Alexa, can you tell me when my grid is hacked?
A new addition to the NERC CIP regulation is coming for the electric sector requiring anomaly detection and internal network security monitoring to detect active attacks on critical systems.
The Short Story
Within the next 2-3 years, if you are a NERC Registered Entity with high impact or medium impact with ERC BES cyber systems, you will need to baseline your network traffic for all applicable cyber assets inside the ESP and look for anomalies beyond the traditional anti-malware and port-restriction controls already in place as part of the existing CIP standards. Examples of anomalies could be, among other things, accounts used in ways they shouldn’t be or new unexpected devices on the network or sending legitimate commands to control systems in ways that could stop or degrade the system. Further, you will need to record/log the traffic information and protect that information from misuse.
What happened?
On January 19th, FERC issued Order 887 directing NERC to draft regulation that would “require internal network security monitoring (INSM) for CIP-networked environments for all high impact bulk electric system (BES) Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity.”
This means that affected utilities would need to implement (if they haven’t already) a method for continuous network visibility of traffic within the protected CIP networks and detection of malicious activity that made it past the perimeter. It would apply to large control centers, some transmission substations, and a few generation plants.
Why now?
Whether intentional or not, the timing coincided with what feels like an annual cycle. Almost exactly a year earlier, FERC issued a Notice of Public Rulemaking (NOPR) on INSM giving everyone a chance to comment on their proposed direction. And almost exactly a year before that, similar INSM language was issued as part of the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, and within several Executive Orders around the same time. INSM has been building steam for the past few years and the message has been consistently echoed frequently through multiple official channels.
It is also important to note that “now” in FERC terms can translate into a long time. FERC directed NERC to complete their new standards within 15 months – which will be early Q2 of 2024. FERC can then take as long as they need to review and respond. For the sake of discussion, let’s speculate and say it will take them 4-6 months to respond – so Q4 of 2024 (or later). They can respond by remanding (rejecting), approving, or approval with new directives to fix areas they don’t like. If the new standards get full approval, then there will be an effective date sometime in the future, often between 12-18 months from the approval date – which would be possibly Q1-Q3 of 2026 as a reasonable window to see these standards go into effect and be auditable.
Regulation is slow, and there are all kinds of other snags that can extend this timeline. Could it happen sooner? Maybe, but it is unlikely unless some catalytic event (such as a cyber attack) forces some shortcuts to the usual process and timelines.
What security problems are we trying to solve?
The NERC CIP standards already cover the perimeter (CIP-005) with security controls, for instance, restricting the traffic allowed through the perimeter to the minimum necessary for operations and requiring all administrative (interactive) access to have multifactor authentication and go through a “jump host.”
The CIP standards also cover a wide range of security controls for the critical systems inside the protected network (CIP-007) such as restricting ports and services, security patch management, malicious code prevention, security event monitoring, and access control. System baselining, change management and vulnerability management are also required (CIP-010).
If we have required controls on the perimeter and on the systems inside the perimeter, where is the gap?
FERC states that the Order is designed to address situations “where vendors or individuals with authorized access are considered secure and trustworthy but could still introduce a cybersecurity risk” to an applicable system. For example, in the event of a compromised ESP, they believe that improving visibility within a network with INSM would increase the probability of early detection of malicious activities and would allow for quicker mitigation and recovery from an attack.
The details matter
Asking utilities to include network security monitoring and anomaly detection – as a concept – is a good idea. It makes sense to have this level of visibility into your critical networks. But when it comes to regulation, the details really do matter. Let’s take a closer look.
FERC expects the new requirements to cover three security objectives related to INSM.
The first is a network baseline, or in other words, a known set of normal and expected communications between all systems on the network. This can be challenging even on small networks with few systems, and FERC doesn’t provide any additional clues on how they expect this to be done or the level of depth of the baseline. For example, is this as simple as just knowing which systems are talking to each other, or does it mean specifics like the port, protocol, time of day, frequency, etc.? We will need to wait and see what the NERC drafting team produces here.
