Grid Security Now!

Grid Security Now!

Michael Mabee – Author of The Civil Defense Book

Menu
  • Home
  • Library
    • Grid Security Library
      • Government Documents on Grid Security
      • OE-417 Electric Disturbance Events Database
      • CIP Violation Database
      • Grid Protection Posts
      • Video (EMP and Grid Security)
      • What is the Electric Grid and How is it Regulated?
    • Civil Defense Library
      • Civil Defense Posts
      • Video (Preparedness)
      • Civil Defense Checklists
  • Fund The Fight!
  • Take Action!
  • About Me
    • About Michael
    • My Book
    • Michael in the Press
    • Subscribe to Mike’s Blog
    • Interviews
    • My Friends
    • Contact Me
Menu
Inspector General Criticizes FERC

Inspector General Criticizes FERC on Cybersecurity

Posted on January 26, 2011March 17, 2019 by Michael Mabee
Share the knowledge...Tweet about this on Twitter
Twitter
Share on Facebook
Facebook
Share on LinkedIn
Linkedin
Pin on Pinterest
Pinterest
Share on Reddit
Reddit
Email this to someone
email
Print this page
Print

In a January 26, 2011 report, the U.S. Department of Energy Office of the Inspector General criticizes FERC’s handling of grid cybersecurity CIP standards.


Read Full Report HERE.

The Office of the Inspector General (OIG) found:

However, even in situations where authority did exist, such as the authority to approve, remand, or direct changes to the CIP standards, the Commission had not always acted to ensure that cyber security standards were adequate. In addition, the Commission had not always effectively monitored how NERC and the regional entities assessed implementation of the cyber security standards.

OIG Report cover letter

Further:

We also found that the standards development and approval process was not timely, thereby limiting the usefulness of the standards in addressing emerging cyber security threats. Specifically, we noted that it took at least 41 months for the initial CIP standards to be developed, approved and fully implemented.

OIG Report page 3

Below is the Report’s summary of the findings in which the Inspector General criticizes FERC’s handling of grid cybersecurity Critical Infrastructure Protection (CIP) standards:


Although the Commission had taken steps to ensure CIP cyber security standards were developed and approved, our testing revealed that such standards did not always include controls commonly recommended for protecting critical information systems. In addition, the CIP standards implementation approach and schedule approved by the Commission were not adequate to ensure that systems-related risks to the Nation’s power grid were mitigated or addressed in a timely manner. In particular:

  • Despite their importance to protecting the power grid, the CIP standards did not include a number of security controls commonly recommended for government and industry systems, including both administrative and mission-related systems. For instance, the standards did not include essential security requirements and effective practices such as defining what constituted critical assets and implementation of strong logical access controls. In certain cases, Commission officials noted that the lack of stringent requirements for defining critical assets contributed to significant under reporting of these assets. In addition, while we recognize that there are inherent delays associated with the current regulatory structure, we found that the timeliness of the standards development and approval process was also impacted because the Commission did not take advantage of existing authority. Delays ultimately limited the standards’ usefulness in facilitating responses to emerging threats. Without increased efficiency in this area, the Commission and the entities under its purview may not be able to develop and implement future standards in a timely manner to address emerging security threats; and,
  • The Commission approved an implementation approach and schedule for the CIP standards that did not adequately consider risks to information systems. In particular, the Commission approved an approach whereby controls designed to mitigate higher risk threats were not required to be implemented before other controls related to documentation. For example, implementation of technical controls related to system access, patch management, and malware prevention were delayed, while documentation requirements such as reporting cyber security incidents and creating a recovery plan were given priority. While these controls must eventually be implemented, concentrating risk-based efforts on strong technical controls, rather than on creating documentation could have helped strengthen early implementation efforts. In addition, all entities were not required to comply with the CIP standards at the same time even though they may have encountered similar threats and the interconnectivity of the power grid, factors that could permit a breach at one entity to have a severe impact on other entities. As the Commission works toward approving updated standards in the future, it should ensure that those controls designed to address the most serious threats are given priority.

We found that these problems existed, in part, because the Commission had only limited authority to ensure adequate cyber security over the bulk electric system. While the Energy Policy Act established the Commission’s authority to approve, remand, or direct changes to proposed reliability standards, the Commission did not have the authority to implement its own reliability standards or mandatory alerts in response to emerging threats or vulnerabilities. However, even in situations where authority did exist, such as the authority to approve, remand, or direct changes to the CIP standards, the Commission had not always acted to ensure that cyber security standards were adequate. In addition, the Commission had not always effectively monitored how NERC and the regional entities assessed implementation of the cyber security standards.

