Search
May 6, 2024
FERC Orders Internal Cyber Monitoring in Response to SolarWinds Hack
Rule Requires Expansion of NERC CIP Standards
Cesar Tapia, FERC
Cesar Tapia, FERC | FERC
Jan 20, 2023 | Holden Mann
FERC ordered NERC to require utilities to implement internal network security monitoring on certain cyber systems at bulk power system facilities.

Citing the need for “constant monitoring and vigilance” to protect the bulk power system from cyberthreats, FERC directed NERC on Thursday to require utilities to implement internal network security monitoring (INSM) on certain cyber systems at BPS facilities (RM22-3).

The commission approved the draft final rule at its January open meeting, with all four commissioners voting in favor of the measure. Commissioner Allison Clements said the rule would plug a critical “gap in our current cybersecurity standards” and urged FERC to “be vigilant to keep that [regulatory] ground floor strong enough … to counter the evolving threat.”

Acting Chair Willie Phillips predicted that building consensus around a new standard would “not [be] an easy task” for NERC but said it was a job that must be completed.

“I’ve noted — and I know my colleagues have noted many times — that grid security, and cybersecurity in particular, are among our most important responsibilities regarding the [BPS], so I’m very happy to see that we are moving to finalize this rulemaking today,” Phillips said.

Final Rule Softens NOPR

FERC’s order expanding NERC’s Critical Infrastructure Protection (CIP) standards builds on a Notice of Proposed Rulemaking that the commission issued almost a year ago. (See FERC Proposes New Cybersecurity Standard.) The rule applies to all high-impact bulk electric system cyber systems, regardless of whether they have external routable connectivity (ERC), and to medium-impact BES cyber systems with ERC. “Bulk electric system” refers to those facilities subject to NERC’s reliability standards, a subset of the broader BPS.

FERC gave NERC 15 months to submit new or modified CIP standards requiring INSM in all applicable BES cyber systems. NERC would also need to submit, within 12 months, a report on the feasibility of implementing INSM on low-impact BES cyber systems and medium-impact systems without ERC.

“I’m very pleased that we are directing a firm 15-month deadline for NERC to propose the standards. … It’s hard; the processes take time, but it is imperative that we get this important cybersecurity measure in place as quickly as it is feasible,” Clements said.

The draft rule represents a slight softening of FERC’s original NOPR, which proposed requiring INSM in all high- and medium-impact BES cyber systems regardless of ERC. The commission’s order explained the change as an effort to “strike a proper balance” between commenters such as NERC and the regional entities, which supported the proposal in full, and those that warned about the difficulty and cost of implementing INSM on all cyber systems. (See ERO Backs FERC’s Cyber Monitoring Proposal.)

Order Plugs Cyber Monitoring Gap

Speaking at Thursday’s open meeting, Cesar Tapia of FERC’s Office of Electric Reliability described the proposed standards as a necessary response to events like the SolarWinds hack of 2020, through which thousands of public- and private-sector organizations — including FERC itself — were infected with malicious code. Tapia said the attack “demonstrated how an attacker can bypass all perimeter-based security controls traditionally used to identify malicious activity and compromise” electronic networks believed to be secure.

In response to a question from Phillips, Tapia explained that the classification of BES cyber systems as high-, medium- and low-impact is based on “the functions of the assets housed within each system and the risks they potentially pose to the reliable operation of the” BES. He added that registered entities determine the systems’ impact level themselves.

Asked how the presence of INSM can reduce time needed to discover and respond to a security compromise, Tapia said that attackers who have compromised one device on a network “typically [attempt] to compromise other devices within the network as well,” requiring them to “move from device to device.” Unlike other security controls, INSM can alert security staff to this kind of movement, contributing to a “defense in depth strategy.”

The timelines set by FERC will begin 60 days after the publication of the final rule in the Federal Register.

CIPFERC & FederalNERC & Committees
Keywordscritical infrastructure protection (CIP)cybersecurityFederal Energy Regulatory Commission (FERC)North American Electric Reliability Corp. (NERC)RM22-3SolarWinds
Holden Mann
Ballot Opens on Proposed GMD Revisions
More From This Author

Leave a Reply

Your email address will not be published. Required fields are marked *

We Recommend

1
NERC Seeks Comment on Changes to Mediation Procedures
May 1, 2024NERC & CommitteesHolden Mann
2
Ariz. Looks to Public Safety Power Shutoffs to Prevent Wildfires
Apr 29, 2024Regional EntitiesElaine Goodman
3
NERC’s Cancel, Hoptroff to Retire in 2025
Apr 29, 2024Standards/ProgramsHolden Mann
4
RF Levies $30K Penalty for Twin Ridges Oversights
Apr 29, 2024Regional EntitiesHolden Mann
5
FERC Proposes Adopting NAESB’s Latest Revisions
Apr 25, 2024Standards/ProgramsHolden Mann

Popular Stories

1
WRAP Participants Seek 1-Year Delay to ‘Binding’ Operations
Apr 22, 2024Resource AdequacyRobert Mullin
2
Ariz. Looks to Public Safety Power Shutoffs to Prevent Wildfires
Apr 29, 2024Regional EntitiesElaine Goodman
3
Gas, Electric Trade Associations Call for More Gas Infrastructure
Apr 16, 2024Regional EntitiesJon Lamson
4
DOE Urges Utilities to Embrace ‘Holistic’ Reliability Solutions
Apr 17, 2024Resource AdequacyHolden Mann
5
Industry Approves NERC’s Cyber Monitoring Standards
Apr 18, 2024Standards/ProgramsHolden Mann

Industry Gatherings