Document headings vary by document type but may contain the following:
See the Document Drafting Handbook for more details.
AGENCY:
Federal Energy Regulatory Commission.
ACTION:
Notice of proposed rulemaking.
SUMMARY:
The Federal Energy Regulatory Commission (Commission) proposes to approve proposed Reliability Standard CIP-015-1 (Cyber Security—Internal Network Security Monitoring), which the North American Electric Reliability Corporation (NERC), submitted in response to a Commission directive. In addition, the Commission proposes to direct that NERC develop certain modifications to proposed Reliability Standard CIP-015-1 to extend internal network security monitoring to include electronic access control or monitoring systems and physical access control systems outside of the electronic security perimeter.
DATES:
Comments are due November 26, 2024.
ADDRESSES:
Comments, identified by docket number, may be filed in the following ways. Electronic filing through http://www.ferc.gov, is preferred.
- Electronic Filing: Documents must be filed in acceptable native applications and print-to-PDF, but not in scanned or picture format.
- For those unable to file electronically, comments may be filed by USPS mail or by hand (including courier) delivery.
○ Mail via U.S. Postal Service Only: Addressed to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE, Washington, DC 20426.
○ Hand (Including Courier) Delivery: Deliver to: Federal Energy Regulatory Commission, 12225 Wilkins Avenue, Rockville, MD 20852.
The Comment Procedures Section of this document contains more detailed filing procedures.
FOR FURTHER INFORMATION CONTACT:
Margaret Steiner (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502 6704, Margaret.Steiner@ferc.gov
Hampden T. Macbeth (Legal Information), Office of General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502 8957, Hampden.Macbeth@ferc.gov
SUPPLEMENTARY INFORMATION:
1. Pursuant to section 215(d)(2) of the Federal Power Act (FPA), the Commission proposes to approve proposed Critical Infrastructure Protection (CIP) Reliability Standard CIP-015-1 (Cyber Security—Internal Network Security Monitoring). The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), submitted the proposed Reliability Standard for Commission approval in response to a Commission directive in Order No. 887. In addition, pursuant to section 215(d)(5) of the FPA, the Commission proposes to direct that NERC develop further modifications to Reliability Standard CIP-015-1, within 12 months of the effective date of a final rule in this proceeding, to extend Internal Network Security Monitoring (INSM) to include electronic access control or monitoring systems (EACMS) and physical access control systems (PACS) outside of the electronic security perimeter.
Internal Network Sec. Monitoring for High & Medium Impact Bulk Elec. Sys. Cyber Sys., Order No. 887, 88 FR 8354 (Feb. 9, 2023), 182 FERC ¶ 61,021 (2023).
INSM is “a subset of network security monitoring that is applied within a `trust zone,' such as an electronic security perimeter.” Order No. 887, 182 FERC ¶ 61,021 at P 2.
EACMS are “Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems.” NERC, Glossary of Terms Used in NERC Reliability Standards, (July 22, 2024), https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf (NERC Glossary).
PACS are “Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers.” Id.
2. In Order No. 887, the Commission directed that NERC develop new or modified CIP Reliability Standards that require INSM for CIP-networked environments for all high impact bulk electric system (BES) Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity. Proposed Reliability Standard CIP-015-1 is partly responsive to the Commission's directives in Order No. 887 and advances the reliability of the Bulk-Power System by (1) establishing requirements for INSM for network traffic inside an electronic security perimeter, and (2) requiring INSM for all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity to ensure the identification of anomalous network activity indicating an ongoing attack. Accordingly, we propose approving proposed Reliability Standard CIP-015-1.
NERC defines BES Cyber Systems as “One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.” See NERC Glossary. BES Cyber Systems are categorized as high, medium, or low impact depending on the functions of the assets housed within each system and the risk they potentially pose to the reliable operation of the Bulk-Power System. Reliability Standard CIP-002-5.1a (BES Cyber System Categorization) sets forth criteria that registered entities apply to categorize BES Cyber Systems as high, medium, or low impact depending on the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. The impact level ( i.e., high, medium, or low) of BES Cyber Systems, in turn, determines the applicability of security controls for BES Cyber Systems that are contained in the remaining CIP Reliability Standards ( i.e., Reliability Standards CIP-003-8 to CIP-013-1).
