As part of Industrial Defender’s PrOTect Operational Technology (OT) series, “Conversations About Protecting Critical Infrastructure,” we discussed the top improvement areas in NERC CIP based on independent FERC audits. Our expert for the discussion was Patrick Miller, CEO of Ampyx Cyber.
Patrick identified these top five lessons from FERC audits conducted in 2024:
Proper categorization under the NERC CIP standards is essential for digital assets that would impact the BES within 15 minutes if they become unavailable, are misused, or experience degraded functionality. Only those items considered necessary for operations are included in this categorization.
The audits highlighted concerns with Electronic Security Perimeter (ESP) assets. As boundary devices, these assets are often classified as part of an Electronic Access Control or Monitoring System (EACMS), subjecting them to a less stringent set of rules. This classification results in the application of fewer standards, which was evident in the audits, as many utilities struggled to effectively manage and maintain firewall configurations.
A much more in-depth and complete understanding of the environment is necessary to determine the criticality of these assets. Because the failure of such devices could directly impact BES operation, they should be listed as BES cyber assets and not just an EACMS. Additionally, misclassification at this stage can cascade into other areas, making it vital to understand the dependencies of all assets in the environment.
Lesson learned: Critical devices must be classified correctly.
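To make the dependency point concrete, here is an added Python example (not from the webinar, Industrial Defender or Ampyx Cyber; the asset names, impact estimates and dependency edges are constructed, and the model is a simplification of the CIP criteria rather than the standard's own definitions): assets whose own loss or misuse affects the BES inside the 15-minute window seed the BCA set, and that impact is propagated to every asset a BCA cannot operate without, so an ESP firewall that is the only path to an EMS server ends up classified as BCA as well as EACMS instead of EACMS-only.

```python
"""Dependency-aware asset classification (added illustration, simplified)."""
from collections import deque

IMPACT_WINDOW_MINUTES = 15

# Constructed sample inventory (hypothetical asset names). direct_impact_minutes
# is the engineering estimate of how quickly loss or misuse of the asset *alone*
# would affect BES operation; None means no direct impact was identified.
ASSETS = {
    "ems-server-01":   {"direct_impact_minutes": 5,    "roles": {"EMS"}},
    "rtu-sub-07":      {"direct_impact_minutes": 10,   "roles": {"RTU"}},
    "esp-fw-01":       {"direct_impact_minutes": None, "roles": {"EACMS"}},
    "jump-host-01":    {"direct_impact_minutes": None, "roles": {"EACMS"}},
    "hist-archive-01": {"direct_impact_minutes": 240,  "roles": {"historian"}},
}

# Hard operational dependencies (constructed): asset -> assets it cannot
# function without. The ESP firewall is the only path to the EMS and the RTU.
DEPENDS_ON = {
    "ems-server-01": {"esp-fw-01"},
    "rtu-sub-07": {"esp-fw-01"},
    "jump-host-01": {"esp-fw-01"},
}


def classify(assets, depends_on, window=IMPACT_WINDOW_MINUTES):
    """Return (categories, reasons).

    categories maps each asset to a sorted list of applicable categories
    ("BCA", "EACMS"); reasons records why an asset ended up in the BCA set.
    """
    bca = set()
    reasons = {}
    # Seed: assets whose own failure or misuse hits the BES within the window.
    for name, meta in assets.items():
        minutes = meta["direct_impact_minutes"]
        if minutes is not None and minutes <= window:
            bca.add(name)
            reasons[name] = "direct impact within window"
    # Propagate: anything a BCA cannot operate without inherits the impact,
    # which is what keeps a boundary firewall from being left as EACMS-only.
    queue = deque(sorted(bca))
    while queue:
        dependent = queue.popleft()
        for upstream in sorted(depends_on.get(dependent, ())):
            if upstream not in bca:
                bca.add(upstream)
                reasons[upstream] = f"required by {dependent}"
                queue.append(upstream)
    categories = {}
    for name, meta in assets.items():
        cats = set()
        if name in bca:
            cats.add("BCA")
        if "EACMS" in meta["roles"]:
            cats.add("EACMS")
        categories[name] = sorted(cats)
    return categories, reasons


if __name__ == "__main__":
    cats, why = classify(ASSETS, DEPENDS_ON)
    for asset in sorted(cats):
        print(f"{asset:16} {cats[asset] or ['-']}  {why.get(asset, '')}")
```

The point of the propagation step is that a device with no direct BES function on its own still inherits the 15-minute impact of the assets that cannot run without it; an EACMS-only label for `esp-fw-01` would miss that, and the misclassification would carry into every downstream requirement.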
The audits showed that at least one organization tried to divide a physical control center that exceeded 1,500 megawatts (MW) into multiple logical control centers to bring each below the 1,500 MW threshold. While the standards provide guidance for segmentation, particularly with generation facilities, these segmented facilities must be zero-shared systems – from control loops to networking infrastructure.
However, control centers – and data centers for that matter – do not have this flexibility; legal requirements prohibit logical separations. Although they can be segmented operationally without impacting CIP applicability, these control centers still operate from a single location, even when controlling multiple geographic locations.
In this case, the organization tried to exercise some allowances intended for other asset types, such as generation assets.
Lesson learned: Even if you have legitimate reasons to establish logical control centers within a larger control center, you still must adhere to NERC requirements.
The baseline standards outlined in CIP 010 cover a broad range of requirements and provide a decent footprint on the system. However, the definition of software has always been ambiguous. For instance, what about software packages that are installed but disabled? These packages often can be re-enabled through various means, either intentionally – such as through standard Windows patching – or accidentally.
In addition to disabled software, browser extensions and other kinds of software elements also should be included in the baseline. The reason: Certain browser extensions are necessary to run operating environments such as energy management systems, distributed control systems, or platforms that support power system operations.
Additionally, FERC is considering new virtualization standards, with approval expected in the coming months. As a result, the baseline standards are likely to become more stringent over time as more areas are included.
Lesson learned: Baseline standards are evolving to become more comprehensive. As such, considerations like disabled software, browser extensions, and upcoming virtualization standards should be included as part of the baseline.
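As an added illustration of what a baseline that includes disabled software and browser extensions buys you, here is a Python example (not from the webinar or from Industrial Defender; the workstation, package and extension names are constructed): disabled items are kept in the approved baseline with their state recorded, so a package that a patch cycle quietly re-enables, a new browser extension, or a changed extension version all surface as drift instead of being invisible to a baseline that lists only enabled software.

```python
"""Baseline drift check that tracks disabled items and browser extensions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BaselineItem:
    kind: str       # "package", "service" or "browser_extension"
    name: str
    version: str
    enabled: bool   # disabled items stay in the baseline on purpose


def index(items):
    """Key items by (kind, name) so state changes can be compared in place."""
    return {(item.kind, item.name): item for item in items}


def diff_baseline(approved, observed):
    """Return (change, item) pairs describing drift from the approved baseline."""
    a, o = index(approved), index(observed)
    findings = []
    for key in sorted(o.keys() - a.keys()):
        findings.append(("unapproved", o[key]))          # not in the baseline
    for key in sorted(a.keys() - o.keys()):
        findings.append(("removed", a[key]))             # expected but gone
    for key in sorted(a.keys() & o.keys()):
        before, after = a[key], o[key]
        if before.version != after.version:
            findings.append(("version_changed", after))
        if before.enabled != after.enabled:
            # A disabled package coming back to life is the case the page
            # describes: it is still "software" and still needs to be in scope.
            findings.append(("re_enabled" if after.enabled else "disabled", after))
    return findings


# Constructed approved baseline for one hypothetical EMS operator workstation.
APPROVED = [
    BaselineItem("package", "ems-core", "9.1", True),
    BaselineItem("package", "telnet-client", "1.0", False),   # installed, disabled
    BaselineItem("service", "RemoteRegistry", "n/a", False),
    BaselineItem("browser_extension", "ems-hmi-plugin", "3.2", True),
]

# Constructed observation taken after a patch cycle.
OBSERVED = [
    BaselineItem("package", "ems-core", "9.1", True),
    BaselineItem("package", "telnet-client", "1.0", True),    # patch re-enabled it
    BaselineItem("service", "RemoteRegistry", "n/a", False),
    BaselineItem("browser_extension", "ems-hmi-plugin", "3.3", True),
    BaselineItem("browser_extension", "weather-widget", "0.9", True),
]


def drift_report(approved=APPROVED, observed=OBSERVED):
    """Flattened view of diff_baseline for logging or evidence collection."""
    return [(change, item.kind, item.name)
            for change, item in diff_baseline(approved, observed)]


if __name__ == "__main__":
    for change, kind, name in drift_report():
        print(f"{change:16} {kind:18} {name}")
```

Feeding this from a real host means exporting installed packages, service states and browser extension manifests into `BaselineItem` records; the comparison logic itself does not change when virtualization-related items are later added as another `kind`.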
CIP 011 requires that facilities have a plan in place to protect access to BCSI – critical information about important assets – as well as rules for granting and revoking access. This information is highly sensitive and could potentially provide a roadmap to damage the asset or facility.
The FERC audit revealed that BCSI sometimes was stored in both logical and physical areas where the people who had access to it were not appropriately recorded. For instance, a physical storage facility might document individuals who could access stored information but omit certain personnel, such as janitorial staff who also have access to the area.
Lesson learned: Access to BCSI must be strictly controlled and documented. Every individual with access must be recorded, with a clear reason for their access listed. Additionally, access must be reviewed periodically and revoked when no longer necessary.
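The storage-room finding above is essentially a reconciliation problem: who can actually reach a BCSI repository versus who is recorded as authorized to. Here is an added Python example (not from the webinar or from Industrial Defender; the repository names, people, dates and the 365-day review interval are constructed assumptions) that compares a badge-system export for a physical records room and a directory-group export for a logical share against the BCSI authorization records, flagging anyone with access who is not recorded, records with no stated reason, and records whose periodic review is overdue.

```python
"""BCSI access reconciliation (added illustration with constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Authorization:
    person: str
    repository: str
    justification: str   # the documented reason for access
    last_reviewed: date


# Constructed authorization records (hypothetical people and repositories).
AUTHORIZATIONS = [
    Authorization("alice", "cip-docs-share",
                  "EMS engineer; maintains network diagrams", date(2024, 11, 1)),
    Authorization("bob", "cip-docs-share", "", date(2024, 11, 1)),
    Authorization("carol", "records-room-b",
                  "Compliance lead; audit evidence custodian", date(2023, 6, 15)),
]

# Constructed exports of who can actually reach each repository today:
# a directory-group membership list for the share, a badge-access list for
# the room. The cleaning contractor holds a badge but has no BCSI record.
ACTUAL_ACCESS = {
    "cip-docs-share": {"alice", "bob", "dave"},
    "records-room-b": {"carol", "janitorial-contractor-03"},
}


def reconcile(authorizations, actual_access, as_of,
              review_interval=timedelta(days=365)):
    """Return (finding, repository, person) tuples, sorted per repository."""
    by_repo = {}
    for auth in authorizations:
        by_repo.setdefault(auth.repository, {})[auth.person] = auth
    findings = []
    for repo, people in sorted(actual_access.items()):
        recorded = by_repo.get(repo, {})
        # Has access, but nobody wrote it down: the audit finding on the page.
        for person in sorted(people - recorded.keys()):
            findings.append(("unrecorded_access", repo, person))
        for person in sorted(recorded):
            auth = recorded[person]
            if person not in people:
                # Authorized on paper but no longer able to reach it: stale record.
                findings.append(("stale_authorization", repo, person))
            if not auth.justification.strip():
                findings.append(("missing_justification", repo, person))
            if as_of - auth.last_reviewed > review_interval:
                findings.append(("review_overdue", repo, person))
    return findings


if __name__ == "__main__":
    for finding in reconcile(AUTHORIZATIONS, ACTUAL_ACCESS, date(2025, 3, 1)):
        print(*finding)
```

Running it against the constructed data reports the contractor with room access and a user in the share's group who were never recorded, an authorization with an empty justification, and a record whose review is more than a year old; the same structure works for any access source that can be exported as a set of identities per repository.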
CIP 012 indicates that communication between control centers – whether within your own facilities or with other parties – must be protected. Some entities were unaware that this level of protection applied to their own control centers. Additionally, some failed to identify their real-time assessment or real-time monitoring (RTA/RTM) data. Although the standards provide some flexibility, Inter-Control Center Communications Protocol (ICCP) networks and links should be included, as should real-time modeling environments, state estimation data, and similar components.
Lesson learned: If a system is needed for real-time operation – within your control center and others – it is probably RTA/RTM, and it should be protected.
Finally, Patrick noted that future audits are expected to place greater emphasis on these issues. These audits may serve as a preview of future refinements to the standards, with modifications addressing these gaps going forward.
Want to know more? For additional insights into this topic, listen to our discussion here.