On January 19, 2023, the Federal Energy Regulatory Commission (FERC) issued Order No. 887 directing the North American Electric Reliability Corporation (NERC) to develop requirements within the Critical Infrastructure Protection (CIP) Reliability Standards for Internal Network Security Monitoring (INSM) of all high impact Bulk Electric System (BES) Cyber Systems and medium impact BES Cyber Systems with External Routable Connectivity (ERC). In Order No. 887, FERC directed NERC to submit these revisions for approval within 15 months of the final rule’s effective date, i.e. July 9, 2024. On May 9, 2024, the NERC Board of Trustees adopted CIP-015-1 – Cyber Security – Internal Network Security Monitoring. Next, NERC will submit a Petition for Approval of Proposed Reliability Standard CIP-015-1, which must be submitted by July 9, 2024.
While the NERC CIP-015-1 INSM requirements have not been formally approved by FERC, Dragos has been actively working with customers on their plans to meet INSM requirements. Why? Because now is the time to start to plan to implement these requirements. This process can take considerable time and entities should consider taking advantage of incentives sooner than later.
This blog is the first of a series that explores the new NERC CIP-015-1 INSM requirements for the electric utilities industry, the benefits, the incentives available to organizations for early adoption, and how companies can prepare to effectively meet this new standard. It also covers how the Dragos Platform enables entities to meet INSM requirements with its advanced network monitoring capabilities – network security monitoring for OT environments is what the Dragos Platform was built to do.
What Are the NERC CIP-015 INSM Requirements?
The CIP-networked environment faces vulnerabilities from cyber attacks that circumvent traditional network perimeter-based security controls aimed at detecting the initial stages of an attack. Proposed Reliability Standard CIP-015-1 mandates network security monitoring within a CIP-networked environment for High and Medium impact BES Cyber Systems. More specifically, the INSM requirements will mandate network security monitoring within trusted zones, such as Electronic Security Perimeters (ESP), to effectively detect intrusions and malicious activity.
These requirements include:
Data Collection
R1. Each Responsible Entity shall implement one or more documented process(es) for internal network security monitoring of networks protected by the Responsible Entity’s Electronic Security Perimeter(s) of high impact BES Cyber Systems and medium impact BES Cyber Systems with External Routable Connectivity to provide methods for detecting and evaluating anomalous network activity. The documented process(es) shall include each of the following requirement parts:
- 1.1. Implement, using a risk-based rationale, network data feed(s) to monitor network activity; including connections, devices, and network communications.
- 1.2. Implement one or more method(s) to detect anomalous network activity using the network data feed(s) from Part 1.1.
- 1.3. Implement one or more method(s) to evaluate anomalous network activity detected in Part 1.2. to determine further action(s).
Data Retention
R2. Each Responsible Entity shall implement, except during CIP Exceptional Circumstances, one or more documented process(es) to retain internal network security monitoring data associated with network activity determined to be anomalous by the Responsible Entity at a minimum until the action is complete in support of Requirement R1, Part 1.3.
Note: The Responsible Entity is not required to retain internal network security monitoring data that is not relevant to anomalous network activity detected in Requirement R1, Part 1.2.
Data Protection
R3. Each Responsible Entity shall implement, except during CIP Exceptional Circumstances, one or more documented process(es) to protect internal network security monitoring data collected in support of Requirement R1 and data retained in support of Requirement R2 to mitigate the risks of unauthorized deletion or modification.
You can view the final draft of CIP-015-1 here.
Why Internal Network Security Monitoring Is Crucial
Recent threat intelligence data underscores the critical need for enhanced monitoring within internal networks. The Dragos 2023 OT Cybersecurity Year in Review highlights the capabilities of threat groups like ELECTRUM and CHERNOVITE that necessitate implementing robust internal network security monitoring measures.
- ELECTRUM deployed the CRASHOVERRIDE malware as part of a cyber attack against a Ukrainian electric entity in 2016. The malware targeted hundreds of systems, aiming to disable control and SCADA systems, and launched a denial-of-service (DoS) attack on protective relays, causing potentially dangerous conditions and disrupting power services for several hours.
