Dive Brief:
- The Federal Energy Regulatory Commission has proposed new security requirements for high- and medium-impact bulk electric system facilities that would require them to "maintain visibility over communications between networked devices" within discrete computing environments known as "trust zones." The agency is also taking comment on whether to apply the rule to low-impact facilities.
- The lack of internal network security monitoring (INSM) requirements is a "gap" in the North American Electric Reliability Corp.'s Critical Infrastructure Protection (CIP) standards, according to a notice of proposed rulemaking published Thursday in the Federal Register. Comments are due within 60 days.
- The rule would modernize the CIP security approach for the power sector, which "has historically focused on preventative controls" rather than detection, Ben Miller, vice president of professional services and research and development for Dragos, said in an email. But experts also say it is unclear how much security will be improved by the proposed change, and at what cost.
Dive Insight:
New INSM requirements would fill one gap in utility security, security experts say, but other gaps remain and the process to close them is slow.
"Internal network monitoring was definitely a gap in the CIP standards, and I’m glad it will be filled. But the real scandal is how many other gaps there are," security consultant Tom Alrich said, pointing to ransomware, phishing and long-term attacks known as advanced persistent threats. Often, utilities are addressing these threats on their own, he said.
While current CIP requirements focus on preventing an attack, Miller said modern security also puts a focus on identifying breaches when countermeasures have failed. "The proposed rulemaking addresses this need," he said.
Including INSM requirements in the CIP standards would ensure utilities maintain visibility over communications within their networks and "not simply monitor communications at the network perimeter," the proposed rule says. In the event of a successful attack, improved internal monitoring "would increase the probability of early detection of malicious activities and would allow for quicker mitigation and recovery from an attack."
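To make the distinction in the proposed rule concrete, here is an added example (not code from FERC, NERC, Dragos or the rule itself) that models a trust zone as a set of device names with a baseline of expected conversations, then compares what perimeter-only monitoring would see against what internal monitoring reveals. Zone names, device names and flow records are constructed sample data.

```python
"""Toy internal network security monitoring (INSM) check over flow records."""
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    port: int


# Constructed trust zones for a substation-style environment (hypothetical names).
ZONES = {
    "control": {"hmi-1", "eng-ws-1", "historian"},
    "field": {"rtu-1", "rtu-2"},
}
# Constructed baseline of conversations observed during normal operation.
BASELINE = {
    ("hmi-1", "rtu-1", 502), ("hmi-1", "rtu-2", 502), ("historian", "hmi-1", 1433),
}


def zone_of(host: str) -> str:
    for name, members in ZONES.items():
        if host in members:
            return name
    return "external"


def crosses_perimeter(flow: Flow) -> bool:
    """A perimeter-only monitor sees just traffic entering or leaving the environment."""
    return "external" in (zone_of(flow.src), zone_of(flow.dst))


def insm_alerts(flows):
    """Flag conversations absent from the baseline, labelled by the zones involved."""
    alerts = []
    for f in flows:
        if (f.src, f.dst, f.port) in BASELINE:
            continue
        sz, dz = zone_of(f.src), zone_of(f.dst)
        scope = "intra-zone" if sz == dz else f"{sz}->{dz}"
        alerts.append((scope, f))
    return alerts


def perimeter_visible_alerts(flows):
    """Subset of the same alerts a perimeter-only monitor could have produced."""
    return [a for a in insm_alerts(flows) if crosses_perimeter(a[1])]


SAMPLE_FLOWS = [
    Flow("hmi-1", "rtu-1", 502),              # expected, in baseline
    Flow("eng-ws-1", "historian", 445),       # new conversation inside the control zone
    Flow("eng-ws-1", "rtu-2", 502),           # workstation reaching into the field zone
    Flow("historian", "203.0.113.9", 443),    # outbound to external: perimeter sees this
]
```

Running `insm_alerts(SAMPLE_FLOWS)` yields three alerts, of which only the outbound flow would have been visible to perimeter monitoring.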
The current lack of INSM requirements is important but "not critical," Mark Carrigan, cyber vice president of process safety and operational technology cybersecurity at Hexagon PPM, said in an email.
"Implementing network monitoring technology is an important step to an overall security program, but it is not a 'silver bullet' that will dramatically reduce the risk to the nation's critical infrastructure," he said.
Depending upon the scope required for implementation, Carrigan also said the new rule "could be a very expensive initiative that will not have a dramatic improvement to security." Older control systems operating critical infrastructure often cannot serve up information to a network monitoring solution, he said, and if those networks must be upgraded "it could cost a company millions of dollars, and the amount of risk reduction may not be worth the cost."
As for applying the rule to low-impact facilities, Miller said off-the-shelf technology for OT detection and monitoring already exists.
Carrigan said the new requirements should not be extended to lower-impact facilities. "The problem with requiring a certain approach on all assets is that you can end up spending a lot of money on programs that do not reduce much risk," he said.
Alrich warned that the process to develop CIP standards is too complicated, and new standards should not be required to address new threats, "or as in this case, a longstanding threat."
"If we’re lucky, this new standard might be in force in three years, but it could very well take longer than that," Alrich said.