Without improvements, the Commission may not be able to provide adequate oversight to ensure that cyber security vulnerabilities within the power grid are identified and mitigated. Notably, the Commission has participated in a number of reliability standards reviews at entities and continues to work with Congress to obtain authority appropriate for ensuring adequate cyber security over the bulk electric system. Additionally, the Commission has worked with NERC to establish mandatory standards, including providing NERC with numerous directives identifying ways to improve the standards. While these are positive steps, additional action is needed. As such, we have made several recommendations that, if fully implemented, should help improve the overall effectiveness of the Commission’s ability to monitor security over the Nation’s power grid.


Inspector General Criticizes FERC
Share the knowledge...Tweet about this on Twitter
Twitter
Share on Facebook
Facebook
Share on LinkedIn
Linkedin
Pin on Pinterest
Pinterest
Share on Reddit
Reddit
Email this to someone
email
Print this page
Print

News

  • A Billion Reasons We Do Not Have Grid Security
  • Money Talks, Grid Security Walks
  • Critical Infrastructure Attacks Expose Regulatory Failures
  • Lawsuit: The Federal Government Must Secure The Grid
  • COVERUP UPDATE: CIP Violation Database and FOIAs
  • Securing America with Frank Gaffney: Threats to the Electric Grid
  • FERC: Who Will Be Responsible For All The Deaths If The Grid Goes Down?
  • Federal Energy Regulatory Commission Lays Down On The Job!
  • EMP Progress Report – A National Disgrace
  • EMP Ignorance Is Bliss – Dr. Peter Vincent Pry
  • China: EMP Threat – A New Report by Dr. Peter Pry
  • FERC Denies Grid Physical Security Complaint, BUT…
  • Secure the Grid Coalition Opposes Senate Bill S.3688
  • Electric Industry Lobbyist’s China Ties Questioned
  • Supply Chain Cybersecurity Complaint Filed with FERC
  • Executive Order 13920: Securing the United States Bulk-Power System
  • Electric Industry Wants to Defer Implementation of Cybersecurity
  • Electric Sector Protests Effective Grid Physical Security
  • Emergency Preparedness: Souhegan and Derry CERT
  • Coronavirus: Don’t Panic, Prepare!
  • New Hampshire Rep. David Testerman on Grid Physical Security
  • Former CIA Director James Woolsey on Grid Physical Security
  • Loopholes in Grid Physical Security Identified
  • FEMA’s Strategic Plan and the NDAA: A Perfect Fit
  • Greg Allison and Michael Mabee Talk Grid Security On YouTube
  • Complaint Filed About Inadequate Electric Grid Physical Security
  • Is the Tail Wagging The Dog in Grid Security?
  • Video: EMP Threat (KSNV News Las Vegas)
  • Why Thomas Popik should be a FERC Commissioner
  • “Wired for Greed: The Shocking Truth About America’s Electric Utilities”

Fund The Fight!


Subjects

Search Website

Subscribe for Updates!

Follow me on Twitter

Tweets by CivilDefenseBK

Click To Get Prepared!

The Civil Defense Book: Emergency Preparedness for a Rural or Suburban Community
The Civil Defense Book Get it now!

Subscribe for updates

Follow Me On Facebook

The Civil Defense Book

2 days ago

The Civil Defense Book
Kim Jong Un Offers a Rare Sneak Peek at North Korea’s Weapons Program: Leader says Pyongyang is developing military drones, a nuclear-powered submarine and surveillance satellites. apple.news/AEW8HnWOTS0Wk23aOI9fZ1g ...

Kim Jong Un Offers a Rare Sneak Peek at North Korea’s Weapons Program — The Wall Street Journal

apple.news

As President-elect Joe Biden prepares to take office, Kim Jong Un offered details on Pyongyang’s pipeline of military hardware during a rare Workers’ Party Congress meeting that ended this week.
View on Facebook
· Share

Share on Facebook Share on Twitter Share on Linked In Share by Email

The Civil Defense Book

2 days ago

The Civil Defense Book
Iranian missiles land within 20 miles of ship, 100 miles from Nimitz strike group in Indian Ocean: officialsapple.news/AS2qoJtG7R2ewr5C5T7qYyw ...

Iranian missiles land within 20 miles of ship, 100 miles from Nimitz strike group in Indian Ocean: officials — Fox News

apple.news

EXCLUSIVE: Long-range missiles from Iran splashed down dangerously close to a commercial ship in the Indian Ocean Saturday and 100 miles from the Nimitz aircraft carrier strike group, Fox News has learned, in the latest example of rising tensions in the region.
View on Facebook
· Share

Share on Facebook Share on Twitter Share on Linked In Share by Email

Fund The fight!


©2021 Grid Security Now! | Theme by SuperbThemes