The Dragos Blog

07.31.24 | 3 min read

Key Insights for NERC CIP-015 Compliance: Anomaly Detection vs. Detecting Anomalous Activity

In 2023, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability Corporation (NERC) to develop requirements within the Critical Infrastructure Protection (CIP) Reliability Standards for Internal Network Security Monitoring (INSM) of all high impact Bulk Electric System (BES) Cyber Systems and medium impact BES Cyber Systems with External Routable Connectivity (ERC).

The new standard will require applicable organizations to implement continuous monitoring of communications between networked devices within a trusted zone. With this level of east-west traffic monitoring in place, organizations would be better equipped to identify potential adversarial traffic, and therefore, able to detect threats earlier and mitigate them more quickly. The output of this directive has been codified in the proposed INSM standard, NERC CIP-015.


For a full breakdown of the proposed INSM standard, see the first blog in the Dragos INSM series: Prepare to Implement NERC CIP-015 Internal Network Security Monitoring (INSM) Requirements. In this next blog in the series, we focus on NERC CIP-015 R1.2, which covers detecting anomalous network activity, and on how the Dragos Platform is uniquely positioned to help organizations meet this requirement.

Anomaly Detection vs. Detecting Anomalous Activity

The CIP-015 standard will require applicable entities to implement one or more methods to detect anomalous network activity, using the network data feeds put in place under R1.1 to monitor network activity, including connections, devices, and network communications.

But what does “detecting anomalous network activity” mean?

Anomaly detection involves identifying patterns in network behavior that deviate from established norms. While essential for identifying such behavior, anomaly detection does not cover all anomalies. The challenge with relying solely on anomaly detection is its tendency to generate a high volume of false positives, potentially inundating organizations with alerts and giving adversaries room to evade detection within the noise.

The way the industry commonly defines anomaly detection often leaves out the specific, context-aware detection methods necessary for thorough security monitoring. To detect anomalous activity, organizations need comprehensive threat detection strategies that accurately identify actual threats and support action on them. This is how the Dragos Platform, an INSM system, stands apart from others in the industry.

Four Types of Threat Detection with the Dragos Platform

At Dragos, we use four types of threat detection to provide a comprehensive security solution for detecting and responding to potential adversarial activity. By integrating these four types, the Dragos Platform enhances your ability to meet NERC CIP-015 requirements. This comprehensive approach not only detects anomalous activity but also provides the context to evaluate each detection, which enables users to respond effectively, reduce unnecessary alerts, and improve threat detection accuracy.

Detection Type: Behavioral Detections
Defined: Codifies malicious adversary tradecraft for detection regardless of specific indicators such as malware, capability, or infrastructure. These relate to Tactics, Techniques, and Procedures (TTPs) identified with specific threat activity groups or toolsets. They can include atomic threat behaviors (singular detections) and composite threat behaviors (multiple detections happening together).
Value of Detection Type: Provides high confidence and immediate transparency for analysts to diagnose the alert against expected behavior. Enables automatic investigation and integrates easily into defensive playbooks.

Detection Type: Indicator Detections
Defined: Indicator detections match specific attributes or pieces of evidence that identify malicious activity, known as Indicators of Compromise (IOCs), based on previously observed threat data.
Value of Detection Type: Indicators can be searched easily for context to quickly identify known threat activity, and can be used to properly prioritize and respond to the activity observed.

Detection Type: Configuration Detections
Defined: The Dragos Platform builds a baseline of communications and devices within the environment. Configuration detections alert on deviations from a known architecture or changes to the established baseline.
Value of Detection Type: Given the frequency of configuration changes, this type is mostly leveraged by security personnel for threat hunting or forensic examination in conjunction with other detections.

Detection Type: Modeling Detections
Defined: One form of anomaly detection. Modeling detections detect threats by defining what is “normal” and measuring divergence from it.
Value of Detection Type: By detecting changes from the normal, it can surface malicious actions as well as abnormal behavior that points to misconfigurations or failing assets.
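As an added illustration (this is example code, not Dragos Platform code), the Python below applies the four detection types from the table to a handful of constructed east-west flow records from a substation-style network. The addresses, ports, flow sizes, the IOC address, the baseline inventory, and the two atomic behavior rules are all assumptions made for the example.

```python
"""Added example (not Dragos Platform code): the table's four detection types over constructed flows."""
from statistics import median

# Constructed flows: (src, dst, dst_port, bytes). Addresses, ports and sizes are assumed.
FLOWS = [
    ("10.10.1.5", "10.10.1.20", 502, 300),      # HMI -> RTU, Modbus/TCP, routine
    ("10.10.1.5", "10.10.1.20", 502, 320),
    ("10.10.1.5", "10.10.1.21", 502, 310),
    ("10.10.1.9", "10.10.1.20", 502, 290),      # engineering workstation, routine
    ("10.10.1.5", "10.10.1.20", 502, 45000),    # volume divergence from normal
    ("10.10.1.30", "10.10.1.20", 502, 300),     # host absent from the baseline
    ("10.10.1.30", "10.10.1.21", 20000, 300),   # same host, DNP3 to a second RTU
    ("10.10.1.30", "198.51.100.7", 443, 800),   # same host, contact with listed address
]
BASELINE_HOSTS = {"10.10.1.5", "10.10.1.9", "10.10.1.20", "10.10.1.21"}  # known architecture
IOC_ADDRESSES = {"198.51.100.7"}  # constructed indicator for the example, not a real IOC
ICS_PORTS = {502, 20000}          # Modbus/TCP and DNP3

def indicator_detections(flows):
    """Indicator detection: match flows against previously observed IOCs."""
    return [f for f in flows if f[0] in IOC_ADDRESSES or f[1] in IOC_ADDRESSES]

def configuration_detections(flows):
    """Configuration detection: any endpoint not in the established device baseline."""
    return [f for f in flows if not {f[0], f[1]} <= BASELINE_HOSTS]

def modeling_detections(flows, factor=10):
    """Modeling detection: 'normal' is the median flow size; flag large divergence."""
    normal = median(f[3] for f in flows)
    return [f for f in flows if f[3] > factor * normal]

def atomic_behaviors(flows):
    """Atomic behaviors per source host (constructed tradecraft rules, not Dragos content)."""
    ics_targets, found = {}, {}
    for src, dst, port, _ in flows:
        if port in ICS_PORTS:
            ics_targets.setdefault(src, set()).add(dst)
        elif dst not in BASELINE_HOSTS:
            found.setdefault(src, set()).add("non_ics_egress_to_unknown_host")
    for src, targets in ics_targets.items():
        if len(targets) >= 2:
            found.setdefault(src, set()).add("multi_device_ics_protocol_use")
    return found

def behavioral_detections(flows):
    """Composite behavior: both atomic behaviors seen from the same source host."""
    return sorted(src for src, seen in atomic_behaviors(flows).items() if len(seen) == 2)

def detect(flows):
    return {"behavioral": behavioral_detections(flows), "indicator": indicator_detections(flows),
            "configuration": configuration_detections(flows), "modeling": modeling_detections(flows)}
```

Note that the atomic rule on its own also fires for the legitimate HMI at 10.10.1.5, which is the false-positive problem the post describes for anomaly-only approaches; the composite behavioral detection fires only for 10.10.1.30, and the configuration and indicator detections supply the context an analyst needs to prioritize it.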

Start Planning Your NERC CIP-015 Compliance Today

Early adoption can provide significant financial benefits and bolster your organization’s security posture. Utilize the incentives provided by FERC Order No. 893 for Advanced Cybersecurity Technology to protect your systems against emerging threats. FERC defines an “Advanced Cybersecurity Technology” as any technology, operational capability, or service that enhances the security posture of public utilities by protecting against, responding to, or recovering from a “cybersecurity threat.”

Contact Dragos today to learn how we can help your organization plan for these upcoming regulations, implement these advanced detection methods, and strengthen your internal network security monitoring capabilities.
