Critical Infrastructure Protection Reliability Standard CIP-015-1-Cyber Security-Internal Network Security Monitoring, 79178-79183 [2024-22231]

Agencies

• DEPARTMENT OF ENERGY
• Federal Energy Regulatory Commission

[Federal Register Volume 89, Number 188 (Friday, September 27, 2024)]
[Proposed Rules]
[Pages 79178-79183]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-22231]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM24-7-000]


Critical Infrastructure Protection Reliability Standard CIP-015-
1--Cyber Security--Internal Network Security Monitoring

AGENCY: Federal Energy Regulatory Commission.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Federal Energy Regulatory Commission (Commission) proposes 
to approve proposed Reliability Standard CIP-015-1 (Cyber Security--
Internal Network Security Monitoring), which the North American 
Electric Reliability Corporation (NERC), submitted in response to a 
Commission directive. In addition, the Commission proposes to direct 
that NERC develop certain modifications to proposed Reliability 
Standard CIP-015-1 to extend internal network security monitoring to 
include electronic access control or monitoring systems and physical 
access control systems outside of the electronic security perimeter.

DATES: Comments are due November 26, 2024.

ADDRESSES: Comments, identified by docket number, may be filed in the 
following ways. Electronic filing through https://www.ferc.gov, is 
preferred.
     Electronic Filing: Documents must be filed in acceptable 
native applications and print-to-PDF, but not in scanned or picture 
format.
     For those unable to file electronically, comments may be 
filed by USPS mail or by hand (including courier) delivery.
    [cir] Mail via U.S. Postal Service Only: Addressed to: Federal 
Energy Regulatory Commission, Secretary of the Commission, 888 First 
Street NE, Washington, DC 20426.
    [cir] Hand (Including Courier) Delivery: Deliver to: Federal Energy 
Regulatory Commission, 12225 Wilkins Avenue, Rockville, MD 20852.
    The Comment Procedures Section of this document contains more 
detailed filing procedures.

FOR FURTHER INFORMATION CONTACT: 
Margaret Steiner (Technical Information), Office of Electric 
Reliability, Federal Energy Regulatory Commission, 888 First Street NE, 
Washington, DC 20426, (202) 502 6704, [email protected]
Hampden T. Macbeth (Legal Information), Office of General Counsel, 
Federal Energy Regulatory Commission, 888 First Street NE, Washington, 
DC 20426, (202) 502 8957, [email protected]

SUPPLEMENTARY INFORMATION: 
    1. Pursuant to section 215(d)(2) of the Federal Power Act (FPA),\1\ 
the Commission proposes to approve proposed Critical Infrastructure 
Protection (CIP) Reliability Standard CIP-015-1 (Cyber Security--
Internal Network Security Monitoring). The North American Electric 
Reliability Corporation (NERC), the Commission-certified Electric 
Reliability Organization (ERO), submitted the proposed Reliability 
Standard for Commission approval in response to a Commission directive 
in Order No. 887.\2\ In addition, pursuant to section 215(d)(5) of the 
FPA,\3\ the Commission proposes to direct that NERC develop further 
modifications to Reliability Standard CIP-015-1, within 12 months of 
the effective date of a final rule in this proceeding, to extend 
Internal Network Security Monitoring (INSM) \4\ to include electronic 
access control or monitoring systems (EACMS) \5\ and physical access 
control systems (PACS) \6\ outside of the electronic security 
perimeter.
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o(d)(2).
    \2\ Internal Network Sec. Monitoring for High & Medium Impact 
Bulk Elec. Sys. Cyber Sys., Order No. 887, 88 FR 8354 (Feb. 9, 
2023), 182 FERC ] 61,021 (2023).
    \3\ 16 U.S.C. 824o(d)(5).
    \4\ INSM is ``a subset of network security monitoring that is 
applied within a `trust zone,' such as an electronic security 
perimeter.'' Order No. 887, 182 FERC ] 61,021 at P 2.
    \5\ EACMS are ``Cyber Assets that perform electronic access 
control or electronic access monitoring of the Electronic Security 
Perimeter(s) or BES Cyber Systems. This includes Intermediate 
Systems.'' NERC, Glossary of Terms Used in NERC Reliability 
Standards, (July 22, 2024), https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf (NERC Glossary).
    \6\ PACS are ``Cyber Assets that control, alert, or log access 
to the Physical Security Perimeter(s), exclusive of locally mounted 
hardware or devices at the Physical Security Perimeter such as 
motion sensors, electronic lock control mechanisms, and badge 
readers.'' Id.
---------------------------------------------------------------------------

    2. In Order No. 887, the Commission directed that NERC develop new 
or modified CIP Reliability Standards that require INSM for CIP-
networked environments for all high impact bulk electric system (BES) 
Cyber Systems \7\ with and without external routable connectivity \8\ 
and medium impact BES Cyber Systems with external routable 
connectivity.\9\ Proposed Reliability Standard CIP-015-1 is partly 
responsive to the Commission's directives in Order No. 887 and advances 
the reliability of the Bulk-Power System by (1)

[[Page 79179]]

establishing requirements for INSM for network traffic inside an 
electronic security perimeter, and (2) requiring INSM for all high 
impact BES Cyber Systems with and without external routable 
connectivity and medium impact BES Cyber Systems with external routable 
connectivity to ensure the identification of anomalous network activity 
indicating an ongoing attack.\10\ Accordingly, we propose approving 
proposed Reliability Standard CIP-015-1.
---------------------------------------------------------------------------

