The Federal Energy Regulatory Commission (FERC) recently directed the North American Electric Reliability Corporation (NERC) to develop and submit for approval any new or modified Reliability Standards that require electric utilities to implement Internal Network Security Monitoring (INSM) within their trusted Critical Infrastructure Protection (CIP) environments. This requirement will apply to all High Impact bulk electric system (BES) Cyber Systems with and without external connectivity and to Medium Impact BES Cyber Systems with external connectivity.
The new standards will require that utilities develop baselines of the traffic inside their BES networked environments to monitor for and detect unauthorized activity, connections, devices and software.
Utilities must also identify anomalous activity to a higher level of confidence by logging network traffic, maintaining data and implementing measures to minimize the likelihood of an attacker removing evidence of their tactics, techniques and procedures from compromised devices.
What is Internal Network Security?
Internal network security refers to the implementation and monitoring of security measures within an organization’s trusted network environments, designed to detect intrusions and malicious activity. This encompasses the collection, detection, and analysis of network traffic, as well as the use of tools such as anti-malware, firewalls, and intrusion prevention systems. The goal is to maintain visibility over communications between networked devices and provide an additional layer of defense against cyber attacks.
INSM is designed to alarm, as early as possible, in situations where the perimeter network defenses are breached by detecting intrusions and unusual or malicious activity within a trust zone.
INSM consists of three stages: (1) collection; (2) detection; and (3) analysis. Some of the tools that may be used for INSM include:
- Anti-malware software
- Intrusion detection systems
- Intrusion prevention systems
These tools support the forensic investigation (i.e., collection, detection and analysis) of potential intrusive events. Additionally, some of them (anti-malware, firewalls and intrusion prevention systems) can block inappropriate or malicious network traffic.
According to FERC, INSM will better position a utility to detect malicious activity that has circumvented perimeter controls and gained access to the target systems.
Because an attacker that moves among devices internal to a trust zone must use network pathways and the protocols those devices accept to send malicious communications, INSM can help alert a utility to the attack in its early phases and improve the utility’s ability to stop the attack and mitigate damages.
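To make the baselining requirement described above concrete, here is an added example (not part of the original update or of TRC’s or FERC’s material) that learns a baseline of known hosts, host pairs and services from a learning window of internal flow records and then flags deviations in a monitoring window. All addresses, ports and flows are constructed sample data standing in for what a sensor inside an electronic security perimeter would actually collect.

```python
from collections import namedtuple

# One internal flow record: source host, destination host, transport protocol, destination port.
Flow = namedtuple("Flow", "src dst proto dport")

# Constructed learning-window flows inside a hypothetical trust zone (sample data, not real assets).
BASELINE_FLOWS = [
    Flow("10.10.1.10", "10.10.1.20", "tcp", 502),   # HMI -> PLC, Modbus/TCP
    Flow("10.10.1.10", "10.10.1.21", "tcp", 502),   # HMI -> second PLC
    Flow("10.10.1.30", "10.10.1.10", "tcp", 3389),  # jump host -> HMI, RDP
    Flow("10.10.1.20", "10.10.1.40", "udp", 514),   # PLC -> syslog collector
]

def build_baseline(flows):
    """Learn the set of known hosts, known host pairs and known (pair, proto, port) services."""
    baseline = {"hosts": set(), "pairs": set(), "services": set()}
    for f in flows:
        baseline["hosts"].update((f.src, f.dst))
        baseline["pairs"].add((f.src, f.dst))
        baseline["services"].add((f.src, f.dst, f.proto, f.dport))
    return baseline

def classify(flow, baseline):
    """Return the most significant deviation for one flow, or None if it matches the baseline.
    Order of significance: unknown device > new connection between known devices > new service."""
    if flow.src not in baseline["hosts"] or flow.dst not in baseline["hosts"]:
        return "unknown-device"
    if (flow.src, flow.dst) not in baseline["pairs"]:
        return "new-connection"
    if (flow.src, flow.dst, flow.proto, flow.dport) not in baseline["services"]:
        return "new-service"
    return None

def detect(flows, baseline):
    """Return (flow, finding) pairs for every flow that deviates from the baseline."""
    return [(f, classify(f, baseline)) for f in flows if classify(f, baseline)]

# Constructed monitoring-window flows: one normal flow and three deviations.
OBSERVED_FLOWS = [
    Flow("10.10.1.10", "10.10.1.20", "tcp", 502),   # matches baseline
    Flow("10.10.1.99", "10.10.1.20", "tcp", 502),   # never-seen host speaking Modbus to a PLC
    Flow("10.10.1.40", "10.10.1.21", "tcp", 502),   # collector has never talked to this PLC
    Flow("10.10.1.30", "10.10.1.10", "tcp", 445),   # jump host using SMB instead of its usual RDP
]

if __name__ == "__main__":
    for flow, finding in detect(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(finding, flow)
```

A production baseline would be learned over a much longer window and re-validated after authorized changes, so that approved new devices or services are added deliberately rather than silenced as noise.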
What Will Be Required in an INSM Standard?
According to FERC, INSM is a component of a comprehensive cybersecurity strategy because it provides an additional layer of defense against malicious intrusions regardless of the attack vector or whether existing security controls failed. With INSM, a utility can maintain visibility over communications between networked devices within a trust zone and detect malicious activity that has circumvented perimeter controls.
Currently, network security monitoring required by NERC’s CIP Reliability Standards focuses on network perimeter defense by preventing unauthorized access at the electronic security perimeter. While the CIP Standards require monitoring of inbound and outbound internet communications at the electronic security perimeter, they do not require monitoring within trusted CIP-networked environments for BES Cyber Systems. Because of this gap, vendors or individuals with authorized access may be treated as secure and trustworthy while still introducing a cybersecurity risk, and other attack vectors inside the perimeter go unmonitored.
NERC has been directed to develop new or modified CIP Reliability Standards that require INSM for CIP-networked environments within all high-impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity.
FERC determined that requirements to implement INSM will fill the identified gap in the current suite of CIP Reliability Standards and improve the cybersecurity posture of the Bulk-Power System. Specifically, a requirement for INSM augments existing perimeter defenses by increasing network visibility, so that a utility may understand what is occurring in its CIP-networked environment, and thus improve its capability to detect potential compromises in a timely manner.
TRC recommends that utility clients review this latest order and begin considering how they would modify their CIP-related protocols, policies, and procedures to adapt to NERC’s work product, which will be developed over the course of the next fifteen months.
Your Trusted Regulatory Advisor:
The foregoing FERC action is a significant regulatory event that will create a fundamental change in security processes by adding internal network monitoring to the existing security perimeter approach embedded in the NERC CIP standards. TRC closely follows the national and state regulatory trends in all regions of North America. Our approach to power system security, engineering, planning, design, construction and commissioning testing balances solutions that incorporate industry reliability risk trends, mandatory reliability standard requirements, regulatory guidance, compliance obligations, best practices, operational goals, and budgets. With expertise in power system engineering, planning and operations, TRC supports public utilities and private energy providers in their efforts to stay ahead of the curve and to meet or exceed regulatory requirements as they evolve.
This regulatory update is provided as a service to TRC’s utility clients to keep you informed of forward-looking issues that will affect your company’s electric system reliability risks, along with related regulatory developments, and to help you achieve your company’s business goals.