The 2020 “Staff Report Lessons Learned from Commission-Led CIP Reliability Audits” report covers CIP reliability standards, audit scope and methodology, an overview and discussion of lessons learned. The annual report concluded that nearly all of the entities’ adopted procedures and cybersecurity protection processes met the mandatory requirements of the CIP reliability standards. Along with gauging compliance with the CIP reliability standards, the report offers recommendations related to voluntary cybersecurity practices. This current report’s recommendations:

• guarantee that all cyber assets are properly identified and that all substation cyber systems are properly classified as high, medium, or low impact
• review all physical security perimeters regularly to make sure that no unidentified physical access points exist
• confirm that backup and recovery procedures are revised in a timely manner and that all solutions and steps taken to mitigate vulnerabilities are documented
• consider assessing the security controls implemented by third parties consistently and implement additional controls where needed when using a third party to manage cyber system information

FERC anticipates lessons learned from the audits completed in fiscal year 2020 will help entities evaluate their risk and compliance with mandatory reliability standards and be able to facilitate efforts to improve the security of the nation’s electric grid.

Sources:

FERC Staff Report Details Lessons Learned from CIP Reliability Audits (sec.gov)

2020 Staff Report Lessons Learned from Commission-Led CIP Reliability Audits (sec.gov)