FERC initiates process for integrating INSM requirements into CIP reliability standards

The Federal Energy Regulatory Commission (FERC) initiated on Thursday the process of strengthening its CIP reliability standards by requiring internal network security monitoring (INSM) for high- and medium-impact bulk electric system (BES) cyber systems. Currently, network security monitoring in the CIP (critical infrastructure protection) reliability standards focuses on preventing unauthorized access to BES cyber systems at the network perimeter.

The Notice of Proposed Rulemaking (NOPR) seeks comment on all aspects of the proposed directive to develop and submit new or modified reliability standards for INSM for high- and medium-impact cyber systems. Comments on the NOPR are due 60 days after publication in the Federal Register.

To close this gap and improve cybersecurity, the NOPR directs the North American Electric Reliability Corporation (NERC) to develop and submit new or modified reliability standards. Under the existing CIP reliability standards, network security monitoring is focused on defending the electronic security perimeter of networks; FERC is seeking to address the concern that those standards do not cover potential vulnerabilities of the internal network to cyber threats.

Integrating INSM requirements into the CIP reliability standards would help to ensure that utilities maintain visibility over communications in their protected networks, FERC said in a media statement. Doing so can help detect an attacker’s presence and movements and give the utility time to take action before an attacker can fully compromise the network. INSM also helps to improve vulnerability assessments and can speed recovery from an attack, it added.

“In my view, the FERC NOPR is further proof that NERC is not equipped to provide cybersecurity best practices to protect the entire Electric Grid and responsibility for cybersecurity protections guidance should come from our Nation’s cybersecurity experts at the Cybersecurity and Infrastructure Security Agency (CISA),” Dick Brooks, co-founder and lead software engineer at Reliable Energy Analytics, told Industrial Cyber. 

The NOPR will “not provide cybersecurity improvements because many entities already implement these cybersecurity best practices, such as anti-malware, but the FERC Order will increase the workload on entities subject to NERC compliance, because they will also have to meet all of the NERC compliance requirements, usually in the form of paperwork, in addition to managing cybersecurity,” Brooks added.  

The NERC standards development process requires a significant amount of time and effort, Brooks said. “It often takes 3 or more years to develop NERC CIP standards and have them become effective in grid operations. Additionally, the NERC Standards Development Teams already have a lot on their plate, so it could be several months or even a year before the resources will free up to focus on this work,” he added. 

INSM consists of three stages, collection, detection, and analysis, that taken together provide the benefit of early detection and alerting of intrusions and malicious activity. Tools used for INSM include anti-malware, intrusion detection systems, intrusion prevention systems, and firewalls; these tools are multipurpose and can be used for collection, detection, and analysis. Including INSM requirements in the CIP reliability standards, as the draft NOPR proposes, would complement existing perimeter requirements for high- and medium-impact BES cyber systems by improving the visibility of communications inside the network, FERC said.

Internal network security monitoring increases the chance of early detection of malicious activity, which in turn allows for quicker mitigation and recovery from an attack. In addition to improved incident response capabilities and situational awareness, internal network security monitoring also contributes to better vulnerability assessments within an electronic security perimeter, which support an entity’s cybersecurity defenses and could reduce the impact of cyberattacks, the federal agency added.

“In addition to early detection, INSM is critical for identifying malicious activities at the later stages of cybersecurity attacks,” FERC said in a supporting document. “Absent INSM, an entity may not be alerted if an adversary establishes a command and control communication channel that interacts with the compromised system on a regular basis,” it added.

CISA and the National Institute of Standards and Technology (NIST) have recommended detailed cybersecurity practices that include elements of INSM, such as conducting network baseline analysis on control systems and networks to understand approved communication flows, and monitoring control systems for malicious activity.
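To make the two ideas above concrete, the regular command-and-control interaction FERC describes and the network-baseline analysis CISA and NIST recommend, here is an added example of the collection-detection-analysis loop over flow records. It is illustration written for this page, not code from FERC, NERC, CISA or NIST, and all of the flow records (an HMI polling a PLC and an RTU, an engineering workstation contacting an outside host) are constructed; the IP addresses, ports and thresholds are assumptions chosen for the example.

```python
"""Minimal INSM-style analysis over flow records (added example, constructed data).

Stage 1 (collection): flow records from a clean learning window and a monitoring window.
Stage 2 (detection):  flag flows absent from the learned baseline of approved communications.
Stage 3 (analysis):   among the unapproved flows, report those recurring at a steady
                      interval, the "regular basis" pattern of a C2 channel.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning-window records: (unix_seconds, src_ip, dst_ip, dst_port).
# An HMI polls a PLC over Modbus/TCP every 60 s and an RTU over DNP3 every 120 s.
BASELINE_FLOWS = (
    [(t, "10.10.1.5", "10.10.1.20", 502) for t in range(0, 3600, 60)]
    + [(t, "10.10.1.5", "10.10.1.30", 20000) for t in range(0, 3600, 120)]
)

# Constructed monitoring-window records: the same polling, plus an engineering
# workstation reaching an external host about every 300 s (with small jitter),
# and one unexpected Modbus session from that workstation to the PLC.
MONITOR_FLOWS = (
    [(t, "10.10.1.5", "10.10.1.20", 502) for t in range(3600, 7200, 60)]
    + [(t, "10.10.1.5", "10.10.1.30", 20000) for t in range(3600, 7200, 120)]
    + [(3600 + 300 * i + jitter, "10.10.1.7", "203.0.113.10", 443)
       for i, jitter in enumerate([0, 3, -2, 1, 4, -1, 2, 0])]
    + [(5000, "10.10.1.7", "10.10.1.20", 502)]
)


def flow_key(rec):
    """Identity of a communication flow, ignoring time: (src, dst, dst_port)."""
    _, src, dst, port = rec
    return (src, dst, port)


def build_baseline(flows):
    """Approved communication set learned from a window believed to be clean."""
    return {flow_key(r) for r in flows}


def find_unapproved(flows, baseline):
    """Map each flow not in the baseline to the sorted timestamps it was seen at."""
    by_flow = defaultdict(list)
    for r in flows:
        k = flow_key(r)
        if k not in baseline:
            by_flow[k].append(r[0])
    return {k: sorted(ts) for k, ts in by_flow.items()}


def beacon_score(timestamps):
    """Return (count, mean gap, coefficient of variation of the gaps).

    A low coefficient of variation means the connections arrive on a steady schedule.
    """
    if len(timestamps) < 2:
        return (len(timestamps), 0.0, float("inf"))
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else float("inf")
    return (len(timestamps), m, cv)


def detect_beacons(unapproved, min_count=5, max_cv=0.1):
    """Among unapproved flows, report those that recur at a steady interval."""
    hits = {}
    for k, ts in unapproved.items():
        n, m, cv = beacon_score(ts)
        if n >= min_count and cv <= max_cv:
            hits[k] = {"count": n, "mean_interval_s": round(m, 1), "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    new_flows = find_unapproved(MONITOR_FLOWS, baseline)
    for k, ts in new_flows.items():
        print("unapproved flow", k, "seen", len(ts), "times")
    for k, info in detect_beacons(new_flows).items():
        print("beacon-like", k, info)
```

Two design points matter for control-system networks. Periodicity alone is a poor signal there, because polling traffic is periodic by nature; the example therefore only scores regularity on flows that are already outside the approved baseline, which is why the HMI's Modbus and DNP3 polling never reaches the beacon check. And a single unapproved flow (the workstation's one-off Modbus session) is still reported, since a new communication path inside the electronic security perimeter is worth a look even when it is not regular.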

The siloed approach to cybersecurity used by FERC/NERC is leaving the nation’s electric grid vulnerable, Brooks pointed out. “Let’s put our best foot forward on cybersecurity and put the experts at CISA in charge! Let NERC focus on what it does best, grid operation and planning for reliability.”

He also proposed that CISA work directly with the NERC regional entities to provide guidance and support for CISA’s cybersecurity best practices. “Eliminate all of the extraneous and wasted labor we call ‘NERC CIP COMPLIANCE’ and replace it with harsh financial penalties on any entity that suffers a cybersecurity breach from failing to follow CISA best practices. This would incentivize real security measures to be taken, instead of wasting resources producing compliance paperwork,” Brooks added.

While centered on high and medium-impact BES cyber systems, the draft NOPR also seeks comments on the potential usefulness and practicality of implementing internal network security monitoring to detect malicious activity in networks with low-impact BES cyber systems, including any potential benefits, technical barriers, and associated costs. Among other specific questions, the draft NOPR seeks comment on possible criteria or methodologies for identifying an appropriate subset of low-impact BES cyber systems that could benefit from internal network security monitoring.