    \7\ NERC defines BES Cyber Systems as ``One or more BES Cyber 
Assets logically grouped by a responsible entity to perform one or 
more reliability tasks for a functional entity.'' See NERC Glossary. 
BES Cyber Systems are categorized as high, medium, or low impact 
depending on the functions of the assets housed within each system 
and the risk they potentially pose to the reliable operation of the 
Bulk-Power System. Reliability Standard CIP-002-5.1a (BES Cyber 
System Categorization) sets forth criteria that registered entities 
apply to categorize BES Cyber Systems as high, medium, or low impact 
depending on the adverse impact that loss, compromise, or misuse of 
those BES Cyber Systems could have on the reliable operation of the 
BES. The impact level (i.e., high, medium, or low) of BES Cyber 
Systems, in turn, determines the applicability of security controls 
for BES Cyber Systems that are contained in the remaining CIP 
Reliability Standards (i.e., Reliability Standards CIP-003-8 to CIP-
013-1).
    \8\ External routable connectivity is ``[t]he ability to access 
a BES Cyber System from a Cyber Asset that is outside of its 
associated Electronic Security Perimeter via a bi-directional 
routable protocol connection.'' NERC Glossary.
    \9\ Order No. 887, 182 FERC ] 61,021 at P 49.
    \10\ NERC Petition at 1, 13.
---------------------------------------------------------------------------

    3. Proposed Reliability Standard CIP-015-1 is not, however, fully 
responsive to the Commission's directive to implement INSM for the 
``CIP-networked environment.'' \11\ In particular, the proposed 
Standard may not adequately defend against attacks that circumvent 
network perimeter-based security controls. Attacks external to the 
electronic security perimeter may compromise systems, such as EACMS or 
PACS, and then infiltrate the perimeter as a trusted communication, 
thus limiting the effectiveness of an approach that employs INSM only 
within the electronic security perimeter. The Commission used the 
phrase ``CIP-networked environment'' in Order No. 887 to be necessarily 
broader than the electronic security perimeter.\12\ Accordingly, to 
address this reliability and security gap, the Commission proposes to 
direct that NERC develop modifications to the proposed Reliability 
Standard CIP-015-1 to extend INSM to include EACMS and PACS outside of 
the electronic security perimeter.
---------------------------------------------------------------------------

    \11\ See Order No. 887, 182 FERC ] 61,021 at P 1.
    \12\ Id. P 49.
---------------------------------------------------------------------------

I. Background

A. Section 215 and Mandatory Reliability Standards

    4. Section 215 of the FPA provides that the Commission may certify 
an ERO, the purpose of which is to develop mandatory and enforceable 
Reliability Standards, subject to Commission review and approval.\13\ 
Reliability Standards may be enforced by the ERO, subject to Commission 
oversight, or by the Commission independently.\14\ Pursuant to section 
215 of the FPA, the Commission established a process to select and 
certify an ERO,\15\ and subsequently certified NERC.\16\
---------------------------------------------------------------------------

    \13\ 16 U.S.C. 824o(c).
    \14\ Id. 824o(e).
    \15\ Rules Concerning Certification of the Elec. Reliability 
Org.; & Procs. for the Establishment, Approval, & Enforcement of 
Elec. Reliability Standards, Order No. 672, 114 FERC ] 61,104, order 
on reh'g, Order No. 672-A, 114 FERC ] 61,328 (2006); see also 18 CFR 
39.4(b) (2024).
    \16\ N. Am. Elec. Reliability Corp., 116 FERC ] 61,062, order on 
reh'g and compliance, 117 FERC ] 61,126 (2006), aff'd sub nom. 
Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
---------------------------------------------------------------------------

B. Internal Network Security Monitoring

    5. INSM is a subset of network security monitoring that is applied 
within a ``trust zone,'' \17\ such as an electronic security perimeter. 
The trust zone applicable to INSM is the CIP-networked environment for 
this notice of proposed rulemaking (NOPR) and Order No. 887.\18\ INSM 
enables continuing visibility over communications between networked 
devices within a trust zone and detection of malicious activity that 
has circumvented perimeter controls. Further, INSM facilitates the 
detection of anomalous network activity indicative of an attack in 
progress, thus increasing the probability of early detection and 
allowing for quicker mitigation and recovery from an attack.
---------------------------------------------------------------------------

    \17\ The U.S. Department of Homeland Security, Cybersecurity and 
Infrastructure Security Agency (CISA) defines trust zone as a 
``discrete computing environment designated for information 
processing, storage, and/or transmission that share the rigor or 
robustness of the applicable security capabilities necessary to 
protect the traffic transiting in and out of a zone and/or the 
information within the zone.'' CISA, Trusted Internet Connections 
3.0: Reference Architecture, 2 (July 2020), https://www.cisa.gov/sites/default/files/publications/CISA_TIC%203.0%20Vol.%202%20Reference%20Architecture.pdf.
    \18\ Order No. 887, 182 FERC ] 61,021, at P 2.
---------------------------------------------------------------------------

