FERC Directs NERC to Develop Internal Network Security Monitoring for High and Medium Impact Bulk Electric System Cyber Systems.

On January 19, 2023, the Commission issued a final rule that directs the North American Electric Reliability Corporation (“NERC”) to develop and submit reliability standards for monitoring high and medium impact bulk electric systems with high-speed internet connections. The Commission stated that the new reliability standards would assist entities in monitoring network traffic inside the bulk electric systems and detecting unauthorized activity inside those systems.

Under the Commission’s current Critical Infrastructure Protection (“CIP”) reliability standards, network security monitoring is focused on defending the security perimeter of networks and does not address potential vulnerabilities of the internal network to cyber threats. The new rule thus requires NERC to develop Internal Network Security Monitoring (“INSM”). FERC explains that INSM is used to detect situations where vendors or individuals with authorized access are considered trustworthy, but might still introduce a cybersecurity risk. These vendors can be leveraged by cyber attackers who ultimately compromise the internal networks of the bulk electric system. FERC stated that incorporating INSM requirements into the CIP reliability standards “would help to ensure that utilities maintain visibility over communications in their protected networks,” which would “help detect an attacker’s presence and movements and give the utility time to take action before an attacker can fully compromise the network.”

The Commission issued a Notice of Proposed Rulemaking for this rule on January 20, 2022, to address INSM for all high and medium impact bulk electric system cyber systems. The final rule explains that the Commission became persuaded by commenters to limit its final rule to only cover all high impact bulk electric system cyber systems with and without broadband access and medium impact bulk electric system cyber systems with broadband access. Thus, the Commission explains, the final rule focuses on cybersecurity systems that pose the highest risk to the security of bulk electric cyber systems. FERC explains that NERC may in the future extend INSM to medium and low impact bulk electric cyber systems with no broadband access. As such, the Commission also tasked NERC with studying the risks posed by the lack of INSM and studying the feasibility of implementing INSM at such unaddressed bulk electric cyber systems. The Commission directed NERC to submit the new standards to the Commission for approval within 15 months and submit its report on medium and low impact bulk electric system cyber systems with no broadband access within 12 months.

FERC’s order, issued in Docket No. RM22-3, can be found here.