Staff Presentation for NOPR in RM22-3

Staff Presentation _ NOPR_RM22-3.pdf

FERC-725(1B), (NOPR in RM22-3) Procedures for Electric Reliability Standards, as proposed by the NOPR in Docket No. RM22-3

Staff Presentation for NOPR in RM22-3

OMB: 1902-0321

Document [pdf]
Download: pdf | pdf
1/20/22, 4:51 PM

Staff Presentation | Notice of Proposed Rulemaking (NOPR) Regarding Internal Network Security Monitoring for High and Medium…

HEADLINES

Staff Presentation | Notice of Proposed
Rulemaking (NOPR) Regarding Internal
Network Security Monitoring for High and
Medium Impact Bulk Electric System
Cyber Systems
January 20, 2022

Docket No. RM22-3

Item E-1 | News Release

Item E-1 is a draft Notice of Proposed Rulemaking (NOPR) that proposes, pursuant to section
215(d)(5) of the Federal Power Act, to direct the North American Electric Reliability Corporation
(NERC) to develop and submit for Commission approval new or modified Critical Infrastructure
Protection (CIP) Reliability Standards that require internal network security monitoring for
high and medium impact Bulk Electric System (BES) Cyber Systems.
The draft NOPR explains that the currently effective CIP Reliability Standards do not address
internal network security monitoring, and this omission constitutes a gap in the CIP Reliability
Standards.  Currently, network security monitoring in the CIP Reliability Standards focuses on
preventing unauthorized access to BES Cyber Systems at the network perimeter.  Including
internal network security monitoring requirements in the CIP Reliability Standards, as the draft
NOPR proposes, would complement existing perimeter requirements for high and medium
impact BES Cyber Systems by improving the visibility of communications inside the network.
The 2020 SolarWinds attack demonstrated how an attacker can bypass all network perimeterbased security controls traditionally used to identify the early phases of an attack.  This supply
chain attack leveraged a trusted vendor to compromise the networks of public and private
organizations, and SolarWinds customers had no reason to suspect the installation of
compromised updates because the attacker used an authenticated SolarWinds certificate. 
In the event of a compromised Electronic Security Perimeter, early detection of an attack
through internal network security monitoring reduces the time that an attacker has to gain a
strong foothold and potential command and control of protected systems, including
operational control over equipment like circuit breakers.  Internal network security monitoring
https://www.ferc.gov/news-events/news/staff-presentation-notice-proposed-rulemaking-nopr-regarding-internal-network-0

1/2

1/20/22, 4:51 PM

Staff Presentation | Notice of Proposed Rulemaking (NOPR) Regarding Internal Network Security Monitoring for High and Medium…

increases the chance of early detection of malicious activity, which in turn allows for quicker
mitigation and recovery from an attack.  In addition to improved incident response capabilities
and situational awareness, internal network security monitoring also contributes to better
vulnerability assessments within an Electronic Security Perimeter, all of which support an
entity’s cybersecurity defenses and could reduce the impact of cyberattacks. 
To address the current reliability gap and improve cybersecurity, the draft NOPR proposes to
direct that NERC develop new or modified CIP Reliability Standards requiring that applicable
responsible entities implement internal network security monitoring for their high and
medium impact BES Cyber Systems.
While centered on high and medium impact BES Cyber Systems, the draft NOPR also seeks
comments on the potential usefulness and practicality of implementing internal network
security monitoring to detect malicious activity in networks with low impact BES Cyber
Systems, including any potential benefits, technical barriers and associated costs.  Among
other specific questions, the draft NOPR seeks comment on possible criteria or methodologies
for identifying an appropriate subset of low impact BES Cyber Systems that could benefit from
internal network security monitoring.
Comments in response to the draft NOPR would be due 60 days following publication in the
Federal Register.
This concludes our presentation.  We are happy to take any questions you may have.
This page was last updated on January 20, 2022

https://www.ferc.gov/news-events/news/staff-presentation-notice-proposed-rulemaking-nopr-regarding-internal-network-0

2/2


File Typeapplication/pdf
File Modified2022-01-20
File Created2022-01-20

© 2024 OMB.report | Privacy Policy