External routable connectivity is “[t]he ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.” NERC Glossary.
Order No. 887, 182 FERC ¶ 61,021 at P 49.
NERC Petition at 1, 13.
3. Proposed Reliability Standard CIP-015-1 is not, however, fully responsive to the Commission's directive to implement INSM for the “CIP-networked environment.” In particular, the proposed Standard may not adequately defend against attacks that circumvent network perimeter-based security controls. Attacks external to the electronic security perimeter may compromise systems, such as EACMS or PACS, and then infiltrate the perimeter as a trusted communication, thus limiting the effectiveness of an approach that employs INSM only within the electronic security perimeter. The Commission used the phrase “CIP-networked environment” in Order No. 887 to be necessarily broader than the electronic security perimeter. Accordingly, to address this reliability and security gap, the Commission proposes to direct that NERC develop modifications to the proposed Reliability Standard CIP-015-1 to extend INSM to include EACMS and PACS outside of the electronic security perimeter.
See Order No. 887, 182 FERC ¶ 61,021 at P 1.
Id. P 49.
I. Background
A. Section 215 and Mandatory Reliability Standards
4. Section 215 of the FPA provides that the Commission may certify an ERO, the purpose of which is to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently. Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO, and subsequently certified NERC.
Id. 824o(e).
Rules Concerning Certification of the Elec. Reliability Org.; & Procs. for the Establishment, Approval, & Enforcement of Elec. Reliability Standards, Order No. 672, 114 FERC ¶ 61,104, order on reh'g, Order No. 672-A, 114 FERC ¶ 61,328 (2006); see also18 CFR 39.4(b) (2024).
N. Am. Elec. Reliability Corp., 116 FERC ¶ 61,062, order on reh'g and compliance, 117 FERC ¶ 61,126 (2006), aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
B. Internal Network Security Monitoring
5. INSM is a subset of network security monitoring that is applied within a “trust zone,” such as an electronic security perimeter. The trust zone applicable to INSM is the CIP-networked environment for this notice of proposed rulemaking (NOPR) and Order No. 887. INSM enables continuing visibility over communications between networked devices within a trust zone and detection of malicious activity that has circumvented perimeter controls. Further, INSM facilitates the detection of anomalous network activity indicative of an attack in progress, thus increasing the probability of early detection and allowing for quicker mitigation and recovery from an attack.
The U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA) defines trust zone as a “discrete computing environment designated for information processing, storage, and/or transmission that share the rigor or robustness of the applicable security capabilities necessary to protect the traffic transiting in and out of a zone and/or the information within the zone.” CISA, Trusted Internet Connections 3.0: Reference Architecture, 2 (July 2020), https://www.cisa.gov/sites/default/files/publications/CISA_TIC%203.0%20Vol.%202%20Reference%20Architecture.pdf.
Order No. 887, 182 FERC ¶ 61,021, at P 2.
6. INSM is designed to address as early as possible situations where perimeter network defenses are breached by detecting intrusions and malicious activity within a trust zone. INSM consists of three stages: (1) collection; (2) detection; and (3) analysis. Taken together, these three stages provide the benefit of early detection and alerting of intrusions and malicious activity. INSM better positions an entity to detect an attacker in the early phases of an attack and reduces the likelihood that an attacker can gain a strong foothold, including operational control, on the target system. In addition to early detection and mitigation, INSM may improve incident response by providing higher quality data about the extent of an attack internal to a trust zone. Finally, INSM provides insight into east-west network traffic happening inside the network perimeter, which enables a more comprehensive picture of the extent of an attack compared to data gathered from the network perimeter alone.
See Chris Sanders & Jason Smith, Applied Network Security Monitoring, 9-10 (2013); see also ISACA, Applied Collection Framework: A Risk-Driven Approach to Cybersecurity Monitoring (Aug. 18, 2020), https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2020/applied-collection-framework.
