Internal Network Security Monitoring for High and Medium Impact Bulk Electric System Cyber Systems
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Abstract
The Federal Energy Regulatory Commission (Commission) is directing the North American Electric Reliability Corporation (NERC) to develop and submit within 15 months of the effective date of this final action for Commission approval new or modified Reliability Standards that require internal network security monitoring within a trusted Critical Infrastructure Protection networked environment for all high impact bulk electric system (BES) Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity. In addition, the Commission directs NERC to perform a study of all low impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems without external routable connectivity, as set forth in the final action, and to submit its study report to the Commission within 12 months of the issuance of this final action.
Full Text
<html>
<head>
<title>Federal Register, Volume 88 Issue 27 (Thursday, February 9, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 27 (Thursday, February 9, 2023)]
[Rules and Regulations]
[Pages 8354-8368]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-01453]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
18 CFR Part 40
[Docket No. RM22-3-000; Order No. 887]
Internal Network Security Monitoring for High and Medium Impact
Bulk Electric System Cyber Systems
AGENCY: Federal Energy Regulatory Commission, Department of Energy.
ACTION: Final action.
-----------------------------------------------------------------------
SUMMARY: The Federal Energy Regulatory Commission (Commission) is
directing the North American Electric Reliability Corporation (NERC) to
develop and submit within 15 months of the effective date of this final
action for Commission approval new or modified Reliability Standards
that require internal network security monitoring within a trusted
Critical Infrastructure Protection networked environment for all high
impact bulk electric system (BES) Cyber Systems with and without
external routable connectivity and medium impact BES Cyber Systems with
external routable connectivity. In addition, the Commission directs
NERC to perform a study of all low impact BES Cyber Systems with and
without external routable connectivity and medium impact BES Cyber
Systems without external routable connectivity, as set forth in the
final action, and to submit its study report to the Commission within
12 months of the issuance of this final action.
DATES: This final agency action is effective April 10, 2023.
FOR FURTHER INFORMATION CONTACT: Cesar Tapia (Technical Information),
Office of Electric Reliability, Federal Energy Regulatory Commission,
888 First Street NE, Washington, DC 20426, (202) 502-6559,
cesar.tapia@ferc.gov.
Leigh Faugust (Legal Information), Office of the General Counsel,
Federal Energy Regulatory Commission, 888 First Street NE, Washington,
DC 20426, (202) 502-6396, leigh.faugust@ferc.gov.
Seth Yeazel, Office of the General Counsel, Federal Energy
Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202)
502-6890, seth.yeazel@ferc.gov.
SUPPLEMENTARY INFORMATION:
Table of Contents
                                                        Paragraph No.
I. Introduction ................................................ 1
II. Background ................................................. 7
    A. Section 215 and the Mandatory Reliability Standards ..... 7
    B. Internal Network Security Monitoring .................... 8
    C. Notice of Proposed Rulemaking ........................... 13
III. Need for Reform ........................................... 18
IV. Discussion ................................................. 23
    A. Overview ................................................ 23
    B. INSM for High and Medium Impact BES Cyber Systems ....... 31
        1. Comments ............................................ 32
        2. Commission Determination ............................ 48
    C. INSM for Low Impact BES Cyber Systems ................... 59
        1. Comments ............................................ 61
        2. Commission Determination ............................ 67
    D. Security Objectives ..................................... 69
        1. Comments ............................................ 70
        2. Commission Determination ............................ 76
    E. Standards Development Timeframe ......................... 80
        1. Comments ............................................ 81
[[Page 8355]]
        2. Commission Determination ............................ 85
    F. NERC Study and Report on INSM Implementation ............ 87
V. Information Collection Statement ............................ 91
VI. Environmental Analysis ..................................... 96
VII. Regulatory Flexibility Act ................................ 97
VIII. Document Availability .................................... 100
IX. Effective Date and Congressional Notification .............. 103
I. Introduction
1. Pursuant to section 215(d)(5) of the Federal Power Act (FPA),\1\
the Commission directs the North American Electric Reliability
Corporation (NERC) to develop new or modified Critical Infrastructure
Protection (CIP) Reliability Standards that require internal network
security monitoring (INSM) for CIP-networked environments for all high
impact bulk electric system (BES) Cyber Systems \2\ with and without
external routable connectivity and medium impact BES Cyber Systems with
external routable connectivity.\3\ Further, the Commission directs NERC
to submit a report within 12 months of issuance of this final action
that studies the feasibility of implementing INSM at all low impact BES
Cyber Systems \4\ and medium impact BES Cyber Systems without external
routable connectivity (i.e., BES Cyber Systems not subject to the new
or revised Reliability Standards).\5\
---------------------------------------------------------------------------
\1\ 16 U.S.C. 824o(d)(5) (The Commission may order the Electric
Reliability Organization to submit to the Commission a proposed
reliability standard or a modification to a reliability standard
that addresses a specific matter if the Commission considers such a
new or modified reliability standard appropriate to carry out this
section.).
\2\ BES Cyber Systems are defined as ``one or more BES Cyber
Assets logically grouped by a responsible entity to perform one or
more reliability tasks.'' See NERC, Glossary of Terms Used in NERC
Reliability Standards (2022) (NERC Glossary), <a href="https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf">https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf</a>. BES Cyber
Systems are categorized as high, medium, or low impact depending on
the functions of the assets housed within each system and the risk
they potentially pose to the reliable operation of the Bulk-Power
System. Reliability Standard CIP-002-5.1a (BES Cyber System
Categorization) sets forth criteria that registered entities apply
to categorize BES Cyber Systems as high, medium, or low impact
depending on the adverse impact that loss, compromise, or misuse of
those BES Cyber Systems could have on the reliable operation of the
BES. The impact level (i.e., high, medium, or low) of BES Cyber
Systems, in turn, determines the applicability of security controls
for BES Cyber Systems that are contained in the remaining CIP
Reliability Standards (i.e., Reliability Standards CIP-003-8 to CIP-
013-1).
\3\ NERC defines external routable connectivity as the ``ability
to access a BES Cyber System from a Cyber Asset that is outside of
its associated Electronic Security Perimeter via a bi-directional
routable protocol connection.'' See NERC Glossary.
\4\ For ease of reference, low impact BES Cyber Systems include
those with and without external routable connectivity.
\5\ For ease of reference, BES Cyber Systems not subject to the
new or revised Reliability Standards in this final action will be
referred to as all low impact BES Cyber Systems and medium impact
BES Cyber Systems without external routable connectivity.
---------------------------------------------------------------------------
2. INSM is a subset of network security monitoring that is applied
within a ``trust zone,'' \6\ such as an electronic security
perimeter.\7\ For the purpose of this rulemaking, the trust zone
applicable to INSM is the CIP-networked environment. INSM enables
continuing visibility over communications between networked devices
within a trust zone and detection of malicious activity that has
circumvented perimeter controls. Further, INSM facilitates the
detection of anomalous network activity indicative of an attack in
progress, thus increasing the probability of early detection and
allowing for quicker mitigation and recovery from an attack.
---------------------------------------------------------------------------
\6\ The U.S. Department of Homeland Security, Cybersecurity and
Infrastructure Security Agency (CISA) defines trust zone as a
``discrete computing environment designated for information
processing, storage, and/or transmission that share the rigor or
robustness of the applicable security capabilities necessary to
protect the traffic transiting in and out of a zone and/or the
information within the zone.'' CISA, Trusted Internet Connections
3.0: Reference Architecture, at 2 (July 2020), <a href="https://www.cisa.gov/sites/default/files/publications/CISA_TIC%203.0%20Vol.%202%20Reference%20Architecture.pdf">https://www.cisa.gov/sites/default/files/publications/CISA_TIC%203.0%20Vol.%202%20Reference%20Architecture.pdf</a>.
\7\ An electronic security perimeter is ``the logical border
surrounding a network to which BES Cyber Systems are connected using
a routable protocol.'' NERC Glossary.
---------------------------------------------------------------------------
3. We find that, while the CIP Reliability Standards require
monitoring of the electronic security perimeter and associated systems
for high and medium impact BES Cyber Systems, the CIP-networked
environment remains vulnerable to attacks that bypass network
perimeter-based security controls traditionally used to identify the
early phases of an attack. This presents a gap in the currently
effective CIP Reliability Standards. To address this gap, we direct
NERC to develop new or modified CIP Reliability Standards requiring
INSM for all high impact BES Cyber Systems with and without external
routable connectivity and medium impact BES Cyber Systems with external
routable connectivity to ensure the detection of anomalous network
activity indicative of an attack in progress. These provisions will
increase the probability of early detection and allow for quicker
mitigation and recovery from an attack.
4. As discussed below, while the Commission's notice of proposed
rulemaking (NOPR) \8\ in this proceeding proposed to direct NERC to
address INSM for all high and medium impact BES Cyber Systems, we are
persuaded by commenters that raised certain concerns with the NOPR
proposal and, in this final action, limit our directive to all high
impact BES Cyber Systems with and without external routable
connectivity and medium impact BES Cyber Systems with external routable
connectivity.
---------------------------------------------------------------------------
\8\ See Internal Network Sec. Monitoring for High & Medium
Impact Bulk Elec. Sys. Cyber Sys., Notice of Proposed Rulemaking, 87
FR 4173 (Jan. 27, 2022), 178 FERC ¶ 61,038, at P 31 (2022) (INSM
NOPR).
---------------------------------------------------------------------------
5. While NERC has flexibility in developing the content of INSM
requirements, the new or modified CIP Reliability Standards must
address the specific concerns that we identify in this final action. In
particular, in this final action, we direct NERC to develop new or
modified CIP Reliability Standards that are forward-looking, objective-
based, and that address the following three security objectives that
pertain to INSM. First, any new or modified CIP Reliability Standards
should address the need for responsible entities to develop baselines
of their network traffic inside their CIP-networked environment.
Second, any new or modified CIP Reliability Standards should address
the need for responsible entities to monitor for and detect
unauthorized activity, connections, devices, and software inside the
CIP-networked environment. And third, any new or modified CIP
Reliability Standards should require responsible entities to identify
anomalous activity to a high level of confidence by: (1) logging
network traffic (we note that packet capture is one means of
accomplishing this goal); \9\
[[Page 8356]]
(2) maintaining logs and other data collected regarding network
traffic; and (3) implementing measures to minimize the likelihood of an
attacker removing evidence of their tactics, techniques, and procedures
\10\ from compromised devices.\11\
---------------------------------------------------------------------------
\9\ While the NOPR stated that ``any new or modified CIP
Reliability Standards should address the ability to support
operations and response by requiring responsible entities to . . .
log and packet capture network traffic,'' id. (citation omitted), we
clarify in this final action that ``packet capture'' is one example
of how to support that goal. Packet capture allows information to be
intercepted in real-time and stored for long-term or short-term
analysis, thus providing a network defender greater insight into a
network. Packet captures provide context to security events, such as
intrusion detection system alerts. See CISA, National Cybersecurity
Protection System Cloud Interface Reference Architecture, Volume 1,
General Guidance, at 13, 25 (July 24, 2020), <a href="https://www.cisa.gov/sites/default/files/publications/CISA_NCPS_Cloud_Interface_RA_Volume-1.pdf">https://www.cisa.gov/sites/default/files/publications/CISA_NCPS_Cloud_Interface_RA_Volume-1.pdf</a>.
\10\ NIST defines tactics, techniques, and procedures as
describing the behavior of an actor, where ``Tactics are high-level
descriptions of behavior, techniques are detailed descriptions of
behavior in the context of a tactic, and procedures are even lower-
level, highly detailed descriptions in the context of a technique.''
NIST further explains that ``tactics, techniques, and procedures
could describe an actor's tendency to use a specific malware
variant, order of operations, attack tool, delivery mechanism (e.g.,
phishing or watering hole attack), or exploit.'' See NIST, NIST
Special Publication 800-150: Guide to Cyber Threat Information
Sharing, at 2 (Oct. 2016), <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf</a>.
\11\ INSM NOPR, 178 FERC ¶ 61,038 at P 31.
---------------------------------------------------------------------------
6. We also direct NERC to submit the new or modified CIP
Reliability Standards for Commission approval within 15 months of the
effective date of this final action. We believe that a 15-month
deadline provides sufficient time for NERC to develop responsive
standard(s) within NERC's standards development process.
7. Further, the Commission sought comment in the NOPR on the
possible implementation of INSM to detect malicious activity in
networks with low impact BES Cyber Systems but did not propose to
direct the development of Reliability Standards for INSM for low impact
BES Cyber Systems. In this final action, we direct NERC to conduct a
study to support future Commission actions to extend INSM requirements
to all low impact BES Cyber Systems and medium impact BES Cyber Systems
without external routable connectivity. Specifically, NERC should
include in its study a determination of: (1) ongoing risk to the
reliability and security of the Bulk-Power System posed by low and
medium impact BES Cyber Systems that would not be subject to the new or
modified Reliability Standards, including the number of low and medium
impact BES Cyber Systems not required to comply with the new or
modified standard; and (2) potential technological or other challenges
involved in extending INSM to additional BES Cyber Systems, as well as
possible alternative mitigating actions to address ongoing risks. We
believe that this information would provide the basis for further
Commission action, as warranted, regarding INSM or alternatives. We
direct NERC to file its study report with the Commission within 12
months of the issuance of this final action.
II. Background
A. Section 215 and the Mandatory Reliability Standards
8. FPA section 215 provides that the Commission may certify an
Electric Reliability Organization (ERO), the purpose of which is to
develop mandatory and enforceable Reliability Standards, subject to
Commission review and approval.\12\ Reliability Standards may be
enforced by the ERO, subject to Commission oversight, or by the
Commission independently.\13\ Pursuant to FPA section 215, the
Commission established a process to select and certify an ERO \14\ and
subsequently certified NERC.\15\
---------------------------------------------------------------------------
\12\ 16 U.S.C. 824o(c).
\13\ 16 U.S.C. 824o(e).
\14\ Rules Concerning Certification of the Elec. Reliability
Org.; & Procs. for the Establishment, Approval, & Enf't of Elec.
Reliability Standards, Order No. 672, 71 FR 8662 (Feb. 17, 2006),
114 FERC ¶ 61,104, order on reh'g, Order No. 672-A, 71 FR 19814
(Apr. 18, 2006), 114 FERC ¶ 61,328 (2006).
\15\ N. Am. Elec. Reliability Corp., 116 FERC ¶ 61,062, order on
reh'g and compliance, 117 FERC ¶ 61,126 (2006), aff'd sub nom.
Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
---------------------------------------------------------------------------
B. Internal Network Security Monitoring
9. INSM is designed to address as early as possible situations
where perimeter network defenses are breached by detecting intrusions
and malicious activity within a trust zone. INSM consists of three
stages: (1) collection; (2) detection; and (3) analysis. Taken
together, these three stages provide the benefit of early detection and
alerting of intrusions and malicious activity.\16\ Some of the tools
that may be used for INSM include: anti-malware; intrusion detection
systems; intrusion prevention systems; and firewalls.\17\ These tools
are multipurpose and can be used for collection, detection, and
analysis (e.g., forensics). Additionally, some of the tools (e.g.,
anti-malware, firewall, or intrusion prevention systems) have the
capability to block network traffic.
---------------------------------------------------------------------------
\16\ See Chris Sanders & Jason Smith, Applied Network Security
Monitoring, at 9-10 (Nov. 2013); see also ISACA, Applied Collection
Framework: A Risk-Driven Approach to Cybersecurity Monitoring (Aug.
18, 2020), <a href="https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2020/applied-collection-framework">https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2020/applied-collection-framework</a>.
\17\ See NIST Special Publication 800-83, Guide to Malware
Incident Prevention and Handling for Desktops and Laptops, at 10-13
(July 2013), <a href="https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-83r1.pdf">https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-83r1.pdf</a>.
---------------------------------------------------------------------------
10. The benefits of INSM can be understood by first describing the
way attackers commonly compromise targets. Attackers typically follow a
systematic process of planning and execution to increase the likelihood
of a successful compromise.\18\ This process includes reconnaissance
(e.g., information gathering), choice of attack type and method of
delivery (e.g., malware delivered through a phishing campaign), taking
control of the entity's systems, and carrying out the attack (e.g.,
exfiltration of project files, administrator credentials, and employee
personally identifiable information). Thus, successful cyberattacks
require the attacker to: (1) gain access to a target system; and (2)
execute commands while in that system.
---------------------------------------------------------------------------
\18\ SANS Institute, Applying Security Awareness to the Cyber
Kill Chain (May 31, 2019), <a href="https://www.sans.org/blog/applying-security-awareness-to-the-cyber-kill-chain/">https://www.sans.org/blog/applying-security-awareness-to-the-cyber-kill-chain/</a>.
---------------------------------------------------------------------------
11. INSM could better position an entity to detect malicious
activity that has circumvented perimeter controls and gained access to
the target system. Because an attacker that moves among devices
internal to a trust zone must use network pathways and required
protocols to send malicious communications, INSM will potentially alert
an entity of the attack and improve the entity's ability to stop the
attack at its early phases.
12. By providing visibility of network traffic that may only
traverse internally within a trust zone, INSM can warn entities of an
attack in progress. For example, properly placed, configured, and tuned
INSM capabilities such as intrusion detection system and intrusion
prevention system sensors could detect and/or block malicious activity
early and alert an entity of the compromise. INSM can also be used to
record network traffic for analysis, providing a baseline that an
entity can use to better detect malicious activity. Establishing
baseline network traffic allows entities to define what is and is not
normal and expected network activity and determine whether observed
anomalous activity warrants further investigation.\19\ The recorded
network traffic can also be retained to facilitate timely recovery and/
or perform a thorough post-incident analysis of malicious activity.
High quality data from collected network
[[Page 8357]]
traffic is important for recovering from cyberattacks as this type of
data allows for: (1) determining the timeframe for backup restoration;
(2) creating a record of the attack for incident reporting and
response; and (3) analyzing the attack itself to inform actions to
prevent it from happening again.\20\
---------------------------------------------------------------------------
\19\ See CISA, Best Practices for Securing Election Systems,
Security Tip (ST19-002) (Aug. 25, 2021), <a href="https://www.cisa.gov/tips/st19-002">https://www.cisa.gov/tips/st19-002</a>.
\20\ Help Net Security, Three Reasons Why Ransomware Recovery
Requires Packet Data (Aug. 2021), <a href="https://www.helpnetsecurity.com/2021/08/24/ransomware-recovery-packet-data/">https://www.helpnetsecurity.com/2021/08/24/ransomware-recovery-packet-data/</a>.
---------------------------------------------------------------------------
13. In summary, INSM better positions an entity to detect an
attacker in the early phases of an attack and reduces the likelihood
that an attacker can gain a strong foothold, including operational
control, on the target system. In addition to early detection and
mitigation, INSM may improve incident response by providing higher
quality data about the extent of an attack internal to a trust zone.
Finally, INSM provides insight into east-west network traffic \21\
happening inside the network perimeter, which enables a more
comprehensive picture of the extent of an attack compared to data
gathered from the network perimeter alone.\22\
---------------------------------------------------------------------------
\21\ East-west traffic refers to the communications among BES
Cyber Systems and is the specific type of network traffic that
remains within the network perimeter. It may refer to communication
between peer-to-peer industrial automation and control systems devices in a
network or to activity between servers or networks inside a data
center, rather than the data and applications that traverse networks
to the outside world. CISCO, Networking and Security in Industrial
Automation Environments Design Guide, at 111 (Aug. 2020), <a href="https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/Industrial_Automation/IA_Horizontal/DG/Industrial-AutomationDG.pdf">https://www.cisco.com/c/en/us/td/docs/solutions/Verticals/Industrial_Automation/IA_Horizontal/DG/Industrial-AutomationDG.pdf</a>;
The President's National Security Telecommunications Advisory
Committee, Report to the President on Software-Defined Networking,
at E-3 (Aug. 12, 2020), <a href="https://www.cisa.gov/sites/default/files/publications/NSTAC%20SDN%20Report%20%288-12-20%29.pdf">https://www.cisa.gov/sites/default/files/publications/NSTAC%20SDN%20Report%20%288-12-20%29.pdf</a>.
\22\ CISA, CISA Analysis: FY2020 Risk and Vulnerability
Assessments (July 2021), <a href="https://www.cisa.gov/sites/default/files/publications/FY20-RVA-Analysis_508C.pdf">https://www.cisa.gov/sites/default/files/publications/FY20-RVA-Analysis_508C.pdf</a>.
---------------------------------------------------------------------------
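The baseline-then-detect approach described in paragraphs 12 and 13, sketched as an added example that is not part of the Commission's order: it learns the known devices and per-conversation traffic volume from east-west flow records inside a trust zone, then flags unknown devices, connections absent from the baseline, and volume anomalies. The flow record fields, addresses, ports, byte counts and thresholds are all constructed assumptions.

```python
"""Baseline east-west flows inside a trust zone, then flag deviations.

Added illustration; every address, port and byte count is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    window: int   # index of the collection interval the flow was seen in
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int

    @property
    def conversation(self):
        return (self.src, self.dst, self.proto, self.dport)


def build_baseline(flows):
    """Collection stage: learn known devices and per-conversation volume."""
    per_window = defaultdict(lambda: defaultdict(int))
    devices = set()
    for f in flows:
        per_window[f.conversation][f.window] += f.nbytes
        devices.update((f.src, f.dst))
    volume = {}
    for conv, windows in per_window.items():
        totals = list(windows.values())
        volume[conv] = (mean(totals), pstdev(totals))
    return {"devices": devices, "volume": volume}


def detect(baseline, flows, sigmas=3.0, min_spread=0.10):
    """Detection stage: compare one window of observed flows to the baseline."""
    observed = defaultdict(int)
    for f in flows:
        observed[f.conversation] += f.nbytes
    findings = []
    for conv, total in sorted(observed.items()):
        src, dst, _, _ = conv
        unknown = sorted({src, dst} - baseline["devices"])
        if unknown:
            findings.append(("unknown_device", conv, unknown))
        elif conv not in baseline["volume"]:
            findings.append(("unbaselined_connection", conv, total))
        else:
            avg, dev = baseline["volume"][conv]
            # Floor the spread so a perfectly steady poll does not alert
            # on a trivial change in byte count.
            limit = avg + sigmas * max(dev, min_spread * avg)
            if total > limit:
                findings.append(("volume_anomaly", conv, total))
    return findings


# Constructed devices: an operator workstation, a field device, a historian,
# and one address that never appears during the baseline period.
HMI, RTU, HIST, ROGUE = "10.10.1.10", "10.10.1.20", "10.10.1.30", "10.10.1.99"


def sample_baseline_flows():
    flows = []
    for w in range(5):
        flows.append(Flow(w, HMI, RTU, "tcp", 20000, 4000 + 50 * w))
        flows.append(Flow(w, RTU, HIST, "tcp", 443, 12000))
    return flows


def sample_observed_flows():
    return [
        Flow(5, HMI, RTU, "tcp", 20000, 4100),   # matches the baseline
        Flow(5, RTU, HIST, "tcp", 443, 90000),   # far above learned volume
        Flow(5, HMI, HIST, "tcp", 445, 2000),    # known devices, new path
        Flow(5, ROGUE, RTU, "tcp", 20000, 300),  # device not in baseline
    ]


if __name__ == "__main__":
    baseline = build_baseline(sample_baseline_flows())
    for kind, conv, detail in detect(baseline, sample_observed_flows()):
        print(f"{kind:24} {conv} {detail}")
```

Each finding is a candidate for the analysis stage; the recorded flows behind it are what an entity would retain for incident response.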
C. Notice of Proposed Rulemaking
14. On January 20, 2022, the Commission issued the INSM NOPR
proposing to direct NERC to develop new or modified CIP Reliability
Standards to require INSM for high and medium impact BES Cyber Systems.
In the NOPR, the Commission preliminarily found that the currently
effective CIP Reliability Standards do not address INSM, thus leaving a
gap in the CIP Reliability Standards.\23\ The NOPR explained that
including INSM requirements in the CIP Reliability Standards would
ensure that responsible entities maintain visibility over
communications between networked devices within a trust zone rather
than simply monitoring communications at the network perimeter access
point(s) (i.e., at the boundary of an electronic security perimeter as
required by the current CIP requirements).\24\
---------------------------------------------------------------------------
\23\ INSM NOPR, 178 FERC ¶ 61,038 at PP 2, 14, 26.
\24\ Id. PP 2, 26.
---------------------------------------------------------------------------
15. The NOPR discussed various risks to trusted CIP networks posed
by the lack of requirements for INSM in the Standards, which include
attackers: (1) escalating privileges; (2) moving inside the CIP-
networked environment; and (3) executing unauthorized code.\25\ In the
context of supply chain risk, the NOPR explained that a malicious
update from a known software vendor could be downloaded directly to a
server as trusted code, and it would not set off any alarms until
abnormal behavior occurred and was detected.\26\ The NOPR explained
that, because the CIP-networked environment is a trust zone, a
compromised server in the trust zone could be used to install malicious
updates directly onto devices that are internal to the CIP-networked
environment without detection. Further, in the context of an insider
threat, an employee with elevated administrative credentials could
identify and collect data, add accounts, delete logs, or even
exfiltrate data without being detected. The NOPR also pointed to the
SolarWinds attack as an example of how an attacker can bypass all
network perimeter-based security controls traditionally used to
identify the early phases of an attack.\27\ This supply chain attack
leveraged a trusted vendor to compromise the networks of public and
private organizations.\28\
---------------------------------------------------------------------------
\25\ Id. P 33.
\26\ Id. P 17.
\27\ Id. P 18 (citing FERC, NERC, SolarWinds and Related Supply
Chain Compromise, at 16 (July 7, 2021), <a href="https://cms.ferc.gov/media/solarwinds-and-related-supply-chain-compromise-0">https://cms.ferc.gov/media/solarwinds-and-related-supply-chain-compromise-0</a>).
\28\ A threat actor gained access to the SolarWinds production
environment, ``pushed'' malicious code through legitimate updates to
customers and enabled the adversary to gain remote access and
network privileges allowing the actor to manipulate identity and
authentication mechanisms. SolarWinds and Related Supply Chain
Compromise at 7.
---------------------------------------------------------------------------
16. The NOPR sought comments on all aspects of the proposed
directive, and it also specifically solicited responses to the
following questions: (1) what are the potential challenges to
implementing INSM (e.g., cost, availability of specialized resources,
and documenting compliance); (2) what capabilities (e.g., software,
hardware, staff, and services) are necessary or appropriate for INSM to
meet the security objectives; (3) are the three security objectives for
INSM described in the NOPR necessary and sufficient and, if not
sufficient, what are other pertinent objectives that would support the
goal of having responsible entities successfully implement INSM; and
(4) what is a reasonable timeframe for developing and implementing
Reliability Standards for INSM.\29\
---------------------------------------------------------------------------
\29\ INSM NOPR, 178 FERC ¶ 61,038 at P 32.
---------------------------------------------------------------------------
17. While the Commission's proposed directives centered on high and
medium impact BES Cyber Systems, the Commission also sought comment on
the usefulness and practicality of implementing INSM to detect
malicious activity in networks with low impact BES Cyber Systems, as
well as potentially identifying a subset of low impact BES Cyber
Systems to which INSM requirements could apply.\30\ In particular, the
Commission sought comment on whether the same risks associated with
high and medium impact BES Cyber Systems also apply to low impact BES
Cyber Systems.\31\ Commensurate with their impact on the Bulk-Power
System, low impact BES Cyber Systems have fewer security controls and,
unlike high and medium impact BES Cyber Systems, are not subject to
monitoring at the network perimeter access point(s).\32\
---------------------------------------------------------------------------
\30\ Id. PP 4, 33-34.
\31\ Id. P 33.
\32\ See Version 5 Critical Infrastructure Protection
Reliability Standards, Order No. 791, 78 FR 72756 (Dec. 13, 2013),
145 FERC ¶ 61,160, at P 106 (2013), order on clarification and
reh'g, Order No. 791-A, 78 FR 24107 (Apr. 24, 2013), 146 FERC ¶
61,188 (2014) (finding that categorizing assets as high, medium, or
low based on their impact on the reliable operation of the Bulk-
Power System, with all BES Cyber Systems being categorized as at
least low impact, offers more comprehensive protection than prior
versions of the standards and declining to require NERC to develop
specific controls for low impact facilities).
---------------------------------------------------------------------------
18. The comment period for the NOPR ended on March 28, 2022, and
the Commission received 22 sets of comments, including one late-filed
comment.\33\ A list of commenters appears in Appendix A.
---------------------------------------------------------------------------
\33\ The late-filed comment raised issues that were outside the
scope of this rulemaking. Accordingly, we do not address the comment
here.
---------------------------------------------------------------------------
III. Need for Reform
19. INSM is a component of a comprehensive cybersecurity strategy
as it provides an additional layer of defense against intrusions
regardless of the attack vector or whether existing security controls
failed. With INSM, an entity can maintain visibility over
communications between networked devices within a trust zone and detect
malicious activity that has circumvented perimeter controls.\34\
INSM facilitates the detection of anomalous network activity indicative
of an attack in progress, thus increasing the probability of early
detection and allowing for quicker mitigation and recovery from an
attack.\35\ Without INSM, an attacker may be able to move among devices
internal to a trust zone using network pathways and required protocols
to send malicious communications. Further, without INSM, an attacker
could exploit legitimate cyber resources to: (1) escalate privileges
(i.e., exploit a software vulnerability to gain administrator account
privileges); (2) move undetected inside the trust zone of the CIP-
networked environment; or (3) execute unauthorized code (e.g., a virus
or ransomware).
---------------------------------------------------------------------------
\34\ INSM NOPR, 178 FERC ¶ 61,038 at P 11.
\35\ Id. P 2.
---------------------------------------------------------------------------
20. Currently, network security monitoring in the CIP Reliability
Standards focuses on network perimeter defense and preventing
unauthorized access at the electronic security perimeter. While the CIP
Reliability Standards require monitoring of inbound and outbound
internet communications at the electronic security perimeter,\36\ the
currently effective CIP Reliability Standards do not require INSM
within trusted CIP-networked environments for BES Cyber Systems. This
leaves a gap in the CIP Reliability Standards for situations where
vendors or individuals with authorized access are considered secure and
trustworthy but could still introduce a cybersecurity risk, as well as
other attack vectors that can exploit this gap. Additionally, the lack
of INSM controls diminishes an essential component of a defense-in-
depth strategy and therefore may increase the time it takes an entity
to detect an intrusion and the time an attacker has to leverage
compromised user accounts and traverse unmonitored network
connections.\37\
---------------------------------------------------------------------------
\36\ See Reliability Standard CIP-005-6 (Electronic Security
Perimeter(s)).
\37\ INSM NOPR, 178 FERC ¶ 61,038 at P 31; see also Nat'l Sec.
Agency, Network Infrastructure Security Guide (June 2022), <a href="https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF">https://media.defense.gov/2022/Jun/15/2003018261/-1/-1/0/CTR_NSA_NETWORK_INFRASTRUCTURE_SECURITY_GUIDE_20220615.PDF</a>.
---------------------------------------------------------------------------
21. The currently effective CIP Reliability Standards, while
offering a broad set of cybersecurity protections, do not require INSM.
For example, Reliability Standard CIP-005-6 (Electronic Security
Perimeter(s)), Requirement R1.5 addresses monitoring of network traffic
for malicious communications at the electronic security perimeter.
Under CIP-005-6 Requirement R1.5, the only locations that require
network security monitoring are the electronic security perimeter
electronic access points for high and medium impact BES Cyber Systems
at control centers. Additionally, Reliability Standard CIP-007-6
(System Security Management), Requirement R.4.1.3 addresses security
monitoring and requires the entity to detect malicious code for all
high and medium impact BES Cyber Systems and their associated
electronic access control or monitoring systems, physical access
control systems, and protected cyber assets. To comply with Reliability
Standard CIP-007-6 R.4.1.3, responsible entities must install security
monitoring tools at the device level but are not required to use INSM
methods, such as intrusion detection systems.\38\
---------------------------------------------------------------------------
\38\ Under Reliability Standard CIP-007-6, Requirement R.4.1.3,
an entity may choose, but is not required, to use system-generated
listing of network log in/log outs, or malicious code, or other
types of monitored network traffic only at the perimeter of all
medium and high impact BES Cyber Systems (and not within the trust
zone, unlike INSM). The related Measures for this provision provide
examples of acceptable evidence of compliance, including a paper or
system-generated listing of monitored activities for which the BES
Cyber System is configured to log and capable of detecting.
---------------------------------------------------------------------------
22. Further, the currently effective CIP Reliability Standards do
not require responsible entities to ensure that anomalous activity
within the trust zone can be identified with a high level of confidence
because the CIP Reliability Standards are focused on perimeter-based
security with limited internal security controls. The three INSM
security objectives--pertaining to (1) baselining, (2) monitoring and
detecting unauthorized activity, and (3) identification of anomalous
activity--aim to address this deficiency. As discussed below, new or
modified Reliability Standards responsive to this final action must
address these three objectives.
23. For the reasons discussed below, in this final action we affirm
the preliminary finding in the NOPR that the lack of INSM requirements
in the currently effective CIP Reliability Standards constitutes a
security gap. Further, we conclude that there is a sufficient basis for
a directive to NERC to require INSM in the CIP Reliability Standards
for all high impact BES Cyber Systems with and without external
routable connectivity and medium impact BES Cyber Systems with external
routable connectivity.\39\
---------------------------------------------------------------------------
\39\ INSM architecture generally relies on external routable
connectivity to achieve the full, real-time benefits of INSM, such
as the capability to transmit collected data from network traffic
and devices to a centralized location for further analysis by
cybersecurity professionals.
---------------------------------------------------------------------------
IV. Discussion
A. Overview
24. Pursuant to FPA section 215(d)(5), we direct NERC to develop
new or modified CIP Reliability Standards that require applicable
responsible entities to implement INSM for all high impact BES Cyber
Systems with and without external routable connectivity and medium
impact BES Cyber Systems with external routable connectivity. Given the
importance of timely addressing the identified security gap, we direct
that NERC submit responsive new or modified CIP Reliability Standards
within 15 months of the effective date of this final action. Based on
the comments received in response to the NOPR, we determine that the
record in this proceeding supports the development of mandatory
requirements for the implementation of INSM for all high impact BES
Cyber Systems with and without external routable connectivity and
medium impact BES Cyber Systems with external routable connectivity
that are within the control of responsible entities that fall within
the scope of our authority under FPA section 215.
25. Overall, commenters agree with the benefits of implementing
INSM as an additional layer of cybersecurity protection, although
commenters differ on the contours of a directive to NERC to address the
issue. NERC notes that while there may be challenges, INSM ``would be
an appropriate approach'' to address the risks identified in the
NOPR.\40\
---------------------------------------------------------------------------
\40\ NERC Comments at 3; see also EPSA Comments at 3; Idaho
Power Comments at 2; ISO/RTO Comments at 3.
---------------------------------------------------------------------------
26. NERC and other commenters support new or modified CIP
Reliability Standards that address INSM for high impact BES Cyber
Systems as a worthwhile improvement to the cybersecurity posture of the
Bulk-Power System.\41\ While no entities altogether oppose INSM for
high impact BES Cyber Systems, two commenters recommend limiting INSM
at high impact BES Cyber Systems to those located in a control center
or those systems with external routable connectivity.\42\
---------------------------------------------------------------------------
\41\ E.g., NERC Comments at 8; BPA Comments at 1; Trades
Comments at 1.
\42\ See ITC Comments at 7; Idaho Power Comments at 2.
---------------------------------------------------------------------------
27. Support for requiring the implementation of INSM for medium
impact BES Cyber Systems varies, with a majority of commenters agreeing
that extending INSM to at least some medium impact BES Cyber Systems
could address the risks to the security of the Bulk-Power System
identified in
the NOPR.\43\ Several other commenters also recognize that the NOPR's
proposed directives regarding INSM are appropriate to address the
threats that high and medium impact BES Cyber Systems face, and their
potential impact on the reliable and secure operation of the Bulk-Power
System.\44\ Other commenters, however, either oppose the proposal for
medium impact BES Cyber Systems \45\ or advocate for delayed or limited
inclusion of medium impact BES Cyber Systems within the scope of CIP
Reliability Standards.\46\
---------------------------------------------------------------------------
\43\ NERC Comments at 3; Consumers Comments at 1-2; Cynalytica
Comments at 1; ISO/RTO Council Comments at 2-3; Juniper Comments at
1-2; Microsoft Comments at 1; MRO NSRF Comments at 1-2; NAGF
Comments at 1; Nozomi Networks Comments at 3; OT Coalition Comments
at 3; TAPS Comments at 14; Conway Comments at 1.
\44\ E.g., EPSA Comments at 3; Idaho Power Comments at 2; ISO/
RTO Comments at 3.
\45\ BPA Comments at 2.
\46\ EPSA Comments at 2; Idaho Power Comments at 2; Indicated
Trade Associations Comments at 9.
---------------------------------------------------------------------------
28. Commenters raise challenges that may arise during development
and implementation of CIP Reliability Standards requiring INSM for
medium impact BES Cyber Systems that do not have external routable
connectivity. These challenges include the large number of such medium
impact BES Cyber Systems, which pose staffing and resource constraints
for responsible entities and the possibility of supply chain
constraints limiting the availability of necessary hardware and
software tools to fully implement INSM.\47\ As discussed below, we are
persuaded by the comments raising challenges and thus modify the NOPR
proposal by directing that NERC develop new or modified Reliability
Standards requiring implementation of INSM for medium impact BES Cyber
Systems with external routable connectivity.
---------------------------------------------------------------------------
\47\ E.g., BPA Comments at 3; EPSA Comments at 3; Idaho Power
Comments at 2.
---------------------------------------------------------------------------
29. Further, we decline at this time to direct NERC to develop new
or modified CIP Reliability Standards to require INSM for low impact
BES Cyber Systems. NERC and most other commenters note that the risks
associated with high and medium impact BES Cyber Systems do not apply
to low impact BES Cyber Systems and that the costs associated with
implementing INSM for low impact BES Cyber Systems would not result in
a corresponding benefit to security.\48\
---------------------------------------------------------------------------
\48\ E.g., NERC Comments at 8; BPA Comments at 4-5; MRO NSRF
Comments at 4; NAGF Comments at 4.
---------------------------------------------------------------------------
30. Although we decline to direct NERC to develop new or modified
CIP Reliability Standards requiring INSM for medium impact BES Cyber
Systems without external routable connectivity and all low impact BES
Cyber Systems in this final action, we recognize the importance of
bolstering the cybersecurity of these systems. We believe that the
current lack of visibility at low impact BES Cyber Systems, as well as
medium impact BES Cyber Systems with similar configurations (i.e.,
serial-connected and other physical non-internet protocol based
industrial control system communications), may leave systems vulnerable
to cyberattacks that degrade the reliable and secure operation of the
Bulk-Power System. However, we also recognize that extending INSM
requirements to all low impact BES Cyber Systems would be difficult to
implement or audit, given that there is neither a requirement for
entities to identify their low impact BES Cyber Systems on an
individual basis nor a requirement for entities to identify an
electronic security perimeter for their low impact BES Cyber
Systems.\49\ Therefore, as discussed below, we direct NERC, pursuant to
Sec. 39.2(d) of the Commission's regulations,\50\ to submit to the
Commission a report discussing the results of the study assessing the
risks, implementation challenges, and potential solutions for all low
impact BES Cyber Systems and medium impact BES Cyber Systems without
external routable connectivity, within 12 months of the issuance of
this final action.
---------------------------------------------------------------------------
\49\ Reliability Standard CIP-003-8 (Security Management
Controls), Requirement R2, requires that an entity with low impact
BES Cyber Systems must implement a cybersecurity plan that includes
elements specified in Attachment 1 of CIP-003-8. While entities must
implement a plan that includes ``electronic access controls,'' the
NERC defined term ``Electronic Security Perimeter'' is not mentioned
in Attachment 1.
\50\ 18 CFR 39.2(d) (the ERO shall provide the Commission such
information as is necessary to implement section 215 of the FPA).
---------------------------------------------------------------------------
31. We address below the following issues raised in the NOPR and
NOPR comments: (1) the need for INSM Reliability Standards for all high
impact BES Cyber Systems with and without external routable
connectivity and medium impact BES Cyber Systems with and without
external routable connectivity; (2) the extension of INSM to all low
impact BES Cyber Systems; (3) security objectives of the new or
modified Reliability Standards; and (4) standard development and
implementation timelines. Further, we address the need for further
study to support future action as warranted to require INSM for medium
impact BES Cyber Systems without external routable connectivity and all
low impact BES Cyber Systems.
B. INSM for High and Medium Impact BES Cyber Systems
32. In the NOPR, the Commission proposed to direct NERC to develop
new or modified CIP Reliability Standards requiring that responsible
entities implement INSM for their high and medium impact BES Cyber
Systems.\51\ The Commission preliminarily found that INSM, as a
fundamental element of a zero-trust architecture,\52\ should improve
the cybersecurity posture of responsible entities with high and medium
impact BES Cyber Systems.\53\ The NOPR explained that the proposed
directive centers on high and medium impact BES Cyber Systems to
improve visibility within networks containing BES Cyber Systems whose
compromise could have a significant impact on the reliable operation of
the Bulk-Power System.\54\ The NOPR sought comments on all aspects of
the proposed directive to NERC to modify the CIP Reliability Standards
to require INSM for high and medium impact BES Cyber Systems.
---------------------------------------------------------------------------
\51\ INSM NOPR, 178 FERC ¶ 61,038 at PP 29, 31.
\52\ NIST defines zero-trust architecture as ``[a] security
model, a set of system design principles, and a coordinated
cybersecurity and system management strategy based on an
acknowledgement that threats exist both inside and outside
traditional network boundaries. The [zero-trust] security model
eliminates implicit trust in any one element, component, node, or
service and instead requires continuous verification of the
operational picture via real-time information from multiple sources
to determine access and other system responses.'' NIST, Computer
Security Resource Center Glossary, <a href="https://csrc.nist.gov/glossary/term/zero_trust_architecture">https://csrc.nist.gov/glossary/term/zero_trust_architecture</a>.
\53\ INSM NOPR, 178 FERC ¶ 61,038 at P 30.
\54\ Id. P 3.
---------------------------------------------------------------------------
1. Comments
a. Implementation of INSM for High Impact BES Cyber Systems
33. NERC, BPA, Consumers, Cynalytica, ISO/RTO Council, Juniper
Networks, Microsoft, MRO NSRF, NAGF, Nozomi Networks, and Conway
support the NOPR's efforts to require INSM for high impact BES Cyber
Systems.\55\ NERC states its support for INSM as an ``appropriate
approach for consideration'' for high impact BES Cyber Systems.\56\
---------------------------------------------------------------------------
\55\ NERC Comments at 3; Consumers Comments at 1-2; Cynalytica
Comments at 1; ISO/RTO Council Comments at 2-3; Juniper Networks
Comments at 1-2; Microsoft Comments at 1; MRO NSRF Comments at 1-2;
NAGF Comments at 1; Nozomi Networks Comments at 1; Conway Comments
at 1.
\56\ NERC Comments at 8.
---------------------------------------------------------------------------
34. BPA recommends that the Commission limit its initial rulemaking
to only high impact BES Cyber Systems.\57\ BPA recognizes INSM as an
important cybersecurity protection but
recommends phased adoption of INSM and limiting the initial rulemaking
to high impact BES Cyber Systems, due to the resources and length of
time needed to make such changes to industrial control systems. BPA
recommends that the Commission, in a future proceeding, explore whether
INSM requirements should apply to remote medium and low impact
facilities without external routable connectivity.\58\
---------------------------------------------------------------------------
\57\ BPA Comments at 1.
\58\ Id. at 3.
---------------------------------------------------------------------------
35. Indicated Trade Associations and Idaho Power recommend limiting
the NOPR's proposal for high impact BES Cyber Systems. Indicated Trade
Associations explains that by prioritizing high impact BES Cyber
Systems, responsible entities would be able to ``gather operational
experience with INSM technologies.'' \59\ While Indicated Trade
Associations support implementation of INSM for high impact BES Cyber
Systems, they also ask the Commission to convene a forum prior to
issuing any directive. Idaho Power also tempers its support of the NOPR
recommendations, emphasizing that its support of INSM within BES Cyber
Systems is limited to those with external routable connectivity--
although also noting that the majority of high impact BES Cyber Systems
likely already have external routable connectivity.\60\
---------------------------------------------------------------------------
\59\ Indicated Trade Associations Comments at 9.
\60\ Idaho Power Comments at 2.
---------------------------------------------------------------------------
36. ITC's comments support limiting INSM to high impact BES Cyber
Systems located in control centers because they have larger numbers of
more diversely routed systems with greater external connectivity and
therefore more access for an attacker to exploit.\61\ According to ITC,
additional focus on the prevention of electronic security perimeter
breaches continues to be the most effective overall approach to
improving the cybersecurity of responsible entities. ITC also cautions
that implementing INSM as contemplated by the NOPR could cause
congestion and potentially slow the reactions of operators, who must
observe and respond quickly to system and customer needs.\62\
---------------------------------------------------------------------------
\61\ ITC Comments at 2-3.
\62\ Id. at 2.
---------------------------------------------------------------------------
Instead of INSM, ITC states that it and many other entities already
employ hub-and-spoke architecture \63\ for their electronic security
perimeters to protect the BES Cyber Systems and BES Cyber Assets within
them, which it asserts are inconsistent with (and in many cases,
duplicative of) the NOPR proposed directives. Further, ITC explains
that as its hub-and-spoke architecture uses few connections between BES
Cyber Assets and BES Cyber Systems within each electronic security
perimeter, monitoring of such ``fixed, small-scale network traffic''
provides little security benefit compared to the costs.\64\ ITC
recommends that the Commission consider other cybersecurity strategies
like application whitelisting \65\ for defense-in-depth, which it
asserts provide comparable security to INSM.\66\
---------------------------------------------------------------------------
\63\ ITC explains that hub-and-spoke architecture uses many,
relatively small, electronic security perimeters, each containing a
small number of BES Cyber Systems and/or Assets that are often in
close physical proximity to each other but using few connections
between Cyber Assets and Systems within each electronic security
perimeter. Id. at 4.
\64\ Id.
\65\ Whitelisting, also referred to as allowlisting, allows only
selected authorized programs to run, while all other programs are
blocked from running by default. It is used to establish a baseline
for authorized applications and file locations and prevents any
action that departs from that baseline. See CISA, Guidelines for
Application Whitelisting, (2013), <a href="https://www.cisa.gov/uscert/sites/default/files/documents/Guidelines%20for%20Application%20Whitelisting%20in%20Industrial%20Control%20Systems_S508C.pdf">https://www.cisa.gov/uscert/sites/default/files/documents/Guidelines%20for%20Application%20Whitelisting%20in%20Industrial%20Control%20Systems_S508C.pdf</a>.
\66\ ITC Comments at 6.
---------------------------------------------------------------------------
37. Indicated Trade Associations and NAGF both note that entities
may not have the same internal networks or architectures and that some
may have implemented network segmentation or micro-segmentation of
their networks.\67\ NAGF explains that applying a complex and costly
INSM infrastructure may disincentivize the use of segmentation.\68\
---------------------------------------------------------------------------
\67\ Indicated Trade Associations Comments at 17; NAGF Comments
at 2. Network segmentation is one way of improving security by
dividing a larger network into multiple segments, which each act as
their own small network.
\68\ NAGF Comments at 2.
---------------------------------------------------------------------------
b. Implementation of INSM for Medium Impact BES Cyber Systems
38. NERC, Consumers, Cynalytica, ISO/RTO Council, Juniper Networks,
Microsoft, MRO NSRF, NAGF, Nozomi Networks, and Conway support the
NOPR's efforts to require INSM for medium impact BES Cyber Systems.\69\
---------------------------------------------------------------------------
\69\ NERC Comments at 3; Consumers Comments at 1-2; Cynalytica
Comments at 1; ISO/RTO Council Comments at 2-3; Juniper Networks
Comments at 1-2; Microsoft Comments at 1; MRO NSRF Comments at 1-2;
NAGF Comments at 1; Nozomi Networks Comments at 1; Conway Comments
at 1.
---------------------------------------------------------------------------
39. NERC states that it supports the efforts to address the risks
identified in the NOPR (such as a bad actor leveraging vendors or
others with authorized access to a network to attack these systems) and
agrees that INSM is an appropriate approach to address such risks.\70\
NERC comments that INSM could benefit the CIP Reliability Standards as
a ``consistent means of gaining visibility and awareness'' within an
electronic security perimeter.\71\ Furthermore, NERC recognizes ``the
importance of maturing security controls pertaining to zero-trust
principles within Reliability Standards'' and agrees with the NOPR that
INSM would advance responsible entities' cybersecurity posture towards
zero-trust architecture.\72\ Both NERC and Conway explain that INSM
ensures that there is monitoring of east-west endpoint to endpoint
communications internal to the electronic security perimeter.\73\ ISO/
RTO Council and MRO NSRF, also supporting the NOPR proposal, state that
systems solutions for anomaly detection, such as east-west monitoring,
allow for more efficient summarizing of data and identification of
anomalies.\74\
---------------------------------------------------------------------------
\70\ NERC Comments at 3.
\71\ Id. at 5.
\72\ Id. at 6.
\73\ NERC Comments at 4-5; Conway Comments at 2.
\74\ ISO/RTO Council Comments at 4-5; MRO NSRF Comments at 2.
---------------------------------------------------------------------------
40. NAGF supports the NOPR proposal and states that INSM will
complement existing network security perimeter monitoring requirements
for high and medium impact BES Cyber Systems through improved internal
network communications visibility.\75\ In support of the NOPR proposal,
Consumers notes that it has already independently concluded that INSM
warrants investment and has implemented INSM for most of its high and
medium impact BES Cyber Systems within an electronic security
perimeter.\76\
---------------------------------------------------------------------------
\75\ NAGF Comments at 1.
\76\ Consumers Comments at 2.
---------------------------------------------------------------------------
41. Comments from technology vendors support the NOPR's proposed
directives to add INSM to the NERC CIP Reliability Standards.
Cynalytica and Microsoft both point to INSM as being crucial to a zero-
trust strategy.\77\ Cynalytica further opines ``that all BES Cyber
Systems should be monitored to ensure the visibility and operational
situational awareness that a true zero-trust strategy brings in support
of critical infrastructure resiliency.'' \78\ Microsoft also supports
directing NERC to develop Reliability Standards that require INSM for
high and medium
impact BES Cyber Systems.\79\ Nozomi and Juniper Networks also support
the proposal, asserting that, given the increasingly sophisticated
methods by which attackers gain access to critical systems, it is
critical that entities move beyond protection of the electronic
security perimeter and implement dynamic, persistent monitoring
measures.
---------------------------------------------------------------------------
\77\ Cynalytica Comments at 1; Microsoft Comments at 3
(asserting that the Commission's recommendations for implementation
of INSM on BES Cyber Systems are a cybersecurity best practice, are
consistent with a zero-trust security model, and are consistent with
the White House zero-trust strategy published in January 2022
(citing White House, Moving the U.S. Government Toward Zero Trust
Cybersecurity Principles (Jan. 26, 2022), <a href="https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf">https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf</a>)).
\78\ Cynalytica Comments at 4.
\79\ Microsoft Comments at 1.
---------------------------------------------------------------------------
42. CDWR, Electricity Canada, the OT Coalition, Reclamation, and
TAPS focus their comments on the effectiveness of using INSM to achieve
cybersecurity goals rather than explicitly supporting or opposing the
NOPR proposal to implement INSM for high and medium impact BES Cyber
Systems.\80\ For example, CDWR requests that the Commission consider
whether directives necessary to provide an adequate level of
reliability and security are also cost effective.\81\ And Electricity
Canada states that it agrees that INSM is an important part of an
overall cybersecurity strategy when implemented at appropriate
locations in a network.\82\
---------------------------------------------------------------------------
\80\ CDWR Comments at 4; Electricity Canada Comments at 2; OT
Coalition Comments at 3-4; Reclamation Comments at 3; TAPS Comments
at 1.
\81\ CDWR Comments at 4.
\82\ Electricity Canada Comments at 2.
---------------------------------------------------------------------------
c. Limiting INSM for Medium Impact BES Cyber Systems Based on External
Routable Connectivity
43. Although the NOPR did not distinguish the proposed directive
for medium impact BES Cyber Systems by risk, their location at control
centers, or the existence of external routable connectivity, commenters
raise the possibility of limiting INSM on those bases.
44. EPSA, supporting Indicated Trade Associations' request for the
Commission to convene a forum prior to issuing any directive, argues
that while high impact BES Cyber Systems are indisputably worthy of
INSM measures, any new requirements imposed on medium impact locations
should be commensurate with the risk posed by each individual location
that could be compromised. Therefore, EPSA asserts that, if the
Commission does act before convening a forum, it should phase in new
requirements based on risk, for example beginning with high impact BES
Cyber Systems and only medium impact BES Cyber Systems at control
centers. EPSA states that this phased implementation would allow
entities to account for challenges while controlling costs and
constraints.\83\
---------------------------------------------------------------------------
\83\ EPSA Comments at 4.
---------------------------------------------------------------------------
45. ITC and Indicated Trade Associations support INSM for medium
impact BES Cyber Systems located at control centers. ITC asserts that
the Commission could direct NERC to develop a Reliability Standard
which requires INSM only for high and medium impact BES Cyber Systems
within control centers to achieve a more balanced risk-to-cost outcome.
According to ITC, control centers generally do contain more diversely
routed Cyber Systems with greater external connectivity beyond the
electronic security perimeter, which provides more access for an
attacker to exploit.\84\ Further, as ITC explains, control centers'
electronic security perimeters already require network monitoring that
reduces the difficulty and expense of implementing INSM at these
locations.\85\ Similarly, while Indicated Trade Associations agree with
the Commission that implementation of INSM may improve the security
posture of entities owning or operating high impact BES Cyber Systems
and ``holds significant potential to increase grid visibility and
capability of detecting and mitigating malicious activity,'' \86\ they
propose limiting the implementation to high impact BES Cyber Systems
and medium impact BES Cyber Systems located at control centers.\87\
---------------------------------------------------------------------------
\84\ ITC Comments at 7.
\85\ Id.
\86\ Indicated Trade Associations Comments at 7.
\87\ Id. at 2.
---------------------------------------------------------------------------
46. Idaho Power states that it agrees with the Commission that
implementing INSM at medium impact BES Cyber Systems, in particular
those with external routable connectivity, is ``justified and necessary
for the threats these systems are facing.'' \88\ Idaho Power explains
that BES Cyber Systems with external routable connectivity provide an
additional remote attack vector which is not present in systems without
it, and warns that if there is a requirement for INSM for systems that
do not currently have external routable connectivity, entities may add
external routable connectivity (and therefore an additional attack
vector) in order to meet the INSM requirements.\89\ Idaho Power
recommends that, if the Commission were to require INSM at high and
medium impact BES Cyber Systems, the Commission should limit the
directive to BES Cyber Systems with external routable connectivity,
since external routable connectivity is arguably needed to take full
advantage of INSM.\90\ Although BPA recommends implementing INSM
initially only at high impact BES Cyber Systems, it states that if the
Commission orders implementation at medium impact BES Cyber Systems as
well, the Commission should limit the implementation to medium impact
BES Cyber Systems with external routable connectivity.\91\
---------------------------------------------------------------------------
\88\ Idaho Power Comments at 2.
\89\ Id.
\90\ Id.
\91\ BPA Comments at 3.
---------------------------------------------------------------------------
47. Commenters point out the following concerns if this final
action were to apply to all medium impact BES Cyber Systems, including
those without external routable connectivity: (1) lengthy timelines for
implementation; \92\ (2) lack of external routable connectivity at many
medium impact BES Cyber Systems, which is needed to effectively
implement INSM; \93\ (3) for large entities, the undertaking may be
sizable given their wider footprint for monitoring and detecting; \94\
(4) already limited personnel would be stretched thin and there may be
a shortage of qualified staff; \95\ and (5) costs would far exceed any
potential cybersecurity benefit.\96\
---------------------------------------------------------------------------
\92\ Id.
\93\ Id. at 1, 3; Idaho Power Comments at 2.
\94\ Indicated Trade Associations Comments at 10 (referring to
large entities with multi-state footprints and several hundred
physical locations).
\95\ Id. at 2; EPSA Comments at 4; ITC Comments at 5; TAPS
Comments at 4.
\96\ ITC Comments at 4; TAPS Comments at 3-5.
---------------------------------------------------------------------------
48. In its comments opposing INSM for medium impact BES Cyber
Systems, BPA explains that many medium impact BES Cyber Systems do not
have external routable connectivity and that these systems therefore
pose minimal risk to intrusion and do not strongly implicate the INSM
objectives identified by the Commission.\97\ Similar to BPA, Indicated
Trade Associations assert that not all medium impact BES Cyber Systems
have external routable connectivity and therefore conclude that without
this attack surface, there is less to monitor.\98\ Furthermore,
Indicated Trade Associations argue that medium impact BES Cyber Systems
without external routable connectivity do not contain the same risk, or
pose the same potential impact, as medium impact BES Cyber Systems with
external routable connectivity because an attacker does not have a path
to move beyond the local trust zone.\99\
---------------------------------------------------------------------------
\97\ BPA Comments at 4.
\98\ Indicated Trade Associations Comments at 9.
\99\ Id. at 9-10.
---------------------------------------------------------------------------
2. Commission Determination
49. Pursuant to FPA section 215(d)(5), we direct NERC to develop
new or modified CIP Reliability Standards that require INSM for CIP-
networked environments for all high impact BES
[[Page 8362]]
Cyber Systems with and without external routable connectivity and
medium impact BES Cyber Systems with external routable connectivity. We
determine that requirements to implement INSM as we direct in this
final action will fill a gap in the current suite of CIP Reliability
Standards and improve the cybersecurity posture of the Bulk-Power
System.\100\ Specifically, a requirement for INSM that augments
existing perimeter defenses will increase network visibility so that an
entity may understand what is occurring in its CIP-networked
environment and, thus, improve capability to timely detect potential
compromises.\101\ INSM also allows for the collection of data and
analysis required to implement a defense strategy, improves an entity's
incident investigation capabilities, and increases the likelihood that
an entity can better protect itself from a future cyberattack and
address any security gaps the attacker was able to exploit.
---------------------------------------------------------------------------
\100\ See, e.g., NERC Comments at 4-5 (current CIP Standards
require ``malicious communications monitoring at the Electronic
Access Point on the [electronic security perimeter], not necessarily
monitoring of activity of those who already have access to the
network'').
\101\ Id. at 5 (``CIP Reliability Standards could benefit from
consideration of internal network security monitoring requirements
as a consistent means of gaining visibility and awareness within an
[electronic security perimeter].'').
---------------------------------------------------------------------------
50. Moreover, the NOPR identified certain cyber-related risks that
implementation of INSM could mitigate through early detection, such as
a supply chain attack leveraging malicious updates from a known
software vendor (i.e., SolarWinds attack) and ransomware attacks.\102\
NERC and other commenters agree that INSM is an appropriate approach to
address such risks.\103\
---------------------------------------------------------------------------
\102\ INSM NOPR, 178 FERC ¶ 61,038 at PP 17-19.
\103\ E.g., NERC Comments at 6; Juniper Comments at 1.
---------------------------------------------------------------------------
51. We disagree with ITC's rationale for opposing the NOPR
proposal. In particular, we disagree with ITC's assertions that the
NOPR proposals are an ``overly aggressive implementation of'' zero-
trust architecture.\104\ As explained in the NOPR, while INSM is a
fundamental element of the zero-trust architecture, it is only one of
many aspects.\105\ Furthermore, ITC presents its statement that there
would only be little monitoring INSM could perform of its fixed, small-
scale network traffic, and thus provide ITC little benefit,\106\
without further context or explanation. Additionally, we disagree with
ITC's assertion that application whitelisting provides comparable
security to INSM. Application whitelisting is a security tool
implemented at the cyber asset level and does not monitor network
traffic, which is the purpose of INSM. Therefore, application
whitelisting and INSM are two distinct components of a defense-in-depth
strategy and two distinct components of zero-trust architecture.
---------------------------------------------------------------------------
\104\ ITC Comments at 2.
\105\ INSM NOPR, 178 FERC ¶ 61,038 at P 30.
\106\ ITC Comments at 5.
---------------------------------------------------------------------------
52. We are also not persuaded by ITC's objections to the NOPR
proposal based on ITC's claims regarding the relatively limited
vulnerability of hub-and-spoke networks. A hub-and-spoke connection is
bound on both sides by electronic security perimeters. Like any other
BES Cyber Asset, the electronic access points of the hub and spoke
configuration are addressed by the currently effective CIP Reliability
Standards, but there is currently no required monitoring of network
traffic within the hub and spoke electronic security perimeters. We
disagree with ITC's assertion that hub-and-spoke architecture has lower
risk because it uses few connections between Cyber Assets and Cyber
Systems within each electronic security perimeter.\107\ INSM is a
cybersecurity capability that is indifferent to the architecture to
which it is applied. INSM is intended to monitor east-west network
traffic that does not traverse the access point. An architecture like
hub-and-spoke is not a substitute for a cybersecurity capability like
INSM.
---------------------------------------------------------------------------
\107\ Id. at 4.
---------------------------------------------------------------------------
53. Finally, we disagree with ITC's assertion that the ``NOPR's
approach is also inconsistent with the Commission's long-standing risk-
based approach to reliability.'' \108\ The security objectives proposed
in the INSM NOPR are risk-based and objective.\109\ Furthermore,
malicious actors that compromise BES Cyber Systems within an electronic
security perimeter could have the opportunity to perform the same
functions as an authorized user, which includes operation of the Bulk-
Power System, as demonstrated by the Ukraine attacks referenced in the
INSM NOPR.\110\
---------------------------------------------------------------------------
\108\ Id.
\109\ INSM NOPR, 178 FERC ¶ 61,038 at P 31.
\110\ Id. P 21.
---------------------------------------------------------------------------
54. We are not persuaded by BPA's request to limit our directive to
INSM for high impact BES Cyber Assets based on resource and timing
concerns nor persuaded by ITC's assertion that INSM would lead to
congestion. Rather, we believe that our decision to limit our directive
at this time to those medium impact BES Cyber Assets with external
routable connectivity strikes a proper balance between limited
resources and the security benefits of INSM and adequately addresses
BPA's concerns and that technical concerns are better addressed during
NERC's standards drafting process or during the implementation of INSM.
Similarly, NAGF and Indicated Trade Associations' concern that
requiring INSM may discourage entities from using greater network
segmentation to enhance security is a specific technical concern better
raised and addressed during NERC's standards drafting process.
55. We agree with commenters that articulate the various benefits
of INSM. NERC and other commenters state that INSM ensures that there
is monitoring of east-west endpoint-to-endpoint communications internal
to the electronic security perimeter.\111\ Likewise, ISO/RTO Council
and MRO NSRF explain that systems solutions for anomaly detection, such
as east-west monitoring, allow for more efficient summarizing of data
and identification of anomalies.\112\ Accordingly, the record in this
proceeding supports incorporating INSM requirements into the CIP
Standards for high and medium impact BES Cyber Systems, as set forth in
this final action.
---------------------------------------------------------------------------
\111\ NERC Comments at 4-5; Conway Comments at 2.
\112\ ISO/RTO Council Comments at 4-5; MRO NSRF Comments at 2.
---------------------------------------------------------------------------
56. We are not persuaded by Indicated Trade Associations' and ITC's
suggestions to limit application of INSM to high impact BES Cyber
Systems and medium impact BES Cyber Systems located at control
centers.\113\ Limiting application of INSM to high impact BES Cyber
Systems and medium impact BES Cyber Systems located at control centers
would constitute too narrow an approach because the trust zone
associated with medium impact BES Cyber Systems encompasses systems
with a definitive potential to affect Bulk-Power System reliability. We
are, however, persuaded by commenters to limit the scope of our
directive with regard to medium impact BES Cyber Systems to those with
external routable connectivity. Idaho Power argues that the presence of
external routable connectivity is an appropriate limiting factor for
the directive,\114\ and BPA, while it recommends applying the directive
only to high impact BES Cyber Systems, states that if the directive
encompasses medium impact BES Cyber Systems then it should apply only
to medium impact BES Cyber Systems
[[Page 8363]]
with external routable connectivity.\115\ Control centers generally
already have external routable connectivity and are thus encompassed by
a directive to limit application of INSM for medium impact BES Cyber
Systems on the basis of external routable connectivity. For these
reasons, we believe that external routable connectivity is a preferable
approach to targeting the application of INSM.
---------------------------------------------------------------------------
\113\ ITC Comments at 7; Indicated Trade Associations Comments
at 11.
\114\ Idaho Power Comments at 2.
\115\ BPA Comments at 3.
---------------------------------------------------------------------------
57. Although not addressed in the NOPR, multiple commenters raised
concerns regarding the efficacy and practicality of requiring
implementation of INSM for medium impact BES Cyber Systems that lack
external routable connectivity.\116\ Simply stated, external routable
connectivity allows remote communication with a BES Cyber System
through use of a high-speed internet service to send information over a
network. Typically, external routable connectivity allows higher
quality data to flow from the field devices at substations to a
centralized location where cybersecurity professionals can perform
further analysis.
---------------------------------------------------------------------------
\116\ Id.; EPSA Comments at 2; Idaho Power Comments at 1; ITC
Comments at 7; Indicated Trade Associations Comments at 11.
---------------------------------------------------------------------------
58. Commenters explain that a system without external routable
connectivity, while not risk-free, is less vulnerable to attack than
systems with external routable connectivity.\117\ Likewise, according
to commenters, external routable connectivity is necessary to achieve
the full, real-time benefits of INSM.\118\ In consideration of these
concerns, we modify the NOPR proposal and direct NERC to develop new or
modified CIP Reliability Standards that require INSM for medium impact
BES Cyber Systems with external routable connectivity.
---------------------------------------------------------------------------
\117\ BPA Comments at 4; Indicated Trade Associations Comments
at 9; Idaho Power Comments at 2. Medium impact BES Cyber Systems
that lack external routable connectivity remain vulnerable to
insider threats and supply chain attacks.
\118\ See, e.g., BPA Comments at 2; Idaho Power Comments at 2.
---------------------------------------------------------------------------
59. While we agree with commenters regarding the challenges with
implementing INSM for medium impact BES Cyber Systems without external
routable connectivity such as costs and stretching thin limited
resources,\119\ we continue to believe that, if these challenges can be
adequately addressed, implementation of INSM for all medium impact BES
Cyber Systems would improve the cybersecurity posture of the Bulk-Power
System by allowing early detection and response to cyber intrusions in
BES Cyber Systems. Although we decline Indicated Trade Associations'
request to convene a forum to discuss INSM in the proceeding prior to a
directive as the robust comments provide an adequate basis for this
final action, we are directing NERC to conduct a study that pertains,
inter alia, to the challenges of, and solutions for, implementing INSM
at medium impact BES Cyber Systems without external routable
connectivity and all low impact BES Cyber Systems, as discussed in more
detail below.
---------------------------------------------------------------------------
\119\ E.g., Indicated Trade Associations Comments at 10.
---------------------------------------------------------------------------
C. INSM for Low Impact BES Cyber Systems
60. In the NOPR, the Commission stated that its proposal centered
on high and medium impact BES Cyber Systems but sought comment on the
usefulness and practicality of implementing INSM to detect malicious
activity in networks with low impact BES Cyber Systems, including any
potential benefits, technical barriers and associated costs.\120\ Low
impact BES Cyber Systems have fewer security controls and, unlike high
and medium impact BES Systems, are not subject to monitoring at the
network perimeter access point(s). The Commission particularly sought
comment on whether the same risks associated with high and medium
impact BES Cyber Systems apply to low impact BES Cyber Systems,
including escalating privileges, moving inside the CIP-networked
environment, and executing unauthorized code. The Commission further
sought comment on the appropriate scope of coverage for INSM for low
impact BES Cyber Systems, to the extent such risks exist.
---------------------------------------------------------------------------
\120\ INSM NOPR, 178 FERC ¶ 61,038 at P 33.
---------------------------------------------------------------------------
61. The Commission suggested that there may be benefits to having
INSM requirements apply to a defined subset of low impact BES Cyber
Systems and sought comment on possible criteria or methodology for
identifying an appropriate subset of low impact BES Cyber Systems that
could benefit from INSM.\121\ The Commission further pointed out that
there are currently no CIP requirements for low impact BES Cyber
Systems for monitoring communications at the electronic security
perimeter and therefore asked: (1) whether it makes sense to require
INSM while perimeter monitoring is not required; and (2) would it be
appropriate to address both perimeter monitoring and INSM for low
impact BES Cyber Systems.\122\
---------------------------------------------------------------------------
\121\ Id. P 34.
\122\ Id.
---------------------------------------------------------------------------
1. Comments
62. Technology solutions vendors Cynalytica, Microsoft, Nozomi
Networks, and OT Coalition support extending INSM to low impact BES
Cyber Systems.\123\ Microsoft recommends directing the implementation
of INSM for low impact BES Cyber Systems ``to the maximum extent
practicable.'' \124\ Cynalytica and Microsoft comment that risks within
low impact BES Cyber Systems are similar to those within higher impact
systems.\125\ Cynalytica, Microsoft, and Nozomi Networks all assert
that requiring all BES Cyber Systems to implement INSM at this time
would reduce cybersecurity risk and exposure.\126\ Cynalytica is of the
opinion that ``all BES Cyber Systems should be monitored to ensure the
visibility and operational situational awareness,'' as low impact BES
Cyber Systems ``could be used for operational intelligence gathering,
capabilities testing, or could be used to pivot among internal
systems.'' \127\
---------------------------------------------------------------------------
\123\ Cynalytica Comments at 4; Microsoft Comments at 1; Nozomi
Networks Comments at 3; OT Coalition Comments at 3-4.
\124\ Microsoft Comments at 1.
\125\ Cynalytica Comments at 4; Microsoft Comments at 11.
\126\ Cynalytica Comments at 4; Microsoft Comments at 1; Nozomi
Networks Comments at 3.
\127\ Cynalytica Comments at 4.
---------------------------------------------------------------------------
63. Microsoft elaborates that low impact BES Cyber Systems such as
distributed energy resources, along with their increasing use, may
increase the potential risks associated with low impact BES Cyber
Systems.\128\ Nozomi Networks recommends extending INSM to low impact
BES Cyber Systems as a possible way to both improve their security
risks and posture over time, as well as identify potential supply chain
security issues.\129\
---------------------------------------------------------------------------
\128\ Microsoft Comments at 11.
\129\ Nozomi Networks Comments at 3.
---------------------------------------------------------------------------
64. OT Coalition, supporting a phased implementation of INSM for
low impact BES Cyber Systems, warns that failure to account for the
risk of a low impact BES Cyber System ``being used as a lateral attack
vector is inexcusable.'' \130\ OT Coalition recommends that INSM-
related and perimeter monitoring requirements should be phased in over
time, e.g., over the course of five years and moving from larger to
smaller entities.
---------------------------------------------------------------------------
\130\ OT Coalition Comments at 4.
---------------------------------------------------------------------------
65. Other commenters, however, advocate against requiring INSM at
low impact BES Cyber Systems at this time. NERC, BPA, MRO NSRF, and
NAGF oppose requiring INSM for low impact BES Cyber Systems as part of
this
[[Page 8364]]
proceeding because of the extensive revisions to the CIP Reliability
Standards that would be needed and the correspondingly longer time such
revisions would take to implement.\131\ For example, NERC and MRO NSRF
point to the lack of any current requirement for a list of low impact
BES Cyber Systems.\132\ NERC and MRO NSRF also note that there is no
current requirement for low impact BES Cyber Systems to have an
electronic security perimeter.\133\ Thus, according to MRO NSRF, to
properly enact INSM at facilities with low impact BES Cyber Systems
would require upgrading all such facilities to one with the same
network architecture, protections, and monitoring as that of a facility
with high or medium BES Cyber Systems and that the ``cost and effort
associated with such an enterprise would not be justified.'' \134\
---------------------------------------------------------------------------
\131\ NERC Comments at 8; BPA Comments at 4-5; MRO NSRF Comments
at 4; NAGF Comments at 4.
\132\ NERC Comments at 8-9; MRO NSRF Comments at 4 (``Analysis
requires not just a monitoring system but a baseline inventory of
BES Cyber Assets to have something to benchmark against.'').
\133\ Id.
\134\ MRO NSRF Comments at 4.
---------------------------------------------------------------------------
66. NERC, BPA, CDWR, Consumers, EPSA, Idaho Power, MRO NSRF, NAGF,
TAPS, Conway, and Indicated Trade Associations all caution that
extending INSM requirements to low impact BES Cyber Systems at this
time would be infeasible or impractical from a cost, time, and
technical standpoint.\135\ Indicated Trade Associations, BPA, EPSA,
TAPS, and CDWR explain that the sheer number of low impact BES Cyber
Systems, which far exceeds that of medium and high impact BES Cyber
Systems, makes implementation of INSM at low impact BES Cyber Systems
impractical at this time, from a cost and time commitment
perspective.\136\ Reclamation notes that low impact BES Cyber Systems
pose inherently less risk and therefore may not benefit from INSM as
much as medium and high impact BES Cyber Systems.\137\ NERC and other
commenters explain that procuring the necessary support equipment, such
as relays, remote terminal units, and communications processors, would
be prohibitively expensive due to issues such as limited bandwidth,
remote proximity of the systems, and greater variety of communications
protocols.\138\ NERC states that expanding INSM requirements to apply
to low impact BES Cyber Systems would also pose scalability and
manageability issues, such as considering whether communications paths
would need to be enhanced to correct any latency or real-time
operations impact.\139\
---------------------------------------------------------------------------
\135\ NERC Comments at 8-9; BPA Comments at 4-5; CDWR Comments
at 4; Consumers Comments at 2; EPSA Comments at 4-5; Idaho Power
Comments at 2-3; MRO NSRF Comments at 4; NAGF Comments at 4; TAPS
Comments at 4-9; Conway Comments at 1; Indicated Trade Associations
Comments at 28.
\136\ BPA Comments at 4; CDWR Comments at 4; EPSA Comments at 4;
TAPS Comments at 8; Indicated Trade Associations Comments at 28.
\137\ Reclamation Comments at 3.
\138\ NERC Comments at 8-9; Idaho Power Comments at 2-3; TAPS
Comments at 5-6; Indicated Trade Associations Comments at 28.
\139\ NERC Comments at 8-9.
---------------------------------------------------------------------------
67. NAGF and Consumers assert that requiring INSM implementation
for low impact BES Cyber Systems could displace efforts relating to
higher impact systems.\140\ TAPS comments that there are limited
incremental reliability benefits due to low impact BES Cyber Systems
being less likely to result in instability, uncontrolled separation, or
cascading failure. TAPS further argues that there are technical
barriers stemming from the diversity of low impact BES Cyber Systems
requiring customized implementation and highly specialized staff.\141\
---------------------------------------------------------------------------
\140\ Consumers Comments at 2; NAGF Comments at 4.
\141\ TAPS Comments at 3, 5.
---------------------------------------------------------------------------
2. Commission Determination
68. We find comments explaining the challenges of extending INSM
requirements to all low impact BES Cyber Systems are persuasive, and we
therefore decline to direct NERC to extend requirements for INSM to all
low impact BES Cyber Systems at this time. We agree with commenters
such as Microsoft, Cynalytica, and Nozomi Networks that the risks
within low impact BES Cyber Systems are similar to those within higher
impact systems and that implementing INSM at low impact BES Cyber
Systems would reduce cybersecurity risk and improve the overall
security posture of the Bulk-Power System. Nevertheless, we are
persuaded by NERC and other commenters that implementing INSM at all
low impact BES Cyber Systems could present certain challenges that
make such a directive at this time impractical. We agree that
extending INSM requirements to all low impact BES Cyber Systems could
be difficult to scope, implement, or audit, given that there is no
requirement for entities to individually identify their low impact BES
Cyber Systems or electronic security perimeters for their low impact
BES Cyber Systems. Additionally, we accept the explanation of NERC and
other commenters that extending INSM to low impact BES Cyber Systems
could pose scalability and manageability issues,\142\ pose challenges
to limited company resources and specialization issues for locations
with small support staff,\143\ and require more highly specialized
staff.\144\
---------------------------------------------------------------------------
\142\ NERC Comments at 8-9.
\143\ NAGF Comments at 4.
\144\ TAPS Comments at 3, 5.
---------------------------------------------------------------------------
69. Although declining to direct NERC at this time to do so, we
believe that in the longer term it may be necessary that INSM be
extended to at least some subset of low impact BES Cyber Assets to
address the known risks associated with these assets. To address the
challenges raised by commenters and support this goal, we direct NERC
to study the hurdles and possible solutions of implementing INSM at all
low impact BES Cyber Assets, as discussed below.
D. Security Objectives
70. In the NOPR, the Commission proposed that new or modified CIP
Reliability Standards requiring INSM for high and medium impact BES
Cyber Systems should address three security objectives pertaining to
INSM.\145\ First, any new or modified CIP Reliability Standards should
address the need for each responsible entity to develop a baseline for
their network traffic, specifically for security purposes. Second, any
new or modified CIP Reliability Standards should address the need for
responsible entities to monitor for and detect unauthorized activity,
connections, devices, and software inside the CIP-networked
environment. Third, any new or modified CIP Reliability Standards
should address the ability to support operations and response by
requiring responsible entities to ensure that anomalous activity can be
identified to a high level of confidence by: (1) logging network
traffic at a sufficient level of detail; (2) maintaining logs and other
data collected regarding network traffic; and (3) implementing measures
to minimize the likelihood of an attacker removing evidence of their
tactics, techniques, and procedures.
---------------------------------------------------------------------------
\145\ INSM NOPR, 178 FERC ¶ 61,038 at P 31.
---------------------------------------------------------------------------
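An added illustration, not part of the Commission's order or of any NERC standard, of the three security objectives in paragraph 70 applied to the east-west traffic that paragraph 52 notes never traverses the access point: baseline the flows, flag unauthorized devices and connections, and keep a hash-chained log so altered or removed entries are detectable. The subnet, addresses, flow records, and all function and class names are constructed assumptions.

```python
import hashlib
import ipaddress
import json

# Constructed sample data: the ESP subnet and every address below are made up.
ESP_NET = ipaddress.ip_network("10.20.0.0/24")

# Flow records as (src, dst, protocol, dst_port), e.g. exported from a tap.
BASELINE_WINDOW = [
    ("10.20.0.10", "10.20.0.21", "tcp", 20000),  # HMI to RTU, DNP3
    ("10.20.0.10", "10.20.0.22", "tcp", 20000),
    ("10.20.0.30", "10.20.0.10", "tcp", 443),    # historian to HMI
    ("10.20.0.10", "192.0.2.5", "tcp", 443),     # leaves the ESP via the access point
]
LIVE_WINDOW = [
    ("10.20.0.10", "10.20.0.21", "tcp", 20000),  # known flow
    ("10.20.0.30", "10.20.0.21", "tcp", 20000),  # known hosts, new connection
    ("10.20.0.99", "10.20.0.22", "tcp", 502),    # device never seen before
    ("10.20.0.10", "192.0.2.5", "tcp", 443),     # north-south, perimeter's job
]


def is_east_west(flow):
    """True when both endpoints are inside the ESP, so the flow never
    crosses the electronic access point where perimeter monitoring runs."""
    src, dst = ipaddress.ip_address(flow[0]), ipaddress.ip_address(flow[1])
    return src in ESP_NET and dst in ESP_NET


def build_baseline(flows):
    """Objective 1: record devices and connections seen during a window
    the entity has reviewed and accepted as normal."""
    internal = [f for f in flows if is_east_west(f)]
    devices = {ip for f in internal for ip in f[:2]}
    return {"devices": devices, "connections": set(internal)}


def detect(flows, baseline):
    """Objective 2: flag east-west flows that involve an unknown device,
    or known devices talking over a connection absent from the baseline."""
    findings = []
    for f in flows:
        if not is_east_west(f):
            continue
        unknown = sorted(set(f[:2]) - baseline["devices"])
        if unknown:
            findings.append({"kind": "unauthorized_device",
                             "hosts": unknown, "flow": list(f)})
        elif f not in baseline["connections"]:
            findings.append({"kind": "unauthorized_connection",
                             "flow": list(f)})
    return findings


class ChainedLog:
    """Objective 3: each entry's digest covers the previous digest, so an
    edit or a deletion in the middle of the log breaks the chain."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def head(self):
        """Latest digest; store a copy off-host to detect tail truncation."""
        return self.entries[-1]["digest"] if self.entries else self.GENESIS

    def append(self, record):
        prev = self.head()
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "body": body, "digest": digest})

    def verify(self, expected_head=None):
        """Return the index of the first bad entry, len(entries) if the
        tail was cut off relative to expected_head, or None if intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            expected = hashlib.sha256((prev + e["body"]).encode()).hexdigest()
            if e["prev"] != prev or e["digest"] != expected:
                return i
            prev = e["digest"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return None


def run():
    """Baseline the first window, then log findings from the live window."""
    baseline = build_baseline(BASELINE_WINDOW)
    log = ChainedLog()
    for finding in detect(LIVE_WINDOW, baseline):
        log.append(finding)
    return baseline, log


if __name__ == "__main__":
    _, log = run()
    for entry in log.entries:
        print(entry["digest"][:12], entry["body"])
    print("chain intact:", log.verify() is None)
```

The chain alone cannot reveal that the most recent entries were dropped, which is why `verify` accepts a head digest kept somewhere the monitored hosts cannot write.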
1. Comments
71. Cynalytica characterizes the security objectives listed in the
NOPR as a ``solid foundation'' and recommends that the CIP Reliability
Standards adopt the objectives.\146\ Microsoft, which strongly advocates
for the implementation of the zero-trust security model, asserts that
the security objectives from the NOPR align with
[[Page 8365]]
this model and are critical to maintaining network visibility to drive
threat detection and response in real time.\147\ NAGF characterizes the
security objectives listed in the NOPR as ``acceptable and meaningful''
and asserts that INSM will complement existing network perimeter
monitoring requirements.\148\
---------------------------------------------------------------------------
\146\ Cynalytica Comments at 3.
\147\ Microsoft Comments at 2, 4.
\148\ NAGF Comments at 1.
---------------------------------------------------------------------------
72. Specific to the security objectives proposed in the NOPR,
commenters provide guidance for the development of a baseline of
network traffic and suggest there could be alternative approaches.
Electricity Canada asserts that there may be other approaches to
analyzing network traffic besides baselining and suggests adopting
``simplified language'' that would not exclude the use of a type of
technology based on the type of security analysis performed.\149\
Electricity Canada recommends that the security objective should be to
monitor for and detect unauthorized ``network communication
protocols,'' rather than unauthorized ``software.'' \150\
---------------------------------------------------------------------------
\149\ Electricity Canada at 2.
\150\ Id. at 3.
---------------------------------------------------------------------------
73. Indicated Trade Associations explain that establishing a
baseline of legitimate network traffic is challenging and calls for
significant judgments unique to the implementation of INSM and that in
this context baselining can have many different meanings.\151\
According to Indicated Trade Associations, approaches to baselining
could include: (1) simply differentiating between alerts and false
positives as opposed to actual malicious activity; and (2) an expansive
approach of fully mapping every packet between every asset on a
network. Indicated Trade Associations state that the expenses and
challenges of baselining increase if an expansive definition of
baselining is adopted and recommends convening a forum to discuss and
agree upon a workable definition.\152\
---------------------------------------------------------------------------
\151\ Indicated Trade Associations Comments at 13-14.
\152\ Id. at 14-15.
---------------------------------------------------------------------------
74. Conway urges that the Commission include in its security
objectives language that focuses on desired operational capabilities,
which Conway avers would help shape individual analyst roles and
response actions and inform system operators and national response to
information shared.\153\ Conway explains that ``[i]n order for the INSM
. . . technologies to be meaningful or useful the sensors and
implementation approach must be ICS [industrial control systems]
protocol aware and provide detections.'' \154\
---------------------------------------------------------------------------
\153\ Conway Comments at 4.
\154\ Id. at 2.
---------------------------------------------------------------------------
75. Beyond the proposed security objectives, multiple commenters
generally support an objective, prioritized, flexible, and risk-based
approach to the implementation of INSM to BES Cyber Systems. BPA and
NAGF advocate for flexibility for the industry to develop risk-based
criteria for implementation of INSM to allow entities to focus on their
most important assets first and then consider whether other assets
should be protected in the same manner.\155\ ISO/RTO Council and MRO
NSRF emphasize that any new or modified CIP reliability standards
should allow registered entities the necessary flexibility to implement
the INSM solution most appropriate for their own environments.\156\
---------------------------------------------------------------------------
\155\ BPA Comments at 5; NAGF Comments at 4.
\156\ ISO/RTO Council Comments at 4-5; MRO NSRF Comments at 2.
---------------------------------------------------------------------------
76. Commenters suggest other security objectives that the
Commission and NERC should prioritize. For example, NAGF suggests an
objective of maintaining logs and records of network activities.\157\
Microsoft recommends that the Commission include a security objective
to ensure that the operator has the staff and procedures in place to
drive cybersecurity improvements from its INSM solution.\158\ Microsoft
explains that effective INSM implementation requires trained staff with
the ability to respond to a pre-defined set of alerts with the security
operations center or the network operations center. Microsoft further
recommends a security objective requiring an intrusion detection system
to perform threat vector analysis for assets on the network, to aid
security personnel in prioritizing patching targets in its critical
systems.\159\
---------------------------------------------------------------------------
\157\ NAGF Comments at 1.
\158\ Microsoft Comments at 9-10.
\159\ Id. at 10.
---------------------------------------------------------------------------
2. Commission Determination
77. We agree with commenters that, as a general matter, the CIP
Reliability Standards should be objective-based, technology neutral,
and provide flexibility to entities in identifying how to address the
three security objectives identified in the NOPR.
78. Regarding comments to include security objectives pertaining to
adequate staffing and training, we believe that these goals are
necessary to achieve the three objectives stated in the NOPR and need
not be set out as separate objectives.\160\ As described above,
commenters raise a number of thoughts and suggestions pertaining to
baselining, packet-level monitoring, logging, and capture of internal
network traffic.\161\ We expand our second security objective based on
Electricity Canada's recommendation to replace software with network
communication protocols by adding ``network communication protocols''
to the objective. However, we do not adopt other recommendations,
because these matters are better raised during NERC's standards
drafting process. We are not persuaded that such level of detail is
useful to incorporate within the Commission's final action. Instead,
NERC's standards drafting process is the appropriate forum to determine
the level of detail necessary to ensure the security objectives are met
by any new or modified CIP Reliability Standards.
---------------------------------------------------------------------------
\160\ Id. at 9-10.
\161\ See, e.g., Electricity Canada Comments at 2; EPSA Comments
at 2-6; ISO/RTO Council Comments at 4-5; MRO NSRF Comments at 2;
NAGF Comments at 1; Indicated Trade Associations Comments at 18-19.
---------------------------------------------------------------------------
79. We direct NERC to ensure that the new or modified CIP
Reliability Standards that require security controls for INSM for all
high impact BES Cyber Systems with and without external routable
connectivity and medium impact BES Cyber Systems with external routable
connectivity address three security objectives for east-west network
traffic. First, any new or modified CIP Reliability Standards should
address the need for each responsible entity to develop a baseline for
their network traffic by analyzing network traffic and data flows for
security purposes. Second, any new or modified CIP Reliability
Standards should address the need for responsible entities to monitor
for and detect unauthorized activity, connections, devices, network
communication protocols, and software inside the CIP-networked
environment, as well as encompass awareness of protocols used in
industrial control systems.\162\ Third, in response to the comments
requesting that any new or modified CIP Reliability Standards should be
objective-based, we clarify our NOPR proposal so that it is not
oriented toward specific technologies or activities, as discussed
below.
---------------------------------------------------------------------------
\162\ E.g., Conway Comments at 2; CISA, Industrial Control
Systems Cybersecurity Initiative: Considerations for ICS/OT
Monitoring Technologies with an Emphasis on Detection and
Information Sharing, at 2 (2021), <a href="https://www.cisa.gov/sites/default/files/publications/ICS-Monitoring-Technology-Considerations-Final-v2_508c.pdf">https://www.cisa.gov/sites/default/files/publications/ICS-Monitoring-Technology-Considerations-Final-v2_508c.pdf</a>.
---------------------------------------------------------------------------
80. We agree that any new or modified CIP Reliability Standards
should provide flexibility to responsible entities in determining the
best way to identify anomalous activity to a high level of confidence,
so long as those
[[Page 8366]]
methods ensure: (1) logging of network traffic (we note that packet
capture is one means of accomplishing this goal); (2) maintaining those
logs, and other data collected, regarding network traffic that are of
sufficient data fidelity to draw meaningful conclusions and support
incident investigation; and (3) maintaining the integrity of those logs
and other data by implementing measures to minimize the likelihood of
an attacker removing evidence of their tactics, techniques, and
procedures (maintaining the integrity of logs and other data assures an
entity that analysis and findings from incident investigations are
representative of the actual incident and can aid in the mitigation of
current and future similar compromises).
E. Standards Development Timeframe
81. The Commission in the INSM NOPR requested comments on
reasonable timeframes for expeditiously developing and implementing
Reliability Standards for INSM given the importance of addressing this
reliability gap.\163\ The INSM NOPR also inquired as to potential
challenges to implementing INSM (e.g., cost, availability of
specialized resources, and documenting compliance).
---------------------------------------------------------------------------
\163\ INSM NOPR, 178 FERC ¶ 61,038 at P 32.
---------------------------------------------------------------------------
1. Comments
82. Among the few comments on the timeframe for developing new or
modified standards addressing INSM, ISO/RTO Council suggests a one-to-
two-year timeframe is appropriate.\164\ NERC requests that, given the
complexity of the subject matter, the Commission defer to NERC
regarding the appropriate timeline for standards development to better
assure that all relevant issues can receive the proper consideration in
the standards development process.\165\ Other commenters express
caution and counsel the Commission to balance the competing needs of
speed and quality in standards development.\166\ Others suggest an
iterative or staggered approach to standards development.\167\
---------------------------------------------------------------------------
\164\ ISO/RTO Council Comments at 3-6.
\165\ NERC Comments at 3, 6-7.
\166\ Reclamation Comments at 2; Cynalytica Comments at 3.
\167\ NAGF Comments at 4; Conway Comments at 4.
---------------------------------------------------------------------------
83. Regarding timeframes for implementation of INSM (i.e., after
the proposed INSM standards become effective), commenters recommend
timeframes for implementation ranging from two to ten years, depending
on whether INSM is to be extended to high impact, medium impact, or low
impact BES Cyber Systems. Microsoft suggests a minimum of two years for
applicable registered entities to come into compliance with a new INSM
reliability standard based on typical budget cycles. Microsoft also
points out that entities would need to change their networks to include
INSM during a shutdown period, which occurs every 12 to 18 months.\168\
---------------------------------------------------------------------------
\168\ Microsoft Comments at 10.
---------------------------------------------------------------------------
84. MRO NSRF and BPA aver that full implementation of INSM for high
and medium impact BES Cyber Systems would require a minimum of three to
five years, and MRO NSRF suggests a staggered implementation
timeline.\169\ MRO NSRF cites several challenges that could affect the
implementation timeline, including: (1) supply chain constraints if
multiple entities are trying to obtain INSM tools in the same
timeframe; (2) shortages of qualified staff; and (3) higher cost due to
additional requirements, system configurations, and sudden increase in
demand.\170\ MRO NSRF did not provide specific cost estimates.
---------------------------------------------------------------------------
\169\ MRO NSRF Comments at 3; BPA Comments at 3.
\170\ MRO NSRF Comments at 1-2.
---------------------------------------------------------------------------
85. Indicated Trade Associations do not provide a specific period
but mention that implementing INSM for large entities would require a
sizable undertaking, because doing so would entail installing new or
upgraded network equipment, increasing network connectivity, and
installing multiple INSM monitoring devices requiring aggregation to
provide complete operating pictures or baselines.\171\
---------------------------------------------------------------------------
\171\ Indicated Trade Associations Comments at 10.
---------------------------------------------------------------------------
2. Commission Determination
86. We direct NERC to submit responsive new or modified CIP
Reliability Standards within 15 months of the effective date of this
final action. We believe that a 15-month deadline would provide
sufficient time for NERC to develop responsive new or modified
Standards within NERC's standards development process. This deadline is
within the range of ISO/RTO Council's suggested one-to-two-year
timeframe. Regarding NERC's request that the Commission not set a
deadline, we believe that most of the complexities cited by NERC are
resolved by our decision not to extend INSM in this final action to low
impact BES Cyber Systems and medium impact BES Cyber Systems without
external routable connectivity.
87. We decline to direct a specific implementation timeframe for
any new or modified standards. Commenters provide a wide range of
potential implementation timeframes and raise concerns regarding
resource availability and the need for flexibility in implementing new
or modified INSM Reliability Standards. Rather than setting the
implementation timeframe at this time, we believe NERC should propose
an implementation period by balancing the various concerns raised by
commenters as well as the need to timely address the identified gap in
the CIP Standards pertaining to INSM. When submitting the proposed CIP
Standards, NERC should provide its rationale for the chosen
implementation timeframe.
F. NERC Study and Report on INSM Implementation
88. While determining above that it is premature to require INSM
for medium impact BES Cyber Systems without external routable
connectivity and all low impact BES Cyber Systems, we recognize the
importance of bolstering the cybersecurity of those systems. We believe
that extending INSM to all medium impact BES Cyber Systems and at least
a subset of low impact BES Cyber Systems in the future could be
necessary to protect the security and the reliability of the Bulk-Power
System. To provide a basis for such action, we direct NERC, pursuant to
Sec. 39.2(d) of the Commission's regulations,\172\ to conduct a study
to guide the implementation of INSM, or other mitigation strategies,
for medium impact BES Cyber Systems without external routable
connectivity and all low impact BES Cyber Systems. The study shall
focus on two main topics: (1) risk and (2) challenges and solutions.
---------------------------------------------------------------------------
\172\ 18 CFR 39.2(d).
---------------------------------------------------------------------------
89. First, regarding risk, NERC should collect from registered
entities information on the number of low impact and medium impact BES
Cyber Systems that would not be subject to the new or revised
Reliability Standards, which would inform the scope of the risk from
systems without INSM. Next, NERC should provide an analysis regarding
the substantive risks posed by these BES Cyber Systems operating
without the implementation of INSM. Specifically, NERC should determine
the quantity of: (1) substation and generation locations that contain
medium impact BES Cyber Systems without external routable connectivity;
(2) low impact locations (including a breakdown by substations,
generation resources, and control centers) that contain low impact BES
Cyber Systems without external routable connectivity; and (3) low
impact locations that contain low impact BES Cyber Systems
[[Page 8367]]
with external routable connectivity (including a breakdown by
substations, generation resources, and control centers). NERC should
then discuss the risks to the security of the Bulk-Power System due to
the lack of an INSM requirement for the identified facilities.
90. Second, regarding challenges and solutions, NERC should
identify the potential technological, logistical, or other challenges
involved in extending INSM to additional BES Cyber Systems, as well as
possible alternative actions to mitigate the risk posed. For example,
as discussed in more detail above, challenges raised by commenters
include: (1) lengthy timelines for identifying the location of low
impact BES Cyber Systems; (2) the need to add external routable
connectivity at many medium impact BES Cyber Systems to effectively
implement INSM; (3) a wider footprint for monitoring and detecting for
larger entities; (4) shortages of qualified staff; and (5) supply chain
constraints.
91. NERC should consult with Commission staff to ensure that the
study adequately addresses the topics discussed above. We direct NERC
to submit the study report to the Commission within 12 months of the
issuance of this final action.
V. Information Collection Statement
92. The information collection requirements contained in this order
are subject to review by the Office of Management and Budget (OMB)
under section 3507(d) of the Paperwork Reduction Act of 1995. OMB's
regulations require approval of certain information collection
requirements imposed by agency rules. Upon approval of a collection of
information, OMB will assign an OMB control number and expiration date.
Respondents subject to the filing requirements of this rulemaking will
not be penalized for failing to respond to this collection of
information unless the collection of information displays a valid OMB
control number. Comments are solicited on the Commission's need for the
information proposed to be reported, whether the information will have
practical utility, ways to enhance the quality, utility, and clarity of
the information to be collected, and any suggested methods for
minimizing the respondent's burden, including the use of automated
information techniques.
93. The reporting requirements (and associated burden) proposed by
the NOPR in Docket No. RM22-3-000 are already covered by the OMB-
approved FERC-725. However, we are seeking clearance for this
collection of information under FERC-725(1B), which is a temporary
placeholder number. FERC-725(1B) is being used because FERC-725 (OMB
Control Number 1902-0225) is pending review at OMB for another
collection of information, and only one item per OMB control number can
be pending review at a time. Otherwise, the collection of information
for this final action would be submitted to OMB under FERC-725, as
discussed in the NOPR, since the reporting requirements and associated
burdens in this final action are already covered by FERC-725.
94. This final action requires that entities that are in the NERC
Compliance Registry have an obligation to respond to the Commission-
directed NERC study, and thus there is a burden to be included in FERC-
725(1B) information collection requirements.
95. The NERC Compliance Registry, as of October 3, 2022, identifies
approximately 1,682 utilities, both public and non-public, in the U.S.
that may respond to the NERC study. For the following reasons, we are
using placeholders of one respondent, one response, and one burden hour
for FERC-725(1B) in order to submit this request to OMB for PRA review.
(1) We anticipate that the collection of information in this final
action will become part of FERC-725 when that collection becomes
available for revision.
(2) FERC-725 already includes burdens associated with the ERO's
responsibility for Reliability Standards Development.
(3) In order to submit the collection of information in this final
action, we must submit it through the ROCIS system, which requires
figures for respondents, responses, and burdens.
96. To approximate NERC's cost for the temporary, placeholder FERC-
725(1B), we are using the estimated average of $91/hour (for wages and
benefits) for 2022 for a Commission employee. Therefore, the estimated
annual cost of the one placeholder burden hour is $91.
VI. Environmental Analysis
97. The Commission is required to prepare an Environmental
Assessment or an Environmental Impact Statement for any action that may
have a significant adverse effect on the human environment.\173\ The
Commission has categorically excluded certain actions from this
requirement as not having a significant effect on the human
environment. Included in the exclusion are rules that are clarifying,
corrective, or procedural or that do not substantially change the
effect of the regulations being amended.\174\ The actions directed
herein fall within this categorical exclusion in the Commission's
regulations.
---------------------------------------------------------------------------
\173\ Reguls. Implementing the Nat'l Env't. Pol'cy Act, Order
No. 486, 52 FR 47897 (Dec. 17, 1987), FERC Stats. & Regs. Preambles
1986-1990 ¶ 30,783 (1987) (cross-referenced at 41 FERC ¶ 61,284).
\174\ 18 CFR 380.4(a)(2)(ii).
---------------------------------------------------------------------------
VII. Regulatory Flexibility Act
98. The Regulatory Flexibility Act of 1980 (RFA) \175\ generally
requires a description and analysis of final action that will have
significant economic impact on a substantial number of small entities.
---------------------------------------------------------------------------
\175\ 5 U.S.C. 601-612.
---------------------------------------------------------------------------
99. By only proposing to direct NERC, the Commission-certified ERO,
to develop modified Reliability Standards for INSM at BES Cyber
Systems, this final action will not have a significant or substantial
impact on entities other than NERC.\176\ Therefore, the Commission
certifies that this final action will not have a significant economic
impact on a substantial number of small entities.
---------------------------------------------------------------------------
\176\ See, e.g., Cyber Sec. Incident Reporting Reliability
Standards, Order No. 848, 83 FR 36727 (July 31, 2018), 164 FERC ¶
61,033, at P 103 (2018).
---------------------------------------------------------------------------
100. Any Reliability Standards proposed by NERC in compliance with
this rulemaking will be considered by the Commission in future
proceedings. As part of any future proceedings, the Commission will
make determinations pertaining to the Regulatory Flexibility Act based
on the content of the Reliability Standards proposed by NERC.
VIII. Document Availability
101. In addition to publishing the full text of this document in
the Federal Register, the Commission provides all interested persons an
opportunity to view and/or print the contents of this document via the
internet through the Commission's Home Page (<a href="https://www.ferc.gov">https://www.ferc.gov</a>).
102. From the Commission's Home Page on the internet, this
information is available on eLibrary. The full text of this document is
available on eLibrary in PDF and Microsoft Word format for viewing,
printing, and/or downloading. To access this document in eLibrary, type
the docket number excluding the last three digits of this document in
the docket number field.
103. User assistance is available for eLibrary and the FERC's
website during normal business hours from FERC Online Support at 202-
502-6652 (toll free at 1-866-208-3676) or email at
ferconlinesupport@ferc.gov, or the
[[Page 8368]]
Public Reference Room at (202) 502-8371, TTY (202) 502-8659. Email the
Public Reference Room at public.referenceroom@ferc.gov.
IX. Effective Date and Congressional Notification
104. This final action is effective April 10, 2023. The Commission
has determined, with the concurrence of the Administrator of the Office
of Information and Regulatory Affairs of OMB, that this action is not a
``major rule'' as defined in section 351 of the Small Business
Regulatory Enforcement Fairness Act of 1996.
By the Commission.
Issued: January 19, 2023.
Debbie-Anne A. Reese,
Deputy Secretary.
Appendix A--Commenters
------------------------------------------------------------------------
Abbreviation Commenter
------------------------------------------------------------------------
BPA.......................... Bonneville Power Administration.
CDWR......................... California Department of Water Resources
State Water Project.
Consumers.................... Consumers Energy Company.
Conway....................... Tim Conway.
Cynalytica................... Cynalytica, Inc.
Electricity Canada........... Electricity Canada.
Entergy...................... Entergy.
EPSA......................... Electric Power Supply Association.
Idaho Power.................. Idaho Power Company.
Indicated Trade Associations. Edison Electric Institute, the American
Public Power Association, the Large
Public Power Council, the National Rural
Electric Cooperative Association, and
the Electric Power Supply Association.
ISO/RTO Council.............. ISO/RTO Council.
ITC.......................... International Transmission Company.
Juniper Networks............. Juniper Networks.
Microsoft.................... Microsoft Corporation.
MRO NSRF..................... Midwest Reliability Organization NERC
Standards Review Forum.
NAGF......................... North American Generator Forum.
NERC......................... North American Electric Reliability
Corporation, Midwest Reliability
Organization, Northeast Power
Coordinating Council, Inc.,
ReliabilityFirst Corporation, SERC
Reliability Corporation, Texas
Reliability Entity, Inc., and Western
Electricity Coordinating Council.
Nozomi Networks.............. Nozomi Networks.
OT Coalition................. Operational Technology Cybersecurity
Coalition.
Reclamation.................. United States Bureau of Reclamation.
TAPS......................... Transmission Access Policy Study Group.
------------------------------------------------------------------------
[FR Doc. 2023-01453 Filed 2-8-23; 8:45 am]
BILLING CODE 6717-01-P
</pre></body>
</html>