    6. INSM is designed to address as early as possible situations 
where perimeter network defenses are breached by detecting intrusions 
and malicious activity within a trust zone. INSM consists of three 
stages: (1) collection; (2) detection; and (3) analysis. Taken 
together, these three stages provide the benefit of early detection and 
alerting of intrusions and malicious activity.\19\ INSM better 
positions an entity to detect an attacker in the early phases of an 
attack and reduces the likelihood that an attacker can gain a strong 
foothold, including operational control, on the target system. In 
addition to early detection and mitigation, INSM may improve incident 
response by providing higher quality data about the extent of an attack 
internal to a trust zone. Finally, INSM provides insight into east-west 
network traffic \20\ happening inside the network perimeter, which 
enables a more comprehensive picture of the extent of an attack 
compared to data gathered from the network perimeter alone.\21\
---------------------------------------------------------------------------

    \19\ See Chris Sanders & Jason Smith, Applied Network Security 
Monitoring, 9-10 (2013); see also ISACA, Applied Collection 
Framework: A Risk-Driven Approach to Cybersecurity Monitoring (Aug. 
18, 2020), https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2020/applied-collection-framework.
    \20\ East-west traffic refers to the communications among BES 
Cyber Systems and is the specific type of network traffic that 
remains within the network perimeter. It may refer to communication 
peer-to-peer industrial automation and control systems devices in a 
network or to activity between servers or networks inside a data 
center, rather than the data and applications that traverse networks 
to the outside world. CISCO, Networking and Security in Industrial 
Automation Environments Design Guide, 111 (Aug. 2020), https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/Industrial_Automation/IA_Horizontal/DG/Industrial-AutomationDG.pdf; 
The President's National Security Telecommunications Advisory 
Committee, Report to the President on Software-Defined Networking, 
E-3 (Aug. 2020), https://www.cisa.gov/sites/default/files/publications/NSTAC%20SDN%20Report%20%288-12-20%29.pdf.
    \21\ CISA, CISA Analysis: FY2020 Risk and Vulnerability 
Assessments (July 2021), https://www.cisa.gov/sites/default/files/publications/FY20-RVA-Analysis_508C.pdf.
---------------------------------------------------------------------------

C. Order No. 887

    7. On January 19, 2023, in Order No. 887, the Commission issued a 
final rule that directed that NERC develop ``new or modified CIP 
Reliability Standards requiring INSM for all high impact BES Cyber 
Systems with and without external routable connectivity and medium 
impact BES Cyber Systems with external routable connectivity to ensure 
the detection of anomalous network activity indicative of an attack in 
progress.'' \22\ The Commission, noting that INSM is ``applied within a 
`trust zone,' such as an electronic security perimeter,'' stated that 
for the final rule the applicable trust zone for INSM is the CIP-
networked environment.\23\
---------------------------------------------------------------------------

    \22\ Order No. 887, 182 FERC ] 61,021 at P 3.
    \23\ Id. P 2.
---------------------------------------------------------------------------

    8. The Commission explained that the currently effective CIP 
Reliability Standards focus on preventing unauthorized access at the 
electronic security perimeter and do not require INSM inside trusted 
CIP-networked environments.\24\ The Commission determined that this 
left a reliability gap when vendors or individuals with authorized 
access are deemed trustworthy but could still introduce a cybersecurity 
risk.\25\ The Commission then concluded that requirements to implement 
ISNM will ``fill a gap in the

[[Page 79180]]

current suite of CIP Reliability Standards and improve the 
cybersecurity posture of the Bulk-Power System.'' \26\
---------------------------------------------------------------------------

    \24\ Id. P 20.
    \25\ Id. An attacker could move among devices inside a trust 
zone and perform actions such as: (1) escalate privileges (such as 
gaining administrator account privileges through a vulnerability); 
(2) move undetected inside the CIP-networked environment; or (3) 
execute a virus, ransomware or another form of unauthorized code. 
Id. P 19.
    \26\ Id. P 49 (citing NERC Comments in Response to Notice of 
Proposed Rulemaking under Docket No. RM22-3-000 at 4-5 (current CIP 
Standards require ``malicious communications monitoring at the 
Electronic Access Point on the [electronic security perimeter], not 
necessarily monitoring of activity of those who already have access 
to the network'')). The Bulk-Power System is defined in the FPA as 
facilities and control systems necessary for operating an 
interconnected electric energy transmission network (or any portion 
thereof); and electric energy from generating facilities needed to 
maintain transmission system reliability. The term does not include 
facilities used in the local distribution of electric energy. 16 
U.S.C. 824o(a)(1).
---------------------------------------------------------------------------

    9. The Commission directed that NERC ensure that the new or 
modified CIP Reliability Standards address three security objectives 
for east-west network traffic. First, the new or modified CIP 
Reliability Standards should address the need for each responsible 
entity to develop a baseline for their network activity by analyzing 
for security purposes their network traffic and data flows. Second, the 
new or modified CIP Reliability Standards should address the need for 
responsible entities to monitor and detect ``unauthorized activity, 
connections, devices, network communication protocols, and software'' 
in the CIP-networked environment. Third, the new or modified CIP 
Reliability Standards should provide responsible entities with 
flexibility in determining how to best identify anomalous activity with 
a high level of confidence, so long as the methods ensure: (1) logging 
of network traffic; (2) maintaining the logs, and other data collected, 
regarding network traffic that are of ``sufficient data fidelity to 
draw meaningful conclusions'' to investigate an incident; and (3) 
maintaining the integrity of the logs and other data by employing 
measures that minimize the likelihood of an attacker removing evidence 
of their tactics, techniques, and procedures.\27\
---------------------------------------------------------------------------

