Grid Security Now!

Michael Mabee – Author of The Civil Defense Book

Inspector General Criticizes FERC on Cybersecurity

Posted on January 26, 2011 (updated March 17, 2019) by Michael Mabee

In a January 26, 2011 report, the U.S. Department of Energy Office of the Inspector General criticizes FERC’s handling of grid cybersecurity CIP standards.


Read Full Report HERE.

The Office of the Inspector General (OIG) found:

However, even in situations where authority did exist, such as the authority to approve, remand, or direct changes to the CIP standards, the Commission had not always acted to ensure that cyber security standards were adequate. In addition, the Commission had not always effectively monitored how NERC and the regional entities assessed implementation of the cyber security standards.

OIG Report cover letter

Further:

We also found that the standards development and approval process was not timely, thereby limiting the usefulness of the standards in addressing emerging cyber security threats. Specifically, we noted that it took at least 41 months for the initial CIP standards to be developed, approved and fully implemented.

OIG Report page 3

Below is the Report’s summary of the findings in which the Inspector General criticizes FERC’s handling of grid cybersecurity Critical Infrastructure Protection (CIP) standards:


Although the Commission had taken steps to ensure CIP cyber security standards were developed and approved, our testing revealed that such standards did not always include controls commonly recommended for protecting critical information systems. In addition, the CIP standards implementation approach and schedule approved by the Commission were not adequate to ensure that systems-related risks to the Nation’s power grid were mitigated or addressed in a timely manner. In particular:

  • Despite their importance to protecting the power grid, the CIP standards did not include a number of security controls commonly recommended for government and industry systems, including both administrative and mission-related systems. For instance, the standards did not include essential security requirements and effective practices such as defining what constituted critical assets and implementation of strong logical access controls. In certain cases, Commission officials noted that the lack of stringent requirements for defining critical assets contributed to significant underreporting of these assets. In addition, while we recognize that there are inherent delays associated with the current regulatory structure, we found that the timeliness of the standards development and approval process was also impacted because the Commission did not take advantage of existing authority. Delays ultimately limited the standards’ usefulness in facilitating responses to emerging threats. Without increased efficiency in this area, the Commission and the entities under its purview may not be able to develop and implement future standards in a timely manner to address emerging security threats; and,
  • The Commission approved an implementation approach and schedule for the CIP standards that did not adequately consider risks to information systems. In particular, the Commission approved an approach whereby controls designed to mitigate higher risk threats were not required to be implemented before other controls related to documentation. For example, implementation of technical controls related to system access, patch management, and malware prevention were delayed, while documentation requirements such as reporting cyber security incidents and creating a recovery plan were given priority. While these controls must eventually be implemented, concentrating risk-based efforts on strong technical controls, rather than on creating documentation could have helped strengthen early implementation efforts. In addition, all entities were not required to comply with the CIP standards at the same time even though they may have encountered similar threats and the interconnectivity of the power grid, factors that could permit a breach at one entity to have a severe impact on other entities. As the Commission works toward approving updated standards in the future, it should ensure that those controls designed to address the most serious threats are given priority.

We found that these problems existed, in part, because the Commission had only limited authority to ensure adequate cyber security over the bulk electric system. While the Energy Policy Act established the Commission’s authority to approve, remand, or direct changes to proposed reliability standards, the Commission did not have the authority to implement its own reliability standards or mandatory alerts in response to emerging threats or vulnerabilities. However, even in situations where authority did exist, such as the authority to approve, remand, or direct changes to the CIP standards, the Commission had not always acted to ensure that cyber security standards were adequate. In addition, the Commission had not always effectively monitored how NERC and the regional entities assessed implementation of the cyber security standards.

Without improvements, the Commission may not be able to provide adequate oversight to ensure that cyber security vulnerabilities within the power grid are identified and mitigated. Notably, the Commission has participated in a number of reliability standards reviews at entities and continues to work with Congress to obtain authority appropriate for ensuring adequate cyber security over the bulk electric system. Additionally, the Commission has worked with NERC to establish mandatory standards, including providing NERC with numerous directives identifying ways to improve the standards. While these are positive steps, additional action is needed. As such, we have made several recommendations that, if fully implemented, should help improve the overall effectiveness of the Commission’s ability to monitor security over the Nation’s power grid.

©2023 Grid Security Now!