The Federal Energy Regulatory Commission (FERC) on Jan. 20 issued a notice of proposed rulemaking (NOPR) proposing to strengthen mandatory critical infrastructure protection (CIP) reliability standards by requiring internal network security monitoring for high- and medium-impact bulk electric system cyber systems.
The NOPR proposes to direct the North American Electric Reliability Corporation (NERC) to develop and submit new or modified reliability standards on internal network security monitoring to address what FERC regards as a gap in the current standards.
Mandatory electric reliability standards, including the CIP standards, are developed by NERC and approved by FERC. The Commission also has authority to direct NERC to develop new or revised standards, and FERC is relying on that authority in the NOPR.
Under the existing CIP reliability standards, network security monitoring focuses on defending the electronic security perimeter, which is not the same as monitoring the internal network behind that perimeter.
In proposing to direct NERC to expand or revise the existing CIP rules, FERC said that it is seeking to address concerns that the existing standards do not address potential vulnerabilities of the internal network to cyber threats.
Internal network security monitoring addresses situations where vendors or individuals who have authorized access and are considered trustworthy might still introduce a cybersecurity risk.
As an example, FERC said that the SolarWinds attack in 2020 demonstrated how an attacker can bypass network perimeter-based security controls used to identify and thwart attacks. This supply chain attack leveraged a trusted vendor to compromise the networks of public and private organizations, FERC said.
Incorporating internal network security monitoring requirements into the CIP reliability standards would help to ensure that utilities maintain visibility over communications in their protected networks, FERC said. Doing so can help detect an attacker’s presence and movements and give the utility time to take action before an attacker can fully compromise the network.
Internal network security monitoring also helps to improve vulnerability assessments and can speed recovery from an attack, FERC noted.
The NOPR seeks comment on all aspects of the proposed directive to develop and submit new or modified reliability standards for internal network security monitoring for high- and medium-impact cyber systems. Although the proposal is currently limited to high- and medium-impact assets, as classified under NERC’s risk-based classification system, the NOPR also seeks comment on whether internal network security monitoring should be expanded to low-impact assets, or a subset of these assets.
At FERC’s January monthly open meeting, FERC Chairman Richard Glick emphasized that reliability of the bulk power system, including cybersecurity, is a top priority for the Commission.
He noted that, if a hacker does breach an entity’s electronic perimeter, internal network monitoring can allow for a more effective and timely response.
He encouraged interested parties to comment on the applicability of the proposal to low-impact bulk electric system cyber systems, calling it “an interesting issue.”
Comments on the NOPR are due 60 days after publication in the Federal Register.