East-west traffic refers to the communications among BES Cyber Systems and is the specific type of network traffic that remains within the network perimeter. It may refer to communication peer-to-peer industrial automation and control systems devices in a network or to activity between servers or networks inside a data center, rather than the data and applications that traverse networks to the outside world. CISCO, Networking and Security in Industrial Automation Environments Design Guide, 111 (Aug. 2020), https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/Industrial_Automation/IA_Horizontal/DG/Industrial-AutomationDG.pdf; The President's National Security Telecommunications Advisory Committee, Report to the President on Software-Defined Networking, E-3 (Aug. 2020), https://www.cisa.gov/sites/default/files/publications/NSTAC%20SDN%20Report%20%288-12-20%29.pdf.
CISA, CISA Analysis: FY2020 Risk and Vulnerability Assessments (July 2021), https://www.cisa.gov/sites/default/files/publications/FY20-RVA-Analysis_508C.pdf.
C. Order No. 887
7. On January 19, 2023, in Order No. 887, the Commission issued a final rule that directed that NERC develop “new or modified CIP Reliability Standards requiring INSM for all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity to ensure the detection of anomalous network activity indicative of an attack in progress.” The Commission, noting that INSM is “applied within a `trust zone,' such as an electronic security perimeter,” stated that for the final rule the applicable trust zone for INSM is the CIP-networked environment.
Order No. 887, 182 FERC ¶ 61,021 at P 3.
Id. P 2.
8. The Commission explained that the currently effective CIP Reliability Standards focus on preventing unauthorized access at the electronic security perimeter and do not require INSM inside trusted CIP-networked environments. The Commission determined that this left a reliability gap when vendors or individuals with authorized access are deemed trustworthy but could still introduce a cybersecurity risk. The Commission then concluded that requirements to implement ISNM will “fill a gap in the current suite of CIP Reliability Standards and improve the cybersecurity posture of the Bulk-Power System.”
Id. P 20.
Id. An attacker could move among devices inside a trust zone and perform actions such as: (1) escalate privileges (such as gaining administrator account privileges through a vulnerability); (2) move undetected inside the CIP-networked environment; or (3) execute a virus, ransomware or another form of unauthorized code. Id. P 19.
Id. P 49 (citing NERC Comments in Response to Notice of Proposed Rulemaking under Docket No. RM22-3-000 at 4-5 (current CIP Standards require “malicious communications monitoring at the Electronic Access Point on the [electronic security perimeter], not necessarily monitoring of activity of those who already have access to the network”)). The Bulk-Power System is defined in the FPA as facilities and control systems necessary for operating an interconnected electric energy transmission network (or any portion thereof); and electric energy from generating facilities needed to maintain transmission system reliability. The term does not include facilities used in the local distribution of electric energy. 16 U.S.C. 824o(a)(1).
9. The Commission directed that NERC ensure that the new or modified CIP Reliability Standards address three security objectives for east-west network traffic. First, the new or modified CIP Reliability Standards should address the need for each responsible entity to develop a baseline for their network activity by analyzing for security purposes their network traffic and data flows. Second, the new or modified CIP Reliability Standards should address the need for responsible entities to monitor and detect “unauthorized activity, connections, devices, network communication protocols, and software” in the CIP-networked environment. Third, the new or modified CIP Reliability Standards should provide responsible entities with flexibility in determining how to best identify anomalous activity with a high level of confidence, so long as the methods ensure: (1) logging of network traffic; (2) maintaining the logs, and other data collected, regarding network traffic that are of “sufficient data fidelity to draw meaningful conclusions” to investigate an incident; and (3) maintaining the integrity of the logs and other data by employing measures that minimize the likelihood of an attacker removing evidence of their tactics, techniques, and procedures.
Order No. 887, 182 FERC ¶ 61,021 at PP 79-80.
