No items found.

FERC and NERC Look to Strengthen CIP Standards for Bulk Electric Systems

January 30, 2023

The Federal Energy Regulatory Commission (FERC) has proposed new security requirements for high- and medium-impact bulk electric system facilities. The proposal would require these facilities to "maintain visibility over communications between networked devices." More specifically, FERC has directed the North American Electric Reliability Corporation (NERC) to develop new or modified Critical Infrastructure Protection (CIP) reliability standards that require internal network security monitoring (INSM) for CIP-networked environments.

The CIP Reliability Standards have traditionally focused on protecting the electronic security perimeter of networks. However, FERC has identified a gap in these standards as they do not adequately address potential vulnerabilities within the internal network to cyber threats. In order to address this issue, FERC is directing NERC to integrate INSM requirements into these standards. INSM provides ongoing visibility of communications between networked devices within a trusted zone and detects malicious activity that has bypassed perimeter controls. Additionally, INSM allows for early detection of anomalous network activity, indicating a potential attack, increasing the chances for quick mitigation and recovery.

NERC will need to develop new or modified CIP reliability standards that are forward-looking, objective-based, and address three security objectives that pertain to INSM.

  1. Any new or modified CIP reliability standards should address the need for responsible entities to develop baselines of their network traffic inside their CIP-networked environment.
  2. Any new or modified CIP reliability standards that should address the need for responsible entities to monitor for and detect unauthorized activity, connections, devices, and software inside the CIP-networked environment.
  3. Any new or modified CIP reliability standards should require responsible entities to identify anomalous activity to a high level of confidence by logging network traffic, maintaining logs and other data collected regarding network traffic, and implementing measures to minimize the likelihood of an attacker removing the evidence of their tactics, techniques, and procedures (TTPs) from compromised devices.

The new standards proposed by FERC will be applied to all high-impact and medium-impact bulk electric system (BES) cyber systems with external routable connectivity. NERC will also need to evaluate the feasibility for low-impact BES cyber systems and medium-impact BES cyber systems without external routable connectivity, and report on that within the year.

FERC wrote: “We find that, while the CIP Reliability Standards require monitoring of the electronic security perimeter and associated systems for high and medium impact BES Cyber Systems, the CIP-networked environment remains vulnerable to attacks that bypass network perimeter-based security controls traditionally used to identify the early phases of an attack. This presents a gap in the currently effective CIP Reliability Standards.”

This echoes some of our industry’s debates around security vs. compliance – whether any given organization is actually pursuing a high level of security or just meeting the requirements set forth by various regulations and industry standards. Some argue that a focus on compliance can distract from achieving a truly secure environment and may lead to a "check the box" mentality, where an organization is more focused on meeting the letter of the law rather than the spirit of it. However, compliance can serve as a foundation for ensuring that organizations have the appropriate controls in place to protect sensitive information and can serve as a guide for organizations looking to further enhance their security.

Overall, security and compliance are interrelated and both are important to protect the organization from different types of risks. Compliance can be seen as a basic requirement for security, which should be followed by further actions, controls and program to continuously improve security maturity.

Industrial Defender helps organizations both meet compliance needs and strengthen overall security. We have long been strategic partners for electric utilities in meeting NERC CIP requirements and making it easier to pass their audits. We also deliver deeper-level asset data and vital endpoint information, along with historical context and change detection, to identify cyber risks and mature security postures beyond basic requirements.

We’re dedicated to helping our customers stay up to date with the latest compliance requirements and security practices.

To learn more about how we can partner with the power & electric utilities industry, please visit