The Federal Energy Regulatory Commission is mulling a new regulation that would mandate owners and operators of bulk electric systems to implement internal network security monitoring.
The regulation would direct the North American Electric Reliability Corporation (NERC) to develop updated reliability standards that include the requirement. It would apply to high- and medium-impact systems, that is, the systems whose compromise in a cyberattack would have the most adverse effect on reliable operation of the bulk electric system.
“Based on the current threat environment … a requirement for [internal network monitoring] that augments existing perimeter defenses is critical to increasing network visibility so that an entity may understand what is occurring in its CIP networked environment, and thus improve capability to timely detect potential compromises,” the agency said in a notice of proposed rule-making last week.
Such monitoring technologies include multi-purpose tools like intrusion detection systems, antivirus systems and firewalls that can block malicious traffic. They would also let owners and operators detect cyberattacks or breaches on their networks more quickly, establish a baseline of what counts as “normal” behavior on the network, and get a head start on detecting anomalous or malicious activity that deviates from that baseline.
The commission is also seeking public comment on whether it is practical to extend the proposed directive to industrial control systems designated as “low impact.” FERC said these systems typically have fewer security controls in place, which raises concerns about how practical or useful it would be to impose similar standards on them.
Current regulatory standards for BES systems generally emphasize protections at the network perimeter, and do not require such monitoring except at access points and for inbound and outbound traffic. Cybersecurity experts say this perimeter-centric model is increasingly obsolete and fails to account for a range of modern attack vectors that bypass the perimeter entirely, such as cloud environments, supply chain attacks that compromise trusted third-party technology providers, and insider threats.
“In the context of supply chain risk, a malicious update from a known software vendor could be downloaded directly to a server as trusted code, and it would not set off any alarms until abnormal behavior occurred and was detected,” the proposed rule reads.
This is more or less a description of how Russian government hackers compromised federal agencies in the SolarWinds campaign. FERC is also concerned about other potential threats, such as disgruntled or compromised employees with elevated account privileges who “could identify and collect data, add additional accounts, delete logs, or even exfiltrate data without being detected.”
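The two mechanisms the proposal leans on, learning what “normal” east-west traffic looks like and then flagging the abnormal behavior that a trusted-but-malicious update or an exfiltrating insider eventually produces, can be shown with a small baseline-and-deviate detector. The following is an added example, not code from the FERC notice or from any vendor product. The hosts, addresses, ports and flow records are constructed for illustration, and the detection thresholds (one 60-second bucket, a 3x volume factor) are assumptions, not anything the proposal specifies.

```python
"""Baseline-and-deviate monitoring over constructed east-west flow records.

Added example; not from the FERC notice or any product. All hosts, addresses
and traffic patterns below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since start of capture
    src: str       # source host
    dst: str       # destination host
    dport: int     # destination port
    nbytes: int    # bytes sent src -> dst


# Constructed hosts (assumed; not from the article).
HMI, HISTORIAN, PLC = "10.10.1.10", "10.10.1.30", "10.10.2.20"
PATCH_SRV, VENDOR, UNKNOWN = "10.10.1.50", "203.0.113.10", "198.51.100.7"


def periodic(src, dst, dport, nbytes, start, end, period):
    """Synthesise one flow every `period` seconds in [start, end)."""
    return [Flow(t, src, dst, dport, nbytes) for t in range(start, end, period)]


# Learning window (0-600 s): routine polling plus a scheduled vendor update check.
BASELINE_FLOWS = (
    periodic(HMI, PLC, 502, 200, 0, 600, 10)               # Modbus polling
    + periodic(HISTORIAN, PLC, 502, 400, 0, 600, 30)
    + periodic(PATCH_SRV, VENDOR, 443, 1500, 0, 600, 300)  # update check
)

# Monitoring window (600-1200 s): same routine traffic, but the patch server,
# having pulled a "trusted" update, starts beaconing to a host never seen
# before and finally pushes a large upload to it.
MONITOR_FLOWS = (
    periodic(HMI, PLC, 502, 200, 600, 1200, 10)
    + periodic(HISTORIAN, PLC, 502, 400, 600, 1200, 30)
    + periodic(PATCH_SRV, VENDOR, 443, 1500, 600, 1200, 300)
    + periodic(PATCH_SRV, UNKNOWN, 443, 900, 660, 1200, 60)   # beacon
    + [Flow(1150, PATCH_SRV, UNKNOWN, 443, 50_000)]           # bulk exfil
)


def build_baseline(flows, bucket=60):
    """Learn the set of (src, dst, dport) conversations observed and, per
    source, the largest byte count it sent in any `bucket`-second interval."""
    peers = {(f.src, f.dst, f.dport) for f in flows}
    per_bucket = defaultdict(int)
    for f in flows:
        per_bucket[(f.src, f.ts // bucket)] += f.nbytes
    peak = defaultdict(int)
    for (src, _), total in per_bucket.items():
        peak[src] = max(peak[src], total)
    return {"peers": peers, "peak_bytes": dict(peak), "bucket": bucket}


def detect(baseline, flows, volume_factor=3):
    """Return alerts: conversations absent from the baseline (reported once,
    with first-seen time and flow count) and per-source volume spikes.
    A source never seen in the baseline has peak 0, so any bytes it sends
    trip the volume check as well as the new-peer check."""
    bucket = baseline["bucket"]
    new_peers = {}
    per_bucket = defaultdict(int)
    for f in flows:
        key = (f.src, f.dst, f.dport)
        if key not in baseline["peers"]:
            first, n = new_peers.get(key, (f.ts, 0))
            new_peers[key] = (min(first, f.ts), n + 1)
        per_bucket[(f.src, f.ts // bucket)] += f.nbytes
    alerts = [("new-peer", src, dst, dport, first, n)
              for (src, dst, dport), (first, n) in sorted(new_peers.items())]
    for (src, b), total in sorted(per_bucket.items()):
        peak = baseline["peak_bytes"].get(src, 0)
        if total > volume_factor * peak:
            alerts.append(("volume", src, b * bucket, total, peak))
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for alert in detect(base, MONITOR_FLOWS):
        print(alert)
```

Run as written, the detector raises exactly two alerts: the patch server talking to an address that never appeared during the learning window (first seen at t=660, ten flows), and a one-minute upload from that server roughly thirty times larger than anything it sent during baseline. Neither is visible to a perimeter-only control, since the vendor update that started the chain arrived over an allowed channel; and note that a baseline learned while the attacker is already present simply bakes the beacon into “normal,” so the learning window itself has to be trusted.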
The federal government has become increasingly focused on enhancing the security of bulk electric systems, the interconnected electric transmission networks that operate above a defined voltage threshold. In 2020 a Trump administration executive order declared the targeting and exploitation of cybersecurity vulnerabilities in the bulk power system a national emergency and imposed new restrictions on the purchase and use of certain foreign-made equipment in BES systems. That order defined such systems as any facilities and transmission lines that operate at 69,000 volts or more.
Damon Small, a technical director at NCC Group, a consulting firm that advises companies on cybersecurity issues, said that while it is common for bulk electric system operators to monitor internal networks, they’re usually focused on network traffic passing between their Industrial Control Systems networks and IT networks.
“FERC seems to be suggesting that additional network monitoring is necessary within the OT and IT security boundaries,” Small said in an email, later adding that while the enhanced regulations and emphasis on more network monitoring are “a very good idea,” it will also be “costly to ramp up the existing staff to provide the additional employees required” to do so.
Padriac O’Reilly, co-founder of CyberSaint, a cybersecurity and IT risk management company, told SC Media that many high- and medium-impact BES entities already do some form of internal network monitoring, but the FERC proposal may nudge them toward further action or a shift to more advanced systems.
“Of course, most BES operators have some kind of internal monitoring, but formalizing it will give a much-needed push to overall industry maturity,” O’Reilly said.
The proposal also fits a broader push the Biden administration has made since taking office to improve visibility into cyber threats, including those to federal networks and devices. The White House has directed federal agencies to move away from perimeter-based security, inventory all their connected devices, improve logging practices and deploy endpoint detection and response tools on individual devices.
Last week, the White House issued a memo that established the NSA as the “focal point” for visibility over cybersecurity threats that affect military and intelligence systems. The move gives the intelligence agency the power to issue cybersecurity directives to other DOD agencies and components and puts those entities on the hook to send their logs, IT asset inventories, patching history and other information to the NSA for centralized incident response for emerging cyber threats. On the federal civilian side, the Cybersecurity and Infrastructure Security Agency (CISA) is gearing up to use new congressional authorities to conduct proactive threat hunting on other agency networks.