The Federal Energy Regulatory Commission (“FERC”) issued a final rule (Order No. 887) directing the North American Electric Reliability Corporation (“NERC”) to develop new or modified Reliability Standards that require internal network security monitoring (“INSM”) within Critical Infrastructure Protection (“CIP”) networked environments.  This Order may be of interest to entities that develop, implement, or maintain hardware or software for operational technologies associated with bulk electric systems (“BES”).

The forthcoming standards will only apply to certain high- and medium-impact BES Cyber Systems.  The final rule also requires NERC to conduct a feasibility study for implementing similar standards across all other types of BES Cyber Systems.  NERC must propose the new or modified standards within 15 months of the effective date of the final rule, which is 60 days after the date of publication in the Federal Register.  

Background

According to the FERC news release, the 2020 global supply chain attack involving the SolarWinds Orion software demonstrated how attackers can “bypass all network perimeter-based security controls traditionally used to identify malicious activity and compromise the networks of public and private organizations.” FERC determined that current CIP Reliability Standards focus on preventing unauthorized access at the electronic security perimeter and that CIP-networked environments are therefore vulnerable to attacks that bypass perimeter-based security controls. The new or modified Reliability Standards (“INSM Standards”) are intended to address this gap by requiring responsible entities to employ INSM in certain BES Cyber Systems. INSM is a subset of network security monitoring that enables continuing visibility over communications between networked devices that are in the so-called “trust zone,” a term that generally describes a discrete and secure computing environment. For purposes of the rule, the trust zone is any CIP-networked environment. In addition to continuous visibility, INSM facilitates the detection of malicious and anomalous network activity to identify and prevent attacks in progress. Examples provided by FERC of tools that may support INSM include anti-malware, intrusion detection systems, intrusion prevention systems, and firewalls.

New or Modified Reliability Standards

The INSM Standards will apply to all high-impact BES Cyber Systems and medium-impact BES Cyber Systems with external routable connectivity, defined as the ability to access a BES Cyber System from outside of its associated electronic security perimeter.  FERC declined to set an implementation timeframe for the forthcoming standards and instead directed NERC to recommend an implementation period when it submits its proposal.  Accordingly, the deadline for responsible entities to implement INSM could be years in the future.

Under the rule, the INSM Standards must:

  • (1) Address the need for responsible entities to develop baselines of their network traffic inside their CIP-networked environment; 
  • (2) Address the need for responsible entities to monitor for and detect unauthorized activity, connections, devices, and software inside the CIP-networked environment; and
  • (3) Require responsible entities to identify anomalous activity to a high level of confidence by:
    • (a) Logging network traffic;
    • (b) Maintaining logs and other data collected regarding network traffic; and
    • (c) Implementing measures to minimize the likelihood of an attacker removing evidence of their tactics, techniques, and procedures from compromised devices.

Feasibility Study

Within 12 months of the final rule, NERC must also submit a report that studies the feasibility of implementing INSM within medium-impact BES Cyber Systems without external routable connectivity and all low-impact BES Cyber Systems, which are not subject to the INSM Standards.

FERC has emphasized that the commissioned feasibility study should include a determination of:

(1) The ongoing risk to the reliability and security of the Bulk-Power System posed by low- and medium-impact BES Cyber Systems that will not be subject to the INSM Standards; and

(2) The potential technological or other challenges involved in extending INSM to additional BES Cyber Systems, as well as possible alternative mitigating actions to address the risks posed.

Ashden Fein

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Mr. Fein frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.

Additionally, Mr. Fein assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, and requirements related to supply chain security.

Before joining Covington, Mr. Fein served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Mr. Fein currently serves as a Judge Advocate in the U.S. Army Reserve.

Caleb Skeath

Caleb Skeath advises clients on a broad range of privacy and data security issues, including regulatory inquiries from the Federal Trade Commission, data breach notification obligations, compliance with consumer protection laws, and state and federal laws regarding educational and financial privacy.

Web Leslie

Web Leslie represents and advises emerging and leading companies on a broad array of technology issues, including on cybersecurity, national security, investigations, and data privacy matters.

Web provides strategic advice and counsel on cybersecurity preparedness, data breach, cross-border privacy law, and government investigations, and helps clients navigate complex policy matters related to cybersecurity and national security.

In addition to his regular practice, Web also counsels pro bono clients on technology, immigration, and criminal law matters, including representing a client sentenced to life without parole by a non-unanimous jury in Louisiana.

Web previously served in government in various roles at the Department of Homeland Security, including at the Cybersecurity and Infrastructure Security Agency (CISA), where he specialized in cybersecurity policy, public-private partnerships, and interagency cyber operations. He also served as Special Assistant to the Secretary of Homeland Security.

Shayan Karbassi

Shayan Karbassi is an associate in the firm’s Washington, DC office. He is a member of the firm’s Data Privacy and Cybersecurity and White Collar and Investigations Practice Groups. Shayan advises clients on a range of cybersecurity and national security matters. He also maintains an active pro bono practice.