    \27\ Order No. 887, 182 FERC ] 61,021 at PP 79-80.
---------------------------------------------------------------------------

D. NERC Petition and Proposed Reliability Standard CIP-015-1

    10. On June 24, 2024, NERC submitted for Commission approval 
proposed Reliability Standard CIP-015-1 and the associated violation 
risk factors and violation severity levels, implementation plan, and 
effective date.\28\ NERC states that proposed Reliability Standard CIP-
015-1 is intended to advance the reliability of the Bulk-Power System 
by providing a comprehensive suite of forward looking and objective-
based requirements for INSM.\29\
---------------------------------------------------------------------------

    \28\ NERC Petition at 2, 26-28. Proposed Reliability Standard 
CIP-015-1 is not attached to this NOPR. The proposed Reliability 
Standards are available on the Commission's eLibrary document 
retrieval system in Docket No. RM24-7-000 and on the NERC website, 
www.nerc.com.
    \29\ Id. at 4.
---------------------------------------------------------------------------

    11. NERC explains that the proposed Reliability Standard would 
address the directives in Order No. 887 by establishing three 
requirements for responsible entities to implement INSM systems and 
processes. Specifically:
     Requirement R1: responsible entities would be required to 
implement process(es) to monitor, detect, and evaluate anomalous 
activity in ``networks protected by the Responsible Entity's Electronic 
Security Perimeter(s)'' of high impact BES Cyber Systems and medium 
impact BES Cyber Systems with external routable connectivity.\30\
---------------------------------------------------------------------------

    \30\ Id., Ex. A (Proposed Reliability Standard CIP-015-1) at 6.
---------------------------------------------------------------------------

     Requirement R2: responsible entities would be required to 
implement process(es) for retaining INSM data associated with anomalous 
network activity as determined by the applicable responsible entities.
     Requirement R3: responsible entities would be required to 
implement process(es) to protect INSM monitoring data collected and 
retained in support of Requirements R1 and R2 to guard against the risk 
of unauthorized deletion or modification.
    According to NERC, Requirement R1 applies to data flows within 
``networks protected by the Responsible Entity's Electronic Security 
Perimeter(s).'' \31\ NERC states that proposed Reliability Standard 
CIP-015-1's scope is consistent with the plain language of Order No. 
887, which stated that INSM should apply within a trust zone, ``such as 
an electronic security perimeter,'' and that the trust zone for INSM is 
the ``CIP-networked environment.'' \32\ NERC states that its approach 
would provide the greatest benefits to the reliability of the Bulk-
Power System by focusing industry's limited resources on the most 
critical environment, ``networks protected by the Responsible Entity's 
Electronic Security Perimeter.'' \33\
---------------------------------------------------------------------------

    \31\ Id.
    \32\ NERC Petition at 16 (quoting Order No. 887, 182 FERC ] 
61,021 at P 2).
    \33\ Id. at 14, 17.
---------------------------------------------------------------------------

II. Discussion

A. Proposal To Approve Proposed Reliability Standard CIP-015-1

    12. Pursuant to section 215(d)(2) of the FPA, the Commission 
proposes to approve proposed Reliability Standard CIP-015-1 as just, 
reasonable, not unduly discriminatory or preferential, and in the 
public interest. The proposed Reliability Standard requires responsible 
entities to implement INSM within the electronic security perimeter for 
all high impact BES Cyber Systems with and without external routable 
connectivity and medium impact BES Cyber Systems with external routable 
connectivity. Consistent with the security objectives identified in 
Order No. 887, Requirement R1 of the proposed Standard would require 
responsible entities to implement INSM by mandating the collection, 
detection, analysis of and appropriate response to anomalous activity 
within the electronic security perimeter. Proposed Reliability Standard 
CIP-015-1, Requirement R2 would require responsible entities to retain 
INSM data related to anomalous activity. Proposed Reliability Standard 
CIP-015-1, Requirement R3 would require responsible entities to protect 
INSM data associated with anomalous network activity.
    13. Implementation of INSM within the electronic security perimeter 
will augment responsible entities' ability to detect anomalous or 
malicious activity and provide information to assist in determining an 
appropriate response through proposed Reliability Standard CIP-015-1, 
Requirements R1, R2, and R3. The proposed Reliability Standard improves 
the security posture of the industry by providing visibility into east-
west communications absent from previous Reliability Standards, 
improving the probability of detection for anomalous or malicious 
activity within the electronic security perimeter.
    14. Notwithstanding the improvements to security made by the 
proposed Standard, as discussed below, the proposed Reliability 
Standard does not fully implement the scope of protection contemplated 
in Order No. 887. By restricting the implementation of INSM to within 
the electronic security perimeter, a reliability and security gap 
remains by not implementing INSM for the entire CIP-networked 
environment, i.e., outside the electronic security perimeter inclusive 
of EACMS and PACS. To address this gap, we propose to direct NERC to 
develop modifications to the proposed Reliability Standard to include 
EACMS and PACS, thereby protecting the reliability and security of all 
trust zones of the CIP-networked environment. This approach--proposing 
to approve a Reliability Standard as enhancing protections and as a 
separate action under section 215(d)(5) of the FPA proposing to direct 
NERC to develop certain modifications to a Reliability Standard to 
address a reliability gap--is

