Cyber Incident Response & Recovery Best Practices

by Sean Thompson, NERC Services Supervisor

Staff of the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) on September 14, 2020 published a report on cyber planning for response and recovery that outlines best practices for the electric utility industry. The joint staffs of FERC and NERC, and the NERC Regional Entities, developed the report after interviewing subject matter experts from eight electric utilities of varying size and function. The report includes observations on their defensive capabilities and on the effectiveness of their Incident Response and Recovery (IRR) plans. It identifies common elements among the IRR plans as well as best practices, finding that effective IRR plans:

  • Contain well-defined personnel roles, promote accountability and empower personnel to act without unnecessary delays, and use supporting technology and automated tools while recognizing the importance of human performance;
  • Require well-trained personnel who are constantly updating their skills and incorporate lessons learned from past incidents or tests;
  • Use baselining so personnel can detect significant deviations from normal operations, and flowcharts or decision trees to determine quickly when the utility reaches a predefined risk threshold and a suspicious set of circumstances qualifies as an event;
  • Remove all external connections when the plan is activated, consider the possibility that a containment strategy may trigger predefined destructive actions by the malware, and employ evidence collection and continued analysis to determine whether an event indicates a larger compromise;
  • Consider the resource implications of incident responses of indeterminate length; and
  • Implement lessons learned from previous incidents and simulated activities.

The report concludes that effective IRR plans are important resources for addressing cyber threats: such plans should be in place, and response teams should be prepared to detect, contain, and, when appropriate, eradicate cyber threats before they can harm utility operations.

The report can be found at: https://naes.news/Cyber-Response-Report