FERC on June 26 approved NERC’s proposed reliability standard requiring utilities to implement internal network security monitoring (INSM) while ordering the ERO to modify the standard by extending its reach (RM24-7).
Acting during its monthly open meeting, the commission also withdrew a Notice of Inquiry to determine whether NERC’s Critical Infrastructure Protection (CIP) standards need further modification (RM20-12).
NERC submitted CIP-015-1 (Cybersecurity – INSM) in June 2024 in response to a 2023 directive from FERC. The commission called the proposal a necessary precaution against events like the SolarWinds hack of 2020, in which malicious actors — later identified by U.S. law enforcement as belonging to Russia’s Foreign Intelligence Service — infiltrated the update channel for SolarWinds’ Orion network management software and pushed code to customers that the attackers could use to gain access to their systems.
FERC said the SolarWinds compromise showed that the security measures mandated in the CIP standards at that point could be bypassed. Those standards required utilities to monitor communications crossing the electronic security perimeter (ESP), the electronic border around a utility's internal network, from the inside to the outside; traffic between systems inside the perimeter went unmonitored. Implementing INSM could help security staff discover attackers that had already gotten past the perimeter and were moving within the network, it said.
CIP-015-1 requires utilities to implement INSM for all high-impact grid-connected cyber systems with or without external routable connectivity (ERC), as well as medium-impact systems with ERC. The commission approved this requirement but indicated that further modification is needed in light of new developments since NERC submitted the standard.
FERC's requested changes stem from a clarification that NERC sought in its comments on a Notice of Proposed Rulemaking (NOPR) in November 2024. (See NERC Responds to FERC Cybersecurity NOPRs.) The ERO noted that the NOPR called on it to protect "all trust zones of the CIP-networked environment" but did not define the term "CIP-networked environment," which made the directive unclear.
In response, FERC specified that the term “does not cover all of a responsible entity’s network,” but it does include “the systems within the [ESP] and network connections among and between electronic access control or monitoring systems (EACMS) and physical access control systems (PACS) external to the [ESP].”
With this definition established, FERC ordered NERC to modify the standard to “extend INSM implementation to EACMS and PACS outside of the” ESP, which it called “known targets for malicious actors.” The commission gave NERC 12 months from the date of the order to file the modified standard; as for CIP-015-1, it will take effect 60 days after the date of publication of FERC’s final rule in the Federal Register.
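The three monitoring scopes the order turns on, perimeter-only (the pre-INSM CIP posture), INSM as approved in CIP-015-1 (traffic inside the ESP) and the extension FERC directed (EACMS and PACS outside the ESP as well), can be made concrete with a small scope-and-baseline check. The following Python is an added illustration, not code from the FERC order, NERC, or any utility; the network layout, addresses, flow records and baseline are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed layout; every address here is hypothetical, not from the order.
ESP = ip_network("10.10.0.0/24")                     # electronic security perimeter
EACMS_PACS = {ip_address("10.20.0.5"),               # access control/monitoring host outside the ESP
              ip_address("10.20.0.9")}               # physical access control host outside the ESP


@dataclass(frozen=True)
class Flow:
    """One observed connection: source, destination and destination port."""
    src: str
    dst: str
    dport: int


def in_esp(addr: str) -> bool:
    return ip_address(addr) in ESP


def in_cip_env(addr: str) -> bool:
    """FERC's 'CIP-networked environment': ESP systems plus EACMS/PACS outside the ESP,
    but not the rest of the entity's network."""
    return in_esp(addr) or ip_address(addr) in EACMS_PACS


def perimeter_sees(f: Flow) -> bool:
    """Pre-INSM CIP posture: only flows that cross the ESP boundary are inspected."""
    return in_esp(f.src) != in_esp(f.dst)


def cip015_sees(f: Flow) -> bool:
    """CIP-015-1 as approved: east-west traffic between systems inside the ESP."""
    return in_esp(f.src) and in_esp(f.dst)


def extended_sees(f: Flow) -> bool:
    """The directed extension: connections among and between EACMS/PACS outside the
    ESP and the ESP systems, i.e. both endpoints in the CIP-networked environment."""
    return in_cip_env(f.src) and in_cip_env(f.dst)


SCOPES = {"perimeter": perimeter_sees, "cip015": cip015_sees, "extended": extended_sees}

# Constructed baseline of expected (src, dst, dport) triples, as an INSM tool would
# learn during a baselining period.
BASELINE = {
    ("192.168.1.50", "10.10.0.10", 443),   # corporate jump host to HMI over HTTPS
    ("10.10.0.10", "10.10.0.30", 502),     # HMI polling a PLC over Modbus/TCP
    ("10.20.0.5", "10.10.0.10", 22),       # EACMS host administering the HMI
}

# Constructed sample flows, one "attack" among them in each unmonitored zone.
SAMPLE_FLOWS = [
    Flow("192.168.1.50", "10.10.0.10", 443),   # baselined, crosses the perimeter
    Flow("10.10.0.10", "10.10.0.20", 3389),    # lateral RDP inside the ESP, never crosses it
    Flow("10.10.0.10", "10.10.0.30", 502),     # baselined east-west traffic
    Flow("10.20.0.5", "10.20.0.9", 445),       # SMB between EACMS and PACS, both outside the ESP
    Flow("10.20.0.5", "10.10.0.10", 22),       # baselined, crosses the perimeter
]


def coverage(flows):
    """Indices of the flows each monitoring scope would inspect at all."""
    return {name: [i for i, f in enumerate(flows) if sees(f)] for name, sees in SCOPES.items()}


def anomalies(flows, sees, baseline):
    """Flows inside the given scope whose (src, dst, dport) is not in the baseline."""
    return [f for f in flows if sees(f) and (f.src, f.dst, f.dport) not in baseline]


if __name__ == "__main__":
    print(coverage(SAMPLE_FLOWS))
    for name, sees in SCOPES.items():
        print(name, [(f.src, f.dst, f.dport) for f in anomalies(SAMPLE_FLOWS, sees, BASELINE)])
```

Run as written, the perimeter-only scope inspects just the two boundary-crossing flows and flags nothing, because both are baselined; the CIP-015-1 scope picks up the lateral RDP flow inside the ESP; only the extended scope also picks up the EACMS-to-PACS flow that never touches the ESP. That gap between the second and third columns is the one the order directs NERC to close.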
The NOI that the commission withdrew was initiated in 2020 to identify potential gaps in the CIP standards, after FERC raised concerns that the then-current standards did not adequately address the rapidly evolving cybersecurity threat landscape. FERC based its questions on a review of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, asking stakeholders whether the standards provide sufficient protection regarding data security, detection of anomalies and events, and mitigation of cybersecurity events.
The commission noted in its June 26 order that most commenters on the NOI said the CIP standards, both those in existence and those under development at the time, "adequately addressed the … categories identified." Those that acknowledged gaps between the CIP standards and the NIST framework still warned that the two "serve fundamentally different purposes and … cautioned against an apples-to-apples comparison." (See Stakeholders Speak out on FERC CIP Concerns.)
FERC also acknowledged that since the NOI’s issuance, NERC and FERC have worked to improve the grid’s cybersecurity posture and address emerging risks. FERC cited multiple CIP standards approved since 2020 including CIP-015-1, CIP-003-9 (Cybersecurity – security management controls) and CIP-012-1 (Cybersecurity – communications between control centers). This progress, the commission said, justified closing the inquiry and the docket.