FERC CIP Audits 2023 - Best Practices in Cyber Readiness

Get CIP Readiness Insights

The Federal Energy Regulatory Commission (FERC) Division of Audit and Accounting (DAA) conducts audits in many areas to support the needs of the Commission. A recent FERC publication details the results of FERC Critical Infrastructure Protection (CIP) audits of several U.S.-based North American Reliability Corporation (NERC) registered entities. This report gives insights into best practices to measure your system’s CIP readiness. The audits were conducted jointly with FERC, NERC, and NERC Regional Organization staff.

 Key article takeaways

1. The FERC DAA conducts audits of NERC registered entities to test for compliance with NERC Reliability Standards.

2. Audit staff found that while most of the cyber security protection processes and procedures adopted by the registered entities met the mandatory requirements of the CIP Standards, potential noncompliance and security risks remained.

3. The report also contains practices not required by the CIP Standard that could improve security. These are labeled in the report as voluntary cyber security recommendations.

           Cybersecurity non-compliance areas

The FERC report - 2023 Lessons Learned from Commission-Led Reliability Audits, found that most of the registered entities meet the mandatory requirements of the CIP reliability standards.

The report first makes recommendation based on non-compliance with CIP standards. The FERC report recommends that entities:

- Identify and categorize all bulk-electric cyber systems and their associated cyber assets (CIP-002-5.1a, R1);

- Report all cyber security incidents, and attempts to compromise their systems that were identified as cyber security incidents, to the Electricity Information Sharing and Analysis Center and the Cybersecurity and Infrastructure Security Agency (CIP-003-8, R2, Section 4, CIP-007-6, R4; CIP-008-6, R4);

- Restrict all inbound and outbound access permissions, including the reason for granting access, and denying all other access by default (CIP-005-7, R1.3);

- Enhance supply chain risk management programs to include evaluating the risks of existing vendors, and develop a plan to respond to risks that are identified (CIP-013-1, R1).

Reviewing the common theme of the audit, is that lack of documentation of issues is the cause of non-compliance.

Evaluating your organizations’ CIP compliance readiness

Beginning on page 20 of the report is a section on findings from prior audits from 2017 - 2022. A review of the detailed findings from previous years gives additional insights on areas to review in evaluating your organization’s CIP compliance readiness in meeting the CIP standards and for potential future audits.

About Russ Hissom - Article Author

Russ Hissom, CPA is a principal of Utility Accounting & Rates Specialists a firm that provides power utilities rate, expert witness, and consulting services, and online/on-demand courses on accounting, rates, FERC/RUS construction accounting, financial analysis, and business process improvement services. Russ was a partner in a national accounting and consulting firm for 20 years. He works with electric investor-owned and public power utilities, electric cooperatives, broadband providers, and gas, water, and wastewater utilities. His goal is to share industry best practices to help your business perform effectively and efficiently and meet the challenges of the changing power and utilities industry.  

Find out more about Utility Accounting & Rates Specialists here, or you can reach Russ at russ.hissom@utilityeducation.com.

The material in this article is for informational purposes only and should not be taken as legal or accounting advice provided by Utility Accounting & Rates Specialists. You should seek formal advice on this topic from your accounting or legal advisor.