FERC Directs NERC to Study Bulk Electric System's Internal Cybersecurity Gaps

Continuing a recent trend in which the Federal Energy Regulatory Commission ("FERC") has been directing the North American Electric Reliability Corporation ("NERC") to improve or maintain the reliability of the nation's energy infrastructure, FERC issued a Final Rule[1] directing NERC to develop standards and perform a study to address a regulatory gap in its cybersecurity protections for the Bulk Electric System ("BES").[2] Specifically, FERC directed NERC to develop and submit reliability standards requiring internal network security monitoring ("INSM") for high impact BES Cyber Systems[3] and medium impact BES Cyber Systems with high-speed internet connections and to study the feasibility of adding similar INSM requirements for low impact BES Cyber Systems.

The Notice of Proposed Rulemakings

FERC initiated this proceeding with a Notice of Proposed Rulemaking (the "NOPR") in early 2022.[4] In the NOPR, FERC raised the issue of a regulatory gap in Critical Infrastructure Protection ("CIP") reliability standards. The NOPR cautioned that the currently effective CIP Reliability Standards do not require INSM within trusted CIP-networked environments for BES Cyber Systems,[5] thereby exposing those environments to cyber risk and attack. In the NOPR, FERC considered whether to require INSM for all high and medium impact BES Cyber Systems.

INSM is a subset of network security monitoring that is applied within a "trust zone,"[6] such as an electronic security perimeter. INSM is designed to address, as early as possible, breaches of perimeter network defenses by detecting malicious activity within a trust zone. INSM is comprised of three stages: (1) collection; (2) detection; and (3) analysis.[7] With INSM, an entity can observe communications between networked devices within a trust zone and detect malicious activity that has circumvented or penetrated perimeter controls.

In practice, INSM employs tools like anti-malware, intrusion detection systems, intrusion prevention systems, and firewalls. These tools can be used for collection, detection, and analysis (e.g., forensics) of an attempted breach. Additionally, some of the tools (e.g., anti-malware and firewalls) have the capability to prevent system intrusions. The goal of INSM is early detection and alerting of intrusions and malicious activity. Without INSM, an attacker could exploit software vulnerability to gain administrator account privileges, move undetected inside the trust zone of the CIP-networked environment, or could execute unauthorized code (e.g., a virus or ransomware).

The Final Rule

In directing NERC to develop new or modified standards that address security objectives that pertain to INSM, FERC stated that any new or modified CIP Reliability Standards should:

1. address the need for responsible entities to develop baselines of their network traffic inside their CIP-networked environment;
2. address the need for responsible entities to monitor and detect unauthorized activity, connections, devices, and software inside the CIP-networked environment; and
3. require responsible entities to identify anomalous activity to a high level of confidence by:
• logging network traffic;
• maintaining logs and collecting other data regarding network traffic; and
• implementing measures to minimize the ability of an attacker to remove evidence of its tactics, techniques, and procedures from compromised devices.[8]

After considering the comments submitted in response to the NOPR, FERC directed NERC to develop CIP Reliability Standards that require INSM for CIP-networked environments for all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity.[9] In doing so, FERC recognizes the need to prioritize the protection of certain BES Cyber Systems and to balance the limited resources available against the urgent need for improvement.[10] FERC opted not to extend the INSM requirement to all low impact BES Cyber Systems as there is no requirement for entities to identify their low impact BES Cyber Systems or electronic security perimeters for their low impact BES Cyber Systems.[11]

Standards Development Time

To emphasize the importance of the ISNM reliability gap, FERC directed NERC to submit new or modified CIP Reliability Standards within 15 months of the effective date of the Final Rule.[12] FERC believes that a 15-month deadline would provide sufficient time for NERC to develop responsive new or modified standards within NERC's standards development process, citing that most of the complexities cited by NERC are resolved by FERC's decision not to extend INSM in this Final Rule to low impact BES Cyber Systems and to medium impact BES Cyber Systems without external routable connectivity.[13] While FERC declined to direct a specific implementation timeframe for any new or modified standards, it directed NERC to propose an implementation period that balances the various concerns raised by commenters with the need to timely address the identified gap in the CIP Reliability Standards pertaining to INSM.[14]

NERC Study and Report on INSM Implementation

Even though FERC declined to require INSM for medium impact BES Cyber Systems without external routable connectivity and all low impact BES Cyber Systems, it noted that extending INSM to all medium impact BES Cyber Systems and at least a subset of low impact BES Cyber Systems in the future could be necessary to protect the security and the reliability of the BPS.[15] Accordingly, FERC directed NERC to conduct a study to guide the implementation of INSM, or other mitigation strategies, for medium impact BES Cyber Systems without external routable connectivity and all low impact BES Cyber Systems. FERC directed that the study should focus on two main topics: (1) risk and (2) challenges and solutions.

