Internal Network Security Monitoring in OT

Internal Network Security Monitoring (INSM) for OT Environments

Internal Network Security Monitoring (INSM) is a process or solution that monitors activity on a network with the goal of identifying potential security incidents, risks, and vulnerabilities.

The Federal Energy Regulatory Commission (FERC) is in the process of implementing new NERC CIP standards requiring INSM in high and medium-impact bulk electric system (BES) environments.

While INSM is currently only a requirement for organizations under NERC’s jurisdiction, it goes beyond simply checking off a compliance box. Network security monitoring is key to better operational technology (OT) environment visibility, which enables both cybersecurity and operational improvements.

Network Monitoring vs. Network Security Monitoring

When it comes to OT environments and managing operational technology, those of us familiar with the space know that these systems were built with availability (uptime) and performance in mind.

There’s typically some degree of monitoring in place that allows operations teams to ensure that everything is functioning as intended. In the Purdue Model, for example, Level 0 devices communicate with Level 1 or Level 2 systems such as PLCs and HMIs.

But this type of monitoring isn’t enough to satisfy network security monitoring requirements. INSM requires visibility into the devices at the edge of your network and the ability to identify when something is behaving abnormally.

Staying Ahead of Internal Network Security Monitoring (INSM) Requirements

With new direction from FERC to update NERC CIP regulations by mandating INSM for high- and medium-impact BES, electric utilities are currently the only organizations that “have” to implement internal network security monitoring solutions.

This doesn’t mean that complying with INSM requirements is something other organizations managing OT and industrial control systems (ICS) should put off or deal with later. Taking steps toward implementing INSM is an opportunity to stay ahead of future compliance requirements while improving and maintaining your organization’s security and operational posture today.

The best way to implement effective security monitoring is to start with a small, easy-to-understand part of your environment. Going through that process will give you an idea of the data available at the edge and how it might enrich any new or existing workflows your team has in place.

Visibility as the Foundation of all Monitoring

Effective internal network monitoring, whether specifically for security purposes, operations, or both, starts with visibility. Knowing what devices are living at the edge and establishing a baseline for normal activity makes it easier to identify any deviations that need to be addressed.

Once your team starts to gather, aggregate, and analyze the data from your environment, it becomes easier to identify risks and vulnerabilities, along with any signs of potential compromise.

The ability to contextualize data and act on it is where network monitoring becomes effective network security monitoring. And it becomes even more effective when you start to leverage operator knowledge for better-informed intelligence and alerting.
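The baseline-and-deviation idea described in this section, as an added example that is not part of the original article: it builds an asset inventory and a set of known conversations from constructed OT flow records, then classifies anything outside that baseline as either an unknown device at the edge or a known device using a new path or protocol. The addresses, ports, protocol labels and operator-supplied asset names are constructed assumptions, not data from a real site.

```python
"""Added example (not from the original article): derive a baseline of
edge-network conversations from constructed OT flow records, then flag
deviations. All hosts, ports and labels below are constructed sample data."""

# Constructed flow records: (source, destination, destination port, protocol label)
BASELINE_FLOWS = [
    ("10.10.1.20", "10.10.2.5", 502, "modbus"),    # HMI -> PLC
    ("10.10.1.20", "10.10.2.6", 502, "modbus"),    # HMI -> PLC
    ("10.10.1.30", "10.10.2.5", 44818, "enip"),    # engineering workstation -> PLC
    ("10.10.1.30", "10.10.1.20", 3389, "rdp"),     # engineering workstation -> HMI
]

# Operator knowledge used to enrich alerts (constructed labels)
ASSET_LABELS = {
    "10.10.1.20": "HMI-01", "10.10.1.30": "ENG-WS-01",
    "10.10.2.5": "PLC-Pump-A", "10.10.2.6": "PLC-Pump-B",
}

def build_baseline(flows):
    """Return the set of known assets and the set of known conversations."""
    assets, conversations = set(), set()
    for src, dst, port, proto in flows:
        assets.update((src, dst))
        conversations.add((src, dst, port, proto))
    return assets, conversations

def find_deviations(flows, assets, conversations):
    """Classify each flow that is not in the baseline, in input order:
    - 'new_asset'        : an endpoint never seen before (unknown device at the edge)
    - 'new_conversation' : known endpoints talking over a new path, port or protocol"""
    findings = []
    for flow in flows:
        src, dst, _port, _proto = flow
        if flow in conversations:
            continue  # matches the established baseline, nothing to report
        category = "new_asset" if (src not in assets or dst not in assets) else "new_conversation"
        findings.append((category, flow))
    return findings

def describe(finding, labels=ASSET_LABELS):
    """Render a finding with operator-supplied names so the alert is actionable."""
    category, (src, dst, port, proto) = finding
    return f"{category}: {labels.get(src, src)} -> {labels.get(dst, dst)} {proto}/{port}"

# Constructed observation window: one normal flow and two deviations
OBSERVED_FLOWS = [
    ("10.10.1.20", "10.10.2.5", 502, "modbus"),    # normal HMI polling
    ("10.10.1.99", "10.10.2.5", 502, "modbus"),    # unknown host speaking Modbus to a PLC
    ("10.10.1.30", "10.10.2.6", 502, "modbus"),    # known workstation, new path to a PLC
]

if __name__ == "__main__":
    known_assets, known_convs = build_baseline(BASELINE_FLOWS)
    for finding in find_deviations(OBSERVED_FLOWS, known_assets, known_convs):
        print(describe(finding))
```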