This post was updated on November 13, 2024
The long and winding road to enforcement of an internal network security monitoring (INSM) standard for U.S. and Canadian electric utilities continues — and widens. On Sept. 19, 2024, the Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NOPR) seeking to approve North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standard 015-1. Once it’s approved (T0), all high-impact bulk electric systems (BESs) across the U.S. and Canada will have 36 months to implement INSM, and medium-impact BESs with external routable connectivity (ERC) will have 60 months to do so.
This development solidifies what we already know, that perimeter defenses are not enough to protect utilities; internal monitoring is also required. So much so, FERC believes, that in the same NOPR it directs NERC to extend INSM to include electronic access control or monitoring systems (EACMS) and physical access control systems (PACS) outside the electronic security perimeter. NERC will have 12 months from the effective date of the final rule to submit its “responsive revised” reliability standard.
While details about the extended INSM requirement aren't yet known, with approval of CIP-015-1 all but certain, it's time for utility operators to get started. This article will define INSM, summarize the CIP-015-1 requirements and explain how, as a continuous internal network security monitoring solution, the Nozomi Networks platform addresses them.
What Is Internal Network Security Monitoring?
INSM provides continuous visibility into how networked devices within a trusted zone are communicating with each other, allowing for early detection of malicious or anomalous activity within that zone. Once inside such a zone, an attacker must communicate with targeted assets using their protocols to execute commands or spread malware. The INSM would identify this traffic as anomalous and flag it for investigation.
The NERC FAQ for CIP-015-1 describes the full capabilities of an INSM as follows:
...For example, properly placed, configured, and tuned INSM capabilities such as intrusion detection system and intrusion prevention system sensors could detect and/or block malicious activity early and alert an entity of compromise. INSM can also be used to record network traffic for analysis, providing a baseline that an entity can use to better detect malicious activity. Establishing baseline network traffic allows entities to define what is and is not normal expected network activity and determine whether observed anomalous activity warrants further investigation. The recorded network traffic can also be retained to facilitate timely recovery and/or perform a thorough post-incident analysis of malicious activity.
Another way to think of INSM is in terms of traffic direction. Traditional network monitoring solutions monitor North-South traffic between Purdue levels or firewalls, but communications between devices within a zone have long been a blind spot. INSM solves for this. By definition, INSM refers solely to network monitoring, but safe, non-disruptive agents purpose-built for OT devices are an efficient complement. For example, Nozomi Arc endpoint sensors shed light on once unreachable, unmonitored areas of your environment where network sensors aren’t practical or are insufficient to detect East-West traffic, USB ports, log files, local network traffic and user activity.
What Are the NERC CIP-015-1 INSM Requirements?
NERC CIP-015-1 mandates network security monitoring within a trusted zone (referred to as an electronic security perimeter, or ESP), where critical cyber assets reside. It mandates implementation of technology that can detect intrusions and malicious activity to speed mitigation of an attack in progress. In keeping with the original FERC directive (paraphrased here), responsible entities must:
- Develop baselines of their traffic network inside the environment, including communications and protocols.
- Monitor and detect unauthorized activity, connections, devices and software.
- Identify anomalous activity by logging network traffic, maintaining logs and preventing attackers from removing evidence of their activities.
The new standard has three requirements for data collection, retention and protection. Following are the requirements, a brief discussion of what they mean and how, the Nozomi Networks platform helps.
R1: Responsible Entity shall implement one or more documented process(es) for internal network security monitoring (INSM) of high impact BES Cyber Systems (BCS) and medium impact BCS with External Routable Connectivity (ERC) within the Responsible Entity’s ESPs to increase the probability of detecting anomalous or unauthorized network activity.
Discussion: When implementing an INSM solution, responsible entities will need to identify what data sources will be collected to determine network baselines and develop criteria to evaluate anomalous activity… for every environment. A baseline within a substation will look very different than one for a control center. This would be an enormous amount of work unless it’s automated.
How Nozomi helps: The Nozomi Networks platform and implementation approach provide the technical capabilities, and multiple documentation elements which serve as inputs to the required documentation artifacts.