D. NERC Petition and Proposed Reliability Standard CIP-015-1
10. On June 24, 2024, NERC submitted for Commission approval proposed Reliability Standard CIP-015-1 and the associated violation risk factors and violation severity levels, implementation plan, and effective date. NERC states that proposed Reliability Standard CIP-015-1 is intended to advance the reliability of the Bulk-Power System by providing a comprehensive suite of forward looking and objective-based requirements for INSM.
NERC Petition at 2, 26-28. Proposed Reliability Standard CIP-015-1 is not attached to this NOPR. The proposed Reliability Standards are available on the Commission's eLibrary document retrieval system in Docket No. RM24-7-000 and on the NERC website, www.nerc.com.
Id. at 4.
11. NERC explains that the proposed Reliability Standard would address the directives in Order No. 887 by establishing three requirements for responsible entities to implement INSM systems and processes. Specifically:
- Requirement R1: responsible entities would be required to implement process(es) to monitor, detect, and evaluate anomalous activity in “networks protected by the Responsible Entity's Electronic Security Perimeter(s)” of high impact BES Cyber Systems and medium impact BES Cyber Systems with external routable connectivity.
- Requirement R2: responsible entities would be required to implement process(es) for retaining INSM data associated with anomalous network activity as determined by the applicable responsible entities.
- Requirement R3: responsible entities would be required to implement process(es) to protect INSM monitoring data collected and retained in support of Requirements R1 and R2 to guard against the risk of unauthorized deletion or modification.
According to NERC, Requirement R1 applies to data flows within “networks protected by the Responsible Entity's Electronic Security Perimeter(s).” NERC states that proposed Reliability Standard CIP-015-1's scope is consistent with the plain language of Order No. 887, which stated that INSM should apply within a trust zone, “such as an electronic security perimeter,” and that the trust zone for INSM is the “CIP-networked environment.” NERC states that its approach would provide the greatest benefits to the reliability of the Bulk-Power System by focusing industry's limited resources on the most critical environment, “networks protected by the Responsible Entity's Electronic Security Perimeter.”
Id.
NERC Petition at 16 (quoting Order No. 887, 182 FERC ¶ 61,021 at P 2).
Id. at 14, 17.
II. Discussion
A. Proposal To Approve Proposed Reliability Standard CIP-015-1
12. Pursuant to section 215(d)(2) of the FPA, the Commission proposes to approve proposed Reliability Standard CIP-015-1 as just, reasonable, not unduly discriminatory or preferential, and in the public interest. The proposed Reliability Standard requires responsible entities to implement INSM within the electronic security perimeter for all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity. Consistent with the security objectives identified in Order No. 887, Requirement R1 of the proposed Standard would require responsible entities to implement INSM by mandating the collection, detection, analysis of and appropriate response to anomalous activity within the electronic security perimeter. Proposed Reliability Standard CIP-015-1, Requirement R2 would require responsible entities to retain INSM data related to anomalous activity. Proposed Reliability Standard CIP-015-1, Requirement R3 would require responsible entities to protect INSM data associated with anomalous network activity.
13. Implementation of INSM within the electronic security perimeter will augment responsible entities' ability to detect anomalous or malicious activity and provide information to assist in determining an appropriate response through proposed Reliability Standard CIP-015-1, Requirements R1, R2, and R3. The proposed Reliability Standard improves the security posture of the industry by providing visibility into east-west communications absent from previous Reliability Standards, improving the probability of detection for anomalous or malicious activity within the electronic security perimeter.
14. Notwithstanding the improvements to security made by the proposed Standard, as discussed below, the proposed Reliability Standard does not fully implement the scope of protection contemplated in Order No. 887. By restricting the implementation of INSM to within the electronic security perimeter, a reliability and security gap remains by not implementing INSM for the entire CIP-networked environment, i.e., outside the electronic security perimeter inclusive of EACMS and PACS. To address this gap, we propose to direct NERC to develop modifications to the proposed Reliability Standard to include EACMS and PACS, thereby protecting the reliability and security of all trust zones of the CIP-networked environment. This approach—proposing to approve a Reliability Standard as enhancing protections and as a separate action under section 215(d)(5) of the FPA proposing to direct NERC to develop certain modifications to a Reliability Standard to address a reliability gap—is consistent with Commission precedent.
