On March 29, 2019, FERC released its 2018 staff report on Critical Infrastructure Protection (“CIP”) reliability audits (“2018 CIP Report”).  The 2018 CIP Report summarizes new and previously-identified “lessons learned” from CIP audits conducted for fiscal years 2016 through 2018.  The audits evaluated whether certain users, owners, and operators of the Bulk Electric System (“BES”) – generally referred to as “registered entities” – had been complying with the FERC-approved CIP Reliability Standards during the relevant fiscal years.  FERC staff found that the audited registered entities met most of the mandatory requirements of the CIP Reliability Standards, but that there were some potential compliance infractions.  In addition, the staff summarized certain other existing practices that could improve BES security, but are not necessarily required by the CIP Reliability Standards and so therefore were only noted as recommendations in the 2018 CIP Report.

The CIP Reliability Standards were developed pursuant to Section 215 of the Federal Power Act and are enforced by the North American Electric Reliability Corporation (“NERC”), with FERC oversight.  In fiscal year 2016, FERC initiated the CIP Reliability Standards audit process, which is managed primarily by FERC’s Office of Electric Reliability and Office of Enforcement, with assistance from NERC and its regional entities.  The results of the audits are non-public; however, the resulting CIP reports provide information and recommendations to NERC, NERC regional entities, and BES registered entities that FERC staff found to be useful in their assessments of risk, compliance, and overall BES cyber security.

The 2018 CIP Report listed thirteen “lessons learned” along with explanations and recommendations.  Three such lessons were carryovers from previous CIP reports.  Some new recommended improvements were:

• Implement valid Security Certificates within the boundaries of BES Cyber Systems with encryption capable of ensuring proper authentication of internal connections to prevent user from becoming desensitized to error messages;
• Improve the encryption for Interactive Remote Access so that it is better able to protect data sent between the remote access client and the BES Cyber System’s Intermediate System;
• Replace or upgrade system components that have reached their “end-of-life” date, as such components can put a Registered Entity at a higher risk of a cyber incident.

The full 2018 CIP Report can be found here.