Good morning, Chairman and Commissioners,
In 2020, an attack on the global supply chain of the SolarWinds Orion software – an intrusion campaign targeting the networks of public and private organizations around the world – demonstrated how an attacker can bypass all network perimeter-based security controls traditionally used to identify malicious activity and compromise the networks of public and private organizations.
SolarWinds is just one example of the types of attacks that can bypass network perimeter protections. To address the risk of such attacks, item E-1 is a draft final rule directing the North American Electric Reliability Corporation, or NERC, to develop and submit for Commission approval new or modified Critical Infrastructure Protection Reliability Standards that require internal network security monitoring for all high impact Bulk Electric System, BES, Cyber Systems and medium impact BES Cyber Systems with external routable connectivity, as defined in the Reliability Standards. While the draft final rule requires internal network security monitoring for all high impact BES Cyber Systems, it limits the directive for medium impact BES Cyber Systems based on the type of network connection, such as IP-based protocols. This connection allows the data captured through internal network security monitoring to flow to the cybersecurity professionals who use it to analyze and respond to attacks in real time.
Currently effective Reliability Standards focus on preventing unauthorized access and monitoring for communications at the perimeter of a network and not malicious movement within that network. If an attacker can circumvent or find a way through the perimeter, the attacker may move from device to device without detection and potentially establish command and control of the protected systems, including operational control over equipment used to operate the grid. Internal network security monitoring increases the chance of early detection of malicious activity, which in turn may allow for quicker mitigation and recovery from an attack.
Although this draft final rule focuses on the cyber systems posing the highest risk to the security of the Bulk-Power System from malicious activity, the draft final rule contemplates that extending internal network security monitoring to all medium impact BES Cyber Systems and at least a subset of low impact BES Cyber Systems in the future could be necessary to protect the security and reliability of the Bulk-Power System. Therefore, the draft final rule also directs NERC to conduct a study to guide future implementation of internal network security monitoring or other mitigation strategies for systems that would not otherwise be protected by the directives in the draft final rule.
This concludes our presentation. We are happy to take any questions you may have.