FERC Directs NERC to Develop Internal Network Security Monitoring for High and Medium Impact Bulk Electric System Cyber Systems

Troutman Pepper

[co-author: Sahara Shrestha]

On January 19, 2023, the Federal Energy Regulatory Commission (“FERC” or the “Commission”) issued a final rule that directs the North American Electric Reliability Corporation (“NERC”) to develop and submit reliability standards for monitoring high and medium impact bulk electric systems with high-speed internet connections. The Commission stated that the new reliability standards would assist entities in monitoring network traffic inside the bulk electric systems and detecting unauthorized activity inside those systems.

Under the Commission’s current Critical Infrastructure Protection (“CIP”) reliability standards, network security monitoring is focused on defending the security perimeter of networks and does not address potential vulnerabilities of the internal network to cyber threats. The new rule thus requires NERC to develop Internal Network Security Monitoring (“INSM”). FERC explains that INSM is used to detect situations where vendors or individuals with authorized access are considered trustworthy, but might still introduce a cybersecurity risk. These vendors can be leveraged by cyber attackers who ultimately compromise the internal networks of the bulk electric system. FERC stated that incorporating INSM requirements into the CIP reliability standards “would help to ensure that utilities maintain visibility over communications in their protected networks,” which would “help detect an attacker’s presence and movements and give the utility time to take action before an attacker can fully compromise the network.”

The Commission issued a Notice of Proposed Rulemaking for this rule on January 20, 2022, to address INSM for all high and medium impact bulk electric system cyber systems. The final rule explains that commenters persuaded the Commission to limit the final rule to all high impact bulk electric system cyber systems, with or without broadband access, and medium impact bulk electric system cyber systems with broadband access. Thus, the Commission explains, the final rule focuses on cybersecurity systems that pose the highest risk to the security of bulk electric system cyber systems. FERC explains that NERC may in the future extend INSM to medium and low impact bulk electric system cyber systems with no broadband access. As such, the Commission also tasked NERC with studying the risks posed by the lack of INSM, and the feasibility of implementing INSM, at those unaddressed bulk electric system cyber systems. The Commission directed NERC to submit the new standards to the Commission for approval within 15 months and to submit its report on medium and low impact bulk electric system cyber systems with no broadband access within 12 months.

FERC’s order, issued in Docket No. RM22-3, can be found here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising
