FERC Proposes to Strengthen Reliability Standards for Electric Grid Cyber Systems

The Federal Energy Regulation Commission (FERC) on Jan. 20 proposed to reinforce its Critical Infrastructure Protection reliability standards by demanding internal network security monitoring, or INSM, for high- and medium-impact bulk electric system cyber systems. Inclusion of INSM requirements in the reliability standards would complement current perimeter requirements for high- and medium-impact systems by enhancing visibility of communications within the network.

The commission proposes to direct the North American Electric Reliability Corporation to enhance and submit new and/or amended reliability standards to deal with a potential gap in the current standards. The proposal states that the current standards in place do not adequately address INSM.

Network security monitoring, amid existing reliability standards, focuses on defending the electronic security perimeter of networks. FERC is aiming to address concerns that the existing standards neglect potential shortcomings of the internal network to cyber threats. The agency aims to prevent unauthorized access to Bulk Electric System (BES) Cyber Systems at the network perimeter.

Under the latest proposal, the INSM deals with situations where suppliers or individuals with permitted access that are considered accountable may still introduce a cybersecurity risk. An example of this is the SolarWinds attack in 2020, which shows how sophisticated attackers can evade network perimeter-based security controls that are traditionally used to detect the early stages of an attack. As the attacker used an authenticated SolarWinds certificate, there was no reason for the company’s customers to suspect that compromised updates were installed.

In order to prevent this going forward, the latest INSM requirements into CIP reliability standards, would help to ensure utilities maintain visibility over activity in their protected networks. Incorporating the INSM would help detect a cyber attacker’s activities and allow utilities enough time to act before a potentially damaging cyberattack.

Comments on the proposed rulemaking are due within 60 days following publication in the Federal Register. Although focused on high and medium impact systems, the commission seeks comments regarding the usefulness and practicality of INSM to detect malicious activity in networks with low impact cyber systems.