In a 20-day ballot period that ended March 18, industry stakeholders voted down NERC’s proposed reliability standard that would require entities to implement internal network security monitoring (INSM) on certain cyber systems.
As a result of the ballot, which saw the proposed CIP-015-1 receive a 48.52% segment-weighted vote for approval — a two-thirds majority is required for passage — the standard will be sent back to the standard drafting team for Project 2023-03 for revision. Future ballot periods for the standard may be shortened in accordance with a decision by NERC’s Standards Committee at its February meeting to authorize reducing additional comment and ballot periods to as little as 10 days. (See NERC Committee Greenlights Shortened INSM Comments.)
The SDT created CIP-015-1 after a previous proposed standard, CIP-007-X (Cybersecurity — systems security management), failed to pass its initial comment and ballot period in January with only a 15.42% segment-weighted approval. Due to feedback received during that comment period, team members said they felt creating a new standard would “ensure that the purpose and requirements [of the standard] are clear and allow for future expansion if necessary.”
Although this technically was the first ballot for CIP-015-1, NERC elected not to form a new ballot pool, keeping the same stakeholders that voted on CIP-007-X. The project’s page on NERC’s website said no changes will be made to CIP-007, which “will revert to the currently enforced version,” CIP-007-6.
Respondents generally were supportive of breaking out the security monitoring requirements into a new standard, although some commenters asked why the SDT hadn’t gone further. James Keele and Gail Golden, both representing Entergy, pointed out that “other standards already require [cybersecurity] monitoring,” naming CIP-003-8 (Security management controls), CIP-005-7 (Cybersecurity — electronic security perimeter(s)), CIP-007-6 and CIP-010-4 (Cybersecurity — configuration change management and vulnerability assessments).
Keele and Golden suggested the SDT consolidate the security monitoring requirements from those standards into the new standard as well. An unnamed commenter representing the Tennessee Valley Authority shared similar sentiments — though only mentioning CIP-007 and CIP-003 to be consolidated — as did Alain Mukama from Hydro One Networks.
Keele and Golden also expressed reservations about requirement R1 of the proposed standard, which directs registered entities to “identify network data collection location(s) and method(s) by implementing a risk-based approach focused on network security risks.” Their comments said the wording of the requirement was not “clearly aligned with expectations in the measures [section of the standard] and the technical rationale,” putting entities at risk of being found noncompliant in audits.
“The wording of CIP-015-1 R1.1 … appears to provide entities the latitude to identify [data collection locations and methods] based on risk, but without an expectation of an exceedingly robust methodology and without an expectation to consider all possible network data collection locations,” Keele and Golden said. “The requirement should be updated to … start with a list of all/many [network monitoring] locations and apply well-defined risk criteria … against that list to arrive at the final locations subject to the program.”
Cain Braveheart, writing on behalf of the Bonneville Power Administration, also suggested the requirement’s language “leaves it open for auditor interpretation” and that “some level of deference must be offered to an entity’s risk management approach,” or that NERC should “create auditor guidance on what a risk-based approach looks like.” He also asked the SDT to “clarify the term ‘locations’ in the requirement, adding context currently only found in the technical rationale.”
NERC’s Standards Committee will hear an update on Project 2023-03 at its upcoming meeting on March 20; the SDT will meet the following day to consider its next steps. The ERO considers the INSM effort a high-priority project because FERC has ordered it to submit standards requiring INSM by July 9 of this year. (See FERC Orders Internal Cyber Monitoring in Response to SolarWinds Hack.)