Full Report
The Federal Energy Regulatory Commission (FERC) has withdrawn its notice of inquiry and terminated the related rulemaking proceeding... The post FERC ends rulemaking on a CIP reliability standard, seeks input on coordinated cyberattack risks appeared first on Industrial Cyber.
Analysis Summary
# Regulation/Compliance: FERC CIP Standards Review Termination & Evolving Requirements
## Overview
This summary addresses the Federal Energy Regulatory Commission's (FERC) termination of the Notice of Inquiry (NOI) in Docket No. RM20-12-000, which had explored enhancing Critical Infrastructure Protection (CIP) Reliability Standards to better address data security, anomaly detection, mitigation, and the risk of coordinated cyberattacks, aligning with the NIST Cybersecurity Framework. While the specific NOI proceeding is terminated, FERC continues to approve and direct the development of new and updated CIP standards (like CIP-015-1 and CIP-003-11) based on the issues initially raised, indicating a sustained commitment to raising the cybersecurity bar for the Bulk-Power System (BPS).
## Key Details
- Issuing Authority: Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) (as the standards developer).
- Effective Date: The termination of the NOI (Docket No. RM20-12-000) becomes effective July 31. However, related mandatory standards (e.g., CIP-015-1) are already active or nearing implementation deadlines.
- Jurisdiction: North America, specifically entities operating the Bulk-Power System (BPS).
- Status: Final (for the NOI termination); Active/Developing (for related CIP standards).
## Requirements
### Mandatory Requirements
*(Note: These requirements stem from subsequent FERC actions and standards developed following the initial RM20-12-000 inquiry, as the industry addresses the same concerns through formal standards development.)*
1. **Implement Internal Network Security Monitoring (INSM):** Registered entities must comply with Reliability Standard **CIP-015-1**, mandating INSM for Industrial Control Systems (ICS) within the Electronic Security Perimeter (ESP).
2. **Expand Security Coverage:** CIP-015-1 requirements will expand to cover electronic access control and physical access control systems within the year.
3. **Address Supply Chain Risk (Low Impact Systems):** Entities must adhere to Reliability Standard **CIP-003-9** (and subsequent revisions like CIP-003-11) requiring methods for determining and disabling vendor remote access for low-impact Bulk Electric System (BES) cyber systems.
4. **Control Center Communications Security:** Compliance with standards addressing control center communications, specifically ensuring the confidentiality and integrity of real-time assessment and monitoring data (related to CIP-012-1 updates).
### Recommended Practices
1. **Address Coordinated Attack Vectors:** Continue analyzing and implementing measures to mitigate the risk of coordinated cyberattacks across geographically distributed targets, leveraging NERC programs and voluntary industry actions identified during the NOI process.
2. **Enhance Low-Impact System Protections:** Consider additional protections for low-impact BES cyber systems beyond what is strictly required by current standards.
3. **Gap Analysis against NIST Framework:** While direct mapping is cautioned against, organizations should assess CIP coverage against relevant categories within the NIST Cybersecurity Framework where gaps may still exist.
## Affected Organizations
- Industries: Electric utilities, power generation, transmission owners/operators, and reliability coordinators within the North American electric sector—anyone designated as a "registered entity" under NERC Critical Infrastructure Protection (CIP) standards.
- Organization Size: Primarily driven by designation as a BPS asset owner/operator, regardless of commercial size.
- Geographic Scope: North America (United States, Canada, and parts of Mexico covered by NERC Reliability requirements).
## Compliance Timeline
- **CIP-015-1 Approval:** Formally approved recently (as per the article context).
- **CIP-015-1 Implementation:** Registered entities must generally begin preparing for audits and implementing INSM measures immediately, with full compliance required according to the standard's approved compliance date (typically within 1-2 years of approval, though the article notes *within the year* for coverage expansion).
- **Final Deadline (General CIP):** Compliance deadlines for specific standards (like CIP-015-1, CIP-003-11) are set by NERC and approved by FERC; organizations must track the effective dates of newly approved standards.
## Implementation Guidance
### Assessment Phase
- **AS-IS Analysis:** Conduct a deep-dive assessment to map current security controls against mandatory requirements in active standards, particularly CIP-015-1 (internal network monitoring) and CIP-003-9/11 (supply chain/remote access).
- **Identify Gaps:** Specifically review internal electronic security perimeters (ESPs) to determine monitoring coverage for ICS, an area targeted by CIP-015-1.
### Implementation Phase
- **Deploy INSM Tools:** Implement and configure network security monitoring tools capable of inspecting traffic *inside* the ESP, focusing on real-time assessment and monitoring data integrity between control centers.
- **Vendor Access Control:** Formalize processes under CIP-003-9/11 for identifying, tracking, and disabling unauthorized remote vendor access to low-impact BES cyber systems.
### Validation Phase
- **Audit Preparation:** Prepare documentation demonstrating adherence to the new monitoring and access control requirements for impending NERC audits.
- **Testing:** Verify the effectiveness of monitoring tools in detecting anomalies originating internally or laterally within the control environment.
## Technical Requirements
1. **Internal Network Security Monitoring (CIP-015-1):** Monitoring must occur *inside* the ESP for ICS/BPS cyber systems, moving beyond perimeter defenses.
2. **Data Integrity and Confidentiality:** Protection measures must maintain the confidentiality and integrity of communication, especially real-time assessment and monitoring data between control centers (related to CIP-012-1 revisions).
3. **Vulnerability Management:** Requirements for determining and disabling vendor remote access mechanisms.
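To make the "monitoring inside the ESP" point of requirement 1 (and the lateral-anomaly testing step in the Validation Phase) concrete, here is an added example, not code from the article, NERC or FERC, of the baseline-deviation logic an INSM sensor applies to east-west traffic: observed flows between BES cyber assets are compared against an approved communications baseline, and unbaselined peers, services and initiators are flagged. Asset names, ports and flow records are constructed.

```python
"""Added example (not from the article, NERC or FERC): a minimal
communications-baseline check of the kind CIP-015-1 INSM calls for.
All asset names, ports and flow records below are constructed."""

# Constructed baseline of approved conversations inside the ESP:
# (source asset, destination asset, destination port). Names are hypothetical.
BASELINE = {
    ("hmi-01", "plc-01", 502),       # Modbus/TCP from HMI to PLC
    ("hmi-01", "plc-02", 502),
    ("scada-srv", "hmi-01", 5900),   # remote display session to the HMI
    ("eng-ws", "plc-01", 44818),     # EtherNet/IP from the engineering workstation
}

# Constructed flow records, as an INSM sensor inside the ESP might emit them.
FLOWS = [
    {"src": "hmi-01", "dst": "plc-01", "dport": 502},
    {"src": "hmi-01", "dst": "plc-02", "dport": 502},
    {"src": "eng-ws", "dst": "plc-01", "dport": 44818},
    {"src": "eng-ws", "dst": "plc-02", "dport": 44818},  # known initiator, new peer
    {"src": "plc-01", "dst": "eng-ws", "dport": 445},    # a PLC never initiates in baseline
    {"src": "hmi-01", "dst": "plc-01", "dport": 22},     # known pair, unbaselined service
]


def classify_flow(flow, baseline=BASELINE):
    """Return 'baseline', or the strongest deviation reason for one flow.

    Order matters: an asset that never initiates traffic in the baseline
    (e.g. a PLC opening a connection) is the most suspicious lateral signal,
    then a known pair talking on a new service, then a wholly new pair.
    """
    key = (flow["src"], flow["dst"], flow["dport"])
    if key in baseline:
        return "baseline"
    initiators = {s for s, _, _ in baseline}
    if flow["src"] not in initiators:
        return "unknown-initiator"
    known_pairs = {(s, d) for s, d, _ in baseline}
    if (flow["src"], flow["dst"]) in known_pairs:
        return "new-service"
    return "new-pair"


def find_anomalies(flows, baseline=BASELINE):
    """Return only the flows that deviate from the baseline, tagged with a reason."""
    tagged = [dict(flow, reason=classify_flow(flow, baseline)) for flow in flows]
    return [flow for flow in tagged if flow["reason"] != "baseline"]


if __name__ == "__main__":
    for hit in find_anomalies(FLOWS):
        print(f"{hit['reason']:<18} {hit['src']} -> {hit['dst']}:{hit['dport']}")
```

A production sensor would learn the baseline from an approved observation window and re-baseline under change control; the classification order is the part worth carrying over.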
## Penalties & Enforcement
- Fines: While the article doesn't specify current RM20-12-000 penalties, enforcement for CIP violations generally involves significant monetary penalties levied by FERC against registered entities for non-compliance with NERC Reliability Standards.
- Other Consequences: Mandatory corrective action plans, negative reliability assessments, and reputational damage.
- Enforcement: FERC enforces CIP standards through NERC audits and compliance filings. Non-compliance can lead to significant financial penalties and mandatory remediation.
## Related Standards
- **NERC CIP Reliability Standards:** The primary regulatory framework (e.g., CIP-003, CIP-015).
- **NIST Cybersecurity Framework (NIST CSF):** Used as a comparative benchmark by FERC staff, indicating areas where CIP standards should evolve to incorporate best practices for data security, detection, and mitigation.
## Resources
- Official Documentation: Federal Register notice regarding the termination of Docket No. RM20-12-000.
- Guidance Documents: NERC implementation guides specific to CIP-015-1 and CIP-003-11 for practical application.
- Tools: Solutions for network traffic analysis, intrusion detection systems capable of deep packet inspection within the control network.
## Practical Recommendations
1. **Prioritize CIP-015-1 Implementation:** Given its recent formal approval, immediately focus resources on deploying the required internal network monitoring capabilities for ICS environments.
2. **Monitor Regulatory Cross-Currents:** Be aware that FERC's closure of the NOI signals a shift from inquiry to direct standards development. Organizations should anticipate that regulatory expectations for anomaly detection and comprehensive risk management will continue to rise, regardless of potential broader deregulatory policy momentum.
3. **Review Low-Impact Assets:** Ensure rigorous adherence to supply chain/remote access controls (CIP-003) for low-impact systems, as these areas have been subject to recent standardization.