The Federal Energy Regulatory Commission is considering new regulations that would require owners and operators of bulk power systems to implement internal grid security monitoring.
The proposal would require the North American Electric Reliability Corporation to develop updated reliability standards that include the requirement and cover high- and medium-impact systems, meaning those whose compromise by a cyberattack would have the most negative impact on the reliability and operation of the bulk electric system.
“Based on the current threat environment … a requirement for [internal network monitoring] that augments existing perimeter defenses is critical to increasing network visibility so an entity can understand what is happening in its CIP networked environment, and thereby improve its ability to timely detect potential compromises,” the agency said in a press release on the regulations proposed last week.
These monitoring technologies include versatile tools such as intrusion detection systems, anti-virus systems, and firewalls that help block malicious traffic. They would also potentially allow those owners and operators to detect cyberattacks or breaches occurring on their networks more quickly, establish baselines for what is considered “normal” behavior on their networks, and gain a head start in detecting abnormal or malicious activity.
The commission is also seeking comments from members of the public on whether it is practical for the proposed guidance to also include industrial control systems designated as “low impact.” FERC said these systems generally have fewer security controls in place, and there are concerns about how practical or useful it would be to implement similar standards for them.
Current regulatory standards for BES systems generally focus on implementing protections at the network perimeter and do not require such monitoring except at access points and for inbound and outbound traffic. Cybersecurity experts say this way of protecting systems and data is becoming increasingly outdated and fails to account for a range of modern attack vectors, such as cloud environments, supply chain attacks that compromise trusted third-party technology providers, and insider threats.
“In the context of supply chain risk, a malicious update from a known software vendor could be uploaded directly to a server as trusted code, and it would raise no alarms until ‘abnormal behavior occurs and is detected,’” the proposal states.
This is more or less a description of how the federal government fell victim to Russian government hackers in the SolarWinds campaign. FERC is also concerned about other potential threats, such as disgruntled or compromised employees with elevated account privileges who “could identify and collect data, add additional accounts, delete logs, or even exfiltrate data undetected.”
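The two failure modes the article describes above, a trusted update that passes the perimeter and then behaves abnormally, and a privileged insider who adds accounts, clears logs or exfiltrates data, are exactly what internal network monitoring with a behavioral baseline is meant to surface. The following is an added illustration, not code from the article, FERC or NERC: a toy baseline detector that learns which internal host-to-host conversations are normal from a training window of flow records, then flags new conversations, outbound volume spikes and suspicious audit actions. Host names, ports, byte counts and audit events are all constructed sample data.

```python
"""Toy internal network security monitoring (INSM) baseline detector.
Added example; all flows, hosts and audit events below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since epoch (constructed)
    src: str         # internal source host
    dst: str         # destination host or address
    dport: int       # destination port
    bytes_out: int   # bytes sent from src to dst


@dataclass(frozen=True)
class AuditEvent:
    ts: int
    host: str
    user: str
    action: str      # e.g. "login", "add_account", "clear_log"


# Host-level actions the article singles out for privileged insiders.
SUSPICIOUS_ACTIONS = {"add_account", "clear_log"}


class Baseline:
    """Learn the set of observed (src, dst, dport) conversations and the
    per-source outbound volume distribution from a training window."""

    def __init__(self, flows):
        self.known = set()
        per_src = defaultdict(list)
        for f in flows:
            self.known.add((f.src, f.dst, f.dport))
            per_src[f.src].append(f.bytes_out)
        self.stats = {s: (mean(v), pstdev(v)) for s, v in per_src.items()}

    def score_flow(self, f, z_threshold=3.0):
        """Return human-readable findings for one observed flow."""
        findings = []
        # A host that never talked to this peer/port before (e.g. an update
        # server suddenly reaching a controller) is the "abnormal behavior"
        # a perimeter-only design would miss.
        if (f.src, f.dst, f.dport) not in self.known:
            findings.append(f"new conversation {f.src}->{f.dst}:{f.dport}")
        if f.src in self.stats:
            mu, sigma = self.stats[f.src]
            # Zero-variance baselines cannot produce a z-score; fall back to
            # a simple ratio test so a flat baseline still catches a spike.
            if sigma > 0:
                spike = (f.bytes_out - mu) / sigma > z_threshold
            else:
                spike = f.bytes_out > 2 * mu
            if spike:
                findings.append(
                    f"outbound volume spike from {f.src}: {f.bytes_out} B "
                    f"(baseline mean {mu:.0f} B)")
        return findings


def score_event(e):
    """Flag privileged host actions regardless of who performed them."""
    if e.action in SUSPICIOUS_ACTIONS:
        return [f"privileged action '{e.action}' by {e.user} on {e.host}"]
    return []


def analyze(training, flows, events):
    """Build the baseline from `training`, then score new flows and events."""
    baseline = Baseline(training)
    findings = []
    for f in flows:
        findings.extend(baseline.score_flow(f))
    for e in events:
        findings.extend(score_event(e))
    return findings


# Constructed training window: an HMI polling a PLC, a historian writing to
# a database, and an update server pushing to the HMI.
TRAINING = [
    Flow(1000, "hmi01", "plc01", 502, 1000),
    Flow(1060, "hmi01", "plc01", 502, 1200),
    Flow(1120, "hmi01", "plc01", 502, 1100),
    Flow(1180, "hmi01", "plc01", 502, 1300),
    Flow(1240, "hmi01", "plc01", 502, 1400),
    Flow(1010, "hist01", "db01", 5432, 5000),
    Flow(1070, "hist01", "db01", 5432, 5200),
    Flow(1130, "hist01", "db01", 5432, 4800),
    Flow(1020, "upd01", "hmi01", 8443, 20000),
    Flow(1080, "upd01", "hmi01", 8443, 21000),
]

# Constructed observation window after a hypothetical "trusted" update.
OBSERVED = [
    Flow(2000, "hmi01", "plc01", 502, 1250),           # normal polling
    Flow(2010, "upd01", "plc01", 502, 20400),          # update server -> PLC
    Flow(2020, "hist01", "203.0.113.7", 443, 900000),  # bulk outbound transfer
]

EVENTS = [
    AuditEvent(2005, "hmi01", "svc_ops", "login"),
    AuditEvent(2030, "hist01", "svc_ops", "add_account"),
    AuditEvent(2035, "hist01", "svc_ops", "clear_log"),
]

if __name__ == "__main__":
    for line in analyze(TRAINING, OBSERVED, EVENTS):
        print(line)
```

The normal HMI-to-PLC poll produces nothing, the update server's first-ever connection to the controller is flagged purely as a new conversation, and the historian's transfer to an outside address is flagged both as new and as a volume spike. The two audit events match the insider actions the article quotes. A real deployment would key the baseline on far more than a (source, destination, port) triple and would tune thresholds per asset class, but the structure, learn what is normal inside the perimeter and alert on deviation, is the one the proposed standard is asking for.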
The federal government is increasingly focusing on improving the security of bulk electric systems, which are interconnected electrical power transmission networks that operate above a defined voltage threshold. In 2020, an executive order from the Trump administration designated the targeting and exploitation of cybersecurity vulnerabilities in the bulk power system as a national emergency and imposed new restrictions on the purchase and use of certain foreign-made parts in BES systems. That order defined such systems as all installations and transmission lines operating at 69,000 volts or more.
Padraic O’Reilly, co-founder of CyberSaint, a managed security provider, told SC Media that many high- and medium-impact BES entities already perform some form of internal network monitoring, but the FERC order can help drive further action or a change to more advanced systems.
“Of course, most BES operators have some sort of internal oversight, but formalizing it will provide a much-needed boost to overall industry maturity,” O’Reilly said.
It’s also part of a large-scale push the Biden administration has made since taking office to improve visibility into threats to federal networks and devices. The White House has mandated that federal agencies move away from perimeter-based cybersecurity, identify all of their connected devices, improve logging practices, and implement endpoint detection and response technologies on individual devices.
Last week, the White House released a memo establishing the NSA as the “focal point” for visibility into cybersecurity threats that affect military and intelligence systems. The move gives the intelligence agency the authority to issue cybersecurity directives to other DOD agencies and components and requires those entities to send their logs, computer asset inventories, patch history, and other information to the NSA for centralized incident response to emerging cyber threats. On the federal civilian side, the Cybersecurity and Infrastructure Security Agency (CISA) is preparing to use new congressional authorities to conduct proactive threat hunting on other agencies’ networks.