The Federal Energy Regulatory Commission (FERC) has published a final action notice that approves proposed Reliability Standard CIP-015-1 (Cyber Security—Internal Network Security Monitoring), which the North American Electric Reliability Corporation (NERC) submitted in response to a Commission directive. In addition, the Commission directs NERC to develop certain modifications to proposed Reliability Standard CIP-015-1 to extend internal network security monitoring to include electronic access control or monitoring systems and physical access control systems outside of the electronic security perimeter.
The Commission also clarified the meaning of the term "CIP-networked environment" (Critical Infrastructure Protection-networked environment) as it is used in proposed Reliability Standard CIP-015-1, noting that the CIP-networked environment includes traffic inside an electronic security perimeter but also extends beyond that perimeter.
The CIP-networked environment includes the systems within the electronic security perimeter as well as the network connections among and between electronic access control or monitoring systems (EACMS) and physical access control systems (PACS) external to the electronic security perimeter. Defending against attacks that originate outside the electronic security perimeter is necessary because such attacks may compromise systems such as EACMS and PACS and then enter the perimeter as trusted communication. For that reason, EACMS and PACS are included in the CIP-networked environment.
“With this clarification, it is apparent that Reliability Standard CIP-015-1, which requires INSM only within the electronic security perimeter, is not fully compliant with the Commission’s directive in Order No. 887,” the FERC wrote in a notice published last week in the Federal Register. “Therefore, pursuant to section 215(d)(5) of the FPA, we direct NERC to develop further modifications to proposed Reliability Standard CIP-015-1, within 12 months of the effective date of the final rule in this proceeding, to extend INSM to include EACMS and PACS outside of the electronic security perimeter.”
At last month’s FERC meeting, the NERC CIP-015-1 standard was formally approved. It signals a significant shift for the North American electric sector, mandating internal network security monitoring of industrial control systems (ICS) within the electronic security perimeter, moving beyond protection at the network edge.
Last September, the Commission issued a Notice of Proposed Rulemaking (NOPR) proposing to approve proposed Reliability Standard CIP-015-1 as just, reasonable, not unduly discriminatory or preferential, and in the public interest. While proposing to approve the proposed Reliability Standard CIP-015-1, the Commission also proposed to direct that NERC develop modifications to the Reliability Standard to address a reliability gap.
Specifically, the FERC stated that proposed Reliability Standard CIP-015-1 does not fully implement the scope of protection contemplated in Order No. 887 because it limits internal network security monitoring implementation to within the electronic security perimeter, instead of extending it to the entire CIP-networked environment.
The action takes effect on Sept. 2 of this year. FERC said it agreed with NERC, OpenPolicy, and the trade associations that proposed Reliability Standard CIP-015-1 will improve detection of anomalous, malicious, or unauthorized network activity, assisting responsible entities in responding to cyber attacks within the electronic security perimeter.
“We determine that improved detection and response to cyber attacks and visibility into east-west communication—lacking in other CIP Reliability Standards—will improve the security posture of the electric industry, strengthening the reliability of the Bulk-Power System,” FERC said in the notice. “Further, we find that proposed Reliability Standard CIP-015-1 fulfills the directive in Order No. 887 to require responsible entities to implement INSM for all high impact BES Cyber Systems and medium impact BES Cyber Systems with external routable connectivity, albeit only within the electronic security perimeter. Additionally, proposed Reliability Standard CIP-015-1 satisfies the directive in Order No. 887 that the Reliability Standard address the three security objectives for east-west network traffic.”
FERC added that it declined to direct NERC to modify the proposed Standard to address OpenPolicy’s recommendations. “We note, however, that responsible entities, in addition to implementing the INSM requirements set forth in proposed Reliability Standard CIP-015-1, may voluntarily choose to adopt additional INSM practices such as those recommended by OpenPolicy. Moreover, OpenPolicy or other entities may advocate for OpenPolicy’s recommendations in the NERC Reliability Standard development process.”
The Commission recognizes that NERC, in modifying the Standard in response to the directive in this final rule, retains the ability to propose an equally efficient and effective solution for determining which EACMS and PACS outside of the electronic security perimeter should be covered by the Standard.
“However, we caution that Trade Associations’ approach appears to fall short of that criteria as it would leave a reliability gap that malicious actors could exploit by using EACMS and PACS outside the electronic security perimeter to penetrate the electronic security perimeter,” FERC highlighted. “The additional clarity provided in this final rule should be sufficient for the drafting team to develop a Reliability Standard that is fully responsive to the directive in Order No. 887 to implement INSM within the CIP-networked environment.”
FERC also reminded responsible entities that they will determine how to implement INSM based on their own architecture and tools (subject to oversight by the compliance enforcement authority), even though revised Reliability Standard CIP-015-1 mandates which cyber assets are subject to INSM requirements. In practice, that could mean setting incident alert thresholds and creating baselines for network activity so that responsible entities are alerted only to network traffic that shows indicia of malicious intent, reducing the potential for false positives and alert fatigue.
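The baseline-and-threshold approach described above, as an added illustration that is not part of the FERC notice or of NERC CIP-015-1 itself: flows seen during a learning window form the baseline, only new flows or flows far above their learned volume raise alerts, and alerts for traffic entering the electronic security perimeter from EACMS or PACS are ranked highest. The asset inventory, zone labels, IP addresses and flow records are constructed sample data.

```python
from collections import defaultdict

# Constructed asset inventory; zone labels follow the notice's terminology.
ASSET_ZONE = {
    "10.1.1.10": "ESP", "10.1.1.11": "ESP", "10.1.1.12": "ESP",  # inside the ESP
    "10.2.0.5": "EACMS",   # access-control host outside the ESP
    "10.3.0.7": "PACS",    # physical access controller outside the ESP
}

def zone(ip):
    return ASSET_ZONE.get(ip, "UNKNOWN")

def build_baseline(flows):
    """Record, per (src, dst, dport), the largest byte count seen in the learning window."""
    base = defaultdict(int)
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        base[key] = max(base[key], f["bytes"])
    return dict(base)

def detect(baseline, flows, volume_factor=10):
    """Alert only on flows absent from the baseline or far above their learned volume."""
    alerts = []
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        if key not in baseline:
            reason = "new flow"
        elif f["bytes"] > volume_factor * baseline[key]:
            reason = "volume exceeds threshold"
        else:
            continue  # matches baseline: no alert, which limits alert fatigue
        # Traffic entering the ESP from EACMS/PACS is the gap the notice highlights.
        crossing = zone(f["src"]) in ("EACMS", "PACS") and zone(f["dst"]) == "ESP"
        alerts.append({**f, "reason": reason, "severity": "high" if crossing else "medium"})
    return alerts

# Constructed learning-window flows (normal operation).
LEARNING = [
    {"src": "10.1.1.10", "dst": "10.1.1.11", "dport": 502, "bytes": 1200},
    {"src": "10.1.1.11", "dst": "10.1.1.12", "dport": 502, "bytes": 800},
    {"src": "10.2.0.5", "dst": "10.1.1.10", "dport": 22, "bytes": 4000},
]
# Constructed observation-window flows.
OBSERVED = [
    {"src": "10.1.1.10", "dst": "10.1.1.11", "dport": 502, "bytes": 1100},   # normal, no alert
    {"src": "10.3.0.7", "dst": "10.1.1.12", "dport": 445, "bytes": 5000},    # PACS -> ESP, never seen
    {"src": "10.1.1.12", "dst": "10.1.1.10", "dport": 3389, "bytes": 700},   # new east-west flow in ESP
    {"src": "10.2.0.5", "dst": "10.1.1.10", "dport": 22, "bytes": 90000},    # known flow, ~22x volume
]

def run():
    return detect(build_baseline(LEARNING), OBSERVED)
```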
The Commission solicits comments on the need for this information, whether the information will have practical utility, the accuracy of the burden estimates, ways to enhance the quality, utility, and clarity of the information to be collected or retained, and any suggested methods for minimizing respondents’ burden, including the use of automated information techniques.
FERC said that it bases its paperwork burden estimates on the additional paperwork burden presented by the proposed revision to Reliability Standard CIP-015-1, as this is a new proposed Reliability Standard. “Reliability Standards are objective-based and allow entities to choose compliance approaches best tailored to their systems. Reliability Standard CIP-015-1 does not require applicable entities to submit any filings with either the Commission or NERC as the ERO. Entities, however, are required to maintain documentation adequate to demonstrate compliance with the Reliability Standard.”
It added that the Commission and NERC staff conduct periodic audits of entities, and that auditors rely on the entity's documentation in determining compliance with a Reliability Standard. While entities retain flexibility in how they choose to demonstrate compliance, the Reliability Standard includes Compliance Measures providing examples of the type of documentation an entity may want to develop and maintain to demonstrate compliance.
“Based on our consideration of the record, we adopt the 12-month deadline proposed in the NOPR,” the notice added. “While we recognize that parties might benefit from additional time, we are not persuaded at this time that additional time is needed to address the modifications directed in this order. To the extent NERC concludes during the standards drafting process that additional time is needed, NERC may request, and the Commission will consider whether to grant an extension at that time.”
Last week, the FERC withdrew its notice of inquiry and terminated the related rulemaking proceeding in Docket No. RM20-12-000. The notice of inquiry had requested public comment on whether the CIP Reliability Standards in place at the time sufficiently addressed cybersecurity risks related to data security, detection of anomalies and events, and mitigation of cybersecurity incidents. The withdrawal will become effective July 31.