[[Page 79181]]

consistent with Commission precedent.\34\
---------------------------------------------------------------------------

    \34\ See e.g., N. Am. Elec. Reliability Corp., 187 FERC ] 61,204 
(2024) (order approving Reliability Standard EOP-012-2 because it 
clarified the requirements for generator cold weather preparedness 
and by making other improvements and, in addition, directing that 
NERC submit modifications to Reliability Standard EOP-012-2 to 
address certain concerns); Critical Infrastructure Prot. Reliability 
Standard CIP-012-1--Cyber Sec.--Commc'ns between Control Ctrs., 
Order No. 866, 85 FR 7197 (Feb. 7, 2020), 170 FERC ] 61,031 (2020).
---------------------------------------------------------------------------

B. Scope of the CIP-Networked Environment

    15. NERC's proposed application of the term ``CIP-networked 
environment'' as limited to assets and systems within the electronic 
security perimeter is overly narrow. Order No. 887 used the term ``CIP-
networked environment'' purposefully to apply more broadly than the 
electronic security perimeter, specifically to include all assets and 
systems to which the CIP standards apply and may be the targets of 
attacks. As explained below, NERC's petition does not address that 
reliability and security gap because it does not require implementation 
of INSM at EACMS and PACS outside the electronic security perimeter.
    16. Excluding EACMS and PACS from the term ``CIP-networked 
environment'' is inconsistent with generally accepted approaches to 
cybersecurity. Under Reliability Standard CIP-002-5.1a and fundamental 
cybersecurity practices, similar systems within a network are grouped 
together to facilitate management, control, and monitoring of the 
networked environment.\35\ For example, EACMS are grouped together to 
allow for early detection of malicious activity within the CIP-
networked environment and potentially protect other grouped systems, 
such as BES Cyber Systems, with which the EACMS communicate. Thus, 
excluding certain grouped systems from protections--as is the case for 
EACMS and PACS in Reliability Standard CIP-015-1--leaves other grouped 
systems within the CIP-networked environment at risk. Here, the BES 
Cyber Systems would not benefit from monitoring of east-west (i.e., 
lateral) movement within the grouping of EACMS and PACS, which allows 
for early detection of anomalous or malicious activity.\36\ Otherwise, 
for example, a compromised EACMS grouping could provide an attacker 
with the opportunity to infiltrate other connected groups, such as BES 
Cyber Systems located within the electronic security perimeter, as an 
authenticated user or trusted communication.\37\
---------------------------------------------------------------------------

    \35\ Reliability Standard CIP-002.5.1a (BES Cyber System 
Categorization) (categorizing EACMS, PACS, protected cyber assets, 
and BES Cyber Systems into groups); see, e.g., Nat'l Sec. Agency, 
Network Infrastructure Security Guide, 1, 3-4 (Oct. 2023), https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF 
(recommending the grouping of similar network systems as a best 
practice for overall network security) (NSA Network Security Guide).
    \36\ See CISA, Cybersecurity Advisory: CISA Red Team Shares Key 
Findings to Improve Monitoring and Hardening of Networks, 2, 14 
(Feb. 2023), https://www.cisa.gov/sites/default/files/2023-03/aa23-059a-cisa_red_team_shares_key_findings_to_improve_monitoring_and_hardening_of_networks.pdf (finding that insufficient network monitoring 
contributed to a CISA red team avoiding detection and gaining access 
to an organization's network through lateral movement by leveraging 
access to an Active Directory system serving as an electronic access 
control system) (CISA Cybersecurity Advisory); Nat'l Inst. of 
Standards and Tech. (NIST), NIST SP 800-215 Guide to a Secure 
Enterprise Network Landscape, 5 (Nov. 2022), https://doi.org/10.6028/NIST.SP.800-215 (describing the limitations of a perimeter-
based security approach as not capturing threats from inside a 
network that can move laterally and remain undetected for an 
extended period of time) (NIST SP 800-215); NIST, NIST SP 800-82r3 
Guide to Operational Technology (OT) Security, 74 (Sept. 2023), 
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf (recommending the analyzing of information to differentiate 
between known and unknown communication as a necessary first step in 
implementing network security monitoring) (NIST SP 800-82r3). The 
term INSM is used by the Commission in Order No. 887, but the 
cybersecurity industry uses the term ``network security 
monitoring.'' Similarly, the CIP Standards use the terms ``EACMS'' 
and ``PACS,'' which are defined by the NERC Glossary, while NIST 
discusses the same concepts but does not use the same EACMS and PACS 
terminology.
    \37\ See CISA Cybersecurity Advisory at 2-6 (describing how a 
CISA Red Team was able to gain access to workstations and servers 
from an Active Directory system serving as an electronic access 
control system, which assisted in lateral movement to other 
networks).
---------------------------------------------------------------------------

    17. National Institute of Standards and Technology (NIST) guidance 
states that INSM monitoring needs to detect ``[a]ny threat that is 
already inside of a network [that] can move laterally and remain 
undetected for days or even months.'' \38\ According to the NIST 
guidance, east-west (lateral) monitoring (i.e., INSM) improves the 
probability of detection for malicious or anomalous activity and should 
not be isolated to only the most critical trust zones.\39\ While the 
terminology of EACMS and PACS is unique to the CIP Reliability 
Standards, these statements from NIST broadly include the concepts of 
EACMS and PACS and support the need for monitoring.
---------------------------------------------------------------------------

