FERC on Thursday issued a Notice of Proposed Rulemaking that would direct NERC to expand its Critical Infrastructure Protection (CIP) reliability standards to cover internal communications (RM22-3).
The proposed standards would require registered entities to implement internal network security monitoring (INSM) for high- and medium-impact bulk electric system cyber systems (BCS), correcting what FERC staff called a “gap in the security standards” during Thursday’s open meeting.
Currently the CIP standards require a utility to monitor communications from the inside of its electronic security perimeter (ESP), the electronic border around the internal network to which BCS are connected, to the outside. The NOPR seeks to expand this monitoring to communications within the ESP, allowing “the earliest possible alerting and detection of intrusions and malicious activity” into the “trust zone” — the utility’s internal computing environment that is protected by the ESP.
As defined in FERC’s order, INSM is not a single process or piece of software but rather a set of practices for gaining visibility into an entity’s own system. It includes tools such as antimalware, intrusion detection and prevention systems, and firewalls; this software can have passive, information-gathering functions, active functions that block malicious network traffic, or both.
FERC’s order was motivated by recent cyberattacks, most prominently the SolarWinds hack of 2020. The hack of SolarWinds’ Orion management software, used by thousands of public- and private-sector organizations around the world (including FERC itself), left many of those entities with malicious code inside their systems. (See FERC, E-ISAC Report Details Reach of SolarWinds Compromise.) Last April the U.S. accused Russia’s Foreign Intelligence Service of perpetrating the original attack and later leveraging their access to gain network privileges to SolarWinds’ Microsoft 365 and Azure Cloud environments.
Because the compromised software came via Orion’s official update channel, the SolarWinds attack “demonstrated how an attacker can bypass all network perimeter-based security controls traditionally used to identify the early phases of an attack,” FERC staff said. Adding INSM to the CIP standards would give all entities the means to detect and respond to suspicious activity by software within the network by, for example, recording normal network traffic and using it as a baseline to flag anomalous activity for further investigation.
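As an added illustration of the baseline approach described above (this is not code from FERC, NERC or the NOPR), the script below learns which host pairs and services talk to each other inside an ESP during a learning window, then classifies later flows as baseline, a new service between known peers, or an entirely new peer pair. All addresses, ports and flow records are constructed for the example.

```python
from collections import Counter

# Constructed flow records observed inside the ESP during the learning window:
# (src, dst, dst_port, proto). Addresses and roles are hypothetical.
BASELINE_FLOWS = [
    ("10.10.1.5", "10.10.1.20", 502, "tcp"),    # HMI -> PLC, Modbus/TCP
    ("10.10.1.5", "10.10.1.20", 502, "tcp"),
    ("10.10.1.6", "10.10.1.20", 502, "tcp"),    # second HMI -> same PLC
    ("10.10.1.30", "10.10.1.5", 3389, "tcp"),   # jump host -> HMI, RDP
    ("10.10.1.5", "10.10.1.40", 514, "udp"),    # HMI -> syslog collector
]

# Constructed flows seen after the baseline was established.
NEW_FLOWS = [
    ("10.10.1.5", "10.10.1.20", 502, "tcp"),    # known, expected traffic
    ("10.10.1.5", "10.10.1.20", 22, "tcp"),     # known peers, never-seen service
    ("10.10.1.20", "10.10.1.30", 22, "tcp"),    # PLC initiating to jump host: new pair
]


def build_baseline(flows):
    """Learn the set of (src, dst, port, proto) tuples and the known peer pairs."""
    counts = Counter(flows)
    pairs = {(src, dst) for src, dst, _, _ in counts}
    return {"tuples": set(counts), "pairs": pairs, "counts": counts}


def classify(flow, baseline):
    """Label one flow relative to the learned baseline."""
    if flow in baseline["tuples"]:
        return "baseline"
    if (flow[0], flow[1]) in baseline["pairs"]:
        return "new service between known peers"
    return "new peer pair"


def find_deviations(flows, baseline):
    """Return (flow, label) for every flow that departs from the baseline."""
    labelled = [(f, classify(f, baseline)) for f in flows]
    return [(f, label) for f, label in labelled if label != "baseline"]


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for (src, dst, port, proto), label in find_deviations(NEW_FLOWS, base):
        print(f"INVESTIGATE: {src} -> {dst} {proto}/{port}: {label}")
```

Flows that match the baseline produce no alert; the two deviations are handed to an analyst rather than blocked, matching the passive, detection-oriented use of INSM the NOPR describes.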
“If [the hackers] do get in … you’d have enough awareness about that early to be able to take quick action to alleviate any concerns that might exist,” FERC Chairman Richard Glick said in a press conference following Thursday’s meeting. “Sometimes people get into your system using these perfectly legitimate pieces of software … and so, companies need to be vigilant not only about hackers getting in [but also] if people figure that out, let’s make sure that we have our defenses on internally to be able to address that as quickly as possible.”
For now, FERC is proposing to add INSM only to high- and medium-impact BCS, because those systems are defined in the CIP standards while low-impact BCS are not; the much greater variety among low-impact systems makes it difficult to apply uniform CIP requirements to them.
However, staff said in Thursday’s meeting that they “are seeking comments on the usefulness and practicality” of requiring INSM in low-impact systems, along with the potential challenges of implementing INSM in general, what hardware and software capabilities would be needed to achieve the NOPR’s security goals, and what a reasonable time frame would be for developing and implementing the new reliability standards.
Comments on the NOPR are due 60 days after its publication in the Federal Register.