Powering Up: The Bold Future of Cybersecurity Regulations for Utilities
According to recent news, many utility companies are looking to invest in new technologies over the next few years. A report from S&P Global found that projected capital expenditures for 45 US-based energy utility companies would exceed $182 billion, nearly ten percent more than the $166 billion those companies actually spent in 2023. The report identifies the following planned infrastructure investments:
- Updating transmission and distribution systems
- Building new natural gas, solar, and wind generation
- Implementing new technologies, including smart technology and cybersecurity tools
This last investment is supported by the Department of Energy’s (DOE) announcement that it opened applications for its Operational Technology Defender Fellowship 2025 Cohort. Although limited to only 15 participants, the Fellowship focuses on building a network of cyber defenders to mitigate the risks that cyberattacks pose to physical infrastructure.
As companies within the utilities vertical plan their 2025 investments, understanding the current regulatory landscape and the potential future of regulatory compliance can help them make informed purchasing decisions.
The Current Regulatory Landscape
As a critical infrastructure sector, the utility industry already manages cybersecurity compliance obligations.
FERC and NIST
Under the Energy Policy Act of 2005, the Federal Energy Regulatory Commission (FERC) has the authority to oversee the power grid’s reliability, including the power to approve mandatory cybersecurity reliability standards. In response to the increased use of smart technologies across the energy sector, the Energy Independence and Security Act of 2007 (EISA) assigned FERC and the National Institute of Standards and Technology (NIST) the responsibility for coordinating the development and adoption of smart grid guidelines and standards.
NERC CIP
FERC certified the North American Electric Reliability Corporation (NERC) as the Electric Reliability Organization responsible for developing Critical Infrastructure Protection (CIP) cybersecurity reliability standards. Since 2008, NERC has published fourteen standards that are currently subject to enforcement.
Looking Ahead to 2025
As utility companies increasingly adopt Industrial Internet of Things (IIoT) devices and other smart technologies, FERC, NIST, and NERC have all set the slow gears of bureaucracy in motion to publish additional requirements and updates to their current standards.
The Future of FERC
In April 2023, FERC issued an order providing incentive-based rate treatment to encourage utilities to invest in Advanced Cybersecurity Technology and threat information sharing programs.
FERC references the definition of Advanced Cybersecurity Technology listed in 18 CFR § 35.48(b):
any technology, operational capability, or service, including computer hardware, software, or a related asset, that enhances the security posture of public utilities through improvements in the ability to protect against, detect, respond to, or recover from a cybersecurity threat (as defined in section 102 of the Cybersecurity Act of 2015)
Within the published Final Rule, FERC notes that a covered cybersecurity investment must satisfy the following two eligibility criteria:
- Materially improve cybersecurity or participation in a threat information-sharing program
- Not already be mandated by the CIP Reliability Standards or otherwise mandated by local, state, or federal law
In essence, this FERC incentive seeks to help public and non-public utility companies purchase technologies that respond to new, evolving security threats.
Of specific note, in January 2023 FERC released Order No. 887, a final rule titled Internal Network Security Monitoring for High and Medium Impact Bulk Electric System Cyber Systems. In this rule, FERC directed NERC to develop and submit a new or modified reliability standard for internal network security monitoring. The rule identified three security objectives for responsible entities:
- Developing baselines for network traffic inside the CIP-networked environment
- Monitoring for and detection of unauthorized activity, connections, devices, and software inside the CIP-networked environment
- Identifying anomalous activity to a high level of confidence by logging network traffic (noting that packet capture is one way to accomplish this), maintaining logs and other data about network traffic, and minimizing an attacker’s ability to remove evidence of tactics, techniques, and procedures from compromised devices
The NERC Response
Currently, nearly all the NERC CIP standards have updates that are either listed as “Filed And Pending Regulatory Approval” or “Subject To Future Enforcement.” However, NERC has published the draft of a new standard, CIP-015-1 Cyber Security – Internal Network Security Monitoring, that is currently listed as “Pending Regulatory Filing.”
This new CIP contains the following new requirements:
- Requirement 1: Implement documented processes for internal network security monitoring
- Requirement 2: Implement, except during CIP Exceptional Circumstances, documented processes for retaining data used to detect anomalous network activity
- Requirement 3: Implement, except during CIP Exceptional Circumstances, documented processes to protect data collected under Requirement 1 and retained under Requirement 2 to mitigate the risk of unauthorized deletion or modification
Listed Measures for Compliance
Under each requirement, the draft rule suggests measures for achieving compliance.
Requirement 1
1.1. Implement, using a risk-based rationale, network data feed(s) to monitor network activity, including connections, devices, and network communications.
To meet this requirement, organizations need to, at minimum:
- Provide network documentation detailing the risk-based rationale for how data feeds were selected for data collection
1.2. Implement one or more method(s) to detect anomalous network activity using the network data feed(s) from Part 1.1.
To meet this requirement, organizations need to, at minimum, document:
- Anomalous network detection events
- Configurations for internal network security monitoring systems
- Network communication baselines used for detecting anomalous network activity
- Other methods used to detect anomalous network activity
1.3. Implement one or more method(s) to evaluate anomalous network activity detected in Part 1.2 to determine further action(s).
To meet this requirement, organizations need to, at minimum, document:
- Methods used to evaluate anomalous activity
- Actions in response to detected anomalies
- Escalation processes that could include CIP-008 Cyber Security Incident Response Plan
Requirement 2
Examples of evidence used to prove compliance with this requirement include documentation of:
- Internal network security monitoring data retention processes
- System configurations
- System-generated reports showing data retention with appropriate timelines
Requirement 3
Examples of evidence used to prove compliance with this requirement include documentation demonstrating how internal network security monitoring data is protected from unauthorized deletion or modification risks.
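As an added illustration (not code from the page, from the draft standard, or from Asimily), the following Python sketches the three requirements together: a communication baseline built from constructed flow records (Part 1.1), detection of flows that fall outside it with a reason attached (Part 1.2), and a keyed hash chain over the retained detection records so that deletion or modification of retained data is detectable (Requirement 3). The addresses, ports and key are constructed placeholders.

```python
import hashlib, hmac, json

# Constructed flow records, not from the page: (src, dst, dst_port, proto).
BASELINE_WINDOW = [
    ("10.10.1.5", "10.10.1.20", 502, "tcp"),   # HMI -> PLC (Modbus)
    ("10.10.1.5", "10.10.1.21", 502, "tcp"),
    ("10.10.1.30", "10.10.1.5", 443, "tcp"),   # historian -> HMI
]
OBSERVED_WINDOW = [
    ("10.10.1.5", "10.10.1.20", 502, "tcp"),   # matches the baseline
    ("10.10.1.99", "10.10.1.20", 502, "tcp"),  # device never seen before
    ("10.10.1.30", "10.10.1.21", 22, "tcp"),   # known devices, new service
]

def build_baseline(flows):
    """Baseline = set of observed flows plus the set of known devices (Part 1.1)."""
    devices = {f[0] for f in flows} | {f[1] for f in flows}
    return {"flows": set(flows), "devices": devices}
def detect_anomalies(baseline, flows):
    """Flag flows outside the baseline and classify why (Part 1.2)."""
    findings = []
    for f in flows:
        if f in baseline["flows"]:
            continue
        src, dst, _port, _proto = f
        known = src in baseline["devices"] and dst in baseline["devices"]
        findings.append({"flow": f, "reason": "new_connection" if known else "unknown_device"})
    return findings
def append_record(chain, record, key):
    """Retention log entry: HMAC over the record plus the previous entry's tag,
    so an edited or removed entry breaks verification of the chain (Requirement 3)."""
    prev = chain[-1]["tag"] if chain else "0" * 64
    body = json.dumps(record, sort_keys=True)
    tag = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
    chain.append({"prev": prev, "body": body, "tag": tag})
def verify_chain(chain, key):
    """Recompute from the genesis value; False on any gap, reorder or edit."""
    prev = "0" * 64
    for entry in chain:
        expected = hmac.new(key, (prev + entry["body"]).encode(), hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(entry["tag"], expected):
            return False
        prev = entry["tag"]
    return True
def run(key=b"constructed-retention-key"):
    chain = []
    for finding in detect_anomalies(build_baseline(BASELINE_WINDOW), OBSERVED_WINDOW):
        append_record(chain, finding, key)
    return chain
```

Truncating the tail of the chain is not caught by the chain alone; in practice the latest tag is also anchored somewhere the monitoring host cannot rewrite (for example, a write-once store or a separate log server).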
Asimily: Augmenting Traditional Network Security Tools to Monitor and Defend OT, IoT, and IIoT
Asimily was selected to participate in the second cohort of the Department of Energy’s Clean Energy Cybersecurity Accelerator (CECA). The CECA program evaluates solutions for identifying OT, IoT, and IT assets connected to utility infrastructures. With this participation, we contribute to raising the electric grid’s baseline security with our ability to support improved network security monitoring by identifying OT, IoT, and IIoT assets for protection against even the most advanced cyber threats.
By partnering with Asimily, energy and utility providers can protect their infrastructure from cyber threats and achieve compliance with NERC CIP’s upcoming internal network security monitoring standard. As a net new requirement, CIP-015-1 will require additional Advanced Cybersecurity Technology to assess, mitigate, detect, and respond to the new threats that these connected devices pose. Asimily’s platform covers the full range of CIP standards, including inventory, vulnerability handling, incident response, and disaster recovery planning.
Asimily’s inventory and vulnerability detection capabilities let you identify critical assets and resolve business-critical weaknesses across your entire attack surface. In the event of a cyberattack, the platform’s rapid response features capture packets to aid incident responders. With Asimily, security teams can keep a handle on their IoT attack surface and keep it as secure as possible.
Reduce Vulnerabilities 10x Faster with Half the Resources
Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.