Fri, Oct 01, 2021 02:15 PM

M-D100121-01 Cybersecurity Best Practices

NOTICE DATE: October 1, 2021

NOTICE TYPE: M-D100121-01 General

SHORT DESCRIPTION: Cybersecurity Best Practices

INTENDED AUDIENCE: All Market Participants

DAYS AFFECTED: October 1, 2021

LONG DESCRIPTION: In 2020, Nodal Protocol Revision Request (NPRR) 928, Cybersecurity Incident Notification, was implemented to establish Market Participant notification responsibilities with respect to Cybersecurity Incidents. ERCOT sponsored NPRR928 due to the increased risk of potential cybersecurity intrusions into systems and assets of the electric market and the need for increased measures to protect the reliability and integrity of the ERCOT System and market operations. While NPRR928 helps mitigate and prevent damage to ERCOT and Market Participant networks and systems, ERCOT issues this Notice to provide Market Participants with cybersecurity best practices for ensuring grid security.  ERCOT has implemented all of the below cybersecurity best practices.

Multi-Factor Authentication (MFA)

MFA is an electronic authentication process that grants access to a website or application after successfully providing at least two pieces of evidence/factors to the user. Market Participants should enable MFA on all remote connections (e.g., email, Virtual Private Network (VPN) connections), and other access systems that could provide an attacker an avenue into the Market Participant’s network or cloud instances. This measure will create an extra layer of security to help ensure that only authorized individuals can access a Market Participant’s systems.

System Updates and Backups

Market Participants should promptly update and patch systems when available—i.e., maintaining the security of operating systems, applications, and firmware, in a timely manner. Market Participants should also ensure that system backups and configurations are regularly tested and saved offline as hackers will attempt to encrypt backups during a ransomware attack.

Network Protection

Segmenting corporate networks can slow an attacker’s progress giving the Market Participant time to detect and respond to a Cybersecurity Incident. A Distributed Denial-of-Service (DDoS) attack occurs when an attacker sends enough network traffic to a corporate network that it impacts normal operations. DDoS attacks can occur on a customer payment portal, via email or other services necessary for the operation of the network/systems. Commercially available solutions to limit the impact of DDoS attacks are recommended. Furthermore, Market Participants should never utilize internet exposed network infrastructure for routing internal critical traffic.

Email Defenses/Domain-Based Message Authentication (DMARC)

Phishing email attacks have been a main vector of compromise over the past few years. Email filtering systems can help limit the number of unwanted emails delivering malware. ERCOT utilizes a DMARC practice to reject emails that do not past a verification test. DMARC is an email authentication/validation policy and reporting practice designed to detect and prevent the distribution of fraudulent or deceptive emails. Enabling a DMARC practice can help Market Participants control who can send emails on behalf of the Market Participant, and thereby prevent nefarious parties from utilizing a Market Participant’s domain. For more information regarding ERCOT’s implementation of a DMARC “reject” policy, see Market Notice M-A031419-01, ERCOT Implementation of a DMARC “Reject” Policy. ERCOT encourages Market Participants to adopt a DMARC practice to help protect their own domains and systems from fraudulent and/or deceptive emails. Market Participants can also visit the DMARC website for more information and to determine whether a particular domain uses a DMARC practice through the DMARC Inspector search tool.

System Backups

Ensure system backups and configurations are regularly tested and saved offline as hackers will attempt to also encrypt backups during a ransomware attack.

CONTACT: If you have any questions, please contact your ERCOT Account Manager. You may also call the general ERCOT Client Services phone number at (512) 248-3900 or contact ERCOT Client Services via email at

If you are receiving email from a public ERCOT distribution list that you no longer wish to receive, please follow this link in order to unsubscribe from this list: