BES Cyber Asset inventory, ESP visibility, and the internal network security monitoring FERC Order 887 now expects.
FERC Order 887 (Jan 2023) directs NERC to develop new reliability standards requiring internal network security monitoring within Electronic Security Perimeters at high- and medium-impact BES Cyber Systems. The standards (CIP-015) are in development; the audit expectation has already started shifting. The recurring asks across electric, gas, and energy utilities — public power, IOUs, electric cooperatives, municipal utilities, gas operators — converge on the same evidence: a current, complete inventory of every device within and adjacent to the ESP, and a way to detect when something connects that shouldn't.
What's regulated and who's asking
- NERC CIP-002 (Cyber System Categorization). Identify and categorize BES Cyber Systems by impact (low, medium, high). The categorization is built on the cyber-asset inventory.
- NERC CIP-005 (Electronic Security Perimeters). Document the ESP, identify Electronic Access Points (EAPs), monitor traffic across the EAP. A current inventory of what's inside the ESP is the prerequisite.
- NERC CIP-007 (Systems Security Management). Patch management, malicious code prevention, security event monitoring. Each is built on knowing what's there.
- NERC CIP-010 (Configuration Change Management). Baseline configurations and tracking of changes. The baseline is the inventory.
- FERC Order 887 / CIP-015 INSM. Internal network security monitoring inside the ESP. The standard requires visibility on east-west traffic and unauthorized connections inside the trust boundary.
- DOE C2M2 (Cybersecurity Capability Maturity Model). Asset, change, and configuration management domain. Inventory is the foundation.
- TSA Pipeline Security Directives. For utilities that operate gas pipelines or that have pipeline segments under TSA SD 02C (or successors), the critical cyber system inventory is the same line item.
- State PUC and SRMA oversight. Public Utility Commissions, DOE as Sector Risk Management Agency, and CISA all coordinate on cybersecurity for the energy sector.
- Industry coordination. E-ISAC, EEI for IOUs, APPA for public power, NRECA for rural electric cooperatives — each sets practice expectations through member sharing.
Why the inventory question is hard for an electric utility
- Substation networks are the largest blind spot. Relays, RTUs, IEDs (Intelligent Electronic Devices), HMIs, station controllers — each running its own firmware, often from different vendors, on networks that the control-room IT team doesn't touch directly.
- Vendor-supplied equipment changes labels. A protective relay shipped under one OEM's badge may have OEM-rebranded components from another vendor inside. Asset-register vendor fields are notoriously inconsistent.
- The ESP boundary is administrative, not always physical. What's inside the ESP is defined by policy; what physically connects to that segment changes when contractors and vendors are on site.
- Active scanning is forbidden. The 2003 Northeast blackout and subsequent incidents made aggressive scanning of BES Cyber Systems an absolute no.
- Public power and rural cooperatives run with small IT teams. A municipal electric utility serving 30,000 customers may have one IT staff person responsible for both corporate IT and substation networks.
How CybrIQ identifies devices in a utility environment
- Switch-side, read-only signals. Identification through managed switches via SNMP with read-only credentials. No active probes of relays, RTUs, or IEDs. No agents on station controllers.
- Energy-sector OT reference library. The Device DNA library identifies common substation device families — SEL relays, GE Multilin, ABB REF/REL, Siemens SIPROTEC, Schweitzer Engineering Laboratories products, Cooper, and the RTU families operating under DNP3/IEC 61850.
- ESP inventory feeding CIP-002. The categorization-ready inventory is the export.
- EAP-adjacent visibility. What sits inside the ESP and what sits at the EAP — including any maintenance laptop that connects.
- INSM alignment under FERC Order 887. CybrIQ's continuous device-identification output is the inventory side of INSM evidence. (CybrIQ does not replace traffic-side INSM tools; it complements them.)
- Air-gap and substation-isolated operation. Reference-library updates ship as signed offline packages where the substation network is genuinely disconnected from corporate IT.
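An added example, not CybrIQ's code: one way a switch-side, read-only inventory check can work, assuming the forwarding table was already collected by a read-only SNMP walk of BRIDGE-MIB `dot1dTpFdbPort`. The walk output, MAC addresses, port numbers, and approved inventory below are constructed.

```python
import re

# dot1dTpFdbPort (BRIDGE-MIB): the index is the MAC as six decimal octets,
# the value is the bridge port the address was learned on.
FDB_PORT_OID = ".1.3.6.1.2.1.17.4.3.1.2"
LINE_RE = re.compile(
    re.escape(FDB_PORT_OID) + r"\.((?:\d{1,3}\.){5}\d{1,3}) = INTEGER: (\d+)$"
)

# Constructed sample: numeric snmpwalk output from one ESP access switch.
SAMPLE_WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.0.48.167.1.2.3 = INTEGER: 5
.1.3.6.1.2.1.17.4.3.1.2.0.48.167.1.2.4 = INTEGER: 9
.1.3.6.1.2.1.17.4.3.1.2.160.54.159.170.187.204 = INTEGER: 12
"""

# Constructed approved inventory: MAC -> (asset name, documented port).
APPROVED = {
    "00:30:a7:01:02:03": ("relay-feeder-1", 5),
    "00:30:a7:01:02:04": ("relay-feeder-2", 6),
    "00:30:a7:01:02:05": ("rtu-station-a", 7),
}

def parse_fdb(walk_text):
    """Return {mac: port} from numeric snmpwalk output, skipping other lines."""
    table = {}
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        octets = [int(o) for o in m.group(1).split(".")]
        if any(o > 255 for o in octets):
            continue  # malformed index, not a MAC
        table[":".join(f"{o:02x}" for o in octets)] = int(m.group(2))
    return table

def diff_inventory(fdb, approved):
    """Classify what the switch sees against the approved list."""
    findings = {"unknown": [], "moved": [], "not_seen": []}
    for mac, port in sorted(fdb.items()):
        if mac not in approved:
            findings["unknown"].append((mac, port))
        elif approved[mac][1] != port:
            findings["moved"].append((mac, approved[mac][1], port))
    findings["not_seen"] = sorted(m for m in approved if m not in fdb)
    return findings

if __name__ == "__main__":
    for kind, items in diff_inventory(parse_fdb(SAMPLE_WALK), APPROVED).items():
        print(kind, items)
```

A quiet device ages out of the forwarding table, so `not_seen` is a prompt for follow-up rather than proof that an asset was removed.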
Reporting alignment
- CIP-002 BES Cyber Asset list. Current per-asset inventory with vendor, model, location, function.
- CIP-005 ESP documentation. Per-segment inventory aligned with the documented ESP.
- CIP-007 patch and malicious-code baselines. Inventory is the input to the patch-management cycle and the malicious-code monitoring scope.
- CIP-010 baseline configurations. Inventory deltas as evidence of configuration change.
- CIP-015 INSM (in development). The inventory side of internal network security monitoring.
- NERC audit deliverables. Signed exports with hash, dated to the audit window.
- DOE C2M2 maturity self-assessment. Evidence for the asset, change, and configuration management domain.
Volt Typhoon and edge-pre-position context
CISA's Volt Typhoon advisories specifically name US energy-sector edge devices as targeted for pre-positioning. The defensive shape that the advisory argues for is exactly the inventory the standards have been asking for: continuous identification of every connected device, against a reference library that can flag unknown or anomalous classes, on the network segments where edge devices sit.
The CybrIQ approach to the edge-pre-position threat: unauthorized-device or anomalous-class events surface within one polling interval (default 30 seconds), on the ESP-side and EAP-side networks where edge pre-positioning would land. See the threat model page for the full T7 walkthrough.
Schedule a utility briefing
30 minutes. We walk CybrIQ against your specific ESP topology, your CIP audit cycle, your INSM posture under Order 887, and your DOE C2M2 maturity targets. Public power, electric coop, IOU, or gas — the briefing is shaped to your sector.