The North American Electric Reliability Corporation (NERC) and the six Regional Entities (collectively the ERO Enterprise) have identified four risk themes that have made it difficult for some entities to mitigate risks associated with the NERC Critical Infrastructure Protection (“CIP”) Reliability Standards. To communicate these themes and possible resolutions to them, the ERO Enterprise developed the 2024 Critical Infrastructure Protection Themes and Lessons Learned report.
While industry excels at many aspects of cyber security, the intention of this report is to outline areas for improvement with the goal of driving continued progress toward our shared mission of ensuring a reliable power system.
The themes identified in this report are:
- Latent vulnerabilities: The importance of internal detective controls
- Insufficient commitment to low impact CIP programs: The need to revisit approaches to CIP-003 R2
- Shortages of labor and skillsets: Challenges in workforce and succession planning
- Performance drift: Physical security issues as markers of performance drift and apathy
The ERO Enterprise noted these themes through its compliance monitoring, enforcement, outreach, and other activities. Each of these themes is explored in more detail in the report, including suggestions to better address underlying issues and mitigate cyber security risks to the Bulk Electric System.
This report is the third installment of “CIP Themes and Lessons Learned,” with prior iterations having been released in 2015 and 2018.
The full report is available here.
To watch a recording of the June 2024 Technical Talk with RF presentation previewing the report’s findings, click here.
###
About the ERO Enterprise:
The ERO Enterprise encompasses six regional organizations, including the Midwest Reliability Organization (MRO), the Northeast Power Coordinating Council (NPCC), ReliabilityFirst Corporation (RF), SERC Reliability Corporation (SERC), Texas Reliability Entity (Texas RE), and the Western Electricity Coordinating Council (WECC). NERC provides industry-wide perspective and oversight, and the Regional Entities have unique features and activities that serve the needs of their regional constituents while ensuring that industry follows NERC Reliability Standards. The ERO Enterprise is committed to its collective success in achieving its vision of a highly reliable and secure North American Bulk Power System. For more information, see the NERC website.