On January 19th, the FERC approved rules to improve the cybersecurity of the grid by issuing several directives to the North American Electric Reliability Corporation (NERC). Under the new rules, the NERC is required to develop and submit reliability standards for FERC approval that would require internal network security monitoring (INSM) for both medium-impact systems with high-speed internet connections and high-impact bulk electric system (BES) cyber systems with external routable connectivity.
Under the final rule, the FERC directs the NERC to do the following:
- study the feasibility of implementing INSM at bulk electric cyber systems that would not be addressed by the new or modified standard
- assess the risks posed by the lack of INSM
- evaluate all low-impact BES cyber systems (with and without external routable connectivity) and medium-impact BES cyber systems (without external routable connectivity) and submit its findings to the FERC
Although the NERC has flexibility in developing the new requirements, the FERC has expressed that the new standards should address entities’ need to develop baselines of network traffic inside their BES networked environments. The FERC asserts that the problem of unauthorized activity, connections, devices and software inside networked environments may be greatly mitigated by logging network traffic and maintaining logs.
The rule will be effective 60 days following publication in the Federal Register. The NERC has 12 months to submit its report on low-impact bulk electric cyber systems and medium-impact systems with no broadband access and 15 months to submit the new standards for FERC approval.