Citing the need for “constant monitoring and vigilance” to protect the bulk power system from cyberthreats, FERC directed NERC on Thursday to require utilities to implement internal network security monitoring (INSM) on certain cyber systems at BPS facilities (RM22-3).
The commission approved the draft final rule at its January open meeting, with all four commissioners voting in favor of the measure. Commissioner Allison Clements said the rule would plug a critical “gap in our current cybersecurity standards” and urged FERC to “be vigilant to keep that [regulatory] ground floor strong enough … to counter the evolving threat.”
Acting Chair Willie Phillips predicted that building consensus around a new standard would “not [be] an easy task” for NERC but said it was a job that must be completed.
“I’ve noted — and I know my colleagues have noted many times — that grid security, and cybersecurity in particular, are among our most important responsibilities regarding the [BPS], so I’m very happy to see that we are moving to finalize this rulemaking today,” Phillips said.
Final Rule Softens NOPR
FERC’s order expanding NERC’s Critical Infrastructure Protection (CIP) standards builds on a Notice of Proposed Rulemaking that the commission issued almost a year ago. (See FERC Proposes New Cybersecurity Standard.) The rule applies to all high-impact bulk electric system cyber systems, regardless of whether they have external routable connectivity (ERC), and to medium-impact BES cyber systems with ERC. “Bulk electric system” refers to those facilities subject to NERC’s reliability standards, a subset of the broader BPS.
FERC gave NERC 15 months to submit new or modified CIP standards requiring INSM in all applicable BES cyber systems. NERC would also need to submit, within 12 months, a report on the feasibility of implementing INSM on low-impact BES cyber systems and medium-impact systems without ERC.
“I’m very pleased that we are directing a firm 15-month deadline for NERC to propose the standards. … It’s hard; the processes take time, but it is imperative that we get this important cybersecurity measure in place as quickly as it is feasible,” Clements said.
The draft rule represents a slight softening of FERC’s original NOPR, which proposed requiring INSM in all high- and medium-impact BES cyber systems regardless of ERC. The commission’s order explained the change as an effort to “strike a proper balance” between commenters such as NERC and the regional entities, which supported the proposal in full, and those that warned about the difficulty and cost of implementing INSM on all cyber systems. (See ERO Backs FERC’s Cyber Monitoring Proposal.)
Order Plugs Cyber Monitoring Gap
Speaking at Thursday’s open meeting, Cesar Tapia of FERC’s Office of Electric Reliability described the proposed standards as a necessary response to events like the SolarWinds hack of 2020, through which thousands of public- and private-sector organizations — including FERC itself — were infected with malicious code. Tapia said the attack “demonstrated how an attacker can bypass all perimeter-based security controls traditionally used to identify malicious activity and compromise” electronic networks believed to be secure.
In response to a question from Phillips, Tapia explained that the classification of BES cyber systems as high-, medium- and low-impact is based on “the functions of the assets housed within each system and the risks they potentially pose to the reliable operation of the” BES. He added that registered entities determine the systems’ impact level themselves.
Asked how the presence of INSM can reduce time needed to discover and respond to a security compromise, Tapia said that attackers who have compromised one device on a network “typically [attempt] to compromise other devices within the network as well,” requiring them to “move from device to device.” Unlike other security controls, INSM can alert security staff to this kind of movement, contributing to a “defense in depth strategy.”
The timelines set by FERC will begin 60 days after the publication of the final rule in the Federal Register.