Federal Review Finds Strengths & Weak Spots in Utility Cybersecurity Programs

Key Takeaways
  • Incident Reporting Requirements: FERC noted that attempted compromises must be reported to both E-ISAC and CISA under CIP-008-6, and some entities need clearer internal procedures to ensure this happens consistently.
  • Low Impact Cyber Systems: CIP-003-8 findings show that documentation and controls for Low Impact systems and transient cyber assets need more structure, even when the technical risk is lower.
  • Access Governance: Under CIP-004, several audits identified gaps in verifying, revoking, and aligning both physical and electronic access, including ensuring access to BCSI is based strictly on “need to know.”
  • Technical Control Maintenance: CIP-005, CIP-007, and CIP-010 observations point to the need for regular firewall rule reviews, strong remote access encryption, end-of-life asset mitigation, and consistent configuration change monitoring.
  • Repeatability Over Paper Compliance: Across the lessons, FERC emphasizes that having a policy is not enough. Controls must be applied the same way every time and supported by evidence that reflects real operational practice.
Deep Dive

The Federal Energy Regulatory Commission (FERC) has released an updated set of “Lessons Learned” from Commission-led audits of the Critical Infrastructure Protection (CIP) Reliability Standards, offering a clearer picture of where compliance programs are improving and where common gaps are still appearing across the electric sector.

The compiled lessons reflect several years of audit activity and cover a wide range of requirements, from incident reporting and access management to remote access controls, system recovery planning, and supply chain risk. While the technical areas vary, the audits continue to show that many challenges arise not from missing controls, but from how consistently those controls are implemented and documented across systems and teams.

One example appears in the handling of Cyber Security Incidents under CIP-008-6. In several cases, entities identified potential compromises but did not report them to both the Electricity Information Sharing and Analysis Center (E-ISAC) and the Cybersecurity and Infrastructure Security Agency (CISA), as required. FERC’s guidance emphasizes ensuring reporting procedures are clear, and that personnel know when attempted compromises meet the threshold for notification.

The audits also continue to highlight the treatment of Low Impact BES Cyber Systems under CIP-003-8. Some entities were advised to revisit how their policies and controls are documented and applied, particularly for transient devices and assets that move between environments. The takeaway is that “low impact” does not reduce the expectation for traceability and defined control practices.

Access control remains another area where gaps frequently appear. Under CIP-004, FERC noted instances where access to systems or BCSI was not consistently reviewed, revoked, or tied to demonstrated need. This includes ensuring that physical access systems, electronic access controls, and training and authorization records align—not just individually, but as a coordinated process.

On the technical side, lessons tied to CIP-005 and CIP-007 point to issues such as firewall rules that were either outdated or more permissive than intended, remote access that lacked sufficiently strong encryption, incomplete port and service hardening, and equipment that had reached end-of-support without a clear mitigation plan. These findings emphasize the operational side of CIP compliance, where controls need to be updated as environments evolve, not only when audits occur.

Additional lessons address recovery planning under CIP-009, configuration and baseline monitoring under CIP-010, protection and tracking of BCSI under CIP-011, and ongoing evaluation of vendor risks under CIP-013. In each case, FERC’s message is that procedures must reflect actual practice, and evidence should demonstrate that controls are carried out reliably and repeatably.

The release does not introduce new compliance expectations, but it provides a practical reference for entities reviewing their programs ahead of audits or internal assessments. The value of the compilation lies in showing the issues that arise most commonly across the industry and pointing to where additional clarity, documentation updates, or process alignment may help reduce compliance risk.
