In 2023, the Federal Energy Regulatory Commission (FERC) directed the North American Electric Reliability Corporation (NERC) to develop requirements within the Critical Infrastructure Protection (CIP) Reliability Standards for Internal Network Security Monitoring (INSM) of all high impact Bulk Electric System (BES) Cyber Systems and medium impact BES Cyber Systems with External Routable Connectivity (ERC).
The new standard will require applicable organizations to implement continuous monitoring of communications between networked devices within a trusted zone. With this level of east-west traffic monitoring in place, organizations would be better equipped to identify potential adversarial traffic, and therefore, able to detect threats earlier and mitigate them more quickly. The output of this directive has been codified in the proposed INSM standard, NERC CIP-015.
For a full breakdown of the proposed INSM standard, see the first blog in the Dragos INSM series: Prepare to Implement NERC CIP-015 Internal Network Security Monitoring (INSM) Requirements. In this next blog in the series, we focus on NERC CIP-015 R1.2, which covers detecting anomalous network activity, and on how the Dragos Platform is uniquely positioned to support organizations in meeting these requirements.
Anomaly Detection vs. Detecting Anomalous Activity
The CIP-015 standard will require applicable entities to implement one or more methods to detect anomalous network activity using the network data feeds put in place to monitor network activity, including connections, devices, and network communications, as defined in R1.1.
But what does “detecting anomalous network activity” mean?
Anomaly detection involves identifying patterns in network behavior that deviate from an established baseline. While essential for surfacing such behavior, anomaly detection on its own does not catch every anomaly that matters. The challenge with relying solely on anomaly detection is its tendency to generate a high volume of false positives, potentially inundating organizations with alerts and making it easier for adversaries to evade detection amid the noise.
The way the industry typically defines anomaly detection often leaves out the specific, context-aware detection methods necessary for thorough security monitoring. To detect anomalous activity, organizations need comprehensive threat detection strategies that accurately identify and act on actual threats. This is how the Dragos Platform, an INSM system, stands apart from others in the industry.
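To make the distinction concrete, here is an added example (not Dragos Platform code) that runs a pure baseline-deviation detector over constructed east-west flow records and then applies an assumed asset-role context to separate role-consistent new connections from deviations that genuinely conflict with what the assets should be doing. The flow tuples, addresses and role table are all constructed for illustration.

```python
"""Baseline-deviation detection over east-west flow records, followed by a
context-aware triage pass. All flows, addresses and roles are constructed."""
from collections import Counter

# Constructed flow records from one trusted zone, shaped like the R1.1
# data feed: (src, dst, dst_port, protocol). First set is the learning window.
BASELINE_FLOWS = [
    ("10.10.1.5", "10.10.1.20", 502, "modbus"),
    ("10.10.1.5", "10.10.1.21", 502, "modbus"),
    ("10.10.1.5", "10.10.1.20", 502, "modbus"),
    ("10.10.1.30", "10.10.1.20", 20000, "dnp3"),
]
NEW_FLOWS = [
    ("10.10.1.5", "10.10.1.20", 502, "modbus"),    # already in baseline
    ("10.10.1.40", "10.10.1.20", 445, "smb"),      # never seen, wrong protocol
    ("10.10.1.30", "10.10.1.21", 20000, "dnp3"),   # never seen, but role-consistent
]
# Assumed asset context: role and the protocols that role legitimately speaks.
ASSETS = {
    "10.10.1.5": ("hmi", {"modbus"}),
    "10.10.1.30": ("scada-master", {"dnp3"}),
    "10.10.1.20": ("plc", {"modbus", "dnp3"}),
    "10.10.1.21": ("plc", {"modbus", "dnp3"}),
    "10.10.1.40": ("eng-workstation", {"modbus"}),
}


def build_baseline(flows):
    """Learn which (src, dst, port, proto) tuples are normal and how often."""
    return Counter(flows)


def anomalous(flows, baseline):
    """Pure anomaly detection: every tuple absent from the baseline is an alert."""
    return [f for f in flows if f not in baseline]


def triage(alerts, assets):
    """Context-aware pass over the anomaly alerts.

    A new pair whose protocol is legitimate for both endpoint roles is
    demoted to low priority (expected drift); anything else stays high.
    Returns (high, low).
    """
    high, low = [], []
    for src, dst, port, proto in alerts:
        _, src_ok = assets.get(src, ("unknown", set()))
        _, dst_ok = assets.get(dst, ("unknown", set()))
        (low if proto in src_ok and proto in dst_ok else high).append(
            (src, dst, port, proto))
    return high, low
```

Running `triage(anomalous(NEW_FLOWS, build_baseline(BASELINE_FLOWS)), ASSETS)` leaves one high-priority alert (the SMB connection) and demotes the new DNP3 pair, which is the reduction in alert volume the context layer is meant to provide.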
Four Types of Threat Detection with the Dragos Platform
At Dragos, we utilize four types of threat detection to provide a comprehensive security solution for detecting and responding to potential adversarial activity. By integrating these four types of threat detection, the Dragos Platform enhances your ability to meet NERC CIP-015 requirements. This comprehensive approach not only detects anomalous activities but also provides the context needed to evaluate each detection, enabling users to respond effectively, reduce unnecessary alerts, and improve threat detection accuracy.
Start Planning Your NERC CIP-015 Compliance Today
Early adoption can provide significant financial benefits and bolster your organization’s security posture. Utilize the incentives provided by FERC Order No. 893 for Advanced Cybersecurity Technology to protect your systems against emerging threats. FERC defines an “Advanced Cybersecurity Technology” as any technology, operational capability, or service that enhances the security posture of public utilities by protecting against, responding to, or recovering from a “cybersecurity threat.”
Contact Dragos today to learn how we can help your organization plan for these upcoming regulations, take the steps needed to implement these advanced detection methods, and strengthen your internal network security monitoring capabilities overall.
Watch Our Webinar
Learn more from our industry experts on the proposed NERC CIP-015 standard and the benefits of early planning and adoption.