Project 2023-03 Internal Network Security Monitoring (INSM)

Status
Board Adopted: May 9, 2024

Filed with FERC: June 24, 2024


Background
On January 19, 2023, the Federal Energy Regulatory Commission (FERC) issued Order No. 887¹ directing NERC to develop requirements within the Critical Infrastructure Protection (CIP) Reliability Standards for internal network security monitoring (INSM) of all high impact BES Cyber Systems and medium impact BES Cyber Systems with External Routable Connectivity (ERC). INSM permits entities to monitor traffic once it is within a trusted zone, such as the Electronic Security Perimeter, to detect intrusions or malicious activity. Specifically, Order No. 887 directs NERC to develop Reliability Standards requirements that are “forward-looking, objective-based”² and address three security objectives outlined in Order No. 887. FERC directed NERC to submit these revisions for approval by July 9, 2024.

Standard(s) Affected: CIP-015-1

Purpose/Industry Need
While the CIP Reliability Standards require monitoring of the Electronic Security Perimeter and associated systems for high and medium impact Bulk Electric System (BES) Cyber Systems, the CIP networked environment remains vulnerable to attacks that bypass network perimeter-based security controls traditionally used to identify the early phases of an attack. This presents a gap in the currently effective CIP Reliability Standards. To address this gap, CIP Reliability Standards should be created or modified to require INSM for all high impact BES Cyber Systems and medium impact BES Cyber Systems with External Routable Connectivity (ERC) to ensure the detection of anomalous network activity indicative of an attack in progress. These provisions will increase the probability of early detection and allow for quicker mitigation and recovery from an attack. Current CIP Reliability Standards are insufficient to protect against insider threats or vulnerabilities that are exploited through supply chain attacks such as SolarWinds.

Subscribe to this project's observer mailing list
Select "NERC Email Distribution Lists" from the "Service" drop-down menu and specify "Project 2023-03 Internal Network Security Monitoring Observer List" in the Description Box.

1 Internal Network Security Monitoring for High and Medium Impact Bulk Electric System Cyber Systems, Order No. 887, 182 FERC ¶ 61,021 (Jan. 19, 2023).
2 Order No. 887 at P 5.

Draft | Actions | Dates | Results | Consideration of Comments

Final Draft

CIP-015-1
Clean | Redline | Redline of R2, R3, M2, and M3 language
*Please Note: The DT reversed the order of Requirements R2 and R3 to better align the order of the requirements. The redline of proposed Reliability Standard CIP-015-1 is reflective of that change. However, the DT found that it was difficult to distinguish the changes in the requirements and measures from the redlines due to re-ordering, so the DT made the re-ordering changes in green text, while the edits in the requirements and measures remain in redline.

Implementation Plan
Clean | Redline

 

Supporting Materials

VRF/VSL Justifications
Clean | Redline

Technical Rationale  
Clean | Redline

FAQ for CIP-015-1
Clean | Redline

Final Ballot
Info
Vote
04/24/24 - 04/30/24

Ballot Results



Additional Ballot, Draft 2 of

CIP-015-1
Clean | Redline * updated
*Requirement R1 was updated to correct an error in the language from “BES Security Systems” to “BES Cyber Systems” to align with the clean version of Draft 2 of CIP-015-1.

Implementation Plan
Clean | Redline

 

Supporting Materials

Unofficial Comment Form


VRF/VSL Justifications

Clean | Redline

Technical Rationale  
Clean | Redline

FAQ for CIP-015-1

Additional Ballot
Ballots Open Reminder
Info * updated
Vote
04/12/24 - 04/17/24

Ballot Results
Non-Binding Poll Result

Comment Period
Info
Submit Comments
04/05/24 - 04/17/24

Comments Received

Consideration of Comments
Additional Ballot, Draft 1 of

CIP-015-1

CIP-007-X
Based on comments received, the DT has created a new proposed Reliability Standard, CIP-015-1, rather than continue to propose revisions to CIP-007. As a result, there will be no changes to CIP-007 and it will revert to the currently-enforced version. The files above reflect the new CIP-015-1 and removal of Requirement R6 and its parts from CIP-007-X. EACMS and PACS outside of the ESP have been excluded from Draft 1 of CIP-015-1.

Implementation Plan
 
Supporting Materials


VRF/VSL Justifications

Initial Ballot of CIP-015 (additional ballot for the Project 2023-03)
Ballots Open Reminder
Info
Vote
03/12/24 - 03/18/24

Ballot Results
Non-Binding Poll Result

Consideration of Comments

Comment Period
Info
Submit Comments
02/27/24 - 03/18/24

Comments Received


Ballot Pools

The existing CIP-007-X ballot pool is being used for all of the ballots associated with this project.

Waiver
Standards Committee accepted the waiver on February 21, 2024.

Draft 1

CIP-007-X
Clean | Redline

Implementation Plan

 

Supporting Materials

Unofficial Comment Form

VRF/VSL Justifications

Technical Rationale

Vote
01/08/24 - 01/17/24

Ballot Results
Non-Binding Poll Result

Join Ballot Pools
Ballot Pools Forming Reminder
12/14/23 - 01/02/24

Comments Received

Consideration of Comments

Comment Period
12/14/23 - 01/17/24

Waiver
Waiver | Meeting Minutes
Standards Committee accepted the waiver on August 23, 2023.

Standard Authorization Request (SAR)
Clean | Redline
The Standards Committee accepted the SAR on August 23, 2023

Drafting Team Nominations

Supporting Materials
Unofficial Nomination Form (Word)

Nomination Period
04/06/2023 – 05/05/2023

Supporting Materials
Unofficial Comment Form (Word)

Comment Period
Info
Submit Comments
04/06/2023 – 05/05/2023

Comments Received