Internal Network Security Monitoring for High and Medium Impact Bulk Electric System Cyber Systems, 8354-8368 [2023-01453]

Download as PDF 8354 Federal Register / Vol. 88, No. 27 / Thursday, February 9, 2023 / Rules and Regulations MGMRY, AL GONDR, AL RSVLT, GA SINCA, GA UGAAA, GA ECITY, SC STYLZ, NC BONZE, NC MCDON, VA NUTTS, VA WAVES, VA TAPPA, VA COLIN, VA SHLBK, MD PRNCZ, MD Smyrna, DE (ENO) JIIMS, NJ Coyle, NJ (CYN) DIXIE, NJ Kennedy, NY (JFK) KEEPM, NY Calverton, NY (CCC) YANTC, CT Boston, MA (BOS) * * * * * WP WP WP FIX WP WP WP WP WP FIX WP FIX FIX WP WP VORTAC WP VORTAC FIX VOR/DME FIX VOR/DME WP VOR/DME ACTION: Issued in Washington, DC, on February 6, 2023. Brian Konie, Acting Manager, Airspace Rules and Regulations. [FR Doc. 2023–02766 Filed 2–8–23; 8:45 am] BILLING CODE 4910–13–P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission 18 CFR Part 40 [Docket No. RM22–3–000; Order No. 887] Internal Network Security Monitoring for High and Medium Impact Bulk Electric System Cyber Systems Federal Energy Regulatory Commission, Department of Energy. AGENCY: (Lat. (Lat. (Lat. (Lat. (Lat. (Lat. (Lat. (Lat. (Lat. (Lat. (Lat. (Lat. (Lat. (Lat. (Lat. (Lat. (Lat. (Lat. (Lat. (Lat. (Lat. (Lat. (Lat. (Lat. 32°13′20.78″ 32°22′01.98″ 32°36′55.43″ 33°04′52.28″ 33°56′51.32″ 34°25′09.62″ 35°24′22.83″ 35°52′09.16″ 36°40′29.56″ 37°04′34.16″ 37°35′13.54″ 37°58′12.66″ 38°05′59.23″ 38°20′16.21″ 38°37′38.10″ 39°13′53.93″ 39°32′15.62″ 39°49′02.42″ 40°05′57.72″ 40°37′58.40″ 40°50′14.77″ 40°55′46.63″ 41°33′22.81″ 42°21′26.82″ N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, N, long. long. long. long. long. long. long. long. long. long. long. long. long. long. long. long. long. long. long. long. long. long. long. long. 086°19′11.24″ 085°45′57.08″ 085°01′03.81″ 083°36′17.52″ 083°19′28.42″ 082°47′04.58″ 082°16′07.01″ 081°14′24.10″ 079°00′52.03″ 078°12′13.69″ 077°26′52.03″ 076°50′40.62″ 076°39′50.85″ 076°26′10.51″ 076°05′08.20″ 075°30′57.49″ 074°58′01.72″ 074°25′53.85″ 074°09′52.17″ 073°46′17.00″ 073°32′42.58″ 072°47′55.89″ 071°59′56.95″ 070°59′22.37″ Final action. 
The Federal Energy Regulatory Commission (Commission) is directing the North American Electric Reliability Corporation (NERC) to develop and submit within 15 months of the effective date of this final action for Commission approval new or modified Reliability Standards that require internal network security monitoring within a trusted Critical Infrastructure Protection networked environment for all high impact bulk electric system (BES) Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity. In addition, the Commission directs NERC to perform a study of all low impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems without external routable connectivity, as set SUMMARY: W) W) W) W) W) W) W) W) W) W) W) W) W) W) W) W) W) W) W) W) W) W) W) W) forth in the final action, and to submit its study report to the Commission within 12 months of the issuance of this final action. DATES: This final agency action is effective April 10, 2023. FOR FURTHER INFORMATION CONTACT: Cesar Tapia (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502–6559, cesar.tapia@ferc.gov. Leigh Faugust (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502–6396, leigh.faugust@ferc.gov. Seth Yeazel, Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502–6890, seth.yeazel@ferc.gov. SUPPLEMENTARY INFORMATION: Table of Contents khammond on DSKJM1Z7X2PROD with RULES Paragraph No. I. Introduction ............................................................................................................................................................................... II. 
Background ............................................................................................................................................................................... A. Section 215 and the Mandatory Reliability Standards .................................................................................................. B. Internal Network Security Monitoring ............................................................................................................................ C. Notice of Proposed Rulemaking ....................................................................................................................................... III. Need for Reform ...................................................................................................................................................................... IV. Discussion ............................................................................................................................................................................... A. Overview ........................................................................................................................................................................... B. INSM for High and Medium Impact BES Cyber Systems .............................................................................................. 1. Comments ................................................................................................................................................................... 2. Commission Determination ....................................................................................................................................... C. INSM for Low Impact BES Cyber Systems ..................................................................................................................... 1. 
Comments ................................................................................................................................................................... 2. Commission Determination ....................................................................................................................................... D. Security Objectives ........................................................................................................................................................... 1. Comments ................................................................................................................................................................... 2. Commission Determination ....................................................................................................................................... E. Standards Development Timeframe ................................................................................................................................. 1. Comments ................................................................................................................................................................... VerDate Sep<11>2014 16:00 Feb 08, 2023 Jkt 259001 PO 00000 Frm 00006 Fmt 4700 Sfmt 4700 E:\FR\FM\09FER1.SGM 09FER1 1 7 7 8 13 18 23 23 31 32 48 59 61 67 69 70 76 80 81 Federal Register / Vol. 88, No. 27 / Thursday, February 9, 2023 / Rules and Regulations 8355 Paragraph No. 2. Commission Determination ....................................................................................................................................... F. NERC Study and Report on INSM Implementation ....................................................................................................... V. Information Collection Statement ........................................................................................................................................... VI. 
Environmental Analysis ......................................................................................................................................................... VII. Regulatory Flexibility Act ..................................................................................................................................................... VIII. Document Availability ......................................................................................................................................................... IX. Effective Date and Congressional Notification ..................................................................................................................... I. Introduction khammond on DSKJM1Z7X2PROD with RULES 1. Pursuant to section 215(d)(5) of the Federal Power Act (FPA),1 the Commission directs the North American Electric Reliability Corporation (NERC) to develop new or modified Critical Infrastructure Protection (CIP) Reliability Standards that require internal network security monitoring (INSM) for CIP-networked environments for all high impact bulk electric system (BES) Cyber Systems 2 with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity.3 Further, the Commission directs NERC to submit a report within 12 months of issuance of this final action that studies the feasibility of implementing INSM at all low impact BES Cyber Systems 4 and medium impact BES Cyber Systems without external routable connectivity (i.e., BES Cyber Systems not subject to 1 16 U.S.C. 824o(d)(5) (The Commission may order the Electric Reliability Organization to submit to the Commission a proposed reliability standard or a modification to a reliability standard that addresses a specific matter if the Commission considers such a new or modified reliability standard appropriate to carry out this section.). 
2 BES Cyber Systems are defined as ‘‘one or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks.’’ See NERC, Glossary of Terms Used in NERC Reliability Standards (2022) (NERC Glossary), https://www.nerc.com/pa/Stand/Glossary%20of %20Terms/Glossary_of_Terms.pdf. BES Cyber Systems are categorized as high, medium, or low impact depending on the functions of the assets housed within each system and the risk they potentially pose to the reliable operation of the Bulk-Power System. Reliability Standard CIP–002– 5.1a (BES Cyber System Categorization) sets forth criteria that registered entities apply to categorize BES Cyber Systems as high, medium, or low impact depending on the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. The impact level (i.e., high, medium, or low) of BES Cyber Systems, in turn, determines the applicability of security controls for BES Cyber Systems that are contained in the remaining CIP Reliability Standards (i.e., Reliability Standards CIP–003–8 to CIP–013–1). 3 NERC defines external routable connectivity as the ‘‘ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.’’ See NERC Glossary. 4 For ease of reference, low impact BES Cyber Systems include those with and without external routable connectivity. VerDate Sep<11>2014 16:00 Feb 08, 2023 Jkt 259001 the new or revised Reliability Standards).5 2. INSM is a subset of network security monitoring that is applied within a ‘‘trust zone,’’ 6 such as an electronic security perimeter.7 For the purpose of this rulemaking, the trust zone applicable to INSM is the CIPnetworked environment. INSM enables continuing visibility over communications between networked devices within a trust zone and detection of malicious activity that has circumvented perimeter controls. 
Further, INSM facilitates the detection of anomalous network activity indicative of an attack in progress, thus increasing the probability of early detection and allowing for quicker mitigation and recovery from an attack. 3. We find that, while the CIP Reliability Standards require monitoring of the electronic security perimeter and associated systems for high and medium impact BES Cyber Systems, the CIPnetworked environment remains vulnerable to attacks that bypass network perimeter-based security controls traditionally used to identify the early phases of an attack. This presents a gap in the currently effective CIP Reliability Standards. To address this gap, we direct NERC to develop new or modified CIP Reliability Standards requiring INSM for all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity to 5 For ease of reference, BES Cyber Systems not subject to the new or revised Reliability Standards in this final action will be referred to as all low impact BES Cyber Systems and medium impact BES Cyber Systems without external routable connectivity. 6 The U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA) defines trust zone as a ‘‘discrete computing environment designated for information processing, storage, and/or transmission that share the rigor or robustness of the applicable security capabilities necessary to protect the traffic transiting in and out of a zone and/or the information within the zone.’’ CISA, Trusted Internet Connections 3.0: Reference Architecture, at 2 (July 2020), https://www.cisa.gov/ sites/default/files/publications/CISA_ TIC%203.0%20Vol.%202%20Reference%20 Architecture.pdf. 7 An electronic security perimeter is ‘‘the logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.’’ NERC Glossary. 
PO 00000 Frm 00007 Fmt 4700 Sfmt 4700 85 87 91 96 97 100 103 ensure the detection of anomalous network activity indicative of an attack in progress. These provisions will increase the probability of early detection and allow for quicker mitigation and recovery from an attack. 4. As discussed below, while the Commission’s notice of proposed rulemaking (NOPR) 8 in this proceeding proposed to direct NERC to address INSM for all high and medium impact BES Cyber Systems, we are persuaded by commenters that raised certain concerns with the NOPR proposal and, in this final action, limit our directive to all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity. 5. While NERC has flexibility in developing the content of INSM requirements, the new or modified CIP Reliability Standards must address the specific concerns that we identify in this final action. In particular, in this final action, we direct NERC to develop new or modified CIP Reliability Standards that are forward-looking, objective-based, and that address the following three security objectives that pertain to INSM. First, any new or modified CIP Reliability Standards should address the need for responsible entities to develop baselines of their network traffic inside their CIPnetworked environment. Second, any new or modified CIP Reliability Standards should address the need for responsible entities to monitor for and detect unauthorized activity, connections, devices, and software inside the CIP-networked environment. And third, any new or modified CIP Reliability Standards should require responsible entities to identify anomalous activity to a high level of confidence by: (1) logging network traffic (we note that packet capture is one means of accomplishing this goal); 9 8 See Internal Network Sec. Monitoring for High & Medium Impact Bulk Elec. Sys. Cyber Sys., Notice of Proposed Rulemaking, 87 FR 4173 (Jan. 
27, 2022), 178 FERC ¶ 61,038, at P 31 (2022) (INSM NOPR). 9 While the NOPR stated that ‘‘any new or modified CIP Reliability Standards should address the ability to support operations and response by E:\FR\FM\09FER1.SGM Continued 09FER1 8356 Federal Register / Vol. 88, No. 27 / Thursday, February 9, 2023 / Rules and Regulations khammond on DSKJM1Z7X2PROD with RULES (2) maintaining logs and other data collected regarding network traffic; and (3) implementing measures to minimize the likelihood of an attacker removing evidence of their tactics, techniques, and procedures 10 from compromised devices.11 6. We also direct NERC to submit the new or modified CIP Reliability Standards for Commission approval within 15 months of the effective date of this final action. We believe that a 15month deadline provides sufficient time for NERC to develop responsive standard(s) within NERC’s standards development process. 7. Further, the Commission sought comment in the NOPR on the possible implementation of INSM to detect malicious activity in networks with low impact BES Cyber Systems but did not propose to direct the development of Reliability Standards for INSM for low impact BES Cyber Systems. In this final action, we direct NERC to conduct a study to support future Commission actions to extend INSM requirements to all low impact BES Cyber Systems and medium impact BES Cyber Systems without external routable connectivity. Specifically, NERC should include in its study a determination of: (1) ongoing risk to the reliability and security of the Bulk-Power System posed by low and medium impact BES Cyber Systems that would not be subject to the new or modified Reliability Standards, including the number of low and medium impact BES Cyber Systems not required to comply with the new or modified standard; and (2) potential technological or other challenges requiring responsible entities to . . . log and packet capture network traffic,’’ id. 
(citation omitted), we clarify in this final action that ‘‘packet capture’’ is one example of how to support that goal. Packet capture allows information to be intercepted in realtime and stored for long-term or short-term analysis, thus providing a network defender greater insight into a network. Packet captures provide context to security events, such as intrusion detection system alerts. See CISA, National Cybersecurity Protection System Cloud Interface Reference Architecture, Volume 1, General Guidance, at 13, 25 (July 24, 2020), https://www.cisa.gov/sites/default/files/ publications/CISA_NCPS_Cloud_Interface_RA_ Volume-1.pdf. 10 NIST defines tactics, techniques, and procedures as describing the behavior of an actor, where ‘‘Tactics are high-level descriptions of behavior, techniques are detailed descriptions of behavior in the context of a tactic, and procedures are even lower-level, highly detailed descriptions in the context of a technique.’’ NIST further explains that ‘‘tactics, techniques, and procedures could describe an actor’s tendency to use a specific malware variant, order of operations, attack tool, delivery mechanism (e.g., phishing or watering hole attack), or exploit.’’ See NIST, NIST Special Publication 800–150: Guide to Cyber Threat Information Sharing, at 2 (Oct. 2016), https:// nvlpubs.nist.gov/nistpubs/SpecialPublications/ NIST.SP.800-150.pdf. 11 INSM NOPR, 178 FERC ¶ 61,038 at P 31. VerDate Sep<11>2014 16:00 Feb 08, 2023 Jkt 259001 involved in extending INSM to additional BES Cyber Systems, as well as possible alternative mitigating actions to address ongoing risks. We believe that this information would provide the basis for further Commission action, as warranted, regarding INSM or alternatives. We direct NERC to file its study report with the Commission within 12 months of the issuance of this final action. II. Background A. Section 215 and the Mandatory Reliability Standards 8. 
FPA section 215 provides that the Commission may certify an Electric Reliability Organization (ERO), the purpose of which is to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval.12 Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.13 Pursuant to FPA section 215, the Commission established a process to select and certify an ERO 14 and subsequently certified NERC.15 B. Internal Network Security Monitoring 9. INSM is designed to address as early as possible situations where perimeter network defenses are breached by detecting intrusions and malicious activity within a trust zone. INSM consists of three stages: (1) collection; (2) detection; and (3) analysis. Taken together, these three stages provide the benefit of early detection and alerting of intrusions and malicious activity.16 Some of the tools that may be used for INSM include: anti-malware; intrusion detection systems; intrusion prevention systems; and firewalls.17 These tools are multipurpose and can be used for 12 16 U.S.C. 824o(c). U.S.C. 824o(e). 14 Rules Concerning Certification of the Elec. Reliability Org.; & Procs. for the Establishment, Approval, & Enf’t of Elec. Reliability Standards, Order No. 672, 71 FR 8662 (Feb. 17, 2006), 114 FERC ¶ 61,104, order on reh’g, Order No. 672–A, 71 FR 19814 (Apr. 18, 2006), 114 FERC ¶ 61,328 (2006). 15 N. Am. Elec. Reliability Corp., 116 FERC ¶ 61,062, order on reh’g and compliance, 117 FERC ¶ 61,126 (2006), aff’d sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009). 16 See Chris Sanders & Jason Smith, Applied Network Security Monitoring, at 9–10 (Nov. 2013); see also ISACA, Applied Collection Framework: A Risk-Driven Approach to Cybersecurity Monitoring (Aug. 18, 2020), https://www.isaca.org/resources/ news-and-trends/isaca-now-blog/2020/appliedcollection-framework. 
17 See NIST Special Publication 800–83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, at 10–13 (July 2013), https:// nvlpubs.nist.gov/nistpubs/specialpublications/ nist.sp.800-83r1.pdf. 13 16 PO 00000 Frm 00008 Fmt 4700 Sfmt 4700 collection, detection, and analysis (e.g., forensics). Additionally, some of the tools (e.g., anti-malware, firewall, or intrusion prevention systems) have the capability to block network traffic. 10. The benefits of INSM can be understood by first describing the way attackers commonly compromise targets. Attackers typically follow a systematic process of planning and execution to increase the likelihood of a successful compromise.18 This process includes reconnaissance (e.g., information gathering), choice of attack type and method of delivery (e.g., malware delivered through a phishing campaign), taking control of the entity’s systems, and carrying out the attack (e.g., exfiltration of project files, administrator credentials, and employee personal identifiable information). Thus, successful cyberattacks require the attacker to: (1) gain access to a target system; and (2) execute commands while in that system. 11. INSM could better position an entity to detect malicious activity that has circumvented perimeter controls and gained access to the target system. Because an attacker that moves among devices internal to a trust zone must use network pathways and required protocols to send malicious communications, INSM will potentially alert an entity of the attack and improve the entity’s ability to stop the attack at its early phases. 12. By providing visibility of network traffic that may only traverse internally within a trust zone, INSM can warn entities of an attack in progress. 
For example, properly placed, configured, and tuned INSM capabilities such as intrusion detection system and intrusion prevention system sensors could detect and/or block malicious activity early and alert an entity of the compromise. INSM can also be used to record network traffic for analysis, providing a baseline that an entity can use to better detect malicious activity. Establishing baseline network traffic allows entities to define what is and is not normal and expected network activity and determine whether observed anomalous activity warrants further investigation.19 The recorded network traffic can also be retained to facilitate timely recovery and/or perform a thorough post-incident analysis of malicious activity. High quality data from collected network 18 SANS Institute, Applying Security Awareness to the Cyber Kill Chain (May 31, 2019), https:// www.sans.org/blog/applying-security-awareness-tothe-cyber-kill-chain/. 19 See CISA, Best Practices for Securing Election Systems, Security Tip (ST19–002) (Aug. 25, 2021), https://www.cisa.gov/tips/st19-002. E:\FR\FM\09FER1.SGM 09FER1 Federal Register / Vol. 88, No. 27 / Thursday, February 9, 2023 / Rules and Regulations traffic is important for recovering from cyberattacks as this type of data allows for: (1) determining the timeframe for backup restoration; (2) creating a record of the attack for incident reporting and response; and (3) analyzing the attack itself to inform actions to prevent it from happening again.20 13. In summary, INSM better positions an entity to detect an attacker in the early phases of an attack and reduces the likelihood that an attacker can gain a strong foothold, including operational control, on the target system. In addition to early detection and mitigation, INSM may improve incident response by providing higher quality data about the extent of an attack internal to a trust zone. 
Finally, INSM provides insight into east-west network traffic 21 happening inside the network perimeter, which enables a more comprehensive picture of the extent of an attack compared to data gathered from the network perimeter alone.22 khammond on DSKJM1Z7X2PROD with RULES C. Notice of Proposed Rulemaking 14. On January 20, 2022, the Commission issued the INSM NOPR proposing to direct NERC to develop new or modified CIP Reliability Standards to require INSM for high and medium impact BES Cyber Systems. In the NOPR, the Commission preliminarily found that the currently effective CIP Reliability Standards do not address INSM, thus leaving a gap in the CIP Reliability Standards.23 The NOPR explained that including INSM requirements in the CIP Reliability Standards would ensure that responsible entities maintain visibility over communications between 20 Help Net Security, Three Reasons Why Ransomware Recovery Requires Packet Data (Aug. 2021), https://www.helpnetsecurity.com/2021/08/ 24/ransomware-recovery-packet-data/. 21 East-west traffic refers to the communications among BES Cyber Systems and is the specific type of network traffic that remains within the network perimeter. It may refer to communication peer-topeer industrial automation and control systems devices in a network or to activity between servers or networks inside a data center, rather than the data and applications that traverse networks to the outside world. CISCO, Networking and Security in Industrial Automation Environments Design Guide, at 111 (Aug. 2020), https://www.cisco.com/c/en/us/ td/docs/solutions/Verticals/Industrial_Automation/ IA_Horizontal/DG/Industrial-AutomationDG.pdf; The President’s National Security Telecommunications Advisory Committee, Report to the President on Software-Defined Networking, at E–3 (Aug. 12, 2020), https://www.cisa.gov/sites/ default/files/publications/ NSTAC%20SDN%20Report%20%288-1220%29.pdf. 
22 CISA, CISA Analysis: FY2020 Risk and Vulnerability Assessments (July 2021), https:// www.cisa.gov/sites/default/files/publications/FY20RVA-Analysis_508C.pdf. 23 INSM NOPR, 178 FERC ¶ 61,038 at PP 2, 14, 26. VerDate Sep<11>2014 16:00 Feb 08, 2023 Jkt 259001 networked devices within a trust zone rather than simply monitoring communications at the network perimeter access point(s) (i.e., at the boundary of an electronic security perimeter as required by the current CIP requirements).24 15. The NOPR discussed various risks to trusted CIP networks posed by the lack of requirements for INSM in the Standards, which include attackers: (1) escalating privileges; (2) moving inside the CIP-networked environment; and (3) executing unauthorized code.25 In the context of supply chain risk, the NOPR explained that a malicious update from a known software vendor could be downloaded directly to a server as trusted code, and it would not set-off any alarms until abnormal behavior occurred and was detected.26 The NOPR explained that, because the CIPnetworked environment is a trust zone, a compromised server in the trust zone could be used to install malicious updates directly onto devices that are internal to the CIP-networked environment without detection. Further, in the context of an insider threat, an employee with elevated administrative credentials could identify and collect data, add accounts, delete logs, or even exfiltrate data without being detected. The NOPR also pointed to the SolarWinds attack as an example of how an attacker can bypass all network perimeter-based security controls traditionally used to identify the early phases of an attack.27 This supply chain attack leveraged a trusted vendor to compromise the networks of public and private organizations.28 16. 
The NOPR sought comments on all aspects of the proposed directive, and it also specifically solicited responses to the following questions: (1) what are the potential challenges to implementing INSM (e.g., cost, availability of specialized resources, and documenting compliance); (2) what capabilities (e.g., software, hardware, staff, and services) are necessary or appropriate for INSM to meet the security objectives; (3) are the three security objectives for INSM described in the NOPR necessary and sufficient and, if not sufficient, what are other pertinent objectives that would support the goal of having responsible entities successfully implement INSM; and (4) what is a reasonable timeframe for developing and implementing Reliability Standards for INSM.[29]

[24] Id. PP 2, 26.
[25] Id. P 33.
[26] Id. P 17.
[27] Id. P 18 (citing FERC, NERC, SolarWinds and Related Supply Chain Compromise, at 16 (July 7, 2021), https://cms.ferc.gov/media/solarwinds-andrelated-supply-chain-compromise-0).
[28] A threat actor gained access to the SolarWinds production environment, “pushed” malicious code through legitimate updates to customers and enabled the adversary to gain remote access and network privileges allowing the actor to manipulate identity and authentication mechanisms. SolarWinds and Related Supply Chain Compromise at 7.

17. While the Commission’s proposed directives centered on high and medium impact BES Cyber Systems, the Commission also sought comment on the usefulness and practicality of implementing INSM to detect malicious activity in networks with low impact BES Cyber Systems, as well as potentially identifying a subset of low impact BES Cyber Systems to which INSM requirements could apply.[30] In particular, the Commission sought comment on whether the same risks associated with high and medium impact BES Cyber Systems also apply to low impact BES Cyber Systems.[31] Commensurate with their impact on the Bulk-Power System, low impact BES Cyber Systems have fewer security controls and, unlike high and medium impact BES Cyber Systems, are not subject to monitoring at the network perimeter access point(s).[32]

18. The comment period for the NOPR ended on March 28, 2022, and the Commission received 22 sets of comments, including one late-filed comment.[33] A list of commenters appears in Appendix A.

III. Need for Reform

19. INSM is a component of a comprehensive cybersecurity strategy as it provides an additional layer of defense against intrusions regardless of the attack vector or whether existing security controls failed. With INSM, an entity can maintain visibility over communications between networked devices within a trust zone and detect malicious activity that has circumvented perimeter controls.[34] INSM facilitates the detection of anomalous network activity indicative of an attack in progress, thus increasing the probability of early detection and allowing for quicker mitigation and recovery from an attack.[35] Without INSM, an attacker may be able to move among devices internal to a trust zone using network pathways and required protocols to send malicious communications. Further, without INSM, an attacker could exploit legitimate cyber resources to: (1) escalate privileges (i.e., exploit a software vulnerability to gain administrator account privileges); (2) move undetected inside the trust zone of the CIP-networked environment; or (3) execute unauthorized code (e.g., a virus or ransomware).

20. Currently, network security monitoring in the CIP Reliability Standards focuses on network perimeter defense and preventing unauthorized access at the electronic security perimeter. While the CIP Reliability Standards require monitoring of inbound and outbound internet communications at the electronic security perimeter,[36] the currently effective CIP Reliability Standards do not require INSM within trusted CIP-networked environments for BES Cyber Systems.

[29] INSM NOPR, 178 FERC ¶ 61,038 at P 32.
[30] Id. PP 4, 33–34.
[31] Id. P 33.
[32] See Version 5 Critical Infrastructure Protection Reliability Standards, Order No. 791, 78 FR 72756 (Dec. 13, 2013), 145 FERC ¶ 61,160, at P 106 (2013), order on clarification and reh’g, Order No. 791–A, 78 FR 24107 (Apr. 24, 2013), 146 FERC ¶ 61,188 (2014) (finding that categorizing assets as high, medium, or low based on their impact on the reliable operation of the Bulk-Power System, with all BES Cyber Systems being categorized as at least low impact, offers more comprehensive protection than prior versions of the standards and declining to require NERC to develop specific controls for low impact facilities).
[33] The late-filed comment raised issues that were outside the scope of this rulemaking. Accordingly, we do not address the comment here.
[34] INSM NOPR, 178 FERC ¶ 61,038 at P 11.
This leaves a gap in the CIP Reliability Standards for situations where vendors or individuals with authorized access are considered secure and trustworthy but could still introduce a cybersecurity risk, as well as other attack vectors that can exploit this gap. Additionally, the lack of INSM controls diminishes an essential component of a defense-in-depth strategy and therefore may increase the time it takes an entity to detect an intrusion and the time an attacker has to leverage compromised user accounts and traverse unmonitored network connections.[37]

21. The currently effective CIP Reliability Standards, while offering a broad set of cybersecurity protections, do not require INSM. For example, Reliability Standard CIP–005–6 (Electronic Security Perimeter(s)), Requirement R1.5 addresses monitoring of network traffic for malicious communications at the electronic security perimeter. Under CIP–005–6 Requirement R1.5, the only locations that require network security monitoring are the electronic security perimeter electronic access points for high and medium impact BES Cyber Systems at control centers. Additionally, Reliability Standard CIP–007–6 (System Security Management), Requirement R.4.1.3 addresses security monitoring and requires the entity to detect malicious code for all high and medium impact BES Cyber Systems and their associated electronic access control or monitoring systems, physical access control systems, and protected cyber assets. To comply with Reliability Standard CIP–007–6 R.4.1.3, responsible entities must install security monitoring tools at the device level but are not required to use INSM methods, such as intrusion detection systems.[38]

22. Further, the currently effective CIP Reliability Standards do not require responsible entities to ensure that anomalous activity within the trust zone can be identified with a high level of confidence because the CIP Reliability Standards are focused on perimeter-based security with limited internal security controls. The three INSM security objectives—pertaining to (1) baselining, (2) monitoring and detecting unauthorized activity, and (3) identification of anomalous activity—aim to address this deficiency. As discussed below, new or modified Reliability Standards responsive to this final action must address these three objectives.

23. For the reasons discussed below, in this final action we affirm the preliminary finding in the NOPR that the lack of INSM requirements in the currently effective CIP Reliability Standards constitutes a security gap. Further, we conclude that there is a sufficient basis for a directive to NERC to require INSM in the CIP Reliability Standards for all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity.[39]

[35] Id. P 2.
[36] See Reliability Standard CIP–005–6 (Electronic Security Perimeter(s)).
[37] INSM NOPR, 178 FERC ¶ 61,038 at P 31; see also Nat’l Sec. Agency, Network Infrastructure Security Guide (June 2022), https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF.
[38] Under Reliability Standard CIP–007–6, Requirement R.4.1.3, an entity may choose, but is not required, to use system-generated listing of network log in/log outs, or malicious code, or other types of monitored network traffic only at the perimeter of all medium and high impact BES Cyber Systems (and not within the trust zone, unlike INSM). The related Measures for this provision provide examples of acceptable evidence of compliance, including a paper or system-generated listing of monitored activities for which the BES Cyber System is configured to log and capable of detecting.
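The three objectives in paragraph 22, and the point in paragraphs 19 and 20 that perimeter monitoring at the electronic access point never sees traffic that stays inside the trust zone, as an added worked example that is not part of this order or of any commenter’s filing: a minimal baseline-and-detect pass in Python over flow records inside one electronic security perimeter. The subnet, host addresses, ports and byte counts are constructed for the illustration and are not drawn from any real entity; a deployed INSM tool would take the same kind of records from a span port or tap.

```python
"""Added worked example (not FERC, NERC or any commenter's code): a minimal
baseline-and-detect pass over constructed east-west flow records inside one
electronic security perimeter (ESP), illustrating the three INSM objectives.
Subnet, hosts, ports and byte counts below are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: the trust zone is a single ESP on 10.10.0.0/24. Traffic that
# leaves or enters it passes the electronic access point (EAP), which
# CIP-005 already requires to be monitored; traffic that stays inside does not.
ESP = ip_network("10.10.0.0/24")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def crosses_eap(flow: Flow) -> bool:
    """True if exactly one endpoint is outside the ESP, i.e. the flow is
    visible at the perimeter access point."""
    return (ip_address(flow.src) in ESP) != (ip_address(flow.dst) in ESP)


def east_west(flows):
    """INSM scope: conversations that never traverse the access point."""
    return [f for f in flows if not crosses_eap(f)]


def build_baseline(flows):
    """Objective 1 (baselining): record which peers talk, over which service,
    and the typical volume of each conversation, from a learning window the
    operator has reviewed as legitimate. Returns {key: (mean, pstdev)}."""
    volumes = defaultdict(list)
    for f in east_west(flows):
        volumes[(f.src, f.dst, f.dport, f.proto)].append(f.nbytes)
    return {key: (mean(v), pstdev(v)) for key, v in volumes.items()}


def detect(baseline, flows, sigma=3.0):
    """Objective 2 (unauthorized activity): a conversation absent from the
    baseline. Objective 3 (anomalous activity): a known conversation whose
    volume is far above its baseline. Returns (reason, flow) pairs."""
    alerts = []
    for f in east_west(flows):
        key = (f.src, f.dst, f.dport, f.proto)
        if key not in baseline:
            alerts.append(("unauthorized-conversation", f))
            continue
        mu, sd = baseline[key]
        # Guard against a single-sample baseline (sd == 0) by also requiring
        # at least double the mean before calling the volume anomalous.
        if f.nbytes > max(mu + sigma * sd, 2 * mu):
            alerts.append(("anomalous-volume", f))
    return alerts


# Constructed learning window: HMI 10.10.0.20 polls PLC 10.10.0.50 over
# Modbus/TCP and pushes data to historian 10.10.0.60; engineering
# workstation 10.10.0.30 talks Modbus to the PLC; the HMI also reaches a
# vendor host outside the ESP (that flow crosses the EAP and is excluded).
BASELINE_WINDOW = [
    Flow("10.10.0.20", "10.10.0.50", 502, "tcp", 1200),
    Flow("10.10.0.20", "10.10.0.50", 502, "tcp", 1300),
    Flow("10.10.0.20", "10.10.0.50", 502, "tcp", 1250),
    Flow("10.10.0.20", "10.10.0.60", 443, "tcp", 50_000),
    Flow("10.10.0.20", "10.10.0.60", 443, "tcp", 52_000),
    Flow("10.10.0.20", "10.10.0.60", 443, "tcp", 48_000),
    Flow("10.10.0.30", "10.10.0.50", 502, "tcp", 900),
    Flow("10.10.0.20", "192.0.2.10", 443, "tcp", 7_000),
]

# Constructed observation window: normal polling, then what lateral movement
# from a compromised workstation looks like (SSH to the PLC, SMB to the
# historian) and a bulk pull from the historian, plus one more EAP-crossing
# flow that perimeter monitoring, not INSM, is responsible for.
OBSERVED_WINDOW = [
    Flow("10.10.0.20", "10.10.0.50", 502, "tcp", 1280),
    Flow("10.10.0.30", "10.10.0.50", 22, "tcp", 4_000),
    Flow("10.10.0.30", "10.10.0.60", 445, "tcp", 9_000),
    Flow("10.10.0.20", "10.10.0.60", 443, "tcp", 4_000_000),
    Flow("10.10.0.30", "192.0.2.10", 443, "tcp", 9_999),
]


def run_example():
    """Build the baseline, score the observation window, return the alerts."""
    return detect(build_baseline(BASELINE_WINDOW), OBSERVED_WINDOW)


if __name__ == "__main__":
    for reason, f in run_example():
        print(f"{reason:26} {f.src} -> {f.dst}:{f.dport}/{f.proto} {f.nbytes} bytes")
```

Nothing here matches a signature: the SSH and SMB flows are flagged only because the baseline never contained them, and the historian pull only because its volume departs from the learned norm. Every flagged flow stays inside the 10.10.0.0/24 perimeter, so the access point monitoring required by CIP–005–6 R1.5 would record none of them, and the one flow that does cross the EAP is deliberately left to that control. A production deployment would key the baseline on richer features (Modbus function codes, TLS fingerprints, device identity), age it over time, and have an operator review what is learned before it is trusted.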
[39] INSM architecture generally relies on external routable connectivity to achieve the full, real-time benefits of INSM, such as the capability to transmit collected data from network traffic and devices to a centralized location for further analysis by cybersecurity professionals.

IV. Discussion

A. Overview

24. Pursuant to FPA section 215(d)(5), we direct NERC to develop new or modified CIP Reliability Standards that require applicable responsible entities to implement INSM for all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity. Given the importance of timely addressing the identified security gap, we direct that NERC submit responsive new or modified CIP Reliability Standards within 15 months of the effective date of this final action. Based on the comments received in response to the NOPR, we determine that the record in this proceeding supports the development of mandatory requirements for the implementation of INSM for all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity that are within the control of responsible entities that fall within the scope of our authority under FPA section 215.

25. Overall, commenters agree with the benefits of implementing INSM as an additional layer of cybersecurity protection, although commenters differ on the contours of a directive to NERC to address the issue. NERC notes that while there may be challenges, INSM “would be an appropriate approach” to address the risks identified in the NOPR.[40]

26. NERC and other commenters support new or modified CIP Reliability Standards that address INSM for high impact BES Cyber Systems as a worthwhile improvement to the cybersecurity posture of the Bulk-Power System.[41] While no entities altogether oppose INSM for high impact BES Cyber Systems, two commenters recommend limiting INSM at high impact BES Cyber Systems to those located in a control center or those systems with external routable connectivity.[42]

27. Support for requiring the implementation of INSM for medium impact BES Cyber Systems varies, with a majority of commenters agreeing that extending INSM to at least some medium impact BES Cyber Systems could address the risks to the security of the Bulk-Power System identified in the NOPR.[43] Several other commenters also recognize that the NOPR’s proposed directives regarding INSM are appropriate to address the threats that high and medium impact BES Cyber Systems face, and their potential impact on the reliable and secure operation of the Bulk-Power System.[44] Other commenters, however, either oppose the proposal for medium impact BES Cyber Systems[45] or advocate for delayed or limited inclusion of medium impact BES Cyber Systems within the scope of CIP Reliability Standards.[46]

28. Commenters raise challenges that may arise during development and implementation of CIP Reliability Standards requiring INSM for medium impact BES Cyber Systems that do not have external routable connectivity. These challenges include the large number of such medium impact BES Cyber Systems, which pose staffing and resource constraints for responsible entities, and the possibility of supply chain constraints limiting the availability of necessary hardware and software tools to fully implement INSM.[47] As discussed below, we are persuaded by the comments raising challenges and thus modify the NOPR proposal by directing that NERC develop new or modified Reliability Standards requiring implementation of INSM for medium impact BES Cyber Systems with external routable connectivity.

29. Further, we decline at this time to direct NERC to develop new or modified CIP Reliability Standards to require INSM for low impact BES Cyber Systems. NERC and most other commenters note that the risks associated with high and medium impact BES Cyber Systems do not apply to low impact BES Cyber Systems and that the costs associated with implementing INSM for low impact BES Cyber Systems would not result in a corresponding benefit to security.[48]

30. Although we decline to direct NERC to develop new or modified CIP Reliability Standards requiring INSM for medium impact BES Cyber Systems without external routable connectivity and all low impact BES Cyber Systems in this final action, we recognize the importance of bolstering the cybersecurity of these systems. We believe that the current lack of visibility at low impact BES Cyber Systems, as well as medium impact BES Cyber Systems with similar configurations (i.e., serial-connected and other physical non-internet protocol based industrial control system communications), may leave systems vulnerable to cyberattacks that degrade the reliable and secure operation of the Bulk-Power System. However, we also recognize that extending INSM requirements to all low impact BES Cyber Systems would be difficult to implement or audit, given that there is neither a requirement for entities to identify their low impact BES Cyber Systems on an individual basis nor a requirement for entities to identify an electronic security perimeter for their low impact BES Cyber Systems.[49] Therefore, as discussed below, we direct NERC, pursuant to § 39.2(d) of the Commission’s regulations,[50] to submit to the Commission a report discussing the results of the study assessing the risks, implementation challenges, and potential solutions for all low impact BES Cyber Systems and medium impact BES Cyber Systems without external routable connectivity, within 12 months of the issuance of this final action.

31. We address below the following issues raised in the NOPR and NOPR comments: (1) the need for INSM Reliability Standards for all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with and without external routable connectivity; (2) the extension of INSM to all low impact BES Cyber Systems; (3) security objectives of the new or modified Reliability Standards; and (4) standard development and implementation timelines. Further, we address the need for further study to support future action as warranted to require INSM for medium impact BES Cyber Systems without external routable connectivity and all low impact BES Cyber Systems.

[40] NERC Comments at 3; see also EPSA Comments at 3; Idaho Power Comments at 2; ISO/RTO Comments at 3.
[41] E.g., NERC Comments at 8; BPA Comments at 1; Trades Comments at 1.
[42] See ITC Comments at 7; Idaho Power Comments at 2.
[43] NERC Comments at 3; Consumers Comments at 1–2; Cynalytica Comments at 1; ISO/RTO Council Comments at 2–3; Juniper Comments at 1–2; Microsoft Comments at 1; MRO NSRF Comments at 1–2; NAGF Comments at 1; Nozomi Networks Comments at 3; OT Coalition Comments at 3; TAPS Comments at 14; Conway Comments at 1.
[44] E.g., EPSA Comments at 3; Idaho Power Comments at 2; ISO/RTO Comments at 3.
[45] BPA Comments at 2.
[46] EPSA Comments at 2; Idaho Power Comments at 2; Indicated Trade Associations Comments at 9.
[47] E.g., BPA Comments at 3; EPSA Comments at 3; Idaho Power Comments at 2.
[48] E.g., NERC Comments at 8; BPA Comments at 4–5; MRO NSRF Comments at 4; NAGF Comments at 4.
[49] Reliability Standard CIP–003–8 (Security Management Controls), Requirement R2, requires that an entity with low impact BES Cyber Systems must implement a cybersecurity plan that includes elements specified in Attachment 1 of CIP–003–8. While entities must implement a plan that includes “electronic access controls,” the NERC defined term “Electronic Security Perimeter” is not mentioned in Attachment 1.
[50] 18 CFR 39.2(d) (the ERO shall provide the Commission such information as is necessary to implement section 215 of the FPA).

B. INSM for High and Medium Impact BES Cyber Systems

32. In the NOPR, the Commission proposed to direct NERC to develop new or modified CIP Reliability Standards requiring that responsible entities implement INSM for their high and medium impact BES Cyber Systems.[51] The Commission preliminarily found that INSM, as a fundamental element of a zero-trust architecture,[52] should improve the cybersecurity posture of responsible entities with high and medium impact BES Cyber Systems.[53] The NOPR explained that the proposed directive centers on high and medium impact BES Cyber Systems to improve visibility within networks containing BES Cyber Systems whose compromise could have a significant impact on the reliable operation of the Bulk-Power System.[54] The NOPR sought comments on all aspects of the proposed directive to NERC to modify the CIP Reliability Standards to require INSM for high and medium impact BES Cyber Systems.

1. Comments

a. Implementation of INSM for High Impact BES Cyber Systems

33. NERC, BPA, Consumers, Cynalytica, ISO/RTO Council, Juniper Networks, Microsoft, MRO NSRF, NAGF, Nozomi Networks, and Conway support the NOPR’s efforts to require INSM for high impact BES Cyber Systems.[55] NERC states its support for INSM as an “appropriate approach for consideration” for high impact BES Cyber Systems.[56]

34. BPA recommends that the Commission limit its initial rulemaking to only high impact BES Cyber Systems.[57] BPA recognizes INSM as an important cybersecurity protection but recommends phased adoption of INSM and limiting the initial rulemaking to high impact BES Cyber Systems, due to the resources and length of time needed to make such changes to industrial control systems.

[51] INSM NOPR, 178 FERC ¶ 61,038 at PP 29, 31.
[52] NIST defines zero-trust architecture as “[a] security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The [zero-trust] security model eliminates implicit trust in any one element, component, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.” NIST, Computer Security Resource Center Glossary, https://csrc.nist.gov/glossary/term/zero_trust_architecture.
[53] INSM NOPR, 178 FERC ¶ 61,038 at P 30.
[54] Id. P 3.
[55] NERC Comments at 3; Consumers Comments at 1–2; Cynalytica Comments at 1; ISO/RTO Council Comments at 2–3; Juniper Networks Comments at 1–2; Microsoft Comments at 1; MRO NSRF Comments at 1–2; NAGF Comments at 1; Nozomi Networks Comments at 1; Conway Comments at 1.
[56] NERC Comments at 8.
[57] BPA Comments at 1.
BPA recommends that the Commission, in a future proceeding, explore whether INSM requirements should apply to remote medium and low impact facilities without external routable connectivity.[58]

35. Indicated Trade Associations and Idaho Power recommend limiting the NOPR’s proposal for high impact BES Cyber Systems. Indicated Trade Associations explains that by prioritizing high impact BES Cyber Systems, responsible entities would be able to “gather operational experience with INSM technologies.”[59] While Indicated Trade Associations support implementation of INSM for high impact BES Cyber Systems, they also ask the Commission to convene a forum prior to issuing any directive. Idaho Power also tempers its support of the NOPR recommendations, emphasizing that its support of INSM within BES Cyber Systems is limited to those with external routable connectivity, although also noting that the majority of high impact BES Cyber Systems likely already have external routable connectivity.[60]

36. ITC’s comments support limiting INSM to high impact BES Cyber Systems located in control centers because they have larger numbers of more diversely routed systems with greater external connectivity and therefore more access for an attacker to exploit.[61] According to ITC, additional focus on the prevention of electronic security perimeter breaches continues to be the most effective overall approach to improving the cybersecurity of responsible entities. ITC also cautions that implementing INSM as contemplated by the NOPR could cause congestion and potentially slow the reactions of operators, who must observe and respond quickly to system and customer needs.[62] Instead of INSM, ITC states that it and many other entities already employ hub-and-spoke architecture[63] for their electronic security perimeters to protect the BES Cyber Systems and BES Cyber Assets within them, which it asserts are inconsistent with (and in many cases, duplicative of) the NOPR proposed directives. Further, ITC explains that as its hub-and-spoke architecture uses few connections between BES Cyber Assets and BES Cyber Systems within each electronic security perimeter, monitoring of such “fixed, small-scale network traffic” provides little security benefit compared to the costs.[64] ITC recommends that the Commission consider other cybersecurity strategies like application whitelisting[65] for defense-in-depth, which it asserts provide comparable security to INSM.[66]

37. Indicated Trade Associations and NAGF both note that entities may not have the same internal networks or architectures and that some may have implemented network segmentation or micro-segmentation of their networks.[67] NAGF explains that applying a complex and costly INSM infrastructure may disincentivize the use of segmentation.[68]

[58] Id. at 3.
[59] Indicated Trade Associations Comments at 9.
[60] Idaho Power Comments at 2.
[61] ITC Comments at 2–3.
[62] Id. at 2.
[63] ITC explains that hub-and-spoke architecture uses many, relatively small, electronic security perimeters, each containing a small number of BES Cyber Systems and/or Assets that are often in close physical proximity to each other but using few connections between Cyber Assets and Systems within each electronic security perimeter. Id. at 4.
[64] Id.
[65] Whitelisting, also referred to as allowlisting, allows only selected authorized programs to run, while all other programs are blocked from running by default. It is used to establish a baseline for authorized applications and file locations and prevents any action that departs from that baseline. See CISA, Guidelines for Application Whitelisting (2013), https://www.cisa.gov/uscert/sites/default/files/documents/Guidelines%20for%20Application%20Whitelisting%20in%20Industrial%20Control%20Systems_S508C.pdf.
[66] ITC Comments at 6.
[67] Indicated Trade Associations Comments at 17; NAGF Comments at 2. Network segmentation is one way of improving security by dividing a larger network into multiple segments, which each act as their own small network.
[68] NAGF Comments at 2.

b. Implementation of INSM for Medium Impact BES Cyber Systems

38. NERC, Consumers, Cynalytica, ISO/RTO Council, Juniper Networks, Microsoft, MRO NSRF, NAGF, Nozomi Networks, and Conway support the NOPR’s efforts to require INSM for medium impact BES Cyber Systems.[69]

39. NERC states that it supports the efforts to address the risks identified in the NOPR (such as a bad actor leveraging vendors or others with authorized access to a network to attack these systems) and agrees that INSM is an appropriate approach to address such risks.[70] NERC comments that INSM could benefit the CIP Reliability Standards as a “consistent means of gaining visibility and awareness” within an electronic security perimeter.[71] Furthermore, NERC recognizes “the importance of maturing security controls pertaining to zero-trust principles within Reliability Standards” and agrees with the NOPR that INSM would advance responsible entities’ cybersecurity posture towards zero-trust architecture.[72] Both NERC and Conway explain that INSM ensures that there is monitoring of east-west endpoint to endpoint communications internal to the electronic security perimeter.[73] ISO/RTO Council and MRO NSRF, also supporting the NOPR proposal, state that systems solutions for anomaly detection, such as east-west monitoring, allow for more efficient summarizing of data and identification of anomalies.[74]

40. NAGF supports the NOPR proposal and states that INSM will complement existing network security perimeter monitoring requirements for high and medium impact BES Cyber Systems through improved internal network communications visibility.[75] In support of the NOPR proposal, Consumers notes that it has already independently concluded that INSM warrants investment and has implemented INSM for most of its high and medium impact BES Cyber Systems within an electronic security perimeter.[76]

41. Comments from technology vendors support the NOPR’s proposed directives to add INSM to the NERC CIP Reliability Standards. Cynalytica and Microsoft both point to INSM as being crucial to a zero-trust strategy.[77] Cynalytica further opines “that all BES Cyber Systems should be monitored to ensure the visibility and operational situational awareness that a true zero-trust strategy brings in support of critical infrastructure resiliency.”[78] Microsoft also supports directing NERC to develop Reliability Standards that require INSM for high and medium impact BES Cyber Systems.[79] Nozomi and Juniper Networks also support the proposal, asserting that, given the increasingly sophisticated methods by which attackers gain access to critical systems, it is critical that entities move beyond protection of the electronic security perimeter and implement dynamic, persistent monitoring measures.

42. CDWR, Electricity Canada, the OT Coalition, Reclamation, and TAPS focus their comments on the effectiveness of using INSM to achieve cybersecurity goals rather than explicitly supporting or opposing the NOPR proposal to implement INSM for high and medium impact BES Cyber Systems.[80] For example, CDWR requests that the Commission consider whether directives necessary to provide an adequate level of reliability and security are also cost effective.[81] And Electricity Canada states that it agrees that INSM is an important part of an overall cybersecurity strategy when implemented at appropriate locations in a network.[82]

[69] NERC Comments at 3; Consumers Comments at 1–2; Cynalytica Comments at 1; ISO/RTO Council Comments at 2–3; Juniper Networks Comments at 1–2; Microsoft Comments at 1; MRO NSRF Comments at 1–2; NAGF Comments at 1; Nozomi Networks Comments at 1; Conway Comments at 1.
[70] NERC Comments at 3.
[71] Id. at 5.
[72] Id. at 6.
[73] NERC Comments at 4–5; Conway Comments at 2.
[74] ISO/RTO Council Comments at 4–5; MRO NSRF Comments at 2.
[75] NAGF Comments at 1.
[76] Consumers Comments at 2.
[77] Cynalytica Comments at 1; Microsoft Comments at 3 (asserting that the Commission’s recommendations for implementation of INSM on BES Cyber Systems is a cybersecurity best practice and is consistent with a zero-trust security model and is consistent with the White House zero-trust strategy published in January 2022 (citing White House, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles (Jan. 26, 2022), https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf)).
[78] Cynalytica Comments at 4.

c. Limiting INSM for Medium Impact BES Cyber Systems Based on External Routable Connectivity

43. Although the NOPR did not distinguish the proposed directive for medium impact BES Cyber Systems by risk, their location at control centers, or the existence of external routable connectivity, commenters raise the possibility of limiting INSM on those bases.

44. EPSA, supporting Indicated Trade Associations’ request for the Commission to convene a forum prior to issuing any directive, argues that while high impact BES Cyber Systems are indisputably worthy of INSM measures, any new requirements imposed on medium impact locations should be commensurate with the risk posed by each individual location that could be compromised. Therefore, EPSA asserts that if the Commission does act before convening a forum, it should phase in new requirements based on risk, for example beginning with high impact BES Cyber Systems and only medium impact BES Cyber Systems at control centers. EPSA states that this phased implementation would allow entities to account for challenges while controlling costs and constraints.[83]

45. ITC and Indicated Trade Associations support INSM for medium impact BES Cyber Systems located at control centers. ITC asserts that the Commission could direct NERC to develop a Reliability Standard which requires INSM only for high and medium impact BES Cyber Systems within control centers to achieve a more balanced risk-to-cost outcome.
According to ITC, control centers generally do contain more diversely routed Cyber Systems with greater external connectivity beyond the electronic security perimeter, which provides more access for an attacker to exploit.[84] Further, as ITC explains, control centers’ electronic security perimeters already require network monitoring that reduces the difficulty and expense of implementing INSM at these locations.[85] Similarly, while Indicated Trade Associations agree with the Commission that implementation of INSM may improve the security posture of entities owning or operating high impact BES Cyber Systems and “holds significant potential to increase grid visibility and capability of detecting and mitigating malicious activity,”[86] they propose limiting the implementation to high impact BES Cyber Systems and medium impact BES Cyber Systems located at control centers.[87]

46. Idaho Power states that it agrees with the Commission that implementing INSM at medium impact BES Cyber Systems, in particular those with external routable connectivity, is “justified and necessary for the threats these systems are facing.”[88] Idaho Power explains that BES Cyber Systems with external routable connectivity provide an additional remote attack vector which is not present in systems without it, and warns that if there is a requirement for INSM for systems that do not currently have external routable connectivity, entities may add external routable connectivity (and therefore an additional attack vector) in order to meet the INSM requirements.[89] Idaho Power recommends that, if the Commission were to require INSM at high and medium impact BES Cyber Systems, the Commission should limit the directive to BES Cyber Systems with external routable connectivity, since external routable connectivity is arguably needed to take full advantage of INSM.[90] Although BPA recommends implementing INSM initially only at high impact BES Cyber Systems, it states that if the Commission orders implementation at medium impact BES Cyber Systems as well, the Commission should limit the implementation to medium impact BES Cyber Systems with external routable connectivity.[91]

47. Commenters point out the following concerns if this final action were to apply to all medium impact BES Cyber Systems, including those without external routable connectivity: (1) lengthy timelines for implementation;[92] (2) lack of external routable connectivity at many medium impact BES Cyber Systems, which is needed to effectively implement INSM;[93] (3) for large entities, the undertaking may be sizable given their wider footprint for monitoring and detecting;[94] (4) already limited personnel would be stretched thin and there may be a shortage of qualified staff;[95] and (5) costs would far exceed any potential cybersecurity benefit.[96]

48. In its comments opposing INSM for medium impact BES Cyber Systems, BPA explains that many medium impact BES Cyber Systems do not have external routable connectivity and that these systems therefore pose minimal risk to intrusion and do not strongly implicate the INSM objectives identified by the Commission.[97] Similar to BPA, Indicated Trade Associations assert that not all medium impact BES Cyber Systems have external routable connectivity and therefore conclude that without this attack surface, there is less to monitor.[98] Furthermore, Indicated Trade Associations argue that medium impact BES Cyber Systems without external routable connectivity do not contain the same risk, or pose the same potential impact, as medium impact BES Cyber Systems with external routable connectivity because an attacker does not have a path to move beyond the local trust zone.[99]

[79] Microsoft Comments at 1.
[80] CDWR Comments at 4; Electricity Canada Comments at 2; OT Coalition Comments at 3–4; Reclamation Comments at 3; TAPS Comments at 1.
[81] CDWR Comments at 4.
[82] Electricity Canada Comments at 2.
[83] EPSA Comments at 4.
[84] ITC Comments at 7.
[85] Id.
[86] Indicated Trade Associations Comments at 7.
[87] Id. at 2.
[88] Idaho Power Comments at 2.
[89] Id.
[90] Id.
[91] BPA Comments at 3.
[92] Id.
[93] Id. at 1, 3; Idaho Power Comments at 2.
[94] Indicated Trade Associations Comments at 10 (referring to large entities with multi-state footprints and several hundred physical locations).
[95] Id. at 2; EPSA Comments at 4; ITC Comments at 5; TAPS Comments at 4.
[96] ITC Comments at 4; TAPS Comments at 3–5.
[97] BPA Comments at 4.
[98] Indicated Trade Associations Comments at 9.
[99] Id. at 9–10.

2. Commission Determination

49. Pursuant to FPA section 215(d)(5), we direct NERC to develop new or modified CIP Reliability Standards that require INSM for CIP-networked environments for all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity. We determine that requirements to implement INSM as we direct in this final action will fill a gap in the current suite of CIP Reliability Standards and improve the cybersecurity posture of the Bulk-Power System.[100] Specifically, a requirement for INSM that augments existing perimeter defenses will increase network visibility so that an entity may understand what is occurring in its CIP-networked environment and, thus, improve capability to timely detect potential compromises.[101] INSM also allows for the collection of data and analysis required to implement a defense strategy, improves an entity’s incident investigation capabilities, and increases the likelihood that an entity can better protect itself from a future cyberattack and address any security gaps the attacker was able to exploit.

50. Moreover, the NOPR identified certain cyber-related risks that implementation of INSM could mitigate through early detection, such as a supply chain attack leveraging malicious updates from a known software vendor (i.e., SolarWinds attack) and ransomware attacks.[102] NERC and other commenters agree that INSM is an appropriate approach to address such risks.[103]

51. We disagree with ITC’s rationale for opposing the NOPR proposal. In particular, we disagree with ITC’s assertions that the NOPR proposals are an “overly aggressive implementation of” zero-trust architecture.[104] As explained in the NOPR, while INSM is a fundamental element of the zero-trust architecture, it is only one of many aspects.[105] Furthermore, ITC presents its statement that there would only be little monitoring INSM could perform of its fixed, small-scale network traffic, and thus provide ITC little benefit,[106] without further context or explanation.

provides comparable security to INSM. Application whitelisting is a security tool implemented at the cyber asset level and does not monitor network traffic, which is the purpose of INSM. Therefore, application whitelisting and INSM are two distinct components of a defense-in-depth strategy and two distinct components of zero-trust architecture.

52. We are also not persuaded by ITC’s objections to the NOPR proposal based on ITC’s claims regarding the relatively limited vulnerability of hub-and-spoke networks. A hub-and-spoke connection is bound on both sides by electronic security perimeters. Like any other BES Cyber Asset, the electronic access points of the hub and spoke configuration are addressed by the currently effective CIP Reliability Standards, but there is currently no required monitoring of network traffic within the hub and spoke electronic security perimeters. We disagree with ITC’s assertion that hub-and-spoke architecture has lower risk because it uses few connections between Cyber Assets and Cyber Systems within each electronic security perimeter.[107] INSM is a cybersecurity capability that is indifferent to the architecture to which it is applied. INSM is intended to monitor east-west network traffic that does not traverse the access point. An architecture like hub-and-spoke is not a substitute for a cybersecurity capability like INSM.

53. Finally, we disagree with ITC’s assertion that the “NOPR’s approach is also inconsistent with the Commission’s long-standing risk-based approach to reliability.”[108] The security objectives proposed in the INSM NOPR are risk-based and objective.[109] Furthermore, malicious actors that compromise BES Cyber Systems within an electronic security perimeter could have the opportunity to perform the same functions as an authorized user, which includes operation of the Bulk-Power
System, as demonstrated by the Ukraine Additionally, we disagree with ITC’s attacks referenced in the INSM assertion that application whitelisting NOPR.110 54. We are not persuaded by BPA’s 100 See, e.g., NERC Comments at 4–5 (current CIP request to limit our directive to INSM Standards require ‘‘malicious communications monitoring at the Electronic Access Point on the for high impact BES Cyber Assets based [electronic security perimeter], not necessarily on resource and timing concerns nor monitoring of activity of those who already have persuaded by ITC’s assertion that INSM access to the network’’). 101 Id. at 5 (‘‘CIP Reliability Standards could would lead to congestion. Rather, we benefit from consideration of internal network believe that our decision to limit our security monitoring requirements as a consistent directive at this time to those medium means of gaining visibility and awareness within an impact BES Cyber Assets with external [electronic security perimeter].’’). routable connectivity strikes a proper 102 INSM NOPR, 178 FERC ¶ 61,038 at PP 17–19. 103 E.g., NERC Comments at 6; Juniper Comments 107 Id. at 1. 108 Id. 105 INSM 109 INSM Comments at 2. NOPR, 178 FERC ¶ 61,038 at P 30. 106 ITC Comments at 5. VerDate Sep<11>2014 16:00 Feb 08, 2023 Jkt 259001 110 Id. PO 00000 NOPR, 178 FERC ¶ 61,038 at P 31. P 21. Frm 00014 111 NERC Comments at 4–5; Conway Comments at 2. 112 ISO/RTO at 4. 104 ITC balance between limited resources and the security benefits of INSM and adequately addresses BPA’s concerns and that technical concerns are better addressed during NERC’s standards drafting process or during the implementation of INSM. Similarly, NAGF and Indicated Trade Associations’ concern that requiring INSM may discourage entities from using greater network segmentation to enhance security is a specific technical concern better raised and addressed during NERC’s standards drafting process. 55. 
We agree with commenters that articulate the various benefits of INSM. NERC and other commenters state that INSM ensures that there is monitoring of east-west endpoint-to-endpoint communications internal to the electronic security perimeter.111 Likewise, ISO/RTO Council and MRO NSRF explain that systems solutions for anomaly detection, such as east-west monitoring, allow for more efficient summarizing of data and identification of anomalies.112 Accordingly, the record in this proceeding supports incorporating INSM requirements into the CIP Standards for high and medium impact BES Cyber Systems, as set forth in this final action.

56. We are not persuaded by Indicated Trade Associations’ and ITC’s suggestions to limit application of INSM to high impact BES Cyber Systems and medium impact BES Cyber Systems located at control centers.113 Limiting application of INSM to high impact BES Cyber Systems and medium impact BES Cyber Systems located at control centers would constitute too narrow an approach because the trust zone associated with medium impact BES Cyber Systems encompasses systems with a definitive potential to affect Bulk-Power System reliability. We are, however, persuaded by commenters to limit the scope of our directive with regard to medium impact BES Cyber Systems to those with external routable connectivity. Idaho Power argues that the presence of external routable connectivity is an appropriate limiting factor for the directive,114 and BPA, while it recommends applying the directive only to high impact BES Cyber Systems, states that if the directive encompasses medium impact BES Cyber Systems then it should apply only to medium impact BES Cyber Systems with external routable connectivity.115 Control centers generally already have external routable connectivity and are thus encompassed by a directive to limit application of INSM for medium impact BES Cyber Systems on the basis of external routable connectivity. For these reasons, we believe that external routable connectivity is a preferable approach to targeting the application of INSM.

57. Although not addressed in the NOPR, multiple commenters raised concerns regarding the efficacy and practicality of requiring implementation of INSM for medium impact BES Cyber Systems that lack external routable connectivity.116 Simply stated, external routable connectivity allows remote communication with a BES Cyber System through use of a high-speed internet service to send information over a network. Typically, external routable connectivity allows higher quality data to flow from the field devices at substations to a centralized location where cybersecurity professionals can perform further analysis.

58. Commenters explain that a system without external routable connectivity, while not risk-free, is less vulnerable to attack than systems with external routable connectivity.117 Likewise, according to commenters, external routable connectivity is necessary to achieve the full, real-time benefits of INSM.118 In consideration of these concerns, we modify the NOPR proposal and direct NERC to develop new or modified CIP Reliability Standards that require INSM for medium impact BES Cyber Systems with external routable connectivity.

111 NERC Comments at 4–5; Conway Comments at 2.
112 ISO/RTO Council Comments at 4–5; MRO NSRF Comments at 2.
113 ITC Comments at 7; Indicated Trade Associations Comments at 11.
114 Idaho Power Comments at 2.

59.
While we agree with commenters regarding the challenges with implementing INSM for medium impact BES Cyber Systems without external routable connectivity such as costs and stretching thin limited resources,119 we continue to believe that, if these challenges can be adequately addressed, implementation of INSM for all medium impact BES Cyber Systems would improve the cybersecurity posture of the Bulk-Power System by allowing early detection and response to cyber intrusions in BES Cyber Systems. Although we decline Indicated Trade Associations’ request to convene a forum to discuss INSM in the proceeding prior to a directive as the robust comments provide an adequate basis for this final action, we are directing NERC to conduct a study that pertains, inter alia, to the challenges of, and solutions for, implementing INSM at medium impact BES Cyber Systems without external routable connectivity and all low impact BES Cyber Systems, as discussed in more detail below.

115 BPA Comments at 3.
116 Id.; EPSA Comments at 2; Idaho Power Comments at 1; ITC Comments at 7; Indicated Trade Associations Comments at 11.
117 BPA Comments at 4; Indicated Trade Associations Comments at 9; Idaho Power Comments at 2. Medium impact BES Cyber Systems that lack external routable connectivity remain vulnerable to insider threats and supply chain attacks.
118 See, e.g., BPA Comments at 2; Idaho Power Comments at 2.
119 E.g., Indicated Trade Associations Comments at 10.

C. INSM for Low Impact BES Cyber Systems

60.
In the NOPR, the Commission stated that its proposal centered on high and medium impact BES Cyber Systems but sought comment on the usefulness and practicality of implementing INSM to detect malicious activity in networks with low impact BES Cyber Systems, including any potential benefits, technical barriers and associated costs.120 Low impact BES Cyber Systems have fewer security controls and, unlike high and medium impact BES Systems, are not subject to monitoring at the network perimeter access point(s). The Commission particularly sought comment on whether the same risks associated with high and medium impact BES Cyber Systems apply to low impact BES Cyber Systems, including escalating privileges, moving inside the CIP-networked environment, and executing unauthorized code. The Commission further sought comment on the appropriate scope of coverage for INSM for low impact BES Cyber Systems, to the extent such risks exist.

61. The Commission suggested that there may be benefits to having INSM requirements apply to a defined subset of low impact BES Cyber Systems and sought comment on possible criteria or methodology for identifying an appropriate subset of low impact BES Cyber Systems that could benefit from INSM.121 The Commission further pointed out that there are currently no CIP requirements for low impact BES Cyber Systems for monitoring communications at the electronic security perimeter and therefore asked: (1) whether it makes sense to require INSM while perimeter monitoring is not required; and (2) would it be appropriate to address both perimeter monitoring and INSM for low impact BES Cyber Systems.122

120 INSM NOPR, 178 FERC ¶ 61,038 at P 33.
121 Id. P 34.
122 Id.

1. Comments

62.
Technology solutions vendors Cynalytica, Microsoft, Nozomi Networks, and OT Coalition support extending INSM to low impact BES Cyber Systems.123 Microsoft recommends directing the implementation of INSM for low impact BES Cyber Systems “to the maximum extent practicable.”124 Cynalytica and Microsoft comment that risks within low impact BES Cyber Systems are similar to those within higher impact systems.125 Cynalytica, Microsoft, and Nozomi Networks all assert that requiring all BES Cyber Systems to implement INSM at this time would reduce cybersecurity risk and exposure.126 Cynalytica is of the opinion that “all BES Cyber Systems should be monitored to ensure the visibility and operational situational awareness,” as low impact BES Cyber Systems “could be used for operational intelligence gathering, capabilities testing, or could be used to pivot among internal systems.”127

63. Microsoft elaborates that low impact BES Cyber Systems such as distributed energy resources, along with their increasing use, may increase the potential risks associated with low impact BES Cyber Systems.128 Nozomi Networks recommends extending INSM to low impact BES Cyber Systems as a possible way to both improve their security risks and posture over time, as well as identify potential supply chain security issues.129

64. OT Coalition, supporting a phased implementation of INSM for low impact BES Cyber Systems, warns that failure to account for the risk of a low impact BES Cyber System “being used as a lateral attack vector is inexcusable.”130 OT Coalition recommends that INSM-related and perimeter monitoring requirements should be phased in over time, e.g., over the course of five years and moving from larger to smaller entities.

65. Other commenters, however, advocate against requiring INSM at low impact BES Cyber Systems at this time.
NERC, BPA, MRO NSRF, and NAGF oppose requiring INSM for low impact BES Cyber Systems as part of this proceeding because of the extensive revisions to the CIP Reliability Standards that would be needed and the correspondingly longer time such revisions would take to implement.131 For example, NERC and MRO NSRF point to the lack of any current requirement for a list of low impact BES Cyber Systems.132 NERC and MRO NSRF also note that there is no current requirement for low impact BES Cyber Systems to have an electronic security perimeter.133 Thus, according to MRO NSRF, to properly enact INSM at facilities with low impact BES Cyber Systems would require upgrading all such facilities to one with the same network architecture, protections, and monitoring as that of a facility with high or medium BES Cyber Systems and that the “cost and effort associated with such an enterprise would not be justified.”134

123 Cynalytica Comments at 4; Microsoft Comments at 1; Nozomi Networks Comments at 3; OT Coalition Comments at 3–4.
124 Microsoft Comments at 1.
125 Cynalytica Comments at 4; Microsoft Comments at 11.
126 Cynalytica Comments at 4; Microsoft Comments at 1; Nozomi Networks Comments at 3.
127 Cynalytica Comments at 4.
128 Microsoft Comments at 11.
129 Nozomi Networks Comments at 3.
130 OT Coalition Comments at 4.

66. NERC, BPA, CDWR, Consumers, EPSA, Idaho Power, MRO NSRF, NAGF, TAPS, Conway, and Indicated Trade Associations all caution that extending INSM requirements to low impact BES Cyber Systems at this time would be infeasible or impractical from a cost, time, and technical standpoint.135 Indicated Trade Associations, BPA, EPSA, TAPS, and CDWR explain that the sheer number of low impact BES Cyber Systems, which far exceeds that of medium and high impact BES Cyber Systems, makes implementation of INSM at low impact BES Cyber Systems impractical at this time, from a cost and time commitment perspective.136 Reclamation notes that low impact BES Cyber Systems pose inherently less risk and therefore may not benefit from INSM as much as medium and high impact BES Cyber Systems.137 NERC and other commenters explain that procuring the necessary support equipment, such as relays, remote terminal units, and communications processors, would be prohibitively expensive due to issues such as limited bandwidth, remote proximity of the systems, and greater variety of communications protocols.138 NERC states that expanding INSM requirements to apply to low impact BES Cyber Systems would also pose scalability and manageability issues, such as considering whether communications paths would need to be enhanced to correct any latency or real-time operations impact.139

67. NAGF and Consumers assert that requiring INSM implementation for low impact BES Cyber Systems could displace efforts relating to higher impact systems.140 TAPS comments that there are limited incremental reliability benefits due to low impact BES Cyber Systems being less likely to result in instability, uncontrolled separation, or cascading failure. TAPS further argues that there are technical barriers stemming from the diversity of low impact BES Cyber Systems requiring customized implementation and highly specialized staff.141

131 NERC Comments at 8; BPA Comments at 4–5; MRO NSRF Comments at 4; NAGF Comments at 4.
132 NERC Comments at 8–9; MRO NSRF Comments at 4 (“Analysis requires not just a monitoring system but a baseline inventory of BES Cyber Assets to have something to benchmark against.”).
133 Id.
134 MRO NSRF Comments at 4.
135 NERC Comments at 8–9; BPA Comments at 4–5; CDWR Comments at 4; Consumers Comments at 2; EPSA Comments at 4–5; Idaho Power Comments at 2–3; MRO NSRF Comments at 4; NAGF Comments at 4; TAPS Comments at 4–9; Conway Comments at 1; Indicated Trade Associations Comments at 28.
136 BPA Comments at 4; CDWR Comments at 4; EPSA Comments at 4; TAPS Comments at 8; Indicated Trade Associations Comments at 28.
137 Reclamation Comments at 3.

2. Commission Determination

68. We find comments explaining the challenges of extending INSM requirements to all low impact BES Cyber Systems are persuasive, and we therefore decline to direct NERC to extend requirements for INSM to all low impact BES Cyber Systems at this time. We agree with commenters such as Microsoft, Cynalytica, and Nozomi Networks that the risks within low impact BES Cyber Systems are similar to those within higher impact systems and that implementing INSM at low impact BES Cyber Systems would reduce cybersecurity risk and improve the overall security posture of the Bulk-Power System. Nevertheless, we are persuaded by NERC and other commenters that implementing INSM at all low impact BES Cyber Systems could present certain challenges that make such a directive at this time impractical.
We agree that extending INSM requirements to all low impact BES Cyber Systems could be difficult to scope, implement, or audit, given that there is no requirement for entities to individually identify their low impact BES Cyber Systems or electronic security perimeters for their low impact BES Cyber Systems. Additionally, we accept the explanation of NERC and other commenters that extending INSM to low impact BES Cyber Systems could pose scalability and manageability issues,142 pose challenges to limited company resources and specialization issues for locations with small support staff,143 and require more highly specialized staff.144

69. Although declining to direct NERC at this time to do so, we believe that in the longer term it may be necessary that INSM be extended to at least some subset of low impact BES Cyber Assets to address the known risks associated with these assets. To address the challenges raised by commenters and support this goal, we direct NERC to study the hurdles and possible solutions of implementing INSM at all low impact BES Cyber Assets, as discussed below.

138 NERC Comments at 8–9; Idaho Power Comments at 2–3; TAPS Comments at 5–6; Indicated Trade Associations Comments at 28.
139 NERC Comments at 8–9.
140 Consumers Comments at 2; NAGF Comments at 4.
141 TAPS Comments at 3, 5.

D. Security Objectives

70. In the NOPR, the Commission proposed that new or modified CIP Reliability Standards requiring INSM for high and medium impact BES Cyber Systems should address three security objectives pertaining to INSM.145 First, any new or modified CIP Reliability Standards should address the need for each responsible entity to develop a baseline for their network traffic, specifically for security purposes.
Second, any new or modified CIP Reliability Standards should address the need for responsible entities to monitor for and detect unauthorized activity, connections, devices, and software inside the CIP-networked environment. Third, any new or modified CIP Reliability Standards should address the ability to support operations and response by requiring responsible entities to ensure that anomalous activity can be identified to a high level of confidence by: (1) logging network traffic at a sufficient level of detail; (2) maintaining logs and other data collected regarding network traffic; and (3) implementing measures to minimize the likelihood of an attacker removing evidence of their tactics, techniques, and procedures.

1. Comments

71. Cynalytica characterizes the security objectives listed in the NOPR as a “solid foundation” and recommends that the CIP Reliability Standards adopt the objectives.146 Microsoft, who strongly advocates for the implementation of the zero-trust security model, asserts that the security objectives from the NOPR align with this model and are critical to maintaining network visibility to drive threat detection and response in real time.147 NAGF characterizes the security objectives listed in the NOPR as “acceptable and meaningful” and asserts that INSM will complement existing network perimeter monitoring requirements.148

142 NERC Comments at 8–9.
143 NAGF Comments at 4.
144 TAPS Comments at 3, 5.
145 INSM NOPR, 178 FERC ¶ 61,038 at P 31.
146 Cynalytica Comments at 3.

72. Specific to the security objectives proposed in the NOPR, commenters provide guidance for the development of a baseline of network traffic and suggest there could be alternative approaches.
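The three NOPR security objectives set out in paragraph 70 above (a baseline of network traffic, detection of unauthorized devices, connections, protocols and software inside the perimeter, and logs that an intruder cannot quietly edit) can be illustrated end to end with a small script. The following is an added example written for this page, not code from the order, from NERC or from any commenter. The host addresses, ports and flow records are constructed; the detection rules are deliberately simple set-membership checks on a learned baseline; and the tamper-evident log is a SHA-256 hash chain, chosen here only to stand in for whatever integrity control an entity actually deploys.

```python
"""Toy INSM pipeline for the three NOPR security objectives: (1) baseline
east-west traffic, (2) detect deviations from it, (3) keep tamper-evident
records of what was seen. Constructed example: hosts, ports and flows are
synthetic, loosely modelled on substation traffic (MMS TCP/102, DNP3 TCP/20000).
"""
import hashlib
import json
from collections import namedtuple

# One observed east-west conversation inside an electronic security perimeter.
Flow = namedtuple("Flow", "src dst proto dport")

# Constructed learning-period traffic: what the perimeter normally looks like.
BASELINE_FLOWS = [
    Flow("10.10.1.10", "10.10.1.20", "tcp", 102),    # HMI -> IED, IEC 61850 MMS
    Flow("10.10.1.10", "10.10.1.21", "tcp", 102),    # HMI -> second IED
    Flow("10.10.1.10", "10.10.1.30", "tcp", 20000),  # HMI -> RTU, DNP3
    Flow("10.10.1.20", "10.10.1.10", "tcp", 102),    # IED -> HMI reply path
]

# Constructed monitoring-period traffic; three of the four flows deviate.
OBSERVED_FLOWS = [
    Flow("10.10.1.10", "10.10.1.20", "tcp", 102),    # matches baseline
    Flow("10.10.1.99", "10.10.1.20", "tcp", 102),    # source never seen before
    Flow("10.10.1.21", "10.10.1.30", "tcp", 445),    # port never baselined
    Flow("10.10.1.20", "10.10.1.21", "tcp", 102),    # known hosts, new pairing
]

def build_baseline(flows):
    """Objective 1: learn the devices, protocols and device pairings in use."""
    baseline = {"devices": set(), "protocols": set(), "flows": set()}
    for f in flows:
        baseline["devices"].update((f.src, f.dst))
        baseline["protocols"].add((f.proto, f.dport))
        baseline["flows"].add(f)
    return baseline

def detect_anomalies(baseline, flows):
    """Objective 2: return (flow, reason) for every flow outside the baseline."""
    findings = []
    for f in flows:
        reasons = [f"unknown device {h}" for h in (f.src, f.dst)
                   if h not in baseline["devices"]]
        if (f.proto, f.dport) not in baseline["protocols"]:
            reasons.append(f"unbaselined protocol {f.proto}/{f.dport}")
        # A "new pairing" is only meaningful when hosts and protocol are known.
        if not reasons and f not in baseline["flows"]:
            reasons.append("new connection between known devices")
        if reasons:
            findings.append((f, "; ".join(reasons)))
    return findings

class ChainedLog:
    """Objective 3: append-only log where each entry commits to its predecessor.
    Editing or deleting an interior entry breaks the chain; deleting the newest
    entries does not, so verify() also accepts the last digest as copied to a
    separate system (the "head"), which is what makes tail truncation visible.
    """
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(seq, prev, record):
        payload = json.dumps({"seq": seq, "prev": prev, "record": record},
                             sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def head(self):
        return self.entries[-1]["digest"] if self.entries else self.GENESIS

    def append(self, record):
        prev, seq = self.head(), len(self.entries)
        self.entries.append({"seq": seq, "prev": prev, "record": record,
                             "digest": self._digest(seq, prev, record)})
        return self.head()

    def verify(self, expected_head=None):
        """Return (ok, problem); problem is None when the log is intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False, f"chain broken at entry {i}"
            if e["digest"] != self._digest(i, prev, e["record"]):
                return False, f"entry {i} modified"
            prev = e["digest"]
        if expected_head is not None and prev != expected_head:
            return False, "log truncated: head does not match stored head"
        return True, None

def monitor(baseline_flows=BASELINE_FLOWS, observed=OBSERVED_FLOWS):
    """Run all three objectives end to end; returns (findings, log)."""
    log = ChainedLog()
    findings = detect_anomalies(build_baseline(baseline_flows), observed)
    for flow, reason in findings:
        log.append({"flow": flow._asdict(), "reason": reason})
    return findings, log

if __name__ == "__main__":
    found, log = monitor()
    for flow, reason in found:
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
    print("log intact:", log.verify(expected_head=log.head()))
```

Two points the code makes that the text only implies. A baseline learned from a short learning window will flag legitimate but infrequent traffic; the "new connection between known devices" finding is exactly the kind of alert that paragraph 73 below says requires analyst judgment rather than automatic treatment as malicious. And a hash chain on its own detects edited or deleted interior entries but not silent deletion of the newest ones, which is why verify() takes a head digest that must have been copied off the monitored system.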
Electricity Canada asserts that there may be other approaches to analyzing network traffic besides baselining and suggests adopting “simplified language” that would not exclude the use of a type of technology based on the type of security analysis performed.149 Electricity Canada recommends that the security objective should be to monitor for and detect unauthorized “network communication protocols,” rather than unauthorized “software.”150

73. Indicated Trade Associations explain that establishing a baseline of legitimate network traffic is challenging and calls for significant judgments unique to the implementation of INSM and that in this context baselining can have many different meanings.151 According to Indicated Trade Associations, approaches to baselining could include: (1) simply differentiating between alerts and false positives as opposed to actual malicious activity; and (2) an expansive approach of fully mapping every packet between every asset on a network. Indicated Trade Associations states that the expenses and challenges of baselining increase if an expansive definition of baselining is adopted and recommends convening a forum to discuss and agree upon a workable definition.152

74. Conway urges that the Commission include in its security objectives language that focuses on desired operational capabilities, which Conway avers would help shape individual analyst roles and response actions and inform system operators and national response to information shared.153 Conway explains that “[i]n order for the INSM . . . technologies to be meaningful or useful the sensors and implementation approach must be ICS [industrial control systems] protocol aware and provide detections.”154

147 Microsoft Comments at 2, 4.
148 NAGF Comments at 1.
149 Electricity Canada at 2.
150 Id. at 3.
151 Indicated Trade Associations Comments at 13–14.
152 Id. at 14–15.
153 Conway Comments at 4.

75.
Beyond the proposed security objectives, multiple commenters generally support an objective, prioritized, flexible, and risk-based approach to the implementation of INSM to BES Cyber Systems. BPA and NAGF advocate for flexibility for the industry to develop risk-based criteria for implementation of INSM to allow entities to focus on their most important assets first and then consider whether other assets should be protected in the same manner.155 ISO/RTO Council and MRO NSRF emphasize that any new or modified CIP reliability standards should allow registered entities the necessary flexibility to implement the INSM solution most appropriate for their own environments.156

76. Commenters suggest other security objectives that the Commission and NERC should prioritize. For example, NAGF suggests an objective of maintaining logs and records of network activities.157 Microsoft recommends that the Commission include a security objective to ensure that the operator has the staff and procedures in place to drive cybersecurity improvements from its INSM solution.158 Microsoft explains that effective INSM implementation requires trained staff with the ability to respond to a pre-defined set of alerts with the security operations center or the network operations center. Microsoft further recommends a security objective requiring an intrusion detection system to perform threat vector analysis for assets on the network, to aid security personnel in prioritizing patching targets in its critical systems.159

2. Commission Determination

77. We agree with commenters that, as a general matter, the CIP Reliability Standards should be objective-based, technology neutral, and provide flexibility to entities in identifying how to address the three security objectives identified in the NOPR.

78.
Regarding comments to include security objectives pertaining to adequate staffing and training, we believe that these goals are necessary to achieve the three objectives stated in the NOPR and need not be set out as separate objectives.160 As described above, commenters raise a number of thoughts and suggestions pertaining to baselining, packet-level monitoring, logging, and capture of internal network traffic.161 We expand our second security objective based on Electricity Canada’s recommendation to replace software with network communication protocols by adding “network communication protocols” to the objective. However, we do not adopt other recommendations, because these matters are better raised during NERC’s standards drafting process. We are not persuaded that such level of detail is useful to incorporate within the Commission’s final action. Instead, NERC’s standards drafting process is the appropriate forum to determine the level of detail necessary to ensure the security objectives are met by any new or modified CIP Reliability Standards.

154 Id. at 2.
155 BPA Comments at 5; NAGF Comments at 4.
156 ISO/RTO Council Comments at 4–5; MRO NSRF Comments at 2.
157 NAGF Comments at 1.
158 Microsoft Comments at 9–10.
159 Id. at 10.
160 Id. at 9–10.

79. We direct NERC to ensure that the new or modified CIP Reliability Standards that require security controls for INSM for all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity address three security objectives for east-west network traffic. First, any new or modified CIP Reliability Standards should address the need for each responsible entity to develop a baseline for their network traffic by analyzing network traffic and data flows for security purposes.
Second, any new or modified CIP Reliability Standards should address the need for responsible entities to monitor for and detect unauthorized activity, connections, devices, network communication protocols, and software inside the CIP-networked environment, as well as encompass awareness of protocols used in industrial control systems.162 Third, in response to the comments requesting that any new or modified CIP Reliability Standards should be objective-based, we clarify our NOPR proposal so that it is not oriented toward specific technologies or activities, as discussed below.

80. We agree that any new or modified CIP Reliability Standards should provide flexibility to responsible entities in determining the best way to identify anomalous activity to a high level of confidence, so long as those methods ensure: (1) logging of network traffic (we note that packet capture is one means of accomplishing this goal); (2) maintaining those logs, and other data collected, regarding network traffic that are of sufficient data fidelity to draw meaningful conclusions and support incident investigation; and (3) maintaining the integrity of those logs and other data by implementing measures to minimize the likelihood of an attacker removing evidence of their tactics, techniques, and procedures (maintaining the integrity of logs and other data assures an entity that analysis and findings from incident investigations are representative of the actual incident and can aid in the mitigation of current and future similar compromises).

161 See, e.g., Electricity Canada Comments at 2; EPSA Comments at 2–6; ISO/RTO Council Comments at 4–5; MRO NSRF Comments at 2; NAGF Comments at 1; Indicated Trade Associations Comments at 18–19.
162 E.g., Conway Comments at 2; CISA, Industrial Control Systems Cybersecurity Initiative: Considerations for ICS/OT Monitoring Technologies with an Emphasis on Detection and Information Sharing, at 2 (2021), https://www.cisa.gov/sites/default/files/publications/ICS-Monitoring-Technology-Considerations-Final-v2_508c.pdf.

E. Standards Development Timeframe

81. The Commission in the INSM NOPR requested comments on reasonable timeframes for expeditiously developing and implementing Reliability Standards for INSM given the importance of addressing this reliability gap.163 The INSM NOPR also inquired as to potential challenges to implementing INSM (e.g., cost, availability of specialized resources, and documenting compliance).

1. Comments

82. Among the few comments on the timeframe for developing new or modified standards addressing INSM, ISO/RTO Council suggests a one-to-two-year timeframe is appropriate.164 NERC requests that, given the complexity of the subject matter, the Commission defer to NERC regarding the appropriate timeline for standards development to better assure that all relevant issues can receive the proper consideration in the standards development process.165 Other commenters express caution, and counsel the Commission balance the competing needs of speed and quality in standards development.166 Others suggest an iterative or staggered approach to standards development.167

83.
Regarding timeframes for implementation of INSM (i.e., after the proposed INSM standards become effective), commenters recommend timeframes for implementation ranging from two to ten years, depending on whether INSM is to be extended to high impact, medium impact, or low impact BES Cyber Systems. Microsoft suggests a minimum of two years for applicable registered entities to come into compliance with a new INSM reliability standard based on typical budget cycles. Microsoft also points out that entities would need to change their networks to include INSM during a shutdown period, which occurs every 12 to 18 months.168

84. MRO NSRF and BPA aver that full implementation of INSM for high and medium impact BES Cyber Systems would require a minimum of three to five years, and MRO NSRF suggests a staggered implementation timeline.169 MRO NSRF cites several challenges that could affect the implementation timeline, including: (1) supply chain constraints if multiple entities are trying to obtain INSM tools in the same timeframe; (2) shortages of qualified staff; and (3) higher cost due to additional requirements, system configurations, and sudden increase in demand.170 MRO NSRF did not provide specific cost estimates.

85. Indicated Trade Associations do not provide a specific period but mention that implementing INSM for large entities would require a sizable undertaking, because doing so would entail installing new or upgraded network equipment, increasing network connectivity, and installing multiple INSM monitoring devices requiring aggregation to provide complete operating pictures or baselines.171

163 INSM NOPR, 178 FERC ¶ 61,038 at P 32.
164 ISO/RTO Council Comments at 3–6.
165 NERC Comments at 3, 6–7.
166 Reclamation Comments at 2; Cynalytica Comments at 3.
167 NAGF Comments at 4; Conway Comments at 4.

2. Commission Determination

86. We direct NERC to submit responsive new or modified CIP Reliability Standards within 15 months of the effective date of this final action.
We believe that a 15-month deadline would provide sufficient time for NERC to develop responsive new or modified Standards within NERC’s standards development process. This deadline is within the range of ISO/RTO Council’s suggested one-to-two-year timeframe. Regarding NERC’s request that the Commission not set a deadline, we believe that most of the complexities cited by NERC are resolved by our decision not to extend INSM in this final action to low impact BES Cyber Systems and medium impact BES Cyber Systems without external routable connectivity. 87. We decline to direct a specific implementation timeframe for any new or modified standards. Commenters provide a wide range of potential 164 ISO/RTO VerDate Sep<11>2014 16:00 Feb 08, 2023 Jkt 259001 168 Microsoft 169 MRO Comments at 10. NSRF Comments at 3; BPA Comments at 3. 170 MRO NSRF Comments at 1–2. Trade Associations Comments at 10. 171 Indicated PO 00000 Frm 00018 Fmt 4700 Sfmt 4700 implementation timeframes and raise concerns regarding resource availability and the need for flexibility in implementing new or modified INSM Reliability Standards. Rather than setting the implementation timeframe at this time, we believe NERC should propose an implementation period by balancing the various concerns raised by commenters as well as the need to timely address the identified gap in the CIP Standards pertaining to INSM. When submitting the proposed CIP Standards, NERC should provide its rationale for the chosen implementation timeframe. F. NERC Study and Report on INSM Implementation 88. While determining above that it is premature to require INSM for medium impact BES Cyber Systems without external routable connectivity and all low impact BES Cyber Systems, we recognize the importance of bolstering the cybersecurity of those systems. 
We believe that extending INSM to all medium impact BES Cyber Systems and at least a subset of low impact BES Cyber Systems in the future could be necessary to protect the security and the reliability of the Bulk-Power System. To provide a basis for such action, we direct NERC, pursuant to § 39.2(d) of the Commission’s regulations,172 to conduct a study to guide the implementation of INSM, or other mitigation strategies, for medium impact BES Cyber Systems without external routable connectivity and all low impact BES Cyber Systems. The study shall focus on two main topics: (1) risk and (2) challenges and solutions. 89. First, regarding risk, NERC should collect from registered entities information on the number of low impact and medium impact BES Cyber Systems that would not be subject to the new or revised Reliability Standards, which would inform the scope of the risk from systems without INSM. Next, NERC should provide an analysis regarding the substantive risks posed by these BES Cyber Systems operating without the implementation of INSM. Specifically, NERC should determine the quantity of: (1) substation and generation locations that contain medium impact BES Cyber Systems without external routable connectivity; (2) low impact locations (including a breakdown by substations, generations resources, and control centers) that contain low impact BES Cyber Systems without external routable connectivity; and (3) low impact locations that contain low impact BES Cyber Systems 172 18 E:\FR\FM\09FER1.SGM CFR 39.2(d). 09FER1 Federal Register / Vol. 88, No. 27 / Thursday, February 9, 2023 / Rules and Regulations khammond on DSKJM1Z7X2PROD with RULES with external routable connectivity (including a breakdown by substations, generations resources, and control centers). NERC should then discuss the risks to the security of the Bulk-Power System due to the lack of an INSM requirement for the identified facilities. 90. 
Second, regarding challenges and solutions, NERC should identify the potential technological, logistical, or other challenges involved in extending INSM to additional BES Cyber Systems, as well as possible alternative actions to mitigate the risk posed. For example, as discussed in more detail above, challenges raised by commenters include: (1) lengthy timelines for identifying the location of low impact BES Cyber Systems; (2) the need to add external routable connectivity at many medium impact BES Cyber Systems to effectively implement INSM; (3) a wider footprint for monitoring and detecting for larger entities; (4) shortages of qualified staff; and (5) supply chain constraints. 91. NERC should consult with Commission staff to ensure that the study adequately addresses the topics discussed above. We direct NERC to submit the study report to the Commission within 12 months of the issuance of this final action. V. Information Collection Statement 92. The information collection requirements contained in this order are subject to review by the Office of Management and Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 1995. OMB’s regulations require approval of certain information collection requirements imposed by agency rules. Upon approval of a collection of information, OMB will assign an OMB control number and expiration date. Respondents subject to the filing requirements of this rulemaking will not be penalized for failing to respond to this collection of information unless the collection of information displays a valid OMB control number. Comments are solicited on the Commission’s need for the information proposed to be reported, whether the information will have practical utility, ways to enhance the quality, utility, and clarity of the information to be collected, and any suggested methods for minimizing the respondent’s burden, including the use of automated information techniques. 93. 
The reporting requirements (and associated burden) proposed by the NOPR in Docket No. RM22–3–000 are already covered by the OMB-approved FERC–725. However, we are seeking clearance for this collection of information under FERC–725(1B), VerDate Sep<11>2014 16:00 Feb 08, 2023 Jkt 259001 which is a temporary placeholder number. FERC–725(1B) is being used because FERC–725 (OMB Control Number 1902–0225) is pending review at OMB for another collection of information, and only one item per OMB control number can be pending review at a time. Otherwise, the collection of information for this final action would be submitted to OMB under FERC–725, as discussed in the NOPR, since the reporting requirements and associated burdens in this final action are already covered by FERC– 725. 94. This final action requires that entities that are in the NERC Compliance Registry have an obligation to respond to the Commission directed NERC study, and thus there is a burden to be included in FERC–725(1B) information collection requirements. 95. The NERC Compliance Registry, as of October 3, 2022, identifies approximately 1,682 utilities, both public and non-public, in the U.S. that may respond to the NERC study. For the following reasons, we are using placeholders of one respondent, one response, and one burden hour for FERC–725(1B) in order to submit this request to OMB for PRA review. (1) We anticipate that the collection of information in this final action will become part of FERC–725 when that collection becomes available for revision. (2) FERC–725 already includes burdens associated with the ERO’s responsibility for Reliability Standards Development (3) In order to submit the collection of information in this final action, we must submit it through the ROCIS system, which requires figures for respondents, responses, and burdens. 96. 
To approximate NERC’s cost for the temporary, placeholder FERC– 725(1B), we are using the estimated average of $91/hour (for wages and benefits) for 2022 for a Commission employee. Therefore, the estimated annual cost of the one placeholder burden hour is $91. VI. Environmental Analysis 97. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment.173 The Commission has categorically excluded certain actions from this requirement as not having a significant effect on the human environment. Included in the exclusion are rules that are clarifying, corrective, or procedural or that do not substantially change the effect of the regulations being amended.174 The actions directed herein fall within this categorical exclusion in the Commission’s regulations. VII. Regulatory Flexibility Act 98. The Regulatory Flexibility Act of 1980 (RFA) 175 generally requires a description and analysis of final action that will have significant economic impact on a substantial number of small entities. 99. By only proposing to direct NERC, the Commission-certified ERO, to develop modified Reliability Standards for INSM at BES Cyber Systems, this final action will not have a significant or substantial impact on entities other than NERC.176 Therefore, the Commission certifies that this final action will not have a significant economic impact on a substantial number of small entities. 100. Any Reliability Standards proposed by NERC in compliance with this rulemaking will be considered by the Commission in future proceedings. As part of any future proceedings, the Commission will make determinations pertaining to the Regulatory Flexibility Act based on the content of the Reliability Standards proposed by NERC. VIII. Document Availability 101. 
In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the internet through the Commission’s Home Page (https:// www.ferc.gov). 102. From the Commission’s Home Page on the internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number excluding the last three digits of this document in the docket number field. 103. User assistance is available for eLibrary and the FERC’s website during normal business hours from FERC Online Support at 202–502–6652 (toll free at 1–866–208–3676) or email at ferconlinesupport@ferc.gov, or the 174 18 173 Reguls. Implementing the Nat’l Env’t. Pol’cy Act, Order No. 486, 52 FR 47897 (Dec. 17, 1987), FERC Stats. & Regs. Preambles 1986–1990 ¶ 30,783 (1987) (cross-referenced at 41 FERC ¶ 61,284). PO 00000 Frm 00019 Fmt 4700 Sfmt 4700 8367 CFR 380.4(a)(2)(ii). U.S.C. 601–612. 176 See, e.g., Cyber Sec. Incident Reporting Reliability Standards, Order No. 848, 83 FR 36727 (July 31, 2018), 164 FERC ¶ 61,033, at P 103 (2018). 175 5 E:\FR\FM\09FER1.SGM 09FER1 8368 Federal Register / Vol. 88, No. 27 / Thursday, February 9, 2023 / Rules and Regulations determined, with the concurrence of the Administrator of the Office of Information and Regulatory Affairs of OMB, that this action is not a ‘‘major rule’’ as defined in section 351 of the Small Business Regulatory Enforcement Fairness Act of 1996. Public Reference Room at (202) 502– 8371, TTY (202) 502–8659. Email the Public Reference Room at public.referenceroom@ferc.gov. IX. Effective Date and Congressional Notification 104. This final action is effective April 10, 2023. The Commission has Appendix A—Commenters By the Commission. 
Abbreviation Commenter BPA ...................................................... CDWR .................................................. Consumers ........................................... Conway ................................................. Cynalytica ............................................. Electricity Canada ................................ Entergy ................................................. EPSA .................................................... Idaho Power ......................................... Indicated Trade Associations ............... Bonneville Power Administration. California Department of Water Resources State Water Project. Consumers Energy Company. Tim Conway. Cynalytica, Inc. Electricity Canada. Entergy. Electric Power Supply Association. Idaho Power Company. Edison Electric Institute, the American Public Power Association, the Large Public Power Council, the National Rural Electric Cooperative Association, and the Electric Power Supply Association. ISO/RTO Council. International Transmission Company. Juniper Networks. Microsoft Corporation. Midwest Reliability Organization NERC Standards Review Forum. North American Generator Forum. North American Electric Reliability Corporation, Midwest Reliability Organization, Northeast Power Coordinating Council, Inc., ReliabilityFirst Corporation, SERC Reliability Corporation, Texas Reliability Entity, Inc., and Western Electricity Coordinating Council. Nozomi Networks. Operational Technology Cybersecurity Coalition. United States Bureau of Reclamation. Transmission Access Policy Study Group. ISO/RTO Council .................................. ITC ........................................................ Juniper Networks .................................. Microsoft ............................................... MRO NSRF .......................................... NAGF .................................................... NERC ................................................... 
Nozomi Networks ................................. OT Coalition ......................................... Reclamation .......................................... TAPS .................................................... New Orleans (COTP) or a designated representative. [FR Doc. 2023–01453 Filed 2–8–23; 8:45 am] BILLING CODE 6717–01–P The regulations in 33 CFR 165.846 will be enforced from noon on February 17, 2023 until 11:59 p.m. on February 21, 2023. FOR FURTHER INFORMATION CONTACT: If you have questions about this rule, call or email Lieutenant Commander William A. Stewart, Sector New Orleans, U.S. Coast Guard; telephone 504–365–2246, email William.A.Stewart@uscg.mil. SUPPLEMENTARY INFORMATION: The Coast Guard will enforce a security zone in 33 CFR 165.846 for events related to Mardi Gras Celebration from noon on February 17, 2023 until 11:59 p.m. on February 21, 2023. This action is being taken to provide security and protection for visiting personnel during the events related to the Mardi Gras celebration. The security zone will cover all navigable waters within 400 yards of the Left Descending Bank on the Lower Mississippi River from MM 94.4 to MM 95.1 AHP, New Orleans, LA. No person or vessel may enter this security zone unless authorized by the Captain of the Port New Orleans (COTP) or a designated representative. A designated representative means any Coast Guard DATES: DEPARTMENT OF HOMELAND SECURITY Coast Guard 33 CFR Part 165 [Docket No. USCG–2023–0072] Security Zone; Lower Mississippi River, Mile Marker 94 to 97 Above Head of Passes, New Orleans, LA Coast Guard, DHS. Notification of enforcement of regulation. AGENCY: ACTION: The Coast Guard will enforce a security zone for all navigable waters within 400 yards of the Left Descending Bank (LDB) of the Lower Mississippi River (LMR) Mile Marker (MM) 94.4 to MM 95.1, Above Head of Passes (AHP), New Orleans, LA. 
This security zone is necessary to provide security and protection for visiting personnel during the events related to the Mardi Gras celebration. No person or vessel may enter this security zone unless authorized by the Captain of the Port SUMMARY: khammond on DSKJM1Z7X2PROD with RULES Issued: January 19, 2023. Debbie-Anne A. Reese, Deputy Secretary. VerDate Sep<11>2014 16:00 Feb 08, 2023 Jkt 259001 PO 00000 Frm 00020 Fmt 4700 Sfmt 4700 commissioned, warrant, or petty officer of the U.S. Coast Guard assigned to units under the operational control of Sector New Orleans; to include a Federal, State, and/or local officer designated by or assisting the COTP in the enforcement of the security zone. To seek permission to enter, contact the COTP or a designated representative by telephone at (504) 365–2545 or VHF– FM Channel 16 or 67. Those in the security zone must transit at their slowest speed and comply with all lawful orders or directions given to them by the COTP or a designated representative. In addition to this notification of enforcement in the Federal Register, the Coast Guard will inform the public of the enforcement period of this security zone through Broadcast Notices to Mariners (BNMs) and Marine Safety Information Bulletin (MSIB). Dated: February 3, 2023. K.K. Denning, Captain, U.S. Coast Guard, Captain of the Port Sector New Orleans. [FR Doc. 2023–02799 Filed 2–8–23; 8:45 am] BILLING CODE 9110–04–P E:\FR\FM\09FER1.SGM 09FER1


[Federal Register Volume 88, Number 27 (Thursday, February 9, 2023)]
[Rules and Regulations]
[Pages 8354-8368]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-01453]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM22-3-000; Order No. 887]


Internal Network Security Monitoring for High and Medium Impact 
Bulk Electric System Cyber Systems

AGENCY: Federal Energy Regulatory Commission, Department of Energy.

ACTION: Final action.

-----------------------------------------------------------------------

SUMMARY: The Federal Energy Regulatory Commission (Commission) is 
directing the North American Electric Reliability Corporation (NERC) to 
develop and submit within 15 months of the effective date of this final 
action for Commission approval new or modified Reliability Standards 
that require internal network security monitoring within a trusted 
Critical Infrastructure Protection networked environment for all high 
impact bulk electric system (BES) Cyber Systems with and without 
external routable connectivity and medium impact BES Cyber Systems with 
external routable connectivity. In addition, the Commission directs 
NERC to perform a study of all low impact BES Cyber Systems with and 
without external routable connectivity and medium impact BES Cyber 
Systems without external routable connectivity, as set forth in the 
final action, and to submit its study report to the Commission within 
12 months of the issuance of this final action.

DATES: This final agency action is effective April 10, 2023.

FOR FURTHER INFORMATION CONTACT: Cesar Tapia (Technical Information), 
Office of Electric Reliability, Federal Energy Regulatory Commission, 
888 First Street NE, Washington, DC 20426, (202) 502-6559, 
[email protected].
    Leigh Faugust (Legal Information), Office of the General Counsel, 
Federal Energy Regulatory Commission, 888 First Street NE, Washington, 
DC 20426, (202) 502-6396, [email protected].
    Seth Yeazel, Office of the General Counsel, Federal Energy 
Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 
502-6890, [email protected].

SUPPLEMENTARY INFORMATION:

Table of Contents

 
                                                         Paragraph No.
 
I. Introduction......................................                  1
II. Background.......................................                  7
    A. Section 215 and the Mandatory Reliability                       7
     Standards.......................................
    B. Internal Network Security Monitoring..........                  8
    C. Notice of Proposed Rulemaking.................                 13
III. Need for Reform.................................                 18
IV. Discussion.......................................                 23
    A. Overview......................................                 23
    B. INSM for High and Medium Impact BES Cyber                      31
     Systems.........................................
        1. Comments..................................                 32
        2. Commission Determination..................                 48
    C. INSM for Low Impact BES Cyber Systems.........                 59
        1. Comments..................................                 61
        2. Commission Determination..................                 67
    D. Security Objectives...........................                 69
        1. Comments..................................                 70
        2. Commission Determination..................                 76
    E. Standards Development Timeframe...............                 80
        1. Comments..................................                 81

[[Page 8355]]

 
        2. Commission Determination..................                 85
    F. NERC Study and Report on INSM Implementation..                 87
V. Information Collection Statement..................                 91
VI. Environmental Analysis...........................                 96
VII. Regulatory Flexibility Act......................                 97
VIII. Document Availability..........................                100
IX. Effective Date and Congressional Notification....                103
 

I. Introduction

    1. Pursuant to section 215(d)(5) of the Federal Power Act (FPA),\1\ 
the Commission directs the North American Electric Reliability 
Corporation (NERC) to develop new or modified Critical Infrastructure 
Protection (CIP) Reliability Standards that require internal network 
security monitoring (INSM) for CIP-networked environments for all high 
impact bulk electric system (BES) Cyber Systems \2\ with and without 
external routable connectivity and medium impact BES Cyber Systems with 
external routable connectivity.\3\ Further, the Commission directs NERC 
to submit a report within 12 months of issuance of this final action 
that studies the feasibility of implementing INSM at all low impact BES 
Cyber Systems \4\ and medium impact BES Cyber Systems without external 
routable connectivity (i.e., BES Cyber Systems not subject to the new 
or revised Reliability Standards).\5\
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o(d)(5) (The Commission may order the Electric 
Reliability Organization to submit to the Commission a proposed 
reliability standard or a modification to a reliability standard 
that addresses a specific matter if the Commission considers such a 
new or modified reliability standard appropriate to carry out this 
section.).
    \2\ BES Cyber Systems are defined as ``one or more BES Cyber 
Assets logically grouped by a responsible entity to perform one or 
more reliability tasks.'' See NERC, Glossary of Terms Used in NERC 
Reliability Standards (2022) (NERC Glossary), https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf. BES Cyber 
Systems are categorized as high, medium, or low impact depending on 
the functions of the assets housed within each system and the risk 
they potentially pose to the reliable operation of the Bulk-Power 
System. Reliability Standard CIP-002-5.1a (BES Cyber System 
Categorization) sets forth criteria that registered entities apply 
to categorize BES Cyber Systems as high, medium, or low impact 
depending on the adverse impact that loss, compromise, or misuse of 
those BES Cyber Systems could have on the reliable operation of the 
BES. The impact level (i.e., high, medium, or low) of BES Cyber 
Systems, in turn, determines the applicability of security controls 
for BES Cyber Systems that are contained in the remaining CIP 
Reliability Standards (i.e., Reliability Standards CIP-003-8 to CIP-
013-1).
    \3\ NERC defines external routable connectivity as the ``ability 
to access a BES Cyber System from a Cyber Asset that is outside of 
its associated Electronic Security Perimeter via a bi-directional 
routable protocol connection.'' See NERC Glossary.
    \4\ For ease of reference, low impact BES Cyber Systems include 
those with and without external routable connectivity.
    \5\ For ease of reference, BES Cyber Systems not subject to the 
new or revised Reliability Standards in this final action will be 
referred to as all low impact BES Cyber Systems and medium impact 
BES Cyber Systems without external routable connectivity.
---------------------------------------------------------------------------

    2. INSM is a subset of network security monitoring that is applied 
within a ``trust zone,'' \6\ such as an electronic security 
perimeter.\7\ For the purpose of this rulemaking, the trust zone 
applicable to INSM is the CIP-networked environment. INSM enables 
continuing visibility over communications between networked devices 
within a trust zone and detection of malicious activity that has 
circumvented perimeter controls. Further, INSM facilitates the 
detection of anomalous network activity indicative of an attack in 
progress, thus increasing the probability of early detection and 
allowing for quicker mitigation and recovery from an attack.
---------------------------------------------------------------------------

    \6\ The U.S. Department of Homeland Security, Cybersecurity and 
Infrastructure Security Agency (CISA) defines trust zone as a 
``discrete computing environment designated for information 
processing, storage, and/or transmission that share the rigor or 
robustness of the applicable security capabilities necessary to 
protect the traffic transiting in and out of a zone and/or the 
information within the zone.'' CISA, Trusted Internet Connections 
3.0: Reference Architecture, at 2 (July 2020), https://www.cisa.gov/sites/default/files/publications/CISA_TIC%203.0%20Vol.%202%20Reference%20Architecture.pdf.
    \7\ An electronic security perimeter is ``the logical border 
surrounding a network to which BES Cyber Systems are connected using 
a routable protocol.'' NERC Glossary.
---------------------------------------------------------------------------

    3. We find that, while the CIP Reliability Standards require 
monitoring of the electronic security perimeter and associated systems 
for high and medium impact BES Cyber Systems, the CIP-networked 
environment remains vulnerable to attacks that bypass network 
perimeter-based security controls traditionally used to identify the 
early phases of an attack. This presents a gap in the currently 
effective CIP Reliability Standards. To address this gap, we direct 
NERC to develop new or modified CIP Reliability Standards requiring 
INSM for all high impact BES Cyber Systems with and without external 
routable connectivity and medium impact BES Cyber Systems with external 
routable connectivity to ensure the detection of anomalous network 
activity indicative of an attack in progress. These provisions will 
increase the probability of early detection and allow for quicker 
mitigation and recovery from an attack.
    4. As discussed below, while the Commission's notice of proposed 
rulemaking (NOPR) \8\ in this proceeding proposed to direct NERC to 
address INSM for all high and medium impact BES Cyber Systems, we are 
persuaded by commenters that raised certain concerns with the NOPR 
proposal and, in this final action, limit our directive to all high 
impact BES Cyber Systems with and without external routable 
connectivity and medium impact BES Cyber Systems with external routable 
connectivity.
---------------------------------------------------------------------------

    \8\ See Internal Network Sec. Monitoring for High & Medium 
Impact Bulk Elec. Sys. Cyber Sys., Notice of Proposed Rulemaking, 87 
FR 4173 (Jan. 27, 2022), 178 FERC ¶ 61,038, at P 31 (2022) (INSM 
NOPR).
---------------------------------------------------------------------------

    5. While NERC has flexibility in developing the content of INSM 
requirements, the new or modified CIP Reliability Standards must 
address the specific concerns that we identify in this final action. In 
particular, in this final action, we direct NERC to develop new or 
modified CIP Reliability Standards that are forward-looking, objective-
based, and that address the following three security objectives that 
pertain to INSM. First, any new or modified CIP Reliability Standards 
should address the need for responsible entities to develop baselines 
of their network traffic inside their CIP-networked environment. 
Second, any new or modified CIP Reliability Standards should address 
the need for responsible entities to monitor for and detect 
unauthorized activity, connections, devices, and software inside the 
CIP-networked environment. And third, any new or modified CIP 
Reliability Standards should require responsible entities to identify 
anomalous activity to a high level of confidence by: (1) logging 
network traffic (we note that packet capture is one means of 
accomplishing this goal); \9\

[[Page 8356]]

(2) maintaining logs and other data collected regarding network 
traffic; and (3) implementing measures to minimize the likelihood of an 
attacker removing evidence of their tactics, techniques, and procedures 
\10\ from compromised devices.\11\
---------------------------------------------------------------------------

    \9\ While the NOPR stated that ``any new or modified CIP 
Reliability Standards should address the ability to support 
operations and response by requiring responsible entities to . . . 
log and packet capture network traffic,'' id. (citation omitted), we 
clarify in this final action that ``packet capture'' is one example 
of how to support that goal. Packet capture allows information to be 
intercepted in real-time and stored for long-term or short-term 
analysis, thus providing a network defender greater insight into a 
network. Packet captures provide context to security events, such as 
intrusion detection system alerts. See CISA, National Cybersecurity 
Protection System Cloud Interface Reference Architecture, Volume 1, 
General Guidance, at 13, 25 (July 24, 2020), https://www.cisa.gov/sites/default/files/publications/CISA_NCPS_Cloud_Interface_RA_Volume-1.pdf.
    \10\ NIST defines tactics, techniques, and procedures as 
describing the behavior of an actor, where ``Tactics are high-level 
descriptions of behavior, techniques are detailed descriptions of 
behavior in the context of a tactic, and procedures are even lower-
level, highly detailed descriptions in the context of a technique.'' 
NIST further explains that ``tactics, techniques, and procedures 
could describe an actor's tendency to use a specific malware 
variant, order of operations, attack tool, delivery mechanism (e.g., 
phishing or watering hole attack), or exploit.'' See NIST, NIST 
Special Publication 800-150: Guide to Cyber Threat Information 
Sharing, at 2 (Oct. 2016), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf.
    \11\ INSM NOPR, 178 FERC ¶ 61,038 at P 31.
---------------------------------------------------------------------------

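The three INSM security objectives in paragraph 5 (restated at the end of paragraph 80) are expressed as outcomes, not mechanisms. The following Python script is an added illustration, not part of the Commission's order or of any NERC standard, of one minimal way each objective can be realized: a traffic baseline built from connections observed inside a trust zone, detection of connections and endpoints absent from that baseline and from a device inventory, and a keyed hash chain over the resulting findings so that removal or alteration of a recorded finding is detectable. All addresses, flows, device names and the key are constructed for the example; `build_baseline`, `detect_anomalies` and `TamperEvidentLog` are hypothetical names, not an API from any product.

```python
"""Added example: the three INSM objectives (baseline, detection, log
integrity) on constructed flow records from inside an electronic
security perimeter. Nothing here is from the order or a NERC standard."""
import hashlib
import hmac
import json
from collections import Counter

# Constructed flow records (src_ip, dst_ip, dst_port, proto) as a sensor on a
# SPAN port or TAP inside the trust zone would report them.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.1.20", 502, "tcp"),    # HMI -> PLC, Modbus/TCP
    ("10.0.1.10", "10.0.1.21", 20000, "tcp"),  # HMI -> RTU, DNP3
    ("10.0.1.30", "10.0.1.10", 443, "tcp"),    # historian -> HMI
    ("10.0.1.10", "10.0.1.20", 502, "tcp"),
]

# Constructed inventory of devices authorized inside the zone (IP -> name).
INVENTORY = {
    "10.0.1.10": "hmi-01",
    "10.0.1.20": "plc-01",
    "10.0.1.21": "rtu-01",
    "10.0.1.30": "historian-01",
}


def build_baseline(flows):
    """Objective 1: the baseline is the set of observed connection tuples,
    with a count per tuple so later volume deviations can also be judged."""
    return Counter(flows)


def detect_anomalies(baseline, inventory, observed):
    """Objective 2: flag endpoints missing from the inventory (unknown device)
    and connections between known devices that were never baselined."""
    findings = []
    for flow in observed:
        src, dst, _port, _proto = flow
        if src not in inventory or dst not in inventory:
            findings.append(("unknown-device", flow))
        elif flow not in baseline:
            findings.append(("new-connection", flow))
    return findings


class TamperEvidentLog:
    """Objective 3: append-only log where each entry's tag is an HMAC over the
    previous tag and the entry itself. Without the key, an attacker cannot
    delete or rewrite an interior entry and leave verify() passing."""

    def __init__(self, key: bytes):
        self.key = key            # in practice held in an HSM/KMS, not on the sensor
        self.entries = []         # list of (record_json, tag_hex)

    def append(self, record: dict) -> str:
        prev = self.entries[-1][1] if self.entries else "0" * 64
        payload = json.dumps(record, sort_keys=True)
        tag = hmac.new(self.key, (prev + payload).encode(), hashlib.sha256).hexdigest()
        self.entries.append((payload, tag))
        return tag

    def verify(self) -> bool:
        prev = "0" * 64
        for payload, tag in self.entries:
            expect = hmac.new(self.key, (prev + payload).encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expect, tag):
                return False
            prev = tag
        return True


def run_demo():
    """Returns (findings, chain_ok_before, chain_ok_after_deletion)."""
    baseline = build_baseline(BASELINE_FLOWS)
    # Constructed later observation: one baselined flow, one new connection
    # between known devices, and one flow from a host not in the inventory.
    observed = [
        ("10.0.1.10", "10.0.1.20", 502, "tcp"),
        ("10.0.1.30", "10.0.1.20", 502, "tcp"),
        ("10.0.1.99", "10.0.1.21", 20000, "tcp"),
    ]
    findings = detect_anomalies(baseline, INVENTORY, observed)
    log = TamperEvidentLog(key=b"constructed-demo-key")
    for reason, flow in findings:
        log.append({"reason": reason, "flow": flow})
    intact = log.verify()
    # Model an intruder erasing the record of the new connection: the next
    # entry was chained to the erased tag, so verification now fails.
    del log.entries[0]
    return findings, intact, log.verify()


if __name__ == "__main__":
    print(run_demo())
```

The chain detects deletion or modification of any entry other than the last, as `run_demo()` shows by erasing the first finding. A chain kept only on the sensor cannot detect truncation of its tail, so the latest tag (or the entries themselves) should be forwarded promptly to a system outside the monitored zone, such as the entity's log aggregator; that separation is what makes the later incident analysis representative of the actual incident, which is the point the order makes about integrity of logs.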
    6. We also direct NERC to submit the new or modified CIP 
Reliability Standards for Commission approval within 15 months of the 
effective date of this final action. We believe that a 15-month 
deadline provides sufficient time for NERC to develop responsive 
standard(s) within NERC's standards development process.
    7. Further, the Commission sought comment in the NOPR on the 
possible implementation of INSM to detect malicious activity in 
networks with low impact BES Cyber Systems but did not propose to 
direct the development of Reliability Standards for INSM for low impact 
BES Cyber Systems. In this final action, we direct NERC to conduct a 
study to support future Commission actions to extend INSM requirements 
to all low impact BES Cyber Systems and medium impact BES Cyber Systems 
without external routable connectivity. Specifically, NERC should 
include in its study a determination of: (1) ongoing risk to the 
reliability and security of the Bulk-Power System posed by low and 
medium impact BES Cyber Systems that would not be subject to the new or 
modified Reliability Standards, including the number of low and medium 
impact BES Cyber Systems not required to comply with the new or 
modified standard; and (2) potential technological or other challenges 
involved in extending INSM to additional BES Cyber Systems, as well as 
possible alternative mitigating actions to address ongoing risks. We 
believe that this information would provide the basis for further 
Commission action, as warranted, regarding INSM or alternatives. We 
direct NERC to file its study report with the Commission within 12 
months of the issuance of this final action.

II. Background

A. Section 215 and the Mandatory Reliability Standards

    8. FPA section 215 provides that the Commission may certify an 
Electric Reliability Organization (ERO), the purpose of which is to 
develop mandatory and enforceable Reliability Standards, subject to 
Commission review and approval.\12\ Reliability Standards may be 
enforced by the ERO, subject to Commission oversight, or by the 
Commission independently.\13\ Pursuant to FPA section 215, the 
Commission established a process to select and certify an ERO \14\ and 
subsequently certified NERC.\15\
---------------------------------------------------------------------------

    \12\ 16 U.S.C. 824o(c).
    \13\ 16 U.S.C. 824o(e).
    \14\ Rules Concerning Certification of the Elec. Reliability 
Org.; & Procs. for the Establishment, Approval, & Enf't of Elec. 
Reliability Standards, Order No. 672, 71 FR 8662 (Feb. 17, 2006), 
114 FERC ¶ 61,104, order on reh'g, Order No. 672-A, 71 FR 19814 
(Apr. 18, 2006), 114 FERC ¶ 61,328 (2006).
    \15\ N. Am. Elec. Reliability Corp., 116 FERC ¶ 61,062, order on 
reh'g and compliance, 117 FERC ¶ 61,126 (2006), aff'd sub nom. 
Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
---------------------------------------------------------------------------

B. Internal Network Security Monitoring

    9. INSM is designed to address as early as possible situations 
where perimeter network defenses are breached by detecting intrusions 
and malicious activity within a trust zone. INSM consists of three 
stages: (1) collection; (2) detection; and (3) analysis. Taken 
together, these three stages provide the benefit of early detection and 
alerting of intrusions and malicious activity.\16\ Some of the tools 
that may be used for INSM include: anti-malware; intrusion detection 
systems; intrusion prevention systems; and firewalls.\17\ These tools 
are multipurpose and can be used for collection, detection, and 
analysis (e.g., forensics). Additionally, some of the tools (e.g., 
anti-malware, firewall, or intrusion prevention systems) have the 
capability to block network traffic.
---------------------------------------------------------------------------

    \16\ See Chris Sanders & Jason Smith, Applied Network Security 
Monitoring, at 9-10 (Nov. 2013); see also ISACA, Applied Collection 
Framework: A Risk-Driven Approach to Cybersecurity Monitoring (Aug. 
18, 2020), https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2020/applied-collection-framework.
    \17\ See NIST Special Publication 800-83, Guide to Malware 
Incident Prevention and Handling for Desktops and Laptops, at 10-13 
(July 2013), https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-83r1.pdf.
---------------------------------------------------------------------------

    10. The benefits of INSM can be understood by first describing the 
way attackers commonly compromise targets. Attackers typically follow a 
systematic process of planning and execution to increase the likelihood 
of a successful compromise.\18\ This process includes reconnaissance 
(e.g., information gathering), choice of attack type and method of 
delivery (e.g., malware delivered through a phishing campaign), taking 
control of the entity's systems, and carrying out the attack (e.g., 
exfiltration of project files, administrator credentials, and employee 
personal identifiable information). Thus, successful cyberattacks 
require the attacker to: (1) gain access to a target system; and (2) 
execute commands while in that system.
---------------------------------------------------------------------------

    \18\ SANS Institute, Applying Security Awareness to the Cyber 
Kill Chain (May 31, 2019), https://www.sans.org/blog/applying-security-awareness-to-the-cyber-kill-chain/.
---------------------------------------------------------------------------

    11. INSM could better position an entity to detect malicious 
activity that has circumvented perimeter controls and gained access to 
the target system. Because an attacker that moves among devices 
internal to a trust zone must use network pathways and required 
protocols to send malicious communications, INSM will potentially alert 
an entity of the attack and improve the entity's ability to stop the 
attack at its early phases.
    12. By providing visibility of network traffic that may only 
traverse internally within a trust zone, INSM can warn entities of an 
attack in progress. For example, properly placed, configured, and tuned 
INSM capabilities such as intrusion detection system and intrusion 
prevention system sensors could detect and/or block malicious activity 
early and alert an entity of the compromise. INSM can also be used to 
record network traffic for analysis, providing a baseline that an 
entity can use to better detect malicious activity. Establishing 
baseline network traffic allows entities to define what is and is not 
normal and expected network activity and determine whether observed 
anomalous activity warrants further investigation.\19\ The recorded 
network traffic can also be retained to facilitate timely recovery and/
or perform a thorough post-incident analysis of malicious activity. 
High quality data from collected network

[[Page 8357]]

traffic is important for recovering from cyberattacks as this type of 
data allows for: (1) determining the timeframe for backup restoration; 
(2) creating a record of the attack for incident reporting and 
response; and (3) analyzing the attack itself to inform actions to 
prevent it from happening again.\20\
---------------------------------------------------------------------------

    \19\ See CISA, Best Practices for Securing Election Systems, 
Security Tip (ST19-002) (Aug. 25, 2021), https://www.cisa.gov/tips/st19-002.
    \20\ Help Net Security, Three Reasons Why Ransomware Recovery 
Requires Packet Data (Aug. 2021), https://www.helpnetsecurity.com/2021/08/24/ransomware-recovery-packet-data/.
---------------------------------------------------------------------------

    13. In summary, INSM better positions an entity to detect an 
attacker in the early phases of an attack and reduces the likelihood 
that an attacker can gain a strong foothold, including operational 
control, on the target system. In addition to early detection and 
mitigation, INSM may improve incident response by providing higher 
quality data about the extent of an attack internal to a trust zone. 
Finally, INSM provides insight into east-west network traffic \21\ 
happening inside the network perimeter, which enables a more 
comprehensive picture of the extent of an attack compared to data 
gathered from the network perimeter alone.\22\
---------------------------------------------------------------------------

    \21\ East-west traffic refers to the communications among BES 
Cyber Systems and is the specific type of network traffic that 
remains within the network perimeter. It may refer to communication 
peer-to-peer industrial automation and control systems devices in a 
network or to activity between servers or networks inside a data 
center, rather than the data and applications that traverse networks 
to the outside world. CISCO, Networking and Security in Industrial 
Automation Environments Design Guide, at 111 (Aug. 2020), https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/Industrial_Automation/IA_Horizontal/DG/Industrial-AutomationDG.pdf; 
The President's National Security Telecommunications Advisory 
Committee, Report to the President on Software-Defined Networking, 
at E-3 (Aug. 12, 2020), https://www.cisa.gov/sites/default/files/publications/NSTAC%20SDN%20Report%20%288-12-20%29.pdf.
    \22\ CISA, CISA Analysis: FY2020 Risk and Vulnerability 
Assessments (July 2021), https://www.cisa.gov/sites/default/files/publications/FY20-RVA-Analysis_508C.pdf.
---------------------------------------------------------------------------
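As an added illustration of the baselining described in paragraph 12 and the east-west visibility described in paragraph 13 (example code written for this page, not part of the order, of any NERC standard, or of any vendor product), the following Python sketch runs constructed flow summaries from a trust zone through the three INSM stages of paragraph 9: collection, detection against a learned baseline, and analysis. Hostnames, ports, byte counts and the flow-line format are invented; the baseline records which (source, destination, protocol, port) tuples appeared during a clean observation window and the largest transfer seen for each, then later flows are flagged when they reach a new peer or exceed the learned volume.

```python
"""Baseline-and-detect over east-west flow records inside a trust zone.

Constructed example for illustration only (not from the FERC order or any
NERC standard). Models the three INSM stages the order describes:
collection (parse flow summaries), detection (compare against a learned
baseline) and analysis (group alerts by source host).
"""
from collections import defaultdict
from dataclasses import dataclass

# Flows seen during a clean observation window (constructed data).
BASELINE_WINDOW = """
# src           dst           proto dport bytes
hmi-01          plc-01        tcp   502   1200     # HMI polls PLC over Modbus/TCP
hmi-01          plc-02        tcp   502   1180
historian-01    hmi-01        tcp   4840  9000     # historian scrapes HMI over OPC UA
ews-01          plc-01        tcp   44818 300      # engineering workstation manages PLC
"""

# Flows seen during a later monitoring window (constructed data).
MONITOR_WINDOW = """
hmi-01          plc-01        tcp   502   1210
hmi-01          plc-02        tcp   502   1150
historian-01    hmi-01        tcp   4840  150000   # known pair, far above learned volume
hmi-01          historian-01  tcp   445   52000    # HMI never spoke SMB to historian
hmi-01          ews-01        tcp   3389  410000   # HMI never opened RDP to the EWS
ews-01          plc-02        tcp   44818 320      # EWS touches a PLC outside its baseline
"""

VOLUME_FACTOR = 10  # flag a known tuple when bytes exceed this multiple of the baseline max


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int

    def key(self) -> tuple[str, str, str, int]:
        """Identity used for baselining: who talks to whom, over what service."""
        return (self.src, self.dst, self.proto, self.dport)


def parse_flows(text: str) -> list[Flow]:
    """Collection stage: parse 'src dst proto dport bytes' lines.

    Blank lines and '#' comments (whole-line or trailing) are ignored; a
    malformed line raises rather than being silently dropped, since a gap in
    collection would itself be an INSM failure.
    """
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"malformed flow line: {raw!r}")
        src, dst, proto, dport, nbytes = fields
        flows.append(Flow(src, dst, proto.lower(), int(dport), int(nbytes)))
    return flows


def build_baseline(flows: list[Flow]) -> dict[tuple[str, str, str, int], int]:
    """Learn normal peer/service tuples and the largest transfer seen for each."""
    baseline: dict[tuple[str, str, str, int], int] = {}
    for f in flows:
        baseline[f.key()] = max(baseline.get(f.key(), 0), f.nbytes)
    return baseline


def detect(flows: list[Flow], baseline: dict) -> list[tuple[str, Flow]]:
    """Detection stage: return (reason, flow) pairs for flows outside the baseline.

    'new-peer'  = tuple never observed during the clean window
    'volume'    = known tuple whose byte count exceeds VOLUME_FACTOR x learned max
    """
    alerts = []
    for f in flows:
        learned_max = baseline.get(f.key())
        if learned_max is None:
            alerts.append(("new-peer", f))
        elif f.nbytes > VOLUME_FACTOR * learned_max:
            alerts.append(("volume", f))
    return alerts


def analyze(alerts: list[tuple[str, Flow]]) -> dict[str, list[tuple[str, str, str, int, str]]]:
    """Analysis stage: per source host, the new destinations/services and why each fired."""
    summary = defaultdict(set)
    for reason, f in alerts:
        summary[f.src].add((f.dst, f.proto, f.dport, reason))
    return {host: sorted(entries) for host, entries in summary.items()}


def run_example() -> dict:
    """Run the full pipeline on the constructed windows and return the analysis."""
    baseline = build_baseline(parse_flows(BASELINE_WINDOW))
    return analyze(detect(parse_flows(MONITOR_WINDOW), baseline))


if __name__ == "__main__":
    for host, entries in run_example().items():
        print(host)
        for dst, proto, dport, reason in entries:
            print(f"  -> {dst} {proto}/{dport}  [{reason}]")
```

On the constructed data the run surfaces the three new peer relationships and the oversized historian transfer while leaving the routine Modbus polling silent, which is the distinction a baseline gives an analyst that perimeter logs alone cannot.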

C. Notice of Proposed Rulemaking

    14. On January 20, 2022, the Commission issued the INSM NOPR 
proposing to direct NERC to develop new or modified CIP Reliability 
Standards to require INSM for high and medium impact BES Cyber Systems. 
In the NOPR, the Commission preliminarily found that the currently 
effective CIP Reliability Standards do not address INSM, thus leaving a 
gap in the CIP Reliability Standards.\23\ The NOPR explained that 
including INSM requirements in the CIP Reliability Standards would 
ensure that responsible entities maintain visibility over 
communications between networked devices within a trust zone rather 
than simply monitoring communications at the network perimeter access 
point(s) (i.e., at the boundary of an electronic security perimeter as 
required by the current CIP requirements).\24\
---------------------------------------------------------------------------

    \23\ INSM NOPR, 178 FERC ¶ 61,038 at PP 2, 14, 26.
    \24\ Id. PP 2, 26.
---------------------------------------------------------------------------

    15. The NOPR discussed various risks to trusted CIP networks posed 
by the lack of requirements for INSM in the Standards, which include 
attackers: (1) escalating privileges; (2) moving inside the CIP-
networked environment; and (3) executing unauthorized code.\25\ In the 
context of supply chain risk, the NOPR explained that a malicious 
update from a known software vendor could be downloaded directly to a 
server as trusted code, and it would not set off any alarms until 
abnormal behavior occurred and was detected.\26\ The NOPR explained 
that, because the CIP-networked environment is a trust zone, a 
compromised server in the trust zone could be used to install malicious 
updates directly onto devices that are internal to the CIP-networked 
environment without detection. Further, in the context of an insider 
threat, an employee with elevated administrative credentials could 
identify and collect data, add accounts, delete logs, or even 
exfiltrate data without being detected. The NOPR also pointed to the 
SolarWinds attack as an example of how an attacker can bypass all 
network perimeter-based security controls traditionally used to 
identify the early phases of an attack.\27\ This supply chain attack 
leveraged a trusted vendor to compromise the networks of public and 
private organizations.\28\
---------------------------------------------------------------------------

    \25\ Id. P 33.
    \26\ Id. P 17.
    \27\ Id. P 18 (citing FERC, NERC, SolarWinds and Related Supply 
Chain Compromise, at 16 (July 7, 2021), https://cms.ferc.gov/media/solarwinds-and-related-supply-chain-compromise-0).
    \28\ A threat actor gained access to the SolarWinds production 
environment, ``pushed'' malicious code through legitimate updates to 
customers and enabled the adversary to gain remote access and 
network privileges allowing the actor to manipulate identity and 
authentication mechanisms. SolarWinds and Related Supply Chain 
Compromise at 7.
---------------------------------------------------------------------------

    16. The NOPR sought comments on all aspects of the proposed 
directive, and it also specifically solicited responses to the 
following questions: (1) what are the potential challenges to 
implementing INSM (e.g., cost, availability of specialized resources, 
and documenting compliance); (2) what capabilities (e.g., software, 
hardware, staff, and services) are necessary or appropriate for INSM to 
meet the security objectives; (3) are the three security objectives for 
INSM described in the NOPR necessary and sufficient and, if not 
sufficient, what are other pertinent objectives that would support the 
goal of having responsible entities successfully implement INSM; and 
(4) what is a reasonable timeframe for developing and implementing 
Reliability Standards for INSM.\29\
---------------------------------------------------------------------------

    \29\ INSM NOPR, 178 FERC ¶ 61,038 at P 32.
---------------------------------------------------------------------------

    17. While the Commission's proposed directives centered on high and 
medium impact BES Cyber Systems, the Commission also sought comment on 
the usefulness and practicality of implementing INSM to detect 
malicious activity in networks with low impact BES Cyber Systems, as 
well as potentially identifying a subset of low impact BES Cyber 
Systems to which INSM requirements could apply.\30\ In particular, the 
Commission sought comment on whether the same risks associated with 
high and medium impact BES Cyber Systems also apply to low impact BES 
Cyber Systems.\31\ Commensurate with their impact on the Bulk-Power 
System, low impact BES Cyber Systems have fewer security controls and, 
unlike high and medium impact BES Cyber Systems, are not subject to 
monitoring at the network perimeter access point(s).\32\
---------------------------------------------------------------------------

    \30\ Id. PP 4, 33-34.
    \31\ Id. P 33.
    \32\ See Version 5 Critical Infrastructure Protection 
Reliability Standards, Order No. 791, 78 FR 72756 (Dec. 13, 2013), 
145 FERC ¶ 61,160, at P 106 (2013), order on clarification and 
reh'g, Order No. 791-A, 78 FR 24107 (Apr. 24, 2013), 146 FERC ¶ 
61,188 (2014) (finding that categorizing assets as high, medium, or 
low based on their impact on the reliable operation of the Bulk-
Power System, with all BES Cyber Systems being categorized as at 
least low impact, offers more comprehensive protection than prior 
versions of the standards and declining to require NERC to develop 
specific controls for low impact facilities).
---------------------------------------------------------------------------

    18. The comment period for the NOPR ended on March 28, 2022, and 
the Commission received 22 sets of comments, including one late-filed 
comment.\33\ A list of commenters appears in Appendix A.
---------------------------------------------------------------------------

    \33\ The late-filed comment raised issues that were outside the 
scope of this rulemaking. Accordingly, we do not address the comment 
here.
---------------------------------------------------------------------------

III. Need for Reform

    19. INSM is a component of a comprehensive cybersecurity strategy 
as it provides an additional layer of defense against intrusions 
regardless of the attack vector or whether existing security controls 
failed. With INSM, an entity can maintain visibility over 
communications between networked devices within a trust zone and detect 
malicious activity that has circumvented perimeter controls.\34\

[[Page 8358]]

INSM facilitates the detection of anomalous network activity indicative 
of an attack in progress, thus increasing the probability of early 
detection and allowing for quicker mitigation and recovery from an 
attack.\35\ Without INSM, an attacker may be able to move among devices 
internal to a trust zone using network pathways and required protocols 
to send malicious communications. Further, without INSM, an attacker 
could exploit legitimate cyber resources to: (1) escalate privileges 
(i.e., exploit a software vulnerability to gain administrator account 
privileges); (2) move undetected inside the trust zone of the CIP-
networked environment; or (3) execute unauthorized code (e.g., a virus 
or ransomware).
---------------------------------------------------------------------------

    \34\ INSM NOPR, 178 FERC ¶ 61,038 at P 11.
    \35\ Id. P 2.
---------------------------------------------------------------------------

    20. Currently, network security monitoring in the CIP Reliability 
Standards focuses on network perimeter defense and preventing 
unauthorized access at the electronic security perimeter. While the CIP 
Reliability Standards require monitoring of inbound and outbound 
internet communications at the electronic security perimeter,\36\ the 
currently effective CIP Reliability Standards do not require INSM 
within trusted CIP-networked environments for BES Cyber Systems. This 
leaves a gap in the CIP Reliability Standards for situations where 
vendors or individuals with authorized access are considered secure and 
trustworthy but could still introduce a cybersecurity risk, as well as 
other attack vectors that can exploit this gap. Additionally, the lack 
of INSM controls diminishes an essential component of a defense-in-
depth strategy and therefore may increase the time it takes an entity 
to detect an intrusion and the time an attacker has to leverage 
compromised user accounts and traverse unmonitored network 
connections.\37\
---------------------------------------------------------------------------

    \36\ See Reliability Standard CIP-005-6 (Electronic Security 
Perimeter(s)).
    \37\ INSM NOPR, 178 FERC ¶ 61,038 at P 31; see also Nat'l Sec. 
Agency, Network Infrastructure Security Guide (June 2022), https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF.
---------------------------------------------------------------------------

    21. The currently effective CIP Reliability Standards, while 
offering a broad set of cybersecurity protections, do not require INSM. 
For example, Reliability Standard CIP-005-6 (Electronic Security 
Perimeter(s)), Requirement R1.5 addresses monitoring of network traffic 
for malicious communications at the electronic security perimeter. 
Under CIP-005-6 Requirement R1.5, the only locations that require 
network security monitoring are the electronic security perimeter 
electronic access points for high and medium impact BES Cyber Systems 
at control centers. Additionally, Reliability Standard CIP-007-6 
(System Security Management), Requirement R.4.1.3 addresses security 
monitoring and requires the entity to detect malicious code for all 
high and medium impact BES Cyber Systems and their associated 
electronic access control or monitoring systems, physical access 
control systems, and protected cyber assets. To comply with Reliability 
Standard CIP-007-6 R.4.1.3, responsible entities must install security 
monitoring tools at the device level but are not required to use INSM 
methods, such as intrusion detection systems.\38\
---------------------------------------------------------------------------

    \38\ Under Reliability Standard CIP-007-6, Requirement R.4.1.3, 
an entity may choose, but is not required, to use system-generated 
listing of network log in/log outs, or malicious code, or other 
types of monitored network traffic only at the perimeter of all 
medium and high impact BES Cyber Systems (and not within the trust 
zone, unlike INSM). The related Measures for this provision provide 
examples of acceptable evidence of compliance, including a paper or 
system-generated listing of monitored activities for which the BES 
Cyber System is configured to log and capable of detecting.
---------------------------------------------------------------------------

    22. Further, the currently effective CIP Reliability Standards do 
not require responsible entities to ensure that anomalous activity 
within the trust zone can be identified with a high level of confidence 
because the CIP Reliability Standards are focused on perimeter-based 
security with limited internal security controls. The three INSM 
security objectives--pertaining to (1) baselining, (2) monitoring and 
detecting unauthorized activity, and (3) identification of anomalous 
activity--aim to address this deficiency. As discussed below, new or 
modified Reliability Standards responsive to this final action must 
address these three objectives.
    23. For the reasons discussed below, in this final action we affirm 
the preliminary finding in the NOPR that the lack of INSM requirements 
in the currently effective CIP Reliability Standards constitutes a 
security gap. Further, we conclude that there is a sufficient basis for 
a directive to NERC to require INSM in the CIP Reliability Standards 
for all high impact BES Cyber Systems with and without external 
routable connectivity and medium impact BES Cyber Systems with external 
routable connectivity.\39\
---------------------------------------------------------------------------

    \39\ INSM architecture generally relies on external routable 
connectivity to achieve the full, real-time benefits of INSM, such 
as the capability to transmit collected data from network traffic 
and devices to a centralized location for further analysis by 
cybersecurity professionals.
---------------------------------------------------------------------------

IV. Discussion

A. Overview

    24. Pursuant to FPA section 215(d)(5), we direct NERC to develop 
new or modified CIP Reliability Standards that require applicable 
responsible entities to implement INSM for all high impact BES Cyber 
Systems with and without external routable connectivity and medium 
impact BES Cyber Systems with external routable connectivity. Given the 
importance of timely addressing the identified security gap, we direct 
that NERC submit responsive new or modified CIP Reliability Standards 
within 15 months of the effective date of this final action. Based on 
the comments received in response to the NOPR, we determine that the 
record in this proceeding supports the development of mandatory 
requirements for the implementation of INSM for all high impact BES 
Cyber Systems with and without external routable connectivity and 
medium impact BES Cyber Systems with external routable connectivity 
that are within the control of responsible entities that fall within 
the scope of our authority under FPA section 215.
    25. Overall, commenters agree with the benefits of implementing 
INSM as an additional layer of cybersecurity protection, although 
commenters differ on the contours of a directive to NERC to address the 
issue. NERC notes that while there may be challenges, INSM ``would be 
an appropriate approach'' to address the risks identified in the 
NOPR.\40\
---------------------------------------------------------------------------

    \40\ NERC Comments at 3; see also EPSA Comments at 3; Idaho 
Power Comments at 2; ISO/RTO Comments at 3.
---------------------------------------------------------------------------

    26. NERC and other commenters support new or modified CIP 
Reliability Standards that address INSM for high impact BES Cyber 
Systems as a worthwhile improvement to the cybersecurity posture of the 
Bulk-Power System.\41\ While no entities altogether oppose INSM for 
high impact BES Cyber Systems, two commenters recommend limiting INSM 
at high impact BES Cyber Systems to those located in a control center 
or those systems with external routable connectivity.\42\
---------------------------------------------------------------------------

    \41\ E.g., NERC Comments at 8; BPA Comments at 1; Trades 
Comments at 1.
    \42\ See ITC Comments at 7; Idaho Power Comments at 2.
---------------------------------------------------------------------------

    27. Support for requiring the implementation of INSM for medium 
impact BES Cyber Systems varies, with a majority of commenters agreeing 
that extending INSM to at least some medium impact BES Cyber Systems 
could address the risks to the security of the Bulk-Power System 
identified in

[[Page 8359]]

the NOPR.\43\ Several other commenters also recognize that the NOPR's 
proposed directives regarding INSM are appropriate to address the 
threats that high and medium impact BES Cyber Systems face, and their 
potential impact on the reliable and secure operation of the Bulk-Power 
System.\44\ Other commenters, however, either oppose the proposal for 
medium impact BES Cyber Systems \45\ or advocate for delayed or limited 
inclusion of medium impact BES Cyber Systems within the scope of CIP 
Reliability Standards.\46\
---------------------------------------------------------------------------

    \43\ NERC Comments at 3; Consumers Comments at 1-2; Cynalytica 
Comments at 1; ISO/RTO Council Comments at 2-3; Juniper Comments at 
1-2; Microsoft Comments at 1; MRO NSRF Comments at 1-2; NAGF 
Comments at 1; Nozomi Networks Comments at 3; OT Coalition Comments 
at 3; TAPS Comments at 14; Conway Comments at 1.
    \44\ E.g., EPSA Comments at 3; Idaho Power Comments at 2; ISO/
RTO Comments at 3.
    \45\ BPA Comments at 2.
    \46\ EPSA Comments at 2; Idaho Power Comments at 2; Indicated 
Trade Associations Comments at 9.
---------------------------------------------------------------------------

    28. Commenters raise challenges that may arise during development 
and implementation of CIP Reliability Standards requiring INSM for 
medium impact BES Cyber Systems that do not have external routable 
connectivity. These challenges include the large number of such medium 
impact BES Cyber Systems, which pose staffing and resource constraints 
for responsible entities and the possibility of supply chain 
constraints limiting the availability of necessary hardware and 
software tools to fully implement INSM.\47\ As discussed below, we are 
persuaded by the comments raising challenges and thus modify the NOPR 
proposal by directing that NERC develop new or modified Reliability 
Standards requiring implementation of INSM for medium impact BES Cyber 
Systems with external routable connectivity.
---------------------------------------------------------------------------

    \47\ E.g., BPA Comments at 3; EPSA Comments at 3; Idaho Power 
Comments at 2.
---------------------------------------------------------------------------

    29. Further, we decline at this time to direct NERC to develop new 
or modified CIP Reliability Standards to require INSM for low impact 
BES Cyber Systems. NERC and most other commenters note that the risks 
associated with high and medium impact BES Cyber Systems do not apply 
to low impact BES Cyber Systems and that the costs associated with 
implementing INSM for low impact BES Cyber Systems would not result in 
a corresponding benefit to security.\48\
---------------------------------------------------------------------------

    \48\ E.g., NERC Comments at 8; BPA Comments at 4-5; MRO NSRF 
Comments at 4; NAGF Comments at 4.
---------------------------------------------------------------------------

    30. Although we decline to direct NERC to develop new or modified 
CIP Reliability Standards requiring INSM for medium impact BES Cyber 
Systems without external routable connectivity and all low impact BES 
Cyber Systems in this final action, we recognize the importance of 
bolstering the cybersecurity of these systems. We believe that the 
current lack of visibility at low impact BES Cyber Systems, as well as 
medium impact BES Cyber Systems with similar configurations (i.e., 
serial-connected and other physical non-internet protocol based 
industrial control system communications), may leave systems vulnerable 
to cyberattacks that degrade the reliable and secure operation of the 
Bulk-Power System. However, we also recognize that extending INSM 
requirements to all low impact BES Cyber Systems would be difficult to 
implement or audit, given that there is neither a requirement for 
entities to identify their low impact BES Cyber Systems on an 
individual basis nor a requirement for entities to identify an 
electronic security perimeter for their low impact BES Cyber 
Systems.\49\ Therefore, as discussed below, we direct NERC, pursuant to 
§ 39.2(d) of the Commission's regulations,\50\ to submit to the 
Commission a report discussing the results of the study assessing the 
risks, implementation challenges, and potential solutions for all low 
impact BES Cyber Systems and medium impact BES Cyber Systems without 
external routable connectivity, within 12 months of the issuance of 
this final action.
---------------------------------------------------------------------------

    \49\ Reliability Standard CIP-003-8 (Security Management 
Controls), Requirement R2, requires that an entity with low impact 
BES Cyber Systems must implement a cybersecurity plan that includes 
elements specified in Attachment 1 of CIP-003-8. While entities must 
implement a plan that includes ``electronic access controls,'' the 
NERC defined term ``Electronic Security Perimeter'' is not mentioned 
in Attachment 1.
    \50\ 18 CFR 39.2(d) (the ERO shall provide the Commission such 
information as is necessary to implement section 215 of the FPA).
---------------------------------------------------------------------------

    31. We address below the following issues raised in the NOPR and 
NOPR comments: (1) the need for INSM Reliability Standards for all high 
impact BES Cyber Systems with and without external routable 
connectivity and medium impact BES Cyber Systems with and without 
external routable connectivity; (2) the extension of INSM to all low 
impact BES Cyber Systems; (3) security objectives of the new or 
modified Reliability Standards; and (4) standard development and 
implementation timelines. Further, we address the need for further 
study to support future action as warranted to require INSM for medium 
impact BES Cyber Systems without external routable connectivity and all 
low impact BES Cyber Systems.

B. INSM for High and Medium Impact BES Cyber Systems

    32. In the NOPR, the Commission proposed to direct NERC to develop 
new or modified CIP Reliability Standards requiring that responsible 
entities implement INSM for their high and medium impact BES Cyber 
Systems.\51\ The Commission preliminarily found that INSM, as a 
fundamental element of a zero-trust architecture,\52\ should improve 
the cybersecurity posture of responsible entities with high and medium 
impact BES Cyber Systems.\53\ The NOPR explained that the proposed 
directive centers on high and medium impact BES Cyber Systems to 
improve visibility within networks containing BES Cyber Systems whose 
compromise could have a significant impact on the reliable operation of 
the Bulk-Power System.\54\ The NOPR sought comments on all aspects of 
the proposed directive to NERC to modify the CIP Reliability Standards 
to require INSM for high and medium impact BES Cyber Systems.
---------------------------------------------------------------------------

    \51\ INSM NOPR, 178 FERC ¶ 61,038 at PP 29, 31.
    \52\ NIST defines zero-trust architecture as ``[a] security 
model, a set of system design principles, and a coordinated 
cybersecurity and system management strategy based on an 
acknowledgement that threats exist both inside and outside 
traditional network boundaries. The [zero-trust] security model 
eliminates implicit trust in any one element, component, node, or 
service and instead requires continuous verification of the 
operational picture via real-time information from multiple sources 
to determine access and other system responses.'' NIST, Computer 
Security Resource Center Glossary, https://csrc.nist.gov/glossary/term/zero_trust_architecture.
    \53\ INSM NOPR, 178 FERC ¶ 61,038 at P 30.
    \54\ Id. P 3.
---------------------------------------------------------------------------

1. Comments
a. Implementation of INSM for High Impact BES Cyber Systems
    33. NERC, BPA, Consumers, Cynalytica, ISO/RTO Council, Juniper 
Networks, Microsoft, MRO NSRF, NAGF, Nozomi Networks, and Conway 
support the NOPR's efforts to require INSM for high impact BES Cyber 
Systems.\55\ NERC states its support for INSM as an ``appropriate 
approach for consideration'' for high impact BES Cyber Systems.\56\
---------------------------------------------------------------------------

    \55\ NERC Comments at 3; Consumers Comments at 1-2; Cynalytica 
Comments at 1; ISO/RTO Council Comments at 2-3; Juniper Networks 
Comments at 1-2; Microsoft Comments at 1; MRO NSRF Comments at 1-2; 
NAGF Comments at 1; Nozomi Networks Comments at 1; Conway Comments 
at 1.
    \56\ NERC Comments at 8.
---------------------------------------------------------------------------

    34. BPA recommends that the Commission limit its initial rulemaking 
to only high impact BES Cyber Systems.\57\ BPA recognizes INSM as an 
important cybersecurity protection but

[[Page 8360]]

recommends phased adoption of INSM and limiting the initial rulemaking 
to high impact BES Cyber Systems, due to the resources and length of 
time needed to make such changes to industrial control systems. BPA 
recommends that the Commission, in a future proceeding, explore whether 
INSM requirements should apply to remote medium and low impact 
facilities without external routable connectivity.\58\
---------------------------------------------------------------------------

    \57\ BPA Comments at 1.
    \58\ Id. at 3.
---------------------------------------------------------------------------

    35. Indicated Trade Associations and Idaho Power recommend limiting 
the NOPR's proposal for high impact BES Cyber Systems. Indicated Trade 
Associations explains that by prioritizing high impact BES Cyber 
Systems, responsible entities would be able to ``gather operational 
experience with INSM technologies.'' \59\ While Indicated Trade 
Associations support implementation of INSM for high impact BES Cyber 
Systems, they also ask the Commission to convene a forum prior to 
issuing any directive. Idaho Power also tempers its support of the NOPR 
recommendations, emphasizing that its support of INSM within BES Cyber 
Systems is limited to those with external routable connectivity--
although also noting that the majority of high impact BES cyber systems 
likely already have external routable connectivity.\60\
---------------------------------------------------------------------------

    \59\ Indicated Trade Associations Comments at 9.
    \60\ Idaho Power Comments at 2.
---------------------------------------------------------------------------

    36. ITC's comments support limiting INSM to high impact BES Cyber 
Systems located in control centers because they have larger numbers of 
more diversely routed systems with greater external connectivity and 
therefore more access for an attacker to exploit.\61\ According to ITC, 
additional focus on the prevention of electronic security perimeter 
breaches continues to be the most effective overall approach to 
improving the cybersecurity of responsible entities. ITC also cautions 
that implementing INSM as contemplated by the NOPR could cause 
congestion and potentially slow the reactions of operators, who must 
observe and respond quickly to system and customer needs.\62\
---------------------------------------------------------------------------

    \61\ ITC Comments at 2-3.
    \62\ Id. at 2.
---------------------------------------------------------------------------

    Instead of INSM, ITC states that it and many other entities already 
employ hub-and-spoke architecture \63\ for their electronic security 
perimeters to protect the BES Cyber Systems and BES Cyber Assets within 
them, which it asserts are inconsistent with (and in many cases, 
duplicative of) the NOPR proposed directives. Further, ITC explains 
that as its hub-and-spoke architecture uses few connections between BES 
Cyber Assets and BES Cyber Systems within each electronic security 
perimeter, monitoring of such ``fixed, small-scale network traffic'' 
provides little security benefit compared to the costs.\64\ ITC 
recommends that the Commission consider other cybersecurity strategies 
like application whitelisting \65\ for defense-in-depth, which it 
asserts provide comparable security to INSM.\66\
---------------------------------------------------------------------------

    \63\ ITC explains that hub-and-spoke architecture uses many, 
relatively small, electronic security perimeters, each containing a 
small number of BES Cyber Systems and/or Assets that are often in 
close physical proximity to each other but using few connections 
between Cyber Assets and Systems within each electronic security 
perimeter. Id. at 4.
    \64\ Id.
    \65\ Whitelisting, also referred to as allowlisting, allows only 
selected authorized programs to run, while all other programs are 
blocked from running by default. It is used to establish a baseline 
for authorized applications and file locations and prevents any 
action that departs from that baseline. See CISA, Guidelines for 
Application Whitelisting, (2013), https://www.cisa.gov/uscert/sites/default/files/documents/Guidelines%20for%20Application%20Whitelisting%20in%20Industrial%20Control%20Systems_S508C.pdf.
    \66\ ITC Comments at 6.
---------------------------------------------------------------------------

    37. Indicated Trade Associations and NAGF both note that entities 
may not have the same internal networks or architectures and that some 
may have implemented network segmentation or micro-segmentation of 
their networks.\67\ NAGF explains that applying a complex and costly 
INSM infrastructure may disincentivize the use of segmentation.\68\
---------------------------------------------------------------------------

    \67\ Indicated Trade Associations Comments at 17; NAGF Comments 
at 2. Network segmentation is one way of improving security by 
dividing a larger network into multiple segments, which each act as 
their own small network.
    \68\ NAGF Comments at 2.
---------------------------------------------------------------------------

b. Implementation of INSM for Medium Impact BES Cyber Systems
    38. NERC, Consumers, Cynalytica, ISO/RTO Council, Juniper Networks, 
Microsoft, MRO NSRF, NAGF, Nozomi Networks, and Conway support the 
NOPR's efforts to require INSM for medium impact BES Cyber Systems.\69\
---------------------------------------------------------------------------

    \69\ NERC Comments at 3; Consumers Comments at 1-2; Cynalytica 
Comments at 1; ISO/RTO Council Comments at 2-3; Juniper Networks 
Comments at 1-2; Microsoft Comments at 1; MRO NSRF Comments at 1-2; 
NAGF Comments at 1; Nozomi Networks Comments at 1; Conway Comments 
at 1.
---------------------------------------------------------------------------

    39. NERC states that it supports the efforts to address the risks 
identified in the NOPR (such as a bad actor leveraging vendors or 
others with authorized access to a network to attack these systems) and 
agrees that INSM is an appropriate approach to address such risks.\70\ 
NERC comments that INSM could benefit the CIP Reliability Standards as 
a ``consistent means of gaining visibility and awareness'' within an 
electronic security perimeter.\71\ Furthermore, NERC recognizes ``the 
importance of maturing security controls pertaining to zero-trust 
principles within Reliability Standards'' and agrees with the NOPR that 
INSM would advance responsible entities' cybersecurity posture towards 
zero-trust architecture.\72\ Both NERC and Conway explain that INSM 
ensures that there is monitoring of east-west endpoint to endpoint 
communications internal to the electronic security perimeter.\73\ ISO/
RTO Council and MRO NSRF, also supporting the NOPR proposal, state that 
systems solutions for anomaly detection, such as east-west monitoring, 
allow for more efficient summarizing of data and identification of 
anomalies.\74\
---------------------------------------------------------------------------

    \70\ NERC Comments at 3.
    \71\ Id. at 5.
    \72\ Id. at 6.
    \73\ NERC Comments at 4-5; Conway Comments at 2.
    \74\ ISO/RTO Council Comments at 4-5; MRO NSRF Comments at 2.
---------------------------------------------------------------------------

    40. NAGF supports the NOPR proposal and states that INSM will 
complement existing network security perimeter monitoring requirements 
for high and medium impact BES Cyber Systems through improved internal 
network communications visibility.\75\ In support of the NOPR proposal, 
Consumers notes that it has already independently concluded that INSM 
warrants investment and has implemented INSM for most of its high and 
medium impact BES Cyber Systems within an electronic security 
perimeter.\76\
---------------------------------------------------------------------------

    \75\ NAGF Comments at 1.
    \76\ Consumers Comments at 2.
---------------------------------------------------------------------------

    41. Comments from technology vendors support the NOPR's proposed 
directives to add INSM to the NERC CIP Reliability Standards. 
Cynalytica and Microsoft both point to INSM as being crucial to a zero-
trust strategy.\77\ Cynalytica further opines ``that all BES Cyber 
Systems should be monitored to ensure the visibility and operational 
situational awareness that a true zero-trust strategy brings in support 
of critical infrastructure resiliency.'' \78\ Microsoft also supports 
directing NERC to develop Reliability Standards that require INSM for 
high and medium

[[Page 8361]]

impact BES Cyber Systems.\79\ Nozomi and Juniper Networks also support 
the proposal, asserting that, given the increasingly sophisticated 
methods by which attackers gain access to critical systems, it is 
critical that entities move beyond protection of the electronic 
security perimeter and implement dynamic, persistent monitoring 
measures.
---------------------------------------------------------------------------

    \77\ Cynalytica Comments at 1; Microsoft Comments at 3 
(asserting that the Commission's recommendations for implementation 
of INSM on BES Cyber Systems is a cybersecurity best practice and is 
consistent with a zero-trust security model and is consistent with 
the White House zero-trust strategy published in January 2022 
(citing White House, Moving the U.S. Government Toward Zero Trust 
Cybersecurity Principles (Jan. 26, 2022), https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf)).
    \78\ Cynalytica Comments at 4.
    \79\ Microsoft Comments at 1.
---------------------------------------------------------------------------

    42. CDWR, Electricity Canada, the OT Coalition, Reclamation, and 
TAPs focus their comments on the effectiveness of using INSM to achieve 
cybersecurity goals rather than explicitly supporting or opposing the 
NOPR proposal to implement INSM for high and medium impact BES Cyber 
Systems.\80\ For example, CDWR requests that the Commission consider 
whether directives necessary to provide an adequate level of 
reliability and security are also cost effective.\81\ And Electricity 
Canada states that it agrees that INSM is an important part of an 
overall cybersecurity strategy when implemented at appropriate 
locations in a network.\82\
---------------------------------------------------------------------------

    \80\ CDWR Comments at 4; Electricity Canada Comments at 2; OT 
Coalition Comments at 3-4; Reclamation Comments at 3; TAPS Comments 
at 1.
    \81\ CDWR Comments at 4.
    \82\ Electricity Canada Comments at 2.
---------------------------------------------------------------------------

c. Limiting INSM for Medium Impact BES Cyber Systems Based on External 
Routable Connectivity
    43. Although the NOPR did not distinguish the proposed directive 
for medium impact BES Cyber Systems by risk, their location at control 
centers, or the existence of external routable connectivity, commenters 
raise the possibility of limiting INSM on those bases.
    44. EPSA, supporting Indicated Trade Associations' request for the 
Commission to convene a forum prior to issuing any directive, argues 
that while high impact BES Cyber Systems are indisputably worthy of 
INSM measures, any new requirements imposed on medium impact locations 
should be commensurate with the risk posed by each individual location 
that could be compromised. Therefore, EPSA asserts that if the 
Commission does act before convening a forum, that it phase in new 
requirements based on risk, for example beginning with high impact BES 
Cyber Systems and only medium impact BES Cyber Systems at control 
centers. EPSA states that this phased implementation would allow 
entities to account for challenges while controlling costs and 
constraints.\83\
---------------------------------------------------------------------------

    \83\ EPSA Comments at 4.
---------------------------------------------------------------------------

    45. ITC and Indicated Trade Associations support INSM for medium 
impact BES Cyber Systems located at control centers. ITC asserts that 
the Commission could direct NERC to develop a Reliability Standard 
which requires INSM only for high and medium impact BES Cyber Systems 
within control centers to achieve a more balanced risk-to-cost outcome. 
According to ITC, control centers generally contain more diversely 
routed Cyber Systems with greater external connectivity beyond the 
electronic security perimeter, which provides more access for an 
attacker to exploit.\84\ Further, as ITC explains, control centers' 
electronic security perimeters already require network monitoring that 
reduces the difficulty and expense of implementing INSM at these 
locations.\85\ Similarly, while Indicated Trade Associations agree with 
the Commission that implementation of INSM may improve the security 
posture of entities owning or operating high impact BES Cyber Systems 
and ``holds significant potential to increase grid visibility and 
capability of detecting and mitigating malicious activity,'' \86\ they 
propose limiting the implementation to high impact BES Cyber Systems 
and medium impact BES Cyber Systems located at control centers.\87\
---------------------------------------------------------------------------

    \84\ ITC Comments at 7.
    \85\ Id.
    \86\ Indicated Trade Associations Comments at 7.
    \87\ Id. at 2.
---------------------------------------------------------------------------

    46. Idaho Power states that it agrees with the Commission that 
implementing INSM at medium impact BES Cyber Systems, in particular 
those with external routable connectivity, is ``justified and necessary 
for the threats these systems are facing.'' \88\ Idaho Power explains 
that BES Cyber Systems with external routable connectivity provide an 
additional remote attack vector which is not present in systems without 
it, and warns that if there is a requirement for INSM for systems that 
do not currently have external routable connectivity, entities may add 
external routable connectivity (and therefore an additional attack 
vector) in order to meet the INSM requirements.\89\ Idaho Power 
recommends that, if the Commission were to require INSM at high and 
medium impact BES Cyber Systems, the Commission should limit the 
directive to BES Cyber Systems with external routable connectivity, 
since external routable connectivity is arguably needed to take full 
advantage of INSM.\90\ Although BPA recommends implementing INSM 
initially only at high impact BES Cyber Systems, it states that if the 
Commission orders implementation at medium impact BES Cyber Systems as 
well, the Commission should limit the implementation to medium impact 
BES Cyber Systems with external routable connectivity.\91\
---------------------------------------------------------------------------

    \88\ Idaho Power Comments at 2.
    \89\ Id.
    \90\ Id.
    \91\ BPA Comments at 3.
---------------------------------------------------------------------------

    47. Commenters point out the following concerns if this final 
action were to apply to all medium impact BES Cyber Systems, including 
those without external routable connectivity: (1) lengthy timelines for 
implementation; \92\ (2) lack of external routable connectivity at many 
medium impact BES Cyber Systems, which is needed to effectively 
implement INSM; \93\ (3) for large entities, the undertaking may be 
sizable given their wider footprint for monitoring and detecting; \94\ 
(4) already limited personnel would be stretched thin and there may be 
a shortage of qualified staff; \95\ and (5) costs would far exceed any 
potential cybersecurity benefit.\96\
---------------------------------------------------------------------------

    \92\ Id.
    \93\ Id. at 1, 3; Idaho Power Comments at 2.
    \94\ Indicated Trade Associations Comments at 10 (referring to 
large entities with multi-state footprints and several hundred 
physical locations).
    \95\ Id. at 2; EPSA Comments at 4; ITC Comments at 5; TAPS 
Comments at 4.
    \96\ ITC Comments at 4; TAPS Comments at 3-5.
---------------------------------------------------------------------------

    48. In its comments opposing INSM for medium impact BES Cyber 
Systems, BPA explains that many medium impact BES Cyber Systems do not 
have external routable connectivity and that these systems therefore 
pose minimal risk to intrusion and do not strongly implicate the INSM 
objectives identified by the Commission.\97\ Similar to BPA, Indicated 
Trade Associations assert that not all medium impact BES Cyber Systems 
have external routable connectivity and therefore conclude that without 
this attack surface, there is less to monitor.\98\ Furthermore, 
Indicated Trade Associations argue that medium impact BES Cyber Systems 
without external routable connectivity do not contain the same risk, or 
pose the same potential impact, as medium impact BES Cyber Systems with 
external routable connectivity because an attacker does not have a path 
to move beyond the local trust zone.\99\
---------------------------------------------------------------------------

    \97\ BPA Comments at 4.
    \98\ Indicated Trade Associations Comments at 9.
    \99\ Id. at 9-10.
---------------------------------------------------------------------------

2. Commission Determination
    49. Pursuant to FPA section 215(d)(5), we direct NERC to develop 
new or modified CIP Reliability Standards that require INSM for CIP-
networked environments for all high impact BES

[[Page 8362]]

Cyber Systems with and without external routable connectivity and 
medium impact BES Cyber Systems with external routable connectivity. We 
determine that requirements to implement INSM as we direct in this 
final action will fill a gap in the current suite of CIP Reliability 
Standards and improve the cybersecurity posture of the Bulk-Power 
System.\100\ Specifically, a requirement for INSM that augments 
existing perimeter defenses will increase network visibility so that an 
entity may understand what is occurring in its CIP-networked 
environment and, thus, improve capability to timely detect potential 
compromises.\101\ INSM also allows for the collection of data and 
analysis required to implement a defense strategy, improves an entity's 
incident investigation capabilities, and increases the likelihood that 
an entity can better protect itself from a future cyberattack and 
address any security gaps the attacker was able to exploit.
---------------------------------------------------------------------------

    \100\ See, e.g., NERC Comments at 4-5 (current CIP Standards 
require ``malicious communications monitoring at the Electronic 
Access Point on the [electronic security perimeter], not necessarily 
monitoring of activity of those who already have access to the 
network'').
    \101\ Id. at 5 (``CIP Reliability Standards could benefit from 
consideration of internal network security monitoring requirements 
as a consistent means of gaining visibility and awareness within an 
[electronic security perimeter].'').
---------------------------------------------------------------------------

    50. Moreover, the NOPR identified certain cyber-related risks that 
implementation of INSM could mitigate through early detection, such as 
a supply chain attack leveraging malicious updates from a known 
software vendor (i.e., SolarWinds attack) and ransomware attacks.\102\ 
NERC and other commenters agree that INSM is an appropriate approach to 
address such risks.\103\
---------------------------------------------------------------------------

    \102\ INSM NOPR, 178 FERC ¶ 61,038 at PP 17-19.
    \103\ E.g., NERC Comments at 6; Juniper Comments at 1.
---------------------------------------------------------------------------

    51. We disagree with ITC's rationale for opposing the NOPR 
proposal. In particular, we disagree with ITC's assertions that the 
NOPR proposals are an ``overly aggressive implementation of'' zero-
trust architecture.\104\ As explained in the NOPR, while INSM is a 
fundamental element of the zero-trust architecture, it is only one of 
many aspects.\105\ Furthermore, ITC presents its statement that INSM 
could perform only limited monitoring of its fixed, small-scale network 
traffic, and thus would provide ITC little benefit,\106\ without further 
context or explanation. Additionally, we disagree with 
ITC's assertion that application whitelisting provides comparable 
security to INSM. Application whitelisting is a security tool 
implemented at the cyber asset level and does not monitor network 
traffic, which is the purpose of INSM. Therefore, application 
whitelisting and INSM are two distinct components of a defense-in-depth 
strategy and two distinct components of zero-trust architecture.
---------------------------------------------------------------------------

    \104\ ITC Comments at 2.
    \105\ INSM NOPR, 178 FERC ¶ 61,038 at P 30.
    \106\ ITC Comments at 5.
---------------------------------------------------------------------------

    52. We are also not persuaded by ITC's objections to the NOPR 
proposal based on ITC's claims regarding the relative limited 
vulnerability of hub-and-spoke networks. A hub-and-spoke connection is 
bound on both sides by electronic security perimeters. Like any other 
BES Cyber Asset, the electronic access points of the hub and spoke 
configuration are addressed by the currently effective CIP Reliability 
Standards, but there is currently no required monitoring of network 
traffic within the hub and spoke electronic security perimeters. We 
disagree with ITC's assertion that hub-and-spoke architecture has lower 
risk because it uses few connections between Cyber Assets and Cyber 
Systems within each electronic security perimeter.\107\ INSM is a 
cybersecurity capability that is indifferent to the architecture to 
which it is applied. INSM is intended to monitor east-west network 
traffic that does not traverse the access point. An architecture like 
hub-and-spoke is not a substitute for a cybersecurity capability like 
INSM.
---------------------------------------------------------------------------

    \107\ Id. at 4.
---------------------------------------------------------------------------
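    The visibility gap described in paragraphs 49 through 52 (monitoring 
at the electronic access point sees only traffic that crosses the 
electronic security perimeter, while INSM watches east-west traffic 
between assets inside it) can be illustrated with a small flow 
classifier. The following is an added example, not code from the final 
action, NERC, or any commenter; the ESP address range, the asset 
baseline, and the flow records are constructed for illustration.

```python
"""Added example: classify flow records by whether they cross a
(hypothetical) electronic security perimeter (ESP), and flag east-west
flows inside the ESP that depart from a baseline of expected internal
conversations.

The ESP range, the baseline, and every flow record below are constructed
for illustration only; they are not taken from any CIP standard or filing.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical ESP: every BES Cyber Asset inside it lives in this range.
# Traffic entering or leaving this range passes the electronic access point.
ESP = ip_network("10.20.0.0/24")

# Hypothetical baseline of expected east-west conversations inside the ESP,
# keyed by (src, dst, dst_port, proto). An internal flow missing from this
# set is not proof of compromise; it is a deviation an analyst should review.
BASELINE = {
    ("10.20.0.10", "10.20.0.20", 502, "tcp"),  # HMI -> PLC, Modbus/TCP
    ("10.20.0.10", "10.20.0.21", 502, "tcp"),  # HMI -> second PLC
    ("10.20.0.30", "10.20.0.10", 443, "tcp"),  # historian polls the HMI
}


@dataclass(frozen=True)
class Flow:
    """One summarized connection record (constructed sample data)."""
    src: str
    dst: str
    dst_port: int
    proto: str


def direction(flow):
    """Return 'north-south' if the flow crosses the ESP boundary (and so is
    visible at the electronic access point), 'east-west' if both endpoints
    are inside the ESP (visible only to INSM), or 'external' otherwise."""
    src_inside = ip_address(flow.src) in ESP
    dst_inside = ip_address(flow.dst) in ESP
    if src_inside and dst_inside:
        return "east-west"
    if src_inside or dst_inside:
        return "north-south"
    return "external"


def review_flows(flows):
    """Split flows into what perimeter monitoring sees versus what only INSM
    sees, and flag east-west flows that are absent from the baseline.

    Returns (perimeter_visible, internal, anomalies)."""
    perimeter_visible, internal, anomalies = [], [], []
    for flow in flows:
        kind = direction(flow)
        if kind == "north-south":
            perimeter_visible.append(flow)
        elif kind == "east-west":
            internal.append(flow)
            key = (flow.src, flow.dst, flow.dst_port, flow.proto)
            if key not in BASELINE:
                anomalies.append(flow)
    return perimeter_visible, internal, anomalies


# Constructed flow records: one remote session through the access point,
# three expected internal conversations, two internal deviations, and one
# flow that never touches the ESP at all.
SAMPLE_FLOWS = [
    Flow("192.0.2.15", "10.20.0.10", 443, "tcp"),    # remote access via EAP
    Flow("10.20.0.10", "10.20.0.20", 502, "tcp"),    # expected HMI -> PLC
    Flow("10.20.0.30", "10.20.0.10", 443, "tcp"),    # expected historian poll
    Flow("10.20.0.20", "10.20.0.21", 445, "tcp"),    # PLC -> PLC, not baselined
    Flow("10.20.0.10", "10.20.0.30", 22, "tcp"),     # HMI -> historian, not baselined
    Flow("198.51.100.7", "203.0.113.9", 80, "tcp"),  # unrelated external traffic
]


if __name__ == "__main__":
    seen_at_eap, internal, anomalies = review_flows(SAMPLE_FLOWS)
    print(f"visible at the electronic access point: {len(seen_at_eap)}")
    print(f"east-west flows only INSM can observe:  {len(internal)}")
    for flow in anomalies:
        print(f"  review: {flow.src} -> {flow.dst}:{flow.dst_port}/{flow.proto}"
              " (not in east-west baseline)")
```

Of the six constructed flows, perimeter monitoring alone observes one; the two internal deviations surface only when east-west traffic is inspected.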

    53. Finally, we disagree with ITC's assertion that the ``NOPR's 
approach is also inconsistent with the Commission's long-standing risk-
based approach to reliability.'' \108\ The security objectives proposed 
in the INSM NOPR are risk-based and objective.\109\ Furthermore, 
malicious actors that compromise BES Cyber Systems within an electronic 
security perimeter could have the opportunity to perform the same 
functions as an authorized user, which includes operation of the Bulk-
Power System, as demonstrated by the Ukraine attacks referenced in the 
INSM NOPR.\110\
---------------------------------------------------------------------------

    \108\ Id.
    \109\ INSM NOPR, 178 FERC ¶ 61,038 at P 31.
    \110\ Id. P 21.
---------------------------------------------------------------------------

    54. We are not persuaded by BPA's request to limit our directive to 
INSM for high impact BES Cyber Assets based on resource and timing 
concerns, nor by ITC's assertion that INSM would lead to congestion. 
Rather, we believe that our decision to limit our directive at this time 
to those medium impact BES Cyber Assets with external routable 
connectivity strikes a proper balance between limited resources and the 
security benefits of INSM and adequately addresses BPA's concerns, and 
that technical concerns are better addressed during NERC's standards 
drafting process or during the implementation of INSM. 
Similarly, NAGF and Indicated Trade Associations' concern that 
requiring INSM may discourage entities from using greater network 
segmentation to enhance security is a specific technical concern better 
raised and addressed during NERC's standards drafting process.
    55. We agree with commenters that articulate the various benefits 
of INSM. NERC and other commenters state that INSM ensures that there 
is monitoring of east-west endpoint-to-endpoint communications internal 
to the electronic security perimeter.\111\ Likewise, ISO/RTO Council 
and MRO NSRF explain that systems solutions for anomaly detection, such 
as east-west monitoring, allow for more efficient summarizing of data 
and identification of anomalies.\112\ Accordingly, the record in this 
proceeding supports incorporating INSM requirements into the CIP 
Standards for high and medium impact BES Cyber Systems, as set forth in 
this final action.
---------------------------------------------------------------------------

    \111\ NERC Comments at 4-5; Conway Comments at 2.
    \112\ ISO/RTO Council Comments at 4-5; MRO NSRF Comments at 2.
---------------------------------------------------------------------------

    56. We are not persuaded by Indicated Trade Associations' and ITC's 
suggestions to limit application of INSM to high impact BES Cyber 
Systems and medium impact BES Cyber Systems located at control 
centers.\113\ Limiting application of INSM to high impact BES Cyber 
Systems and medium impact BES Cyber Systems located at control centers 
would constitute too narrow an approach because the trust zone 
associated with medium impact BES Cyber Systems encompasses systems 
with a definitive potential to affect Bulk-Power System reliability. We 
are, however, persuaded by commenters to limit the scope of our 
directive with regard to medium impact BES Cyber Systems to those with 
external routable connectivity. Idaho Power argues that the presence of 
external routable connectivity is an appropriate limiting factor for 
the directive,\114\ and BPA, while it recommends applying the directive 
only to high impact BES Cyber Systems, states that if the directive 
encompasses medium impact BES Cyber Systems then it should apply only 
to medium impact BES Cyber Systems

[[Page 8363]]

with external routable connectivity.\115\ Control centers generally 
already have external routable connectivity and are thus encompassed by 
a directive to limit application of INSM for medium impact BES Cyber 
Systems on the basis of external routable connectivity. For these 
reasons, we believe that external routable connectivity is a preferable 
approach to targeting the application of INSM.
---------------------------------------------------------------------------

    \113\ ITC Comments at 7; Indicated Trade Associations Comments 
at 11.
    \114\ Idaho Power Comments at 2.
    \115\ BPA Comments at 3.
---------------------------------------------------------------------------

    57. Although not addressed in the NOPR, multiple commenters raised 
concerns regarding the efficacy and practicality of requiring 
implementation of INSM for medium impact BES Cyber Systems that lack 
external routable connectivity.\116\ Simply stated, external routable 
connectivity allows remote communication with a BES Cyber System 
through use of a high-speed internet service to send information over a 
network. Typically, external routable connectivity allows higher 
quality data to flow from the field devices at substations to a 
centralized location where cybersecurity professionals can perform 
further analysis.
---------------------------------------------------------------------------

    \116\ Id.; EPSA Comments at 2; Idaho Power Comments at 1; ITC 
Comments at 7; Indicated Trade Associations Comments at 11.
---------------------------------------------------------------------------

    58. Commenters explain that a system without external routable 
connectivity, while not risk-free, is less vulnerable to attack than 
systems with external routable connectivity.\117\ Likewise, according 
to commenters, external routable connectivity is necessary to achieve 
the full, real-time benefits of INSM.\118\ In consideration of these 
concerns, we modify the NOPR proposal and direct NERC to develop new or 
modified CIP Reliability Standards that require INSM for medium impact 
BES Cyber Systems with external routable connectivity.
---------------------------------------------------------------------------

    \117\ BPA Comments at 4; Indicated Trade Associations Comments 
at 9; Idaho Power Comments at 2. Medium impact BES Cyber Systems 
that lack external routable connectivity remain vulnerable to 
insider threats and supply chain attacks.
    \118\ See, e.g., BPA Comments at 2; Idaho Power Comments at 2.
---------------------------------------------------------------------------

    59. While we agree with commenters regarding the challenges with 
implementing INSM for medium impact BES Cyber Systems without external 
routable connectivity such as costs and stretching thin limited 
resources,\119\ we continue to believe that, if these challenges can be 
adequately addressed, implementation of INSM for all medium impact BES 
Cyber Systems would improve the cybersecurity posture of the Bulk-Power 
System by allowing early detection and response to cyber intrusions in 
BES Cyber Systems. Although we decline Indicated Trade Associations' 
request to convene a forum to discuss INSM in the proceeding prior to a 
directive as the robust comments provide an adequate basis for this 
final action, we are directing NERC to conduct a study that pertains, 
inter alia, to the challenges of, and solutions for, implementing INSM 
at medium impact BES Cyber Systems without external routable 
connectivity and all low impact BES Cyber Systems, as discussed in more 
detail below.
---------------------------------------------------------------------------

    \119\ E.g., Indicated Trade Associations Comments at 10.
---------------------------------------------------------------------------

C. INSM for Low Impact BES Cyber Systems

    60. In the NOPR, the Commission stated that its proposal centered 
on high and medium impact BES Cyber Systems but sought comment on the 
usefulness and practicality of implementing INSM to detect malicious 
activity in networks with low impact BES Cyber Systems, including any 
potential benefits, technical barriers and associated costs.\120\ Low 
impact BES Cyber Systems have fewer security controls and, unlike high 
and medium impact BES Cyber Systems, are not subject to monitoring at the 
network perimeter access point(s). The Commission particularly sought 
comment on whether the same risks associated with high and medium 
impact BES Cyber Systems apply to low impact BES Cyber Systems, 
including escalating privileges, moving inside the CIP-networked 
environment, and executing unauthorized code. The Commission further 
sought comment on the appropriate scope of coverage for INSM for low 
impact BES Cyber Systems, to the extent such risks exist.
---------------------------------------------------------------------------

    \120\ INSM NOPR, 178 FERC ¶ 61,038 at P 33.
---------------------------------------------------------------------------

    61. The Commission suggested that there may be benefits to having 
INSM requirements apply to a defined subset of low impact BES Cyber 
Systems and sought comment on possible criteria or methodology for 
identifying an appropriate subset of low impact BES Cyber Systems that 
could benefit from INSM.\121\ The Commission further pointed out that 
there are currently no CIP requirements for low impact BES Cyber 
Systems for monitoring communications at the electronic security 
perimeter and therefore asked: (1) whether it makes sense to require 
INSM while perimeter monitoring is not required; and (2) would it be 
appropriate to address both perimeter monitoring and INSM for low 
impact BES Cyber Systems.\122\
---------------------------------------------------------------------------

    \121\ Id. P 34.
    \122\ Id.
---------------------------------------------------------------------------

1. Comments
    62. Technology solutions vendors Cynalytica, Microsoft, Nozomi 
Networks, and OT Coalition support extending INSM to low impact BES 
Cyber Systems.\123\ Microsoft recommends directing the implementation 
of INSM for low impact BES Cyber Systems ``to the maximum extent 
practicable.'' \124\ Cynalytica and Microsoft comment that risks within 
low impact BES Cyber Systems are similar to those within higher impact 
systems.\125\ Cynalytica, Microsoft, and Nozomi Networks all assert 
that requiring all BES Cyber Systems to implement INSM at this time 
would reduce cybersecurity risk and exposure.\126\ Cynalytica is of the 
opinion that ``all BES Cyber Systems should be monitored to ensure the 
visibility and operational situational awareness,'' as low impact BES 
Cyber Systems ``could be used for operational intelligence gathering, 
capabilities testing, or could be used to pivot among internal 
systems.'' \127\
---------------------------------------------------------------------------

    \123\ Cynalytica Comments at 4; Microsoft Comments at 1; Nozomi 
Networks Comments at 3; OT Coalition Comments at 3-4.
    \124\ Microsoft Comments at 1.
    \125\ Cynalytica Comments at 4; Microsoft Comments at 11.
    \126\ Cynalytica Comments at 4; Microsoft Comments at 1; Nozomi 
Networks Comments at 3.
    \127\ Cynalytica Comments at 4.
---------------------------------------------------------------------------

    63. Microsoft elaborates that low impact BES Cyber Systems such as 
distributed energy resources, along with their increasing use, may 
increase the potential risks associated with low impact BES Cyber 
Systems.\128\ Nozomi Networks recommends extending INSM to low impact 
BES Cyber Systems as a possible way to both improve their security 
risks and posture over time, as well as identify potential supply chain 
security issues.\129\
---------------------------------------------------------------------------

    \128\ Microsoft Comments at 11.
    \129\ Nozomi Networks Comments at 3.
---------------------------------------------------------------------------

    64. OT Coalition, supporting a phased implementation of INSM for 
low impact BES Cyber Systems, warns that failure to account for the 
risk of a low impact BES Cyber System ``being used as a lateral attack 
vector is inexcusable.'' \130\ OT Coalition recommends that INSM-
related and perimeter monitoring requirements should be phased in over 
time, e.g., over the course of five years and moving from larger to 
smaller entities.
---------------------------------------------------------------------------

    \130\ OT Coalition Comments at 4.
---------------------------------------------------------------------------

    65. Other commenters, however, advocate against requiring INSM at 
low impact BES Cyber Systems at this time. NERC, BPA, MRO NSRF, and 
NAGF oppose requiring INSM for low impact BES Cyber Systems as part of 
this

[[Page 8364]]

proceeding because of the extensive revisions to the CIP Reliability 
Standards that would be needed and the correspondingly longer time such 
revisions would take to implement.\131\ For example, NERC and MRO NSRF 
point to the lack of any current requirement for a list of low impact 
BES Cyber Systems.\132\ NERC and MRO NSRF also note that there is no 
current requirement for low impact BES Cyber Systems to have an 
electronic security perimeter.\133\ Thus, according to MRO NSRF, to 
properly enact INSM at facilities with low impact BES Cyber Systems 
would require upgrading all such facilities to one with the same 
network architecture, protections, and monitoring as that of a facility 
with high or medium BES Cyber Systems and that the ``cost and effort 
associated with such an enterprise would not be justified.'' \134\
---------------------------------------------------------------------------

    \131\ NERC Comments at 8; BPA Comments at 4-5; MRO NSRF Comments 
at 4; NAGF Comments at 4.
    \132\ NERC Comments at 8-9; MRO NSRF Comments at 4 (``Analysis 
requires not just a monitoring system but a baseline inventory of 
BES Cyber Assets to have something to benchmark against.'').
    \133\ Id.
    \134\ MRO NSRF Comments at 4.
---------------------------------------------------------------------------

    66. NERC, BPA, CDWR, Consumers, EPSA, Idaho Power, MRO NSRF, NAGF, 
TAPS, Conway, and Indicated Trade Associations all caution that 
extending INSM requirements to low impact BES Cyber Systems at this 
time would be infeasible or impractical from a cost, time, and 
technical standpoint.\135\ Indicated Trade Associations, BPA, EPSA, 
TAPS, and CDWR explain that the sheer number of low impact BES Cyber 
Systems, which far exceeds that of medium and high impact BES Cyber 
Systems, makes implementation of INSM at low impact BES Cyber Systems 
impractical at this time, from a cost and time commitment 
perspective.\136\ Reclamation notes that low impact BES Cyber Systems 
pose inherently less risk and therefore may not benefit from INSM as 
much as medium and high impact BES Cyber Systems.\137\ NERC and other 
commenters explain that procuring the necessary support equipment, such 
as relays, remote terminal units, and communications processors, would 
be prohibitively expensive due to issues such as limited bandwidth, 
remote proximity of the systems, and greater variety of communications 
protocols.\138\ NERC states that expanding INSM requirements to apply 
to low impact BES Cyber Systems would also pose scalability and 
manageability issues, such as considering whether communications paths 
would need to be enhanced to correct any latency or real-time 
operations impact.\139\
---------------------------------------------------------------------------

    \135\ NERC Comments at 8-9; BPA Comments at 4-5; CDWR Comments 
at 4; Consumers Comments at 2; EPSA Comments at 4-5; Idaho Power 
Comments at 2-3; MRO NSRF Comments at 4; NAGF Comments at 4; TAPS 
Comments at 4-9; Conway Comments at 1; Indicated Trade Associations 
Comments at 28.
    \136\ BPA Comments at 4; CDWR Comments at 4; EPSA Comments at 4; 
TAPS Comments at 8; Indicated Trade Associations Comments at 28.
    \137\ Reclamation Comments at 3.
    \138\ NERC Comments at 8-9; Idaho Power Comments at 2-3; TAPS 
Comments at 5-6; Indicated Trade Associations Comments at 28.
    \139\ NERC Comments at 8-9.
---------------------------------------------------------------------------

    67. NAGF and Consumers assert that requiring INSM implementation 
for low impact BES Cyber Systems could displace efforts relating to 
higher impact systems.\140\ TAPS comments that there are limited 
incremental reliability benefits due to low impact BES Cyber Systems 
being less likely to result in instability, uncontrolled separation, or 
cascading failure. TAPS further argues that there are technical 
barriers stemming from the diversity of low impact BES Cyber Systems 
requiring customized implementation and highly specialized staff.\141\
---------------------------------------------------------------------------

    \140\ Consumers Comments at 2; NAGF Comments at 4.
    \141\ TAPS Comments at 3, 5.
---------------------------------------------------------------------------

2. Commission Determination
    68. We find comments explaining the challenges of extending INSM 
requirements to all low impact BES Cyber Systems are persuasive, and we 
therefore decline to direct NERC to extend requirements for INSM to all 
low impact BES Cyber Systems at this time. We agree with commenters 
such as Microsoft, Cynalytica, and Nozomi Networks that the risks 
within low impact BES Cyber Systems are similar to those within higher 
impact systems and that implementing INSM at low impact BES Cyber 
Systems would reduce cybersecurity risk and improve the overall 
security posture of the Bulk-Power System. Nevertheless, we are 
persuaded by NERC and other commenters that implementing INSM at all 
low impact BES Cyber Systems could present certain challenges that 
make such a directive at this time impractical. We agree that 
extending INSM requirements to all low impact BES Cyber Systems could 
be difficult to scope, implement, or audit, given that there is no 
requirement for entities to individually identify their low impact BES 
Cyber Systems or electronic security perimeters for their low impact 
BES Cyber Systems. Additionally, we accept the explanation of NERC and 
other commenters that extending INSM to low impact BES Cyber Systems 
could pose scalability and manageability issues,\142\ pose challenges 
to limited company resources and specialization issues for locations 
with small support staff,\143\ and require more highly specialized 
staff.\144\
---------------------------------------------------------------------------

    \142\ NERC Comments at 8-9.
    \143\ NAGF Comments at 4.
    \144\ TAPS Comments at 3, 5.
---------------------------------------------------------------------------

    69. Although declining to direct NERC at this time to do so, we 
believe that in the longer term it may be necessary that INSM be 
extended to at least some subset of low impact BES Cyber Assets to 
address the known risks associated with these assets. To address the 
challenges raised by commenters and support this goal, we direct NERC 
to study the hurdles and possible solutions of implementing INSM at all 
low impact BES Cyber Assets, as discussed below.

D. Security Objectives

    70. In the NOPR, the Commission proposed that new or modified CIP 
Reliability Standards requiring INSM for high and medium impact BES 
Cyber Systems should address three security objectives pertaining to 
INSM.\145\ First, any new or modified CIP Reliability Standards should 
address the need for each responsible entity to develop a baseline for 
their network traffic, specifically for security purposes. Second, any 
new or modified CIP Reliability Standards should address the need for 
responsible entities to monitor for and detect unauthorized activity, 
connections, devices, and software inside the CIP-networked 
environment. Third, any new or modified CIP Reliability Standards 
should address the ability to support operations and response by 
requiring responsible entities to ensure that anomalous activity can be 
identified to a high level of confidence by: (1) logging network 
traffic at a sufficient level of detail; (2) maintaining logs and other 
data collected regarding network traffic; and (3) implementing measures 
to minimize the likelihood of an attacker removing evidence of their 
tactics, techniques, and procedures.
---------------------------------------------------------------------------

    \145\ INSM NOPR, 178 FERC ¶ 61,038 at P 31.
---------------------------------------------------------------------------

1. Comments
    71. Cynalytica characterizes the security objectives listed in the 
NOPR as a ``solid foundation'' and recommends that the CIP Reliability 
Standards adopt the objectives.\146\ Microsoft, who strongly advocates 
for the implementation of the zero-trust security model, asserts that 
the security objectives from the NOPR align with

[[Page 8365]]

this model and are critical to maintaining network visibility to drive 
threat detection and response in real time.\147\ NAGF characterizes the 
security objectives listed in the NOPR as ``acceptable and meaningful'' 
and asserts that INSM will complement existing network perimeter 
monitoring requirements.\148\
---------------------------------------------------------------------------

    \146\ Cynalytica Comments at 3.
    \147\ Microsoft Comments at 2, 4.
    \148\ NAGF Comments at 1.
---------------------------------------------------------------------------

    72. Specific to the security objectives proposed in the NOPR, 
commenters provide guidance for the development of a baseline of 
network traffic and suggest there could be alternative approaches. 
Electricity Canada asserts that there may be other approaches to 
analyzing network traffic besides baselining and suggests adopting 
``simplified language'' that would not exclude the use of a type of 
technology based on the type of security analysis performed.\149\ 
Electricity Canada recommends that the security objective should be to 
monitor for and detect unauthorized ``network communication 
protocols,'' rather than unauthorized ``software.'' \150\
---------------------------------------------------------------------------

    \149\ Electricity Canada at 2.
    \150\ Id. at 3.
---------------------------------------------------------------------------

    73. Indicated Trade Associations explain that establishing a 
baseline of legitimate network traffic is challenging and calls for 
significant judgments unique to the implementation of INSM and that in 
this context baselining can have many different meanings.\151\ 
According to Indicated Trade Associations, approaches to baselining 
could include: (1) simply differentiating between alerts and false 
positives as opposed to actual malicious activity; and (2) an expansive 
approach of fully mapping every packet between every asset on a 
network. Indicated Trade Associations states that the expenses and 
challenges of baselining increase if an expansive definition of 
baselining is adopted and recommends convening a forum to discuss and 
agree upon a workable definition.\152\
---------------------------------------------------------------------------

    \151\ Indicated Trade Associations Comments at 13-14.
    \152\ Id. at 14-15.
---------------------------------------------------------------------------

    74. Conway urges that the Commission include in its security 
objectives language that focuses on desired operational capabilities, 
which Conway avers would help shape individual analyst roles and 
response actions and inform system operators and national response to 
information shared.\153\ Conway explains that ``[i]n order for the INSM 
. . . technologies to be meaningful or useful the sensors and 
implementation approach must be ICS [industrial control systems] 
protocol aware and provide detections.'' \154\
---------------------------------------------------------------------------

    \153\ Conway Comments at 4.
    \154\ Id. at 2.
---------------------------------------------------------------------------

    75. Beyond the proposed security objectives, multiple commenters 
generally support an objective, prioritized, flexible, and risk-based 
approach to the implementation of INSM to BES Cyber Systems. BPA and 
NAGF advocate for flexibility for the industry to develop risk-based 
criteria for implementation of INSM to allow entities to focus on their 
most important assets first and then consider whether other assets 
should be protected in the same manner.\155\ ISO/RTO Council and MRO 
NSRF emphasize that any new or modified CIP reliability standards 
should allow registered entities the necessary flexibility to implement 
the INSM solution most appropriate for their own environments.\156\
---------------------------------------------------------------------------

    \155\ BPA Comments at 5; NAGF Comments at 4.
    \156\ ISO/RTO Council Comments at 4-5; MRO NSRF Comments at 2.
---------------------------------------------------------------------------

    76. Commenters suggest other security objectives that the 
Commission and NERC should prioritize. For example, NAGF suggests an 
objective of maintaining logs and records of network activities.\157\ 
Microsoft recommends that the Commission include a security objective 
to ensure that the operator has the staff and procedures in place to 
drive cybersecurity improvements from its INSM solution.\158\ Microsoft 
explains that effective INSM implementation requires trained staff with 
the ability to respond to a pre-defined set of alerts with the security 
operations center or the network operations center. Microsoft further 
recommends a security objective requiring an intrusion detection system 
to perform threat vector analysis for assets on the network, to aid 
security personnel in prioritizing patching targets in its critical 
systems.\159\
---------------------------------------------------------------------------

    \157\ NAGF Comments at 1.
    \158\ Microsoft Comments at 9-10.
    \159\ Id. at 10.
---------------------------------------------------------------------------

2. Commission Determination
    77. We agree with commenters that, as a general matter, the CIP 
Reliability Standards should be objective-based, technology neutral, 
and provide flexibility to entities in identifying how to address the 
three security objectives identified in the NOPR.
    78. Regarding comments to include security objectives pertaining to 
adequate staffing and training, we believe that these goals are 
necessary to achieve the three objectives stated in the NOPR and need 
not be set out as separate objectives.\160\ As described above, 
commenters raise a number of thoughts and suggestions pertaining to 
baselining, packet-level monitoring, logging, and capture of internal 
network traffic.\161\ We expand our second security objective based on 
Electricity Canada's recommendation to replace software with network 
communication protocols by adding ``network communication protocols'' 
to the objective. However, we do not adopt other recommendations, 
because these matters are better raised during NERC's standards 
drafting process. We are not persuaded that such level of detail is 
useful to incorporate within the Commission's final action. Instead, 
NERC's standards drafting process is the appropriate forum to determine 
the level of detail necessary to ensure the security objectives are met 
by any new or modified CIP Reliability Standards.
---------------------------------------------------------------------------

    \160\ Id. at 9-10.
    \161\ See, e.g., Electricity Canada Comments at 2; EPSA Comments 
at 2-6; ISO/RTO Council Comments at 4-5; MRO NSRF Comments at 2; 
NAGF Comments at 1; Indicated Trade Associations Comments at 18-19.
---------------------------------------------------------------------------

    79. We direct NERC to ensure that the new or modified CIP 
Reliability Standards that require security controls for INSM for all 
high impact BES Cyber Systems with and without external routable 
connectivity and medium impact BES Cyber Systems with external routable 
connectivity address three security objectives for east-west network 
traffic. First, any new or modified CIP Reliability Standards should 
address the need for each responsible entity to develop a baseline for 
their network traffic by analyzing network traffic and data flows for 
security purposes. Second, any new or modified CIP Reliability 
Standards should address the need for responsible entities to monitor 
for and detect unauthorized activity, connections, devices, network 
communication protocols, and software inside the CIP-networked 
environment, as well as encompass awareness of protocols used in 
industrial control systems.\162\ Third, in response to the comments 
requesting that any new or modified CIP Reliability Standards should be 
objective-based, we clarify our NOPR proposal so that it is not 
oriented toward specific technologies or activities, as discussed 
below.
---------------------------------------------------------------------------

    \162\ E.g., Conway Comments at 2; CISA, Industrial Control 
Systems Cybersecurity Initiative: Considerations for ICS/OT 
Monitoring Technologies with an Emphasis on Detection and 
Information Sharing, at 2 (2021), https://www.cisa.gov/sites/default/files/publications/ICS-Monitoring-Technology-Considerations-Final-v2_508c.pdf.
---------------------------------------------------------------------------

    80. We agree that any new or modified CIP Reliability Standards 
should provide flexibility to responsible entities in determining the 
best way to identify anomalous activity to a high level of confidence, 
so long as those

[[Page 8366]]

methods ensure: (1) logging of network traffic (we note that packet 
capture is one means of accomplishing this goal); (2) maintaining those 
logs, and other data collected, regarding network traffic that are of 
sufficient data fidelity to draw meaningful conclusions and support 
incident investigation; and (3) maintaining the integrity of those logs 
and other data by implementing measures to minimize the likelihood of 
an attacker removing evidence of their tactics, techniques, and 
procedures (maintaining the integrity of logs and other data assures an 
entity that analysis and findings from incident investigations are 
representative of the actual incident and can aid in the mitigation of 
current and future similar compromises).
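
The three objectives in paragraphs 79 and 80 (baseline east-west traffic; detect unauthorized devices, connections and protocols against that baseline; retain traffic records in a form an intruder cannot silently edit) can be seen together in a small monitor. The following is an added illustration, not code from Order No. 887, NERC or any commenter; the asset addresses, protocols and flow records are constructed sample data for a hypothetical substation network.

```python
"""
Added example (not part of Order No. 887 or any NERC standard): a minimal
illustration of the three INSM security objectives in paragraphs 79-80 --
(1) baseline east-west traffic, (2) detect unauthorized devices, connections
and protocols against that baseline, (3) retain flow records in a
tamper-evident (hash-chained) log. All asset names, addresses and flow
records below are constructed sample data.
"""
import hashlib
import json
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed baseline traffic captured during a learning window inside a
# hypothetical medium impact substation network (east-west flows only).
BASELINE_FLOWS = [
    Flow("10.1.0.10", "10.1.0.20", "dnp3", 20000),   # HMI -> RTU
    Flow("10.1.0.10", "10.1.0.21", "dnp3", 20000),   # HMI -> protective relay
    Flow("10.1.0.10", "10.1.0.30", "ssh", 22),       # HMI -> engineering workstation
    Flow("10.1.0.30", "10.1.0.20", "dnp3", 20000),   # engineering workstation -> RTU
]

# Constructed flows observed later, during monitoring.
OBSERVED_FLOWS = [
    Flow("10.1.0.10", "10.1.0.20", "dnp3", 20000),   # known, expected
    Flow("10.1.0.30", "10.1.0.21", "modbus", 502),   # unbaselined protocol and connection
    Flow("10.1.0.99", "10.1.0.20", "dnp3", 20000),   # unknown device talking to the RTU
]


class FlowBaseline:
    """Objective 1: which hosts talk to which, over which protocol and port."""

    def __init__(self, flows):
        self.devices = set()
        self.protocols = set()
        self.connections = set()
        for f in flows:
            self.devices.update((f.src, f.dst))
            self.protocols.add(f.proto)
            self.connections.add((f.src, f.dst, f.proto, f.dport))

    def classify(self, flow):
        """Objective 2: list the deviations for one flow (empty list = expected)."""
        findings = []
        for host in (flow.src, flow.dst):
            if host not in self.devices:
                findings.append(f"unknown device {host}")
        if flow.proto not in self.protocols:
            findings.append(f"unbaselined protocol {flow.proto}")
        if (flow.src, flow.dst, flow.proto, flow.dport) not in self.connections:
            findings.append(
                f"new connection {flow.src}->{flow.dst}:{flow.dport}/{flow.proto}")
        return findings


class ChainedLog:
    """Objective 3: append-only records where each entry commits to the previous
    one, so removal or editing of earlier evidence is detectable on verification."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self.last_hash = self.GENESIS

    def append(self, record):
        body = json.dumps(record, sort_keys=True)
        entry_hash = hashlib.sha256((self.last_hash + body).encode()).hexdigest()
        self.entries.append({"prev": self.last_hash, "body": body, "hash": entry_hash})
        self.last_hash = entry_hash

    def verify(self):
        """Recompute the chain; return the index of the first bad entry, or -1 if intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            expected = hashlib.sha256((prev + e["body"]).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return i
            prev = e["hash"]
        return -1


def monitor(baseline_flows, observed_flows):
    """Check observed flows against the baseline; log every flow with its findings."""
    baseline = FlowBaseline(baseline_flows)
    log = ChainedLog()
    alerts = []
    for f in observed_flows:
        findings = baseline.classify(f)
        log.append({"flow": f._asdict(), "findings": findings})
        if findings:
            alerts.append((f, findings))
    return alerts, log


if __name__ == "__main__":
    alerts, log = monitor(BASELINE_FLOWS, OBSERVED_FLOWS)
    for flow, findings in alerts:
        print(flow, findings)
    print("log intact:", log.verify() == -1)
    del log.entries[1]   # simulate removal of the record that holds the evidence
    print("after tampering, first bad entry:", log.verify())
```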

E. Standards Development Timeframe

    81. The Commission in the INSM NOPR requested comments on 
reasonable timeframes for expeditiously developing and implementing 
Reliability Standards for INSM given the importance of addressing this 
reliability gap.\163\ The INSM NOPR also inquired as to potential 
challenges to implementing INSM (e.g., cost, availability of 
specialized resources, and documenting compliance).
---------------------------------------------------------------------------

    \163\ INSM NOPR, 178 FERC ¶ 61,038 at P 32.
---------------------------------------------------------------------------

1. Comments
    82. Among the few comments on the timeframe for developing new or 
modified standards addressing INSM, ISO/RTO Council suggests a one-to-
two-year timeframe is appropriate.\164\ NERC requests that, given the 
complexity of the subject matter, the Commission defer to NERC 
regarding the appropriate timeline for standards development to better 
assure that all relevant issues can receive the proper consideration in 
the standards development process.\165\ Other commenters express 
caution, and counsel that the Commission balance the competing needs of 
speed and quality in standards development.\166\ Others suggest an 
iterative or staggered approach to standards development.\167\
---------------------------------------------------------------------------

    \164\ ISO/RTO Council Comments at 3-6.
    \165\ NERC Comments at 3, 6-7.
    \166\ Reclamation Comments at 2; Cynalytica Comments at 3.
    \167\ NAGF Comments at 4; Conway Comments at 4.
---------------------------------------------------------------------------

    83. Regarding timeframes for implementation of INSM (i.e., after 
the proposed INSM standards become effective), commenters recommend 
timeframes for implementation ranging from two to ten years, depending 
on whether INSM is to be extended to high impact, medium impact, or low 
impact BES Cyber Systems. Microsoft suggests a minimum of two years for 
applicable registered entities to come into compliance with a new INSM 
reliability standard based on typical budget cycles. Microsoft also 
points out that entities would need to change their networks to include 
INSM during a shutdown period, which occurs every 12 to 18 months.\168\
---------------------------------------------------------------------------

    \168\ Microsoft Comments at 10.
---------------------------------------------------------------------------

    84. MRO NSRF and BPA aver that full implementation of INSM for high 
and medium impact BES Cyber Systems would require a minimum of three to 
five years, and MRO NSRF suggests a staggered implementation 
timeline.\169\ MRO NSRF cites several challenges that could affect the 
implementation timeline, including: (1) supply chain constraints if 
multiple entities are trying to obtain INSM tools in the same 
timeframe; (2) shortages of qualified staff; and (3) higher cost due to 
additional requirements, system configurations, and sudden increase in 
demand.\170\ MRO NSRF did not provide specific cost estimates.
---------------------------------------------------------------------------

    \169\ MRO NSRF Comments at 3; BPA Comments at 3.
    \170\ MRO NSRF Comments at 1-2.
---------------------------------------------------------------------------

    85. Indicated Trade Associations do not provide a specific period 
but mention that implementing INSM for large entities would require a 
sizable undertaking, because doing so would entail installing new or 
upgraded network equipment, increasing network connectivity, and 
installing multiple INSM monitoring devices requiring aggregation to 
provide complete operating pictures or baselines.\171\
---------------------------------------------------------------------------

    \171\ Indicated Trade Associations Comments at 10.
---------------------------------------------------------------------------

2. Commission Determination
    86. We direct NERC to submit responsive new or modified CIP 
Reliability Standards within 15 months of the effective date of this 
final action. We believe that a 15-month deadline would provide 
sufficient time for NERC to develop responsive new or modified 
Standards within NERC's standards development process. This deadline is 
within the range of ISO/RTO Council's suggested one-to-two-year 
timeframe. Regarding NERC's request that the Commission not set a 
deadline, we believe that most of the complexities cited by NERC are 
resolved by our decision not to extend INSM in this final action to low 
impact BES Cyber Systems and medium impact BES Cyber Systems without 
external routable connectivity.
    87. We decline to direct a specific implementation timeframe for 
any new or modified standards. Commenters provide a wide range of 
potential implementation timeframes and raise concerns regarding 
resource availability and the need for flexibility in implementing new 
or modified INSM Reliability Standards. Rather than setting the 
implementation timeframe at this time, we believe NERC should propose 
an implementation period by balancing the various concerns raised by 
commenters as well as the need to timely address the identified gap in 
the CIP Standards pertaining to INSM. When submitting the proposed CIP 
Standards, NERC should provide its rationale for the chosen 
implementation timeframe.

F. NERC Study and Report on INSM Implementation

    88. While determining above that it is premature to require INSM 
for medium impact BES Cyber Systems without external routable 
connectivity and all low impact BES Cyber Systems, we recognize the 
importance of bolstering the cybersecurity of those systems. We believe 
that extending INSM to all medium impact BES Cyber Systems and at least 
a subset of low impact BES Cyber Systems in the future could be 
necessary to protect the security and the reliability of the Bulk-Power 
System. To provide a basis for such action, we direct NERC, pursuant to 
Sec.  39.2(d) of the Commission's regulations,\172\ to conduct a study 
to guide the implementation of INSM, or other mitigation strategies, 
for medium impact BES Cyber Systems without external routable 
connectivity and all low impact BES Cyber Systems. The study shall 
focus on two main topics: (1) risk and (2) challenges and solutions.
---------------------------------------------------------------------------

    \172\ 18 CFR 39.2(d).
---------------------------------------------------------------------------

    89. First, regarding risk, NERC should collect from registered 
entities information on the number of low impact and medium impact BES 
Cyber Systems that would not be subject to the new or revised 
Reliability Standards, which would inform the scope of the risk from 
systems without INSM. Next, NERC should provide an analysis regarding 
the substantive risks posed by these BES Cyber Systems operating 
without the implementation of INSM. Specifically, NERC should determine 
the quantity of: (1) substation and generation locations that contain 
medium impact BES Cyber Systems without external routable connectivity; 
(2) low impact locations (including a breakdown by substations, 
generation resources, and control centers) that contain low impact BES 
Cyber Systems without external routable connectivity; and (3) low 
impact locations that contain low impact BES Cyber Systems

[[Page 8367]]

with external routable connectivity (including a breakdown by 
substations, generation resources, and control centers). NERC should 
then discuss the risks to the security of the Bulk-Power System due to 
the lack of an INSM requirement for the identified facilities.
    90. Second, regarding challenges and solutions, NERC should 
identify the potential technological, logistical, or other challenges 
involved in extending INSM to additional BES Cyber Systems, as well as 
possible alternative actions to mitigate the risk posed. For example, 
as discussed in more detail above, challenges raised by commenters 
include: (1) lengthy timelines for identifying the location of low 
impact BES Cyber Systems; (2) the need to add external routable 
connectivity at many medium impact BES Cyber Systems to effectively 
implement INSM; (3) a wider footprint for monitoring and detecting for 
larger entities; (4) shortages of qualified staff; and (5) supply chain 
constraints.
    91. NERC should consult with Commission staff to ensure that the 
study adequately addresses the topics discussed above. We direct NERC 
to submit the study report to the Commission within 12 months of the 
issuance of this final action.

V. Information Collection Statement

    92. The information collection requirements contained in this order 
are subject to review by the Office of Management and Budget (OMB) 
under section 3507(d) of the Paperwork Reduction Act of 1995. OMB's 
regulations require approval of certain information collection 
requirements imposed by agency rules. Upon approval of a collection of 
information, OMB will assign an OMB control number and expiration date. 
Respondents subject to the filing requirements of this rulemaking will 
not be penalized for failing to respond to this collection of 
information unless the collection of information displays a valid OMB 
control number. Comments are solicited on the Commission's need for the 
information proposed to be reported, whether the information will have 
practical utility, ways to enhance the quality, utility, and clarity of 
the information to be collected, and any suggested methods for 
minimizing the respondent's burden, including the use of automated 
information techniques.
    93. The reporting requirements (and associated burden) proposed by 
the NOPR in Docket No. RM22-3-000 are already covered by the OMB-
approved FERC-725. However, we are seeking clearance for this 
collection of information under FERC-725(1B), which is a temporary 
placeholder number. FERC-725(1B) is being used because FERC-725 (OMB 
Control Number 1902-0225) is pending review at OMB for another 
collection of information, and only one item per OMB control number can 
be pending review at a time. Otherwise, the collection of information 
for this final action would be submitted to OMB under FERC-725, as 
discussed in the NOPR, since the reporting requirements and associated 
burdens in this final action are already covered by FERC-725.
    94. This final action requires that entities that are in the NERC 
Compliance Registry have an obligation to respond to the Commission 
directed NERC study, and thus there is a burden to be included in FERC-
725(1B) information collection requirements.
    95. The NERC Compliance Registry, as of October 3, 2022, identifies 
approximately 1,682 utilities, both public and non-public, in the U.S. 
that may respond to the NERC study. For the following reasons, we are 
using placeholders of one respondent, one response, and one burden hour 
for FERC-725(1B) in order to submit this request to OMB for PRA review.
    (1) We anticipate that the collection of information in this final 
action will become part of FERC-725 when that collection becomes 
available for revision.
    (2) FERC-725 already includes burdens associated with the ERO's 
responsibility for Reliability Standards Development.
    (3) In order to submit the collection of information in this final 
action, we must submit it through the ROCIS system, which requires 
figures for respondents, responses, and burdens.
    96. To approximate NERC's cost for the temporary, placeholder FERC-
725(1B), we are using the estimated average of $91/hour (for wages and 
benefits) for 2022 for a Commission employee. Therefore, the estimated 
annual cost of the one placeholder burden hour is $91.

VI. Environmental Analysis

    97. The Commission is required to prepare an Environmental 
Assessment or an Environmental Impact Statement for any action that may 
have a significant adverse effect on the human environment.\173\ The 
Commission has categorically excluded certain actions from this 
requirement as not having a significant effect on the human 
environment. Included in the exclusion are rules that are clarifying, 
corrective, or procedural or that do not substantially change the 
effect of the regulations being amended.\174\ The actions directed 
herein fall within this categorical exclusion in the Commission's 
regulations.
---------------------------------------------------------------------------

    \173\ Reguls. Implementing the Nat'l Env't. Pol'cy Act, Order 
No. 486, 52 FR 47897 (Dec. 17, 1987), FERC Stats. & Regs. Preambles 
1986-1990 ¶ 30,783 (1987) (cross-referenced at 41 FERC ¶ 61,284).
    \174\ 18 CFR 380.4(a)(2)(ii).
---------------------------------------------------------------------------

VII. Regulatory Flexibility Act

    98. The Regulatory Flexibility Act of 1980 (RFA) \175\ generally 
requires a description and analysis of final action that will have 
significant economic impact on a substantial number of small entities.
---------------------------------------------------------------------------

    \175\ 5 U.S.C. 601-612.
---------------------------------------------------------------------------

    99. By only proposing to direct NERC, the Commission-certified ERO, 
to develop modified Reliability Standards for INSM at BES Cyber 
Systems, this final action will not have a significant or substantial 
impact on entities other than NERC.\176\ Therefore, the Commission 
certifies that this final action will not have a significant economic 
impact on a substantial number of small entities.
---------------------------------------------------------------------------

    \176\ See, e.g., Cyber Sec. Incident Reporting Reliability 
Standards, Order No. 848, 83 FR 36727 (July 31, 2018), 164 FERC ¶ 
61,033, at P 103 (2018).
---------------------------------------------------------------------------

    100. Any Reliability Standards proposed by NERC in compliance with 
this rulemaking will be considered by the Commission in future 
proceedings. As part of any future proceedings, the Commission will 
make determinations pertaining to the Regulatory Flexibility Act based 
on the content of the Reliability Standards proposed by NERC.

VIII. Document Availability

    101. In addition to publishing the full text of this document in 
the Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
internet through the Commission's Home Page (https://www.ferc.gov).
    102. From the Commission's Home Page on the internet, this 
information is available on eLibrary. The full text of this document is 
available on eLibrary in PDF and Microsoft Word format for viewing, 
printing, and/or downloading. To access this document in eLibrary, type 
the docket number excluding the last three digits of this document in 
the docket number field.
    103. User assistance is available for eLibrary and the FERC's 
website during normal business hours from FERC Online Support at 202-
502-6652 (toll free at 1-866-208-3676) or email at 
[email protected], or the

[[Page 8368]]

Public Reference Room at (202) 502-8371, TTY (202) 502-8659. Email the 
Public Reference Room at [email protected].

IX. Effective Date and Congressional Notification

    104. This final action is effective April 10, 2023. The Commission 
has determined, with the concurrence of the Administrator of the Office 
of Information and Regulatory Affairs of OMB, that this action is not a 
``major rule'' as defined in section 351 of the Small Business 
Regulatory Enforcement Fairness Act of 1996.

    By the Commission.

    Issued: January 19, 2023.
Debbie-Anne A. Reese,
Deputy Secretary.

Appendix A--Commenters

------------------------------------------------------------------------
         Abbreviation                          Commenter
------------------------------------------------------------------------
BPA..........................  Bonneville Power Administration.
CDWR.........................  California Department of Water Resources
                                State Water Project.
Consumers....................  Consumers Energy Company.
Conway.......................  Tim Conway.
Cynalytica...................  Cynalytica, Inc.
Electricity Canada...........  Electricity Canada.
Entergy......................  Entergy.
EPSA.........................  Electric Power Supply Association.
Idaho Power..................  Idaho Power Company.
Indicated Trade Associations.  Edison Electric Institute, the American
                                Public Power Association, the Large
                                Public Power Council, the National Rural
                                Electric Cooperative Association, and
                                the Electric Power Supply Association.
ISO/RTO Council..............  ISO/RTO Council.
ITC..........................  International Transmission Company.
Juniper Networks.............  Juniper Networks.
Microsoft....................  Microsoft Corporation.
MRO NSRF.....................  Midwest Reliability Organization NERC
                                Standards Review Forum.
NAGF.........................  North American Generator Forum.
NERC.........................  North American Electric Reliability
                                Corporation, Midwest Reliability
                                Organization, Northeast Power
                                Coordinating Council, Inc.,
                                ReliabilityFirst Corporation, SERC
                                Reliability Corporation, Texas
                                Reliability Entity, Inc., and Western
                                Electricity Coordinating Council.
Nozomi Networks..............  Nozomi Networks.
OT Coalition.................  Operational Technology Cybersecurity
                                Coalition.
Reclamation..................  United States Bureau of Reclamation.
TAPS.........................  Transmission Access Policy Study Group.
------------------------------------------------------------------------

[FR Doc. 2023-01453 Filed 2-8-23; 8:45 am]
BILLING CODE 6717-01-P
