The OIG audit found that cybersecurity standards approved by FERC did not include a number of cybersecurity controls recommended for government and industry systems. “For instance, the standards did not include essential security requirements and effective practices such as defining what constituted critical assets and implementation of strong logical access controls.”
Under the Federal Power Act, FERC is responsible for approving cybersecurity standards proposed by the North American Electric Reliability Corporation (NERC), a nonprofit industry body, as well as for monitoring implementation of the standards through NERC’s regional entities.
The audit warned that FERC’s implementation schedule was not timely and “ultimately limited the standards’ usefulness in facilitating responses to emerging threats.” The OIG faulted FERC for an implementation schedule that focused on preparing documentation rather than reducing risks to information systems. “For example, implementation of technical controls related to system access, patch management, and malware prevention were delayed, while documentation requirements such as reporting cybersecurity incidents and creating a recovery plan were given priority.”
The OIG concluded: “Without improvements, the Commission may not be able to provide adequate oversight to ensure that cybersecurity vulnerabilities within the power grid are identified and mitigated.”
In response to the audit, FERC said that the OIG’s criticism of its approval of deficient cybersecurity standards failed to recognize the commission’s limited authority in developing standards, which is the responsibility of NERC. In addition, FERC said that the OIG’s criticism of slow implementation of the standards did not take into account the “complexities inherent in imposing, for the first time, mandatory cybersecurity standards on the diverse entities that make up the users, owners, and operators of the bulk electric system.”
FERC called on Congress to grant it additional authority so that it could “quickly, comprehensively, and effectively respond to cybersecurity threats.”