Support
No items found.

Emerging NERC CIP Requirements for Internal Network Security Monitoring (INSM)

January 26, 2024

We continually update this blog to provide the latest information as it becomes available.

Updated January 26th: The North American Electric Reliability Corporation (NERC) has recently submitted its feasibility report on implementing internal network security monitoring (INSM) for certain categories of Bulk Electric Systems (BES). This report focuses on 'low impact BES' and 'medium impact BES without external routable connectivity (ERC)'.

For context, when the Federal Energy Regulatory Commission (FERC) initially issued its order, NERC was instructed to develop new INSM requirements for:

  • 'High impact BES', both with and without ERC
  • 'Medium impact BES with ERC'

Additionally, NERC was directed to assess the feasibility of introducing INSM requirements for 'low impact BES' and 'medium impact BES without ERC' and provide a report within a 12-month period.

NERC has now delivered the feasibility report, with the public version available here: NERC INSM Feasibility Study.

NERC conducted this study in collaboration with representatives from Regional Entities as well as the Electricity Information Sharing and Analysis Center (E-ISAC).

The report emphasizes the importance of not implementing INSM as a “bolt-on” control - there needs to be a solid foundation established for this. NERC recommends low impact and medium impact BES without ERC develop a roadmap for improving security controls, including strengthening the implementation of the CIP-003 standard.

Here is an excerpt from the report elaborating on this:

“The high‐level roadmap would include NERC CIP standards changes such as:
  • Requirements for low impact BES Cyber System asset inventories
  • Requirements for designing, constructing, and documenting defensible network architectures to remove insecure by design network configurations (i.e., segmentation, conduits & zones, traffic analysis points, etc.)
  • Requirements for strong multi‐factor authentication for interactive remote access
  • Standards changes should not negatively incentivize entities to delay changes, or implement BES Cyber
  • Systems in order to circumvent standards requirements through compliance loopholes or abuse of exceptions such as:
  • Maintaining non‐supported end of life equipment and applications to alleviate compliance overhead to the detriment of security.”
Source: NERC, Internal Network Security Monitoring Feasibility Study, January 2024

While advising continued INSM implementation at originally scoped BES, NERC proposed the NERC, E-ISAC and FERC continue to monitor risk and needs to update the roadmap for INSM for lower impact systems.

Updated January 15, 2024: Have you seen the latest on emerging NERC-CIP requirements for Internal Network Security Monitoring (INSM)? This follows our previous coverage in January last year, where the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability Corporation (NERC) to create new or modify existing Critical Infrastructure Protection (CIP) reliability standards. These standards are focused on implementing INSM in CIP-networked environments.

As covered in this blog originally, FERC’s order was issued in January of the previous year. Now, NERC has released its first draft of these requirements, and will be taking comments until January 17th. We recommend reading the analysis by Patrick Miller, strategic technical advisor to Industrial Defender, on the draft. His analysis discusses the language proposed under NERC CIP-007.

While much of the language in the recent draft echoes the original order issued by NERC, and some additions remain a subject of debate, it's important to acknowledge the significant strides made by both FERC and NERC towards the implementation and subsequent enforcement of INSM requirements. This progression underlines the necessity for organizations to continuously enhance their visibility and monitoring strategies, aligning them with these emerging requirements. Staying abreast of these developments is not just about compliance, but also about fortifying network security in an increasingly digital world.

Provide your feedback to NERC this week.

Status of this project:
A 35-day formal comment period for Project 2023-03 Internal Network Security is open through 8 p.m. Eastern, Wednesday, January 17, 2024 for the following standard and implementation plan:
• CIP-007-X – Cyber Security – Systems Security Management
• Implementation Plan
Ballot pools are being formed through 8 p.m. Eastern, Tuesday, January 2, 2024.
Initial ballots for the standard and implementation plan, as well as a non-binding poll of the associated Violation Risk Factors and Violation Severity Levels will be conducted January 8-17, 2024.

--

Original blog from January 30, 2023

The importance of enhancing visibility within network environments remains critical. Organizations should be proactive in establishing clear baselines and differentiating between secure and vulnerable aspects of their network

The Federal Energy Regulatory Commission (FERC) has proposed new security requirements for high- and medium-impact bulk electric system facilities. The proposal would require these facilities to "maintain visibility over communications between networked devices." More specifically, FERC has directed the North American Electric Reliability Corporation (NERC) to develop new or modified Critical Infrastructure Protection (CIP) reliability standards that require internal network security monitoring (INSM) for CIP-networked environments.

The CIP Reliability Standards have traditionally focused on protecting the electronic security perimeter of networks. However, FERC has identified a gap in these standards as they do not adequately address potential vulnerabilities within the internal network to cyber threats. In order to address this issue, FERC is directing NERC to integrate INSM requirements into these standards. INSM provides ongoing visibility of communications between networked devices within a trusted zone and detects malicious activity that has bypassed perimeter controls. Additionally, INSM allows for early detection of anomalous network activity, indicating a potential attack, increasing the chances for quick mitigation and recovery.

NERC will need to develop new or modified CIP reliability standards that are forward-looking, objective-based, and address three security objectives that pertain to INSM.

  1. Any new or modified CIP reliability standards should address the need for responsible entities to develop baselines of their network traffic inside their CIP-networked environment.
  2. Any new or modified CIP reliability standards that should address the need for responsible entities to monitor for and detect unauthorized activity, connections, devices, and software inside the CIP-networked environment.
  3. Any new or modified CIP reliability standards should require responsible entities to identify anomalous activity to a high level of confidence by logging network traffic, maintaining logs and other data collected regarding network traffic, and implementing measures to minimize the likelihood of an attacker removing the evidence of their tactics, techniques, and procedures (TTPs) from compromised devices.

The new standards proposed by FERC will be applied to all high-impact and medium-impact bulk electric system (BES) cyber systems with external routable connectivity. NERC will also need to evaluate the feasibility for low-impact BES cyber systems and medium-impact BES cyber systems without external routable connectivity, and report on that within the year.

FERC wrote: “We find that, while the CIP Reliability Standards require monitoring of the electronic security perimeter and associated systems for high and medium impact BES Cyber Systems, the CIP-networked environment remains vulnerable to attacks that bypass network perimeter-based security controls traditionally used to identify the early phases of an attack. This presents a gap in the currently effective CIP Reliability Standards.”

This echoes some of our industry’s debates around security vs. compliance – whether any given organization is actually pursuing a high level of security or just meeting the requirements set forth by various regulations and industry standards. Some argue that a focus on compliance can distract from achieving a truly secure environment and may lead to a "check the box" mentality, where an organization is more focused on meeting the letter of the law rather than the spirit of it. However, compliance can serve as a foundation for ensuring that organizations have the appropriate controls in place to protect sensitive information and can serve as a guide for organizations looking to further enhance their security.

Overall, security and compliance are interrelated and both are important to protect the organization from different types of risks. Compliance can be seen as a basic requirement for security, which should be followed by further actions, controls and program to continuously improve security maturity.

Industrial Defender helps organizations both meet compliance needs and strengthen overall security. We have long been strategic partners for electric utilities in meeting NERC CIP requirements and making it easier to pass their audits. We also deliver deeper-level asset data and vital endpoint information, along with historical context and change detection, to identify cyber risks and mature security postures beyond basic requirements.

We’re dedicated to helping our customers stay up to date with the latest compliance requirements and security practices.

To learn more about how we can partner with the power & electric utilities industry, please visit https://www.industrialdefender.com/industries/electric-utilities-cybersecurity.