Project 2023-03 Internal Network Security Monitoring (INSM)

Related Files

Status
A seven-day final ballot for Project 2023-03 Internal Network Security Monitoring is open through 8 p.m. Eastern, Tuesday, April 30, 2024 for the following standard and implementation plan:

• CIP-015-1 – Cyber Security – Internal Network Security Monitoring

• Implementation Plan

The Standards Committee approved waivers to the Standard Processes Manual at their August 2023 meeting, with the additional waiver approved in February 2024. These waivers were sought by NERC Standards for reduced formal comment and ballot periods to assist the drafting team in expediting the standards development process due to firm timeline expectations set by FERC Order No. 887. FERC Order No. 887 was issued under Docket No. RM22-3-000 on January 19, 2023.

Background

On January 19, 2023, the Federal Energy Regulatory Commission (FERC) issued Order No. 887¹ directing NERC to develop requirements within the Critical Infrastructure Protection (CIP) Reliability Standards for internal network security monitoring (INSM) of all high impact BES Cyber Systems and medium impact BES Cyber Systems with External Routable Connectivity (ERC). INSM permits entities to monitor traffic once it is within a trusted zone, such as the Electronic Security Perimeter, to detect intrusions or malicious activity. Specifically, Order No. 887 directs NERC to develop Reliability Standards requirements that are “forward-looking, objective-based"² and address three security objectives outlined in Order No. 887. FERC directed NERC to submit these revisions for approval by July 9, 2024.

Standard(s) Affected: CIP-015-1

Purpose/Industry Need
While the CIP Reliability Standards require monitoring of the Electronic Security Perimeter and associated systems for high and medium impact Bulk Electric System (BES) Cyber Systems, the CIP networked environment remains vulnerable to attacks that bypass network perimeter-based security controls traditionally used to identify the early phases of an attack. This presents a gap in the currently effective CIP Reliability Standards. To address this gap, CIP Reliability Standards should be created or modified to require INSM for all high impact BES Cyber Systems and medium impact BES Cyber Systems with External Routable Connectivity (ERC) to ensure the detection of anomalous network activity indicative of an attack in progress. These provisions will increase the probability of early detection and allow for quicker mitigation and recovery from an attack. Current CIP Reliability Standards are insufficient to protect against insider threats or vulnerabilities that are exploited through supply chain attacks such as SolarWinds.

Subscribe to this project's observer mailing list
Select "NERC Email Distribution Lists" from the "Service" drop-down menu and specify “Project 2023-03 Internal Network Security Monitoring Observer List" in the Description Box.

¹ Internal Network Security Monitoring for High and Medium Impact Bulk electric System Cyber Systems, Order No. 887, 182 FERC ¶ 61,021 (Jan. 19, 2023).
² Order No. 87 at P 5.

Draft	Actions	Dates	Results	Consideration of Comments
Final Draft CIP-015-1 Clean \| Redline \| Redline of R2, R3, M2, and M3 language Please Note: The DT reversed the order of Requirements R2 and R3 to better align the order of the requirements. The redline of proposed Reliability Standard CIP-015-1 is reflective of that change. However, the DT found that it was difficult to distinguish the changes in the requirements and measures from the redlines due to re-ordering, so the DT made the re-ordering changes in green text, while the edits in the requirements and measures remain in redline. Implementation Plan* Clean \| Redline Supporting Materials VRF/VSL Justifications Clean \| Redline Technical Rationale Clean \| Redline FAQ for CIP-015-1 Clean \| Redline	Final Ballot Info Vote	04/24/24- 04/30/24
Additional Ballot, Draft 2 of CIP-015-1 Clean \| Redline * updated Requirement R1 was updated to correct an error in the language from “BES Security Systems” to “BES Cyber Systems” to align with the clean version of Draft 2 of CIP-015-1. Implementation Plan* Clean \| Redline Supporting Materials Unofficial Comment Form VRF/VSL Justifications Clean \| Redline Technical Rationale Clean \| Redline FAQ for CIP-015-1	Additional Ballot Ballots Open Reminder Info*updated Vote	04/12/24- 04/17/24	Ballot Results CIP-015-1 Implementation Plan Non-Binding Poll Result CIP-015-1
	Comment Period Info Submit Comments	04/05/24- 04/17/24	Comments Received	Consideration of Comments
Additional Ballot, Draft 1 of CIP-015-1 Clean CIP-007-X Redline Based on comments received, the DT has created a new proposed Reliability Standard, CIP-015-1, rather than continue to propose revisions to CIP-007. As a result, there will be no changes to CIP-007 and it will revert to the currently-enforced version. The files above reflect the new CIP-015-1 and removal of Requirement R6 and its parts from CIP-007-X. EACMS and PACS outside of the ESP have been excluded from Draft 1 of CIP-015-1. Implementation Plan Clean \| Redline Supporting Materials Unofficial Comment Form VRF/VSL Justifications Clean \| Redline Technical Rationale	Initial Ballot of CIP-015 (additional ballot for the Project 2023-03) Ballots Open Reminder Info Vote	03/12/24- 03/18/24	Ballot Results CIP-015-1 Implementation Plan Non-Binding Poll Result CIP-015-1	Consideration of Comments
	Comment Period Info Submit Comments	02/27/24- 03/18/24	Comments Received
	Ballot Pools The existing CIP-007-X ballot pool is being used for all of the ballots associated with this project.	02/27/24- 03/18/24	Comments Received
Waiver	Standards Committee accepted the waiver on February 21, 2024.
Draft 1 CIP-007-X Clean \| Redline Implementation Plan Supporting Materials Unofficial Comment Form VRF/VSL Justifications Technical Rationale	Initial Ballot Ballots Open Reminder Info Vote	01/08/24- 01/17/24	Ballot Results CIP-007-X Implementation Plan Non-Binding Poll Result CIP-007-X
	Join Ballot Pools Ballot Pools Forming Reminder	12/14/23 - 01/02/24	Comments Received	Consideration of Comments
	Comment Period Info Submit Comments	12/14/23 - 01/17/24	Comments Received	Consideration of Comments
Waiver Waiver l Meeting Minutes	Standards Committee accepted the waiver on August 23, 2023.
Standard Authorization Request (SAR) Clean \| Redline	The Standards Committee accepted the SAR on August 23, 2023
Drafting Team Nominations Supporting Materials Unofficial Nomination Form (Word)	Nomination Period Info Submit Nominations	04/06/2023 – 05/05/2023
Standard Authorization Request Supporting Materials Unofficial Comment Form (Word)	Comment Period Info Submit Comments	04/06/2023 – 05/05/2023	Comments Received

Atlanta Office | 3353 Peachtree Road, NE Suite 600 North Tower, Atlanta, GA 30326 | 404-446-2560
Washington Office | 1401 H Street NW, Suite 410, Washington, DC 20005| 202-400-3000

Group Health Plan Transparency in Coverage Files*

*This link leads to the machine-readable files that are made available in response to the federal Transparency in Coverage Rule and includes negotiated service rates and out-of-network allowed amounts between health plans and healthcare providers. The machine-readable files are formatted to allow researchers, regulators, and application developers to more easily access and analyze data.

Project-2023-03-INSM // <![CDATA[ _spBodyOnLoadFunctionNames.push("setupPageDescriptionCallout"); // ]]>

Project-2023-03-INSM