On January 20, 2022, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NOPR)1 directing the North American Electric Reliability Corporation (NERC) to develop new or modified standards that would require registered entities to implement internal network security monitoring (INSM) to protect high and medium impact Bulk Electric System (BES) Cyber Systems.2
As defined by FERC, INSM3 is a subset of network security monitoring that is applied within a "trust zone,"4 such as an Electronic Security Perimeter (ESP).5 INSM is intended to provide an additional layer of protection: by monitoring communications within a trust zone, it allows malicious activity to be detected even after perimeter network defenses have been breached. The operational awareness obtained from INSM should enable responsible entities to mitigate malicious activity in the early stages of an attack.
FERC noted that, while the currently effective CIP Reliability Standards include a broad set of cybersecurity protections, they do not require INSM. Instead, the current CIP Reliability Standards focus on network perimeter defense. The focus on perimeter defense and lack of attention to internal network monitoring represents a potential gap in cybersecurity and thus presents a threat to the reliability of the BES.6
Of particular concern to FERC is the threat of an attacker gaining access to a trust zone undetected and communicating freely between devices. If such an attack were to occur, malicious actors could access control systems, e.g., Supervisory Control and Data Acquisition (SCADA) systems, and operate equipment to initiate malicious operations. For example, circuit breakers could be operated to drop generating resources or load, and cause BES instability or uncontrolled separation.7
In proposing to direct NERC to eliminate this gap, FERC observes that INSM:
- Could better position an entity to detect malicious activity that has circumvented perimeter controls and to stop the attack in its early phases;
- Can also be used to record network traffic for analysis, providing a baseline that an entity can use to better detect malicious activity, to facilitate timely recovery, and to perform post-incident analysis of the intrusion and further mitigation;
- May improve incident response by providing higher-quality data about the extent of the attack internal to a trust zone; and
- Allows an entity to conduct an internal assessment and to prioritize improvements based on the entity's risk profile.
Additionally, FERC noted that its proposal to direct NERC to add an INSM requirement to the existing reliability standards is consistent with Executive Order No. 14,028,8 which calls for employing a "zero trust" cybersecurity approach, and the objectives of President Biden's July 2021 Cybersecurity Initiative,9 which targets deployment of control system security technologies in the electricity and other critical sectors. In sum, FERC believes that requiring entities to implement INSM "will improve visibility and awareness of communication between networked devices and between devices internal to trust zones (i.e., ESPs), and increase the probability of detecting and mitigating malicious activity in the early stages of an attack."10
In providing further direction to NERC and the industry, FERC observed that the new or modified reliability standards should be tailored to achieve three security objectives:
- 1. Address the need for each responsible entity to develop a baseline of its traffic by analyzing expected network traffic and data flows for security purposes;
- 2. Address the need for responsible entities to monitor and detect unauthorized activity, connections, devices, and software inside the CIP networked environment (i.e., the trust zone); and
- 3. Require responsible entities to: (a) log and packet capture11 network traffic; (b) maintain sufficient records to support incident investigation; and (c) implement measures to minimize the likelihood of an attacker removing evidence of their tactics, techniques, and procedures (TTPs)12 from compromised devices.
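The first two objectives above describe a baseline-then-detect workflow: learn what communication inside the trust zone normally looks like, then flag what departs from it. The following Python is an added example written for this page to make that workflow concrete; it is not code from the article, from FERC or NERC, or from any INSM product. The flow records, addresses, and device roles are constructed for illustration (the field names loosely mimic Zeek's conn.log, but no real capture is used), and a production deployment would learn its baseline from weeks of vetted traffic rather than a handful of records.

```python
"""Flow-baseline check in the spirit of FERC's first two INSM objectives.

Added example, not part of the DWT article or of any FERC/NERC material.
A baseline of expected (source, destination, port, protocol) flows is
learned from a vetted window; a later window is then checked for unknown
devices, new peer pairs, new services, and sources that talk to more
peers than they used to (a lateral-movement or scanning signal).
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One observed connection (constructed; field names mimic Zeek conn.log)."""
    ts: float
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass
class Baseline:
    devices: set = field(default_factory=set)   # addresses seen in the zone
    peers: set = field(default_factory=set)     # (src, dst) pairs
    services: set = field(default_factory=set)  # (dst, dport, proto)
    tuples: set = field(default_factory=set)    # (src, dst, dport, proto)
    fanout: dict = field(default_factory=dict)  # src -> distinct dsts seen


def build_baseline(flows):
    """Learn expected traffic from a window the operator has vetted."""
    b = Baseline()
    dsts_per_src = defaultdict(set)
    for f in flows:
        b.devices.update((f.src, f.dst))
        b.peers.add((f.src, f.dst))
        b.services.add((f.dst, f.dport, f.proto))
        b.tuples.add((f.src, f.dst, f.dport, f.proto))
        dsts_per_src[f.src].add(f.dst)
    b.fanout = {s: len(d) for s, d in dsts_per_src.items()}
    return b


def check_flows(flows, baseline):
    """Return ([(flow, reasons), ...], {src: distinct_dsts}) for flows outside
    the baseline and for known sources whose peer count grew."""
    findings = []
    dsts_per_src = defaultdict(set)
    for f in flows:
        dsts_per_src[f.src].add(f.dst)
        if (f.src, f.dst, f.dport, f.proto) in baseline.tuples:
            continue  # exactly this flow was seen during learning
        reasons = []
        if f.src not in baseline.devices:
            reasons.append("unknown source device")
        if f.dst not in baseline.devices:
            reasons.append("unknown destination device")
        if (f.src, f.dst) not in baseline.peers:
            reasons.append("new peer pair")
        if (f.dst, f.dport, f.proto) not in baseline.services:
            reasons.append(f"new service {f.proto}/{f.dport} on {f.dst}")
        if not reasons:
            reasons.append("known peer and service, but not previously used by this source")
        findings.append((f, reasons))
    fanout_alerts = {
        src: len(dsts) for src, dsts in dsts_per_src.items()
        if src in baseline.fanout and len(dsts) > baseline.fanout[src]
    }
    return findings, fanout_alerts


# Constructed learning window: an HMI polls a PLC over Modbus/TCP, an
# engineering workstation (EWS) talks EtherNet/IP to the same PLC, both
# write to a historian, and the PLC syncs time. Addresses are invented.
HMI, EWS, PLC, HIST = "10.1.0.10", "10.1.0.11", "10.1.0.20", "10.1.0.30"
LEARNING = [
    Flow(1.0, HMI, PLC, 502, "tcp"),
    Flow(2.0, HMI, PLC, 502, "tcp"),
    Flow(3.0, EWS, PLC, 44818, "tcp"),
    Flow(4.0, HMI, HIST, 1433, "tcp"),
    Flow(5.0, EWS, HIST, 1433, "tcp"),
    Flow(6.0, PLC, HIST, 123, "udp"),
]

# Constructed monitoring window: normal traffic plus an unknown host inside
# the zone, SSH from the HMI to the PLC, the EWS issuing Modbus directly,
# and the HMI reaching a device never seen before.
ROGUE = "10.1.0.99"
MONITORED = [
    Flow(10.0, HMI, PLC, 502, "tcp"),
    Flow(11.0, PLC, HIST, 123, "udp"),
    Flow(12.0, ROGUE, PLC, 502, "tcp"),
    Flow(12.5, ROGUE, HIST, 1433, "tcp"),
    Flow(13.0, HMI, PLC, 22, "tcp"),
    Flow(14.0, EWS, PLC, 502, "tcp"),
    Flow(15.0, HMI, "10.1.0.21", 502, "tcp"),
    Flow(15.5, HMI, HIST, 1433, "tcp"),
]


def run_example():
    return check_flows(MONITORED, build_baseline(LEARNING))


if __name__ == "__main__":
    findings, fanout = run_example()
    for f, reasons in findings:
        print(f"{f.ts:>5} {f.src} -> {f.dst}:{f.dport}/{f.proto}: " + "; ".join(reasons))
    for src, n in fanout.items():
        print(f"{src} now talks to {n} distinct peers (above its learned fan-out)")
```

The four reason strings map onto objective 2's "unauthorized activity, connections, devices, and software": an unknown address is a device finding, a new peer pair or fan-out increase is a connection finding, and a new service on a known host is the closest a flow-level monitor gets to a software finding. Note what this check cannot see: an attacker who reuses an existing peer pair and service (for instance, issuing Modbus writes from a compromised HMI that already polls the PLC) stays inside the baseline, which is why objective 3's packet capture matters for distinguishing legitimate from malicious use of an expected flow.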
In addition to seeking comments on all aspects of the proposed directive, including the security objectives mentioned above, FERC seeks comments on:
- 1. What are the potential challenges to implementing INSM (e.g., cost, availability of specialized resources, and documenting compliance);
- 2. What capabilities, e.g., software, hardware, staff, and services, are appropriate for INSM to meet the security objectives described above;
- 3. Are the security objectives described above necessary and sufficient to support the goal of having responsible entities successfully implement INSM, or are there other pertinent objectives that could support that goal; and
- 4. What is a reasonable timeframe for expeditiously developing and implementing reliability standards for INSM given the importance of addressing this reliability gap?
While its NOPR is centered on high and medium impact BES Cyber Systems, FERC also seeks comment on the practicality of implementing INSM to detect malicious activity in low impact BES Cyber Systems:
- Do the same risks, e.g., escalating privileges, executing unauthorized code, etc., associated with high and medium impact BES Cyber Systems, apply to low impact BES Cyber Systems;
- The possible criteria or methodology for identifying an appropriate subset of low impact BES Cyber Systems that could benefit from INSM;
- The potential benefits and drawbacks of defining a subset of low impact BES Cyber Systems, e.g., would focusing resources on the low impact assets with a more significant risk profile improve the entity's risk profile; and
- Does it make sense to require INSM for low impact BES Cyber Systems when there are no requirements for monitoring communications at the ESP for such systems, or would ESP and INSM be appropriate for low impact BES Cyber Systems?
The potential ramifications of this NOPR for responsible entities are significant from a compliance standpoint. Although there is little debate regarding the very real risk of cyberattack faced by U.S. energy infrastructure, there are many practical technical and implementation issues that must be considered and addressed at the outset of this standard development process. The failure to do so not only threatens the reliability of the BES, but places responsible entities at risk for excessive additional compliance costs and significant civil penalties.
Comments on the NOPR are due 60 days after it is published in the Federal Register. The energy team at DWT actively tracks the evolution of NERC Reliability Standards and reliability issues more broadly. Questions can be directed to any member of DWT's energy practice group.
1 Internal Network Security Monitoring for High and Medium Impact Bulk Electric System Cyber Systems, Notice of Proposed Rulemaking, 178 FERC ¶ 61,038 (2022) (NOPR).
2 Reliability Standard CIP-002-5.1a (BES Cyber System Categorization) sets forth criteria that registered entities apply to categorize BES Cyber Systems as high, medium, or low depending on the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. The impact level (i.e., high, medium, or low) of BES Cyber Systems, in turn, determines the applicability of security controls for BES Cyber Systems that are contained in the remaining CIP Reliability Standards (i.e., Reliability Standards CIP-003-8 to CIP-013-1).
3 INSM tools include anti-malware, intrusion detection systems, intrusion prevention systems, and firewalls.
4 A trust zone is defined as a "discrete computing environment designated for information processing, storage, and/or transmission that share the rigor or robustness of the applicable security capabilities necessary to protect the traffic transiting in and out of a zone and/or the information within the zone." U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA), Trusted Internet Connections 3.0: Reference Architecture, at 2 (July 2020), https://www.cisa.gov/sites/default/files/publications/CISA_TIC%203.0%20Vol.%202%20Reference%20Architecture.pdf.
5 An ESP is defined in the NERC Glossary of Terms as "the logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol." NERC, Glossary of Terms Used in NERC Reliability Standards (June 28, 2021), https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf
6 NOPR at para. 14.
7 NOPR at para. 21.
8 Executive Order No. 14,028, 86 FR 26633 (May 12, 2021), https://www.govinfo.gov/content/pkg/FR-2021-05-17/pdf/2021-10460.pdf.
9 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, Section 2 (Industrial Control Systems Cybersecurity Initiative) (July 28, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/ (National Security Memorandum). See also The White House, Fact Sheet: Biden Administration Announces Further Actions to Protect U.S. Critical Infrastructure (July 28, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/fact-sheet-biden-administration-announces-further-actions-to-protect-u-s-critical-infrastructure/ (The White House July 28, 2021, Fact Sheet).
10 NOPR at para. 14.
11 Packet capture allows information to be intercepted in real time and stored for short-term or long-term analysis, thus providing a network defender greater insight into a network. Packet captures provide context to security events, such as intrusion detection system alerts. See CISA, National Cybersecurity Protection System Cloud Interface Reference Architecture, Volume 1, General Guidance, at 13, 25 (July 2020), https://www.cisa.gov/sites/default/files/publications/CISA_NCPS_Cloud_Interface_RA_Volume-1.pdf.
12 TTP stands for Tactics, Techniques, and Procedures and describes the behavior of an actor. Tactics are high-level descriptions of behavior, techniques are detailed descriptions of behavior in the context of a tactic, and procedures are even lower-level, highly detailed descriptions in the context of a technique. TTPs could describe an actor's tendency to use a specific malware variant, order of operations, attack tool, or delivery mechanism (e.g., phishing or watering hole attack). See NIST, NIST Special Publication 800-150: Guide to Cyber Threat Information Sharing (Oct. 2016), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf.