Critical Infrastructure Protection Reliability Standard CIP-015-1-Cyber Security-Internal Network Security Monitoring

DEPARTMENT OF ENERGY <SUBAGY>Federal Energy Regulatory Commission</SUBAGY> <CFR>18 CFR Part 40</CFR> <DEPDOC>[Docket No. RM24-7-000]</DEPDOC> <SUBJECT>Critical Infrastructure Protection Reliability Standard CIP-015-1—Cyber Security—Internal Network Security Monitoring</SUBJECT> <HD SOURCE="HED">AGENCY:</HD> Federal Energy Regulatory Commission. <HD SOURCE="HED">ACTION:</HD> Notice of proposed rulemaking. <SUM> <HD SOURCE="HED">SUMMARY:</HD> The Federal Energy Regulatory Commission (Commission) proposes to approve proposed Reliability Standard CIP-015-1 (Cyber Security—Internal Network Security Monitoring), which the North American Electric Reliability Corporation (NERC), submitted in response to a Commission directive. In addition, the Commission proposes to direct that NERC develop certain modifications to proposed Reliability Standard CIP-015-1 to extend internal network security monitoring to include electronic access control or monitoring systems and physical access control systems outside of the electronic security perimeter. </SUM> <EFFDATE> <HD SOURCE="HED">DATES:</HD> Comments are due November 26, 2024. </EFFDATE> <HD SOURCE="HED">ADDRESSES:</HD> Comments, identified by docket number, may be filed in the following ways. Electronic filing through <E T="03">http://www.ferc.gov,</E> is preferred. • <E T="03">Electronic Filing:</E> Documents must be filed in acceptable native applications and print-to-PDF, but not in scanned or picture format. • For those unable to file electronically, comments may be filed by USPS mail or by hand (including courier) delivery. ○ <E T="03">Mail via U.S. Postal Service Only:</E> Addressed to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE, Washington, DC 20426. ○ <E T="03">Hand (Including Courier) Delivery:</E> Deliver to: Federal Energy Regulatory Commission, 12225 Wilkins Avenue, Rockville, MD 20852. The Comment Procedures Section of this document contains more detailed filing procedures. <FURINF> <HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD> <FP SOURCE="FP-1"> Margaret Steiner (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502 6704, <E T="03">Margaret.Steiner@ferc.gov</E> </FP> <FP SOURCE="FP-1"> Hampden T. Macbeth (Legal Information), Office of General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502 8957, <E T="03">Hampden.Macbeth@ferc.gov</E> </FP> </FURINF> <SUPLINF> <HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD> 1. Pursuant to section 215(d)(2) of the Federal Power Act (FPA), <SU>1</SU> <FTREF/> the Commission proposes to approve proposed Critical Infrastructure Protection (CIP) Reliability Standard CIP-015-1 (Cyber Security—Internal Network Security Monitoring). The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), submitted the proposed Reliability Standard for Commission approval in response to a Commission directive in Order No. 887. <SU>2</SU> <FTREF/> In addition, pursuant to section 215(d)(5) of the FPA, <SU>3</SU> <FTREF/> the Commission proposes to direct that NERC develop further modifications to Reliability Standard CIP-015-1, within 12 months of the effective date of a final rule in this proceeding, to extend Internal Network Security Monitoring (INSM)  <SU>4</SU> <FTREF/> to include electronic access control or monitoring systems (EACMS)  <SU>5</SU> <FTREF/> and physical access control systems (PACS)  <SU>6</SU> <FTREF/> outside of the electronic security perimeter. <FTNT> <SU>1</SU>  16 U.S.C. 824o(d)(2). </FTNT> <FTNT> <SU>2</SU>   <E T="03">Internal Network Sec. Monitoring for High & Medium Impact Bulk Elec. Sys. Cyber Sys.,</E> Order No. 887, 88 FR 8354 (Feb. 9, 2023), 182 FERC ¶ 61,021 (2023). </FTNT> <FTNT> <SU>3</SU>  16 U.S.C. 824o(d)(5). </FTNT> <FTNT> <SU>4</SU>  INSM is “a subset of network security monitoring that is applied within a `trust zone,' such as an electronic security perimeter.” Order No. 887, 182 FERC ¶ 61,021 at P 2. </FTNT> <FTNT> <SU>5</SU>  EACMS are “Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems.” NERC, <E T="03">Glossary of Terms Used in NERC Reliability Standards,</E> (July 22, 2024), <E T="03">https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf</E> (NERC Glossary). </FTNT> <FTNT> <SU>6</SU>  PACS are “Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers.” <E T="03">Id.