Full Report
The Federal Energy Regulatory Commission (FERC) has published a final action notice that approves proposed Reliability Standard CIP-015-1... The post FERC greenlights proposed NERC Reliability Standard CIP-015-1, expands scope of internal network security rules appeared first on Industrial Cyber.
Analysis Summary
# Regulation/Compliance: NERC CIP-015-1 (Internal Network Security Monitoring)
## Overview
This regulation finalizes the approval of NERC Reliability Standard CIP-015-1, which mandates **Internal Network Security Monitoring (INSM)** for Industrial Control Systems (ICS) within the Electronic Security Perimeter (ESP) of the Bulk-Power System (BPS). A key directive is that NERC must develop modifications to extend this monitoring requirement to include **Electronic Access Control or Monitoring Systems (EACMS)** and **Physical Access Control Systems (PACS)** located *outside* the ESP, as these systems are considered part of the broader **CIP-networked environment**. The goal is to improve the detection of anomalous, malicious, or unauthorized network activity, particularly "east-west" traffic.
## Key Details
- Issuing Authority: Federal Energy Regulatory Commission (FERC), based on a proposal from the North American Electric Reliability Corporation (NERC).
- Effective Date: The final action notice is effective September 2, [Year of Publication].
- Jurisdiction: North America, specifically entities operating within the electric sector and managing the Bulk-Power System (BPS).
- Status: Final Action Approved, but requires further modifications (see Compliance Timeline).
## Requirements
### Mandatory Requirements
1. **Implement INSM within the Electronic Security Perimeter (ESP):** Responsible entities must implement Internal Network Security Monitoring for all High Impact BES Cyber Systems and Medium Impact BES Cyber Systems with external routable connectivity.
2. **Documentation Maintenance:** Entities are required to maintain documentation adequate to demonstrate compliance with the Reliability Standard (though no initial filings are required with FERC or NERC for CIP-015-1 itself).
3. **Modification Development (NERC Directive):** NERC is directed to develop modifications to CIP-015-1 within 12 months to extend INSM coverage to include **EACMS and PACS outside of the ESP**.
### Recommended Practices
1. **Voluntary Adoption of Additional INSM:** Responsible entities may voluntarily choose to adopt additional INSM practices, such as those recommended by organizations like OpenPolicy.
## Affected Organizations
- Industries: Electric Sector entities responsible for the reliable operation of the Bulk-Power System (BPS); specifically those responsible entities with High Impact BES Cyber Systems and Medium Impact BES Cyber Systems with external routable connectivity.
- Organization Size: Not explicitly size-dependent, but contingent on the impact level classification of their BES Cyber Systems.
- Geographic Scope: North America (where NERC standards apply).
## Compliance Timeline
- **Effective Date (Final Rule):** September 2, [Year of Publication/Action].
- **NERC Modification Deadline:** Within **12 months** of the effective date of the final rule, NERC must develop modifications to extend INSM to cover external EACMS and PACS.
- **Full Compliance Required:** The deadline for full compliance with the *modified* standard (including external EACMS/PACS monitoring) will be set by NERC after the modification drafting process is complete and approved.
## Implementation Guidance
### Assessment Phase
- Identify all High Impact and Medium Impact BES Cyber Systems that have external routable connectivity.
- Map the current network environment, including the ESP boundary and the location of associated EACMS and PACS.
- Determine current INSM coverage relative to east-west traffic within the ESP.
### Implementation Phase
- Deploy technical solutions to monitor internal network traffic ("east-west" communication) within the ESP as required by the currently approved CIP-015-1.
- Prepare for the future implementation phase mandated by the FERC directive, which will require configuring INSM tools to cover network connections/traffic related to external EACMS and PACS.
### Validation Phase
- Auditors will rely on entity documentation to verify compliance.
- Entities must proactively develop and maintain documentation that clearly demonstrates the implementation of required INSM controls and captures monitoring data.
## Technical Requirements
- **Internal Network Security Monitoring (INSM):** Required across the defined environment (initially, within the ESP).
- **Coverage:** Must specifically address "east-west" network traffic (traffic moving laterally across the network, not just North-South traffic entering/leaving the perimeter).
- **Future Scope:** INSM must eventually cover network connections among and between EACMS and PACS external to the ESP.
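As an added example (not from the notice, NERC, or any vendor), the following Python sketches the scoping logic behind these technical requirements and the implementation-phase steps: flows whose endpoints both sit inside the ESP are east-west and are checked against a baseline of expected conversations, flows that touch EACMS or PACS outside the ESP are tagged as the future scope of the FERC directive, and everything else is north-south. The ESP subnet, device addresses, baseline, and flow records are all constructed placeholders.

```python
import ipaddress
from collections import Counter

# Constructed scoping model (added example, not NERC's or any vendor's code); all addresses are hypothetical.
ESP_SUBNETS = [ipaddress.ip_network("10.10.0.0/24")]            # hypothetical ESP
EACMS_PACS_OUTSIDE_ESP = {                                       # hypothetical, outside the ESP
    ipaddress.ip_address("10.20.0.5"),   # e.g. an EACMS such as an intermediate system
    ipaddress.ip_address("10.30.0.7"),   # e.g. a PACS server
}
# Expected east-west conversations inside the ESP: (src, dst, dst_port).
BASELINE = {("10.10.0.10", "10.10.0.20", 502), ("10.10.0.10", "10.10.0.21", 502)}

# Constructed flow records in "src,dst,dst_port" form (what a sensor or flow
# collector inside the ESP might export).
SAMPLE_FLOWS = """\
10.10.0.10,10.10.0.20,502
10.10.0.10,10.10.0.21,502
10.10.0.20,10.10.0.21,445
10.20.0.5,10.10.0.10,22
10.30.0.7,10.40.0.9,443
192.168.1.5,10.10.0.10,443
"""

def in_esp(ip):
    return any(ip in net for net in ESP_SUBNETS)

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        src, dst, port = line.split(",")
        flows.append((src, dst, int(port)))
    return flows

def classify(flow):
    src, dst, port = flow
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_esp(s) and in_esp(d):
        # Lateral traffic inside the ESP: current CIP-015-1 scope.
        return "east-west" if flow in BASELINE else "east-west-anomalous"
    if s in EACMS_PACS_OUTSIDE_ESP or d in EACMS_PACS_OUTSIDE_ESP:
        # EACMS/PACS outside the ESP: future scope under the FERC directive.
        return "eacms-pacs"
    return "north-south"  # crosses the ESP boundary only, or is out of scope

def triage(text):
    # Returns (category counts, east-west flows needing analyst review).
    labels = [(f, classify(f)) for f in parse_flows(text)]
    counts = Counter(label for _, label in labels)
    review = [f for f, label in labels if label == "east-west-anomalous"]
    return counts, review
```

Running `triage(SAMPLE_FLOWS)` flags the single intra-ESP conversation that is absent from the baseline while keeping the EACMS/PACS flows visible as a separate bucket for the later compliance phase.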
## Penalties & Enforcement
- Fines: Not explicitly detailed in the summary, but penalties are typically enforced through NERC in its role as the Electric Reliability Organization (ERO) based on non-compliance with approved Reliability Standards.
- Other Consequences: Failure to comply with FERC directives or NERC standards can lead to required remediation plans, audits, and potential penalties against the responsible entity.
- Enforcement: Periodic audits conducted by Commission and NERC staff, relying heavily on the entity’s maintained compliance documentation.
## Related Standards
- **NERC Critical Infrastructure Protection (CIP) Standards:** CIP-015-1 is one component of the broader CIP framework addressing cybersecurity for the BPS.
- **Order No. 887:** The FERC directive that formed the basis for requiring monitoring beyond the ESP.
- **NIST Frameworks:** While not explicitly mentioned as mandatory, standard cybersecurity best practices often align with NIST guidance for implementation detail.
## Resources
- Official Documentation: Federal Register publication of the final action notice (approving CIP-015-1).
- Guidance Documents: NERC's specific guides or compliance templates related to the deployment of INSM controls.
- Tools: Solutions capable of deep packet inspection and anomaly detection tailored for ICS/SCADA networks.
## Practical Recommendations
1. **Immediately Baseline Compliance:** Document current INSM implementation within the ESP as per the approved CIP-015-1 to satisfy initial audit requirements.
2. **Analyze External Systems:** Begin mapping current network communication pathways involving EACMS and PACS that sit outside the ESP to anticipate the scope of the next compliance phase.
3. **Prepare Documentation Strategy:** Establish robust documentation practices now, as documentation is the primary evidence used by auditors to verify adherence to objective-based reliability standards.
4. **Monitor NERC Development:** Closely track NERC's progress on modifying CIP-015-1 over the next 12 months to proactively plan for the extension of monitoring requirements.