On September 14th, 2020, staff from FERC and the North American Electric Reliability Corporation (NERC) published a report entitled “Cyber Planning for Response and Recovery Study” (CYPRES), which emphasizes best practices for the electric utility industry.
The combined personnel of FERC and NERC, and the NERC Regional Entities, collaborated to develop the report after interviewing experts on this matter from eight electric utilities of different sizes and functions. Included in the staffs’ report are observations on the organizations’ defensive capabilities and on the effectiveness of their Incident Response and Recovery (IRR) plans.
The report identifies shared elements within the IRR plans. These common elements define their scope, computer security events, staff functions and responsibilities, and levels of empowerment to respond. The shared elements indicate reporting requirements and guidelines for external communications and information sharing, as well as procedures to assess performance.
The report also highlighted best practices, concluding that effective IRR plans must:
- have well-defined personnel functions, encourage accountability, give personnel the authority to act without unnecessary delays, and use supporting technology and automated tools while recognizing the importance of human performance
- require well-qualified personnel who continually sharpen their skills and stay mindful of lessons learned from past events or simulated challenges
- use specific standards so personnel can detect substantial deviations from regular operations
- eliminate all outside connections when activated, consider the risk that a containment strategy may cause predefined damaging actions by the malware, and use evidence gathering and ongoing analysis to determine if an event indicates a greater compromise
- consider the resource implications of incident responses of unknown length
- implement lessons learned from prior incidents and simulated events
The teams concluded that effective IRR plans are vital resources for addressing cyber threats. They therefore determined that effective IRR plans should be established, and response teams should be ready to detect, contain, and eliminate cyber threats before they do harm to utility operations.
For inquiries regarding this report, contact Mary O’Driscoll at FERC by phone at (202) 502-8680 or via email at mediadl@ferc.gov, or contact Kimberly Mielcarek at NERC via email at Kimberly.mielcarek@nerc.net.
Sources:
FERC, NERC Staff Outline Cyber Incident Response, Recovery Best Practices (ferc.gov)
2020 FERC, NERC and REs Report: Cyber Planning for Response and Recovery Study (CYPRES) (ferc.gov)