</E> </FTNT> 2. In Order No. 887, the Commission directed that NERC develop new or modified CIP Reliability Standards that require INSM for CIP-networked environments for all high impact bulk electric system (BES) Cyber Systems  <SU>7</SU> <FTREF/> with and without external routable connectivity  <SU>8</SU> <FTREF/> and medium impact BES Cyber Systems with external routable connectivity. <SU>9</SU> <FTREF/> Proposed Reliability Standard CIP-015-1 is partly responsive to the Commission's directives in Order No. 887 and advances the reliability of the Bulk-Power System by (1) establishing requirements for INSM for network traffic inside an electronic security perimeter, and (2) requiring INSM for all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity to ensure the identification of anomalous network activity indicating an ongoing attack. <SU>10</SU> <FTREF/> Accordingly, we propose approving proposed Reliability Standard CIP-015-1. <FTNT> <SU>7</SU>  NERC defines BES Cyber Systems as “One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.” <E T="03">See</E> NERC Glossary. BES Cyber Systems are categorized as high, medium, or low impact depending on the functions of the assets housed within each system and the risk they potentially pose to the reliable operation of the Bulk-Power System. Reliability Standard CIP-002-5.1a (BES Cyber System Categorization) sets forth criteria that registered entities apply to categorize BES Cyber Systems as high, medium, or low impact depending on the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. The impact level ( <E T="03">i.e.,</E> high, medium, or low) of BES Cyber Systems, in turn, determines the applicability of security controls for BES Cyber Systems that are contained in the remaining CIP Reliability Standards ( <E T="03">i.e.,</E> Reliability Standards CIP-003-8 to CIP-013-1). </FTNT> <FTNT> <SU>8</SU>  External routable connectivity is “[t]he ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection.” NERC Glossary. </FTNT> <FTNT> <SU>9</SU>  Order No. 887, 182 FERC ¶ 61,021 at P 49. </FTNT> <FTNT> <SU>10</SU>  NERC Petition at 1, 13. </FTNT> 3. Proposed Reliability Standard CIP-015-1 is not, however, fully responsive to the Commission's directive to implement INSM for the “CIP-networked environment.”  <SU>11</SU> <FTREF/> In particular, the proposed Standard may not adequately defend against attacks that circumvent network perimeter-based security controls. Attacks external to the electronic security perimeter may compromise systems, such as EACMS or PACS, and then infiltrate the perimeter as a trusted communication, thus limiting the effectiveness of an approach that employs INSM only within the electronic security perimeter. The Commission used the phrase “CIP-networked environment” in Order No. 887 to be necessarily broader than the electronic security perimeter. <SU>12</SU> <FTREF/> Accordingly, to address this reliability and security gap, the Commission proposes to direct that NERC develop modifications to the proposed Reliability Standard CIP-015-1 to extend INSM to include EACMS and PACS outside of the electronic security perimeter. <FTNT> <SU>11</SU>   <E T="03">See</E> Order No. 887, 182 FERC ¶ 61,021 at P 1. </FTNT> <FTNT> <SU>12</SU>   <E T="03">Id.</E> P 49. </FTNT> <HD SOURCE="HD1">I. Background</HD> <HD SOURCE="HD2">A. Section 215 and Mandatory Reliability Standards</HD> 4. Section 215 of the FPA provides that the Commission may certify an ERO, the purpose of which is to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. <SU>13</SU> <FTREF/> Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently. <SU>14</SU> <FTREF/> Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO, <SU>15</SU> <FTREF/> and subsequently certified NERC. <SU>16</SU> <FTREF/> <FTNT> <SU>13</SU>  16 U.S.C. 824o(c). </FTNT> <FTNT> <SU>14</SU>   <E T="03">Id.</E> 824o(e). </FTNT> <FTNT> <SU>15</SU>   <E T="03">Rules Concerning Certification of the Elec. Reliability Org.; & Procs. for the Establishment, Approval, & Enforcement of Elec. Reliability Standards,</E> Order No. 672, 114 FERC ¶ 61,104, <E T="03">order on reh'g,</E> Order No. 672-A, 114 FERC ¶ 61,328 (2006); <E T="03">see also</E> 18 CFR 39.4(b) (2024). </FTNT> <FTNT> <SU>16</SU>   <E T="03">N. Am. Elec. Reliability Corp.,</E> 116 F ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Preview showing 10k of 49k characters. Full document text is stored and available for version comparison. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━