{"id":3980,"date":"2023-02-28T14:49:02","date_gmt":"2023-02-28T14:49:02","guid":{"rendered":"https:\/\/itegriti.com\/kw022024\/?p=3980"},"modified":"2023-02-28T15:07:14","modified_gmt":"2023-02-28T15:07:14","slug":"ferc-rules-to-integrate-insm-into-cip-230222","status":"publish","type":"post","link":"https:\/\/itegriti.com\/kw022024\/2023\/compliance\/ferc-rules-to-integrate-insm-into-cip-230222\/","title":{"rendered":"FERC Rules to Integrate INSM into CIP 230222"},"content":{"rendered":"

Contrary to what many might believe, energy sustainability and security are not competing imperatives but complementary. The future of energy is decentralized, digitalized, and collaborative \u2013 and runs on smart grids that are reactive and flexible. Intelligent and digitized energy assets offer many benefits, but they are vulnerable to new forms of attack. In response, FERC is seeking to address mounting concerns that the current standards do not address potential vulnerabilities of internal networks to cyber threats.<\/em><\/p>\n

Today energy leaders face the vital challenge of balancing energy transition and security. Contrary to what many might believe, sustainability and security are not competing imperatives but complementary. Sustainability and security must be core characteristics of the future energy system, and FERC realizes that. The world can only achieve energy transition with solutions that address both simultaneously. While sustainability remains top of mind for leaders, the real emphasis is strengthening the security of energy systems.<\/p>\n

Energy security is a top priority<\/h2>\n

The energy security challenges we face today are not those of the past. New approaches are needed to deal with digitally connected energy assets and systems, extended supply chains, and emerging technologies at scale.<\/p>\n

The future of energy is decentralized, digitalized, and collaborative \u2013 and runs on smart grids that are reactive and flexible. Over the coming decades, customers will increasingly adopt intelligent energy devices, from smart lighting and thermostats to smart meters and rooftop solar photovoltaics. These distributed energy resources (DER) offer more choices and control over energy consumption, encourage clean energy practices to combat climate change, and provide resilience.<\/p>\n

Intelligent and digitized energy assets offer many benefits, but they are vulnerable to new forms of attack. The energy sector accounts for 16% of all detected cyber-attacks<\/a>. The energy industry is the third most targeted industry<\/a> by cybercriminals. Emergency response, incident reporting, and system design improvements are needed in response to this elevated threat level.<\/p>\n

Cybersecurity considerations for the US energy sector<\/h2>\n

The Department of Energy (DOE) has drafted a report<\/a> highlighting cybersecurity considerations for the energy sector with the introduction of DER. These trends can be summarized in the following points:<\/p>\n

Cyber-attacks against the grid supply<\/h3>\n

If a cyberattack could affect thousands or more DER or the overarching systems controlling DER, it would create availability and reliability concerns. Potential attack vectors for DER and the US energy grid are ransomware, supply-chain compromise, botnets, and DER worms.<\/p>\n

Exploitation of Operational Technology (OT)<\/h3>\n

Another trend is attackers exploiting and targeting OT systems. The examples of Ukraine and TRITON in the recent past are fine demonstrations of the impact of such attacks. Traditional attack vectors, such as poor data security and access controls, are relevant to new grid technologies. In addition, DER present new threat opportunities and will challenge traditional cybersecurity postures through their administration by many different parties.<\/p>\n

Implied trust and attacker innovation<\/h3>\n

Today, an implied trust relationship is typical for electric power control systems communications. For industrial systems to talk to one another, they must trust each other to provide accurate information and commands. Attackers who have inserted themselves into this trust relationship can poison these systems, causing them to act counter to reliability and resilience requirements.<\/p>\n

There are better models than implied trust relationships for DER systems. The sheer scale of DER deployment, the wide range of communications options, and the level of access required by various stakeholders underline that implied trust is not a resilient option for DER.<\/p>\n

FERC looks at moving energy security closer to zero trust<\/h2>\n

The latter \u2013 implied trust \u2013 is a big concern for FERC. Under the existing NERC CIP reliability standards, network security is focused on defending the security perimeter. Hence, FERC is seeking to address mounting concerns that the current standards do not address potential vulnerabilities of internal networks to cyber threats.<\/p>\n

For this reason, FERC has proposed new security requirements for high- and medium-impact bulk electric system (BES) facilities. The proposal would require these facilities to “maintain visibility over communications between networked devices<\/a>.” More specifically, FERC has directed NERC to develop new or modified Critical Infrastructure Protection (CIP) reliability standards that require internal network security monitoring (INSM) for the CIP-networked environments.<\/p>\n

INSM provides constant visibility of communications between networked devices within a trusted zone and detects malicious activity that has bypassed perimeter controls. Additionally, INSM allows for early detection of abnormal network activity, indicating a potential attack and increasing the chances for quick mitigation and recovery.<\/p>\n

INSM addresses situations where vendors or individuals with authorized access that are considered trustworthy might still introduce a cybersecurity risk. For example, the SolarWinds attack in 2020 demonstrated how an attacker could bypass network perimeter-based security controls to identify and thwart attacks. This supply chain attack leveraged a trusted vendor to compromise the networks of public and private organizations.<\/p>\n

FERC said<\/a> incorporating INSM requirements into the CIP Reliability Standards would help utilities maintain visibility over network communications. Utilities can detect an attacker\u2019s presence and movements and act before the attacker can fully compromise the network. INSM also improves vulnerability assessments and recovery from an attack.<\/p>\n

The new or modified CIP reliability standards will be forward-looking and objective-based and address three security objectives that pertain to INSM.<\/p>\n