FERC Report on Lessons Learned from Commission-Led CIPv5 Audits

Introduction

The staff of the Division of Reliability Standards and Security in the Office of Electric Reliability, with assistance of staff from the Division of Audits and Accounting in the Office of Enforcement, of the Federal Energy Regulatory Commission (Commission) has completed non-public audits of several registered entities of the Bulk Electric System (BES).1 The audits evaluated the registered entities’ compliance with the applicable mandatory Reliability Standards for the Bulk-Power System Critical Infrastructure Protection (CIP) Reliability Standards (CIP Reliability Standards).2 Staff from Regional Entities and the North American Electric Reliability Corporation (NERC) participated on the audits, including the on-site portion. The audits were completed during Fiscal Years 2016 and 2017 (FY2016 and FY2017, respectively). The audits provided audited entities an assessment of their compliance status in the audited areas. Staff found that, for the first series of completed non-public audits, most of the cyber security protection processes and procedures adopted by the audited entities met the mandatory requirements of the CIP Reliability Standards. Staff also found instances of potential compliance infractions. Additionally, staff identified possible areas of improvement in the security posture of audited entities that are not specifically addressed by the CIP Reliability Standards. The audits afforded audited entities opportunities to learn of areas for improvement in their security posture and staff recommended proposals to addresses the matters. This anonymized summary report informs the regulated community and the public of lessons learned from the audits, including insights into the cyber security and CIP compliance issues encountered by registered entities. This report provides information and recommendations to NERC, Regional Entities, and registered entities that staff believes is useful in their assessments of risk, compliance, and overall cyber security. Moreover, this information may be generally beneficial to the utility-based cyber security community to improve the security of the BES.

Read full Report