See e.g., N. Am. Elec. Reliability Corp., 187 FERC ¶ 61,204 (2024) (order approving Reliability Standard EOP-012-2 because it clarified the requirements for generator cold weather preparedness and by making other improvements and, in addition, directing that NERC submit modifications to Reliability Standard EOP-012-2 to address certain concerns); Critical Infrastructure Prot. Reliability Standard CIP-012-1—Cyber Sec.—Commc'ns between Control Ctrs., Order No. 866, 85 FR 7197 (Feb. 7, 2020), 170 FERC ¶ 61,031 (2020).
B. Scope of the CIP-Networked Environment
15. NERC's proposed application of the term “CIP-networked environment” as limited to assets and systems within the electronic security perimeter is overly narrow. Order No. 887 used the term “CIP-networked environment” purposefully to apply more broadly than the electronic security perimeter, specifically to include all assets and systems to which the CIP standards apply and may be the targets of attacks. As explained below, NERC's petition does not address that reliability and security gap because it does not require implementation of INSM at EACMS and PACS outside the electronic security perimeter.
16. Excluding EACMS and PACS from the term “CIP-networked environment” is inconsistent with generally accepted approaches to cybersecurity. Under Reliability Standard CIP-002-5.1a and fundamental cybersecurity practices, similar systems within a network are grouped together to facilitate management, control, and monitoring of the networked environment. For example, EACMS are grouped together to allow for early detection of malicious activity within the CIP-networked environment and potentially protect other grouped systems, such as BES Cyber Systems, with which the EACMS communicate. Thus, excluding certain grouped systems from protections—as is the case for EACMS and PACS in Reliability Standard CIP-015-1—leaves other grouped systems within the CIP-networked environment at risk. Here, the BES Cyber Systems would not benefit from monitoring of east-west ( i.e., lateral) movement within the grouping of EACMS and PACS, which allows for early detection of anomalous or malicious activity. Otherwise, for example, a compromised EACMS grouping could provide an attacker with the opportunity to infiltrate other connected groups, such as BES Cyber Systems located within the electronic security perimeter, as an authenticated user or trusted communication.
Reliability Standard CIP-002.5.1a (BES Cyber System Categorization) (categorizing EACMS, PACS, protected cyber assets, and BES Cyber Systems into groups); see, e.g., Nat'l Sec. Agency, Network Infrastructure Security Guide, 1, 3-4 (Oct. 2023), https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF (recommending the grouping of similar network systems as a best practice for overall network security) (NSA Network Security Guide).
See CISA, Cybersecurity Advisory: CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks, 2, 14 (Feb. 2023), https://www.cisa.gov/sites/default/files/2023-03/aa23-059a-cisa_red_team_shares_key_findings_to_improve_monitoring_and_hardening_of_networks.pdf (finding that insufficient network monitoring contributed to a CISA red team avoiding detection and gaining access to an organization's network through lateral movement by leveraging access to an Active Directory system serving as an electronic access control system) (CISA Cybersecurity Advisory); Nat'l Inst. of Standards and Tech. (NIST), NIST SP 800-215 Guide to a Secure Enterprise Network Landscape, 5 (Nov. 2022), https://doi.org/10.6028/NIST.SP.800-215 (describing the limitations of a perimeter-based security approach as not capturing threats from inside a network that can move laterally and remain undetected for an extended period of time) (NIST SP 800-215); NIST, NIST SP 800-82r3 Guide to Operational Technology (OT) Security, 74 (Sept. 2023), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf (recommending the analyzing of information to differentiate between known and unknown communication as a necessary first step in implementing network security monitoring) (NIST SP 800-82r3). The term INSM is used by the Commission in Order No. 887, but the cybersecurity industry uses the term “network security monitoring.” Similarly, the CIP Standards use the terms “EACMS” and “PACS,” which are defined by the NERC Glossary, while NIST discusses the same concepts but does not use the same EACMS and PACS terminology.
