Sunday, September 22, 2024

FERC will approve NERC CIP-015-1

At their monthly “Sunshine Meeting” on September 19, the Federal Energy Regulatory Commission (FERC) announced a Notice of Proposed Rulemaking (NOPR) that says they intend to approve CIP-015-1, the new NERC Reliability Standard for internal network security monitoring (INSM); they also announced there will be a two-month comment period before they are ready to issue their order approving the standard.

E&E News described this, and two other important FERC actions taken during the Sunshine Meeting, in this article (which is behind a paywall). The article quotes me regarding the NOPR:

The new standard “is needed because there's nothing in the [FERC] requirements now that deals with monitoring an internal network to catch intruders. It's all about preventing bad guys from penetrating the network in the first place,” said grid security consultant Tom Alrich.

“However, it's become painfully clear that nobody can count on keeping the bad guys out forever. Once in, they need to be detected as soon as possible, so they can be removed or at least prevented from causing damage,” Alrich added.

FERC’s NOPR wasn’t a surprise. In Order 887 of January 19, 2023, FERC ordered that NERC develop “requirements within the Critical Infrastructure Protection (CIP) Reliability Standards for internal network security monitoring (INSM) of all high impact BES Cyber Systems and medium impact BES Cyber Systems with External Routable Connectivity (ERC).”

The NERC Standards Drafting Team (SDT) that addressed Order 887 followed FERC’s instructions closely; the result was that FERC approved CIP-015-1 a little less than 4 months after final approval by the NERC Board of Trustees and submission to FERC. This is lightning fast in the NERC/FERC world.

What also wasn’t a surprise – since FERC does this very often when they approve a new or revised NERC CIP standard – was that FERC proposed to require that NERC add something to CIP-015-1. Specifically, FERC indicated it will direct NERC to expand the scope of CIP-015 to include high and medium impact Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS); the standard submitted to FERC includes only high and medium impact BES Cyber Systems (BCS), which were all that FERC asked for in Order 887.

As in all cases where FERC has done this, the amendment will not be made to the standard that FERC proposes to approve, namely CIP-015-1. Instead, CIP-015-1 will come into effect as it stands now, once FERC issues their order after the comment period ends. Then another Standards Drafting Team (which could be the same one that developed CIP-015-1) will draft and seek approval for version 2 of CIP-015, numbered CIP-015-2. FERC’s rationale for ordering this change is interesting. It is discussed on pages 14-20 of the NOPR.

There is another interesting aspect of this development, which is nowhere referenced in the NOPR (and since it’s not legally linked with the subject of the NOPR, I would have been surprised if FERC had mentioned it): It is very likely that many (or even most) services offered for INSM will be based in the cloud. And since they will probably provide what a CIP auditor might consider to be “access monitoring”, they may be judged to fall under the EACMS definition: “Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Devices.”

Given that INSM services (or more specifically, the cloud-based software that implements the services) may be considered EACMS, they would need to comply with the large number of current NERC CIP Requirements and Requirements Parts that list EACMS in their scope. As such, they would run into exactly the same problem that other medium and high impact BES Cyber Systems, EACMS and PACS run into, when it comes to the question of implementing them in the cloud: Many of the CIP requirements that the provider would need to comply with would be close to impossible for any cloud service provider (CSP) to implement, unless they were willing to break their cloud business model – for example, by locking the physical assets containing a NERC entity’s BCS, EACMS and PACS in a single room, with access controlled by the entity (in order to comply with the requirements of CIP-006-6). Few if any CSPs will be willing to do this.

Ironically, this means that, if no other changes are made to the CIP standards (or perhaps to related documents like CMEP Practice Guides), NERC entities who wish to comply with CIP-015-1 once the three-year implementation period[i] finishes will have fewer compliance tools available to them than organizations not subject to NERC CIP compliance, since they might not be able to use cloud-based INSM services. This may result in higher costs, reduced functionality or both.

It might seem unlikely to you that the cloud/CIP problem, which a new SDT is now considering, will still be unsolved 3 ½ years from now; in other words, you might expect that new or revised CIP standards approved by NERC and FERC will be in effect by then. However, I think it’s quite unlikely that those standards will be in place that soon. On the other hand, maybe the fact that CIP-015-1 compliance will be mandatory 3 ½ years from now will help move the process along.

Are you a vendor of current or future cloud-based services or software that would like to figure out an appropriate strategy for selling to customers subject to NERC CIP compliance? Or are you a NERC entity that is struggling to understand what your current options are regarding cloud-based software and services? Please drop me an email so we can set up a time to discuss this!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


[i] The implementation period for a new or revised NERC standard always starts soon after FERC approves the standard, specifically, after the order is published in the Federal Register.
