Internal network security monitoring (INSM) is a worthy tool for maintaining security on the power grid but will require a “solid foundation” to ensure it is effectively implemented in low- and medium-impact cyber systems, NERC said in a study submitted to FERC on Jan. 18 (RM22-3). 

FERC ordered NERC to study INSM last year in its order mandating that the ERO develop standards requiring INSM at high-impact cyber systems and medium-impact systems with external routable connectivity (ERC). (See FERC Orders Internal Cyber Monitoring in Response to SolarWinds Hack.) The commission said NERC should examine the feasibility of implementing INSM in low-impact cyber systems and medium-impact systems without ERC. 

As defined in FERC’s order, INSM is designed to detect “intrusions and malicious activity within a trusted network zone.” In the report, NERC elaborated that INSM works “under the assumption that attackers have already compromised the network perimeter, or that the attacker is an insider with trusted network access.” The ERO compared INSM to security cameras within a secure building, monitored by personnel who “are alert to anything that looks suspicious.” 

NERC’s study was based on information submitted by registered entities as part of a data request issued by the ERO last year. (See NERC Issues Cybersecurity Data Request.) Questions in the data request included the number of facilities with low- and medium-impact cyber systems, with and without ERC; network configurations for several types of medium-impact systems; and entities’ assessments of the challenges involved in extending INSM to more systems. 

NERC submitted both public and nonpublic versions of the report to the commission. The main difference is that information that the ERO considers Critical Energy/Electric Infrastructure Information is redacted from the public version on the grounds that it “could be useful to a person planning an attack on critical electric infrastructure.” 

In practice this means that most of the specific information based on registered entities’ responses — such as the location and type of low- and medium-impact systems, challenges with implementing INSM and attack surface area — is not available in the public version. 

However, NERC’s recommendations were still visible. The ERO determined that while INSM can help “detect and respond to the machine speed, scale and scope of cyberattacks,” extending the scope of NERC’s proposed INSM standards will require considerable time and effort. 

One reason for this is the “sheer number” of facilities with low-impact cyber systems, NERC said, along with the “wide variety of legacy systems,” particularly at low-impact facilities, that may not be compatible with modern INSM tools and technologies. Entities also expressed “pessimistic expectations” regarding the likely compliance requirements for standards requiring the implementation of INSM. 

Concerns were also raised about finding staff to add INSM measures to existing systems, with the industry already experiencing a shortage of personnel qualified to “perform [the] highly technical work.” 

In the report’s conclusion, NERC acknowledged the challenges of adding INSM to low- and medium-impact cyber systems but asserted that the measures are too important to ignore. The ERO recommended that its Reliability and Security Technical Committee lead industry in developing a “roadmap” for the improvement of cybersecurity controls, including a phased approach for updating the Critical Infrastructure Protection (CIP) standards to require INSM.