Under the current NERC CIP Reliability Standards, network security monitoring requirements focus on “defending the electronic security perimeter”—such as through access point controls and monitoring for malicious communications—rather than on “potential vulnerabilities of the internal network.” Adding INSM requirements is “designed to address situations where perimeter network defenses are breached by providing the earliest possible alerting and detection of intrusions and malicious activity within a trust zone.” Early detection and response could, in turn, “reduce[] the likelihood that an attacker can gain a strong foothold and potential command and control, including operational control, on the target system.” INSM can also enable “collection of data and analysis required to implement a defense strategy, improves an entity’s incident investigation capabilities, and increases the likelihood that an entity can better protect itself from a future cyberattack and address any security gaps the attacker was able to exploit.”
FERC provides several objectives for NERC to address, noting that any new or modified CIP Reliability Standards should require covered entities to:
- “[D]evelop a baseline for their network traffic by analyzing expected network traffic and data flows for security purposes.”
- “[M]onitor for and detect unauthorized activity, connections, devices, and software inside the CIP networked environment (i.e., trust zone).”
- “[L]og and packet capture network traffic; . . . maintain sufficient records to support incident investigation . . . ; and . . . implement measures to minimize the likelihood of an attacker removing evidence of their Tactics, Techniques, and Procedures . . . from compromised devices.”
FERC seeks comment on “all aspects of the proposed directive,” including on: “(1) what are the potential challenges to implementing INSM (e.g., cost, availability of specialized resources, and documenting compliance); (2) what capabilities (e.g., software, hardware, staff, and services) are appropriate for INSM to meet [FERC’s] security objectives . . . ; (3) [whether FERC’s security objectives] for INSM [are] necessary and sufficient and, if not sufficient, what are other pertinent objectives that would support the goal of a having responsible entities successfully implement INSM; and (4) what is a reasonable timeframe for expeditiously developing and implementing Reliability Standards for INSM given the importance of addressing [the] reliability gap?” Finally, FERC welcomes comments on “the usefulness and practicality of implementing INSM to detect malicious activity in networks with low impact BES Cyber Systems, including any potential benefits, technical barriers and associated costs.”
The proposal shows that BES reliability and cybersecurity continue to be high priorities for FERC. Indeed, Chairman Richard Glick noted during FERC’s January meeting that it must continue to be vigilant against cyber threats. Commissioner James Danly highlighted FERC’s keen awareness of the risk and his appreciation for the unanimous vote to approve the proposal. Commissioner Allison Clements described the proposal as a “step in the right direction” and expressed her hope that NERC will move quickly to develop the Reliability Standards for FERC’s consideration. Commissioner Mark C. Christie voted for, but did not comment on, the proposal. Finally, new Commissioner Willie L. Phillips recognized that several steps remain before realization of the proposal’s purpose—including reviewing, analyzing and acting on any comments—and shared his hope that NERC will find a way to “expedite” its process to enable implementation of INSM standards as soon as possible.
FERC’s next action in this matter could come as soon as April or May 2022, but could take longer. It also is uncertain how long FERC will give NERC to file its proposed Reliability Standards if FERC ultimately directs it to do so in a Final Rule. Accordingly, any mandatory, enforceable rules likely are at least months away.
1 NERC’s CIP Reliability Standards currently in effect set forth criteria “to categorize BES Cyber Systems as high, medium, or low depending on the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES.” The designated impact level then “determines the applicability of security controls for BES Cyber Systems that are contained in the remaining CIP Reliability Standards” as they currently exist.