As it pertains to risk, FERC directed NERC to collect information from registered entities on the number of low impact and medium impact BES Cyber Systems that would not be subject to the new or revised Reliability Standards, which would inform the scope of the risk from systems without INSM.[16] FERC also required NERC to provide an analysis regarding the substantive risks posed by BES Cyber Systems operating without the implementation of INSM.[17] Specifically, FERC directed NERC to determine the quantity of: (1) substation and generation locations that contain medium impact BES Cyber Systems without external routable connectivity; (2) low impact locations (including a breakdown by substations, generation resources, and control centers) that contain low impact BES Cyber Systems without external routable connectivity; and (3) locations that contain low impact BES Cyber Systems with external routable connectivity (including a breakdown by substations, generation resources, and control centers).[18] Lastly, FERC directed NERC to discuss the risks to the security of the BPS due to the lack of an INSM requirement for identified facilities.[19]

Regarding challenges and solutions, FERC directed NERC to identify the potential technological, logistical, or other challenges involved in extending INSM to additional BES Cyber Systems, as well as possible alternative actions to mitigate any risk posed by leaving some systems outside the regulation.[20] Some challenges include: (1) lengthy timelines for identifying the location of low impact BES Cyber Systems; (2) the need to add external routable connectivity at many medium impact BES Cyber Systems to effectively implement INSM; (3) a wider footprint for monitoring and detecting for larger entities; (4) shortages of qualified staff; and (5) supply chain constraints.[21] This study is due within 12 months of the Final Rule.

Implications

The Final Rule reflects FERC's commendable effort to address an important regulatory gap in the CIP Reliability Standards in a measured fashion. FERC considered comments regarding the practical challenges to the wider application of INSM and stepped back from NOPR's proposal to require INSM for all high impact and medium impact BES Cyber Systems. Nevertheless, the time period for ultimate implementation of new or revised CIP Reliability Standards may be viewed as unnecessarily protracted and, hence, presenting undue exposure for the nation's BES Cyber Systems at all impact levels. It remains to be seen whether FERC will be able to establish (perhaps with regard to accelerating the implementation scheduled proposed in response to the Final Rule) a regulatory compromise that reconciles identified implementation challenges with the nation's need to bolster its ability to deflect cyber attacks on the BES.

[1] Internal Network Sec. Monitoring for High and Medium Impact Bulk Elec. Sys. Cyber Sys, 182 FERC ¶ 61,021 (2023) ("Final Rule"). FERC took this action in Docket No. RM22-3-000.

[2] The “BES” refers to those facilities that are subject to NERC’s Reliability Standards. The BES is a subset of the statutory term “Bulk Power System” set forth in Section 215 of the Federal Power Act.

[3] The classification of BES Cyber Systems (defined below) as high impact, medium impact, or low impact is undertaken by the registered entities and is based on the functions of the assets housed within each system and the risks (i.e., the impact) they pose to the BES if they are compromised.

[4] Internal Network Sec. Monitoring for High & Medium Impact Bulk Elec. Sys. Cyber Sys., Notice of Proposed Rulemaking, 178 FERC ¶ 61,038, at PP 2-3, 7-8 (2022) (“NOPR”). The NOPR represents in part a reaction to the SolarWinds hack in 2020 that infected many institutions with a malicious code.

[5] NERC defines BES Cyber Systems as “one or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability task.” See NERC, Glossary of Terms Used in NERC Reliability Standards (2022) (NERC Glossary), https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf.

[6] The Department of Homeland Security defines a “trust zone” as a “discrete computing environment designated for information processing, storage, and/or transmission that share the rigor or robustness of the applicable security capabilities necessary to protect the traffic transiting in and out of a zone and/or the information within the zone.” U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, Trusted Internet Connections 3.0: Reference Architecture, at 2 (July 2020), https://www.cisa.gov/sites/default/files/publications/CISA_TIC%203.0%20Vol.%202%20Reference%20Architecture.pdf. For the purpose of the Final Rule, the “trust zone” is the CIP-networked environment.

[7] Final Rule at 9.

[8] Id. at P 6.

[9] NERC defines “external routable connectivity” as an “ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.” In other words, external routable connectivity allows remote communication with a BES Cyber System through use of a high-speed internet service to send information over a network. Id. at P 57.

[10] Id. at P 54.

[11] Id. at P 68-69.

[12] The effective date of this Final Rule is 30 days from publication in the Federal Register. FERC has directed NERC to submit the new or modified CIP Reliability Standards for FERC approval within 15 months of the effective date of this Final Rule. FERC also directed NERC to submit the Study and Report on INSM Implementation within 12 months of the issuance of the Final Rule.

[13] This deadline is within the range of ISO/RTO Council’s suggested one-to-two-year timeframe. Id. at P 86.

[14] Id. at P 87.

[15] Id. at P 88.

[16] Id.

[17] Id.

[18] Id. at P 89.

[19] Id. at P 90.

[20] Id.

[21] Id.