The Federal Energy Regulatory Commission (“FERC”) issued a final rule (Order No. 887) directing the North American Electric Reliability Corporation (“NERC”) to develop new or modified Reliability Standards that require internal network security monitoring (“INSM”) within Critical Infrastructure Protection (“CIP”) networked environments. This Order may be of interest to entities that develop, implement, or maintain hardware or software for operational technologies associated with bulk electric systems (“BES”).
The forthcoming standards will only apply to certain high- and medium-impact BES Cyber Systems. The final rule also requires NERC to conduct a feasibility study for implementing similar standards across all other types of BES Cyber Systems. NERC must propose the new or modified standards within 15 months of the effective date of the final rule, which is 60 days after the date of publication in the Federal Register.
According to the FERC news release, the 2020 global supply chain attack involving the SolarWinds Orion software demonstrated how attackers can “bypass all network perimeter-based security controls traditionally used to identify malicious activity and compromise the networks of public and private organizations.” Thus, FERC determined that current CIP Reliability Standards focus on prevention of unauthorized access at the electronic security perimeter and that CIP-networked environments are thus vulnerable to attacks that bypass perimeter-based security controls. The new or modified Reliability Standards (“INSM Standards”) are intended to address this gap by requiring responsible entities to employ INSM in certain BES Cyber Systems. INSM is a subset of network security monitoring that enables continuing visibility over communications between networked devices that are in the so-called “trust zone,” a term which generally describes a discrete and secure computing environment. For purposes of the rule, the trust zone is any CIP-networked environment. In addition to continuous visibility, INSM facilitates the detection of malicious and anomalous network activity to identify and prevent attacks in progress. Examples provided by FERC of tools that may support INSM include anti-malware, intrusion detection systems, intrusion prevention systems, and firewalls.
New or Modified Reliability Standards
The INSM Standards will apply to all high-impact BES Cyber Systems and medium-impact BES Cyber Systems with external routable connectivity, defined as the ability to access a BES Cyber System from outside of its associated electronic security perimeter. FERC declined to set an implementation timeframe for the forthcoming standards and instead directed NERC to recommend an implementation period when it submits its proposal. Accordingly, the deadline for responsible entities to implement INSM could be years in the future.
Under the rule, the INSM Standards must:
- (1) Address the need for responsible entities to develop baselines of their network traffic inside their CIP-networked environment;
- (2) Address the need for responsible entities to monitor for and detect unauthorized activity, connections, devices, and software inside the CIP-networked environment; and
- (3) Require responsible entities to identify anomalous activity to a high level of confidence by:
- (a) Logging network traffic;
- (b) Maintaining logs and other data collected regarding network traffic; and
- (c) Implementing measures to minimize the likelihood of an attacker removing evidence of their tactics, techniques, and procedures from compromised devices.
Within 12 months of the final rule, NERC must also submit a report that studies the feasibility of implementing INSM within medium-impact BES Cyber Systems without external routable connectivity and all low-impact BES Cyber Systems, which are not subject to the INSM Standards.
FERC has emphasized that the commissioned feasibility study should include a determination of:
(1) The ongoing risk to the reliability and security of the Bulk-Power System posed by low and medium-impact BES Cyber Systems that will not be subject to the INSM Standards; and (2) The potential technological or other challenges involved in extending INSM to additional BES Cyber Systems, as well as possible alternative mitigating actions to address the risks posed.