    \38\ NIST SP 800-215 at 5.
    \39\ See id. (describing east-west traffic as ``largely 
invisible to security teams'' without INSM and that a threat inside 
a network can move east-west and ``remain undetected for days or 
even months'').
---------------------------------------------------------------------------

    18. Further, we find NERC's rationale for limiting INSM to within 
the electronic security perimeter unpersuasive. First, NERC contends 
that the devices supporting reliable operation are contained within the 
electronic security perimeter and thus industry resources are most 
effectively focused on data flows within the electronic security 
perimeter.\40\ We disagree. While the devices directly supporting the 
reliable operation of the Bulk-Power System are located within the 
electronic security perimeter, attacks that threaten reliability can 
still emanate from outside the electronic security perimeter from 
connected Cyber Assets, such as EACMS.\41\
---------------------------------------------------------------------------

    \40\ NERC Petition at 14.
    \41\ See, e.g., CISA Cybersecurity Advisory at 1-2 (a CISA Red 
Team was able to gain access to systems adjacent to the 
organization's sensitive business systems (SBSs) by moving laterally 
from workstations and servers through an Active Directory system; 
Phase I of the attack ended before the team could implement a viable 
plan to achieve access to a SBS).
---------------------------------------------------------------------------

    19. Second, NERC avers that requiring INSM implementation outside 
the electronic security perimeter could have the unintended effect of 
impeding an entity's ability to detect and respond to threats to their 
most critical systems due to alarm and alert fatigue from large volumes 
of generated data.\42\ Extending INSM implementation to include EACMS 
and PACS may generate large volumes of data; \43\ however, we believe 
that the data can be managed and that the security benefits of 
implementing INSM outside the electronic security perimeter outweigh 
the burden associated with increased volumes of data. Defining incident 
alerting thresholds and establishing a baseline for normal network 
activity can reduce the potential for alarm and alert fatigue.\44\ 
Restricting INSM to the assets within the electronic security perimeter 
could leave the most critical networks vulnerable to an attack from 
outside the electronic security perimeter. Assets such as EACMS are 
high value targets for an attack because if successfully compromised, 
EACMS would allow an attacker to infiltrate the perimeter as a trusted 
communication.\45\ Further,

[[Page 79182]]

declining to extend INSM implementation to EACMS and PACS outside the 
electronic security perimeter leaves a reliability gap because 
responsible entities will lack visibility into the high percentage of 
east-west traffic that occurs within the CIP-networked environment.\46\ 
Monitoring and alerting of east-west traffic enables quicker detection 
of malicious communications, minimizing potential harmful effects.\47\ 
Additionally, the collected data serves as invaluable forensic evidence 
in the event of an attempted or successful compromise of the CIP-
networked environment.
---------------------------------------------------------------------------

    \42\ NERC Petition at 14-15 n.45.
    \43\ See NIST SP 800-82r3 at 130 (discussing alert ``noise'' 
from typical network traffic that can result from implementation of 
network security monitoring).
    \44\ See id. at 127-128 (recommending that organizations define 
incident alert thresholds to establish an efficient incident 
detection capability as not all events and anomalies are malicious 
or require investigation and establish alerting thresholds on 
baselines of normal network traffic and data flows to reduce false 
positive and nuisance alarms).
    \45\ See, e.g., CISA Cybersecurity Advisory at 14 (finding a 
CISA red team gained access to an organization's network due to the 
lack of monitoring on endpoint management systems--high valued 
assets--that can include the monitoring system part of an EACMS).
    \46\ NIST states that over 75% of network traffic is now east-
west or server-to-server, i.e., traffic that is not covered by a 
perimeter-based defense approach. See NIST SP 800-215 at 5.
    \47\ See id. at 5.
---------------------------------------------------------------------------

    20. Third, NERC asserts that requiring INSM implementation outside 
the electronic security perimeter would not promote security and 
reliability inside the CIP-networked environment or that the cost of 
doing so would outweigh associated benefits.\48\ We disagree. EACMS and 
PACS are integral to the effective operation of BES Cyber Systems 
within the electronic security perimeter in providing services, such as 
centralized authentication, authorization, and monitoring, and serving 
as the access point to the electronic security perimeter.\49\ These 
assets are valued targets for an attacker and illustrate the need for a 
defense-in-depth strategy for cybersecurity.\50\ Implementing INSM 
outside the electronic security perimeter provides significant benefits 
in monitoring, detecting, and collecting malicious code or anomalous 
activity from attackers moving east-west within the EACMS or PACS 
network segments of the CIP-networked environment and is a fundamental 
cybersecurity practice.\51\
---------------------------------------------------------------------------

    \48\ NERC Petition at 15-16 n.46.
    \49\ NERC, Lessons Learned: CIP Version 5 Transition Program 
(Sept. 2015), https://www.nerc.com/pa/CI/tpv5impmntnstdy/LL_EACMS_Mixed_Trust_Authentication_Sep_10_2015_clean.pdf.
    \50\ See, e.g., CISA Cybersecurity Advisory at 2-6, 14.
    \51\ See NIST SP 800-215 at 5; NSA Network Security Guide at 3.
---------------------------------------------------------------------------

C. Proposed Directive

    21. Pursuant to section 215(d)(5) of the FPA, the Commission 
proposes to direct NERC to develop modifications to proposed 
Reliability Standard CIP-015-1 that would extend INSM to include EACMS 
and PACS outside the electronic security perimeter. We also propose 
directing NERC to submit the revised Reliability Standard for 
Commission approval within 12 months of the effective date of a final 
rule in this proceeding. We seek comment on all aspects of this 
proposal.

