FERC’s proposal to add internal network security monitoring (INSM) to NERC’s Critical Infrastructure Protection (CIP) reliability standards is an “appropriate approach to address” the growing risk of cyber penetration into secure electronic networks, NERC and the regional entities said last week.
The ERO Enterprise asked to take the lead in the process to implement the commission’s plan (RM22-3).
However, in their comments on FERC’s proposal, NERC and the REs — along with other stakeholders — also warned FERC not to act too quickly on forcing through changes to the CIP standards. One of the commission’s suggestions — to impose INSM on low-impact bulk electric system cyber systems (BCS) — proved especially unpopular, with some respondents urging FERC to drop the idea altogether.
FERC suggested modifying the CIP standards in January, issuing a Notice of Proposed Rulemaking that would add INSM — defined as a set of practices or tools for network visibility including anti-malware, intrusion detection and prevention systems, and firewalls — for high- and medium-impact BCS. (See FERC Proposes New Cybersecurity Standard.) In its order, the commission also called for comments on whether low-impact BCS should be included in the standards effort as well.
The NOPR was prompted by recent cyberattacks in which hackers gained access to the internal networks of target organizations. In particular, commission staff cited the SolarWinds hack of 2020, in which attackers — later identified by the U.S. as officers of Russia’s Foreign Intelligence Service — penetrated the official update channel of SolarWinds’ Orion network management software and distributed malicious code to thousands of public and private sector organizations worldwide.
Staff said the SolarWinds attackers “bypassed all network perimeter-based security controls traditionally used to identify the early phase of an attack” and left the victim organizations with no way to detect the attackers’ activities once they were inside the network. They warned that because the CIP standards currently only require a utility to monitor communications crossing the boundary of its electronic security perimeter (ESP) — the electronic border around the internal network to which BCS are connected — utilities that do not implement INSM have no visibility into traffic that stays inside the ESP and are vulnerable to similar tactics.
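To make the point concrete, the following is an added example (not code from the article or from FERC/NERC) that contrasts the two monitoring vantage points described above. It classifies a handful of constructed flow records against an assumed ESP address range: the perimeter view keeps only flows that cross the ESP boundary, which is all an electronic access point sees, while the INSM view inspects east-west flows inside the ESP and flags any host-to-host conversation that is not in an assumed baseline of expected control-system traffic. The subnet, the baseline pairs and the log lines are all hypothetical.

```python
"""Perimeter-only vs. internal network security monitoring (INSM) over flow logs.

Added illustration; the ESP range, the baseline and the flow lines below are
constructed for this example and do not come from any real utility.
"""
import ipaddress
import re

# Assumed ESP address space: hosts inside it are the BES Cyber Systems.
ESP = ipaddress.ip_network("10.20.0.0/24")

# Assumed baseline of expected intra-ESP conversations: (src, dst, dport).
# In practice this would be learned from a clean capture and reviewed by
# the asset owner; here it is hand-written.
BASELINE = {
    ("10.20.0.10", "10.20.0.20", 502),   # HMI -> RTU, Modbus/TCP
    ("10.20.0.10", "10.20.0.30", 502),   # HMI -> second RTU
}

# Constructed flow-log lines in a simple key=value format.
SAMPLE_LOG = """\
src=10.20.0.10 dst=10.20.0.20 dport=502
src=10.20.0.10 dst=10.20.0.30 dport=502
src=10.20.0.5 dst=10.20.0.20 dport=445
src=10.20.0.5 dst=10.20.0.30 dport=22
src=10.20.0.50 dst=198.51.100.7 dport=443
src=203.0.113.9 dst=10.20.0.10 dport=3389
"""

FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def parse_flows(text):
    """Return a list of (src, dst, dport) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.append((m.group(1), m.group(2), int(m.group(3))))
    return flows


def in_esp(ip):
    return ipaddress.ip_address(ip) in ESP


def perimeter_view(flows):
    """Flows visible at the ESP boundary: exactly one endpoint is inside."""
    return [f for f in flows if in_esp(f[0]) != in_esp(f[1])]


def insm_alerts(flows, baseline=BASELINE):
    """Intra-ESP flows (both endpoints inside) that are not in the baseline.

    These never touch the electronic access point, so perimeter monitoring
    cannot see them; an internal sensor can.
    """
    return [
        f for f in flows
        if in_esp(f[0]) and in_esp(f[1]) and f not in baseline
    ]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("Perimeter sees:", perimeter_view(flows))
    print("INSM alerts:  ", insm_alerts(flows))
```

Run as a script, the perimeter view reports only the two boundary-crossing flows (the outbound 443 and the inbound 3389), while the INSM view raises alerts on the engineering workstation at 10.20.0.5 opening SMB and SSH sessions to the RTUs, the kind of lateral movement the staff comments describe as invisible to perimeter controls. A real deployment would replace the hand-written baseline with one learned from traffic and would also watch for protocol anomalies, not just new peer pairs.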
Fears About Size, Complexity of Task
In its response, the ERO Enterprise emphasized that it “appreciates the risks identified in the NOPR” and agreed with the idea of incorporating INSM requirements into the CIP standards. Promoting awareness of “components or activities on [utilities’] systems” has been a major focus of the ERO for some time, the comments said, referring to NERC’s previous work with FERC staff on supply chain vendor identification. (See FERC, NERC Offer Cyber Supply Chain Guidance.)
NERC and the REs were not alone in their support, both for the principle that utilities should have insight into their networks and for how the commission hoped to achieve the goal. The ISO/RTO Council (IRC) called INSM “a necessary and valuable security practice,” while the Bonneville Power Administration (BPA) said it “supports the commission in recognizing INSM as an important cybersecurity protection that entities should begin deploying.”
But not all respondents were wholehearted in their approval of the proposal. A group of trade associations, including the Edison Electric Institute, the American Public Power Association, the National Rural Electric Cooperative Association, and the Electric Power Supply Association, said that “INSM holds significant potential” to promote electric reliability, but that the technology faces “significant obstacles” in the near term, mainly that there are currently few subject matter experts “capable of working with the technology,” while the technology itself is also not widely available.
Many commenters were similarly concerned about pushing utilities into investing in technologies or practices that are not yet fully mature. The North American Generator Forum (NAGF) pointed out that “all high and medium BCS are not the same” and said that a network monitoring approach may work on one system but not another. In addition, NAGF warned that encrypted network traffic would be impossible to monitor unless it is all routed through a central location with universal encryption keys. Such a location would inevitably become a “high value target for attackers,” its comment said.
Respondents resisted even more strongly the idea of requiring INSM at low-impact BCS: Idaho Power noted that such systems, “by their very definition,” pose little risk to the BES, and as a result the benefit of implementing network monitoring is likewise small. Similarly, the utility said systems without external routable connectivity (ERC) — whether low- or medium-impact — cannot have INSM installed without also adding ERC. Imposing INSM on these systems may not be worth the cost, particularly since systems without ERC face a far lower risk of remote compromise.
This sentiment won many supporters. Even the ERO Enterprise, while supporting “considering” INSM on low-impact systems, said that adding this requirement to the CIP standards would require “extensive revisions” because the standards do not currently require entities to identify individual low-impact BCS, only the assets that contain them. BPA went further, arguing that any mandate for internal network monitoring should apply only to high-impact systems, at least initially, with application to medium-impact systems — only those with ERC, for reasons similar to Idaho Power’s — coming later.
Respondents across the board urged FERC not to move too quickly in forcing INSM on utilities, considering the cutting-edge nature of the technology. NERC and the REs suggested that the commission “defer to NERC regarding the timeline for any standards development” due to the “complex considerations” faced by the ERO and industry stakeholders.
“While the ERO Enterprise intends to act expeditiously to support any directed standards revisions, [it] respectfully requests the Commission not impose deadlines that could hamper thoughtful deliberations on technical considerations, scalability and manageability for responsible entities of all sizes, and whether any further implementation requirements may be necessary,” the ERO said.