In a January 26, 2011 report, the U.S. Department of Energy Office of the Inspector General criticizes FERC’s handling of grid cybersecurity CIP standards.
The Office of the Inspector General (OIG) found:
However, even in situations where authority did exist, such as the authority to approve, remand, or direct changes to the CIP standards, the Commission had not always acted to ensure that cyber security standards were adequate. In addition, the Commission had not always effectively monitored how NERC and the regional entities assessed implementation of the cyber security standards.
OIG Report cover letter
Further:
We also found that the standards development and approval process was not timely, thereby limiting the usefulness of the standards in addressing emerging cyber security threats. Specifically, we noted that it took at least 41 months for the initial CIP standards to be developed, approved and fully implemented.
OIG Report page 3
Below is the Report’s summary of the findings in which the Inspector General criticizes FERC’s handling of grid cybersecurity Critical Infrastructure Protection (CIP) standards:
Although the Commission had taken steps to ensure CIP cyber security standards were developed and approved, our testing revealed that such standards did not always include controls commonly recommended for protecting critical information systems. In addition, the CIP standards implementation approach and schedule approved by the Commission were not adequate to ensure that systems-related risks to the Nation’s power grid were mitigated or addressed in a timely manner. In particular:
- Despite their importance to protecting the power grid, the CIP standards did not include a number of security controls commonly recommended for government and industry systems, including both administrative and mission-related systems. For instance, the standards did not include essential security requirements and effective practices such as defining what constituted critical assets and implementation of strong logical access controls. In certain cases, Commission officials noted that the lack of stringent requirements for defining critical assets contributed to significant under reporting of these assets. In addition, while we recognize that there are inherent delays associated with the current regulatory structure, we found that the timeliness of the standards development and approval process was also impacted because the Commission did not take advantage of existing authority. Delays ultimately limited the standards’ usefulness in facilitating responses to emerging threats. Without increased efficiency in this area, the Commission and the entities under its purview may not be able to develop and implement future standards in a timely manner to address emerging security threats; and,
- The Commission approved an implementation approach and schedule for the CIP standards that did not adequately consider risks to information systems. In particular, the Commission approved an approach whereby controls designed to mitigate higher risk threats were not required to be implemented before other controls related to documentation. For example, implementation of technical controls related to system access, patch management, and malware prevention were delayed, while documentation requirements such as reporting cyber security incidents and creating a recovery plan were given priority. While these controls must eventually be implemented, concentrating risk-based efforts on strong technical controls, rather than on creating documentation could have helped strengthen early implementation efforts. In addition, all entities were not required to comply with the CIP standards at the same time even though they may have encountered similar threats and the interconnectivity of the power grid, factors that could permit a breach at one entity to have a severe impact on other entities. As the Commission works toward approving updated standards in the future, it should ensure that those controls designed to address the most serious threats are given priority.
We found that these problems existed, in part, because the Commission had only limited authority to ensure adequate cyber security over the bulk electric system. While the Energy Policy Act established the Commission’s authority to approve, remand, or direct changes to proposed reliability standards, the Commission did not have the authority to implement its own reliability standards or mandatory alerts in response to emerging threats or vulnerabilities. However, even in situations where authority did exist, such as the authority to approve, remand, or direct changes to the CIP standards, the Commission had not always acted to ensure that cyber security standards were adequate. In addition, the Commission had not always effectively monitored how NERC and the regional entities assessed implementation of the cyber security standards.
Without improvements, the Commission may not be able to provide adequate oversight to ensure that cyber security vulnerabilities within the power grid are identified and mitigated. Notably, the Commission has participated in a number of reliability standards reviews at entities and continues to work with Congress to obtain authority appropriate for ensuring adequate cyber security over the bulk electric system. Additionally, the Commission has worked with NERC to establish mandatory standards, including providing NERC with numerous directives identifying ways to improve the standards. While these are positive steps, additional action is needed. As such, we have made several recommendations that, if fully implemented, should help improve the overall effectiveness of the Commission’s ability to monitor security over the Nation’s power grid.
