Power Sector Faces New Standards with NERC-CIP015 for Internal Network Security Monitoring

In a significant move to strengthen the cybersecurity of the North American electric grid, the Federal Energy Regulatory Commission (FERC) released Order 887 in January 2023, which paved the way for NERC-CIP015, a new standard on Internal Network Security Monitoring (INSM). This directive, set forth by the North American Electric Reliability Corporation (NERC), addresses a critical gap in the existing Critical Infrastructure Protection (CIP) standards by focusing on internal network security.

Previously, NERC-CIP standards only required traditional security measures, relying on known rules and signatures to identify threats. With NERC-CIP015, electric cooperatives are now expected to monitor East-West traffic and detect anomalies within internal network zones. This move aims to improve the early detection of novel threats that bypass traditional defenses, such as firewalls and antivirus software.

Bridging the Internal Network Security Gap

As cyber threats evolve, attackers increasingly exploit lateral (East-West) movement within networks after breaching external defenses. INSM plays a crucial role by establishing a baseline of normal network activity, enabling systems to detect anomalies and alert operators when unexpected behavior is identified. This internal-focused security measure helps identify potential insider threats, compromised credentials, and emerging attack techniques that traditional security protocols might overlook.

The deployment timeline for INSM, if NERC-CIP015 is approved, will be staggered based on system impact:

  • High-impact Bulk Electric Systems (BES) will have 36 months to implement INSM.
  • Medium-impact BES with external routable connectivity (ERC) will have 60 months.

Given the preparation and operational changes involved, NERC advises electric cooperatives and utilities to begin implementing these standards as soon as possible to meet future compliance deadlines.

Key Requirements of NERC-CIP015 INSM

The NERC-CIP015 directive outlines three primary requirements to ensure a more robust cybersecurity infrastructure within electric systems:

  1. Network Security Monitoring:
    • Risk-based monitoring: Requires a tailored approach to monitoring within Electronic Security Perimeters (ESPs) around high- and medium-impact systems. Monitoring data feeds capture information about connections, devices, and internal communication pathways.
    • Anomaly Detection: Systems must detect unexpected network behavior that could signify malicious activity.
    • Evaluation of anomalies: Any unusual activities detected must be analyzed to determine appropriate actions.
    • Evidence and documentation: Organizations need to document their monitoring processes, rationale, and network baselines to show compliance.

    Automation is key here, as creating accurate baselines for diverse environments, such as substations and control centers, requires real-time adaptation to normal behavior. INSM solutions driven by AI can streamline these baselines, reducing manual adjustments and improving threat detection.

  2. Data Retention for Anomalous Activity:
    • A system must retain network security data linked to detected anomalies until related investigations and actions are completed. Compliance evidence includes configuration records and data retention process documentation.

  3. Data Protection:
    • Measures must be in place to safeguard monitoring data against unauthorized changes or deletion. This ensures the integrity of security data for forensic analysis, should an incident occur.
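
The three requirements above can be seen working together in the Python example below, which is added here for illustration and is not part of the original article, the standard's text, or any vendor's product. It learns a baseline of devices and conversations from flow records, flags live East-West flows that deviate from it, and holds the linked records in a hash-chained store until the investigation is closed. The Flow fields, the sample addresses, the EvidenceStore class and the choice of a hash chain for tamper evidence are all assumptions made for the example.

```python
import hashlib, json
from collections import namedtuple
Flow = namedtuple("Flow", "ts src dst proto dport")
# Constructed flow records from inside one ESP (all values are illustrative).
LEARNING = [Flow(1, "10.1.1.10", "10.1.1.20", "tcp", 20000),
            Flow(2, "10.1.1.10", "10.1.1.21", "tcp", 20000),
            Flow(3, "10.1.1.30", "10.1.1.10", "tcp", 502)]
LIVE = [Flow(10, "10.1.1.10", "10.1.1.20", "tcp", 20000),  # seen during learning
        Flow(11, "10.1.1.30", "10.1.1.20", "tcp", 445),    # known hosts, new conversation
        Flow(12, "10.1.1.99", "10.1.1.21", "tcp", 20000)]  # device never seen before

def build_baseline(flows):
    """Learn known devices and the conversations (src, dst, proto, port) between them."""
    return {"devices": {ip for f in flows for ip in (f.src, f.dst)},
            "pairs": {(f.src, f.dst, f.proto, f.dport) for f in flows}}

def detect(flows, baseline):
    """Return (flow, reasons) for each flow that deviates from the baseline."""
    findings = []
    for f in flows:
        reasons = [f"unknown device {ip}" for ip in (f.src, f.dst)
                   if ip not in baseline["devices"]]
        if (f.src, f.dst, f.proto, f.dport) not in baseline["pairs"]:
            reasons.append("conversation not in baseline")
        if reasons:
            findings.append((f, reasons))
    return findings

class EvidenceStore:
    """Anomaly-linked records, hash-chained and held until the case is closed."""
    def __init__(self):
        self.records, self.head = [], "0" * 64
    def hold(self, flow, reasons):
        body = json.dumps({"flow": flow._asdict(), "reasons": reasons,
                           "prev": self.head}, sort_keys=True)
        self.head = hashlib.sha256(body.encode()).hexdigest()
        self.records.append({"body": body, "digest": self.head, "case_open": True})
    def close_case(self, index):
        self.records[index]["case_open"] = False
    def releasable(self):
        return [r for r in self.records if not r["case_open"]]
    def verify(self):
        """Recompute the chain; any edited or deleted record breaks it."""
        prev = "0" * 64
        for r in self.records:
            digest = hashlib.sha256(r["body"].encode()).hexdigest()
            if digest != r["digest"] or json.loads(r["body"])["prev"] != prev:
                return False
            prev = digest
        return prev == self.head
```

A record only appears in releasable() after close_case() has been called for it, which mirrors the retention rule, and verify() returns False if a held record is altered or removed.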

Implementation Challenges and Considerations

Selecting an INSM solution can be challenging, given the variations in network environments and the technical requirements of each utility. Organizations should prioritize solutions that provide continuous visibility of East-West traffic, layer 7 application-level insights, and compatibility with existing infrastructures. Additional considerations for selecting an INSM solution include:

  • Real-time traffic visibility: Ensures comprehensive monitoring of East-West traffic within trust zones to detect lateral movements.
  • Deployment impact: Utilities should consider whether the INSM solution is inline, passive, or hybrid and the potential effects on network latency.
  • Vendor experience: Choose vendors familiar with the unique demands of electric utilities and critical infrastructure, as these environments require specialized knowledge to avoid impacting sensitive OT systems.

The Industry’s Next Steps

The implementation of NERC-CIP015 will undoubtedly require new investments in technology and training, but the benefits are clear. By emphasizing visibility into East-West traffic within networks, organizations can detect and respond to security threats more effectively, addressing vulnerabilities that could disrupt power systems. As utilities work to align with these new standards, INSM solutions powered by AI, such as those provided by vendors like Darktrace, offer adaptive security through automated baselining, anomaly detection, and reduced need for manual tuning.

NERC-CIP015 reflects a forward-thinking approach to securing the nation’s electric infrastructure and represents a critical step toward a resilient power grid. For an industry reliant on interconnected networks, the ability to detect and respond to threats within the network is crucial for protecting essential services across North America.

Source: Darktrace

