
Regulatory Update

FERC Issues Guidance to Improve Power System Security and CIP Compliance

Larry Fitzgerald | September 30, 2024

In the Federal Energy Regulatory Commission’s (FERC) 2024 Report on Lessons Learned from Commission-Led CIP Reliability Audits, FERC staff found that while most of the cybersecurity protection processes and procedures adopted by utilities met CIP requirements for protecting the Bulk Electric System (BES), potential noncompliance and security risks remained.

The 2024 report provides guidance for improvements to power system security and compliance with the NERC CIP Standards requirements. The report contains a useful summary of current and past recommended practices that TRC clients are advised to review in detail.

2024 Lessons Learned Include:

  1. Assess the risk to operations presented by associated Cyber Assets, such as Electronic Access Control or Monitoring Systems (EACMS), Protected Cyber Assets (PCAs), and Physical Access Control Systems (PACS), and consider additional security controls beyond those that are required by their categorization. (CIP-002-5.1a, BES Cyber System Asset Identification and Categorization – R1)
  2. Ensure logically segmented Control Centers at a single site location are evaluated as a single Control Center in BES Asset identification and categorization procedures. (CIP-002-5.1a, Control Center Categorization – R1)
  3. Ensure Cyber Asset baselines include all intentionally installed, commercially available software on each Cyber Asset, including browser extensions and standalone applications. (CIP-010-4, R1.1.2: Baseline Reporting of Browser Extensions and Standalone Applications)
  4. Identify, monitor, and implement controls to protect BES Cyber System Information (BCSI) to mitigate the risks posed by unauthorized disclosure and unauthorized access. (CIP-011-2, R1: BES Cyber System Information Protection)
  5. Ensure the risks of unauthorized disclosure and unauthorized modification of real-time data transmitted between Control Centers within a single environment (Networks, ESPs, etc.) are identified and addressed. (CIP-012-1, Control Center Real-Time Communications Identification – R1)

Next Steps: TRC Can Help

TRC clients are encouraged to read the report to better understand each of the above security risks. The report includes suggested approaches for mitigation and general guidance for ongoing compliance. Several of the Lessons Learned are industry-standard cybersecurity practices above and beyond the requirements of NERC CIP compliance but are strongly recommended.

The report also includes references to lessons learned from prior years and provides a good checklist for your company’s CIP compliance program.

TRC has qualified CIP specialists to assist you with your review when an independent third-party assessment of your CIP program is needed.

Resources:

FERC Staff Report Offers Lessons Learned from 2024 CIP Audits
Physical Security Solutions for Utilities
Cybersecurity Support for Utilities
Example NERC CIP project
NERC CIP-014 Compliance Support & Services (Physical Security)
CIP-014-3 (Physical Security) – Post Assessment Support

About TRC’s Security and Cybersecurity Practice:

TRC’s approach to security, including cybersecurity, balances solutions that incorporate appropriate standards, regulatory requirements, best practices, and operational goals and budgets. Our work for public and private sector utility clients reflects our understanding of security operations. Our successful application of technological solutions in a constantly evolving business and regulatory landscape will give you confidence in your security programs. Our security and power system experts help you stay ahead of changing regulatory expectations because they stay engaged with the regulatory process and know how to plan, design and install programs that address your financial, technical and scheduling goals, including compliance with changing NERC Security standards and guidelines as well as industry “best practices” and the latest technology developments.

This regulatory update is a service to TRC’s utility clients, helping keep you informed of issues that impact your company’s electric system security risks along with related topics regarding future regulatory developments to help you achieve your company’s business goals.

Larry Fitzgerald

Larry Fitzgerald, CPTED, PSP, CPP leads TRC’s national Security and Emergency Management Practice, where he has supported security for many different types of Critical Infrastructure, including dozens of utilities. He has performed security assessments, developed security master plans, security designs and policies, provided training, and delivered overall security consulting and strategy for clients nationwide. Contact Larry at LFitzgerald@trccompanies.com