As a continuous internal monitoring solution, our sensors instantly detect all connected assets and use artificial intelligence trained on your environment to determine baseline behavior and recognize anomalies thereafter. During implementation, the system can also be configured based on best practices across hundreds of similar environments to minimize false positives.
R1.1 Identify network data collection locations and methods, based on the network security risk(s), to monitor network activity including connections, devices, and network communications.
How Nozomi helps: Our deployment approach includes efforts to identify and document appropriate locations from which to monitor network activity.
R1.2 Implement one or more method(s) to detect anomalous network activity using the data collected at locations identified in Part 1.1.
How Nozomi helps: Our platform continuously monitors the network to detect malicious and anomalous network activity using the data collected.
R1.3 Implement one or more method(s) to evaluate activity detected in Part 1.2 to determine appropriate action.
How Nozomi helps: Our platform provides multiple capabilities to evaluate detected activity to determine appropriate action, such as the network graph, asset and network information, alerts (timelines and details), forensic comparison of baselines, playbooks including relevant methods, responses and escalation processes.
R2 Responsible Entity shall implement one or more documented process(es) to protect INSM data collected in support of Requirement R1 to mitigate the risks of unauthorized deletion or modification, except during CIP Exceptional Circumstances.
Discussion: To protect the integrity of INSM data, responsible parties can leverage existing security controls that protect data from other systems; i.e., limiting system access, appropriate segmentation and imposing multi-factor authentication. Recommended controls can be implemented during initial system configuration.
How Nozomi helps: Our platform offers adjustable retention settings, and images of the sensor, including all data, can be backed up to a desired location.
R3 Responsible Entity shall implement one or more documented process(es) to retain network communications data and other meta data collected with sufficient detail and duration to support the analysis in Requirement R1, Part 1.3, except during CIP Exceptional Circumstances.
Discussion: Because CIP-015-1 is objective and not prescriptive, responsible entities can determine for themselves how much data to retain for how long to ensure it’s available if needed to evaluate anomalous traffic. Again, existing data retention policies for incident investigation may well apply, with longer retention periods for higher-value data.
How Nozomi helps: Our platform provides the relevant system configuration details and reports to inform the required documentation.
How Does INSM Close a Security Gap for Electric Utilities?
The current NERC CIP standards only require monitoring of traffic into and out of an ESP. CIP-005-7 requires using a traditional intrusion detection system to monitor ESPs at their electronic access point, and CIP-007-6 pertains specifically to anti-virus software. Both solutions rely on signatures to compare duplicated traffic to known signatures of malicious code. At least since 2018, however, malicious actors have been using increasingly sophisticated methods to evade detection by signature-based defenses. Once they have bypassed your ESP firewall, they can gain access to your critical cyber assets.
Unlike signature-based methods, INSMs compare actual incoming traffic to established baselines of expected activity.
Stakeholder Challenges and How to Prepare for Them
Implementing behavior-based anomaly detection will help utilities better protect critical cyber assets within trusted zones. It will also impact various stakeholders and present them with new challenges that they may want to prepare for now. Here's a snapshot of those challenges and recommended strategies.
Meet the NERC CIP Standards Holistically with Nozomi Networks
CIP-015-1 is considered an objective-based standard vs. a prescriptive one, which means entities may implement the INSM method(s) of their choice to achieve the desired results. The Nozomi Networks platform supports the NERC CIP cybersecurity standards that require technology, including INSM.
The Nozomi Networks platform delivers:
- Asset Visibility & Vulnerability Assessment: Automated asset identification saves time and helps achieve a centralized view of your ICS and its related assets. Comprehensive vulnerability analysis supports prioritized and efficient risk reduction efforts with actionable insights on remediation steps, patches and upgrades.
- Network Monitoring & Threat Detection: AI-driven network monitoring and threat detection quickly identifies any anomalous activity in a CIP-networked environment, including within trusted zones where critical assets reside.
- Dashboards & Reporting: A NERC CIP content pack helps teams demonstrate compliance for auditors quickly, and our dashboards, query capabilities and forensic tools identify root causes, enhance incident response efforts and facilitate NERC CIP reporting requirements.
To see how Nozomi Networks’ solution supports NERC CIP compliance requirements, download our mapping guide below.
