NERC Initiates Data Collection on INSM for Low Impact CIP Assets

NERC has initiated the Internal Network Security Monitoring (INSM) Data Request in response to a directive from FERC. This effort aims to gather data on the risks of not implementing INSM in medium and low impact BES Cyber Systems. NERC is collecting information from utilities in the electric power industry regarding facility numbers, network configurations, malicious code detection, implementation challenges, and alternative solutions. The data must be submitted by July 25, 2023.

THE SHORT STORY (TL;DR)

In January, FERC ordered NERC to include Internal Network Security Monitoring (INSM) in the CIP Standards, but only for high and some of the medium impact systems. At the same time, FERC also ordered NERC to do a study on the state of INSM in the rest of the medium impact and all of the low impact systems. To perform this study, NERC recently issued a data request to gather the information needed. This blog talks about the questions asked by NERC, and offers some commentary on the type and nature of possible responses to them.

WHAT HAPPENED?

In response to a directive from the Federal Energy Regulatory Commission (FERC), NERC has initiated a comprehensive data collection effort known as the Internal Network Security Monitoring (INSM) Data Request. This data request aims to gather information to support a detailed study on the risks associated with the absence of INSM in medium (without ERC) and low impact BES Cyber Systems.

WHY DID IT HAPPEN?

On January 19th, 2023, FERC issued Order No. 887, directing NERC to develop and propose new or modified Critical Infrastructure Protection (CIP) Reliability Standards for INSM within CIP networked environments (behind the Electronic Security Perimeter, or ESP). It was specific to high impact BES Cyber Systems with and without external routable connectivity (ERC) and medium impact BES Cyber Systems with ERC.

Additionally – and specific to this new data request – Order No. 887 mandated NERC to perform a comprehensive study to assess the ongoing risks arising from the absence of INSM in medium impact without ERC and low impact BES Cyber Systems (essentially, all other NERC CIP applicable cyber assets not covered by the above directive).

WHO IS IN SCOPE?

To accomplish FERC’s directed study, NERC is now actively collecting data from all applicable Registered Entities within the electric power industry.

  • Balancing Authorities (BA)

  • Generator Owners (GO)

  • Generator Operators (GOP)

  • Reliability Coordinators (RC)

  • Transmission Owners (TO)

  • Transmission Operators (TOP)

  • Distribution Providers (DP)

WHAT DATA ARE THEY COLLECTING?

The first part of the Data Request seeks specific quantitative and qualitative information related to various aspects of locations containing the relevant BES Cyber Systems:

  1. NERC Compliance Registry number

  2. Entity Contact Information

  3. Quantity of substation and generation locations containing medium impact BES Cyber Systems with ERC

  4. Quantity of substation and generation locations containing medium impact BES Cyber Systems without ERC

  5. Quantity of substation, generation, and Control Center locations containing low impact BES Cyber Systems with ERC

  6. Quantity of substation, generation, and Control Center locations containing low impact BES Cyber Systems without ERC

  7. The estimated percentages, totaling 100%, of network configurations for medium impact BES Cyber Systems without ERC, of the following types:

    1. Completely IP-based

    2. Majority IP-based with minimal serial (or other non-IP connectivity)

    3. Completely serial (or other non-IP connectivity)

    4. Majority serial (or other non-IP connectivity) with minimal IP-based connectivity

    5. Approximately 50/50 mix of IP-based and serial (or other non-IP connectivity) present at location

  8. The estimated percentages, totaling 100%, of network configurations for low impact BES Cyber Systems, of the following types:

    1. Completely IP-based

    2. Majority IP-based with minimal serial (or other non-IP connectivity)

    3. Completely serial (or other non-IP connectivity)

    4. Majority serial (or other non-IP connectivity) with minimal IP-based connectivity

    5. Approximately 50/50 mix of IP-based and serial (or other non-IP connectivity) present at location

  9. Independently rate each of the following listed potential technological, logistical, or other challenges involved in extending INSM to both medium impact without ERC and all low impact – from (1) least challenging to (5) most challenging:

    1. Implementation of INSM may require equipment retrofit and network redesign

    2. Compliance burden associated with implementing INSM

    3. The overall costs associated with INSM (e.g., implementation, maintenance, support)

    4. Technical supply chain constraints (e.g., hardware/software availability)

    5. Shortages of qualified staff (e.g., implementation, maintenance, support)

    6. INSM implementation may require expanding ERC at some BES Cyber System locations, thereby increasing the attack surface

    7. (Optional) Other challenges

  10. Provide the estimated percentage of low impact BES Cyber Systems that currently have network based malicious code detection. Malicious code detection can be accomplished either internally to the BES Cyber System network or at the BES Cyber System network boundary.

  11. (Optional) List recommended alternative solutions or controls to mitigate the risk posed to BES Cyber Systems operating without INSM

  12. (Optional) For existing implementations of INSM at current BES Cyber System locations, what solutions (e.g., vendors, products, and service providers) are deployed?

    1. For high impact BES Cyber Systems

    2. For medium impact BES Cyber Systems with ERC

    3. For medium impact BES Cyber Systems without ERC

    4. For low impact BES Cyber Systems

COMMENTARY

Asking for the numbers on assets/facilities that fall out of scope of the high impact and medium impact with ERC applicability factors (Qs 1-6) seems like a no-brainer. My only question is: don’t we already have this information from previous Section 1600 Data Requests and possibly through other means?

As for the types of network configurations (Qs 7-8), I think it’s useful and appropriate that they abstracted a bit and only asked for estimated percentages.

For the qualitative assessment items in Q9, I would be surprised if many utilities would put anything other than a 5 for these. To get an idea on why this effort is so challenging, see our other posts on what is needed to actually implement INSM…

For Q10, given that the current Low Impact standards don’t require it, and don’t have any adjacent or even implied requirements around malicious code detection (the closest possibility would be incident response), I’d be surprised if this number is very high. The sheer number of Low Impact assets/facilities makes this a significant cost and support issue for many.

For Q11, it’s optional, but it’s definitely worth responding. This is where the industry should get creative. It’s your best shot at reducing the scope and impact of the pending regulation. But this is also a trick question. If the industry comes back with a bunch of bogus, insufficient, or otherwise ineffective “alternative solutions,” then it will appear that they are just trying to get around being regulated. These solutions should be clear, concise, and effective. For best results, use/reference existing controls from other standards, regulations, frameworks, etc.

Q12 is another optional question, but I’m mixed on how much information I’d recommend providing for this one. I’m leaning toward responding, but only with high-level information and very little specific detail on actual vendors, products, and service providers. Rather, just state the types of technologies or platforms without actual names.

WHEN IS IT DUE?

July 25, 2023. Respond via the ERO Portal.

WHAT TO DO NEXT?

The initiation of the Internal Network Security Monitoring (INSM) Data Request should be taken seriously. Give it appropriate time, do your internal research, and answer as accurately as possible. By providing the most genuine, accurate, least diversionary, clear, and concise responses (referencing other existing controls within the CIP Standards or other standards/frameworks/regulations) we can hope for the best possible outcome. Stonewalling and trying to introduce “flexibilities” hasn’t been effective in the past and this will likely continue to be true with this effort as well.