- November 4, 2020 WebEx – 2020 Annual Security Compliance Certification (New Template) and Cyber Asset Designation Worksheet
- April 28, 2020 WebEx – 2020 FERC Security Program Webinar for Licensees/Exemptees
- March 14, 2018 WebEx – FERC Security Program Requirements and Cyber Brief
- May 31, 2017 WebEx – Webinar Controlling Security Sensitive Material
- March 8, 2017 WebEx - Revision 3A and Cyber Briefing
- May 11, 2016 WebEx – Revision 3A and Cyber Briefing
- Security Document Revision 3A
- Revision 3 and 3A Changes
- Frequently Asked Question to Revision 3 and 3A (FAQs)
- FERC Hydro Cyber/SCADA Security Checklist – Form 3 (fillable)
Best Practices for Completing the Annual Security Compliance Certification (ASCC). The ASCC is an annual requirement due December 31 each year. A webinar was conducted on November 4, 2020 to help clarify the requirements of the ASCC and a new template was reviewed. A link to the webinar is provided above this section. At a minimum, the ASCC must be submitted (new or old format; new format strongly recommended) with applicable FERC Physical Security Checklist(s) and a completed Cyber Asset Designation Worksheet. Below are links to help facilitate the completion of the ASCC:
- New ASCC Letter Template with Fillable Forms and Attachments (Security Documentation Table, Revised Cyber Asset Designation Worksheet, FERC Physical Security Checklist Version 5a, and Security Correspondence)
- Completed example of the New ASCC letter for a licensee/exemptee with four developments and the same security contacts for all four Developments
- Completed example of the New ASCC letter for a licensee/exemptee with eight developments and different security contacts for certain Developments
- The old ASCC Letter Template (please keep in mind if you use this option you must still attach the FERC Physical Security Checklist and the Cyber Asset Designation Worksheet to your submittal; see the 2 links directly below)
- FERC Physical Security Checklist Version 5
- Original Cyber Asset Designation
Guide on Best Practices for Controlling Security Sensitive Material. The guide is a starting point for information security planning and proposes a range of Security Sensitive Material protection strategies with examples of how to identify and manage sensitive information. The guide is not prescriptive and is not intended to substitute as policy or set any minimum standard for compliance.
Available Resources for sUAS/Drone Threat. The use of Small Unmanned Aircraft Systems (sUAS) or Drones have been an increasing concern to the critical energy infrastructure community. While sUAS/drones may be used to conduct day-to-day business operations and for the joy of recreational opportunities, misuse of these aircrafts can pose significant challenges to America’s critical infrastructure. These threats include:
- Weaponizing or Smuggling Payloads
- Prohibited Surveillance and Reconnaissance
- Intellectual Property theft
- Intentional Disruption or Harassment
To help assist critical infrastructure owners and operators address these concerns, we have provided several links for your reference.
- Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) UAS Fact Sheet
Security Assessment Template for Group 2 Dams - A template for the Security Assessment of Group 2 dams has been prepared from a joint effort between a volunteer licensee group and FERC staff. The template consists of three parts: (1) a Microsoft Word file formatting the assessment methodology, assessment findings, recommendations and conclusions in sufficient detail to satisfy the Security Program requirements; (2) The FERC Hydro Security Inspection Form, to be filled out by the licensee (included in the MS Word base report form; and, (3) a Microsoft Excel spreadsheet used to evaluate all the security components applicable to all critical assets identified at the site. An analysis of foot, land, and water avenues of approach are included in the spreadsheet. Use of this template is not a requirement, and is provided for licensee consideration on a voluntary basis.
Sample Security Plan - A sample of a Security Plan was requested from several FERC licensees. The following (redacted) document has been created by a volunteer licensee group to fulfill that purpose. Use of this format is not a requirement, and is provided for licensee consideration on a voluntary basis only. Other Security Plan formats and content will be considered by the FERC.
Security Letters - The following letters were issued by FERC regarding security concerns at hydropower dams after September 11, 2001.
Dam Assessment Matrix for Security and Vulnerability Risk (DAMSVR) - DAMSVR is a vulnerability assessment methodology for dams developed by FERC, USBR, USACE, ASDSO, and Foos Associates LLC (now Security Management Solutions).