NERC’s Internal Network Security Monitoring (INSM) Standard: Why and Why Now?

NERC’s Internal Network Security Monitoring (INSM) Standard: Why and Why Now?

To reduce cybersecurity risks and exposure, NERC is in the process of developing a new standard requiring internal network security monitoring (INSM) within a trusted Critical Infrastructure Protection networked environment. The standard will apply to all high impact BES Cyber Systems with and without external routable connectivity and medium impact BES Cyber Systems with external routable connectivity. The standard could also include low impact BES Cyber Systems in the future.

According to the Federal Register, “INSM permits entities to monitor traffic once it is within a trusted zone, such as the Electronic Security Perimeter, to detect intrusions or malicious activity.” Given the increasingly sophisticated methods by which attackers gain access to critical systems, it is critical that entities move beyond protection of the electronic security perimeter and implement dynamic, continuous monitoring measures. NERC will revise a plan to include INSM into the existing CIP Reliability Standards for approval by July 9, 2024.

INSM technologies have multiple components and levels of sophistication, from asset inventory capacity to vulnerability management to threat detection and situational awareness. They offer a passive way to analyze network traffic and understand “baseline” network and process behaviors, built to dissect and deconflict industrial and proprietary protocols. INSM tools capture traffic from operational technology and industrial control system (ICS) components without embedded security features or controls. They can relay data from assets that do not support antivirus or agent-based security monitoring.

What’s Behind the Push for INSM Standards?

Three main drivers are relevant for the push to adopt INSM technologies: threat actors and criminal groups continue to thwart perimeter security defenses, supply chain risks and manipulation like the 2020 SolarWinds incident are one the rise, and the threat landscape continues to grow. Targeting of ICS in energy infrastructure is well documented, especially through joint sharing of intelligence and indicators of compromised released by the U.S. Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI).

In 2018 the DHS and FBI characterized cyber activity targeting the energy sector as “a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access [the actors] conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”

Since 2018, the threat landscape has only grown. Phishing campaigns and evasion techniques are more sophisticated, attacks have increased in frequency, and cyber threat actors are not the only concern for risk for owners and operators. Risks come from actors – external and internal – to include nation-state threat actors, criminal gangs, malicious insiders, suppliers, partners, and potentially customers. Structural equipment like legacy systems as well as IT equipment and software have created new business reliance on digital systems. Cyber incidents can be further exacerbated by natural disasters, physical and terrorist attacks, infrastructure disruption or degradation, and vice versa.

Meanwhile, utilities are regulated by law to limit the costs they pass to their customers to cover reasonable expenses as determined by regulators approving rate increases with transparent processes. Regulators must understand and articulate the nuances of continuous and dynamic cybersecurity needs amidst a sea of vendor products and philosophies. Yet despite increased focus on and desire for information sharing once a victim has experienced a cyberattack, there is no current law or mandate to continuously monitor for known exploitable vulnerabilities and threat actor activities, signatures, and TTPs.

The 4 I’s of Visibility

Without automated and real-time visibility, operators are left to manually gather available product vulnerability information and troubleshoot network security risks by reviewing static inventory lists and contemplating the MITRE ATT&CK Framework for ICS. They lack a way to detect network access and intruder probing and cannot identify any command-and-control capabilities an adversary might set up in their networks. They likely also miss accidental changes to networked assets, misconfiguration issues, outdated software and firmware, and have limited visibility for root cause analysis.

Today, monitoring solutions like Nozomi Networks incorporate intrusion detection for network security monitoring and both network and process anomaly detection, to identify known malicious threats on communications network andinvestigate assets for deeper pattern analysis and due diligence. This level of visibility provides both quality control and the ability to build custom alerts based on communications and process variables, to enhance security information, provide actionable intelligence, and enable risk reduction. These customizable alerts are based on the context of each network and process they are deployed in to help security analysts make faster, more informed decisions.

With the recent Cyber Incident Reporting for Critical Infrastructure (CIRCIA) law and the potential initialization of a Cyber Safety Review Board, incentives to leverage monitoring tools for proactive security has never been stronger. Security is a byproduct of operations, not the other way around. INSM tools can lead to the remediation of security events before it’s too late. Understanding and baselining both network communications and operational processes ensures visibility across:

  • Inventory: automate asset understanding of digital components, devices, and cyber-physical systems and infrastructure.
  • Integrity: of data at rest, in transit, in use, and in view of operators for security and purpose-built operations.
  • Impact: proactive assessments of risks, malfunction, and misconfiguration before an incident occurs.
  • Implementation: automate required mechanisms to capture interdependent data and communications once statically logged and reviewed.

Electric utilities have become increasingly aware of cybersecurity threats and the operational impacts they pose to their assets, operations, and grid reliability. The Nozomi Networks platform supports mandated NERC-CIP cybersecurity standards for operational technology (OT) and industrial control systems (ICS). The solution offers custom queries and assertions for monitoring and analyzing network traffic and reporting capabilities to demonstrate compliance.

For more information on how Nozomi Networks’ solution supports NERC CIP compliance requirements, read our mapping guide below.