The second is monitoring and detecting unauthorized activity, connections, devices, and software inside the CIP-protected network. This is very difficult to do manually, and therefore it implies that a system will be needed to monitor and detect for these unauthorized items. The drafting team will have an interesting task of defining what constitutes unauthorized “activity” and “connections” in a way that can be audited.
Third, utilities will need to identify anomalous activity to a high level of confidence by: (1) logging network traffic (FERC notes that packet capture is one means of accomplishing this goal); (2) maintaining logs and other data collected regarding network traffic; and (3) implementing measures to minimize the likelihood of an attacker removing evidence of their tactics, techniques, and procedures from compromised devices. This set of (sub)requirements is the most specific, however they all involve a very significant amount of effort to achieve each.
What should you do?
If you haven’t already, at a minimum, start planning your implementation of INSM. For example, all INSM actions have a prerequisite of visibility into the network. This may require upgrades to network gear such as managed switches with span ports, or better yet, network taps in all key locations to get the necessary telemetry. Plan to capture information for all applicable CIP cyber assets. This new technology will need to be purchased (don’t forget about CIP-013) and it may make sense to refine your network architecture while doing this. In some situations, like generation and transmission facilities, this may require a network outage to complete the work. Getting everything prepared up front will help during implementation.
Next (or in parallel) begin thinking about how you are going to baseline your network. We don’t know what the drafting team(s) will produce, but we can expect that it will probably not be achievable with manual processes and spreadsheets. You will likely need a technology platform specifically designed for this. The great thing is that there are many out there to choose from. However, since everyone will be rushing to them at essentially the same time, it may make sense to do your evaluations and get in the queue early and avoid the supply/demand lesson.
Many of these technology platforms that will perform “baselining” can also do the monitoring, detecting, and alerting for unauthorized activity, connections, devices, and software inside the CIP-protected network.
As part of your planning, consider how you will be logging network traffic. Capacity (disk space) calculation will depend on the time/amount of logs required to be stored – as well as your network size and complexity. You won’t be able to guess this immediately, but you can start forming an idea of what you will need. Be mindful of backup systems and their capacity as well. Some are already considering their options to store this data in the cloud, and when the new versions of CIP-004 and CIP-011 are effective on January 1, 2024, you may have some interesting new choices.
Lastly, security controls to minimize the likelihood of an attacker removing evidence of their tactics, techniques, and procedures from compromised devices can be borrowed from other existing approaches such as NIST or IEC 62443. Even some of the new ransomware immutability technologies may make sense here.
These are just some quick tips and ideas scratching the surface of what is really needed to start exploring your level of effort to become compliant to this future standard. The ultimate language of the requirements will dictate the exact measures you will need to take but waiting until then to start thinking about your approach will only make your implementation efforts more challenging.
What’s on the horizon?
A drafting team will be formed comprised of industry (asset owners, product and service suppliers, trade organizations, etc.) to write the new regulation. If you are interested in participating, this is a great way to both shape the future of the standards but to also help your organization see what’s coming through a direct line into the development. Simply put, if you want to influence the outcome of this regulation, this is the most effective way. For those that don’t want to have a direct role in drafting, you can always provide comments along the way and listen in on the drafting team meetings.
Finally, there is a high likelihood that this regulation will also eventually apply to the rest of the medium and low impact NERC assets within the next few years after adoption. FERC directed NERC to submit a report “that studies the feasibility of implementing INSM at all low impact BES Cyber Systems and medium impact BES Cyber Systems without external routable connectivity.” This study and subsequent report are due within 12 months, so it would be a while, but this kind of action from FERC is often a clear signal of the direction they prefer and will ultimately choose.
[UPDATED March 24, 2023]
NERC has released the Proposed Data Request for Internal Network Security Monitoring under their Section 1600 Rules of Procedure authority, along with the link to the comment form and an unofficial comment form for review.
Stay tuned for more as this begins to take shape and we get a sense of where the drafting team will be headed. Also, check out our additional blog and podcast on this topic.