- CHERNOVITE has been linked to developing the PIPEDREAM malware, specifically designed to target ICS environments. It targets specific Omron and Schneider Electric controllers, causing loss of view, control, and safety, and manipulates OPC-UA connections and targets Windows systems, making it capable of an end-to-end attack. PIPEDREAM is extensible enough to be used against multiple industrial sectors and represents the first cross-industry OT attack toolkit.
Given the rising threat, network security monitoring is vital for protecting the electric utilities. Soon, it will not just be important—it will be required, and rightly so.
Implementing methods to detect anomalies is core to the INSM requirement. This is crucial for tracking threat groups like ELECTRUM and CHERNOVITE by identifying unusual activities, enabling prompt and effective responses to potential threats. Baseline deviations, newness detections, and anomaly detections all play a role in spotting security threats.
The Dragos Platform takes these detections further with Indicators of Compromise (IOCs) derived from threat intelligence, behavioral detections analyzing network and user behavior, and composite detections that combine multiple methods for comprehensive security analysis. Stay tuned for the next blog in our series where we will dive into the Dragos Platform detection methods and their applications.
Consider Early Adopter Incentives Now
FERC issued Order No. 893 in 2023, which provides incentives to help utilities invest in advanced cybersecurity technology. Here’s the scoop.
Cybersecurity Regulatory Asset Incentive: Utilities can seek deferred cost recovery for new cybersecurity investments that are eligible for incentives. FERC specifically states, “that utilities seeking incentive-based rate treatment for cybersecurity investments made to comply with a Commission-approved cybersecurity-related CIP Reliability Standard before it becomes mandatory and enforceable for that utility will be permitted to seek incentive-based rate treatment for its cybersecurity expenses that began no earlier than three months before the date that the Commission’s approval of the Reliability Standard becomes effective.” This means utilities that start early can benefit from quicker financial returns.
This incentive is available until the utility’s next rate case. After that, cybersecurity investments can be included in the rate base, allowing for cost recovery through future rate cases.
NERC CIP-015-1 Implementation Timeline
To help organizations plan their compliance efforts, we’ve outlined the key milestones and deadlines for implementing CIP-015-1. The timeline below provides a clear view of the significant dates related to the adoption and enforcement of the INSM standards. Note that this timeline could change, but this is how it stands today.
| May 9, 2024 | NERC Board of Trustees adopted CIP-015-1 – Cyber Security – Internal Network Security Monitoring |
| Deadline: July 9, 2024 | NERC to submit a Petition for Approval of Proposed Reliability Standard CIP-015-1 |
| T₀ | FERC Order Approving Reliability Standard CIP-015-1 |
| T + 36 Months | CIP-015-1 goes into effect for all High and Medium impact BES Cyber Systems with ERC Control Centers (estimated to be October 2027 or January 2028) |
| T + 60 Months | CIP-015-1 goes into effect for all other Medium BES Cyber Systems with ERC |
Waiting should not be a strategy. Planning and implementation take time, and there are incentives available now for early adopters. By understanding these deadlines, utilities can better prepare for compliance and take advantage of these incentives to start seeing benefits sooner.
The Dragos Platform Enables Electric Utilities to Meet INSM Requirements
The Dragos Platform offers advanced network monitoring for NERC CIP environments, with non-evasive data collection for asset discovery, sophisticated anomaly detection (and beyond with composite detections, threat-driven IOCs, and behavioral detections), and robust analysis capabilities with case management, expert-authored playbooks for response, and comprehensive reporting capabilities.
Contact us today to learn how the Dragos Platform can help your organization plan for the new NERC CIP-015 requirements and, as a result, enhance your internal network security monitoring capabilities.
Request a Platform Demo
Related Posts
Dragos Platform Earns Highest Scores for Threat and Anomaly Detection, Vulnerability Management, and Product Security in New Forrester OT Security Wave
Implementing Zero Trust in Operational Technology (OT) Environments
Leveraging Insights from New Top Analyst Report for Your OT Environment
Ready to put your insights into action?
Take the next steps and contact our team today.