NERC has submitted to FERC its proposed cybersecurity reliability standard requiring utilities to implement internal network security monitoring (INSM) software on select grid cyber systems (RM24-7).
The commission in 2023 ordered the ERO to develop requirements for INSM, calling the proposal a necessary response to events like the SolarWinds hack of 2020. (See FERC Orders Internal Cyber Monitoring in Response to SolarWinds Hack.) In that attack — now attributed to Russia’s Foreign Intelligence Service by the U.S. — malicious hackers infiltrated the update channel for SolarWinds’ Orion network management software and used their access to push code to customers that the attackers could use to gain access to their systems.
When the attack was first discovered, nearly 18,000 SolarWinds customers were thought to have been compromised, including the U.S. Department of Energy and FERC, although SolarWinds has since claimed fewer than 100 customers were affected.
NERC’s Critical Infrastructure Protection (CIP) standards require a utility to monitor communications from the inside of its electronic security perimeter (ESP) — the electronic border around its internal network — to the outside. FERC staff said last year the SolarWinds compromise “demonstrated how an attacker can bypass all perimeter-based security controls traditionally used to identify malicious activity” and that implementing INSM could reduce the time needed to discover and respond to a security compromise.
FERC’s order called on NERC to submit standards requiring INSM at all high-impact grid-connected cyber systems, as well as medium-impact systems with external routable connectivity (ERC), by July 9, 2024. The commission limited its order to high- and medium-impact systems because those systems are defined in the CIP standards.
FERC previously sought input from ERO stakeholders on whether low-impact systems should be included as well (RM22-3). However, industry commenters warned this measure would impose a large compliance burden on utilities for relatively little return. Even the ERO Enterprise said adding low-impact systems would require “extensive revisions” to the CIP standards in order to define the term. (See ERO Backs FERC’s Cyber Monitoring Proposal.)
NERC assigned the INSM standard development to Project 2023-03, which initially conceived its work as a modification of CIP-007-6 (Cybersecurity — systems security management). But the initial ballot for the proposed CIP-007-X was rejected overwhelmingly by industry with a segment-weighted vote in its favor of just 15.42%. A two-thirds majority is needed for passage.
Following the rejection, the team changed its approach to create a new standard, CIP-015-1 (INSM). This standard underwent another unsuccessful round of voting in March before receiving industry approval in a shortened ballot period the following month. (See Industry Approves NERC’s Cyber Monitoring Standards.) NERC’s Board of Trustees voted to accept the standard and submit it to FERC for approval at its meeting in May.
CIP-015-1 would require registered entities to “implement one or more documented process(es) for [INSM] of networks … of high-impact [grid] cyber systems and medium-impact … systems with” ERC. Documented processes under the standard must include:
- network data feeds to monitor network activity, including connections, devices and network communications;
- at least one method to detect anomalous network activity using the network data feeds; and
- at least one method to evaluate anomalous activity to determine what additional action is needed.
Entities also would have to implement documented processes to retain INSM data associated with anomalous network activity and to protect all data gathered or retained to prevent unauthorized deletion or modification.
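The three process elements above (a network data feed, a detection method, an evaluation method) plus the retention and integrity requirement map onto a small, concrete pipeline. The following Python is an added illustration written for this article, not code from NERC, the standard drafting team or any INSM vendor. It assumes a constructed set of flow records from a hypothetical electronic security perimeter (the 10.10.1.0/24 addresses, ports and timestamps are made up), learns a baseline of expected device-to-device communications, flags flows that deviate from it, assigns a follow-up action, and stores the findings in an HMAC-linked chain so that modification or deletion of a retained record can be detected. The signing key is a placeholder; in practice it, or the write-once store it stands in for, would live outside the monitored systems.

```python
"""Toy INSM pipeline: baseline east-west traffic inside an ESP, flag deviations,
decide what to do next, and retain the evidence in a tamper-evident chain."""
import hashlib
import hmac
import json
from typing import Dict, List, Set, Tuple

# Constructed sample flow records (hypothetical ESP, not captured traffic).
# Fields: timestamp, source IP, destination IP, destination port, protocol.
Flow = Tuple[str, str, str, int, str]
Pair = Tuple[str, str, int, str]

BASELINE_FLOWS: List[Flow] = [
    ("2024-05-01T00:00:05", "10.10.1.10", "10.10.1.20", 502, "tcp"),    # HMI -> PLC (Modbus)
    ("2024-05-01T00:00:07", "10.10.1.10", "10.10.1.21", 502, "tcp"),    # HMI -> second PLC
    ("2024-05-01T00:00:09", "10.10.1.30", "10.10.1.10", 443, "tcp"),    # historian -> HMI
    ("2024-05-01T00:00:12", "10.10.1.20", "10.10.1.30", 20000, "tcp"),  # PLC -> historian (DNP3)
]

OBSERVED_FLOWS: List[Flow] = [
    ("2024-05-02T03:14:01", "10.10.1.10", "10.10.1.20", 502, "tcp"),    # expected
    ("2024-05-02T03:14:03", "10.10.1.30", "10.10.1.20", 22, "tcp"),     # historian opens SSH to a PLC
    ("2024-05-02T03:14:05", "10.10.1.99", "10.10.1.10", 445, "tcp"),    # host never seen inside the ESP
    ("2024-05-02T03:14:08", "10.10.1.20", "10.10.1.30", 20000, "tcp"),  # expected
]

# Placeholder key for the retention store; a real deployment keeps it off the monitored hosts.
RETENTION_KEY = b"placeholder-insm-retention-key"
GENESIS = "0" * 64


def build_baseline(flows: List[Flow]) -> Dict[str, Set]:
    """Learn which devices exist and which (src, dst, port, proto) tuples are normal."""
    devices: Set[str] = set()
    pairs: Set[Pair] = set()
    for _ts, src, dst, dport, proto in flows:
        devices.update((src, dst))
        pairs.add((src, dst, dport, proto))
    return {"devices": devices, "pairs": pairs}


def detect_anomalies(flows: List[Flow], baseline: Dict[str, Set]) -> List[dict]:
    """Flag flows involving unknown devices or unbaselined connection tuples."""
    findings = []
    for ts, src, dst, dport, proto in flows:
        reasons = [f"unknown device {h}" for h in (src, dst) if h not in baseline["devices"]]
        if (src, dst, dport, proto) not in baseline["pairs"]:
            reasons.append("unbaselined connection")
        if reasons:
            findings.append({"ts": ts, "src": src, "dst": dst, "dport": dport,
                             "proto": proto, "reasons": reasons})
    return findings


def evaluate(finding: dict) -> str:
    """Decide what additional action a finding needs (the standard's third element)."""
    if any(r.startswith("unknown device") for r in finding["reasons"]):
        return "escalate: unknown device inside ESP"
    return "review: new communication between known devices"


def _tag(body: str) -> str:
    return hmac.new(RETENTION_KEY, body.encode(), hashlib.sha256).hexdigest()


def retain(findings: List[dict], prior: str = GENESIS) -> List[dict]:
    """Store each finding with its action, linked to the previous record by HMAC."""
    records = []
    for f in findings:
        body = json.dumps({**f, "action": evaluate(f), "prev": prior}, sort_keys=True)
        tag = _tag(body)
        records.append({"body": body, "tag": tag})
        prior = tag
    return records


def verify_chain(records: List[dict], genesis: str = GENESIS) -> bool:
    """Return False if any record was altered or removed from the middle or start of the chain.
    Removal of trailing records is only detectable if the last tag is also anchored elsewhere."""
    prev = genesis
    for rec in records:
        if not hmac.compare_digest(_tag(rec["body"]), rec["tag"]):
            return False
        if json.loads(rec["body"]).get("prev") != prev:
            return False
        prev = rec["tag"]
    return True


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    hits = detect_anomalies(OBSERVED_FLOWS, base)
    for h in hits:
        print(h["ts"], h["src"], "->", h["dst"], h["dport"], h["reasons"], "=>", evaluate(h))
    print("chain intact:", verify_chain(retain(hits)))
```

The baseline here is a plain allow-list of observed tuples; a production INSM deployment would learn over a longer window, account for protocol semantics, and feed its findings into the entity's incident response process. The point of the chain is only to make tampering with retained evidence visible, which is what the standard's protection requirement asks for.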