Speaking Energy

On January 19, 2023, the Federal Energy Regulatory Commission (FERC or the “Commission”) issued a Final Rule directing the North American Electric Reliability Corporation (NERC) to file for FERC review new or modified Reliability Standards that require internal network security monitoring (INSM) within trusted Critical Infrastructure Protection (CIP) network environments for certain Bulk Electric System (BES) Cyber Systems.¹ The Final Rule, as we described here when first proposed, targets a gap in the current NERC CIP Reliability Standards. Specifically, its main goal is to ensure that registered entities adopt INSM capable of addressing “situations where vendors or individuals with authorized access are considered secure and trustworthy but could still introduce a cybersecurity risk, as well as other attack vectors that can exploit this gap,”² and to “increase the probability of early detection and allow for quicker mitigation and recovery from an attack.”³ Such was the style of the SolarWinds attack in 2020,⁴ which FERC said shows “how an attacker can bypass all network perimeter-based security controls traditionally used to identify the early phases of an attack” by leveraging the technology of a trusted vendor.⁵