
Internal Network Security Monitoring (INSM) for OT Environments

Internal Network Security Monitoring (INSM) is the practice, and the tooling, of collecting and analyzing traffic inside a network, not only at its perimeter, with the goal of identifying potential security incidents, risks, and vulnerabilities.

The Federal Energy Regulatory Commission (FERC) has directed the North American Electric Reliability Corporation (NERC) to develop new CIP standards requiring INSM for high-impact bulk electric system (BES) environments and for medium-impact BES environments with external routable connectivity.

While INSM is currently only a requirement for organizations under NERC’s jurisdiction, it serves a far greater purpose than simply checking off a compliance box. Network security monitoring is key to achieving a high level of visibility within operational technology (OT) environments, which in turn enables improvements in both cybersecurity and operations.

Network Monitoring vs. Network Security Monitoring

Those who are familiar with OT environments and managing operational technology understand that these systems were built to prioritize uptime, availability, and consistent system performance.

Typically, operations teams are already leveraging at least some degree of monitoring to ensure that everything is functioning as intended. For example, many environments are laid out along the lines of the Purdue Model and actively verify that Level 0 field devices (sensors and actuators) are talking to their Level 1 controllers such as PLCs, and that those controllers are in turn talking to Level 2 supervisory systems such as HMIs.

This degree of monitoring, however, doesn’t satisfy network security monitoring requirements. Confirming that the expected Purdue-Model paths are up tells you that the process is running, not that only the expected parties are using those paths. INSM requires visibility into the east-west traffic inside the trusted zone, including devices at the edge of the network, a baseline of which devices normally communicate with which and over what protocols, and the ability to identify abnormal behavior or other indicators of an incident.

Staying Ahead of Internal Network Security Monitoring (INSM) Requirements

As of this writing, only entities registered with NERC that operate in-scope BES Cyber Systems, in practice electric utilities, will be required to implement INSM solutions in order to comply with FERC’s direction and the updated NERC CIP standards.

However, that doesn’t mean INSM requirement compliance should be put off for later by other organizations managing OT and industrial control systems (ICS). Taking steps toward implementing INSM is an opportunity to stay ahead of future compliance requirements while improving and maintaining organizational security and operational integrity.

Though the regulations themselves can be daunting and complex, any organization can begin to implement internal network security monitoring by starting with a small, easy-to-understand part of the environment, such as a single cell or process area. That exercise will give the team a good idea of what data is actually available at the operational edge (which hosts are present, which protocols they speak, and who talks to whom). That data can then be used to enrich any new or existing workflows the team has in place.

Visibility as the Foundation of all Monitoring

Effective internal network monitoring, whether specifically for security purposes, operations, or both, starts with visibility.

Knowing which devices are present in the environment, including those at its edge, which of them communicate with each other, and over which protocols and ports, establishes a baseline of normal activity. Once that baseline exists, any deviation from it (a new host, a new conversation between known hosts, or a known host using an unexpected protocol) can be detected and addressed.

Once your team starts to gather, aggregate, and analyze the data from your environment, risks and vulnerabilities become easier to identify.

The ability to contextualize data and act on it is where network monitoring becomes effective network security monitoring.

The effectiveness of data monitoring is further amplified when organizations leverage operator knowledge for better-informed intelligence and alerting.
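The following is an added example, not code from the original post or from any product, of the baseline-and-deviation approach described above together with the operator-context enrichment. It assumes that a passive sensor has already reduced captured traffic to flow records (source, destination, protocol, destination port); the addresses, asset roles, learning-window flows and the "engineering ports" policy are all constructed for illustration and stand in for a site's real inventory and conventions.

```python
"""Baseline east-west OT conversations and flag deviations, enriched with asset context.

Added example; all addresses, roles and flows below are constructed, not real site data.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Operator knowledge: what each host is. Hypothetical inventory for this example.
ASSETS = {
    "10.20.1.10": "HMI",
    "10.20.1.11": "EWS",        # engineering workstation
    "10.20.1.50": "HISTORIAN",
    "10.20.2.20": "PLC",
    "10.20.2.21": "PLC",
}

# Site policy (an assumption for this example): these destination ports are reserved
# for controller programming/configuration and should only be used by the EWS.
ENGINEERING_PORTS = {44818: "EtherNet/IP", 102: "S7comm"}

# Constructed learning-window flows representing normal traffic, repeated to stand
# in for many observations over a learning period.
LEARNING_FLOWS = [
    Flow("10.20.1.10", "10.20.2.20", "tcp", 502),    # HMI polls PLC over Modbus/TCP
    Flow("10.20.1.10", "10.20.2.21", "tcp", 502),
    Flow("10.20.1.50", "10.20.2.20", "tcp", 502),    # historian polls PLCs
    Flow("10.20.1.50", "10.20.2.21", "tcp", 502),
    Flow("10.20.1.11", "10.20.2.20", "tcp", 44818),  # EWS programs one PLC
] * 20


@dataclass
class Baseline:
    hosts: set
    conversations: Counter   # (src, dst, proto, dport) -> observation count


def build_baseline(flows):
    """Learn the set of known hosts and known conversation tuples from flow records."""
    hosts, convs = set(), Counter()
    for f in flows:
        hosts.update((f.src, f.dst))
        convs[(f.src, f.dst, f.proto, f.dport)] += 1
    return Baseline(hosts, convs)


def evaluate(flow, baseline, assets=ASSETS):
    """Return a list of findings for one observed flow (empty list means 'matches baseline')."""
    findings = []
    # Deviation 1: a host the learning window never saw.
    for host in (flow.src, flow.dst):
        if host not in baseline.hosts:
            findings.append(f"new host {host} ({assets.get(host, 'unknown asset')})")
    # Deviation 2: a conversation (pair + protocol + port) the learning window never saw.
    key = (flow.src, flow.dst, flow.proto, flow.dport)
    if key not in baseline.conversations:
        findings.append(f"new conversation {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
    # Contextual rule from operator knowledge: programming a PLC from anything but the EWS
    # is worth an alert even if the hosts themselves are known.
    if (assets.get(flow.dst) == "PLC"
            and flow.dport in ENGINEERING_PORTS
            and assets.get(flow.src) != "EWS"):
        findings.append(
            f"{ENGINEERING_PORTS[flow.dport]} to PLC {flow.dst} from "
            f"{assets.get(flow.src, 'unknown')} host {flow.src}"
        )
    return findings


def audit(flows, baseline, assets=ASSETS):
    """Evaluate a batch of observed flows; return only those that produced findings."""
    return {f: r for f in flows if (r := evaluate(f, baseline, assets))}


if __name__ == "__main__":
    bl = build_baseline(LEARNING_FLOWS)
    observed = [
        Flow("10.20.1.10", "10.20.2.20", "tcp", 502),    # normal HMI poll
        Flow("10.20.1.10", "10.20.2.20", "tcp", 44818),  # HMI suddenly using programming port
        Flow("10.20.9.99", "10.20.2.21", "tcp", 502),    # unknown host polling a PLC
    ]
    for flow, findings in audit(observed, bl).items():
        print(flow, "->", "; ".join(findings))
```

Note that the baseline itself is only as good as the learning window: if an attacker's conversation was already present while you learned, it becomes "normal". Reviewing the learned conversation list with the operators who know the process (which is the operator-knowledge point above) is how that residual risk gets caught.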