87 FR 18 pgs. 4173-4180 - Internal Network Security Monitoring for High and Medium Impact Bulk Electric System Cyber Systems
Type: PRORULE | Volume: 87 | Number: 18 | Pages: 4173-4180
Docket number: [Docket No. RM22-3-000]
FR document: [FR Doc. 2022-01537 Filed 1-26-22; 8:45 am]
Agency: Energy Department
Sub Agency: Federal Energy Regulatory Commission
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
18 CFR Part 40
[Docket No. RM22-3-000]
Internal Network Security Monitoring for High and Medium Impact Bulk Electric System Cyber Systems
AGENCY:
Federal Energy Regulatory Commission, Department of Energy.
ACTION:
Notice of proposed rulemaking.
SUMMARY:
The Federal Energy Regulatory Commission (Commission) proposes to direct the North American Electric Reliability Corporation to develop and submit for Commission approval new or modified Reliability Standards that require internal network security monitoring within a trusted Critical Infrastructure Protection networked environment for high and medium impact Bulk Electric System Cyber Systems.
DATES:
Comments are due March 28, 2022.
ADDRESSES:
Comments, identified by docket number, may be filed in the following ways. Electronic filing through https://www.ferc.gov, is preferred.
• Electronic Filing: Documents must be filed in acceptable native applications and print-to-PDF, but not in scanned or picture format.
• For those unable to file electronically, comments may be filed by U.S. Postal Service mail or by hand (including courier) delivery.
○ Mail via U.S. Postal Service only: Addressed to: Federal Energy Regulatory Commission, Office of the Secretary, 888 First Street NE, Washington, DC 20426.
○ For delivery via any other carrier (including courier): Deliver to: Federal Energy Regulatory Commission, Office of the Secretary, 12225 Wilkins Avenue, Rockville, MD 20852.
FOR FURTHER INFORMATION CONTACT:
Cesar Tapia (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6559, cesar.tapia@ferc.gov
Kevin Ryan (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6840, kevin.ryan@ferc.gov
Milena Yordanova (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6194, milena.yordanova@ferc.gov
SUPPLEMENTARY INFORMATION:
1. Pursuant to section 215(d)(5) of the Federal Power Act (FPA), 1 the Commission proposes to direct the North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), to develop new or modified Reliability Standards that require network security monitoring internal to a Critical Infrastructure Protection (CIP) networked environment (internal network security monitoring or INSM) for high and medium impact Bulk Electric System (BES) Cyber Systems. 2 INSM is a subset of network security monitoring that is applied within a "trust zone," 3 such as an Electronic Security Perimeter (ESP), 4 and is designed to address situations where vendors or individuals with authorized access are considered secure and trustworthy but could still introduce a cybersecurity risk to a high or medium impact BES Cyber System.
Footnotes:
1 16 U.S.C. 824o(d)(5).
2 Reliability Standard CIP-002-5.1a (BES Cyber System Categorization) sets forth criteria that registered entities apply to categorize BES Cyber Systems as high, medium, or low depending on the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. The impact level (i.e., high, medium, or low) of BES Cyber Systems, in turn, determines the applicability of security controls for BES Cyber Systems that are contained in the remaining CIP Reliability Standards (i.e., Reliability Standards CIP-003-8 to CIP-013-1).
3 A trust zone is defined as a "discrete computing environment designated for information processing, storage, and/or transmission that share the rigor or robustness of the applicable security capabilities necessary to protect the traffic transiting in and out of a zone and/or the information within the zone." U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA), Trusted Internet Connections 3.0: Reference Architecture, at 2 (July 2020), https://www.cisa.gov/sites/default/files/publications/CISA_TIC%203.0%20Vol.%202%20Reference%20Architecture.pdf.
4 The NERC Glossary defines an ESP as "the logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol." NERC, Glossary of Terms Used in NERC Reliability Standards (June 28, 2021), https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf.
2. Although the currently effective CIP Reliability Standards offer a broad set of cybersecurity protections, they do not address INSM. This omission constitutes a gap in the CIP Reliability Standards. Including INSM requirements in the CIP Reliability Standards would ensure that responsible entities maintain visibility over communications between networked devices within a trust zone (i.e., within an ESP), not simply monitor communications at the network perimeter access point(s), i.e., at the boundary of an ESP as required by the current CIP requirements. In the event of a compromised ESP, improving visibility within a network would increase the probability of early detection of malicious activities and would allow for quicker mitigation and recovery from an attack. In addition to improved incident response capabilities and situational awareness, INSM also contributes to better vulnerability assessments within an ESP, all of which support an entity's cybersecurity defenses and could reduce the impact of cyberattacks.
3. While the currently effective CIP Reliability Standards do not require INSM, NERC has recognized the proliferation and usefulness of network monitoring technology on the BES. For example, on January 4, 2021, NERC issued a Compliance Monitoring and Enforcement Program (CMEP) Practice Guide addressing Network Monitoring Sensors, Centralized Collectors, and Information Sharing. 5 NERC explained that the CMEP Practice Guide was developed in response to a U.S. Department of Energy (DOE) initiative "to advance technologies and systems that will provide cyber visibility, detection, and response capabilities for [industrial control systems] of electric utilities." 6 As discussed below, in view
Footnotes:
5 NERC, ERO Enterprise CMEP Practice Guide: Network Monitoring Sensors, Centralized Collectors, and Information Sharing (June 4, 2021), https://www.nerc.com/pa/comp/guidance/CMEPPracticeGuidesDL/CMEP%20Practice%20Guide%20-%20Network%20Monitoring%20Sensors.pdf (CMEP Practice Guide).
6 Id. at 1.
4. We seek comments on all aspects of the proposed directive to NERC to modify the CIP Reliability Standards to require INSM for high and medium impact BES Cyber Systems. The proposed directive centers on high and medium impact BES Cyber Systems in order to improve visibility within networks containing BES Cyber Systems whose compromise could have a significant impact on the reliable operation of the BES. However, because low impact BES Cyber Systems have fewer security controls than high and medium impact BES Cyber Systems, we also seek comments on the usefulness and practicality of implementing INSM to detect malicious activity in networks with low impact BES Cyber Systems, including any potential benefits, technical barriers and associated costs.
5. Upon review of the filed comments, the Commission will consider whether to broaden the directives in the final rule to direct NERC to require INSM in the CIP Reliability Standards for low impact BES Cyber Systems or a defined subset of low impact BES Cyber Systems.
I. Background
A. Section 215 and Mandatory Reliability Standards
6. Section 215 of the FPA requires the Commission to certify an ERO to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. 7 Once approved, the Reliability Standards are enforceable in the United States by the ERO, subject to Commission oversight, or by the Commission independently. Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO, 8 and subsequently certified NERC. 9
Footnotes:
7 16 U.S.C. 824o.
8 Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, 71 FR 8662 (Feb. 17, 2006), 114 FERC ¶ 61,104, order on reh'g, Order No. 672-A, 71 FR 19814 (Apr. 18, 2006), 114 FERC ¶ 61,328 (2006).
9 North American Electric Reliability Corp., 116 FERC ¶ 61,062, order on reh'g and compliance, 117 FERC ¶ 61,126 (2006), aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
B. Network Security Monitoring and Internal Network Security Monitoring
1. Network Security Monitoring in Currently Effective CIP Reliability Standards
7. Currently, network security monitoring in the CIP Reliability Standards focuses on network perimeter defense and preventing unauthorized access at the network perimeter. While responsible entities are required to have a security program to implement various controls, 10 Reliability Standard CIP-005-6 (Electronic Security Perimeter(s)), Requirement R1.5 is the only requirement that addresses monitoring of network traffic for malicious communications at the ESP. In particular, this provision requires a responsible entity to have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications. Under Requirement R1.5, the only locations that require network security monitoring are the ESP electronic access points for high and medium impact BES Cyber Systems at control centers. The currently effective CIP Reliability Standards do not require entities to have a defined ESP for low impact BES Cyber Systems and, therefore, there is no requirement for network security monitoring for inbound or outbound communication of such systems.
Footnotes:
10 See, e.g., (1) network perimeter defenses (CIP-005-7, Requirement R1-Electronic Security Perimeter); (2) sensitive information control (CIP-011-2-Information Protection, CIP-004-6, Requirement R4-Access Management Program, and CIP-004-6, Requirement R5-Access Revocation); (3) anti-malware (CIP-007-6, Requirement R3-Malicious Code Prevention); (4) security awareness and training (CIP-004-6, Requirement R1-Security Awareness Program and CIP-004-6, Requirement R2-Cyber Security Training Program); and (5) configuration change management (CIP-010-4, Requirement R1-Configuration Change Management).
8. The CIP Reliability Standards also require entities to install security monitoring tools at the device level. For instance, Reliability Standard CIP-007-6 (System Security Management), Requirement R.4.1.3 addresses security monitoring and requires the entity to detect malicious code for all high and medium impact BES Cyber Systems and their associated Electronic Access Control or Monitoring Systems, Physical Access Control Systems, and Protected Cyber Assets. To comply with Reliability Standard CIP-007-6 (Systems Security Management), Requirement R.4.1.3, a responsible entity is not required to use INSM methods, such as an intrusion detection system. 11
Footnotes:
11 Under Reliability Standard CIP-007-6, Requirement R.4.1.3, an entity may choose, but is not required, to use system generated listing of network log in/log outs, or malicious code, or other types of monitored network traffic at the perimeter of all high and medium impact BES Cyber Systems. See Reliability Standard CIP-007-6 (Cyber Security-Systems Security Management), Requirement R.4.1.3, Measures (stating that examples of evidence of compliance may include, but are not limited to, a paper or system generated listing of monitored activities for which the BES Cyber System is configured to log and capable of detecting).
2. Internal Network Security Monitoring
9. INSM refers to network security monitoring inside of a trust zone. INSM is designed to address situations where perimeter network defenses are breached by providing the earliest possible alerting and detection of intrusions and malicious activity within a trust zone. INSM consists of three stages: (1) Collection; (2) detection; and (3) analysis that, taken together, provide the benefit of early detection and alerting of intrusions and malicious activity. 12 Some of the tools used for INSM include: Anti-malware; Intrusion Detection Systems; Intrusion Prevention Systems; and firewalls. 13 These tools are multipurpose and can be used for collection, detection, and analysis (e.g., forensics). Additionally, some of the tools (e.g., anti-malware, firewall, or Intrusion Prevention Systems) have the capability to block network traffic.
Footnotes:
12 See Chris Sanders & Jason Smith, Applied Network Security Monitoring, at 9-10 (Nov. 2013).
13 See NIST Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, at pp. 10-13 (July 2013) (Explaining that anti-malware tools find and remove malware. Intrusion Detection Systems monitor a network for anomalous activity, which includes malicious activity or policy violations, and report them to security teams for further analysis. A firewall monitors and controls incoming and outgoing network traffic).
10. The benefits of INSM can be understood by first describing the way attackers commonly compromise targets. Attackers typically follow a systematic process of planning and execution to increase the likelihood of a successful compromise. 14 This process includes: Reconnaissance (e.g., information gathering); choice of attack type and method of delivery (e.g., malware delivered through a phishing campaign); taking control of the entity's systems; and carrying out the attack
Footnotes:
14 A widely accepted cybersecurity attack framework for describing the process that an effective adversary typically follows to increase the probability of a successful compromise is referred to as Cyber Kill Chain. The Cyber Kill Chain provides more detail on the specific steps that an attacker could follow. SANS Institute, Applying Security Awareness to the Cyber Kill Chain, (May 2019), https://www.sans.org/blog/applying-security-awareness-to-the-cyber-kill-chain/.
15 Id.
11. INSM could better position an entity to detect malicious activity that has circumvented perimeter controls. Because an attacker that moves among devices internal to a trust zone must use network pathways and required protocols to send malicious communications, INSM will potentially alert an entity of the attack and improve the entity's ability to stop the attack at its early phases.
12. By providing visibility of network traffic that may only traverse internally within a trust zone, INSM can warn entities of an attack in progress. For example, properly placed, configured, and tuned INSM capabilities such as intrusion detection system and intrusion prevention system sensors could detect and/or block malicious activity early and alert an entity of the compromise. INSM can also be used to record network traffic for analysis, providing a baseline that an entity can use to better detect malicious activity. Establishing baseline network traffic allows entities to define what is and is not normal and expected network activity and determine whether observed anomalous activity warrants further investigation. 16 The collected network traffic can also be retained to facilitate timely recovery and/or perform a thorough post-incident analysis of malicious activity.
Footnotes:
16 See CISA, Best Practices for Securing Election Systems, Security Tip (ST19-002), (Aug. 2021), https://www.cisa.gov/tips/st19-002.
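The baseline comparison described in paragraph 12 (learn what normal communication inside the trust zone looks like, then flag what departs from it) can be shown in a few dozen lines. The following is an added illustration, not code from this notice, from NERC, or from any vendor product. It assumes that INSM sensors inside an ESP summarise traffic as flow records of (source, destination, protocol, destination port); every asset name, address and flow record below is constructed for the example. It goes slightly beyond the paragraph by ranking deviations from broadest (an asset never seen in the zone) to narrowest (a known asset using a known service it never used before), which is the order an analyst would normally triage them.

```python
"""Baseline comparison for internal network security monitoring (INSM).

Added illustration, not code from the FERC notice or from NERC. It assumes
that sensors inside an Electronic Security Perimeter summarise traffic as
(source, destination, protocol, destination port) flow records. Every host
name, address and flow below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str    # originating asset (hypothetical names such as "ems")
    dst: str    # responding asset
    proto: str  # transport protocol, "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Baseline:
    """What 'normal' looked like during a clean learning period."""
    hosts: frozenset     # every asset seen talking inside the trust zone
    services: frozenset  # (dst, proto, dport): services that were offered
    pairs: frozenset     # (src, dst, proto, dport): who used which service


# Constructed learning-period traffic for a small ESP: an EMS server polling
# two RTUs over DNP3 (TCP/20000), writing to a historian (TCP/1433), and an
# HMI reaching the EMS over HTTPS.
BASELINE_FLOWS = [
    Flow("ems", "rtu-1", "tcp", 20000),
    Flow("ems", "rtu-2", "tcp", 20000),
    Flow("ems", "historian", "tcp", 1433),
    Flow("hmi-1", "ems", "tcp", 443),
]

# Constructed observation-period traffic: the expected flows plus three that
# never occurred while the baseline was learned.
OBSERVED_FLOWS = [
    Flow("ems", "rtu-1", "tcp", 20000),        # expected
    Flow("hmi-1", "ems", "tcp", 443),          # expected
    Flow("hmi-1", "rtu-2", "tcp", 20000),      # known hosts, known service, new pair
    Flow("historian", "ems", "tcp", 445),      # known hosts, service never offered
    Flow("ems", "192.0.2.77", "tcp", 443),     # asset never seen in the zone
]


def build_baseline(flows: Iterable[Flow]) -> Baseline:
    """Learn hosts, services and communication pairs from clean traffic.

    An empty learning set is rejected: comparing against it would flag
    every flow and teach the analyst nothing.
    """
    flows = list(flows)
    if not flows:
        raise ValueError("learning period produced no flows; refusing an empty baseline")
    hosts, services, pairs = set(), set(), set()
    for f in flows:
        hosts.update((f.src, f.dst))
        services.add((f.dst, f.proto, f.dport))
        pairs.add((f.src, f.dst, f.proto, f.dport))
    return Baseline(frozenset(hosts), frozenset(services), frozenset(pairs))


def classify(baseline: Baseline, flow: Flow) -> Optional[str]:
    """Return None for an expected flow, otherwise the broadest deviation.

    Checks run from the broadest deviation (unknown asset) to the narrowest
    (known asset using a known service it never used before).
    """
    if flow.src not in baseline.hosts or flow.dst not in baseline.hosts:
        return "new-host"
    if (flow.dst, flow.proto, flow.dport) not in baseline.services:
        return "new-service"
    if (flow.src, flow.dst, flow.proto, flow.dport) not in baseline.pairs:
        return "new-pair"
    return None


def compare(baseline: Baseline, flows: Iterable[Flow]) -> List[Tuple[str, Flow]]:
    """List (reason, flow) for every observed flow that departs from the baseline."""
    findings = []
    for f in flows:
        reason = classify(baseline, f)
        if reason is not None:
            findings.append((reason, f))
    return findings


def demo() -> List[Tuple[str, Flow]]:
    """Run the constructed observation period against the constructed baseline."""
    return compare(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS)


if __name__ == "__main__":
    for reason, f in demo():
        print(f"{reason:12} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Two points of design matter in practice. First, the learning period must itself be known clean, otherwise an attacker already present becomes part of "normal"; control-system networks change slowly, which is what makes a flow-level baseline meaningful there. Second, this comparison complements rather than replaces signature-based intrusion detection: an expected pair carrying malicious DNP3 function codes would pass this check and needs protocol-aware inspection of the collected traffic.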
13. In summary, INSM better postures an entity to detect an attacker in the early phases of an attack and reduces the likelihood that an attacker can gain a strong foothold and potential command and control, including operational control, on the target system. In addition to early detection and mitigation, INSM may improve incident response by providing higher quality data about the extent of an attack internal to a trust zone. High quality data from collected network traffic is important for recovering from cyberattacks as this type of data allows for: (1) Determining the timeframe for backup restoration; (2) creating a record of the attack for incident response and reporting; and (3) analyzing the attack itself to prevent it from happening again (e.g., through lessons learned that can improve organizational policies, processes, and playbooks). 17 Finally, INSM allows entities to conduct internal assessments and prioritize any improvements based on their risk profile. 18
Footnotes:
17 Help Net Security, Three Reasons Why Ransomware Recovery Requires Packet Data, (Aug. 2021), https://www.helpnetsecurity.com/2021/08/24/ransomware-recovery-packet-data/.
18 CISA, CISA Analysis: FY2020 Risk and Vulnerability Assessments, (July 2021), https://www.cisa.gov/sites/default/files/publications/FY20-RVA-Analysis_508C.pdf.
II. Discussion
14. As discussed below, we believe that the absence of a requirement to conduct INSM for CIP networked environments containing high and medium impact BES Cyber Systems constitutes a gap in the Reliability Standards. Accordingly, pursuant to section 215(d)(5) of the FPA, we propose to direct NERC to develop new or modified Reliability Standards that address the use of INSM for high and medium impact BES Cyber Systems. We believe that requiring entities to implement INSM will improve visibility and awareness of communications between networked devices and between devices internal to trust zones (i.e., ESPs), and increase the probability of detecting and mitigating malicious activity in the early phases of an attack.
15. We also seek comments on the usefulness and practicality of implementing INSM to detect malicious activity in networks with low impact BES Cyber Systems, including any potential benefits, technical barriers, and associated costs. The Commission may broaden its directive in a final rule to include low impact BES Cyber Systems, or some subset of low impact BES Cyber Systems, if the filed comments support such a directive. While the high and medium impact categories have defined thresholds, the low impact category of BES Cyber Systems is essentially a broad group of all BES Cyber Systems that do not satisfy the high or medium impact thresholds. Identifying a subset of low impact BES Cyber Systems to which INSM provisions would apply could allow entities to focus their resources on the assets with a more significant risk profile within the broad low impact tier of BES Cyber Systems. For example, a subset of low impact BES Cyber Systems to which INSM provisions could apply may be contained within control centers and backup control centers, transmission stations and substations, and/or generation resources. 19
Footnotes:
19 Reliability Standard CIP-002-5.1a (Cyber Security-BES Cyber System Categorization), Attachment 1, Section 3 (explaining that low impact rating is assigned to BES Cyber Systems that, among other requirements, are associated with assets such as control centers and backup control centers, transmission stations and substations, generation resources, etc.).
16. In the following sections, we discuss: (A) Current risks to trusted CIP networked environments; (B) how INSM is a widely recognized control against cyberattacks; (C) how the absence of INSM constitutes a gap in the CIP Reliability Standards; and (D) how the proposed directive would address the gap.
A. Risks to Trusted CIP Networked Environment
17. Currently, the NERC CIP Reliability Standards require monitoring of the ESP and associated systems for high and medium impact BES Cyber Systems. However, even when the ESP is monitored and protected, the CIP networked environment (i.e., trust zone) remains vulnerable to cyber threats like insider threats or supply chain attacks initiated by an adversary by infiltrating a trusted vendor, among other attack vectors. In the context of supply chain risk, a malicious update from a known software vendor could be downloaded directly to a server as trusted code, and it would not set off any alarms until abnormal behavior occurred and was detected. Because the CIP networked environment is a trust zone, the compromised server in the trust zone could be used to install malicious updates directly onto devices that are internal to the CIP networked environment without detection. In the context of an insider threat, an employee with elevated administrative credentials could identify and collect data, add additional accounts, delete logs, or even exfiltrate data without being detected.
18. For example, the recent SolarWinds attack demonstrates how an attacker can bypass all network perimeter-based security controls traditionally used to identify the early phases of an attack. 20 On December 13, 2020, FireEye Inc., a cybersecurity solutions and forensics firm, identified a global intrusion campaign that introduced a compromise delivered through updates to the Orion network monitoring product from SolarWinds, a widely used IT infrastructure management software. 21 This supply
Footnotes:
20 See FERC, NERC, SolarWinds and Related Supply Chain Compromise, at 16 (July 7, 2021), https://cms.ferc.gov/media/solarwinds-and-related-supply-chain-compromise-0.
21 FireEye, Global Intrusion Campaign Leverages Software Supply Chain Compromise, (2020), https://www.fireeye.com/blog/products-and-services/2020/12/global-intrusion-campaign-leverages-software-supply-chain-compromise.html.
22 The White House, Fact Sheet: Imposing Costs for Harmful Foreign Activities by the Russian Government, (April 15, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/.
19. The supply chain is not the only attack vector used to gain malicious access to a system. While not jurisdictional for purposes of our reliability standards, the May 2021 large-scale ransomware attack targeting Colonial Pipeline provides an important example of an attack via one such vector that could halt an entity's operations. 23 In this case, the attacker gained the credentials to and exploited a legacy virtual private network profile that was not intended to be in use. 24 Although this attack was directed at the information technology (IT) systems of the pipeline, Colonial Pipeline decided to shut down operations as a precaution. 25 With tools such as INSM, a shutdown of operations may not be necessary as entities are better postured to timely detect and mitigate similar events in which an adversary successfully penetrates perimeter defenses and moves freely within the internal network.
Footnotes:
23 Colonial Pipeline, Media Statement Update: Colonial Pipeline System Disruption (May 9, 2021), https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption (stating that after learning of the attack, Colonial took certain systems offline to contain the threat. These actions temporarily halted all pipeline operations and affected some of Colonial's IT systems) (May 9, 2021 Colonial Pipeline Media Statement Update); Colonial Pipeline, Media Statement Update: Colonial Pipeline System Disruption, (May 8, 2021), https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption (On May 7, 2021 Colonial Pipeline Company learned it was the victim of a cybersecurity attack and determined that the incident involved ransomware).
24 Hearing Before The United States House Of Representatives Committee On Homeland Security (117th Congress), Testimony of Joseph Blount, President and Chief Executive Officer Colonial Pipeline Company, at 4 (June 9, 2021), https://www.congress.gov/117/meeting/house/112689/witnesses/HHRG-117-HM00-Wstate-BlountJ-20210609.pdf. See also Reuters, One Password Allowed Hackers to Disrupt Colonial Pipeline, CEO Tells Senators (June 8, 2021), https://www.reuters.com/business/colonial-pipeline-ceo-tells-senate-cyber-defenses-were-compromised-ahead-hack-2021-06-08/ (explaining that the legacy virtual private network had single-factor authentication, a password, and did not have a multi-factor authentication requirement in place).
25 May 9, 2021 Colonial Pipeline Media Statement Update.
20. In addition to early detection, INSM is critical for identifying malicious activities at the later stages of cybersecurity attacks. Absent INSM, an entity may not be alerted if an adversary establishes a command and control communication channel that interacts with the compromised system on a regular basis. 26 Once an attacker proceeds to the last phase of an attack, the attacker will have had time to compromise multiple devices, steal user credentials, and map the network extensively. 27 Removing an attacker at this level of penetration can be time consuming (e.g., months to years), costly, and extremely difficult.
Footnotes:
26 A command and control communication channel is used to issue instructions to the compromised devices, download additional malicious payloads (e.g., malware), which sit harmlessly until triggered, and exfiltrate data. See NSA, Cybersecurity Report: NSA/CSS Technical Cyber Threat Framework (Nov. 2018), https://www.nsa.gov/portals/75/documents/what-we-do/cybersecurity/professional-resources/ctr-nsa-css-technical-cyber-threat-framework.pdf.
27 Network mapping is used to compile an electronic inventory of the systems and the services on the network. See SANS Institute, Glossary of Terms, https://www.sans.org/security-resources/glossary-of-terms.
21. The serious operational consequences of such undetected penetration into a networked environment for the BES could include: (1) Loss of situational awareness monitoring; (2) loss of coordination capabilities during reliability events and system restoration activities; (3) unexpectedly large power flows; (4) loss of voice or data communication; (5) loss of protection systems; (6) loss of electric generation, transmission, or fuel supply, water supply/coolant; (7) power market disruption; and (8) loss of Critical Energy/Electric Infrastructure Information. 28 For example, if an attacker compromises high and/or medium impact BES Cyber Systems internal to a CIP networked environment (i.e., trust zone) without INSM, the attacker could communicate with and move freely between devices within a trust zone with little likelihood of detection. The attacker could then access the Supervisory Control and Data Acquisition (SCADA) 29 system and control equipment like circuit breakers 30 dropping generating resources or load, and potentially causing BES instability or uncontrolled separation. 31
Footnotes:
28 SERC Reliability Corporation, 2020 SERC Reliability Risk Report, (Sept. 21, 2020), https://www.serc1.org/docs/default-source/committee/ec-reliability-risk-working-group/2020-reliability-risk-report.pdf?sfvrsn=e80ea39_2.
29 SCADA is a system that aims to monitor and control field devices at remote sites. SCADA systems are critical as they help maintain efficiency by collecting and processing real-time data. See DPS Telecom, How Do SCADA Systems Work?, https://www.dpstele.com/scada/how-systems-work.php.
30 A circuit breaker is an electrical switch designed to protect an electrical circuit from damage caused by overcurrent/overload or short circuit. Its basic function is to interrupt current flow after protective relays detect a fault. See Eaton, Circuit Breaker Fundamentals, https://www.eaton.com/us/en-us/products/electrical-circuit-protection/circuit-breakers/circuit-breakers-fundamentals.html.
31 Electricity Information Sharing and Analysis Center (E-ISAC), Modular ICS Malware (Aug. 2017), https://www.eisac.com/cartella/Asset/00006542/TLP_WHITE_E-ISAC_SANS_Ukraine_DUC_6_Modular_ICS_Malware%20Final.pdf?parent=64412.
B. INSM Is a Widely Recognized Control Against Cyberattacks
22. Elements of INSM have been recognized and recommended by government officials and industry experts as necessary for the early detection and mitigation of cyberattacks. For example, on May 12, 2021, the President issued Executive Order No. 14028 on Improving the Nation's Cybersecurity, 32 which directly addresses cyber protection through increased visibility and data collection. 33 The Executive Order directs the Federal government and encourages the private sector to implement several aspects of INSM and emphasizes that the Federal government must improve its efforts to identify, deter, protect against, detect, and respond to the actions of sophisticated malicious actor cyber campaigns that threaten the security and privacy of the public sector, private sector, and the American people. 34 Further, the Executive Order instructs Federal agencies, among other things, to modernize their approach to cybersecurity by increasing visibility into threats and advancing toward zero
Footnotes:
32 Executive Order No. 14028, 86 FR 26633 (May 12, 2021), https://www.govinfo.gov/content/pkg/FR-2021-05-17/pdf/2021-10460.pdf.
33 The scope of protection includes systems that process data (i.e., information technology) and those that run the vital machinery that ensures safety (i.e., operational technology).
34 Executive Order No. 14028, 86 FR 26633, 26635, 26643 (May 12, 2021) (mandating that the "Federal Government shall employ all appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks" and "increas[e] the Federal Government's visibility into threats." The Executive Order further emphasizes that "cybersecurity requires more than government action" and "[t]he private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.").
35 Id. at 26635. Executive Order No. 14028 refers to zero trust architecture. Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero trust architecture uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). See generally National Institute of Standards and Technology (NIST), NIST Special Publication 800-207 Zero Trust Architecture, (Aug. 2020), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf (providing a general definition of zero trust and general information and cases where zero trust may improve an entity's overall cybersecurity posture).
36 Executive Order No. 14028, 86 FR 26633, 26643 (May 12, 2021).
37 Id. at 26644.
23. In addition, on July 28, 2021, the President signed the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (National Security Memorandum) to comprehensively address cybersecurity for critical infrastructure. 38 The President emphasizes that "[r]ecent high-profile attacks on critical infrastructure around the world, including the ransomware attacks on the Colonial Pipeline and JBS Foods in the United States, demonstrate that significant cyber vulnerabilities exist across U.S. critical infrastructure, which is largely owned and operated by the private sector." 39 The National Security Memorandum established an Industrial Control Systems Cybersecurity Initiative (Cybersecurity Initiative) to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections, and warnings. 40 The Cybersecurity Initiative started with a pilot in the electricity sector and has wide participation, including participation by vendors that have implemented INSM in their products. 41
Footnotes:
38 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, Section 2 (Industrial Control Systems Cybersecurity Initiative), (July 28, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/ (National Security Memorandum). See also The White House, Fact Sheet: Biden Administration Announces Further Actions to Protect U.S. Critical Infrastructure, (July 28, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/fact-sheet-biden-administration-announces-further-actions-to-protect-u-s-critical-infrastructure/ (The White House July 28, 2021 Fact Sheet).
39 The White House July 28, 2021 Fact Sheet. JBS is a meat processing company, which shut down all of its beef processing plants in the USA as a result of a ransomware attack. See U.S. Department of Agriculture, Statement from the U.S. Department of Agriculture on JBS USA Ransomware Attack, (June 2021), https://www.usda.gov/media/press-releases/2021/06/01/statement-us-department-agriculture-jbs-usa-ransomware-attack.
40 National Security Memorandum, Section 2 (Industrial Control Systems Cybersecurity Initiative).
41 White House July 28, 2021 Fact Sheet.
24. Furthermore, CISA and NIST have recommended detailed cybersecurity practices, which include elements of INSM, such as recommending that organizations conduct network baseline analysis on control systems and networks to understand approved communication flows and to monitor control systems for malicious activity on control systems. 42 Similarly, CISA and the Federal Bureau of Investigation published a joint cybersecurity advisory in response to illicit activities by a Chinese group known as APT40. 43 The activities of APT40 resulted in the theft of trade secrets, intellectual property, and other high-value information from companies and organizations in the United States and abroad. 44 The joint cybersecurity advisory recommended deployment of INSM measures such as active scanning and monitoring of internet-accessible applications for unauthorized access, modification, and anomalous activities; logging domain name service queries; developing and monitoring network and system baselines to allow for the identification of anomalous activity; and using baseline comparison to monitor Windows event logs and network traffic to detect when a user maps a privileged administrative share on a Windows system. 45
Footnotes:
42 CISA, Critical Infrastructure Control Systems Cybersecurity Performance Goals and Objectives (Sept. 21, 2021), https://www.cisa.gov/control-systems-goals-and-objectives.
43 Joint Cybersecurity Advisory, Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China's MSS Hainan State Security Department, (July 19, 2021), https://www.cisa.gov/uscert/sites/default/files/publications/CSA_TTPs-of-Indicted-APT40-Actors-Associated-with-China-MSS-Hainan-State-Security-Department.pdf.
44 Id. at 1.
45 Id. at 4-5.
25. Industry and government cybersecurity experts also supported the use of INSM at the Commission's 2021 Annual Reliability Technical Conference. 46 Panelists discussed the importance of improved visibility to detect cyberattacks by implementing network capabilities like INSM. 47 One panelist observed that recent attacks like SolarWinds and Colonial Pipeline "demonstrated how a coordinated attack could compromise our systems," and that they "really underscore[] the need for heightened visibility . . . more comprehensive logging of events, potentially other controls that you know go across all asset environments, but it should be done in a risk based way." 48 Another panelist discussed additional benefits of INSM, stating that monitoring and having the appropriate logs are essential to perform a root cause analysis and understand the sequence of events that occurred, and collection of data (i.e., logs), enabled by INSM, is also essential to gaining a deeper understanding of a cyberattack. 49
Footnotes:
46 Federal Energy Regulatory Commission, 2021 Annual Reliability Technical Conference, Transcript, Panel 3: Managing Cyber Risks in the Electric Power Sector, Docket No. AD21-11-000 (Sept. 30, 2021), https://www.ferc.gov/news-events/events/annual-commissioner-led-reliability-technical-conference-09302021.
47 Id. at 165 (Ben Miller, Vice President, Services and R&D, Dragos Inc.); 178:14-23 (Mark Fabro, President and Chief Security Scientist, Lofty Perch).
48 Id. at 200 (Manny Cancel, Senior Vice President and Chief Executive Officer, NERC E-ISAC).
49 Id. at 202:8-19 (Miller).
C. The Absence of INSM Constitutes a Gap in the Reliability Standards
26. While NERC's approved CIP Reliability Standards provide a broad set of cybersecurity protections, they do not require INSM. Currently, the only locations that require network security monitoring are the electronic access points at high and medium impact BES Cyber Systems at control centers. In these zones, trusted vendors or authorized individuals are the only users with access, but they are not subject to monitoring under the CIP Reliability Standards. Implementing INSM will help to detect and mitigate situations where malicious actors exploit this gap.
27. Given the increased sophistication of cyberattacks, relying on network perimeter defense and other existing controls leaves trust zones vulnerable. As the President's Deputy National Security Advisor for Cyber and Emerging Technology explained "[i]f you can't see a network, you can't defend a network." 50 Panelists at the Commission's 2021 Annual Reliability Technical Conference confirmed this gap in the CIP Reliability Standards, explaining that there is
Footnotes:
50 The White House, Press Briefing by Press Secretary Jen Psaki and Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, (Feb. 17, 2021), https://www.whitehouse.gov/briefing-room/press-briefings/2021/02/17/press-briefing-by-press-secretary-jen-psaki-and-deputy-national-security-advisor-for-cyber-and-emerging-technology-anne-neuberger-february-17-2021/.
51 2021 Annual Reliability Technical Conference, Tr. 201:20-25; 202:1-7 (Miller).
52 Id.
53 Id. at 202:22-23 (Tony Hall, Manager, CIP Program, Louisville Gas and Electric Company and Kentucky Utilities Company).
54 Id. at 170:24-25; 171:1 (Puesh Kumar, Acting Principal Deputy Assistant Secretary, Office of Cybersecurity, Energy Security, and Emergency Response, U.S. Department of Energy).
28. NERC facilitated the voluntary use of INSM in its CMEP Practice Guide, which provides guidance on how to incorporate network sensors in the ESP while being compliant with the CIP Reliability Standards. These network sensors enable entities to use INSM, if they choose, and support implementation of the Essence Cybersecurity Tool. 55 However, the CMEP Practice Guide does not modify the CIP Reliability Standards to require INSM, leaving unaddressed the cybersecurity gap within trust zones.
Footnotes:
55 National Rural Electric Cooperative Association (NRECA), DOE Awards NRECA $6M to Take Essence Cybersecurity Tool to the Next Level (Sept. 29, 2020), https://www.electric.coop/doe-gives-nreca-6m-to-take-essence-cybersecurity-tool-to-the-next-level; NRECA, New Cyber Technology Provides Real-Time Defense (March 15, 2021), https://www.electric.coop/new-essence-cyber-technology-provides-real-time-defense.
D. The Commission's Proposed Directive Addresses the Identified Reliability Gap
29. Pursuant to section 215(d)(5) of the FPA, we propose to direct NERC to develop new or modified CIP Reliability Standards that require security controls for INSM for high and medium impact BES Cyber Systems. Based on the current threat environment discussed above, a requirement for INSM that augments existing perimeter defenses is critical to increasing network visibility so that an entity may understand what is occurring in its CIP networked environment, and thus improve capability to timely detect potential compromises. INSM also allows for the collection of data and analysis required to implement a defense strategy, improves an entity's incident investigation capabilities, and increases the likelihood that an entity can better protect itself from a future cyberattack and address any security gaps the attacker was able to exploit.
30. The proposal to direct NERC to add an INSM requirement to the existing set of CIP Reliability Standards is also consistent with Executive Order No. 14028, which calls for employing a zero trust cybersecurity approach, and the objectives of the President's July 2021 Cybersecurity Initiative targeting deployment of control system cybersecurity technologies in the electricity and other critical sectors. INSM is a fundamental element of the zero trust approach and should improve the cybersecurity posture of responsible entities with high and medium impact BES Cyber Systems.
1. High and Medium Impact BES Cyber Systems
31. To address the reliability gap and improve cybersecurity, we propose to direct that NERC, as the ERO, develop new or modified CIP Reliability Standards requiring that applicable responsible entities implement INSM for their high and medium impact BES Cyber Systems. Such new or modified Reliability Standards should address the following three security objectives that pertain to INSM. First, any new or modified CIP Reliability Standards should address the need for each responsible entity to develop a baseline for their network traffic by analyzing expected network traffic and data flows for security purposes. This objective reduces the likelihood that an attacker could exploit legitimate cyber resources to: (1) Escalate privileges, i.e., exploit software vulnerability to gain administrator account privileges; (2) move undetected inside a CIP networked environment (i.e., trust zone); and (3) execute unauthorized code, e.g., a virus or ransomware. Second, any new or modified CIP Reliability Standards should address the need for responsible entities to monitor for and detect unauthorized activity, connections, devices, and software inside the CIP networked environment (i.e., trust zone). This objective reduces detection time, which shortens the time an attacker has to leverage compromised user accounts and traverse over unmonitored network connections. And third, any new or modified CIP Reliability Standards should address the ability to support operations and response by requiring responsible entities to: (1) Log and packet capture 56 network traffic; (2) maintain sufficient records to support incident investigation (i.e., monitoring, collecting, and analyzing current and historical evidence); and (3) implement measures to minimize the likelihood of an attacker removing evidence of their Tactics, Techniques, and Procedures (TTPs) 57 from compromised devices.
Logging, including packet capture, of network traffic is critical for a responsible entity to assess the severity of the attack, assess the scope of systems compromised, and devise appropriate mitigations.
Footnotes:
56 Packet capture allows information to be intercepted in real-time and stored for long-term or short-term analysis, thus providing a network defender greater insight into a network. Packet captures provide context to security events, such as intrusion detection system alerts. See CISA, National Cybersecurity Protection System Cloud Interface Reference Architecture, Volume 1, General Guidance, at 13, 25, (July 2020), https://www.cisa.gov/sites/default/files/publications/CISA_NCPS_Cloud_Interface_RA_Volume-1.pdf.
57 TTPs describe the behavior of an actor. Tactics are high-level descriptions of behavior, techniques are detailed descriptions of behavior in the context of a tactic, and procedures are even lower-level, highly detailed descriptions in the context of a technique. TTPs could describe an actor's tendency to use a specific malware variant, order of operations, attack tool, delivery mechanism (e.g., phishing or watering hole attack), or exploit. See NIST, NIST Special Publication 800-150: Guide to Cyber Threat Information Sharing, (Oct. 2016), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf.
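The first two objectives in paragraph 31 (baseline expected flows, then detect unauthorized connections and devices in the trust zone) can be illustrated with a small flow-comparison routine. This is an added example, not text or code from the NOPR or from any NERC standard; the host addresses, the flow-record format, and the baseline and observed windows are all constructed sample data.

```python
"""Baseline-and-deviation check for network flows inside a CIP trust zone.

Added illustration for the INSM objectives described in paragraph 31. All
addresses and flow records below are constructed; the record format
('src dst dport proto', '#' comments) is an assumption, not a real sensor's.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def parse_flows(lines):
    """Parse constructed 'src dst dport proto' records; '#' starts a comment."""
    flows = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto.lower()))
    return flows


def build_baseline(flows):
    """Objective 1: record the expected flows, hosts, and services of the zone."""
    return {
        "flows": {(f.src, f.dst, f.dport, f.proto) for f in flows},
        "hosts": {h for f in flows for h in (f.src, f.dst)},
        "services": {(f.dst, f.dport, f.proto) for f in flows},
    }


def classify(flow, baseline):
    """Objective 2: label a flow against the baseline, most severe test first."""
    if flow.src not in baseline["hosts"] or flow.dst not in baseline["hosts"]:
        return "new_device"          # a host the baseline never saw
    if (flow.src, flow.dst, flow.dport, flow.proto) in baseline["flows"]:
        return "expected"
    if (flow.dst, flow.dport, flow.proto) in baseline["services"]:
        return "new_connection"      # known service, previously unseen client
    return "new_service"             # known hosts talking on an unseen port/proto


def detect(observed, baseline):
    """Return (flow, label) for every observed flow that deviates from baseline."""
    labelled = [(f, classify(f, baseline)) for f in observed]
    return [(f, label) for f, label in labelled if label != "expected"]


def summarize(findings):
    """Count findings per label, for a quick triage view."""
    return Counter(label for _, label in findings)


# Constructed learning window: expected traffic in the trust zone.
BASELINE_LINES = """
10.10.1.5  10.10.1.20 20000 tcp   # HMI -> PLC, DNP3
10.10.1.5  10.10.1.21 502   tcp   # HMI -> PLC, Modbus
10.10.1.20 10.10.1.30 514   udp   # PLC -> syslog collector
10.10.1.21 10.10.1.30 514   udp
10.10.1.6  10.10.1.20 20000 tcp   # historian -> PLC, DNP3
""".splitlines()

# Constructed monitoring window with three deviations mixed into normal traffic.
OBSERVED_LINES = """
10.10.1.5  10.10.1.20 20000 tcp   # expected
10.10.1.5  10.10.1.21 502   tcp   # expected
10.10.1.6  10.10.1.21 502   tcp   # historian never used Modbus to .21
10.10.1.20 10.10.1.21 445   tcp   # SMB between PLCs was never baselined
10.10.1.99 10.10.1.20 20000 tcp   # host .99 is not in the baseline at all
10.10.1.21 10.10.1.30 514   udp   # expected
""".splitlines()

if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE_LINES))
    for flow, label in detect(parse_flows(OBSERVED_LINES), base):
        print(f"{label:15s} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

A real deployment would learn the baseline over a representative period and key on a richer tuple (direction, byte volumes, application-layer function codes), but the comparison structure is the same.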
32. We seek comments on all aspects of the proposed directive, including the three objectives discussed above. In particular, we seek comments on: (1) What are the potential challenges to implementing INSM (e.g., cost, availability of specialized resources, and documenting compliance); (2) what capabilities (e.g., software, hardware, staff, and services) are appropriate for INSM to meet the security objectives described above; (3) are the security objectives for INSM described above necessary and sufficient and, if not sufficient, what are other pertinent objectives that would support the goal of having responsible entities successfully implement INSM; and (4) what is a reasonable timeframe for expeditiously developing and implementing Reliability Standards for INSM given the importance of addressing this reliability gap?
2. Low Impact BES Cyber Systems
33. While our proposal is centered on high and medium impact BES Cyber Systems, we also seek comments on the usefulness and practicality of implementing INSM to detect malicious activity in networks with low impact BES Cyber Systems, including any
34. As discussed above, there may be benefits to having INSM requirements apply to a defined subset of low impact BES Cyber Systems. To better understand the potential benefits of such an approach, we first seek comment on possible criteria or methodology for identifying an appropriate subset of low impact BES Cyber Systems that could benefit from INSM. For example, should the subset focus on low impact BES Cyber Systems located at assets strategic for the reliable operation of the BES, such as control centers and backup control centers, transmission stations and substations, and/or generation resources? Second, we seek comment on the potential benefits or drawbacks of defining a subset of low impact BES Cyber Systems. For example, would focusing resources on the assets with a more significant risk profile within the broad low impact tier of BES Cyber Systems improve an entity's risk profile and avoid situations where an attacker exploits legitimate cyber resources without timely detection and response? Third, as discussed above, there are currently no CIP requirements for low impact BES Cyber Systems for monitoring communications at the ESP. 58 Would it make sense to require INSM when perimeter monitoring is not required? Would it be appropriate to address both perimeter monitoring and INSM for low impact BES Cyber Systems?
Footnotes:
58 See supra Para. 7.
III. Information Collection Statement
35. The information collection requirements contained in this Notice of Proposed Rulemaking are subject to review by the Office of Management and Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 1995. 59 OMB's regulations require approval of certain information collection requirements imposed by agency rules. 60 Upon approval of a collection of information, OMB will assign an OMB control number and expiration date. Respondents subject to the filing requirements of this rule will not be penalized for failing to respond to this collection of information unless the collection of information displays a valid OMB control number. Comments are solicited on the Commission's need for the information proposed to be reported, whether the information will have practical utility, ways to enhance the quality, utility, and clarity of the information to be collected, and any suggested methods for minimizing the respondent's burden, including the use of automated information techniques.
Footnotes:
59 44 U.S.C. 3507(d).
60 5 CFR 1320.11 (2021).
36. The proposal to direct NERC to develop new, or to modify existing, reliability standards (and the corresponding burden) are covered by, and already included in, the existing OMB-approved information collection FERC-725 (Certification of Electric Reliability Organization; Procedures for Electric Reliability Standards; OMB Control No. 1902-0225), 61 under Reliability Standards Development. 62 The reporting requirements in FERC-725 include the ERO's overall responsibility for developing Reliability Standards, such as any Reliability Standards that relate to internal network security monitoring for high and medium impact BES Cyber Systems.
Footnotes:
61 Another item for FERC-725 is pending review at this time, and only one item per OMB Control No. can be pending OMB review at a time. In order to submit this NOPR timely to OMB, we are using FERC-725(1B) (a temporary, placeholder information collection number).
62 Reliability Standards Development as described in FERC-725 covers standards development initiated by NERC, the Regional Entities, and industry, as well as standards the Commission may direct NERC to develop or modify.
IV. Environmental Analysis
37. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment. 63 The Commission has categorically excluded certain actions from this requirement as not having a significant effect on the human environment. Included in the exclusion are rules that are clarifying, corrective, or procedural or that do not substantially change the effect of the regulations being amended. 64 The actions proposed herein fall within this categorical exclusion in the Commission's regulations.
Footnotes:
63 Regulations Implementing the National Environmental Policy Act of 1969, Order No. 486, FERC Stats. & Regs. ¶ 30,783 (1987) (cross-referenced at 41 FERC ¶ 61,284).
64 18 CFR 380.4(a)(2)(ii) (2021).
V. Regulatory Flexibility Act Analysis
38. The Regulatory Flexibility Act of 1980 (RFA) 65 generally requires a description and analysis of proposed rules that will have significant economic impact on a substantial number of small entities.
Footnotes:
65 5 U.S.C. 601-612.
39. We are proposing only to direct NERC, the Commission-certified ERO, to develop modified Reliability Standards that require internal network security monitoring within a trusted Critical Infrastructure Protection networked environment for high and medium impact BES Cyber Systems. 66 Therefore, this Notice of Proposed Rulemaking will not have a significant or substantial impact on entities other than NERC. Consequently, the Commission certifies that this Notice of Proposed Rulemaking will not have a significant economic impact on a substantial number of small entities. Any Reliability Standards proposed by NERC in compliance with this rulemaking will be considered by the Commission in future proceedings. As part of any future proceedings, the Commission will make determinations pertaining to the Regulatory Flexibility Act based on the content of the Reliability Standards proposed by NERC.
Footnotes:
66 Cf. Cyber Security Incident Reporting Reliability Standards, Notice of Proposed Rulemaking, 82 FR 61499 (Dec. 28, 2017), 161 FERC ¶ 61,291 (2017) (proposing to direct NERC to develop and submit modifications to the NERC Reliability Standards to improve mandatory reporting of Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the BES).
VI. Comment Procedures
40. The Commission invites interested persons to submit comments on the matters and issues proposed in this Notice of Proposed Rulemaking to be adopted, including any related matters or alternative proposals that commenters may wish to discuss. Comments are due March 28, 2022. Comments must refer to Docket No. RM22-3-000, and must include the commenter's name, the organization they represent, if applicable, and address in their comments. All comments will be placed in the Commission's public files and may be viewed, printed, or downloaded remotely as described in the Document Availability section below. Commenters on this proposal are not required to serve copies of their comments on other commenters.
41. The Commission encourages comments to be filed electronically via the eFiling link on the Commission's website at http://www.ferc.gov. The
42. Commenters that are not able to file comments electronically may file an original of their comment by USPS mail or by courier or other delivery services. For submissions sent via USPS only, filings should be mailed to: Federal Energy Regulatory Commission, Office of the Secretary, 888 First Street NE, Washington, DC 20426. Submission of filings other than by USPS should be delivered to: Federal Energy Regulatory Commission, 12225 Wilkins Avenue, Rockville, MD 20852.
VII. Document Availability
43. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the internet through the Commission's Home Page (http://www.ferc.gov). At this time, the Commission has suspended access to the Commission's Public Reference Room due to the President's March 13, 2020 proclamation declaring a National Emergency concerning the Novel Coronavirus Disease (COVID-19).
44. From the Commission's Home Page on the internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number excluding the last three digits of this document in the docket number field.
45. User assistance is available for eLibrary and the Commission's website during normal business hours from the Commission's Online Support at (202) 502-6652 (toll free at 1-866-208-3676) or email at ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502-8371, TTY (202) 502-8659. Email the Public Reference Room at public.referenceroom@ferc.gov.
By direction of the Commission.
Issued: January 20, 2022.
Debbie-Anne A. Reese,
Deputy Secretary.
[FR Doc. 2022-01537 Filed 1-26-22; 8:45 am]
BILLING CODE 6717-01-P