December 22, 2024
FERC Proposes Further Cybersecurity Measures
Shutterstock
|
FERC issued two NOPRs indicating it will direct NERC to develop new cybersecurity standards.

FERC on Sept. 19 indicated its approval of NERC’s new reliability standard requiring utilities to implement internal network security monitoring (INSM) on some grid-connected cyber assets, while also floating the prospect of new standards aimed at securing the supply chain of critical electronic components. 

The commission issued two Notices of Proposed Rulemaking (NOPRs) at its monthly open meeting. The first indicated its plan to approve CIP-015-1 (Cybersecurity — INSM), which NERC submitted to FERC in June (RM24-7). It would require utilities to implement INSM at all high-impact grid-connected cyber systems, as well as medium-impact systems with external routable connectivity (ERC). (See NERC Submits INSM Standard for FERC Approval.) 

FERC ordered NERC to develop requirements for INSM last year, calling the proposal a necessary response to events like the SolarWinds hack of 2020. In that attack, malicious actors — later identified by U.S. law enforcement as belonging to Russia’s Foreign Intelligence Service — infiltrated the update channel for SolarWinds’ Orion network management software and pushed code to customers that the attackers could use to gain access to their systems. 

Commission staff said last year the compromise demonstrated a weakness of the kind of cybersecurity measures mandated in NERC’s Critical Infrastructure Protection (CIP) standards, which require a utility to monitor communications from the inside of its electronic security perimeter (ESP) — the electronic border around its internal network — to the outside. INSM could help security staff discover and respond to an attacker that already had infiltrated the system and did not need to communicate with external attackers, they said. 

CIP-015-1 would require registered entities to “implement one or more documented process(es) for [INSM] of networks … of high-impact [grid] cyber systems and medium-impact … systems with” ERC. Documented processes under the standard must include: 

    • network data feeds to monitor network activity, including connections, devices and network communications;
    • at least one method to detect anomalous network activity using the network data feeds; and
    • at least one method to evaluate anomalous activity to determine what additional action is needed. 

Entities also would have to implement documented processes to retain INSM data associated with anomalous network activity and to protect all data gathered or retained to prevent unauthorized deletion or modification. 

FERC’s NOPR proposed to accept CIP-015-1 but also described the standard in its current form as “not … fully responsive to the commission’s directive in Order 887 to implement INSM for the ‘CIP-networked environment.’” The commission specifically warned that the standard is not sufficient to “defend against attacks that circumvent network perimeter-based security controls.”

FERC said it’s concerned attackers may be able to compromise systems external to a utility’s ESP, such as electronic access control and monitoring systems (EACMS) or physical access control systems (PACS), and then use that control to establish access within the perimeter as a trusted communication. 

To address this potential shortcoming, the commission proposed approving CIP-015-1 while directing NERC to develop additional modifications to the standard “that would extend INSM to include EACMS and PACS outside the” ESP. The ERO would need to submit the revised standard to the commission within 12 months of the effective date of FERC’s final rule. Comment on “all aspects of this proposal” is due to FERC 60 days after the NOPR’s publication in the Federal Register. 

New Supply Chain Standards Proposed

FERC’s other NOPR proposed to direct NERC to address perceived gaps in the ERO’s standards concerning supply chain risk management (SCRM) (RM24-4). SCRM provisions are found in three existing standards: 

    • CIP-005-7 — Cybersecurity — electronic security perimeter(s); 
    • CIP-010-4 — Cybersecurity — configuration change management and vulnerability assessments; and 
    • CIP-013-2 — Cybersecurity — supply chain risk management. 

“Although the currently effective SCRM reliability standards provide a baseline of protection against supply chain threats, there are increasing opportunities for attacks posed by the global supply chain,” FERC said in its NOPR. “Using the global supply chain, adversaries have inserted counterfeit and malicious software, tampered with hardware and enabled remote access.” 

The gaps the commission identified in NERC’s standards relate to the sufficiency of entities’ SCRM plans as concern the identification, assessment and response to supply chain risks, as well as the applicability of the current standards to protected cyber assets. FERC said the current standards do not specify when and how entities should identify and assess supply chain risks; they also do not require entities to respond to supply chain risks through their SCRM plans. 

These gaps have led to “multiple gaps in SCRM” observed by FERC staff during their audits of responsible entities’ CIP compliance in fiscal 2023. (See FERC Report Identifies CIP Audit Lessons Learned.) Staff identified multiple SCRM-related security risks among the seven audited entities, most notably a “lack of consistency and effectiveness in SCRM plans for evaluating vendors and their supplied equipment and software.” Auditors also said many entities’ SCRM plans did not have procedures for responding to identified risks. 

FERC’s NOPR would have NERC submit new or modified standards establishing specific timing for entities to evaluate vendors and equipment to identify supply chain risks, along with periodic assessments of risks associated with vendors, products and services. The standards also would have to require entities to ensure their SCRM plans have steps to validate the accuracy and completeness of information received from vendors during the procurement process, and a process to document, track and respond to identified supply chain risks. 

As with the INSM proposal, the commission invited interested parties to submit comments on its intended actions. Comments are due 60 days after the NOPR’s publication in the Federal Register. 

CIP

Leave a Reply

Your email address will not be published. Required fields are marked *