FERC publishes final rule for integrating INSM requirements into CIP reliability standards

The Federal Energy Regulatory Commission (FERC) called upon the North American Electric Reliability Corporation (NERC) to develop new or modified Critical Infrastructure Protection (CIP) reliability standards that require internal network security monitoring (INSM) for CIP-networked environments. The move would affect high-impact bulk electric system (BES) cyber systems with and without external routable connectivity and medium-impact BES cyber systems with external routable connectivity.

The FERC wrote in its Final Rule published last week that it “directs NERC to submit a report within 12 months of issuance of this final rule that studies the feasibility of implementing INSM at all low impact BES Cyber Systems and medium impact BES Cyber Systems without external routable connectivity (i.e., BES Cyber Systems not subject to the new or revised Reliability Standards).”

“We find that, while the CIP Reliability Standards require monitoring of the electronic security perimeter and associated systems for high and medium impact BES Cyber Systems, the CIP-networked environment remains vulnerable to attacks that bypass network perimeter-based security controls traditionally used to identify the early phases of an attack,” the FERC said. “This presents a gap in the currently effective CIP Reliability Standards.” 

To address this gap, FERC directs NERC “to develop new or modified CIP Reliability Standards requiring INSM for all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity to ensure the detection of anomalous network activity indicative of an attack in progress. These provisions will increase the probability of early detection and allow for quicker mitigation and recovery from an attack,” it added.

INSM refers to a subset of network security monitoring that is applied within a ‘trust zone,’ such as an electronic security perimeter. For this rule, the trust zone applicable to INSM is the CIP-networked environment. INSM enables continuing visibility over communications between networked devices within a trust zone and detection of malicious activity that has circumvented perimeter controls. Further, INSM facilitates the detection of anomalous network activity indicative of an attack in progress, increasing the probability of early detection and allowing for quicker mitigation and recovery from an attack.

In the Final Rule, FERC directs NERC to develop new or modified CIP reliability standards that are forward-looking, objective-based, and address three security objectives that pertain to INSM. 

First, any new or modified CIP reliability standards should address the need for responsible entities to develop baselines of their network traffic inside their CIP-networked environment. Second, any new or modified CIP reliability standards should address the need for responsible entities to monitor for and detect unauthorized activity, connections, devices, and software inside the CIP-networked environment.

Thirdly, any new or modified CIP reliability standards should require responsible entities to identify anomalous activity to a high level of confidence by logging network traffic, maintaining logs and other data collected regarding network traffic, and implementing measures to minimize the likelihood of an attacker removing the evidence of their tactics, techniques, and procedures (TTPs) from compromised devices.

FERC said in the Final Rule that it believes ‘that a 15-month deadline provides sufficient time for NERC to develop responsive standard(s) within NERC’s standards development process.’

The deadline is within the range of ISO/RTO Council’s suggested one-to-two-year timeframe, the Final Rule said. “Regarding NERC’s request that the Commission not set a deadline, we believe that most of the complexities cited by NERC are resolved by our decision not to extend INSM in this final rule to low impact BES Cyber Systems and medium impact BES Cyber Systems without external routable connectivity,” it added.

Further, the Commission sought comment in the NOPR on the possible implementation of INSM to detect malicious activity in networks with low-impact BES cyber systems but did not propose to direct the development of reliability standards for INSM for low-impact BES cyber systems. 

“In this final rule, we direct NERC to conduct a study to support future Commission actions to extend INSM requirements to all low-impact BES Cyber Systems and medium-impact BES Cyber Systems without external routable connectivity,” FERC said. 

It specified that NERC should include in its study a determination of ongoing risk to the reliability and security of the bulk power systems posed by low and medium-impact BES cyber systems that would not be subject to the new or modified reliability standards, including the number of low and medium impact BES cyber systems not required to comply with the new or modified standard. 

FERC also addressed potential technological or other challenges involved in extending INSM to additional BES cyber systems, as well as possible alternative mitigating actions to address ongoing risks. “We believe that this information would provide the basis for further Commission action, as warranted, regarding INSM or alternatives. We direct NERC to file its study report with the Commission within 12 months of the issuance of this final rule,” the agency added.

Apart from publishing the full text of the document in the Federal Register, the FERC will provide interested persons with an opportunity to view and/or print the contents of this document via the Internet through the Commission’s Home Page. In the Final Rule, FERC said that “these regulations are effective [insert date 30 days from publication in Federal Register for non-major rules and 60 days from the later of the date Congress receives the agency notice or the date the rule is published in the Federal Register].”

Last January, the FERC initiated the process of strengthening its CIP reliability standards by requiring INSM for high- and medium-impact BES cyber systems. A Notice of Proposed Rulemaking (NOPR) sought feedback on all aspects of the proposed directive to develop and submit new or modified reliability standards for INSM for high- and medium-impact cyber systems. 

FERC disclosed in its Annual Report released last October that its staff found that most of the registered entities’ cybersecurity protection processes and procedures met the mandatory requirements of the CIP standards, though potential non-compliance and security risks remained. Non-public CIP audits of several U.S.-based NERC registered entities were completed, covering BES cyber assets and protected cyber assets within the BES cyber environment.
