An interesting but somewhat confusing document was issued this week by the Dept of Energy, Audit Report: Federal Energy Regulatory Commission’s Monitoring of Power Grid Cyber Security. This audit, performed by the DoE Office of Inspector General, assesses FERC’s performance in the role given to it by Congress. It is not an assessment of the effectiveness of the NERC CIP standards in securing the bulk electric system, although comments on that topic bleed into the report.

While the report is somewhat negative about FERC’s performance, FERC will like the conclusions, because a major part of the report says FERC needs more authority to push NERC and the electric sector. Senate and House members have been asking in hearings whether FERC needs more authority, with a very clear nudge to say ‘yes, we need more authority’. Now FERC can take this report to Congress as an objective analysis of how to fix the disappointing results of CIP.

The report captured FERC’s limitations under current law: “Commission lacked the authority to develop or modify reliability standards – indicating that it can only approve or remand standards developed by NERC or direct changes to a standard as part of the approval process.”

The auditors and FERC disagreed a bit on whether FERC had used the authority it did have with enough force. The auditors pointed to several cases where they felt FERC fell short, and FERC responded that it wanted to see something in place as soon as possible because there were no cyber security requirements on the bulk electric system at all. These minor disagreements over the past will fade away as both the auditors and FERC arrive at the conclusion that Congress should give FERC more authority.

The auditors thought FERC should have prioritized certain controls, particularly technical controls, over others.

The Commission approved an implementation approach and schedule for the CIP standards that did not adequately consider risks to information systems. In particular, the Commission approved an approach whereby controls designed to mitigate higher risk threats were not required to be implemented before other controls related to documentation. For example, implementation of technical controls related to system access, patch management, and malware prevention were delayed, while documentation requirements such as reporting cyber security incidents and creating a recovery plan were given priority. While these controls must eventually be implemented, concentrating risk-based efforts on strong technical controls, rather than on creating documentation, could have helped strengthen early implementation efforts.

My guess is this is in response to all the complaints about the time and effort spent on documentation, but the auditors really miss the mark here for quite a few reasons. First, recovery from a cyber incident is one of the top priorities, especially since there are so many security deficiencies that can’t be addressed. If I had to rank ‘controls’, I would put recovery right after hardening the security perimeter. Second, the documentation is largely there to support audit, so is FERC saying they did not want the early controls to be auditable? They didn’t want a list of approved communications through the ESP and the reason for each? I would have supported less stringent audits and more of an assessment approach early on, but I’m in the minority on that, and FERC/USG is moving down the more specifics / less judgement path.

Third, the paragraph perpetuates the myth that technical security controls are more important than administrative security controls. The auditors are on the right path in that many of the documentation requirements were, and still are, inefficient and do not markedly help achieve or prove security. A better recommendation would be for FERC to instruct NERC to look at reducing the administrative burden of CIP, but again the wind is blowing in the other direction on this point.

Keep an eye on this FERC/NERC/CIP political issue even if you are not in the electric sector, because it could well affect other regulatory requirements from the USG. FERC should perhaps be careful here: right now it neither has the authority nor gets much of the blame. If the CIPs continue down the path of more specificity, there will be a lot of blame to pass around and FERC will get a larger share of it.