FERC staff today offered recommendations to help users, owners and operators of the bulk-power system improve their compliance with the mandatory Critical Infrastructure Protection (CIP) reliability standards and their overall cybersecurity posture.

Today’s annual report comprises lessons learned from the non-public CIP audits of registered entities and includes findings that most of the cybersecurity protection measures adopted by the entities met the mandatory requirements of the CIP reliability standards. The report also identifies and makes recommendations to address remaining potential noncompliance and security risks. The report recommends cybersecurity practices that include processes, procedures and technical controls to mitigate those risks.

Lessons learned from the fiscal year 2022 audits will help registered entities assess their risk and compliance with the mandatory standards, while also facilitating further efforts to improve the cybersecurity of the nation’s electric grid.

FERC’s Office of Electric Reliability and Office of Enforcement conducted the audits, in collaboration with the North American Electric Reliability Corporation and its regional entities.

Among the report’s recommendations:

Re-evaluate policies, procedures, and controls for low-impact cyber systems and associated cyber assets;
Address risks posed by bulk electric system cyber assets that have reached the manufacturer-determined end of life or service and no longer are supported by vendors;
Deploy a comprehensive malicious code prevention program for all cyber assets within a bulk electric system cyber system;
Implement comprehensive vulnerability assessment processes for applicable cyber assets; and
Review and validate controls used to mitigate software vulnerabilities and malicious code on transient cyber assets managed by a third party.