Updated May 2, 2024: NERC CIP requirements for Internal Network Security Monitoring (INSM) continue to make progress, with the new CIP-015-1 standard and implementation plan approved in the final ballot period. Concluding on April 30, 2024, this was an expedited seven-day ballot period allowing stakeholders to vote on whether they approve the new standard and its accompanying implementation plan.
The next steps involve submitting the standard (CIP-015-1) and its implementation plan to the NERC Board of Trustees. The Board’s role is to review and adopt the standard, ensuring it aligns with broader regulatory and security objectives.
Once adopted by the Board, the standard is then filed with the appropriate regulatory authorities, likely including the Federal Energy Regulatory Commission (FERC). This filing makes the standard formally recognized and enforceable under U.S. federal regulations.
Background:
In 2023, the Federal Energy Regulatory Commission (FERC) proposed new security requirements for high- and medium-impact bulk electric system facilities. The proposal would require these facilities to "maintain visibility over communications between networked devices." More specifically, FERC has directed the North American Electric Reliability Corporation (NERC) to develop new or modified Critical Infrastructure Protection (CIP) reliability standards that require internal network security monitoring (INSM) for CIP-networked environments.
The CIP Reliability Standards have traditionally focused on protecting the electronic security perimeter of networks. However, FERC has identified a gap in these standards as they do not adequately address potential vulnerabilities within the internal network to cyber threats. In order to address this issue, FERC is directing NERC to integrate INSM requirements into these standards. INSM provides ongoing visibility of communications between networked devices within a trusted zone and detects malicious activity that has bypassed perimeter controls. Additionally, INSM allows for early detection of anomalous network activity, indicating a potential attack, increasing the chances for quick mitigation and recovery.
The order was for NERC to develop new or modified CIP reliability standards that are forward-looking, objective-based, and address three security objectives that pertain to INSM.
The new standards proposed by FERC will be applied to all high-impact and medium-impact bulk electric system (BES) cyber systems with external routable connectivity.
FERC wrote: “We find that, while the CIP Reliability Standards require monitoring of the electronic security perimeter and associated systems for high and medium impact BES Cyber Systems, the CIP-networked environment remains vulnerable to attacks that bypass network perimeter-based security controls traditionally used to identify the early phases of an attack. This presents a gap in the currently effective CIP Reliability Standards.”
INSM Developments in Review
January 2022:
FERC made the proposed rule for new security requirements for high- and medium-impact bulk electric system facilities.
January 2023:
FERC published the final rule, ordering NERC to develop new or modified Critical Infrastructure Protection (CIP) reliability standards that require internal network security monitoring (INSM) for CIP-networked environments.
December 2023:
NERC released its first draft for the new INSM requirements, initially as an addition to CIP-007.
January 2024 – Assessment of Low-Impact Requirements
NERC submitted its feasibility report on implementing INSM for certain categories of Bulk Electric Systems (BES), focusing on 'low impact BES' and 'medium impact BES without external routable connectivity (ERC)'.
While advising continued INSM implementation at originally scoped BES, NERC proposed the NERC, E-ISAC and FERC continue to monitor risk and needs to update the roadmap for INSM for lower impact systems. The report emphasized the importance of not implementing INSM as a “bolt-on” control - there needs to be a solid foundation established for this.
The high‐level roadmap for low impact would include:
February 2024 – CIP-015-01 As A Distinct New Standard:
Based on the feedback received during the initial posting, the DT decided to create a new reliability standard, designated as Reliability Standard CIP-015-1. This revised approach is clearer to the objective of detecting and evaluating anomalous network activity. NERC opened the second draft for a formal comment period on "CIP-015-01 – Cyber Security – Internal Network Security Monitoring".
Concurrently, CIP-007 will be restored to its previously enforced version.
Comments on the first draft of CIP-015-1 were taken from February 27 through March 18. There were 73 sets of responses, including comments from approximately 160 different people from approximately 102 companies.
April 2024:
Draft 2 of CIP-015-01 was released, with some language clarifications. Comments were taken from April 5-April 17. Additional ballots for the standard and implementation plan were conducted, along with a non-binding poll of the associated Violation Risk Factors and Violation Severity Levels. The final ballot resulted in approval.
The CIP-015-1 standard had an approval of 76.57% with a quorum of 93.36%.
The implementation plan had an approval of 82.1% with a quorum of 93.31%.
Next:
As mentioned, the next steps involve submitting the standard (CIP-015-1) and its implementation plan to the NERC Board of Trustees for review and adoption. Once adopted by the Board, the standard will be filed with the appropriate regulatory authorities, likely including the Federal Energy Regulatory Commission (FERC), making it formally recognized and enforceable under U.S. federal regulations.
--
Navigating Security & Compliance
The development of INSM requirements underlines the necessity for organizations to continuously enhance their visibility and monitoring strategies, aligning them with these emerging requirements. Staying abreast of these developments is not just about compliance, but also about fortifying network security in an increasingly digital world.
The importance of enhancing visibility within network environments remains critical. Organizations should be proactive in establishing clear baselines and differentiating between secure and vulnerable aspects of their network.
These new requirements echo debates around security vs. compliance – whether any given organization is actually pursuing a high level of security or just meeting the requirements set forth by various regulations and industry standards. Some argue that a focus on compliance can distract from achieving a truly secure environment and may lead to a "check the box" mentality, where an organization is more focused on meeting the letter of the law rather than the spirit of it. However, compliance often serves as a foundation for ensuring that organizations have the appropriate security controls in place.
Overall, security and compliance are interrelated and both are important to protect the organization from different types of risks. Compliance can be seen as a basic requirement for security, which should be followed by further actions, controls and program to continuously improve security maturity.
Industrial Defender helps organizations both meet compliance needs and strengthen overall security. We have long been strategic partners for electric utilities in meeting NERC CIP requirements and making it easier to pass their audits. We also deliver deeper-level asset data and vital endpoint information, along with historical context and change detection, to identify cyber risks and mature security postures beyond basic requirements.
To learn more about how we can partner with the power & electric utilities industry, please visit https://www.industrialdefender.com/industries/electric-utilities-cybersecurity.