On January 20, 2022, the Federal Energy Regulatory Commission (FERC) proposed to direct the North American Electric Reliability Corporation (NERC) to develop for FERC review and approval new or modified Reliability Standards for internal network security monitoring (INSM) within trusted Critical Infrastructure Protection (CIP) network environments for high and medium impact Bulk Electric System (BES) Cyber Systems.1 FERC’s action targets a gap in the current NERC CIP Reliability Standards, which do not require INSM. The main goal is to “address situations where vendors or individuals with authorized access are considered secure and trustworthy but could still introduce a cybersecurity risk.” Such was the style of the SolarWinds attack in 2020, which FERC said shows “how an attacker can bypass network perimeter-based security controls used to identify and thwart attacks” by leveraging the technology of a trusted vendor. It is too early to tell exactly what the new or modified Reliability Standards might look like, but FERC provided some general objectives for NERC to address. Comments are due March 28, 2022.
Under the current NERC CIP Reliability Standards, network security monitoring requirements focus on “defending the electronic security perimeter”—such as through access point controls and monitoring for malicious communications—rather than on “potential vulnerabilities of the internal network.” Adding INSM requirements is “designed to address situations where perimeter network defenses are breached by providing the earliest possible alerting and detection of intrusions and malicious activity within a trust zone.” Early detection and response could, in turn, “reduce the likelihood that an attacker can gain a strong foothold and potential command and control, including operational control, on the target system.” INSM can also enable “collection of data and analysis required to implement a defense strategy, improves an entity’s incident investigation capabilities, and increases the likelihood that an entity can better protect itself from a future cyberattack and address any security gaps the attacker was able to exploit.”
FERC provides several objectives for NERC to address, noting that any new or modified CIP Reliability Standards should require covered entities to:
- “[D]evelop a baseline for their network traffic by analyzing expected network traffic and data flows for security purposes.”
- “[M]onitor for and detect unauthorized activity, connections, devices, and software inside the CIP networked environment (i.e., trust zone).”
- “[L]og and packet capture network traffic; . . . maintain sufficient records to support incident investigation . . . ; and . . . implement measures to minimize the likelihood of an attacker removing evidence of their Tactics, Techniques, and Procedures . . . from compromised devices.”
FERC seeks comment on “all aspects of the proposed directive,” including on: “(1) what are the potential challenges to implementing INSM (e.g., cost, availability of specialized resources, and documenting compliance); (2) what capabilities (e.g., software, hardware, staff, and services) are appropriate for INSM to meet [FERC’s] security objectives . . . ; (3) [whether FERC’s security objectives] for INSM [are] necessary and sufficient and, if not sufficient, what are other pertinent objectives that would support the goal of a having responsible entities successfully implement INSM; and (4) what is a reasonable timeframe for expeditiously developing and implementing Reliability Standards for INSM given the importance of addressing [the] reliability gap?” Finally, FERC welcomes comments on “the usefulness and practicality of implementing INSM to detect malicious activity in networks with low impact BES Cyber Systems, including any potential benefits, technical barriers and associated costs.”
The proposal shows that BES reliability and cybersecurity continue to be high priorities for FERC. Indeed, Chairman Richard Glick noted during FERC’s January meeting that it must continue to be vigilant against cyber threats. Commissioner James Danly highlighted FERC’s keen awareness of the risk and his appreciation for the unanimous vote to approve the proposal. Commissioner Allison Clements described the proposal as a “step in the right direction” and expressed her hope that NERC will move quickly to develop the Reliability Standards for FERC’s consideration. Commissioner Mark C. Christie voted for, but did not comment on, the proposal. Finally, new Commissioner Willie L. Phillips recognized that several steps remain before realization of the proposal’s purpose—including reviewing, analyzing and acting on any comments—and shared his hope that NERC will find a way to “expedite” its process to enable implementation of INSM standards as soon as possible.
FERC’s next action in this matter could come as soon as April or May 2022, but could take longer. It also is uncertain how long FERC will give NERC to file its proposed Reliability Standards if FERC ultimately directs it to do so in a Final Rule. Accordingly, any mandatory, enforceable rules likely are at least months away.
1 NERC’s CIP Reliability Standards currently in effect set forth criteria “to categorize BES Cyber Systems as high, medium, or low depending on the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES.” The designated impact level then “determines the applicability of security controls for BES Cyber Systems that are contained in the remaining CIP Reliability Standards” as they currently exist.