Continuing a recent trend in which the Federal Energy Regulatory Commission ("FERC") has been directing the North American Electric Reliability Corporation ("NERC") to improve or maintain the reliability of the nation's energy infrastructure, FERC issued a Final Rule[1] directing NERC to develop standards and perform a study to address a regulatory gap in its cybersecurity protections for the Bulk Electric System ("BES").[2] Specifically, FERC directed NERC to develop and submit reliability standards requiring internal network security monitoring ("INSM") for high impact BES Cyber Systems[3] and medium impact BES Cyber Systems with high-speed internet connections and to study the feasibility of adding similar INSM requirements for low impact BES Cyber Systems.

The Notice of Proposed Rulemaking

FERC initiated this proceeding with a Notice of Proposed Rulemaking (the "NOPR") in early 2022.[4] In the NOPR, FERC raised the issue of a regulatory gap in Critical Infrastructure Protection ("CIP") reliability standards. The NOPR cautioned that the currently effective CIP Reliability Standards do not require INSM within trusted CIP-networked environments for BES Cyber Systems,[5] thereby exposing those environments to cyber risk and attack. In the NOPR, FERC considered whether to require INSM for all high and medium impact BES Cyber Systems.

INSM is a subset of network security monitoring that is applied within a "trust zone,"[6] such as an electronic security perimeter. INSM is designed to detect breaches of perimeter network defenses as early as possible by identifying malicious activity within a trust zone. INSM consists of three stages: (1) collection; (2) detection; and (3) analysis.[7] With INSM, an entity can observe communications between networked devices within a trust zone and detect malicious activity that has circumvented or penetrated perimeter controls.

In practice, INSM employs tools like anti-malware, intrusion detection systems, intrusion prevention systems, and firewalls. These tools can be used for collection, detection, and analysis (e.g., forensics) of an attempted breach. Additionally, some of the tools (e.g., anti-malware and firewalls) have the capability to prevent system intrusions. The goal of INSM is early detection and alerting of intrusions and malicious activity. Without INSM, an attacker could exploit a software vulnerability to gain administrator account privileges, move undetected inside the trust zone of the CIP-networked environment, or execute unauthorized code (e.g., a virus or ransomware).

The Final Rule

In directing NERC to develop new or modified standards that address security objectives that pertain to INSM, FERC stated that any new or modified CIP Reliability Standards should:

  1. address the need for responsible entities to develop baselines of their network traffic inside their CIP-networked environment;
  2. address the need for responsible entities to monitor and detect unauthorized activity, connections, devices, and software inside the CIP-networked environment; and
  3. require responsible entities to identify anomalous activity to a high level of confidence by:
    • logging network traffic;
    • maintaining logs and collecting other data regarding network traffic; and
    • implementing measures to minimize the ability of an attacker to remove evidence of its tactics, techniques, and procedures from compromised devices.[8]
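The three-stage model (collection, detection, analysis) and the three security objectives FERC listed above are easier to see in code than in regulatory prose. The following is an added example written for this article; it is not part of the Final Rule, the NOPR, or any NERC CIP standard. It models a trust zone as a set of flow records, learns a traffic baseline (objective 1), flags unknown devices and connections (objective 2), and keeps every record in a hash-chained, append-only log so that tampering with collected evidence is detectable (objective 3). All hosts, ports, protocols and flow records are constructed sample data, and the functions and class names are assumptions for illustration only.

```python
"""Toy internal network security monitoring (INSM) pipeline.

Added example, not part of the FERC order or any NERC standard. It models
the three stages FERC describes (collection, detection, analysis) and the
three objectives the Final Rule lists: a traffic baseline, detection of
unknown devices/connections, and tamper-evident logging. Every flow record
below is constructed sample data; hosts, ports and protocols are assumptions.
"""
import hashlib
import json
from collections import Counter

# --- Collection: constructed flows from inside an electronic security perimeter ---
BASELINE_FLOWS = [
    {"ts": 1, "src": "10.10.1.10", "dst": "10.10.1.20", "port": 502, "proto": "tcp"},  # HMI -> RTU
    {"ts": 2, "src": "10.10.1.10", "dst": "10.10.1.21", "port": 502, "proto": "tcp"},  # HMI -> RTU
    {"ts": 3, "src": "10.10.1.30", "dst": "10.10.1.10", "port": 443, "proto": "tcp"},  # historian -> HMI
    {"ts": 4, "src": "10.10.1.10", "dst": "10.10.1.20", "port": 502, "proto": "tcp"},
]

LIVE_FLOWS = [
    {"ts": 10, "src": "10.10.1.10", "dst": "10.10.1.20", "port": 502, "proto": "tcp"},  # normal
    {"ts": 11, "src": "10.10.1.99", "dst": "10.10.1.20", "port": 502, "proto": "tcp"},  # unknown device
    {"ts": 12, "src": "10.10.1.30", "dst": "10.10.1.21", "port": 22,  "proto": "tcp"},  # new pair/service
    {"ts": 13, "src": "10.10.1.30", "dst": "10.10.1.10", "port": 443, "proto": "tcp"},  # normal
]


def build_baseline(flows):
    """Objective 1: learn which devices exist and which (src, dst, port, proto) tuples are normal."""
    devices = set()
    pairs = Counter()
    for f in flows:
        devices.update((f["src"], f["dst"]))
        pairs[(f["src"], f["dst"], f["port"], f["proto"])] += 1
    return {"devices": devices, "pairs": pairs}


def detect(flow, baseline):
    """Objective 2: return alert reasons for one flow (empty list if it matches the baseline)."""
    reasons = []
    for host in (flow["src"], flow["dst"]):
        if host not in baseline["devices"]:
            reasons.append(f"unknown device {host}")
    key = (flow["src"], flow["dst"], flow["port"], flow["proto"])
    if key not in baseline["pairs"]:
        reasons.append(f"new connection {flow['src']}->{flow['dst']}:{flow['port']}/{flow['proto']}")
    return reasons


class EvidenceLog:
    """Objective 3: append-only, hash-chained log so a later deletion or edit is detectable."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []  # each entry: (record_json, chain_hash)
        self.prev = self.GENESIS

    def append(self, record):
        data = json.dumps(record, sort_keys=True)
        h = hashlib.sha256((self.prev + data).encode()).hexdigest()
        self.entries.append((data, h))
        self.prev = h
        return h

    def verify(self):
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = self.GENESIS
        for data, h in self.entries:
            if hashlib.sha256((prev + data).encode()).hexdigest() != h:
                return False
            prev = h
        return True


def run_insm(baseline_flows, live_flows):
    """Run collection -> detection -> analysis over the sample data; return (alerts, log)."""
    baseline = build_baseline(baseline_flows)
    log = EvidenceLog()
    alerts = []
    for f in live_flows:
        log.append(f)  # log every flow, not only alerts, so analysts can reconstruct activity
        reasons = detect(f, baseline)
        if reasons:
            alerts.append({"ts": f["ts"], "reasons": reasons})
            log.append({"alert": reasons, "ts": f["ts"]})
    return alerts, log


if __name__ == "__main__":
    alerts, log = run_insm(BASELINE_FLOWS, LIVE_FLOWS)
    for a in alerts:
        print(a["ts"], "; ".join(a["reasons"]))
    print("evidence log intact:", log.verify())
```

Run against the constructed data, the monitor raises two alerts: the never-before-seen host 10.10.1.99 talking to an RTU, and the historian opening an SSH-style connection to an RTU it has never reached before. A real deployment would learn its baseline over weeks of traffic rather than four records and would ship the log off-box, but the hash chain already illustrates the rule's point about limiting an attacker's ability to erase evidence of its activity from compromised devices.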

After considering the comments submitted in response to the NOPR, FERC directed NERC to develop CIP Reliability Standards that require INSM for CIP-networked environments for all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity.[9] In doing so, FERC recognized the need to prioritize the protection of certain BES Cyber Systems and to balance the limited resources available against the urgent need for improvement.[10] FERC opted not to extend the INSM requirement to all low impact BES Cyber Systems because there is no requirement for entities to identify their low impact BES Cyber Systems or electronic security perimeters for their low impact BES Cyber Systems.[11]

Standards Development Time

To emphasize the importance of the INSM reliability gap, FERC directed NERC to submit new or modified CIP Reliability Standards within 15 months of the effective date of the Final Rule.[12] FERC believes that a 15-month deadline would provide sufficient time for NERC to develop responsive new or modified standards within NERC's standards development process, noting that most of the complexities cited by NERC are resolved by FERC's decision not to extend INSM in this Final Rule to low impact BES Cyber Systems and to medium impact BES Cyber Systems without external routable connectivity.[13] While FERC declined to direct a specific implementation timeframe for any new or modified standards, it directed NERC to propose an implementation period that balances the various concerns raised by commenters with the need to timely address the identified gap in the CIP Reliability Standards pertaining to INSM.[14]

NERC Study and Report on INSM Implementation

Even though FERC declined to require INSM for medium impact BES Cyber Systems without external routable connectivity and all low impact BES Cyber Systems, it noted that extending INSM to all medium impact BES Cyber Systems and at least a subset of low impact BES Cyber Systems in the future could be necessary to protect the security and the reliability of the BPS.[15] Accordingly, FERC directed NERC to conduct a study to guide the implementation of INSM, or other mitigation strategies, for medium impact BES Cyber Systems without external routable connectivity and all low impact BES Cyber Systems. FERC directed that the study should focus on two main topics: (1) risk and (2) challenges and solutions.

As it pertains to risk, FERC directed NERC to collect information from registered entities on the number of low impact and medium impact BES Cyber Systems that would not be subject to the new or revised Reliability Standards, which would inform the scope of the risk from systems without INSM.[16] FERC also required NERC to provide an analysis regarding the substantive risks posed by BES Cyber Systems operating without the implementation of INSM.[17] Specifically, FERC directed NERC to determine the quantity of: (1) substation and generation locations that contain medium impact BES Cyber Systems without external routable connectivity; (2) low impact locations (including a breakdown by substations, generation resources, and control centers) that contain low impact BES Cyber Systems without external routable connectivity; and (3) locations that contain low impact BES Cyber Systems with external routable connectivity (including a breakdown by substations, generation resources, and control centers).[18] Lastly, FERC directed NERC to discuss the risks to the security of the BPS due to the lack of an INSM requirement for identified facilities.[19]

Regarding challenges and solutions, FERC directed NERC to identify the potential technological, logistical, or other challenges involved in extending INSM to additional BES Cyber Systems, as well as possible alternative actions to mitigate any risk posed by leaving some systems outside the regulation.[20] Some challenges include: (1) lengthy timelines for identifying the location of low impact BES Cyber Systems; (2) the need to add external routable connectivity at many medium impact BES Cyber Systems to effectively implement INSM; (3) a wider footprint for monitoring and detecting for larger entities; (4) shortages of qualified staff; and (5) supply chain constraints.[21] This study is due within 12 months of the Final Rule.

Implications

The Final Rule reflects FERC's commendable effort to address an important regulatory gap in the CIP Reliability Standards in a measured fashion. FERC considered comments regarding the practical challenges to the wider application of INSM and stepped back from the NOPR's proposal to require INSM for all high impact and medium impact BES Cyber Systems. Nevertheless, the time period for ultimate implementation of new or revised CIP Reliability Standards may be viewed as unnecessarily protracted and, hence, as presenting undue exposure for the nation's BES Cyber Systems at all impact levels. It remains to be seen whether FERC will be able to establish (perhaps by accelerating the implementation schedule proposed in response to the Final Rule) a regulatory compromise that reconciles identified implementation challenges with the nation's need to bolster its ability to deflect cyber attacks on the BES.