III. Information Collection Statement

    22. The FERC-725B information collection requirements are subject 
to review by the Office of Management and Budget (OMB) under section 
3507(d) of the Paperwork Reduction Act of 1995. OMB's regulations 
require approval of certain information collection requirements imposed 
by agency rules. Upon approval of a collection of information, OMB will 
assign an OMB control number and expiration date. Respondents subject 
to the filing requirements will not be penalized for failing to respond 
to these collections of information unless the collections of 
information display a valid OMB control number. The Commission solicits 
comments on the need for this information, whether the information will 
have practical utility, the accuracy of the burden estimates, ways to 
enhance the quality, utility, and clarity of the information to be 
collected or retained, and any suggested methods for minimizing 
respondents' burden, including the use of automated information 
techniques.
    23. The Commission bases its paperwork burden estimates on the 
additional paperwork burden presented by the proposed revision to 
Reliability Standard CIP-015-1 as this is a new proposed Reliability 
Standard. Reliability Standards are objective-based and allow entities 
to choose compliance approaches best tailored to their systems. The 
NERC Compliance Registry, as of July 2024, identifies approximately 
1,636 unique U.S. entities that are subject to mandatory compliance 
with CIP Reliability Standards. Of this total, we estimate that 400 
entities will face an increased paperwork burden under proposed 
Reliability Standard CIP-015-1. Based on these assumptions, we estimate 
the following reporting burden:
---------------------------------------------------------------------------

    \52\ The paperwork burden estimate includes costs associated 
with the initial development of a policy to address the 
requirements.
    \53\ This burden applies in Year One to Year Three.
    The hourly cost for wages is based in part on the average of the 
occupational categories from the Bureau of Labor Statistics website 
(https://www.bls.gov/oes/current/naics2_22.htm) plus benefits:
    Legal (Occupation Code: 23-0000): $162.66.
    Electrical Engineer (Occupation Code: 17-2071): $79.31.
    Office and Administrative Support (Occupation Code: 43-0000): 
$48.59.
    ($162.66 + $79.31 + $48.59) / 3 = $96.85.
    The figure is rounded to $97.00 for use in calculating wage 
figures in this NOPR.

                                            Annual Changes Proposed by the NOPR in Docket No. RM24-7-000 \52\
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                    Annual
                                                  number of                                                                                    Cost per
                                     Number of    responses    Total number    Average burden & cost per   Total annual burden hours & total  respondent
                                    respondents      per       of responses          response \53\                    annual cost                 ($)
                                                  respondent
                                            (1)          (2)     (1) * (2) =  (4).......................  (3) * (4) = (5)...................   (5) / (1)
                                                                         (3)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Create one or more documented               400            1             400  40 hrs.; $3,880...........  16,000 hrs.; $1,552,000...........      $3,880
 process(es) (R1).
Create documentation detailing              400            1             400  60 hrs.; $5,820...........  24,000 hrs.; $2,328,000...........       5,820
 network data feed(s) and reason
 (R1.1).
Create documentation of: anomalous          400            1             400  60 hrs.; $5,820...........  24,000 hrs.; $2,328,000...........       5,820
 events and baseline used to
 detect anomalous events (R1.2).
Create documentation of methods             400            1             400  60 hrs.; $5,820...........  24,000 hrs.; $2,328,000...........       5,820
 to: evaluate anomalous activity;
 response to detected activity;
 and escalation process(es) (R1.3).
Create documentation of: data               400            1             400  60 hrs.; $5,820...........  24,000 hrs.; $2,328,000...........       5,820
 retention process(es); system
 configuration(s), or system-
 generated report(s) (R2).
Create documentation of how the             400            1             400  60 hrs.; $5,820...........  24,000 hrs.; $2,328,000...........       5,820
 collected data is being protected
 (R3).
                                   ---------------------------------------------------------------------------------------------------------------------
    Total burden for FERC-725B(5)   ...........  ...........           2,400  ..........................  136,000 hrs.; $13,192,000.........      32,980
     under CIP-015-1.
--------------------------------------------------------------------------------------------------------------------------------------------------------


[[Page 79183]]

