Operational Technology Cybersecurity Coalition’s Response to Docket No. RM22-3-000

Notice of Proposed Rulemaking on Internal Network Security Monitoring for High and Medium Impact Bulk Electric System Cyber Systems

FERC Office of Electric Reliability Team: The Operational Technology Cybersecurity Coalition (OT Coalition) appreciates the opportunity to submit comments to the teams from the Federal Energy Regulatory Commission (FERC) Office of Electric Reliability and the Department of Energy (DOE) in response to the Notice of Proposed Rulemaking (NOPR) under Docket Number RM22-3-000, Internal Network Security Monitoring (INSM) for High and Medium Impact Bulk Electric System (BES) Cyber Systems.1 The OT Coalition is a diverse group of leading industrial control system (ICS) and operational technology (OT) cybersecurity vendors, founded by Claroty, Forescout Technologies, Inc., Honeywell, Nozomi Networks, Tenable, and Tripwire. With decades of experience defending our country from cybersecurity threats, we have joined together to improve the cybersecurity of OT environments and consequently the nation’s critical infrastructure. We believe that the strongest, most effective approach to securing our collective defense is one that is open, vendor-neutral, and allows for diverse solutions and information sharing without compromising cybersecurity defenses. With the potential for the feedback submitted in response to this NOPR to inform both the decision-making process at FERC and the implementation process at the North American Electric Reliability Corporation (NERC), our response intends to give both organizations the information necessary to mitigate compliance costs without sacrificing the benefits of INSM-focused requirements within the broader Critical Infrastructure Protection (CIP) Reliability Standards. With that in mind, the OT Coalition recommends that any new or modified CIP Reliability Standards: (1) embrace vendor neutrality; (2) enhance the security of all systems; and (3) encourage automation. CIP Reliability Standards Must Embrace Vendor Neutrality CIP Reliability Standards focused on INSM must embrace vendor neutrality to reduce the technical friction and costs in time and money that would be associated with allowing non-interoperable approaches to INSM and mitigate the negative impact that proprietary approaches would have on collecting and managing the relevant data during an ongoing incident. As FERC and DOE are aware, data must be pulled and analyzed from multiple devices and applications to establish a baseline for network traffic. Many of the devices and applications in the grid today were either developed by competing manufacturers or, especially in the case of legacy infrastructure, designed with the presumption they would be deployed and remain air-gapped. Even those devices not designed with native IP-based components often end up being connected to other devices that are networked themselves. Further, the electric grid itself relies on several other sectors, including water and transportation, which can connect to or network with devices, software, or systems that are not otherwise present in the electric sector. Establishing continuous visibility within this disparate universe of components and applications and ensuring tools designed to monitor and react to traffic between them can do so in real-time is a requirement to secure High, Medium, and Low impact bulk electric systems (BES). Whether this is done through sensors at electronic access points (EAPs) or otherwise, the ability to quickly collect data, detect anomalies, analyze signals, and notify appropriate stakeholders will be hampered, and sometimes be impossible, if a vendor-specific platform, approach, or data format is permitted. Proprietary approaches to INSM will result in the sector suffering from silos or otherwise closed-wall environments, forcing asset owners and operators to settle among specific or sole solution providers. For less-resourced asset owners and operators, this approach is unsustainable. The artificially limited availability of solution providers will impact technology and workforce decisions as increasingly specialized tools and talents will be required, without alternatives. This will harm the ability to develop collective defense capabilities within the electric sector at large. Any INSM-related CIP Reliability Standards should explicitly embrace and support the concept of vendor neutrality to allow the sector to take advantage of the experiences and knowledge of all sector participants without limitation. CIP Reliability Standards Should Enhance the Security of All Systems INSM-related and perimeter monitoring requirements should eventually be extended to Low impact BES cyber systems, not just High and Medium impact ones, to allow for maximum visibility and increased resiliency while also encouraging the kind of economic scale necessary to minimize financial barriers for sector participants. To illustrate why, a few relevant examples include the following: NERC’s September 4, 2019 Lesson Learned document2 discusses a Denial-of-Service (DoS) event at a Low impact control center and multiple Low impact generation sites caused by the exploitation of a vendor’s firewall. NERC’s December 9, 2019 Supply Chain Risk Assessment3 noted that half of the Low impact locations of generation resources allowed third-party electronic access, which could be exploited to cause damaging effects beyond a local area. Search engines like Shodan4 can find and display internet-connected ICS devices and open ports that can be manipulated to allow unauthorized access.4 Threats to the reliability of the BES exist in all connected assets and systems regardless of their