees and third-party contractors complete the required training and that the training records are properly maintained.
  3. Verify employees’ recurring authorizations for using removable media.
  4. Review all firewalls to ensure there are no obsolete or overly permissive firewall access control rules in use.
  5. Limit access to employees’ PINs used for accessing PSPs using a least privilege approach.
  6. Ensure that all ephemeral port ranges are within the Internet Assigned Numbers Authority (IANA) recommended ranges.
  7. Clearly mark Transient Cyber Assets and Removable Media.

Some of this year’s lessons learned—such as the item addressing BES Cyber System categorization—reflect more specific guidance on prior recommendations from FERC Staff. However, this year’s report also addresses new areas of focus, such as best practices for the secure use of Removable Media and Transient Cyber Assets.

Even though some of the report’s recommendations go beyond what is necessary to comply with the mandatory CIP reliability standards, FERC Staff is likely to view implementation of these recommendations as evidence of a utility’s strong cybersecurity posture. That can, in turn, have positive ramifications for utilities undergoing cybersecurity reviews by FERC, NERC, or their Regional Entities.