Preparing for NERC CIP-015-1: Internal Network Security Monitoring for Electric Utilities

We’re finally in the home stretch for the long-anticipated updates to the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards, which introduce a new reliability standard: CIP-015-1 – Cyber Security – Internal Network Security Monitoring (INSM). In January 2023, the Federal Energy Regulatory Commission (FERC) issued Order 887 directing NERC, which it oversees, to create the standard.

CIP-015-1 made it through the NERC adoption process on May 9, 2024, and is pending approval by FERC. Once it’s approved (T0), all high-impact bulk electric systems (BESs) across the U.S. and Canada will have 36 months to implement INSM, and medium-impact BESs with external routable connectivity (ERC) will have 60 months to do so.

INSM timeline
Source: NERC Implementation Plan: Project 2023-03 Internal Network Security Monitoring (INSM) Reliability Standard CIP-015-1

The new reliability standard reflects the need to monitor East-West traffic within trust zones to protect critical cyber assets in CIP network environments. This article will define INSM, summarize the CIP-015-1 requirements and explain why East-West traffic monitoring, whether required or not, is a smart move for a sector that is under increasing cyberattack from nation-state actors.

What Is Internal Network Security Monitoring?

INSM provides continuous visibility into how networked devices within a trusted zone are communicating with each other, allowing for early detection of malicious or anomalous activity within that zone. Once inside such a zone, an attacker must communicate with targeted assets using their protocols to execute commands or spread malware. The INSM would identify this traffic as anomalous and flag it for investigation.

The NERC FAQ for CIP-015-1 describes the full capabilities of an INSM as follows:

...For example, properly placed, configured, and tuned INSM capabilities such as intrusion detection system and intrusion prevention system sensors could detect and/or block malicious activity early and alert an entity of compromise. INSM can also be used to record network traffic for analysis, providing a baseline that an entity can use to better detect malicious activity. Establishing baseline network traffic allows entities to define what is and is not normal expected network activity and determine whether observed anomalous activity warrants further investigation. The recorded network traffic can also be retained to facilitate timely recovery and/or perform a thorough post-incident analysis of malicious activity.

Another way to think of INSM is in terms of traffic direction. Traditional network monitoring solutions monitor North-South traffic between Purdue levels or firewalls, but communications between devices within a zone have long been a blind spot. INSM solves for this. By definition, INSM refers solely to network monitoring, but safe, non-disruptive agents purpose-built for OT devices are an efficient complement. For example, Nozomi Arc endpoint sensors shed light on once-unreachable, unmonitored areas of your environment where network sensors aren’t practical or are insufficient to detect East-West traffic, USB ports, log files, local network traffic and user activity.

What Are the NERC CIP-015-1 INSM Requirements?

NERC CIP-015-1 mandates network security monitoring within a trusted zone (referred to as an electronic security perimeter, or ESP), where critical cyber assets reside. It mandates implementation of technology that can detect intrusions and malicious activity to speed mitigation of an attack in progress. In keeping with the original FERC directive (paraphrased here), responsible entities must:

  • Develop baselines of their network traffic inside the environment, including communications and protocols.
  • Monitor and detect unauthorized activity, connections, devices and software.
  • Identify anomalous activity by logging network traffic, maintaining logs and preventing attackers from removing evidence of their activities.

The new standard has three requirements for data collection, retention and protection. Following are brief summaries of each requirement, what it means and implementation considerations for BES asset owners.

R1 – Implement network data feed(s) to monitor network activity (including connections, devices and network communications), detect anomalous network activity and evaluate that activity to determine further action(s).

When implementing an INSM solution, responsible entities will need to identify which data sources to collect in order to determine network baselines, and develop criteria to evaluate anomalous activity, for every environment. A baseline within a substation will look very different from one for a control center. This would be an enormous amount of work unless it’s automated. A continuous internal monitoring solution instantly detects all connected assets and uses artificial intelligence trained on your environment to determine baseline behavior and recognize anomalies thereafter. Most upfront decisions will be made during system implementation based on best practices across hundreds of similar environments, with tuning as needed to minimize false positives and nuisance alerts.
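The per-environment baselining described above can be sketched as follows. This is an added example, not code from NERC or from any vendor's product: it uses a simple set-membership baseline in place of the trained models a commercial tool would use, and the zone subnets, flow records and function names are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed addressing: one subnet per ESP (assumed, not from the standard).
ZONES = {"substation-a": ip_network("10.10.1.0/24"),
         "control-center": ip_network("10.20.1.0/24")}

def zone_of(ip):
    return next((n for n, net in ZONES.items() if ip_address(ip) in net), None)

def east_west(flows):
    """Yield (zone, conversation) for flows with both endpoints in the same ESP."""
    for src, dst, proto, dport in flows:
        zone = zone_of(src)
        if zone is not None and zone == zone_of(dst):
            yield zone, (src, dst, proto, dport)

def build_baseline(flows):
    """Per-zone baseline: devices seen and conversations seen while learning."""
    base = defaultdict(lambda: {"devices": set(), "convs": set()})
    for zone, conv in east_west(flows):
        base[zone]["devices"].update(conv[:2])
        base[zone]["convs"].add(conv)
    return base

def evaluate(baseline, flows):
    """Return (zone, finding, conversation) for flows outside the zone baseline."""
    findings = []
    for zone, conv in east_west(flows):
        known = baseline.get(zone, {"devices": set(), "convs": set()})
        if not set(conv[:2]) <= known["devices"]:
            findings.append((zone, "new-device", conv))
        elif conv not in known["convs"]:
            findings.append((zone, "new-conversation", conv))
    return findings

# Constructed flow records: (src, dst, proto, dst_port).
LEARNING = [
    ("10.10.1.10", "10.10.1.20", "tcp", 20000),  # DNP3 poll inside the substation
    ("10.20.1.5", "10.20.1.6", "tcp", 443),      # control-center HTTPS
    ("10.20.1.5", "10.10.1.10", "tcp", 20000),   # crosses zones (North-South): skipped
]
OBSERVED = [
    ("10.10.1.10", "10.10.1.20", "tcp", 20000),  # matches baseline
    ("10.10.1.20", "10.10.1.10", "tcp", 502),    # known devices, new protocol (Modbus)
    ("10.10.1.99", "10.10.1.20", "tcp", 20000),  # device never seen in this zone
]
if __name__ == "__main__":
    print(evaluate(build_baseline(LEARNING), OBSERVED))
```

Each zone keeps its own baseline, so a conversation that is normal in the control center still raises a finding if it first appears inside the substation.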

R2 – Implement a policy to retain collected INSM data associated with anomalous network activity long enough to evaluate it and determine appropriate actions, including escalation processes.

To protect the integrity of INSM data, responsible parties can leverage existing security controls that protect data from other systems, such as limiting system access, applying appropriate segmentation and imposing multi-factor authentication. Recommended controls can be implemented during initial system configuration.

R3 – Retain network communications and other metadata collected with sufficient detail and duration to support analysis.

Because CIP-015-1 is objective and not prescriptive, responsible entities can determine for themselves how much data to retain for how long to ensure it’s available if needed to evaluate anomalous traffic. Again, existing data retention policies for incident investigation may well apply, with longer retention periods for higher-value data.

How Does INSM Close a Security Gap for Electric Utilities?

The current NERC CIP standards only require monitoring of traffic into and out of an ESP. CIP-005-7 requires using a traditional intrusion detection system to monitor ESPs at their electronic access point, and CIP-007-6 pertains specifically to anti-virus software. Both rely on comparing duplicated traffic to known signatures of malicious code. At least since 2018, however, malicious actors have been using increasingly sophisticated methods to evade detection by signature-based defenses. Once they have bypassed your ESP firewall, they can gain access to your critical cyber assets.

Unlike signature-based methods, INSMs compare actual incoming traffic to established baselines of expected activity.

Stakeholder Challenges and How to Prepare for Them

Implementing behavior-based anomaly detection will help utilities better protect critical cyber assets within trusted zones. It will also impact various stakeholders and present them with new challenges that they may want to prepare for now. Here's a snapshot of those challenges and recommended strategies.

| Stakeholder | Impact | Challenges | Preparation Strategies |
| --- | --- | --- | --- |
| Utility Companies | Must ensure compliance with CIP-015-1 by implementing INSM across high- and medium-impact BESs. | Cost to upgrade monitoring infrastructure and integrate new systems. | Assess current systems, allocate budget for upgrades, begin phasing in INSM before deadlines. |
| Cybersecurity Teams | Responsible for setting up and managing INSM systems to detect and respond to threats. | Increased workload due to continuous monitoring and need for advanced anomaly detection skills. | Invest in training for cybersecurity personnel, automate processes where possible, work with vendors offering INSM solutions aligned with CIP-015-1. |
| Regulators (e.g., NERC) | Oversee implementation and compliance of CIP-015-1 across applicable entities. | Ensuring all entities meet compliance deadlines and managing the volume of compliance reporting. | Develop clear guidelines and resources for entities to understand requirements, establish regular check-ins, create a streamlined process for compliance submissions. |
| Vendors and Contractors | Providing the tools and services needed for INSM implementation in compliance with CIP-015-1. | Developing and delivering solutions that meet the CIP-015-1 requirements within tight timelines. | Work closely with utilities and cyber teams to customize solutions, offer pilot programs to demonstrate effectiveness, ensure products comply with the standard. |

Meet the NERC CIP Standards Holistically with Nozomi Networks

CIP-015-1 is considered an objective-based standard vs. a prescriptive one, which means entities may implement the INSM method(s) of their choice to achieve the desired results. The Nozomi Networks platform supports the NERC CIP cybersecurity standards that require technology, including INSM.

NERC CIP requirements Nozomi Networks can support.

The Nozomi Networks platform delivers:

  • Asset Visibility & Vulnerability Assessment: Automated asset identification saves time and helps achieve a centralized view of your ICS and its related assets. Comprehensive vulnerability analysis supports prioritized and efficient risk reduction efforts with actionable insights on remediation steps, patches and upgrades.
  • Network Monitoring & Threat Detection: AI-driven network monitoring and threat detection quickly identifies any anomalous activity in a CIP-networked environment, including within trusted zones where critical assets reside.
  • Dashboards & Reporting: A NERC CIP-specific content pack helps teams demonstrate compliance for auditors quickly, and our dashboards, query capabilities and forensic tools identify root causes, enhance incident response efforts and facilitate NERC CIP incident reporting requirements.
