Before the Federal Energy Regulatory Commission (FERC) moves to develop new or modified mandatory reliability standards related to internal network security monitoring, it should first convene a forum that would allow for an exchange of information on the state and availability of existing technology, as well as its cost and efficacy, the American Public Power Association (APPA) and several other trade associations recently said.
APPA was joined in submitting comments in late March at FERC by the Edison Electric Institute, the Electric Power Supply Association, the Large Public Power Council, and the National Rural Electric Cooperative Association (Docket No. RM22-3).
The trade groups submitted the comments in response to a FERC notice of proposed rulemaking (NOPR) issued in January 2022. The NOPR proposes to direct the North American Electric Reliability Corporation (NERC) to develop new or modified mandatory reliability standards requiring internal network security monitoring within a trusted critical infrastructure protection networked environment for high and medium impact bulk electric system (BES) cyber systems.
The groups said that they agree with the Commission that the implementation of internal network security monitoring in some form may improve the security posture of responsible entities owning or operating high impact BES cyber systems.
But they also argued that there are significant obstacles to the near-term implementation of this technology.
APPA and the other groups noted that forms of internal network security monitoring are in their infancy, only now being utilized by a relatively small group of utilities, and the necessary technology is not widely available.
Moreover, there is a limited group of subject matter experts (SMEs) capable of working with the technology, the groups told FERC.
“Further, related processes associated with the application of the technology (particularly, ‘baselining’ existing network traffic and ‘packet capture’ and analysis) are expected to be challenging, and consensus concerning best practices has not yet been reached,” the groups said in their comments.
Therefore, before issuing any directive, the groups said that FERC should convene a forum in which Commission staff, stakeholders, SMEs and NERC staff can exchange information on the state and availability of existing technology, as well as its cost and efficacy.
APPA and the other groups said that this discussion could help inform decisions regarding the most effective ways to deploy internal network security monitoring for high-impact BES cyber systems, while also assessing the potential benefits and challenges of applying internal network security monitoring requirements to all medium-impact BES cyber systems, for which internal network security monitoring is likely to have limited utility.
The discussion could also include how to accomplish the security objectives the Commission seeks to achieve using the internal network security monitoring tool given the rapidly evolving market for cybersecurity tools, they went on to say.
Following this discussion, and assuming the Commission moves ahead with a directive, the groups “ask that it be limited to high-impact BES cyber systems and medium-impact BES cyber systems at control centers for now.”
APPA and the other groups also said that the use of internal network security monitoring for low-impact BES cyber systems is unlikely to be practicable, would increase rather than mitigate risk to the BES, and would not be cost-effective from a BES reliability perspective.
“Accordingly, any directive issued by the Commission should not extend to low-impact assets, or to any subset thereof,” they said.