High, Medium, or Low impact designation. The majority of CIP standards are only mandated for High and Medium impact assets, but as NERC has recognized, “‘[e]ven in cases involving Low impact BES assets, an entity should strive for good cyber security policies and procedures by considering adopting security control for Low impact BES Cyber Assets above those required under the CIP Reliability Standards.”5 Moving to requiring better cybersecurity maturity for Low impact BES, rather than a suggestion of striving for such an improvement, is an important step towards achieving those transparency- and resiliency-related goals. As CIP-005-07, Requirement R1 outlines, BES cyber systems are to be segmented from other systems – and even from other BES – that have differing trust levels or requirements. This is done through EAPs in between each of the zones that are to be defined through an Electronic Security Perimeter (ESP) that also has the capability of detecting malicious inbound and outbound communications.6 With many of the OT environments designed with flat network topologies that generally, by their nature, lack defense in depth capabilities, there is an increased risk of suffering from a cyber incident due to the integration of a component or piece of software that was not initially required to be included within the INSM capabilities. Similarly, failure to collate and include data collected from these systems that are not being monitored can harm the ability to analyze all-source intelligence to the degree necessary to determine the true scope or gravity of the threat related to an incident. Extending the concept of ESPs and segmentation to include separating those assets that are covered by INSM capabilities and those that are not, with zone-specific policies throughout, will encourage consistent application of security requirements throughout the sector. This is one of several important steps that can be taken to improve sector cybersecurity maturity, as using virtual zoning will permit an owner or operator from having to reengineer platforms and move or replace assets. With new vulnerabilities being discovered regularly, failure to account for a Low impact system being used as a lateral attack vector is inexcusable. Many of these Low impact systems are integrated in such a way that, while they weren’t intended to be exposed to the same risks as High and Medium impact ones, they will be because of the continued convergence of IT/OT environments. However, with a risk-based approach in mind, the application of requirements associated with INSM and ESP to Low impact BES should be phased in (e.g., over five years, moving from larger to increasingly smaller entities over time) and account for mitigations that can be implemented from now, such as microsegmentation. Any INSM-related CIP Reliability Standards should focus on enhancing the security of the entire grid and apply to all BES cyber systems to provide relevant parties with complete visibility into one of the most targeted sectors out of the sixteen critical ones. CIP Reliability Standards Must Encourage Automation The architecture associated with implementing INSM in BES cyber systems should, to the extent possible, take advantage and encourage the adoption of automation throughout the process, permitting the use of up-to-date information and standards formats for sharing intelligence across sector participants. The increasing attack surface of electric sector participants, by its nature, threatens BES cyber systems connected to or otherwise remotely accessible from targeted networks. With unique circumstances present in the electric sector due to its reliance on physical and cyber infrastructure, organizational and technological complexity can quickly reach a level where even the largest asset owners and operators will struggle to manage a manual process. This can result in smaller or less-resourced participants choosing to either settle for a cybersecurity provider that makes unrealistic promises or recommends the cheapest path to compliance or ultimately work to qualify for an exemption. Through standardization, consistency in and automation of compliance-related actions can be supported and scaled effectively. As INSM-related requirements are standardized across High, Medium and, if extended, Low impact BES cyber systems, aspects of an INSM-based security policy can be prioritized for automation within an individual entity or a collective of entities, such as those serving rural or remote communities. Automation permitted through this form of standardization will also encourage vendor neutrality, which will be necessary to develop solutions that will be affordable while maintaining a degree of modularity and permitting owners and operators to shift solutions when desired or necessary. It will also facilitate implementing emerging but necessary cybersecurity technologies, such as those that take advantage of artificial intelligence and machine learning. Any INSM-related CIP Reliability Standards should ensure they can be optimized to encourage automation to provide, among other benefits, improved information collection and sharing across the sector as a whole. *** Again, the OT Coalition thanks FERC, DOE, and NERC for the opportunity to provide feedback that should inform the important work your organizations are undertaking to protect our nation’s entire electric grid, not just BES cyber systems. We welcome questions on our feedback and look forward to continuing to be a part of this discussion as it develops. https://elibrary.ferc.gov/eLibrary/filelist?accession_num=20220328-5206

Sincerely, Andrew Howell Executive Director, Operational Technology Cybersecurity Coalition ahowell@otcybercoalition.org