On January 19, 2023, the U.S. Federal Energy Regulatory Commission (FERC) issued a final rule (RM22-3) (the Rule) directing the North American Electric Reliability Corporation (NERC) to develop and submit for approval reliability standards that require internal network security monitoring (INSM) within a trusted Critical Infrastructure Protection (CIP) networked environment for all high-impact bulk electric system (BES) cyber systems and medium-impact BES cyber systems with external routable connectivity. FERC also directed NERC to study all low-impact BES cyber systems and medium-impact BES cyber systems without external routable connectivity (Other BES). NERC has 15 months to submit its proposed reliability standards for approval and 12 months to submit a report on its study of the Other BES.
FERC indicated that while the currently effective CIP reliability standards offer broad cybersecurity protection, particularly on preventing unauthorized entry at the outer edges of a network, they have a noticeable gap — namely, the current standards do not address potential malicious movement within a network. If a hacker is able to bypass or penetrate the perimeter, it can move around undetected and potentially gain control over the systems that are supposed to be protected, including equipment used to run the grid. As an example, FERC pointed to the 2020 cyberattack involving SolarWinds, a widely used IT infrastructure management software. In that instance, a threat actor gained access to the SolarWinds environment, pushed malicious code through legitimate updates, and allowed the adversary to gain remote access and network privileges, which permitted the actor to manipulate identity and authentication mechanisms. The attack bypassed traditional network perimeter-based security controls because the update was installed with an authenticated SolarWinds certificate. FERC’s Rule is intended to improve detection, prevention, and recovery in respect of malicious activity by setting heightened standards and requirements for internal monitoring.
The Rule follows on from FERC’s Notice of Proposed Rulemaking (NOPR) issued January 20, 2022, with respect to INSM. FERC received 22 sets of comments to the NOPR from a variety of parties. Commenters generally agreed that implementing INSM as an additional layer of cybersecurity protection would offer tangible benefits but differed on the desirable scope of the directive to NERC. Several stakeholders requested that FERC limit the directive to INSM for high-impact BES cyber systems, but FERC ultimately determined that medium-impact BES cyber systems with external routable connectivity should also be covered.
The Rule reaffirms FERC’s three security objectives identified in the NOPR:
First, any new or modified CIP Reliability Standards should address the need for each responsible entity to develop a baseline for their network traffic, specifically for security purposes. Second, any new or modified CIP Reliability Standards should address the need for responsible entities to monitor for and detect unauthorized activity, connections, devices, and software inside the CIP-networked environment. Third, any new or modified CIP Reliability Standards should address the ability to support operations and response by requiring responsible entities to ensure that anomalous activity can be identified to a high level of confidence by: (1) logging network traffic at a sufficient level of detail; (2) maintaining logs and other data collected regarding network traffic; and (3) implementing measures to minimize the likelihood of an attacker removing evidence of their tactics, techniques, and procedures.
In the Rule, FERC indicated its agreement with stakeholders that the CIP reliability standards should be objective, technology neutral, and provide flexibility to entities to address the foregoing three objectives.
The Rule recognizes the challenges associated with extending the INSM reliability standards to medium-impact BES cyber systems without external routable connectivity. The challenges include the sheer number of such systems, which pose staffing and resource constraints and can possibly cause supply chain constraints to fully implement. FERC also found that the benefits of implementing INSM reliability standards with respect to Other BES would not outweigh the associated costs; it would be difficult to implement or audit given the current lack of visibility of such systems. Accordingly, FERC directed NERC to submit a report assessing the risks, implementation challenges, and potential solutions for extending INSM reliability standards to the Other BES in the future.
In declining to extend the INSM reliability standards to Other BES, FERC found 15 months to be sufficient for NERC to develop responsive standards. However, FERC did not provide a specific implementation timeframe and left that task to NERC.