In response to recent cybersecurity incidents, the Federal Energy Regulatory Commission (FERC) has announced a Notice of Proposed Rulemaking (NOPR) that would task the North American Electric Reliability Corporation (NERC) to impose additional cybersecurity requirements on high-, medium-, and, potentially, low-impact bulk electric systems in its Critical Infrastructure Protection (CIP) Reliability Standards.

Specifically, in the NOPR (issued on January 20, 2022), FERC requested comments on a proposal for the development of new or modified Reliability Standards to require internal network security monitoring (INSM) for bulk electric systems in addition to the current controls. This would address what FERC considers a “gap” in the current Reliability Standards that, according to FERC, could have mitigated the effects of the SolarWinds attack in late 2020.

What is internal network security monitoring?

The NOPR defines internal network security monitoring as a “subset of network security monitoring that is applied within a ‘trust zone,’ and is designed to address situations where vendors or individuals with authorized access are considered secure and trustworthy but could still introduce a cybersecurity risk” to a cyber-system. INSM consists of three stages: 1) collection, 2) detection, and 3) analysis that, when combined, assist in the early detection of intrusions and malicious activity. Common tools used for INSM include anti-malware services, intrusion detection systems, intrusion prevention systems, and firewall protections.

Why would FERC add an express requirement of INSM in the Reliability Standards?

Currently, the CIP Reliability Standards rely primarily on network perimeter defense and network security monitoring for electronic access points in high- and medium-impact bulk electric systems at control centers. In the NOPR, FERC points out that “[g]iven the increased sophistication of cyberattacks, relying on network perimeter defense and other existing controls leaves trust zones vulnerable.” Even when electronic access points are monitored, the networked environment remains vulnerable to cyber threats, such as insider threats and attacks conducted by infiltrating a trusted vendor or trusted system (e.g., the SolarWinds attack). INSM gathers intelligence and helps monitor for threats that somehow have made it past the perimeter controls and are poised to launch an attack from within the network.

What does this mean and for whom?

The proposed security measures may require the implementation of additional security measures which, as always, come at both monetary and operational costs. As such, FERC recognizes that regulations of this nature need to consider not only potential benefits and security objectives but also the costs, technical barriers, and any other potential challenges that may arise when responsible entities are trying to comply with the security measures.

The NOPR focus is on high- and medium-impact bulk electric systems. However, FERC is also seeking comments on the usefulness and practicality of implementing INSM in low-impact bulk electric systems and is open to broadening its directive in the final rule change to include low-impact bulk electric systems if the idea receives support in the filed comments.

Accordingly, those responsible for high-, medium-, or low-impact bulk electric systems should consider this opportunity to provide FERC with input on the practicality and efficacy of proposed requirements by submitting comments in response to the NOPR.

For those not familiar, FERC, along with provincial governments in Canada, has designated NERC as the electric reliability organization pursuant to section 215 of the Federal Power Act. NERC has regulatory authority within North America to “assure the effective and efficient reduction of risks to the reliability and security” of the energy grid and is charged with developing reliability standards that are approved by FERC. The CIP Reliability Standards are created and enforced by NERC and are designed to mitigate the cybersecurity risks to bulk electric system facilities, systems, and equipment, which, if destroyed, degraded, or otherwise rendered unavailable because of a cybersecurity incident, would affect the reliable operation of bulk electric systems.

Comments on the FERC-proposed directive are due on March 28, 2022.