FERC proposes internal monitoring requirements for bulk electric facilities to address security ‘gap’
New INSM requirements would fill a gap in utility security, say security experts, but others remain and the process to patch them is long.
“Internal network monitoring was definitely a gap in the CIP standards, and I’m glad it will be filled. But the real scandal is how many other gaps there are,” security consultant Tom Alrich said, pointing to ransomware, phishing and long-term attacks known as advanced persistent threats. Often, utilities are addressing these threats on their own, he said.
While current CIP requirements focus on preventing an attack, Miller said modern security also puts a focus on identifying breaches when countermeasures have failed. “The proposed rulemaking addresses this need,” he said.
Including INSM requirements in the CIP standards would ensure utilities maintain visibility over communications within their networks and “not simply monitor communications at the network perimeter,” the proposed rule says. In the event of a successful attack, improved internal monitoring “would increase the probability of early detection of malicious activities and would allow for quicker mitigation and recovery from an attack.”
The current lack of INSM requirements is important but “not critical,” Mark Carrigan, cyber vice president of process safety and operational technology cybersecurity at Hexagon PPM, said in an email.
“Implementing network monitoring technology is an important step to an overall security program, but it is not a ‘silver bullet’ that will dramatically reduce the risk to the nation’s critical infrastructure,” he said.
Carrigan also said that, depending upon the scope required for implementation, the new rule “could be a very expensive initiative that will not have a dramatic improvement to security.” Older control systems operating critical infrastructure often cannot serve up information to a network monitoring solution, he said, and if those networks must be upgraded “it could cost a company millions of dollars, and the amount of risk reduction may not be worth the cost.”