See CISA Cybersecurity Advisory at 2-6 (describing how a CISA Red Team was able to gain access to workstations and servers from an Active Directory system serving as an electronic access control system, which assisted in lateral movement to other networks).
17. National Institute of Standards and Technology (NIST) guidance states that INSM monitoring needs to detect “[a]ny threat that is already inside of a network [that] can move laterally and remain undetected for days or even months.” According to the NIST guidance, east-west (lateral) monitoring ( i.e., INSM) improves the probability of detection for malicious or anomalous activity and should not be isolated to only the most critical trust zones. While the terminology of EACMS and PACS is unique to the CIP Reliability Standards, these statements from NIST broadly include the concepts of EACMS and PACS and support the need for monitoring.
NIST SP 800-215 at 5.
See id. (describing east-west traffic as “largely invisible to security teams” without INSM and that a threat inside a network can move east-west and “remain undetected for days or even months”).
18. Further, we find NERC's rationale for limiting INSM to within the electronic security perimeter unpersuasive. First, NERC contends that the devices supporting reliable operation are contained within the electronic security perimeter and thus industry resources are most effectively focused on data flows within the electronic security perimeter. We disagree. While the devices directly supporting the reliable operation of the Bulk-Power System are located within the electronic security perimeter, attacks that threaten reliability can still emanate from outside the electronic security perimeter from connected Cyber Assets, such as EACMS.
NERC Petition at 14.
See, e.g., CISA Cybersecurity Advisory at 1-2 (a CISA Red Team was able to gain access to systems adjacent to the organization's sensitive business systems (SBSs) by moving laterally from workstations and servers through an Active Directory system; Phase I of the attack ended before the team could implement a viable plan to achieve access to a SBS).
19. Second, NERC avers that requiring INSM implementation outside the electronic security perimeter could have the unintended effect of impeding an entity's ability to detect and respond to threats to their most critical systems due to alarm and alert fatigue from large volumes of generated data. Extending INSM implementation to include EACMS and PACS may generate large volumes of data; however, we believe that the data can be managed and that the security benefits of implementing INSM outside the electronic security perimeter outweigh the burden associated with increased volumes of data. Defining incident alerting thresholds and establishing a baseline for normal network activity can reduce the potential for alarm and alert fatigue. Restricting INSM to the assets within the electronic security perimeter could leave the most critical networks vulnerable to an attack from outside the electronic security perimeter. Assets such as EACMS are high value targets for an attack because if successfully compromised, EACMS would allow an attacker to infiltrate the perimeter as a trusted communication. Further, declining to extend INSM implementation to EACMS and PACS outside the electronic security perimeter leaves a reliability gap because responsible entities will lack visibility into the high percentage of east-west traffic that occurs within the CIP-networked environment. Monitoring and alerting of east-west traffic enables quicker detection of malicious communications, minimizing potential harmful effects. Additionally, the collected data serves as invaluable forensic evidence in the event of an attempted or successful compromise of the CIP-networked environment.
NERC Petition at 14-15 n.45.
See NIST SP 800-82r3 at 130 (discussing alert “noise” from typical network traffic that can result from implementation of network security monitoring).
See id. at 127-128 (recommending that organizations define incident alert thresholds to establish an efficient incident detection capability as not all events and anomalies are malicious or require investigation and establish alerting thresholds on baselines of normal network traffic and data flows to reduce false positive and nuisance alarms).
See, e.g., CISA Cybersecurity Advisory at 14 (finding a CISA red team gained access to an organization's network due to the lack of monitoring on endpoint management systems—high valued assets—that can include the monitoring system part of an EACMS).
NIST states that over 75% of network traffic is now east-west or server-to-server, i.e., traffic that is not covered by a perimeter-based defense approach. See NIST SP 800-215 at 5.
See id. at 5.
