Ampyx Cyber


FERC Proposes New Standards for INSM: Internal Network Security Monitoring (CIP-015-1)

By Patrick Miller

The Federal Energy Regulatory Commission (FERC) has issued a new Notice of Proposed Rulemaking (NOPR) under Docket No. RM24-7-000. This proposed rule seeks to approve NERC’s proposed Critical Infrastructure Protection (CIP) Reliability Standard CIP-015-1. The new standard focuses on Internal Network Security Monitoring (INSM) to detect and address cyber threats within the electronic security perimeter of the Bulk Electric System (BES).

What’s New with CIP-015-1?

The CIP-015-1 standard introduces three requirements for responsible entities, covering collection and detection, retention, and protection of INSM data:

1. Requirement R1: Entities must implement one or more documented processes for internal network security monitoring of networks protected by the ESP, scoped to high impact BES Cyber Systems and medium impact BES Cyber Systems with External Routable Connectivity. The processes must establish network data feeds, detect anomalous network activity, and evaluate the activity that is detected.

2. Requirement R2: Entities must retain the network communications data and other metadata collected under R1 with enough detail and for enough time to support the evaluation of anomalous activity and subsequent incident analysis.

3. Requirement R3: Entities must protect the data collected under R1 and retained under R2 to minimize the risk of unauthorized deletion or modification, so that the monitoring record keeps its integrity and can be relied on during an investigation.

These requirements are designed to give entities visibility into traffic that could signal a compromise of critical infrastructure. FERC has highlighted that east-west (internal) network traffic, which traditional perimeter defenses do not see, is the focus of this rule. Monitoring it does not by itself stop an attacker from moving inside a network, but it lets defenders spot that movement earlier and shortens detection and response times.

Key Directives for NERC

While the proposed standard improves internal network security, FERC is directing NERC to develop further modifications (meaning, get started on CIP-015-2). The Commission is concerned about gaps in coverage. Specifically, FERC wants Electronic Access Control and Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) located outside the Electronic Security Perimeter (ESP) to be subject to the same monitoring, because those systems control and monitor access to BES Cyber Systems and are therefore attractive targets. FERC is giving NERC 12 months to submit modifications extending the INSM requirements to these systems. Some have objected that these systems sit outside the ESP by definition, which runs counter to the "internal" in the INSM moniker.

Why Is This Important?

Recent cyber incidents have shown that perimeter defenses are not enough. Attackers are increasingly able to get past perimeter security and then move laterally within a network. FERC's proposed standard and its directive to expand internal network monitoring address this evolving threat landscape. By monitoring east-west traffic (the communication between systems inside the ESP), utilities should be better equipped to detect attacks early and limit the damage.

Impacts on Utility Operators

Utility operators should begin preparing for these new standards by:

- Evaluating current internal network security practices against the proposed CIP-015-1 requirements and the probable expansion to EACMS and PACS.

- Assessing and documenting internal network traffic to establish baselines for normal activity. If the current network is not architected in a way that allows for this (for example, no span ports, taps, or flow export from the switches that carry ESP traffic), start by designing the changes needed to get the network to a place where INSM is possible.

- Enhancing monitoring capabilities for both BES Cyber Systems and the related EACMS and PACS outside the ESP to meet the proposed expanded coverage.

The implementation of these standards will require utilities to improve their ability to detect and respond to threats that move laterally within their networks, reducing the risk of internal breaches.
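To make the three requirements and the baselining step above concrete, here is a small Python sketch added for this page. It is not code from the original post, from Ampyx Cyber, or from any NERC or FERC material, and it is not an INSM product; it shows the shape of the problem only. It learns a baseline of east-west flows from a learning window, flags live flows that deviate from it and says why (R1), writes the findings out as retained records (R2), and chains an HMAC across those records plus a final count tag so that editing, reordering, or deleting any record is detectable (R3). The hosts, ports, and key are constructed for the example; the subnet 10.10.0.0/16 is hypothetical.

```python
"""Toy INSM pipeline: baseline -> detect (R1) -> retain (R2) -> integrity-protect (R3).
Added example, not part of the original post. All data below is constructed."""
import hashlib
import hmac
import json

# Constructed flows inside a hypothetical ESP (10.10.0.0/16):
# (source, destination, destination port, protocol). Not real utility data.
LEARNING_WINDOW = [
    ("10.10.1.10", "10.10.2.20", 502, "tcp"),    # HMI -> PLC, Modbus/TCP
    ("10.10.1.10", "10.10.2.21", 502, "tcp"),
    ("10.10.1.11", "10.10.2.20", 20000, "tcp"),  # SCADA server -> RTU, DNP3
    ("10.10.1.10", "10.10.3.5", 53, "udp"),      # DNS inside the ESP
]
LIVE_TRAFFIC = [
    ("10.10.1.10", "10.10.2.20", 502, "tcp"),    # known flow
    ("10.10.1.11", "10.10.2.20", 20000, "tcp"),  # known flow
    ("10.10.1.10", "10.10.2.20", 22, "tcp"),     # known pair, never-seen service
    ("10.10.2.20", "10.10.1.11", 445, "tcp"),    # PLC initiating SMB to the SCADA host
    ("10.10.1.12", "10.10.2.22", 3389, "tcp"),   # RDP between hosts never seen talking
]
# Hypothetical key for the example only; in practice it lives outside the monitored
# systems (HSM, separate log-integrity host) so a compromised host cannot re-sign the log.
KEY = b"demo-key-not-for-production"


def build_baseline(flows):
    """R1: record which exact flow tuples and which (src, dst) pairs were seen as normal."""
    return {"tuples": set(flows), "pairs": {(s, d) for s, d, _, _ in flows}}


def detect_anomalies(baseline, flows):
    """R1: evaluate live flows against the baseline and label each deviation.
    A reversed direction (a PLC or server initiating to its usual client) is called out
    separately because it is a common sign of lateral movement from a compromised device."""
    findings = []
    for src, dst, port, proto in flows:
        if (src, dst, port, proto) in baseline["tuples"]:
            continue
        if (src, dst) in baseline["pairs"]:
            reason = "new_service_on_known_pair"
        elif (dst, src) in baseline["pairs"]:
            reason = "reversed_direction"
        else:
            reason = "new_peer_pair"
        findings.append({"src": src, "dst": dst, "port": port, "proto": proto, "reason": reason})
    return findings


def _tag(key, prev, data):
    return hmac.new(key, prev + data, hashlib.sha256).hexdigest()


def retain(findings, key):
    """R2 + R3: store findings as JSON lines, each carrying an HMAC that chains to the previous
    record's tag. A final tag over the record count covers deletion of the last record,
    which a bare chain would not notice. Returns (lines, final_tag)."""
    lines, prev = [], b""
    for seq, finding in enumerate(findings):
        body = json.dumps({"seq": seq, **finding}, sort_keys=True)
        tag = _tag(key, prev, body.encode())
        lines.append(f"{body}|{tag}")
        prev = tag.encode()
    final = _tag(key, prev, f"count={len(findings)}".encode())
    return lines, final


def verify(lines, final, key):
    """R3 check: (True, None) if the retained log is intact, else (False, index) where
    index is the first record that fails, or len(lines) if only the final count tag fails."""
    prev = b""
    for i, line in enumerate(lines):
        body, _, tag = line.rpartition("|")
        if not hmac.compare_digest(_tag(key, prev, body.encode()), tag):
            return False, i
        prev = tag.encode()
    if not hmac.compare_digest(_tag(key, prev, f"count={len(lines)}".encode()), final):
        return False, len(lines)
    return True, None


if __name__ == "__main__":
    found = detect_anomalies(build_baseline(LEARNING_WINDOW), LIVE_TRAFFIC)
    for f in found:
        print(f"{f['reason']:28} {f['src']} -> {f['dst']}:{f['port']}/{f['proto']}")
    log, final_tag = retain(found, KEY)
    print("intact:", verify(log, final_tag, KEY))
    print("after deleting last record:", verify(log[:-1], final_tag, KEY))
```

A real deployment would feed the baseline from span ports, taps, or flow export rather than a list, learn it over weeks rather than a handful of tuples, and store the chain and key on a system the monitored hosts cannot write to; the point here is that each of R1, R2, and R3 corresponds to a distinct, testable piece of code.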

What’s Next?

Comments on this NOPR are due 60 days from its publication in the Federal Register, and utilities should begin preparing to meet the expanded monitoring requirements now rather than waiting for the final rule. Once the final rule is issued, the standard's implementation timeline will give entities a window to align their monitoring processes with it, but the network changes needed to see east-west traffic often take longer than the compliance clock allows.

Ampyx Cyber is closely following these regulatory changes and stands ready to assist clients with implementing robust INSM strategies that meet FERC’s evolving standards. Contact us to discuss how we can help you ensure compliance and strengthen your network security.
