The Federal Energy Regulatory Commission on Jan. 19 directed the North American Electric Reliability Corporation to develop and submit reliability standards requiring internal network security monitoring for high-impact bulk electric system cyber systems and medium-impact systems with high-speed internet connections.
The final rule, Order No. 887, issued at FERC’s monthly open meeting, also directs NERC to study the risks posed by the lack of internal network security monitoring at bulk electric cyber systems that would not be addressed by the new or modified standard, and the feasibility of extending monitoring to those systems.
In issuing the directive to NERC, FERC observed that current NERC reliability standards require monitoring at a network’s electronic security perimeter, but do not require similar monitoring of anomalous activity within the network environment, which the Commission characterized as a gap in the current NERC reliability standards.
NERC has flexibility in developing the content of the new requirements, but the Commission said the new standards should address the need for entities to develop baselines of their network traffic inside the applicable networked environments and to monitor for and detect unauthorized activity, connections, devices and software inside those networked environments.
FERC said the new standards also should require entities to identify anomalous activity to a high level of confidence by logging network traffic, maintaining logs and other data and implementing measures to minimize the likelihood of an attacker removing evidence of their tactics, techniques and procedures from compromised devices.
The rule takes effect 60 days after publication in the Federal Register, and NERC has 15 months from the effective date to submit the new standards for Commission approval. NERC has 12 months from the date of the order to submit its report on low-impact bulk electric cyber systems and medium-impact systems with no broadband access.
Order No. 887 results from a notice of proposed rulemaking (NOPR) issued by FERC in January 2022 that proposed internal network security monitoring for all high- and medium-impact bulk electric system cyber systems. The NOPR also asked for comments on whether internal network security monitoring should be applied to low-impact BES Cyber Systems.
The American Public Power Association responded to the NOPR in joint comments filed with the Edison Electric Institute, the Electric Power Supply Association, the Large Public Power Council, and the National Rural Electric Cooperative Association.
The joint comments urged FERC to conduct additional information gathering on internal network security monitoring before issuing a directive. The comments also cited the significant technological and practical challenges associated with deploying internal network security monitoring, and the Joint Associations urged FERC to limit the applicability of any internal network security monitoring directive to high-impact BES cyber systems and medium-impact BES cyber systems at control centers.
APPA and the other groups also argued that use of internal network security monitoring for low-impact bulk electric system cyber systems is unlikely to be practicable.
Order No. 887 partly responds to the concerns raised by the groups, insofar as it applies the internal network security monitoring requirement only to a subset of medium-impact assets, and the directive does not require internal network security monitoring for low-impact assets at this time.