Understanding Internal Network Security Monitoring (INSM)
Internal Network Security Monitoring (INSM) is the continuous collection and analysis of network traffic inside a trusted security zone, rather than only at its boundary, in order to detect and respond to malicious activity. It reinforces a defense-in-depth approach: perimeter controls such as firewalls only see traffic that crosses the boundary, so an attacker who is already inside (via a compromised vendor update, stolen credentials, or a transient laptop) is invisible to them. INSM adds visibility into that east-west traffic.
Concern about adversaries bypassing perimeter controls grew after high-profile supply chain attacks such as the SolarWinds compromise, in which malicious code arrived through a trusted software update rather than across the perimeter. Regulators have responded by placing greater emphasis on internal network visibility.
NERC CIP and the Need for INSM
In North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) environments, the current Reliability Standards (for example, CIP-005-7) require monitoring of network traffic at the Electronic Access Points of the Electronic Security Perimeter (ESP) around high- and medium-impact Bulk Electric System (BES) Cyber Systems, that is, traffic entering or leaving the ESP. They do not require monitoring of traffic between devices inside the ESP, so lateral movement within the perimeter can go undetected.
To bridge this gap, NERC introduced CIP-015-1, a new standard aimed at enhancing internal network visibility and cybersecurity resilience.
What is NERC CIP-015-1?
In January 2023 (Order No. 887), the Federal Energy Regulatory Commission (FERC) directed NERC to add INSM requirements to the CIP Reliability Standards. The resulting CIP-015-1 standard applies to:
- High-impact BES Cyber Systems (with or without External Routable Connectivity [ERC]).
- Medium-impact BES Cyber Systems with ERC.
To meet these requirements, NERC initiated Project 2023-03 INSM, assembling a drafting team to develop the standard.
Key Changes Under CIP-015-1
The CIP-015-1 standard introduces three requirements:
R1: INSM Implementation
Responsible Entities must implement and document one or more processes for INSM of the networks protected by their ESPs, in order to detect and evaluate anomalous network activity. The process must include:
- Network data feeds that monitor network activity, including connections, devices, and communications.
- Detection of anomalous network activity using those data feeds.
- Evaluation of detected anomalous activity to determine the appropriate response.
Acceptable evidence includes the rationale for data feed selection, records of detection events, configuration settings of the monitoring tools, and the methods used to evaluate and respond to detections.
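As an added illustration (not code from this page, from NERC, or from any INSM product), the following Python shows the simplest form of R1 detection logic: learn which devices talk to which, on which service, from a reviewed learning window of intra-ESP flow records, then flag flows that deviate from that baseline. The hostnames, ports, and flow tuples are constructed; a real data feed would come from SPAN or TAP traffic collected inside the ESP and exported as NetFlow/IPFIX or Zeek conn logs.

```python
"""Baseline-and-deviation detection over constructed intra-ESP flow records.

Added example, not code from the page or from any INSM product. The asset
names, ports and flow tuples below are constructed assumptions.
"""
from dataclasses import dataclass

# A flow is (src_host, dst_host, dst_port, proto). Direction matters: a
# historian initiating sessions to an HMI is not the same thing as the HMI
# writing to the historian.
Flow = tuple[str, str, int, str]

# Constructed learning-window flows (assumed hostnames, not real assets).
BASELINE_FLOWS: list[Flow] = [
    ("hmi-01", "rtu-07", 502, "tcp"),        # Modbus/TCP polling
    ("hmi-01", "rtu-08", 502, "tcp"),
    ("eng-ws-02", "plc-03", 20000, "tcp"),   # DNP3 engineering session
    ("hmi-01", "hist-01", 1433, "tcp"),      # HMI writes to historian
    ("hmi-01", "rtu-07", 502, "tcp"),        # repeat of a normal poll
]

# Constructed monitoring-window flows, three of which deviate from baseline.
OBSERVED_FLOWS: list[Flow] = [
    ("hmi-01", "rtu-07", 502, "tcp"),         # normal, matches baseline
    ("eng-ws-02", "rtu-07", 502, "tcp"),      # known hosts, never-seen pair
    ("hmi-01", "hist-01", 445, "tcp"),        # known pair, new service (SMB)
    ("lap-unknown", "plc-03", 20000, "tcp"),  # device never seen in the ESP
]


@dataclass(frozen=True)
class Baseline:
    devices: frozenset[str]
    pairs: frozenset[tuple[str, str]]
    services: frozenset[Flow]


@dataclass(frozen=True)
class Alert:
    flow: Flow
    reason: str


def build_baseline(flows: list[Flow]) -> Baseline:
    """Learn the devices, directional peer pairs and services seen during a
    window that an engineer has reviewed and accepted as normal."""
    devices, pairs, services = set(), set(), set()
    for src, dst, port, proto in flows:
        devices.update((src, dst))
        pairs.add((src, dst))
        services.add((src, dst, port, proto))
    return Baseline(frozenset(devices), frozenset(pairs), frozenset(services))


def classify_flows(baseline: Baseline, flows: list[Flow]) -> list[Alert]:
    """Return one Alert per flow that deviates from the baseline, tagged with
    the first matching reason in order of severity: unknown device, then
    unknown peer pair, then unknown service on a known pair. Flows already
    in the baseline produce no alert."""
    alerts: list[Alert] = []
    for flow in flows:
        src, dst, _port, _proto = flow
        if src not in baseline.devices or dst not in baseline.devices:
            alerts.append(Alert(flow, "new device"))
        elif (src, dst) not in baseline.pairs:
            alerts.append(Alert(flow, "new peer pair"))
        elif flow not in baseline.services:
            alerts.append(Alert(flow, "new service on known pair"))
    return alerts


if __name__ == "__main__":
    for alert in classify_flows(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(f"{alert.reason:26s} {alert.flow}")
```

Set membership is deliberately the minimum: production INSM adds protocol-aware inspection (for example, Modbus function codes or DNP3 control operations) and rate or volume deviations on known pairs. Note that each Alert carries the underlying flow, which is exactly the material R2 asks you to retain and R3 asks you to protect.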
R2: INSM Data Retention
Entities must document and retain INSM data associated with the anomalous network activity they detect. Acceptable evidence includes:
- Documentation of the data retention process and policy.
- System-generated reports demonstrating that the retention is actually occurring.
R3: INSM Data Protection
Organizations must document and implement protections for the INSM data they collect and retain, to mitigate the risk of unauthorized deletion or modification. Evidence may include:
- Security controls protecting the stored data.
- Access control policies that preserve data integrity.
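R3 is normally met with access controls on the storage, but a complementary control a practitioner can actually verify is making the retained records tamper-evident. As an added example (not code from this page, from NERC, or from any product), the Python below chains each detection record to the previous one with an HMAC, so that editing a record, deleting one from the middle, or truncating the log is detected on verification. The key and the sample records are constructed; in practice the key lives with the collector or SIEM, not with the analysts who read the records.

```python
"""Tamper-evident retention of INSM detection records via an HMAC hash chain.

Added example, not code from the page or from any INSM product. The key and
the sample records are constructed assumptions.
"""
import copy
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; never hard-code a real key like this.
DEMO_KEY = b"constructed-demo-key-not-for-production"

GENESIS = "0" * 64  # "previous tag" for the first entry


def _canonical(obj) -> bytes:
    """Deterministic serialization so the same record always MACs the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, body: dict) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_record(chain: list[dict], record: dict, key: bytes) -> list[dict]:
    """Append one detection record, binding it to its position and to the
    previous entry's tag so later edits or deletions break the chain."""
    body = {
        "seq": len(chain),
        "prev": chain[-1]["tag"] if chain else GENESIS,
        "record": record,
    }
    chain.append({**body, "tag": _tag(key, body)})
    return chain


def verify_chain(chain: list[dict], key: bytes,
                 anchor: Optional[str] = None) -> tuple[bool, Optional[int]]:
    """Return (True, None) if every entry is intact, else (False, index).

    `anchor` is the latest tag published out of band (for example to WORM
    storage or a separate log server). Without it, silently dropping the
    newest entries is undetectable: a shortened chain is still internally
    consistent.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {"seq": entry["seq"], "prev": entry["prev"], "record": entry["record"]}
        if (entry["seq"] != i or entry["prev"] != prev
                or not hmac.compare_digest(_tag(key, body), entry["tag"])):
            return False, i
        prev = entry["tag"]
    if anchor is not None and prev != anchor:
        return False, len(chain)
    return True, None


# Constructed detection records of the kind R2 requires to be retained.
SAMPLE_RECORDS = [
    {"ts": "2025-01-14T10:02:11Z", "src": "eng-ws-02", "dst": "rtu-07",
     "dport": 502, "reason": "new peer pair"},
    {"ts": "2025-01-14T10:02:40Z", "src": "hmi-01", "dst": "hist-01",
     "dport": 445, "reason": "new service on known pair"},
    {"ts": "2025-01-14T10:03:05Z", "src": "lap-unknown", "dst": "plc-03",
     "dport": 20000, "reason": "new device"},
]


def build_sample_chain(key: bytes = DEMO_KEY) -> list[dict]:
    chain: list[dict] = []
    for rec in SAMPLE_RECORDS:
        append_record(chain, rec, key)
    return chain


def demo_tampering(key: bytes = DEMO_KEY) -> dict:
    """Show which manipulations the chain catches, and at which index."""
    chain = build_sample_chain(key)
    anchor = chain[-1]["tag"]                  # published out of band

    edited = copy.deepcopy(chain)
    edited[1]["record"]["dport"] = 1433        # an analyst "fixes" an alert

    deleted = copy.deepcopy(chain)
    del deleted[1]                             # middle entry removed

    truncated = chain[:-1]                     # newest entry dropped

    return {
        "intact": verify_chain(chain, key, anchor),
        "edited": verify_chain(edited, key, anchor),
        "deleted": verify_chain(deleted, key, anchor),
        "truncated_no_anchor": verify_chain(truncated, key),
        "truncated_with_anchor": verify_chain(truncated, key, anchor),
    }


if __name__ == "__main__":
    for name, result in demo_tampering().items():
        print(f"{name:22s} {result}")
```

The chain detects modification; it does not prevent it, so it complements rather than replaces the access controls R3 asks for. The two operational points are that the HMAC key must not be readable by the people whose edits you want to detect, and that the latest tag must be anchored somewhere the same people cannot overwrite, otherwise truncation of the newest records is invisible.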
Timeline for Implementation
Once approved, CIP-015-1 will apply to the following Responsible Entities:
- Balancing Authorities
- Distribution Providers
- Generator Operators and Generator Owners
- Reliability Coordinators
- Transmission Operators and Transmission Owners
NERC filed its petition for approval of CIP-015-1 with FERC in June 2024, and the standard is currently awaiting FERC approval. Once it becomes effective, affected entities will have:
- 36 months for high-impact BES Cyber Systems and for medium-impact BES Cyber Systems with ERC located at Control Centers.
- 60 months for all other medium-impact BES Cyber Systems with ERC.
On that basis the first compliance deadline was projected for late 2027, but the actual date depends on when FERC approves the standard and on the effective date that follows.
Challenges and Considerations for Organizations
Organizations should not delay INSM implementation, because compliance involves several challenges:
- Asset inventory and network architecture understanding
  - Identify and document existing Cyber Assets (hardware and software).
  - Assess network protocols and data flows.
  - Consider additional segmentation to improve monitoring effectiveness.
- Optimal INSM deployment strategy
  - Determine the network monitoring points (for example, SPAN ports or TAPs on ESP switches) that give comprehensive visibility.
  - Account for data storage requirements, since retention of INSM data is mandatory.
- Security and compliance measures
  - Implement protections to ensure the confidentiality, integrity, and availability of INSM data.
  - Train cybersecurity teams to understand, deploy, and manage INSM effectively.
Final Thoughts
The adoption of NERC CIP-015-1 marks a significant step toward strengthening cybersecurity within critical infrastructure. As cyber threats evolve, INSM will play a pivotal role in enhancing detection, response, and overall resilience. Organizations should proactively prepare for compliance by assessing their network security posture, implementing monitoring solutions, and developing comprehensive cybersecurity strategies.
By taking action now, organizations can ensure a smoother transition to the new standard while reinforcing their cybersecurity defenses against increasingly sophisticated threats.
Insane Cyber is Here to Help
The movement towards enforcing network security monitoring for BES Cyber Systems comes as no surprise given the history of cyber-attacks against the electric sector across the world.
The Valkyrie Platform introduces a better way with automated monitoring to keep you protected from threats via visualizing all connected data points and directional data flows, near-instant data analysis and reporting, and continuous monitoring of host and network data.
If you are an asset owner struggling to identify monitoring solutions that will meet NERC CIP-015-1, or to work out how to prepare for INSM implementation, reach out to us for help.
References
https://www.nerc.com/pa/Stand/Pages/Project%202016-02%20Modifications%20to%20CIP%20Standards.aspx
https://www.nerc.com/pa/Stand/Pages/Project-2023-03-INSM.aspx