A proposed reliability standard to require utilities to implement internal network security monitoring (INSM) software on select grid cyber systems won industry approval this week, leaving a clear path for the ERO to submit the standard to FERC comfortably ahead of the commission’s deadline.
The latest ballot period for CIP-015-1 (Cybersecurity — INSM) began April 11 and closed April 17, the same day as the formal comment period that began April 5. NERC’s Standards Committee authorized reducing comment and ballot periods for the project to as few as 10 days because FERC in 2023 ordered the ERO to submit standards requiring INSM by July 9 of this year.
According to NERC’s ballot system, the standard received 175 votes for passage and 37 against. Applying the ERO’s weighting procedure (which proportionally reduces the impact of industry segments with fewer than 10 voters), the final result is a 76.78 weighted value in favor.
The standard needed a two-thirds majority to pass. Now that the target has been reached, the normal move is to submit it for a five-day final ballot; a spokesperson for NERC told ERO Insider the team for Project 2023-03 (INSM) has not met to discuss the next step for the project.
Under new rules approved by FERC in November, drafting teams may choose to conclude a standards action without a final ballot, but only if the previous ballot received approval from at least 85% of the registered ballot body, no further changes are proposed, and the team has made a good faith effort to resolve applicable objections and responded to industry comments in writing. (See FERC Approves NERC Standards Process Changes.)
FERC ordered NERC to add INSM to its cybersecurity requirements in response to incidents like the SolarWinds hack of 2020, through which thousands of public- and private-sector organizations — including FERC itself — may have been infected with malicious code. (See FERC Orders Internal Cyber Monitoring in Response to SolarWinds Hack.) Commission staff said the SolarWinds attack demonstrated that an attacker “can bypass all perimeter-based security controls … and compromise” electronic networks believed to be secure.
The standard approved this week would require registered entities to “implement one or more documented process(es) for [INSM] of networks … of high-impact [grid] cyber systems and medium-impact … systems with external routable connectivity [ERC].”
Documented processes under the standard must include each of the following:
- network data feeds to monitor network activity, including connections, devices and network communications
- at least one method to detect anomalous network activity using the network data feeds
- at least one method to evaluate anomalous activity to determine what additional action is needed
Entities would also have to implement documented processes to retain INSM data associated with anomalous network activity and to protect all data gathered or retained to prevent unauthorized deletion or modification.
The limit of the standard’s applicability to medium-impact systems with ERC and all high-impact systems is in keeping with FERC’s original order. The commission also ordered NERC last year to examine the feasibility of implementing INSM in low-impact systems and medium-impact systems without ERC, but the ERO recommended against expanding the standard’s reach at this stage in a study submitted in January. (See NERC Recommends Phased Approach to INSM.)