    24. The responses and burden hours for Years 1-3 will total 
respectively as follows:
     Year 1-3 each: 2,400 responses; 136,000 hours.
     The annual cost burden for each year One to Three is 
$13,192,000.
    25. Title: Mandatory Reliability Standards, Revised Critical 
Infrastructure Protection Reliability Standards.
    Action: Revision to FERC-725B information collection.
    OMB Control No.: 1902-0248.
    Respondents: Businesses or other for-profit institutions; not-for-
profit institutions.
    Frequency of Responses: On Occasion.
    Necessity of the Information: This NOPR proposes to approve the 
requested modifications to Reliability Standards pertaining to critical 
infrastructure protection. As discussed above, the Commission proposes 
to approve proposed Reliability Standard CIP-015-1 pursuant to section 
215(d)(2) of the FPA because it improves upon the currently-effective 
suite of cybersecurity CIP Reliability Standards.
    Internal Review: The Commission has reviewed the proposed 
Reliability Standard and made a determination that its action is 
necessary to implement section 215 of the FPA. Interested persons may 
obtain information on the reporting requirements by contacting the 
following: Federal Energy Regulatory Commission, 888 First Street NE, 
Washington, DC 20426 [Attention: Kayla Williams, Office of the 
Executive Director, email: [email protected], phone: (202) 502-
8663, fax: (202) 273-0873].
    26. For submitting comments concerning the collection(s) of 
information and the associated burden estimate(s), please send your 
comments to the Commission, and to the Office of Management and Budget, 
Office of Information and Regulatory Affairs, Washington, DC 20503 
[Attention: Desk Officer for the Federal Energy Regulatory Commission, 
phone: (202) 395-4638, fax: (202) 395-7285]. For security reasons, 
comments to OMB should be submitted by email to: 
[email protected]. Comments submitted to OMB should include 
Docket Number RM24-7-000 and OMB Control Number 1902-0248.

IV. Environmental Analysis

    27. The Commission is required to prepare an Environmental 
Assessment or an Environmental Impact Statement for any action that may 
have a significant adverse effect on the human environment.\54\ The 
Commission has categorically excluded certain actions from this 
requirement as not having a significant effect on the human 
environment. Included in the exclusion are rules that are clarifying, 
corrective, or procedural or that do not substantially change the 
effect of the regulations being amended.\55\ The action proposed herein 
falls within this categorical exclusion in the Commission's 
regulations.
---------------------------------------------------------------------------

    \54\ Reguls. Implementing the Nat'l Envtl Pol'y Act, Order No. 
486, 52 FR 47897 (Dec. 17, 1987), FERC Stats. & Regs. Preambles 
1986-1990 ] 30,783 (1987) (cross-referenced at 41 FERC ] 61,284).
    \55\ 18 CFR 380.4(a)(2)(ii).
---------------------------------------------------------------------------

V. Regulatory Flexibility Act Certification

    28. The Regulatory Flexibility Act of 1980 (RFA) \56\ generally 
requires a description and analysis of proposed rules that will have 
significant economic impact on a substantial number of small entities. 
The Small Business Administration's (SBA) Office of Size Standards 
develops the numerical definition of a small business.\57\ The SBA 
revised its size standard for electric utilities (effective March 17, 
2023) to a standard based on the number of employees, including 
affiliates (from the prior standard based on megawatt hour sales).\58\ 
The Commission believes that because the obligations imposed upon 
industry are directed at only entities that own or operate high impact 
BES Cyber Systems with or without external routable connectivity or 
medium impact BES Cyber Systems with external routable connectivity 
that there are no entities that meet the SBA revised standard for 
electric utilities. Therefore, the Commission certifies that this NOPR 
will not have a significant economic impact on a substantial number of 
small entities. Accordingly, no regulatory flexibility analysis is 
required.
---------------------------------------------------------------------------

    \56\ 5 U.S.C. 601-612.
    \57\ 13 CFR 121.101.
    \58\ 13 CFR 121.201, Subsector 221 (Utilities).
---------------------------------------------------------------------------

VI. Comment Procedures

    29. The Commission invites interested persons to submit comments on 
the matters and issues proposed in this notice to be adopted, including 
any related matters or alternative proposals that commenters may wish 
to discuss. Comments are due November 26, 2024. Comments must refer to 
Docket No. RM24-7-000, and must include the commenter's name, the 
organization they represent, if applicable, and their address in their 
comments.
    30. All comments will be placed in the Commission's public files 
and may be viewed, printed, or downloaded remotely as described in the 
Document Availability section below. Commenters on this proposal are 
not required to serve copies of their comments on other commenters.
    31. The Commission encourages comments to be filed electronically 
via the eFiling link on the Commission's website at https://www.ferc.gov. The Commission accepts most standard word processing 
formats. Documents created electronically using word processing 
software must be filed in native applications or print-to-PDF format 
and not in a scanned format. Commenters filing electronically do not 
need to make a paper filing.
    32. Commenters that are not able to file comments electronically 
may file an original of their comment by USPS mail or by courier or 
other delivery services. For submission sent via USPS only, filings 
should be mailed to: Federal Energy Regulatory Commission, Office of 
the Secretary, 888 First Street NE, Washington, DC 20426. Submission of 
filings other than by USPS should be delivered to: Federal Energy 
Regulatory Commission, 12225 Wilkins Avenue, Rockville, MD 20852.

VII. Document Availability

    33. In addition to publishing the full text of this document in the 
Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
internet through the Commission's Home Page (https://www.ferc.gov).
    34. From the Commission's Home Page on the internet, this 
information is available on eLibrary. The full text of this document is 
available on eLibrary in PDF and Microsoft Word format for viewing, 
printing, and/or downloading. To access this document in eLibrary, type 
the docket number excluding the last three digits of this document in 
the docket number field.
    35. User assistance is available for eLibrary and the Commission's 
website during normal business hours from FERC Online Support at 202-
502-6652 (toll free at 1-866-208-3676) or email at 
[email protected], or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at 
[email protected].

    By direction of the Commission.

    Issued: September 19, 2024.
Debbie-Anne A. Reese,
Acting Secretary.
[FR Doc. 2024-22231 Filed 9-26-24; 8:45 am]
BILLING CODE 6717-01-P