FERC Staff Report Offers Lessons Learned from 2024 CIP Audits: What You Need to Know

In its 2024 CIP audit report, the Federal Energy Regulatory Commission (FERC) shared critical lessons learned from the latest round of reliability audits, revealing key areas where NERC-registered entities can strengthen their security posture. While many organizations successfully met compliance requirements, the report highlighted specific gaps in asset categorization, control center segmentation, and data protection that could pose significant operational risks. By addressing these issues and implementing FERC’s voluntary recommendations, entities can enhance their defenses and ensure the continued reliability of the Bulk Electric System.

In August 2024, the Federal Energy Regulatory Commission (FERC) released its staff report summarizing the lessons learned from the latest round of Critical Infrastructure Protection (CIP) reliability audits. These audits focus on assessing the compliance of North American Electric Reliability Corporation (NERC)-registered entities with the mandatory CIP Standards, which safeguard the security of the Bulk Electric System (BES) against cyber and physical threats. The 2024 findings are vital for improving the overall security posture of utilities and critical infrastructure operators. Let’s dive into the key takeaways from the report and what your organization can do to address potential gaps.

Key Lessons Learned

The 2024 report provides deep insights into areas where many organizations are performing well and where there’s still room for improvement. Here are some of the most important findings:

1. BES Cyber System Categorization (CIP-002-5.1a)

FERC noted that many entities successfully identified and categorized their BES Cyber Systems, but some associated Cyber Assets posed risks not fully addressed by the current categorization structure. Specifically, there were instances where entities deployed “next-generation firewalls” configured in such a manner that their loss, compromise, or misuse may cause a “15-minute impact” to the reliable operation of the BES beyond what is suggested by their categorization as EACMS. These assets, while not directly defined as BES Cyber Assets, could lead to a significant operational impact. The report suggests that entities consider the broader operational risks presented by such systems and implement additional security controls where needed. In short, FERC is essentially implying that these Cyber Assets should also be categorized as BES Cyber Assets where the device would fail “closed” and the entity would then have difficulty using its systems to perform expected BES reliability operating services.

Recommendation: Entities should reassess how they categorize associated assets like firewalls, even if they fall outside traditional BES Cyber Asset definitions, and apply enhanced security measures to mitigate potential risks.

2. Control Center Categorization

Several entities were found to segment their Control Centers incorrectly. Specifically, some organizations logically divided a single physical Control Center into multiple “logical Control Centers,” presumably to avoid applying certain CIP requirements by falling under the 1,500 MW threshold. However, FERC clarified that if a Control Center shares the same physical infrastructure, it must be categorized as a single entity under the CIP standards, regardless of logical segmentation. The CIP Standards allow the flexibility to logically segment BES Cyber Systems, for example, logically separating a generation asset’s units to lower the single-site generation below 1,500 MW. However, in this instance the NERC Glossary definition of Control Center does not allow that type of segmentation to occur because the definition already encompasses “one or more facilities...” In other words, FERC does not recognize the concept of a logically separated Control Center.

Recommendation: Ensure that all control centers housed in the same physical space are categorized as a single unit. Failing to do so could lead to compliance risks and insufficient security controls.

3. Cyber Asset Baseline Management (CIP-010-4)

Another common issue was incomplete baseline reporting, particularly concerning browser extensions and standalone applications. The CIP standards require entities to maintain detailed baselines for all software installed on critical systems. However, some organizations failed to account for installed but disabled software, which could create vulnerabilities. In some cases, entities did not include, or could not differentiate between, the browser-extension and standalone versions of the same software application.

Recommendation: Make sure that every Cyber Asset's baseline includes all installed software, including browser extensions and any disabled applications. This helps ensure that configurations are secure and can be easily restored if needed. FERC recommended developing a Configuration and Change Management plan that includes:

  • Configuration item

  • Baseline configuration or setting

  • Configuration management database

  • Configuration control review board

  • Monitoring of configuration changes
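As an added illustration of the baseline gaps described above (this is example code, not from the FERC report or any entity’s program), the following script compares a declared software baseline against an observed inventory. It treats disabled software as installed and keys each configuration item on name plus kind, so the browser-extension build of a product is tracked separately from its standalone build; the `distinguish_kind=False` path shows how a name-only baseline lets the extension disappear. All records and field names are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SoftwareItem:
    name: str
    version: str
    kind: str   # "standalone" or "browser-extension"
    state: str  # "enabled" or "disabled"


# Constructed sample records (not taken from any real baseline).
DECLARED_BASELINE = [
    SoftwareItem("Acme PDF Reader", "11.2", "standalone", "enabled"),
    SoftwareItem("ZipTool", "3.0", "standalone", "enabled"),
]
OBSERVED_INVENTORY = [
    SoftwareItem("Acme PDF Reader", "11.2", "standalone", "enabled"),
    SoftwareItem("Acme PDF Reader", "11.2", "browser-extension", "enabled"),
    SoftwareItem("ZipTool", "3.1", "standalone", "enabled"),
    SoftwareItem("LegacyTelnet", "1.4", "standalone", "disabled"),
]


def item_key(item, distinguish_kind):
    # A name-only key merges the extension and standalone builds of the same
    # product, which is exactly how the extension drops out of a baseline.
    return (item.name.lower(), item.kind) if distinguish_kind else item.name.lower()


def audit_baseline(declared, observed, distinguish_kind=True):
    """Return sorted (label, reason) findings. Disabled software is still
    installed and is compared like any other configuration item."""
    declared_by = {item_key(i, distinguish_kind): i for i in declared}
    observed_by = {item_key(i, distinguish_kind): i for i in observed}
    findings = []
    for key, item in observed_by.items():
        label = f"{item.name} [{item.kind}, {item.state}]"
        if key not in declared_by:
            findings.append((label, "installed but missing from baseline"))
        elif declared_by[key].version != item.version:
            expected = declared_by[key].version
            findings.append((label, f"version {item.version} differs from baseline {expected}"))
    for key, item in declared_by.items():
        if key not in observed_by:
            findings.append((f"{item.name} [{item.kind}]", "in baseline but not installed"))
    return sorted(findings)


if __name__ == "__main__":
    for label, reason in audit_baseline(DECLARED_BASELINE, OBSERVED_INVENTORY):
        print(f"{label}: {reason}")
```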

4. BES Cyber System Information (BCSI) Protection (CIP-011-2)

The report identified gaps in protecting BES Cyber System Information (BCSI). Some entities didn’t properly track and manage access to this sensitive data, potentially exposing critical system information to unauthorized users. For example, some entities did not account for individuals who had access to BCSI. In some cases, these individuals did not have a need to know but were included in access groups. Further, most technologies used to support access groups for shared drives have built-in default administrator accounts that hold full control of the shared drive by default. Some entities did not apply proper controls for access to physical BCSI printed on printers located within a physical security perimeter.

Recommendation: Organizations should tighten their BCSI management protocols by implementing stricter access controls and ensuring all individuals with access to this information are accounted for and thoroughly vetted. Additionally, ensure that printed materials containing BCSI are labeled appropriately and secured or properly disposed of after use. FERC recommended enhancing the BCSI protection programs to include:

Physical Requirements

  • Revise procedures and controls to comprehensively address monitoring and tracking of physical BCSI

  • When identifying and documenting physical BCSI storage locations, consider where any printers are located and the ability to print hard copies

  • Ensure cyber security training includes proper handling, identification, and use of BCSI

Electronic Requirements

  • Re-evaluate methods for identifying BCSI and associated BES Cyber Systems

  • Review all data sources and ensure all BCSI is properly identified

  • Re-evaluate BCSI access and protection measures
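As an added example of the electronic access review described above (example code, not from the FERC report or any entity’s BCSI program), this script flattens nested shared-drive access groups to the accounts that effectively hold access, then reports built-in administrative principals that retain default full control and individuals who are in the group without a need to know. Group names, accounts, the roster and the default-admin name patterns are all constructed assumptions.

```python
# Constructed nested group membership for a shared drive holding BCSI.
# Members prefixed "group:" are nested groups; everything else is an account.
GROUPS = {
    "bcsi-engineering-share": ["alice", "bob", "group:ops-oncall", "BUILTIN\\Administrators"],
    "ops-oncall": ["carol", "dave", "svc_backup"],
}

# Constructed roster of individuals with an approved need to know for this BCSI.
NEED_TO_KNOW = {"alice", "carol"}

# Assumed name patterns for default administrative principals that platforms
# commonly provision with full control unless they are deliberately removed.
DEFAULT_ADMIN_PATTERNS = ("builtin\\administrators", "administrator", "root")


def expand_members(group, groups, seen=None):
    """Flatten nested groups into the set of accounts with effective access."""
    seen = set() if seen is None else seen
    if group in seen:  # guard against membership cycles (A contains B contains A)
        return set()
    seen.add(group)
    accounts = set()
    for member in groups.get(group, []):
        if member.startswith("group:"):
            accounts |= expand_members(member[len("group:"):], groups, seen)
        else:
            accounts.add(member)
    return accounts


def review_access(group, groups, need_to_know):
    """Return the effective access set plus two finding sets: default admin
    principals still present, and accounts lacking a documented need to know."""
    effective = expand_members(group, groups)
    default_admins = {a for a in effective if a.lower() in DEFAULT_ADMIN_PATTERNS}
    without_need_to_know = {a for a in effective - default_admins if a not in need_to_know}
    return {
        "effective_access": effective,
        "default_admin_principals": default_admins,
        "without_need_to_know": without_need_to_know,
    }


if __name__ == "__main__":
    result = review_access("bcsi-engineering-share", GROUPS, NEED_TO_KNOW)
    for finding, accounts in result.items():
        print(f"{finding}: {sorted(accounts)}")
```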

5. Control Center Communication Security (CIP-012-1)

Many entities overlooked risks related to real-time communication between their primary and backup control centers. While most control centers were compliant, some organizations did not properly identify or secure real-time data transmissions, especially between their own primary and backup control centers in high-availability scenarios where a standby server might still receive critical data.

Recommendation: Enhance identification of critical Real-time Assessment and Real-time monitoring (RTA/RTM) communications so that it covers not only communications with external Control Centers but all Control Centers, including those within the entity’s own environment.

Looking Ahead: The Importance of Continuous Improvement

One recurring theme in the 2024 FERC CIP audit report is the need for continuous improvement. Cybersecurity threats are evolving, and so must the protective measures applied to the BES. FERC's voluntary recommendations offer an opportunity for organizations to go beyond compliance and bolster their security posture against emerging threats. Adopting a proactive approach to CIP standards and incorporating lessons learned from these audits can help prevent potential compliance failures and security breaches in the future.

Conclusion

The FERC 2024 CIP audit report highlights the importance of both compliance and security enhancements for NERC-registered entities. While most organizations are successfully meeting the NERC CIP requirements, there are still significant areas where additional security measures are crucial (as usual, there were multiple references to the NIST 800 series of Special Publications as Additional Guidance). By addressing these gaps, utilities and critical infrastructure operators can better protect the reliability and security of the Bulk Electric System.

Patrick Miller