20. Third, NERC asserts that requiring INSM implementation outside the electronic security perimeter would not promote security and reliability inside the CIP-networked environment or that the cost of doing so would outweigh associated benefits. We disagree. EACMS and PACS are integral to the effective operation of BES Cyber Systems within the electronic security perimeter in providing services, such as centralized authentication, authorization, and monitoring, and serving as the access point to the electronic security perimeter. These assets are valued targets for an attacker and illustrate the need for a defense-in-depth strategy for cybersecurity. Implementing INSM outside the electronic security perimeter provides significant benefits in monitoring, detecting, and collecting malicious code or anomalous activity from attackers moving east-west within the EACMS or PACS network segments of the CIP-networked environment and is a fundamental cybersecurity practice.
NERC Petition at 15-16 n.46.
NERC, Lessons Learned: CIP Version 5 Transition Program (Sept. 2015), https://www.nerc.com/pa/CI/tpv5impmntnstdy/LL_EACMS_Mixed_Trust_Authentication_Sep_10_2015_clean.pdf.
See, e.g., CISA Cybersecurity Advisory at 2-6, 14.
See NIST SP 800-215 at 5; NSA Network Security Guide at 3.
C. Proposed Directive
21. Pursuant to section 215(d)(5) of the FPA, the Commission proposes to direct NERC to develop modifications to proposed Reliability Standard CIP-015-1 that would extend INSM to include EACMS and PACS outside the electronic security perimeter. We also propose directing NERC to submit the revised Reliability Standard for Commission approval within 12 months of the effective date of a final rule in this proceeding. We seek comment on all aspects of this proposal.
III. Information Collection Statement
22. The FERC-725B information collection requirements are subject to review by the Office of Management and Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 1995. OMB's regulations require approval of certain information collection requirements imposed by agency rules. Upon approval of a collection of information, OMB will assign an OMB control number and expiration date. Respondents subject to the filing requirements will not be penalized for failing to respond to these collections of information unless the collections of information display a valid OMB control number. The Commission solicits comments on the need for this information, whether the information will have practical utility, the accuracy of the burden estimates, ways to enhance the quality, utility, and clarity of the information to be collected or retained, and any suggested methods for minimizing respondents' burden, including the use of automated information techniques.
23. The Commission bases its paperwork burden estimates on the additional paperwork burden presented by the proposed revision to Reliability Standard CIP-015-1 as this is a new proposed Reliability Standard. Reliability Standards are objective-based and allow entities to choose compliance approaches best tailored to their systems. The NERC Compliance Registry, as of July 2024, identifies approximately 1,636 unique U.S. entities that are subject to mandatory compliance with CIP Reliability Standards. Of this total, we estimate that 400 entities will face an increased paperwork burden under proposed Reliability Standard CIP-015-1. Based on these assumptions, we estimate the following reporting burden:
Annual Changes Proposed by the NOPR in Docket No. RM24-7-000
The paperwork burden estimate includes costs associated with the initial development of a policy to address the requirements.
This burden applies in Year One to Year Three.
The hourly cost for wages is based in part on the average of the occupational categories from the Bureau of Labor Statistics website ( http://www.bls.gov/oes/current/naics2_22.htm ) plus benefits:
Legal (Occupation Code: 23-0000): $162.66.
Electrical Engineer (Occupation Code: 17-2071): $79.31.
Office and Administrative Support (Occupation Code: 43-0000): $48.59.
($162.66 + $79.31 + $48.59) ÷ 3 = $96.85.
The figure is rounded to $97.00 for use in calculating wage figures in this NOPR.
The paperwork burden estimate includes costs associated with the initial development of a policy to address the requirements.
This burden applies in Year One to Year Three.
The hourly cost for wages is based in part on the average of the occupational categories from the Bureau of Labor Statistics website ( http://www.bls.gov/oes/current/naics2_22.htm ) plus benefits:
Legal (Occupation Code: 23-0000): $162.66.
Electrical Engineer (Occupation Code: 17-2071): $79.31.
Office and Administrative Support (Occupation Code: 43-0000): $48.59.
($162.66 + $79.31 + $48.59) ÷ 3 = $96.85.
The figure is rounded to $97.00 for use in calculating wage figures in this NOPR.