CIP-015: The Crucial Role of INSM in Strengthening Grid Security
By Jason Smith, Larisa Breton, & Patrick Miller
This article introduces CIP-015, a proposed NERC CIP standard that would mandate Internal Network Security Monitoring (INSM) for high and medium impact Bulk Electric System (BES) Cyber Systems. The effort, initiated by FERC Order No. 887, responds to the need to monitor traffic inside trusted network zones so that cyber threats can be detected and mitigated. After industry feedback, CIP-015 emerged as a standalone standard that takes an objective-based rather than prescriptive approach. The modified standard focuses on monitoring, data protection, and retention, and its significance for utilities lies in strengthening their cybersecurity defenses.
What Happened?
On January 19, 2023, FERC Order No. 887 directed the North American Electric Reliability Corporation (NERC) to develop requirements within the Critical Infrastructure Protection (CIP) reliability standards to address Internal Network Security Monitoring (INSM) for high impact Bulk Electric System (BES) Cyber Systems (BCS) and for medium impact BCS with External Routable Connectivity (ERC).
Originally, the NERC Standards Drafting Team (SDT) integrated INSM requirements into the existing CIP-007 standard, which addresses Systems Security Management. The initial draft included provisions for Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) outside of the entity’s Electronic Security Perimeters (ESP). After receiving industry comments and feedback, the SDT determined that INSM requirements did not fit within an existing standard. The SDT therefore developed a new CIP standard, CIP-015, as a standalone regulatory requirement addressing internal network security. INSM under CIP-015 will permit entities to monitor traffic within a trusted zone (e.g. the ESP) and inspect it for malicious activity and potential intrusions.
On March 19, 2024, the NERC Ballot Body voted down the most recent draft with only 48.52% approval, sending it back to the drafting team. The SDT is currently reviewing comments and revising the standard for the next ballot. Until then, here is what we know about the last draft and the trajectory of this standard.
The new proposed standard excludes EACMS and PACS that reside outside of the entity’s ESP and focuses solely on high and medium impact BCS Cyber Assets within the ESP. The scope of the proposed standard therefore includes any Protected Cyber Asset (PCA) within an ESP. Key elements of CIP-015 include:
A switch from the CIP table format to the traditional Requirements and Measures format.
Inclusion of CIP Exceptional Circumstances.
INSM data retention will be determined by the Responsible Entity.
Most importantly, the standard will be “objective” based rather than “prescriptive”: it will focus on an end result, allowing the entity flexibility to determine the best path to achieve that result.
Now, let’s dive into the requirements.
Requirement 1
Impact for Utilities:
Entities will need to develop a collection strategy that is both manageable and provides the ability to detect and evaluate anomalous activity. Keep in mind, “anomalous” is unexpected, undesired, unusual, or undetermined network traffic activity. It does not mean it is necessarily malicious.
The strategy will take time and require fine-tuning. The MITRE ATT&CK framework describes three data source components used in collection that are valid for INSM (see the INSM technical rationale for details):
Network Connection Creation
Network Traffic Content
Network Traffic Flow
Each of us will need to develop our approach, identify data sources and points of network convergence, and start creating a network baseline against which unauthorized activity can be measured. Importantly, these will all vary from environment to environment; for example, a baseline within a substation may be very different from one in a Control Center. Entities should document what they include and why. One location may focus on layer 2 collection while another uses Cisco NetFlow capture. Overall, layer 2 and layer 3 data collection, coupled with existing data collection tools such as SIEM and EDR, will collectively provide a framework to achieve the security objectives of CIP-015. Additionally, a variety of collection levels will likely be implemented, such as:
Full PCAP (SPAN/TAP)
SDN logs
Network Flow (NetFlow, NetStream, etc.)
Remote collection such as RSPAN
Once data sources have been identified, traffic duplication will have an impact: it is very possible that a single Ethernet packet will be captured multiple times. Data collection points should be selected with this in mind to reduce resource overhead and increase INSM efficiency. Given the complexities unique to each environment, it will be imperative for Responsible Entities to document their data collection design and justify their data type and collection location decisions.
Evaluation of INSM data will require the development of criteria for evaluating anomalous activity, response actions, and escalation. Where applicable, existing CIP-008 Cyber Security Incident Response plans can be utilized. One may ask, “what is an appropriate response time (e.g. immediate, next day, next workday, etc.)?” The SDT has not prescribed mandatory response times. It will be incumbent on Responsible Entities to make that determination, substantiate the response time, and make a best effort. Suffice it to say, long response times will invite scrutiny.
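To make the baselining and duplication points concrete, here is an added Python example (not code from the article, the SDT, or any NERC guidance). It assumes flow records arrive as constructed CSV lines in the form `sensor,ts,src,dst,proto,dport,bytes` from two overlapping collection points (a core SPAN and a substation TAP, both hypothetical), collapses records the two sensors captured twice, learns a baseline of conversations from a trusted learning window, and then reports observation-window flows that fall outside that baseline with a short reason an analyst can triage. As the article notes, "anomalous" here means "not in the baseline", not "malicious".

```python
"""
Flow baselining for INSM (added example; not from the article or the SDT).

Assumptions (constructed for illustration): flow records are CSV lines
"sensor,ts,src,dst,proto,dport,bytes" from two collection points whose
coverage overlaps, so some packets appear twice.  A baseline is learned from
a trusted learning window, then later records are checked against it.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "sensor ts src dst proto dport nbytes")

# Constructed sample records.  Pairs with identical fields but different
# sensors are the same packet seen by both the SPAN and the TAP.
LEARNING_WINDOW = """\
span1,1000,10.1.1.10,10.1.2.5,tcp,502,240
tap2,1000,10.1.1.10,10.1.2.5,tcp,502,240
span1,1005,10.1.1.10,10.1.2.6,tcp,502,240
span1,1010,10.1.1.20,10.1.2.5,tcp,20000,180
tap2,1010,10.1.1.20,10.1.2.5,tcp,20000,180
span1,1020,10.1.1.30,10.1.1.10,udp,123,76
"""

OBSERVATION_WINDOW = """\
span1,2000,10.1.1.10,10.1.2.5,tcp,502,240
tap2,2000,10.1.1.10,10.1.2.5,tcp,502,240
span1,2004,10.1.1.10,10.1.2.6,tcp,502,240
span1,2010,10.1.1.20,10.1.2.5,tcp,20000,180
span1,2030,10.1.1.10,10.1.2.6,tcp,22,1500
span1,2031,10.1.1.99,10.1.2.5,tcp,502,240
"""


def parse_flows(text):
    """Parse CSV lines into Flow tuples; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sensor, ts, src, dst, proto, dport, nbytes = line.split(",")
        flows.append(Flow(sensor, int(ts), src, dst, proto, int(dport), int(nbytes)))
    return flows


def dedupe(flows):
    """Collapse the same flow seen by several sensors.  Identity ignores the
    sensor name, so a packet captured on both the SPAN and the TAP counts once."""
    seen = set()
    unique = []
    for f in flows:
        key = (f.ts, f.src, f.dst, f.proto, f.dport, f.nbytes)
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def build_baseline(flows):
    """Baseline = set of (src, dst, proto, dport) conversations observed
    during the learning window, after de-duplication."""
    return {(f.src, f.dst, f.proto, f.dport) for f in dedupe(flows)}


def find_anomalies(baseline, flows):
    """Return de-duplicated flows whose conversation is not in the baseline,
    each paired with a reason string describing how it differs."""
    known_hosts = {k[0] for k in baseline} | {k[1] for k in baseline}
    known_pairs = {(k[0], k[1]) for k in baseline}
    anomalies = []
    for f in dedupe(flows):
        if (f.src, f.dst, f.proto, f.dport) in baseline:
            continue
        if f.src not in known_hosts:
            reason = "new source host"
        elif (f.src, f.dst) not in known_pairs:
            reason = "new host pair"
        else:
            reason = "new service between known pair"
        anomalies.append((f, reason))
    return anomalies


if __name__ == "__main__":
    base = build_baseline(parse_flows(LEARNING_WINDOW))
    for flow, why in find_anomalies(base, parse_flows(OBSERVATION_WINDOW)):
        print(f"{flow.ts} {flow.src}->{flow.dst} {flow.proto}/{flow.dport}: {why}")
```

On the constructed data the two duplicate captures collapse to one record each, and the observation window yields two findings: SSH between two hosts that previously only spoke Modbus/TCP, and a Modbus/TCP connection from a source host that never appeared in the learning window. Neither is necessarily malicious; both are exactly the kind of "unexpected, undesired, unusual, or undetermined" traffic the evaluation criteria in the text must decide how to handle.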
Requirement 2
Impact for Utilities:
Protection of INSM data may leverage existing security controls used to protect BES Cyber System Information (BCSI) or EACMS. Possible controls to protect the integrity of INSM data could include:
Installing an INSM system with built-in methods that safeguard the integrity of stored data.
Granting only authorized personnel access to the INSM system.
Segmentation of the INSM system into an isolated network separate from operational technology (OT) and corporate networks.
Maintaining the authentication and authorization systems used by the INSM system at a higher assurance level than corporate authentication systems, or separating them from corporate authentication systems.
Implementing two-factor authentication for access to the INSM system.
CIP-015-1 Requirement R2 is NOT intended to limit information sharing. The objective of Requirement R2 is to ensure the data is available and has integrity. Sharing IOCs, threat intelligence, and relevant information about adversary tactics, techniques, and procedures will continue to be part of a mature cybersecurity program.
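One way to satisfy the first control in the list above ("built-in methods that safeguard the integrity of stored data") is a keyed manifest over the stored captures. The following is an added Python example, not code from the article or from any INSM product; it assumes the INSM system keeps a per-directory manifest of SHA-256 file digests authenticated with HMAC-SHA256 under a key that OT and corporate accounts cannot read, and it uses constructed files in a temporary directory (hypothetical names) so it runs offline. Verification reports changed, missing, and unexpected files, and rejects a manifest that was not produced with the key.

```python
"""
Integrity protection for stored INSM data (added example; not from the
article).  Assumption: captures live in one directory and the INSM system
keeps a manifest of SHA-256 digests authenticated with HMAC-SHA256 under a
key held only by the INSM system.  Files and the key are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory, key):
    """Digest every file in the directory and sign the entry table."""
    entries = {name: sha256_file(os.path.join(directory, name))
               for name in sorted(os.listdir(directory))}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_manifest(directory, manifest, key):
    """Return a list of (name, problem); an empty list means intact.
    The HMAC is checked first so a tampered manifest cannot vouch for
    tampered files."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return [("<manifest>", "manifest HMAC mismatch")]
    problems = []
    present = set(os.listdir(directory))
    for name, digest in manifest["entries"].items():
        if name not in present:
            problems.append((name, "missing"))
        elif sha256_file(os.path.join(directory, name)) != digest:
            problems.append((name, "content changed"))
    for name in sorted(present - set(manifest["entries"])):
        problems.append((name, "unexpected file"))
    return problems


def demo():
    """Build a manifest over constructed files, then show that appending a
    byte to a capture and forging a manifest without the key are both caught."""
    key = b"constructed-demo-key-not-for-production"
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "sub7-2024-03-01.pcap"), "wb") as f:
        f.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 64)   # constructed pcap-like bytes
    with open(os.path.join(d, "flows-2024-02.csv"), "w") as f:
        f.write("ts,src,dst,dport\n1000,10.1.1.10,10.1.2.5,502\n")
    manifest = build_manifest(d, key)
    before = verify_manifest(d, manifest, key)
    with open(os.path.join(d, "sub7-2024-03-01.pcap"), "ab") as f:
        f.write(b"\x00")                               # simulated tampering
    after = verify_manifest(d, manifest, key)
    forged = {"entries": {}, "hmac": "00" * 32}        # manifest made without the key
    forged_result = verify_manifest(d, forged, key)
    return before, after, forged_result


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered", "forged"), demo()):
        print(label, result or "ok")
```

The manifest on its own does not stop an administrator with write access from deleting data; it makes the deletion or modification detectable, which is what the "availability and integrity" objective of Requirement R2 asks for, and it pairs naturally with the access restriction and segmentation controls listed above.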
Requirement 3
Impact for Utilities:
Each organization will face the challenge of determining the appropriate amount of data to retain so that anomalous traffic can be evaluated. CIP-015-1 does not require retention for a specified period of time; we will each have to decide what is appropriate to achieve the security objectives. Likely some data types will be discarded quickly, others retained for short time frames, and others for longer periods. Each entity will have to set longer retention time frames for data with higher cyber security value, while data with low cyber security value will be retained for shorter periods, if at all.
As this is a new standard, entities will have to ask the following questions:
How will we demonstrate retention for audit purposes?
Does the retained data itself need to be kept for audit purposes?
Is documenting findings sufficient to demonstrate compliance?
Retaining all data is most likely not an option. Implementing varying retention policies by data type will be the most effective means. For example:
Full PCAP: retaining all data has a high retention cost, and its value diminishes quickly with time.
Investigation PCAP: retaining data specific to investigations has a low retention cost and is evidence of data retention for audit purposes.
Alert/Notification PCAP: retaining data from alerts and notifications has a low retention cost and is evidence of data retention for audit purposes.
Network Metadata: INSM-related metadata is a record of past network communication and traffic, or a summarization of that traffic. Examples include:
Network connection data
Network flow data
Network connection and session data
The key is proving your organization retained the data long enough to complete the analysis. However, each entity will have to demonstrate its compliance processes without keeping all data.
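The tiered scheme above can be expressed as a small policy engine whose output doubles as the audit record. The following is an added Python example, not code from the article or from any NERC guidance, and the retention windows in it are constructed placeholders rather than recommended values (CIP-015-1 leaves the periods to the Responsible Entity). It assumes each stored artifact is tagged with a data type, an optional alert identifier, and, for investigation captures, whether the investigation is still open; raw full PCAP that an alert references is promoted to the alert tier so the evidence behind a notification outlives the short raw-capture window, and investigation PCAP is never purged while the investigation is open.

```python
"""
Tiered INSM data retention (added example; not from the article or any NERC
guidance).  All windows and artifact names are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention window per data type, in days (constructed placeholders).
# None means "held until released", see decide().
RETENTION_DAYS = {
    "full_pcap": 7,              # high cost, value decays fast
    "alert_pcap": 365,           # small, tied to a notification
    "investigation_pcap": None,  # held while the investigation is open
    "flow_metadata": 90,         # compact summary of past communication
}
# Days an investigation capture is kept after the case closes (constructed).
POST_CLOSE_DAYS = 180


@dataclass
class Artifact:
    name: str
    kind: str
    created: date
    alert_id: Optional[str] = None
    investigation_closed: Optional[date] = None   # None = still open


def effective_kind(a):
    """Promote raw full PCAP to the alert tier when an alert references it."""
    if a.kind == "full_pcap" and a.alert_id:
        return "alert_pcap"
    return a.kind


def decide(a, today):
    """Return ('keep' | 'purge', reason) for one artifact on a given day."""
    kind = effective_kind(a)
    age = (today - a.created).days
    if kind == "investigation_pcap":
        if a.investigation_closed is None:
            return "keep", "investigation open"
        since_close = (today - a.investigation_closed).days
        if since_close <= POST_CLOSE_DAYS:
            return "keep", f"closed {since_close}d ago, within post-close window"
        return "purge", "post-close window elapsed"
    limit = RETENTION_DAYS[kind]
    if age <= limit:
        return "keep", f"{kind}: age {age}d <= {limit}d"
    return "purge", f"{kind}: age {age}d > {limit}d"


def run_retention(artifacts, today):
    """Apply the policy and return an audit log of (name, action, reason)
    rows.  The log is the evidence that data was kept as long as the
    policy required, without keeping everything."""
    return [(a.name, *decide(a, today)) for a in artifacts]


# Constructed inventory and evaluation date.
TODAY = date(2024, 6, 1)
SAMPLE_ARTIFACTS = [
    Artifact("core-2024-05-01.pcap", "full_pcap", date(2024, 5, 1)),
    Artifact("core-2024-05-30.pcap", "full_pcap", date(2024, 5, 30)),
    Artifact("sub7-2024-03-01.pcap", "full_pcap", date(2024, 3, 1), alert_id="ALRT-0001"),
    Artifact("inv-42.pcap", "investigation_pcap", date(2024, 1, 15)),
    Artifact("inv-17.pcap", "investigation_pcap", date(2023, 6, 1),
             investigation_closed=date(2023, 9, 1)),
    Artifact("flows-2024-02.parquet", "flow_metadata", date(2024, 2, 1)),
]

if __name__ == "__main__":
    for name, action, reason in run_retention(SAMPLE_ARTIFACTS, TODAY):
        print(f"{action:5} {name:28} {reason}")
```

Run on the constructed inventory, the month-old raw capture is purged while the same kind of capture referenced by an alert is kept under the longer alert tier, the open investigation's capture is held regardless of age, and the closed investigation's capture is released once the post-close window has elapsed. Each row of the returned log states the rule that produced the decision, which is the form of evidence the three audit questions above are asking about.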
Conclusion
The recently proposed/balloted draft did not receive the required two-thirds weighted segment majority as required to pass. Five key themes emerged from the industry comments:
Support for Excluding Certain Devices: Many respondents support the decision to exclude EACMS, PACS, and PCA devices outside of the ESP from the project's scope, appreciating the clarification and simplification this brings.
Creation of a New Standard: There's general support for establishing a new, objective-based standard (CIP-015-1) rather than revising existing standards. This approach is seen as clearer and more flexible for future expansions.
Requirement Clarity and Implementation: While there's agreement on the necessity of INSM within the ESP as outlined in Requirement R1, some call for clearer definitions, more detailed implementation guidance, and examples to avoid subjective interpretations.
Concerns Over Monitoring Standards Overlap: Some comments suggest the new standard might overlap with existing monitoring standards, advocating for consolidation or clearer differentiation to avoid redundancy and confusion.
Feedback on Implementation Plan: The proposed compliance timeline for implementing the standard (36 months for Control Centers and 60 months for others) receives mixed feedback, with some suggesting adjustments to ensure feasibility and cost-effectiveness.
These themes highlight a consensus on the direction of the INSM project, with specific suggestions for refinement to ensure clarity, effectiveness, and practical implementation. With this in mind, any new standard presents new challenges for us all. As this standard gets shaped on its path to approval, expect fewer big shifts and more detail and language refinements. The SDT must satisfy the directives in FERC Order 887, and it is getting closer. In other words, the general threads will remain the same in the next draft, with specific modifications to satisfy the comments from the Ballot Body.
However the new draft turns out, INSM will require us to consider the specific facts and circumstances of each aspect of the deployment. The variety of network configurations, tool sets, budgets, experienced staff, and even supply chain challenges will shape the path forward uniquely for each organization. In some form, a layered security approach will be a factor in the success of INSM programs, as each tool and approach has strengths and weaknesses. Unanticipated obstacles and challenges will require both learning and time during the planning and implementation phases.
The point is, do not wait to get started. Share ideas with your peers and take advantage of your NERC Region’s outreach programs to add to your INSM tool bag.