NERC is taking the pulse of industry again on its latest revisions to a proposed reliability standard requiring utilities to implement internal network security monitoring (INSM) after stakeholders rejected an attempt to pass the standard in March.
The ballot period for CIP-015-1 (INSM) will run from April 12-17, according to the page for Project 2023-03, which is developing the standard. A formal comment period for the standard began April 5 and will also end April 17.
In an email to stakeholders April 11, NERC said the project team had updated the redline version of CIP-015-1 after the comment period began because Requirement R1 of the redline used “security systems” instead of “cyber systems.” The updated redline is consistent with language in the clean version of the standard.
Balloting and comments for the most recent update to CIP-015-1 closed March 18, with stakeholders delivering a 48.52% segment-weighted vote in favor. A two-thirds majority is needed for passage. (See Industry Sends Back NERC Cyber Monitoring Standards.)
It was the first ballot for CIP-015-1 but the second for the entire project, because the original formal comment and ballot period that ended in January concerned a different standard conceived as a modification of CIP-007-6 (Cybersecurity — systems security management). The team decided to create a new standard after the ballot for CIP-007-6 was rejected overwhelmingly by industry with a segment-weighted vote in favor of just 15.42%.
The quick turnaround to a new comment period is a reflection of the tight deadline NERC is working under; FERC ordered the ERO in 2023 to submit standards requiring INSM by July 9 of this year (RM22-3). (See FERC Orders Internal Cyber Monitoring in Response to SolarWinds Hack.) NERC’s Standards Committee voted at its February meeting to reduce comment and ballot periods for the project to as little as 10 days to meet FERC’s target, having already approved shortening them to 20 days in August.
In the comment form for the standard, the team for Project 2023-03 outlined some of the changes made to the latest version of the standard. These include relatively minor alterations, such as adding generator owners to the list of applicable entities after inadvertently excluding them from the previous posting, in addition to more substantial revisions.
For example, requirement R1 and the associated metric both were revised, with language expanded and abbreviations removed “for consistency and clarity” regarding the methods by which entities should monitor network data activity for anomalous activity. Similarly, revisions to requirement R2 clarified the types of INSM data that entities should protect, and R3 was modified with a note that entities are “not required to retain detailed [INSM] data … that is not relevant to anomalous network activity” identified in other requirements.
If the standard meets the threshold for approval in this ballot round, the next step will be a five-day final ballot (shortened from the usual 10 days), after which the standard will be submitted to NERC’s Board of Trustees for adoption. The next board meeting is scheduled for May 8.