
The Scoop on NERC CIP-015-1 INSM

Dec 4, 2024


Industry Insight

Internal Network Security Monitoring (INSM)


Internal Network Security Monitoring (INSM) is the monitoring of network traffic within a trusted security zone, focused on detecting malicious activity. Its importance to a comprehensive cybersecurity strategy cannot be overstated: it adds a layer to a defense-in-depth approach for the case where a malicious actor is able to bypass perimeter defenses such as firewalls.


The bypassing of perimeter security controls became a concern for regulators after supply chain attacks such as the SolarWinds compromise.


In North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) environments, current Reliability Standards such as CIP-005-7 require the monitoring of network traffic at the Electronic Security Perimeter (ESP) of high and medium impact Bulk Electric System (BES) Cyber Systems.


However, this leaves traffic inside the ESP unmonitored, and those gaps remain exposed to threats. To address the lack of internal network visibility, NERC drafted the new CIP-015-1 standard.


NERC CIP-015-1 INSM 


In January 2023, the Federal Energy Regulatory Commission (FERC) directed NERC to develop INSM requirements within the CIP Reliability Standards for high impact BES Cyber Systems, with or without External Routable Connectivity (ERC), and medium impact BES Cyber Systems with ERC to address the current gaps in monitoring and detection. In response to this order, NERC set up a drafting team that created Project 2023-03 INSM.


So, what’s changing?


The new CIP-015-1 standard (a.k.a. the outcome of Project 2023-03 INSM) introduces three requirements: 


R1. INSM Implementation 


This requirement states that Responsible Entities must implement a documented process for INSM of high impact BES Cyber Systems and medium impact BES Cyber Systems with ERC, within the Responsible Entity's ESPs, to provide detection and response capabilities. The INSM should include network data feeds to monitor connections, devices, and communications, and should be able to detect anomalous activity and provide methods to respond to it.


Evidence of this documented process is required and can include network data feed details and how they were selected for collection, documentation of anomalous network detection events, configuration settings of the INSM, and methods used to evaluate anomalous activity. 


R2. INSM Data Retention 


This requirement states that Responsible Entities must implement and document the retention of INSM data associated with anomalous activity, and must retain evidence of doing so. Evidence can include documentation of the data retention process or a system-generated report.


R3. INSM Data Protection 


Lastly, Responsible Entities must implement and document protections for the INSM data collected and retained, to safeguard that data from being deleted or modified. Evidence can include documentation of how the data is protected against these risks.


Timeline 


Once approved, the new regulations will apply to Responsible Entities such as Balancing Authorities, Distribution Providers, Generator Operators, Generator Owners, Reliability Coordinators, Transmission Operators, and Transmission Owners. 


NERC submitted a Petition for Approval of the proposed Reliability Standard CIP-015-1 in July of this year, which is awaiting FERC approval. Once approved, Responsible Entities for all high and medium impact BES Cyber Systems with ERC will have 36 months to align with the new standard. All other medium impact BES Cyber Systems with ERC will have 60 months. The effective date is forecast to be in late 2027; however, it is subject to change.


Challenges 


Organizations shouldn't wait for the standard to take effect before starting to implement INSM in their protected environments, as several challenges may arise. One of them is gaining an understanding of the Cyber Assets that exist and the network architecture currently in place.


This could include creating or updating an asset inventory that covers both Cyber Asset hardware and software in the environment, identifying the protocols in use and the current data flows, and possibly developing additional segmentation within the network to reduce traffic volume so that INSM solutions can effectively process the data they are fed.


The best positions within the network for INSM sensors should be analyzed so that all communications are effectively captured, and storage requirements should be considered, since the standard will require this data to be retained.


Furthermore, consider the protections that must be in place, as mandated by the standard, to maintain the confidentiality, integrity, and availability of this data. Implementing INSM can be resource intensive, and the teams responsible will have to work together and will likely require training and knowledge transfer to understand where and how INSM best fits.
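To make the R1 and R3 expectations concrete (a baseline of known devices and communications inside the ESP, detection of activity that departs from it, and retained detection data that cannot be silently deleted or modified), here is a small Python illustration. It is an added example, not code from the original post, from Insane Cyber, or from the standard: the addresses, ports and flows are constructed sample data, and the baseline-comparison and hash-chained log are one common design choice, not anything CIP-015-1 prescribes.

```python
"""Toy INSM workflow: learn a baseline of ESP flows, flag departures from it,
and retain the resulting events in a tamper-evident, append-only log."""
from collections import namedtuple
import hashlib
import json

# One flow record: source host, destination host, transport protocol, destination port.
Flow = namedtuple("Flow", "src dst proto dport")

# Constructed baseline (assumed to have been vetted from the asset inventory and
# documented data flows). Addresses and roles are illustrative, not real assets.
BASELINE_FLOWS = [
    Flow("10.1.1.10", "10.1.1.20", "tcp", 502),   # HMI -> PLC, Modbus/TCP
    Flow("10.1.1.10", "10.1.1.21", "tcp", 502),   # HMI -> second PLC
    Flow("10.1.1.30", "10.1.1.10", "tcp", 3389),  # engineering workstation -> HMI
    Flow("10.1.1.20", "10.1.1.50", "udp", 514),   # PLC syslog -> collector
]

# Constructed traffic sample captured from an internal span/tap, to be evaluated.
OBSERVED_FLOWS = [
    Flow("10.1.1.10", "10.1.1.20", "tcp", 502),   # matches baseline
    Flow("10.1.1.30", "10.1.1.20", "tcp", 502),   # known hosts, new communication path
    Flow("10.1.1.99", "10.1.1.20", "tcp", 502),   # host not in the inventory
    Flow("10.1.1.10", "10.1.1.21", "tcp", 22),    # known pair, new service
]


def build_baseline(flows):
    """Return (known_devices, allowed_tuples) learned from the vetted flow set."""
    devices, allowed = set(), set()
    for f in flows:
        devices.update((f.src, f.dst))
        allowed.add((f.src, f.dst, f.proto, f.dport))
    return devices, allowed


def classify(flow, devices, allowed):
    """Return None for baseline traffic, otherwise a short reason string."""
    if flow.src not in devices or flow.dst not in devices:
        return "unknown-device"
    if (flow.src, flow.dst, flow.proto, flow.dport) not in allowed:
        return "new-communication"
    return None


def detect(observed, baseline_flows):
    """Compare observed flows against the baseline; return the anomalous events."""
    devices, allowed = build_baseline(baseline_flows)
    events = []
    for f in observed:
        reason = classify(f, devices, allowed)
        if reason:
            events.append({"reason": reason, **f._asdict()})
    return events


class RetainedEventLog:
    """Append-only store in which every record carries the SHA-256 of the record
    before it, so deleting or editing retained detection data is detectable."""

    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    def append(self, event):
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.records.append({"prev": prev, "body": body, "hash": digest})
        return digest

    def verify(self):
        """True only if every link and every digest in the chain still matches."""
        prev = self.GENESIS
        for r in self.records:
            if r["prev"] != prev:
                return False
            if hashlib.sha256((prev + r["body"]).encode()).hexdigest() != r["hash"]:
                return False
            prev = r["hash"]
        return True


def run_demo():
    """Detect, retain, and verify; returns (events, log) for inspection."""
    events = detect(OBSERVED_FLOWS, BASELINE_FLOWS)
    log = RetainedEventLog()
    for e in events:
        log.append(e)
    return events, log


if __name__ == "__main__":
    evts, retained = run_demo()
    for e in evts:
        print(e)
    print("retained log intact:", retained.verify())
```

In practice the baseline would be fed by real network data feeds and the asset inventory, and the retained log would live on storage with its own access controls; the hash chain only makes deletion or modification detectable, which is the kind of protection evidence R3 asks an entity to be able to show.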


Insane Cyber is Here to Help 


The movement towards enforcing network security monitoring for BES Cyber Systems comes as no surprise given the history of cyber-attacks against the electric sector across the world.


The Valkyrie Platform offers a better way, with automated monitoring that keeps you protected from threats by visualizing all connected data points and directional data flows, near-instant data analysis and reporting, and continuous monitoring of host and network data.


If you are an asset owner struggling to identify monitoring solutions that will meet NERC CIP-015-1, or to work out how to prepare for INSM implementation, reach out to us for help.




See how Insane Cyber transforms security

Our products are designed to work with you and keep your network protected.

Insane Cyber © All Rights Reserved 2024