22 September 2011
Protection of Critical Cyber Assets
[Federal Register Volume 76, Number 184 (Thursday, September 22, 2011)]
[Proposed Rules]
[Pages 58730-58741]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-24102]
[[Page 58730]]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
18 CFR Part 40
[Docket No. RM11-11-000]
Version 4 Critical Infrastructure Protection Reliability
Standards
AGENCY: Federal Energy Regulatory Commission.
ACTION: Notice of proposed rulemaking.
SUMMARY: Under section 215 of the Federal Power Act, the Federal Energy
Regulatory Commission (Commission) proposes to approve eight modified
Critical Infrastructure Protection (CIP) Reliability Standards, CIP-
002-4 through CIP-009-4, developed and submitted to the Commission for
approval by the North American Electric Reliability Corporation (NERC),
the Electric Reliability Organization certified by the Commission. In
general, the CIP Reliability Standards provide a cybersecurity
framework for the identification and protection of ``Critical Cyber
Assets'' to support the reliable operation of the Bulk-Power System.
Proposed Reliability Standard CIP-002-4 requires the identification and
documentation of Critical Cyber Assets associated with Critical Assets
that support the reliable operation of the Bulk-Power System. The
``Version 4'' CIP Reliability Standards propose to modify CIP-002-4 to
include ``bright line'' criteria for the identification of Critical
Assets. The proposed Version 4 CIP Reliability Standards would replace
the currently effective Version 3 CIP Reliability Standards. The
Commission also proposes to approve the related Violation Risk Factors
and Violation Severity Levels with modifications, the implementation
plan, and effective date proposed by NERC.
DATES: Comments are due November 21, 2011.
ADDRESSES: You may submit comments, identified by docket number and in
accordance with the requirements posted on the Commission's Web site
http://www.ferc.gov. Comments may be submitted by any of the following
methods:
Agency Web Site: Documents created electronically using
word processing software should be filed in native applications or
print-to-PDF format and not in a scanned format, at
http://www.ferc.gov/docs-filing/efiling.asp.
Mail/Hand Delivery: Commenters unable to file comments
electronically must mail or hand deliver an original copy of their
comments to: Federal Energy Regulatory Commission, Secretary of the
Commission, 888 First Street, NE., Washington, DC 20426. These
requirements can be found on the Commission's Web site, see, e.g., the
``Quick Reference Guide for Paper Submissions,'' available at
http://www.ferc.gov/docs-filing/efiling.asp or via phone from FERC Online
Support at 202-502-6652 or toll-free at 1-866-208-3676.
FOR FURTHER INFORMATION CONTACT:
Jan Bargen (Technical Information), Office of Electric Reliability,
Division of Logistics and Security, Federal Energy Regulatory
Commission, 888 First Street, NE., Washington, DC 20426, (202) 502-
6333.
Edward Franks (Technical Information), Office of Electric Reliability,
Division of Logistics and Security, Federal Energy Regulatory
Commission, 888 First Street, NE., Washington, DC 20426, (202) 502-
6311.
Kevin Ryan (Legal Information), Office of the General Counsel, Federal
Energy Regulatory Commission, 888 First Street, NE., Washington, DC
20426, (202) 502-6840.
Matthew Vlissides (Legal Information), Office of the General Counsel,
Federal Energy Regulatory Commission, 888 First Street, NE.,
Washington, DC 20426, (202) 502-8408.
SUPPLEMENTARY INFORMATION:
September 15, 2011.
1. Under section 215 of the Federal Power Act (FPA),\1\ the
Commission proposes to approve eight modified Critical Infrastructure
Protection (CIP) Reliability Standards, CIP-002-4 through CIP-009-4.
The proposed ``Version 4'' CIP Standards were developed and submitted
for approval to the Commission by the North American Electric
Reliability Corporation (NERC), which the Commission certified as the
Electric Reliability Organization (ERO) responsible for developing and
enforcing mandatory Reliability Standards.\2\ In general, the CIP
Reliability Standards provide a cybersecurity framework for the
identification and protection of ``Critical Cyber Assets'' to support
the reliable operation of the Bulk-Power System.\3\ In particular, the
Version 4 CIP Reliability Standards propose to modify CIP-002-4 to
include ``bright line'' criteria for the identification of Critical
Assets, in lieu of the currently-required risk-based assessment
methodology that is developed and applied by applicable entities. In
addition, NERC developed proposed conforming modifications to the
remaining cybersecurity Reliability Standards, CIP-003-4 through CIP-
009-4.
---------------------------------------------------------------------------
\1\ 16 U.S.C. 824o (2006).
\2\ North American Electric Reliability Corp., 116 FERC ¶
61,062, order on reh'g & compliance, 117 FERC ¶ 61,126 (2006), aff'd
sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
\3\ The NERC Glossary of Terms defines Critical Assets to mean
``Facilities, systems, and equipment which, if destroyed, degraded,
or otherwise rendered unavailable, would affect the reliability or
operability of the Bulk Electric System.''
---------------------------------------------------------------------------
2. The Commission proposes to approve Version 4, the Violation Risk
Factors (VRFs), the Violation Severity Levels (VSLs) with modifications,
the implementation plan, and effective date proposed by NERC. The
Commission also proposes to approve the retirement of the currently
effective Version 3 CIP Reliability Standards, CIP-002-3 to CIP-009-3.
The Commission seeks comments on these proposals to approve.
3. While we propose to approve the Version 4 CIP Standards, like
NERC, we recognize that the Version 4 CIP Standards represent an
``interim step'' \4\ to addressing all of the outstanding directives
set forth in Order No. 706.\5\ We believe that the electric industry,
through the NERC standards development process, should continue to
develop an approach to cybersecurity that is meaningful and
comprehensive to assure that the nation's electric grid is capable of
withstanding a Cybersecurity Incident.\6\ Below, we reiterate several
topics set forth in Order No. 706 that pertain to a tiered approach to
identifying Cyber Assets, protection from misuse, and a regional
perspective. We expect NERC will continue to improve the CIP Standards
to address these and other outstanding matters addressed in Order No.
706.
---------------------------------------------------------------------------
\4\ NERC Petition at 6.
\5\ Mandatory Reliability Standards for Critical Infrastructure
Protection, Order No. 706, 122 FERC ¶ 61,040, order on reh'g, Order
No. 706-A, 123 FERC ¶ 61,174 (2008), order on clarification, Order
No. 706-B, 126 FERC ¶ 61,229 (2009).
\6\ Section 215(a) of the FPA defines Cybersecurity Incident as
``a malicious act or suspicious event that disrupts, or was an
attempt to disrupt, the operation of those programmable electronic
devices and communication networks including hardware, software and
data that are essential to the reliable operation of the Bulk-Power
System.''
---------------------------------------------------------------------------
4. Moreover, as discussed below, the Commission seeks comments from
NERC and other interested persons on establishing a reasonable deadline
for NERC to satisfy the outstanding directives in Order No. 706
pertaining to the CIP Standards, using NERC's development timeline.
I. Background
A. Mandatory Reliability Standards
5. Section 215 of the FPA requires a Commission-certified ERO to
develop mandatory and enforceable Reliability Standards, which are
subject to Commission review and approval. Once approved, the
Reliability Standards may be enforced by the ERO, subject to Commission
oversight, or by the Commission independently.\7\
---------------------------------------------------------------------------
\7\ See 16 U.S.C. 824o(e).
---------------------------------------------------------------------------
6. Pursuant to section 215 of the FPA, the Commission established a
process to select and certify an ERO \8\ and, subsequently, certified
NERC as the ERO.\9\ On January 18, 2008, the Commission issued Order
No. 706 approving eight CIP Reliability Standards proposed by NERC.
---------------------------------------------------------------------------
\8\ Rules Concerning Certification of the Electric Reliability
Organization; and Procedures for the Establishment, Approval and
Enforcement of Electric Reliability Standards, Order No. 672, FERC
Stats. & Regs. ¶ 31,204, order on reh'g, Order No. 672-A, FERC
Stats. & Regs. ¶ 31,212 (2006).
\9\ North American Electric Reliability Corp., 116 FERC ¶
61,062, order on reh'g & compliance, 117 FERC ¶ 61,126 (2006), aff'd
sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
---------------------------------------------------------------------------
7. In addition, pursuant to section 215(d)(5) of the FPA,\10\ the
Commission directed NERC to develop modifications to the CIP
Reliability Standards to address various concerns discussed in the
Final Rule. In relevant part, the Commission directed the ERO to
address the following issues regarding CIP-002-1: (1) Need for ERO
guidance regarding the risk-based assessment methodology for
identifying Critical Assets; (2) scope of Critical Assets and Critical
Cyber Assets; (3) internal, management, approval of the risk-based
assessment; (4) external review of Critical Assets identification; and
(5) interdependency between Critical Assets of the Bulk-Power System
and other critical infrastructures. Subsequently, the Commission
approved Version 2 and Version 3 of the CIP Reliability Standards, each
version including changes responsive to some but not all of the
directives in Order No. 706.\11\
---------------------------------------------------------------------------
\10\ 16 U.S.C. 824o(d)(5).
\11\ North American Electric Reliability Corp., 128 FERC ¶
61,291 (2009), order denying reh'g and granting clarification, 129
FERC ¶ 61,236 (2009) (approving Version 2 of the CIP Reliability
Standards); North American Electric Reliability Corp., 130 FERC ¶
61,271 (2010) (approving Version 3 of the CIP Reliability
Standards).
---------------------------------------------------------------------------
B. Current Version 3 CIP Reliability Standards
8. Reliability Standard CIP-002-3 addresses the identification of
Critical Assets and associated Critical Cyber Assets. Pursuant to CIP-
002-3, a responsible entity must develop a risk-based assessment
methodology to identify its Critical Assets. Requirement R1 specifies
certain types of assets that an assessment must consider for Critical
Asset status and also allows the consideration of additional assets
that the responsible entity deems appropriate. Requirement R2 requires
the responsible entity to develop a list of Critical Assets based on an
annual application of the risk-based assessment methodology developed
pursuant to Requirement R1. Requirement R3 provides that the
responsible entity must use the list of Critical Assets to develop a
list of associated Critical Cyber Assets that are essential to the
operation of the Critical Assets.
9. In addition, the Commission approved the following ``Version 3''
CIP Standards:
CIP-003-3 (Security Management Controls);
CIP-004-3 (Personnel & Training);
CIP-005-3 (Electronic Security Perimeter(s));
CIP-006-3 (Physical Security of Critical Cyber Assets);
CIP-007-3 (Systems Security Management);
CIP-008-3 (Incident Reporting and Response Planning);
CIP-009-3 (Recovery Plans for Critical Cyber Assets).
II. Proposed Version 4 CIP Reliability Standards
A. NERC Petition
10. On February 10, 2011, NERC filed a petition seeking Commission
approval of proposed Reliability Standards CIP-002-4 to CIP-009-4 and
requesting the concurrent retirement of the currently effective Version
3 CIP Reliability Standards, CIP-002-3 to CIP-009-3.\12\ The principal
differences are found in CIP-002, where NERC replaced the risk-based
assessment methodology for identifying Critical Assets with 17 uniform
bright line criteria for identifying Critical Assets. NERC does not
propose any changes to the process of identifying the associated
Critical Cyber Assets that are then subject to the cyber security
protections required by CIP-003 through CIP-009. NERC also submitted
proposed VRFs and VSLs and an implementation plan governing the
transition to Version 4. NERC proposed that the Version 4 CIP
Reliability Standards become effective the first day of the eighth
calendar quarter after applicable regulatory approvals have been
received.
---------------------------------------------------------------------------
\12\ NERC Petition at 1. The proposed Reliability Standards are
not attached to the NOPR. They are, however, available on the
Commission's eLibrary document retrieval system in Docket No. RM11-
11-000 and are available on the ERO's Web site, http://www.nerc.com.
Reliability Standards approved by the Commission are
not codified in the CFR.
---------------------------------------------------------------------------
11. On April 12, 2011, NERC made an errata filing correcting
certain errors in the petition and furnishing corrected exhibits and
the standard drafting team minutes. In the errata, NERC also replaced
the VRFs and VSLs in the February 10 petition with new proposed VRFs
and VSLs.\13\
---------------------------------------------------------------------------
\13\ NERC states that the Version 4 VRFs and VSLs are carried
over in part from the VRFs and VSLs in the Version 3 CIP Reliability
Standards. NERC Petition at 46. The Commission approved the Version
2 and 3 VRFs and VSLs in Docket Nos. RD10-6-001 and RD09-7-003 on
January 20, 2011 but required NERC to make modifications in a
compliance filing due by March 21, 2011. North American Electric
Reliability Corporation, 134 FERC ¶ 61,045 (2011). The February 10
petition did not carry over the modified Version 3 VRFs and VSLs
since it was filed before the March 21 compliance filing. NERC
submitted new Version 4 VRFs and VSLs that carried over the modified
Version 3 VRFs and VSLs in the April 12 errata. On June 6, 2011,
NERC filed the March 21, 2011 compliance filing in the present
docket, Docket No. RM11-11-000.
---------------------------------------------------------------------------
12. In its Petition, NERC states that the Version 4 CIP Standards
satisfy the Commission's criteria, set forth in Order No. 672, for
determining whether a proposed Reliability Standard is just,
reasonable, not unduly discriminatory or preferential and in the public
interest.\14\ According to NERC, CIP-002-4 achieves a specified
reliability goal by requiring the identification and documentation of
Critical Cyber Assets associated with Critical Assets that support the
reliable operation of the Bulk-Power System. NERC opines that the
Reliability Standard ``improves reliability by establishing uniform
criteria across all Responsible Entities for the identification of
Critical Assets.'' \15\ Further, NERC states that CIP-002-4 contains a
technically sound method to achieve its reliability goal by requiring
the identification and documentation of Critical Assets through the
application of the criteria set forth in Attachment 1 of CIP-002-4.
---------------------------------------------------------------------------
\14\ Order No. 672, FERC Stats. & Regs. ¶ 31,204 at P 323-337.
\15\ NERC Petition at 4.
---------------------------------------------------------------------------
13. NERC states that CIP-002-4 establishes clear and uniform
criteria for identifying Critical Assets on the Bulk-Power System.\16\
NERC also states that CIP-002-4 does not reflect any differentiation in
requirements based on size of the responsible entity. NERC asserts that
CIP-002-4 will not have negative effects on competition or restriction
of the grid. NERC also contends that the two-year implementation period
for CIP-002-4 is reasonable given the time it will take responsible
entities to determine whether assets meet the criteria included in
Attachment 1 and to
implement the controls required in CIP-003-4 through CIP-009-4 for the
newly identified assets.
---------------------------------------------------------------------------
\16\ Id. at 38.
---------------------------------------------------------------------------
14. Finally, NERC acknowledges that CIP-002-4 addresses some, but
not all, of the Commission's directives in Order No. 706. NERC explains
that the standard drafting team limited the scope of requirements in
the development of CIP Version 4 ``as an interim step'' limited to the
concerns raised by the Commission regarding CIP-002.\17\ NERC states
that it has taken a ``phased'' approach to meeting the Commission's
directives from Order No. 706 and, according to NERC, the standard
drafting team continues to address the remaining Commission directives.
According to NERC, the team will build on the bright line approach of
CIP Version 4.\18\
---------------------------------------------------------------------------
\17\ NERC Petition at 6 (citing Order No. 706, 122 FERC ¶ 61,040
at P 236).
\18\ NERC Petition at 6.
---------------------------------------------------------------------------
B. Proposed Reliability Standard CIP-002-4
15. Proposed Reliability Standard CIP-002-4 contains 3
requirements. Requirement R1, which pertains to the identification of
Critical Assets, provides:
The Responsible Entity shall develop a list of its identified
Critical Assets determined through an annual application of the
criteria contained in CIP-002-4 Attachment 1--Critical Asset
Criteria. The Responsible Entity shall update this list as
necessary, and review it at least annually.
Attachment 1 provides seventeen criteria to be used by all responsible
entities for the identification of Critical Assets pursuant to
Requirement R1. The thresholds pertain to specific types of facilities
such as generating units, transmission lines and control centers. For
example, Criterion 1.1 provides ``[e]ach group of generating units
(including nuclear generation) at a single plant location with an
aggregate highest rated net Real Power capability of the preceding 12
months equal to or exceeding 1500 MW in a single Interconnection.''
With regard to transmission, Criterion 1.6 provides ``Transmission
Facilities operated at 500 kV or higher,'' and Criterion 1.7 provides
``Transmission Facilities operated at 300 kV or higher at stations or
substations interconnected at 300 kV or higher with three or more other
transmission stations or substations.''
16. Reliability Standard CIP-002-4, Requirement R2 requires
responsible entities to develop a list of Critical Cyber Assets
associated with the Critical Assets identified pursuant to Requirement
R1. As in previous versions, the Requirement further states that to
qualify as a Critical Cyber Asset, the Cyber Asset must: (1) Use a
routable protocol to communicate outside the Electronic Security
Perimeter; (2) use a routable protocol within a control center; or (3)
be dial-up accessible. In the proposed version, in the context of
generating units at a single plant location, the Requirement limits the
designation of Critical Cyber Assets only to Cyber Assets shared by a
combination of generating units whose compromise could within 15
minutes result in the loss of generation capability equal to or higher
than 1500 MW.
17. Requirement R3 requires that a senior manager or delegate for
each responsible entity approve annually the list of Critical Assets
and the list of Critical Cyber Assets, even if the lists contain no
elements. As mentioned above, proposed Reliability Standards CIP-003-4
to CIP-009-4 only reflect conforming changes to accord with the CIP-
002-4 Reliability Standard.
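The identification procedure in paragraphs 15 through 17 can be read as a rule set applied to an asset inventory: Requirement R1 classifies facilities against the Attachment 1 thresholds, and Requirement R2 then selects the Cyber Assets associated with those facilities by their connectivity. The following Python example is an added illustration, not NERC's or the Commission's code. It implements only the three Attachment 1 criteria the notice quotes (1.1, 1.6 and 1.7, out of seventeen), the three R2 connectivity tests, and the 1500 MW within 15 minutes limit for Cyber Assets shared by generating units. The record types, field names, helper functions and every name and figure in the sample inventory are constructed for the example.

```python
from dataclasses import dataclass

# Thresholds as quoted from CIP-002-4 Attachment 1 and Requirement R2 in the notice.
GENERATION_THRESHOLD_MW = 1500      # Criterion 1.1 aggregate, and the R2 generation limit
EHV_THRESHOLD_KV = 500              # Criterion 1.6
HV_THRESHOLD_KV = 300               # Criterion 1.7
HV_MIN_INTERCONNECTIONS = 3         # Criterion 1.7: three or more other stations


@dataclass(frozen=True)
class GeneratingPlant:
    """Group of generating units at one plant location (assumed: all in one Interconnection)."""
    name: str
    unit_net_mw: tuple[float, ...]   # highest rated net Real Power of each unit, preceding 12 months


@dataclass(frozen=True)
class TransmissionStation:
    name: str
    operating_kv: float
    other_stations_at_300kv_plus: int   # other stations interconnected at 300 kV or higher


@dataclass(frozen=True)
class CyberAsset:
    name: str
    critical_asset: str                    # name of the facility this Cyber Asset supports
    routable_outside_esp: bool             # R2 test (1)
    routable_within_control_center: bool   # R2 test (2)
    dial_up_accessible: bool               # R2 test (3)
    generation_lost_within_15_min_mw: float = 0.0   # only meaningful for plant-shared assets


def criteria_met(asset) -> list[str]:
    """Attachment 1 criteria (of the three implemented here) that the facility satisfies."""
    met = []
    if isinstance(asset, GeneratingPlant):
        if sum(asset.unit_net_mw) >= GENERATION_THRESHOLD_MW:
            met.append("1.1")
    elif isinstance(asset, TransmissionStation):
        if asset.operating_kv >= EHV_THRESHOLD_KV:
            met.append("1.6")
        if (asset.operating_kv >= HV_THRESHOLD_KV
                and asset.other_stations_at_300kv_plus >= HV_MIN_INTERCONNECTIONS):
            met.append("1.7")
    return met


def identify_critical_assets(assets) -> dict[str, list[str]]:
    """Requirement R1: the Critical Asset list, each entry with the criteria that placed it there."""
    return {a.name: crit for a in assets if (crit := criteria_met(a))}


def identify_critical_cyber_assets(cyber_assets, assets) -> dict[str, str]:
    """Requirement R2: Cyber Assets associated with a Critical Asset that pass a connectivity test."""
    critical = identify_critical_assets(assets)
    plants = {a.name for a in assets if isinstance(a, GeneratingPlant)}
    result = {}
    for ca in cyber_assets:
        if ca.critical_asset not in critical:
            continue   # its facility is not a Critical Asset under the bright line criteria
        if not (ca.routable_outside_esp or ca.routable_within_control_center or ca.dial_up_accessible):
            continue   # none of the three R2 connectivity conditions holds
        if ca.critical_asset in plants and ca.generation_lost_within_15_min_mw < GENERATION_THRESHOLD_MW:
            continue   # R2 generation limit: compromise must cost >= 1500 MW within 15 minutes
        result[ca.name] = ca.critical_asset
    return result


# Constructed sample inventory (hypothetical names and ratings).
SAMPLE_ASSETS = (
    GeneratingPlant("Plant A", (600.0, 600.0, 400.0)),   # 1600 MW aggregate: meets 1.1
    GeneratingPlant("Plant B", (700.0, 700.0)),          # 1400 MW: below the 1.1 threshold
    TransmissionStation("Station X", 500.0, 4),          # 500 kV and 4 neighbours: 1.6 and 1.7
    TransmissionStation("Station Y", 345.0, 3),          # 345 kV with 3 neighbours: 1.7 only
    TransmissionStation("Station Z", 345.0, 2),          # 345 kV with 2 neighbours: neither
    TransmissionStation("Station W", 230.0, 6),          # below 300 kV, so 1.7 does not apply
)
SAMPLE_CYBER_ASSETS = (
    CyberAsset("PlantA-DCS", "Plant A", True, False, False, 1600.0),      # shared by all units
    CyberAsset("PlantA-Unit3-PLC", "Plant A", False, False, True, 400.0), # dial-up, but only 400 MW
    CyberAsset("StationX-RTU", "Station X", True, False, False),
    CyberAsset("StationY-Relay", "Station Y", False, False, False),       # no qualifying connectivity
    CyberAsset("StationZ-RTU", "Station Z", True, False, False),          # Station Z is not critical
)

if __name__ == "__main__":
    for name, crit in identify_critical_assets(SAMPLE_ASSETS).items():
        print(f"Critical Asset: {name} (criteria {', '.join(crit)})")
    for name, facility in identify_critical_cyber_assets(SAMPLE_CYBER_ASSETS, SAMPLE_ASSETS).items():
        print(f"Critical Cyber Asset: {name} -> {facility}")
```

Two points the sample inventory makes explicit: Station Z and Station W show that an asset an entity might have chosen to protect under a Version 3 risk-based methodology falls outside these three criteria, which is the flexibility question the Commission raises later in the discussion, and PlantA-Unit3-PLC shows the R2 generation limit excluding a dial-up accessible Cyber Asset whose compromise would lose less than 1500 MW.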
C. Additional Information Regarding Attachment 1 Criteria
18. In response to a Commission data request, NERC provided
additional information regarding the bright line criteria for
identifying Critical Assets.\19\ NERC provided some information
regarding the development of the criteria. Further, based on an
industry survey, NERC provided information regarding the estimated
number of Critical Assets and the number of Critical Assets that have
associated Critical Cyber Assets located in the United States that
would be identified pursuant to CIP-002-4. For example, NERC indicates
that the Version 4 CIP Standards would result in the identification of
532 control centers as Critical Assets with Critical Cyber Assets, and
another 21 control centers as Critical Assets without any associated
Critical Cyber Assets.\20\ Further, 201 control centers would not be
identified as Critical Assets. With regard to Blackstart Resources,
NERC's survey results indicate that CIP-002-4 would result in the
identification of approximately 234 Blackstart Resources as Critical
Assets with associated Critical Cyber Assets, 273 identified as
Critical Assets without Critical Cyber Assets, and 35 Blackstart
Resources not classified as Critical Assets.\21\
---------------------------------------------------------------------------
\19\ See April 17, 2011 Commission staff data request issued in
Docket No. RM11-11-000. NERC responded to the data request in
staggered filings, on May 27, 2011 and June 30, 2011.
\20\ NERC June 30, 2011 Data Response at 2-3.
\21\ Id. at 3-4. In the June 30, 2011 Data Response, NERC stated
that with respect to Blackstart Resources some responsible entities
indicated that they had not performed a complete analysis of their
systems based on CIP-002-4 and are unsure whether some units may be
classified as Critical Assets. Id. at 4.
---------------------------------------------------------------------------
III. Discussion
19. Pursuant to FPA section 215(d)(2), the Commission proposes to
approve CIP-002-4 to CIP-009-4 as just, reasonable, not unduly
discriminatory or preferential, and in the public interest. The
Commission proposes to approve the VRFs and VSLs, implementation plan,
and effective date proposed by NERC. The Commission also proposes to
approve the retirement of the currently effective Version 3 CIP
Reliability Standards CIP-002-3 to CIP-009-3 upon the effective date of
CIP-002-4 to CIP-009-4. The Commission seeks comments on these
proposals.
20. Further, as discussed below, the Commission seeks comments from
NERC and other interested persons on the proposal to establish a
reasonable deadline for NERC to satisfy the outstanding directives in
Order No. 706. Specifically, as explained in detail later, the
Commission requests comments on: (1) The proposal to establish a
deadline using NERC's development timeline for the next version of the
CIP Reliability Standards; (2) how much time NERC needs to develop and
file the next version of the CIP Reliability Standards; (3) other
potential approaches to Critical Cyber Asset identification; and (4)
whether the next version is anticipated to satisfy all of the
directives in Order No. 706.
A. The Commission Proposes To Approve the Version 4 CIP Reliability
Standards
21. The Commission, in giving due weight to NERC's Filing, proposes
to approve the Version 4 CIP Reliability Standards. The Commission also
proposes to approve the implementation plan and effective date proposed
by NERC. Version 4 provides a change in three respects: (1) Version 4
will result in the identification of certain types of Critical Assets
that may not be identified under the current approach; (2) Version 4
uses bright line criteria to identify Critical Assets, eliminating the
use of existing entity-defined risk-based assessment methodologies that
generally do not adequately identify Critical Assets; and (3) Version 4
provides a level of consistency and clarity regarding the
identification of Critical Assets lacking under Version 3. We
separately address each of these reasons for proposing to approve
Version 4 below.
1. Critical Asset Identification
22. In its Petition, NERC indicates that, after conducting reviews
of CIP-002 compliance, NERC ``determined that the existing
methodologies generally do not adequately identify all Critical
Assets.'' \22\ While recognizing that CIP version 4 is intended as an
``interim step,'' it appears that the proposed bright line criteria
will result in the identification of certain types of Critical Assets
(e.g. 500 kV substations) that may not be identified by the approach
that is currently in effect. This is reflected in NERC's June 30, 2011
data response, in which NERC presented industry survey data reflecting
the application of the bright line criteria in Version 4. To facilitate
an analysis of the data, NERC also provided observations and data from
several of its earlier industry surveys, including the 2009 ``CIP Self-
Certification Survey'' and 2010 ``CIP-002 Critical Asset Methodology
Data Request.'' For example, NERC states in the June 30, 2011 data
response that in the 2009 survey only 50 percent of substations rated
300 kV and above are classified as Critical Assets while that figure
would increase to 70 percent under Version 4.\23\
---------------------------------------------------------------------------
\22\ NERC Petition at 11.
\23\ Id. at 4.
---------------------------------------------------------------------------
23. The NERC petition indicates that 270 transmission substations
rated 500 kV and above are classified as Critical Assets under Version
3 while, according to the data response, the figure would rise to 437
under Version 4.\24\ This increase is consistent with Criterion 1.6 of
Attachment 1 to CIP-002-4, which identifies all transmission
substations rated 500 kV as Critical Assets. According to the data
response, 25 percent of generation units rated 300 MVA and above
would be identified as Critical Assets under Version 4. Moreover, the
proportion of total Blackstart Resources classified as Critical Assets
increases due to the required 100 percent coverage of these under
Version 4.\25\ Further, the number of control centers identified as
Critical Assets increases from 425 under Version 3 to 553 under Version
4, the latter figure representing 74 percent of all control centers.
These figures represent increases in certain categories in Critical
Asset identification among generation, transmission, and control
centers. We also note that NERC's industry survey data indicates
decreases in the number of generation and blackstart resources
identified as Critical Assets with Critical Cyber Assets. While the
bright line thresholds result in the identification of a significant
number of additional generation plants rated above 1500 MVA as Critical
Assets, the thresholds also result in the identification of less
generation below 300 MVA.
---------------------------------------------------------------------------
\24\ Id. at 5.
\25\ NERC Petition at 17 (explaining that each Blackstart
Resource identified in a Transmission Operator's restoration plan is
a Critical Asset). In the June 30, 2011 Data Response, NERC's survey
found that responsible entities identified 93 percent of Blackstart
Resources as Critical Assets. NERC stated that confusion over the
term Blackstart Resource may have contributed to the lower
percentage, and that responsible entities will be educated on the
definition of Blackstart Resource prior to the effective date of
CIP-002-4. NERC June 30, 2011 Data Response at 4.
---------------------------------------------------------------------------
24. As NERC recognizes in its filing, the improvements in Critical
Asset identification under Version 4 represent an interim step in
complying with the directives in Order No. 706.\26\ As we discuss
below, Version 4 should not be viewed as an endpoint but as a step
towards eventual full compliance with Order No. 706.
2. Version 4 Removes Discretion in Identifying Critical Assets
25. The proposed Version 4 CIP Reliability Standards discard the
current risk-based methodology for identifying Critical Assets. Under
the current CIP-002-3, responsible entities are tasked with identifying
Critical Assets based on their own risk-based methodology. In the
Petition NERC points out that in Order No. 706 the Commission directed
NERC to ``provide reasonable technical support to assist entities in
determining whether their assets are critical to the Bulk-Power
System.'' \27\ NERC explains that it responded to the Commission's
direction by developing guidance documents to assist entities in
developing their risk-based methodologies and Critical Asset
identification.\28\
---------------------------------------------------------------------------
\27\ Id. at 10-11 (citing Order No. 706, 122 FERC ¶ 61,040 at P
255).
\28\ Id. at 11.
---------------------------------------------------------------------------
26. In its Petition, NERC states that it ``conducted various
reviews of risk-based methodologies developed by many entities of
varying sizes * * * and determined that the existing methodologies
generally do not adequately identify all Critical Assets.'' \29\ To
address this, NERC proposes to replace the current risk-based
methodology with uniform, bright line criteria, which will be used by
all responsible entities to identify Critical Assets.
---------------------------------------------------------------------------
\29\ Id.
---------------------------------------------------------------------------
27. While risk-based assessment methodologies have merit, we share
NERC's concerns about the existing application of the currently
effective CIP-002-3, Requirement 1. Thus, in this context, we believe
that a shift away from responsible entity-designed risk-based
methodologies for identifying Critical Assets, which NERC has found to
be inadequate, to the use of NERC-developed criteria is an improvement.
3. Version 4 Provides Consistency and Clarity in the Identification of
Critical Assets
28. In its June 30, 2011 data response, NERC states that the survey
results from 2009 generated concern ``about the apparent inconsistency
in the application of the standards across the system, as evidenced by
the apparent variation from region to region.'' \30\ NERC states that
it subsequently engaged with the Regional Entities and stakeholders to
better understand the data, with these efforts resulting in the
development of Version 4.
---------------------------------------------------------------------------
\30\ NERC June 30, 2011 Data Response at 3.
---------------------------------------------------------------------------
29. We believe that the application of uniform criteria is an
improvement over the current approach because they add greater
consistency and clarity in identifying Critical Assets. The risks posed
by cyber threats suggest a different approach than the possibly
inconsistent, inadequate methodologies for identifying Critical Assets,
as evidenced by NERC's conclusion that insufficient numbers of Critical
Assets were identified using the risk-based assessment methodology. As
an integrated system, the protection afforded for Critical Assets and
their Critical Cyber Assets is only as strong as its weakest link. In
this respect, allowing responsible entities to devise their own
methodologies for identifying Critical Assets, especially if these
methodologies prove to be weak, may compromise the Critical Assets and
Critical Cyber Assets of other responsible entities even if they have
adopted a more stringent methodology. The uniform system of Critical
Asset identification proposed by NERC in Version 4 helps to address
this weakness and places all responsible entities on an equal footing
with respect to Critical Asset identification.
30. In addition, clear, bright line criteria should make it easier
for Regional Entities, NERC and the Commission to monitor responsible
entities and evaluate how they are identifying Critical Assets. A
single set of bright line criteria, as opposed to
[[Page 58734]]
myriad entity-designed risk-based methodologies, should improve the CIP
compliance process.
31. However, under the currently-effective CIP-002-3, an entity
that applies its risk-based assessment methodology considers specific
types of assets identified in Requirement R1, as well as ``any
additional assets that support the operation of the Bulk Electric
System that the Responsible Entity deems appropriate to include in its
assessment.'' Thus, currently, a responsible entity has the flexibility
to consider any assets it deems appropriate. The Commission also notes
that there are assets currently identified as Critical Assets which
would no longer be identified as Critical Assets under the Proposed
Reliability Standard CIP-002-4 bright line criteria for Critical Asset
identification. The Commission seeks comment whether, under CIP Version
4, a responsible entity retains the flexibility to identify assets
that, although outside of the bright line criteria, are essential to
Bulk-Power System reliability. Further, we seek comment whether the ERO
and/or Regional Entities would have the ability, either in an event-
driven investigation or compliance audit, to identify specific assets
that fall outside the bright-line criteria yet are still essential to
Bulk-Power System reliability and should be subject prospectively to
compliance with the CIP Reliability Standards. If so, on what basis
should that decision be made?
32. In addition, the Commission is cognizant of one caution that
remains concerning a binary bright line protection philosophy, i.e., one
under which an asset either satisfies the threshold and is subject to
compliance or falls below the threshold and is not subject to compliance
(as opposed to a tiered approach to compliance as discussed below), in
terms of applying cybersecurity protections to Cyber Assets.
Specifically, bright line criteria that limit legally-mandated
cybersecurity protections to certain classes of Bulk-Power System
assets may indicate to an adversary the types of assets that fail to
meet the threshold and, therefore, are not subject to mandatory CIP
compliance. Therefore, the Commission encourages NERC to accelerate
development of the next version of the CIP Reliability Standards and to
address the concerns discussed herein in Section B.
4. Violation Risk Factors/Violation Severity Levels
33. NERC states that the proposed VRFs and VSLs are consistent with
those approved for the Version 3 CIP Reliability Standards.\31\ NERC
explains that each requirement in Version 4 is assigned a VRF and a set
of VSLs and that these elements support the determination of an initial
value range for the base penalty amount regarding violations of
requirements in Commission-approved Reliability Standards, as defined
in the ERO Sanction Guidelines.\32\
---------------------------------------------------------------------------
\31\ North American Electric Reliability Corp., 134 FERC ¶
61,045 (2011) (approving Version 2 and 3 CIP Reliability Standards
VRFs and VSLs but requiring modifications in a compliance filing).
\32\ NERC Petition at 37.
---------------------------------------------------------------------------
34. The principal changes in the proposed Version 4 VRFs and VSLs
relate to CIP-002-4. NERC proposes to carry forward the Version 3 VRFs
and VSLs for all other Requirements (in CIP-003-4 through CIP-009-4),
for which no substantive revisions are proposed. CIP-002-4 no longer
contains sub-Requirements and, instead, each of three main Requirements
has a single VRF and set of VSLs, consistent with the methodology
proposed by NERC and approved by the Commission.\33\ The VRF
designations for the three Requirements in CIP-002-4 are consistent
with those assigned to similar Requirements in previous versions of the
CIP Reliability Standards and satisfy our established guidelines.
Therefore, the Commission proposes to approve the Version 4 VRFs
proposed by NERC and incorporate appropriately the modifications
directed to prior versions.
---------------------------------------------------------------------------
\33\ North American Electric Reliability Corp., 135 FERC ¶
61,166, at 8 (2011).
---------------------------------------------------------------------------
35. With regard to the proposed Version 4 VSLs for CIP-002-4, we
are concerned that the VSLs for Requirement R1 and Requirement R2,
while carrying forward the wording from corresponding Version 3 VSLs,
do not adequately address the purpose of NERC's proposed bright line
criteria: To ensure accurate and complete identification of all
Critical Assets, so that all associated Critical Cyber Assets become
subject to the protections required by the CIP Standards.
36. More importantly, neither set of VSLs addresses the failure to
properly identify either Critical Assets or Critical Cyber Assets in
the first place. The failure to identify a Critical Asset, whether
inadvertently or through misapplication of the bright line criteria, is
paramount because if an Asset is not identified and included on the
Critical Asset list, its associated Cyber Assets will not be considered
under Requirement R2. Failure to identify those Cyber Assets as
Critical Cyber Assets under Requirement R2 then creates the ``weakest
link'' circumstance discussed in the Commission's order establishing
two CIP VSL Guidelines for analyzing the validity of VSLs pertaining to
cyber security.\34\
---------------------------------------------------------------------------
\34\ CIP VSL Guideline 1 states, ``Requirements where a single
lapse in protection can compromise computer network security, i.e.,
the ``weakest link'' characteristic, should apply binary rather than
gradated VSLs.''
---------------------------------------------------------------------------
37. Therefore, the Commission proposes to direct the ERO to modify
the VSLs for CIP-002-4, Requirements R1 and R2, to address a failure to
identify either Critical Assets or Critical Cyber Assets, as shown in
Appendix 1.\35\ The Commission proposes to approve the Version 4 VSLs
proposed by NERC, as modified, because they would then satisfy our
established guidelines, fully address the purpose of NERC's bright line
criteria, and incorporate appropriately the modifications directed to
prior versions.
---------------------------------------------------------------------------
\35\ NERC proposes to assign a Severe VSL for a violation of
Requirement R1 if a responsible entity does not develop a list of
its identified Critical Assets ``even if such list is null.'' NERC
does not propose to assign a VSL for a violation of Requirement R1
when a responsible entity fails to identify a Critical Asset that
falls within any of the Critical Asset Criteria in Attachment 1, or
fails to include an identified Critical Asset in its Critical Asset
list. NERC further proposes to assign a Severe VSL to a responsible
entity's violation of Requirement R2 only when it fails to include
in its list of Critical Cyber Assets a Critical Cyber Asset it has
identified. NERC does not propose to assign a VSL for a violation of
Requirement R2 resulting from a responsible entity's failure to
identify as a Critical Cyber Asset a Cyber Asset that qualifies as a
Critical Cyber Asset.
---------------------------------------------------------------------------
5. Implementation Plan and Effective Date
38. NERC proposes an effective date for full compliance with the
Version 4 CIP Standards of the first day of the eighth calendar quarter
after applicable regulatory approvals have been received. In addition,
NERC provides a detailed implementation plan for newly identified
Critical Assets and newly registered entities. NERC also presents a
number of scenarios intended to explain how CIP-002-4 will be
implemented. Depending on the situation, the implementation plan
establishes timelines and milestones for entities to reach full
compliance with CIP-002-4.
39. The Commission proposes to approve the effective date and
implementation plan for CIP-002-4. Under the scenarios presented by
NERC, we understand that entities with existing CIP compliance
implementation programs will effectively no longer use CIP-002-3 to
identify Critical Assets after approval of CIP-002-4 but rather will
apply the criteria in Attachment 1 of CIP-002-4. While some responsible
entities have already installed the necessary equipment and software to
address
[[Page 58735]]
cybersecurity, we recognize that other responsible entities may need to
purchase and install new equipment and software to achieve compliance
for assets that are brought within the scope of the protections under
the CIP-002-4 bright line criteria. Based on these considerations, the
Commission believes that the implementation plan proposed by NERC sets
reasonable deadlines for industry compliance.
B. Ongoing Development Efforts To Satisfy Directives Set Forth in Order
No. 706
40. As acknowledged by NERC, the proposed Version 4 CIP Reliability
Standards do not address all of the directives set forth in Order No.
706. Although the Commission proposes to approve CIP-002-4, we
highlight the need for NERC, working through the Reliability Standards
development process, to address all outstanding Order No. 706
directives as soon as possible.
41. Below, we discuss several directives in Order No. 706 that have
yet to be satisfied and propose to give guidance regarding the next
version of the CIP Reliability Standards, such as the need to address
the NIST framework, data network connectivity, the potential misuse of
control centers or control systems, and the adoption of a regional
perspective and oversight. Our guidance is intended to more fully
ensure that all Cyber Assets serving reliability functions of the Bulk-
Power System are within the scope of the CIP Reliability Standards. In
addition, as discussed below, we seek comments from NERC and other
interested persons on a proposal to establish a deadline for NERC to
submit modified CIP Reliability Standards that address the outstanding
directives set forth in Order No. 706, using NERC's development
timeline.
42. The stated purpose of Reliability Standard CIP-002 is the
accurate identification of Critical Cyber Assets. Both the currently-
effective and proposed CIP-002 Reliability Standards, along with
guidance NERC provided to industry,\36\ are structured in a staged
approach. First, an entity must identify Critical Assets. NERC defines
Critical Assets as ``facilities, systems, and equipment which, if
destroyed, degraded, or otherwise rendered unavailable, would affect
the reliability or operability of the Bulk Electric System.'' \37\
Second, based on the Critical Assets identified in the first step, an
entity must identify Cyber Assets supporting the Critical Assets. The
NERC Glossary defines Cyber Assets as ``programmable electronic devices
and communication networks including hardware, software, and data.''
\38\ Third, an entity should identify the Critical Cyber Assets by
determining, in accordance with the NERC Glossary, the ``Cyber Assets
essential to the reliable operation of the Critical Assets.'' \39\ In
Order No. 706, the Commission did not address whether or not the staged
approach outlined above was the only method for identifying Critical
Cyber Assets. Rather at that time, focus was placed on addressing
specific concerns with the first step--the identification of Critical
Assets. Recognizing CIP-002 as the cornerstone of the CIP Reliability
Standards,\40\ a failure to accurately identify Critical Assets could
greatly impact accurate Critical Cyber Asset identification and the
overall applicability of the protection measures afforded in CIP-003
through CIP-009.
---------------------------------------------------------------------------
\36\ North American Electric Reliability Corporation Security
Guideline for the Electric Sector: ``Identifying Critical Cyber
Assets'' Version 1.0, Effective June 17, 2010, at 4-5, and North
American Electric Reliability Corporation Security Guideline for the
Electric Sector: ``Identifying Critical Assets'' Version 1.0, Effective
September 17, 2009.
\37\ NERC Glossary of Terms at 11.
\38\ Id.
\39\ Id.
\40\ Order No. 706, 122 FERC ¶ 61,040 at P 234.
---------------------------------------------------------------------------
43. In light of recent cybersecurity vulnerabilities, threats and
attacks that have exploited the interconnectivity of cyber systems,\41\
the Commission seeks comments regarding the method of identification of
Critical Cyber Assets \42\ to ensure sufficiency and accuracy. The
Commission recognizes that control systems that support Bulk-Power
System reliability are ``only as secure as their weakest links,'' and
that a single vulnerability opens the computer network and all other
networks with which it is interconnected to potential malicious
activity.\43\ Accordingly, the Commission believes that any criteria
adopted for the purposes of identifying a Critical Cyber Asset under
CIP-002 should be based upon a Cyber Asset's connectivity and its
potential to compromise the reliable operation \44\ of the Bulk-Power
System, rather than focusing on the operation of any specific Critical
Asset(s). The Commission seeks comments on this approach.
---------------------------------------------------------------------------
\41\ These include the discovery of Stuxnet, Night Dragon and
RSA breaches from advanced persistent threats in July 2010, February
2011 and March 2011 respectively, where systems were compromised.
\42\ In Order No. 706, the Commission declined to direct a
method for identifying Critical Cyber Assets, but stated that it may
revisit this circumstance in a future proceeding. See Order No. 706,
122 FERC ¶ 61,040 at P 284.
\43\ North American Electric Reliability Corp., 130 FERC ¶
61,211, at P 15 (2010).
\44\ 16 U.S.C. 824o(a)(4). The term ``reliable operation'' means
``operating the elements of the bulk-power system within equipment
and electric system thermal, voltage, and stability limits so that
instability, uncontrolled separation, or cascading failures of such
system will not occur as a result of a sudden disturbance, including
a cybersecurity incident, or unanticipated failure of system
elements.''
---------------------------------------------------------------------------
44. Further, the Commission seeks comments on how to ensure that
the directives of Order No. 706 relative to CIP-002 with respect to the
concerns discussed below are addressed, resulting in a method that will
lead to sufficient and accurate Critical Cyber Asset identification.
45. The Commission believes that NERC should consider the following
three strategies to meet the outstanding directives and seeks comments
on these strategies. First, NERC should consider applicable features of
the NIST Risk Management Framework to ensure protection of all cyber
systems connected to the Bulk-Power System, including establishing CIP
requirements based on entity functional characteristics rather than
focusing on Critical Asset size. Second, as in the consideration of
misuse discussed below, NERC should consider mechanisms for identifying
Critical Cyber Assets by examining all possible communication paths
between a given cyber resource and any asset supporting a reliability
function. Third, NERC should provide a method for review and approval
of Critical Cyber Asset lists by external sources such as the Regional
Entities or NERC. Each of these strategies is discussed below.
1. NIST Framework
46. In Order No. 706, the Commission directed NERC to ``monitor the
development and implementation'' of cybersecurity standards then being
developed by the National Institute of Standards and Technology
(NIST).\45\ The Commission also directed NERC to consider the
effectiveness of the NIST standards.\46\ At that time, the Commission
directed NERC to address any NIST provisions that will better protect
the Bulk-Power System in the Reliability Standards development
process.\47\ While the Commission determined not to require NERC to
adopt or incorporate elements of the NIST standards, Order No. 706 left
open the option of revisiting the NIST standards at a later time.\48\
The Commission is not here proposing to direct that NERC use elements
of the NIST standards. However, we continue
[[Page 58736]]
to believe that the NIST framework could provide beneficial input into
the NERC CIP Reliability Standards and we urge NERC to consider any
such provisions that will better protect the Bulk-Power System.
---------------------------------------------------------------------------
\45\ Order No. 706, 122 FERC ¶ 61,040 at P 233.
\46\ Id.
\47\ Id.
\48\ Id.
---------------------------------------------------------------------------
47. The NIST Risk Management Framework was developed to manage the
risks associated with all information systems, and offers a structured
yet flexible approach that can now be applied to the electric industry.
The NIST Risk Management Framework guides selection and specification
of cybersecurity controls and measures necessary to protect individuals
and the operations and assets of the organization, while considering
effectiveness, efficiency, and constraints due to applicable laws,
directives, policies, standards, or regulations. Each of the activities
in the Risk Management Framework has an associated NIST security
standard and/or guidance document that can be used by organizations
implementing the framework. The management of risk is a key element.
48. Two primary features of the NIST Framework are: (1) Customizing
protection to the mission of the cyber systems subject to protection
(similar to the role identified by the NERC Functional Model); and (2)
ensuring that all connected cyber systems associated with the Bulk-
Power System, based on their function, receive some level of
protection.\49\ The Bulk-Power System could benefit from each of these
tested approaches.
---------------------------------------------------------------------------
\49\ NIST SP800-53, Section 1.4, Organizational
Responsibilities.
---------------------------------------------------------------------------
a. NIST Approach and the NERC Functional Model
49. The purpose of the NERC CIP Reliability Standards is to specify
mandatory Requirements for responsible entities to establish, maintain,
and preserve the cybersecurity of key information technology systems'
assets, the use of which is essential to reliable operation of the
Bulk-Power System. The CIP Reliability Standards include Requirements
which are based upon the functional roles of the responsible entities
as specified in the NERC Functional Model.\50\ The identification of
cyber systems and assets used to execute these functional roles should
be the first step in identifying the systems for coverage under the CIP
Reliability Standards for protection. The Functional Model should be
used as a starting point when considering the applicability of the NIST
Framework for securing the operation of cyber assets to provide for the
Reliable Operation of the Bulk-Power System.
---------------------------------------------------------------------------
\50\ Reliability Functional Model, Function Definitions and
Functional Entities, Version 5, approved by NERC Board of Trustees
May 2010; and, Reliability Functional Model Technical Document
Version 5, approved by NERC Board of Trustees May 2010.
---------------------------------------------------------------------------
b. NIST Tiered Approach
50. If applied to the Bulk-Power System, the NIST Framework would
specify the level of protection appropriate for systems based upon
their importance to the reliable operation of the Bulk-Power System.
Cyber systems connected to the Bulk-Power System require availability,
integrity, and confidentiality to effectively ensure the reliability of
the Bulk-Power System.
51. The NIST Framework provides for a tiered approach to
cybersecurity protection where protection of some type would be applied
to all cyber assets connected to the Bulk-Power System. Under the NIST
Framework, cyber assets whose compromise or loss of operability could
result in a greater risk to Bulk-Power System reliability would be
subject to more rigorous cybersecurity protections compared to a less
important asset. The NIST Framework recognizes that all connected
assets require a baseline level of protection to prevent attackers from
gaining a foothold to launch further, even more devastating attacks on
other critical systems.
52. Using the NIST framework, all cyber assets would also be
reviewed to determine the appropriate level of cyber protection. The
level of protection required for a given cyber asset is based upon its
mission criticality and its innate technological risks.
2. Misuse of Control Systems
53. In Order No. 706, the Commission directed NERC to consider the
misuse of control centers and control systems in the determination of
Critical Assets.\51\ If a perpetrator is able to misuse an asset, the
attacker may navigate across and between control system data networks
in order to gain access to multiple sites, which could enable a
coordinated multi-site attack. Recent cybersecurity incidents \52\
illustrate the importance of restricting connectivity between control
systems and external networks, emphasizing the inherent risk exposure
created by networking critical cyber control systems. Future mechanisms
for identifying when cyber assets require protection will have to
examine all possible paths between a given cyber resource and any asset
supporting a reliability function.
---------------------------------------------------------------------------
\51\ Order No. 706, 122 FERC ¶ 61,040 at P 282.
\52\ These include the discovery of Stuxnet, Night Dragon and
RSA breaches from advanced persistent threats in July 2010, February
2011 and March 2011 respectively, where systems were compromised.
---------------------------------------------------------------------------
54. In Order No. 706, the Commission expressed concerns regarding
the classification of control centers and the potential misuse of
control systems.\53\ With regard to control centers, the Commission
noted that responsible entities should be required to ``examine the
impact on reliability if the control centers are unavailable, due for
example to power or communications failures, or denial of service
attacks.'' \54\ In addition, the Commission stated that ``[r]esponsible
entities should also examine the impact that misuse of those control
centers could have on the electric facilities they control and what the
combined impact of those electric facilities could be on the
reliability of the Bulk-Power System.'' \55\ The Commission stated that
``when these matters are taken into account, it is difficult to
envision a scenario in which a reliability coordinator, transmission
operator or transmission owner control center or backup control center
would not properly be identified as a critical asset.'' \56\
---------------------------------------------------------------------------
\53\ Order No. 706, 122 FERC ¶ 61,040 at P 280-281.
\54\ Id. P 280.
\55\ Id.
\56\ Id.
---------------------------------------------------------------------------
55. In addition, the Commission raised concerns about the misuse of
a control system that controls more than one asset.\57\ Specifically,
the Commission noted that multiple assets, whether multiple generating
units, multiple transmission breakers, or perhaps even multiple
substations, could be taken out of service simultaneously due to a
failure or misuse of the control system. The Commission stated that
even if one or all of the assets would not be considered as a Critical
Asset on a stand alone basis, a simultaneous outage resulting from the
single point of control might affect the reliability or operability of
the Bulk-Power System. The Commission stated ``[i]n that case, the
common control system should be considered a Critical Cyber Asset.''
\58\
---------------------------------------------------------------------------
\57\ Id. P 281.
\58\ Id.
---------------------------------------------------------------------------
56. The Commission is concerned that the proposed CIP-002-4 bright
line criteria do not adequately address the Commission's prior
directive regarding the classification of control centers or take the
potential misuse of control systems into account in the identification
of Critical Assets. For example, the proposed bright line criteria
leave a number of Critical Assets
[[Page 58737]]
with potentially unprotected cyber assets, including a total of 222
\59\ control centers with no legal obligation to apply cybersecurity
measures. These potentially unprotected control centers involve an
unknown number of associated control systems.
---------------------------------------------------------------------------
\59\ NERC June 30, 2011 Data Response at 3.
---------------------------------------------------------------------------
57. Consider the following example: Electric grid control system
operation in part consists of the collection of raw data needed to run
the grid, collected by a SCADA system from intelligent electronic
devices (IEDs) (e.g., RTUs and phasor measurement units that produce
synchrophasor data). The SCADA data is typically aggregated by an
energy management system (EMS). The EMS may, in some cases, calculate
area control error (ACE) and transmit it to a balancing authority,
which in turn makes computer based decisions about balancing load and
generation. Those decisions are then used by the balancing authority or
generation operator as part of an automatic generation control (AGC)
process. At each of the sites involved, there are many data network
interconnection points with other entities (e.g., neighboring
transmission operators, generation operators, and reliability
coordinators) and additional connectivity to corporate data networks
and elsewhere, employing several communications technologies. This
results in a complex interconnection of cyber assets (including the
data of those cyber assets) demanding vigilant protection.\60\ These
cyber systems require comprehensive protection because the
interconnected system is only as strong as its weakest link.
---------------------------------------------------------------------------
\60\ See generally, Ron Ross, Managing Enterprise Risk in
Today's World of Sophisticated Threats, National Institute of
Standards and Technology (2007).
---------------------------------------------------------------------------
58. Any failure to take into account the interconnectivity of
control systems represents a significant reliability gap. Where modern
data networking technology is used for operation of the Bulk-Power
System (e.g., control systems, synchrophasors, smart grid), a network-
based cyber attack could result in multiple simultaneous outages of
grid equipment and cyber systems alike through misuse of a single point
of control (e.g., a SCADA control host system). Such an attack could
take place by way of a cyber system associated with an asset that falls
outside the CIP-002-4 bright line criteria yet is connected in common
with other cyber systems on the Bulk-Power System. The risk of a cyber
attack is greater now than when Order No. 706 was issued, as borne out
by the recent increased frequency and sophistication of cyber attacks.
It is critical, therefore, that the Commission's concerns regarding the
potential misuse of control centers and associated control systems be
addressed in the CIP Reliability Standards.
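The path-based identification discussed in paragraphs 45, 53 and 57-58
can be made concrete with a small model. The following Python script is
an added illustration and is not part of this rulemaking, of Order No.
706, or of any NERC standard; the topology, asset names, unit capacities
and the 1000 MW threshold are constructed assumptions. It compares the
staged approach (identified Critical Asset, then the cyber assets
essential to it) with a connectivity-based approach that gives every
cyber asset reachable from a reliability function a protection tier by
its distance to that function, and it flags a common control system
whose aggregate controlled capacity exceeds a threshold that none of its
units reaches on its own.

```python
"""Added example: scoping cyber assets by connectivity rather than by
Critical Asset association. Constructed topology; not from the rulemaking."""
from collections import deque

# Constructed communication links between cyber assets (undirected graph).
# Names, topology and figures are assumptions for this illustration only.
LINKS = {
    "rtu_subA": {"scada_host"},
    "rtu_subB": {"scada_host"},
    "pmu_subA": {"scada_host"},                 # synchrophasor data source
    "scada_host": {"rtu_subA", "rtu_subB", "pmu_subA", "ems", "historian"},
    "ems": {"scada_host", "agc_server", "iccp_gateway"},
    "agc_server": {"ems", "plant_dcs"},
    "plant_dcs": {"agc_server"},                # common control for 3 units
    "iccp_gateway": {"ems", "neighbor_top_ems"},
    "neighbor_top_ems": {"iccp_gateway"},       # another entity's EMS
    "historian": {"scada_host", "corp_fileserver"},
    "corp_fileserver": {"historian", "corp_workstation"},
    "corp_workstation": {"corp_fileserver"},    # corporate network foothold
}

# Cyber assets that directly perform a reliability function (assumed).
RELIABILITY_FUNCTIONS = {"scada_host", "ems", "agc_server",
                         "plant_dcs", "neighbor_top_ems"}

# Staged approach input: identified Critical Asset -> cyber assets
# essential to it. The plant behind plant_dcs is NOT identified because
# none of its units alone meets the (assumed) threshold.
CRITICAL_ASSET_SUPPORT = {
    "primary_control_center": {"scada_host", "ems", "agc_server"},
    "substation_A": {"rtu_subA", "pmu_subA"},
}

# Units controlled by a common control system, in MW (constructed).
CONTROLLED_UNITS = {"plant_dcs": {"unit1": 450, "unit2": 400, "unit3": 380}}
THRESHOLD_MW = 1000  # hypothetical bright-line threshold, not from the page


def staged_identification(critical_assets):
    """Critical Cyber Assets under the staged approach: only cyber assets
    essential to an *identified* Critical Asset. Anything supporting an
    asset that was never identified falls out of scope entirely."""
    ccas = set()
    for ca in critical_assets:
        ccas |= CRITICAL_ASSET_SUPPORT.get(ca, set())
    return ccas


def connectivity_tiers(links, reliability_functions):
    """Multi-source breadth-first search from every asset performing a
    reliability function. Returns {asset: hops}, the fewest communication
    hops between the asset and such a function. Every reachable asset
    gets a value, so a reachable foothold is never silently unscoped."""
    dist = {node: 0 for node in reliability_functions}
    queue = deque(reliability_functions)
    while queue:
        node = queue.popleft()
        for nxt in links.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def protection_tier(hops):
    """Tiered protection: more rigorous controls nearer the reliability
    function; nothing that is connected receives zero protection."""
    if hops == 0:
        return "high"
    if hops == 1:
        return "medium"
    return "baseline"


def scoping_gap(critical_assets):
    """Cyber assets with a path to a reliability function that the staged
    approach leaves out of scope, with their hop count."""
    staged = staged_identification(critical_assets)
    tiers = connectivity_tiers(LINKS, RELIABILITY_FUNCTIONS)
    return {a: h for a, h in tiers.items() if a not in staged}


def common_control_exposure(controlled_units, threshold_mw):
    """Single point of control: control systems whose units are each below
    the threshold but whose simultaneous loss meets or exceeds it."""
    flagged = {}
    for system, units in controlled_units.items():
        total = sum(units.values())
        if total >= threshold_mw and all(mw < threshold_mw for mw in units.values()):
            flagged[system] = total
    return flagged


if __name__ == "__main__":
    identified = {"primary_control_center", "substation_A"}
    print("staged CCAs:", sorted(staged_identification(identified)))
    for asset, hops in sorted(scoping_gap(identified).items(), key=lambda kv: kv[1]):
        print(f"out of scope under staged approach: {asset} ({hops} hops, "
              f"tier {protection_tier(hops)})")
    print("common control exposure:",
          common_control_exposure(CONTROLLED_UNITS, THRESHOLD_MW))
```

Run stand-alone, the script lists the corporate workstation (three hops
from the SCADA host via the historian) and the neighbor's EMS (reached
through the ICCP gateway) among the assets the staged approach leaves
out of scope, and flags plant_dcs because the three units it controls
total 1230 MW although none exceeds the assumed threshold alone. The
distance-based tiers stand in for the NIST-style baseline that the
Commission describes; a real assessment would also weigh the function
reached, not only the hop count.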
3. Regional Perspective
59. In Order No. 706, the Commission directed NERC to ``develop a
process of external review and approval of critical asset lists based
on a regional perspective.'' \61\ The Commission found that ``Regional
Entities must have a role in the external review to assure that there
is sufficient accountability in the process [and] * * * because the
Regional Entities and ERO are ultimately responsible for ensuring
compliance with Reliability Standards.'' \62\
---------------------------------------------------------------------------
\61\ Order No. 706, 122 FERC ¶ 61,040 at P 329.
\62\ Id. P 327.
---------------------------------------------------------------------------
60. The Commission is concerned that the lack of a regional review
in the identification of cyber assets might result in a reliability
gap. In Order No. 706, the Commission expressed concerns regarding the
need for developing a process of external review and approval of
Critical Asset lists based on a regional perspective, and that such
lists are considered from a wide-area view. This process would help to
identify trends in Critical Asset identification. Further, while we
recognize that individual circumstances may likely vary, an external
review will provide an appropriate level of consistency.\63\ For
example, reliability coordinators may communicate through a common
system, and a compromise of that system could propagate across multiple
regions. A cyber compromise can easily propagate across these data and
control networks, with potential adverse consequences to the Bulk-Power
System on a multi-region basis.
---------------------------------------------------------------------------
\63\ Id. P 322.
---------------------------------------------------------------------------
61. This problem may be exacerbated by any future revisions to
the CIP Reliability Standards that opt to reserve a high level of
independent authority to the registered entity to categorize and
prioritize its cyber assets. Looking forward, it will be essential for
NERC and the Regional Entities to actively review the designation of
cyber assets that are subject to the CIP Reliability Standards,
including those which span regions, in order to determine whether
additional cyber assets should be protected.
4. Summary
62. In summary, the Commission proposes to approve NERC's proposed
Version 4 CIP Standards pursuant to section 215(d)(2) of the FPA. As
discussed above, it appears that the Version 4 CIP Standards represent
an improvement in three respects in that they: (1) Will result in the
identification of certain types of Critical Assets that may not be
identified under the current approach; (2) use bright line criteria to
identify Critical Assets, thus limiting the discretion of responsible
entities when identifying Critical Assets; and (3) provide a level of
consistency and clarity regarding the identification of Critical
Assets.
63. While we believe that the Version 4 CIP Reliability Standards
satisfy the statutory standard for approval, we also believe that more
improvement is needed. As NERC explains in its Petition, the Version 4
CIP Reliability Standards are intended as ``interim'' and future
versions will build on Version 4. We believe that the electric
industry, through the NERC standards development process, should
continue to develop an approach to cybersecurity that is meaningful and
comprehensive to assure that the nation's electric grid is capable of
withstanding a Cybersecurity Incident.\64\ As discussed above, we
believe that some of the essential components of such a meaningful and
comprehensive approach to cybersecurity are set forth in Order No. 706.
---------------------------------------------------------------------------
\64\ Section 215(a) of the FPA defines Cybersecurity Incident as
``a malicious act or suspicious event that disrupts, or was an
attempt to disrupt, the operation of those programmable electronic
devices and communication networks including hardware, software and
data that are essential to the reliable operation of the Bulk-Power
System.''
---------------------------------------------------------------------------
[[Page 58738]]
5. Reasonable Deadline for Full Compliance With Order No. 706
64. The Commission issued Order No. 706 on January 18, 2008. In
Order No. 706, the Commission approved Version 1 of the CIP Reliability
Standards while also directing modifications pursuant to section
215(d)(5) of the FPA, some of which are described above. Later approved
versions of the CIP Reliability Standards, and now the proposed Version
4 CIP Reliability Standards, addressed some of the directives in Order
No. 706, but other directives remain unsatisfied.
65. Over three years have elapsed since the Commission issued the
Final Rule in January 2008. As discussed above, we believe that it is
important for the successful implementation of a comprehensive approach
to cybersecurity that NERC timely addresses the modifications directed
by the Commission in Order No. 706. Accordingly, the Commission
proposes to set a deadline for NERC to file the next version of the CIP
Reliability Standards, which NERC indicates will address all
outstanding Order No. 706 directives.\65\ This proposal is consistent
with the views expressed in the January 2011 Audit Report of the
Department of Energy's Inspector General, who found ``that the
Commission could have, but did not impose specific deadlines for the
ERO to incorporate changes to the CIP standards.'' \66\ Similarly, our
proposal is responsive to the Audit Report finding that ``the CIP
standards implementation approach and schedule approved by the
Commission were not adequate to ensure that systems-related risks to
the Nation's power grid were mitigated or addressed in a timely
manner.'' \67\
---------------------------------------------------------------------------
\65\ See NERC's May 27, 2011 Responses to Data Requests,
Response 1 (``[t]he standard drafting team expects that the filing
for the next version of the CIP Reliability Standards will address
the remaining FERC Order No. 706 directives'').
\66\ Department of Energy Inspector General Audit Report,
Federal Energy Regulatory Commission's Monitoring of Power Grid
Cybersecurity at 6 (January 2011).
\67\ Id. at 2.
---------------------------------------------------------------------------
66. The Commission understands that, under NERC's timeline for the
ongoing effort to address all outstanding Order No. 706 directives,
NERC anticipates submitting the next version of the CIP Reliability
Standards to the NERC Board of Trustees by the second quarter of 2012,
and filing that version with the Commission by the end of the third
quarter of 2012.\68\
---------------------------------------------------------------------------
\68\ See NERC's May 27, 2011 Responses to Data Requests,
Response 1. See also North American Electric Reliability Corporation
Reliability Standards Development Plan 2011-2013 Informational
Filing Pursuant to Section 310 of the NERC Rules of Procedure,
Docket Nos. RM05-17-000, RM05-25-000, RM06-16-000 at 14 (filed April
5, 2011).
---------------------------------------------------------------------------
67. The Commission proposes to establish NERC's current development
timeline above as a deadline for compliance with the outstanding Order
No. 706 CIP Standard directives. The Commission seeks comments from
NERC and other parties concerning this proposal. Further, NERC and
other parties may propose and support an alternative compliance
deadline.
IV. Information Collection Statement
68. The Office of Management and Budget (OMB) regulations require
that OMB approve certain reporting and recordkeeping requirements
(collections of information) imposed by an agency.\69\ The information
contained here is also subject to review under section 3507(d) of the
Paperwork Reduction Act of 1995.\70\ We will submit this proposed rule
to OMB for review.
---------------------------------------------------------------------------
\69\ 5 CFR 1320.11.
\70\ 44 U.S.C. 3507(d).
---------------------------------------------------------------------------
69. As stated above, the Commission previously approved Reliability
Standards similar to the proposed Reliability Standards that are the
subject of the current rulemaking.\71\
---------------------------------------------------------------------------
\71\ North American Electric Reliability Corporation, 130 FERC ¶
61,271 (2010).
---------------------------------------------------------------------------
70. The principal differences in the information collection
requirements and resulting burden imposed by the proposed Reliability
Standards in this rule are triggered by the proposed changes in
Reliability Standard CIP-002-4. The previous risk-based assessment
methodology for identifying Critical Assets will be replaced by 17
uniform ``bright line'' criteria for identifying Critical Assets (in
CIP-002-4, Attachment 1, ``Critical Asset Criteria''). Proposed
Reliability Standard CIP-002-4 would require each responsible entity to
use the bright line criteria as a ``checklist'' to identify Critical
Assets, initially and in an annual review, instead of performing the
more technical and individualized risk analysis involved in complying
with the currently-effective CIP Reliability Standards. As in past
versions, each Responsible Entity will then identify the Critical Cyber
Assets associated with its updated list of Critical Assets. If
application of the bright line criteria results in the identification of
new Critical Cyber Assets, such assets become subject to the remaining
standards (proposed CIP-003-4, CIP-004-4, CIP-005-4a, CIP-006-4c, CIP-
007-4, CIP-008-4, and CIP-009-4), and the information collection
requirements contained therein.
71. We estimate that the annual review of assets by the estimated
1,501 entities will be simplified by the ``Critical Asset Criteria'' in
proposed Reliability Standard CIP-002-4. Rather than each entity
annually reviewing and updating a Risk-Based Assessment Methodology
that frequently required technical analysis and judgment decisions, the
proposed bright line criteria will provide a straightforward checklist
for all entities to use. Thus, we
estimate that the proposal will reduce the burden associated with the
annual review, as well as provide a consistent and clear set of
criteria for all entities to follow.
72. The estimated changes to burden as contained in the proposed
rule in RM11-11 follow.
[[Page 58739]]
FERC-725B Data collection (per proposed Version 4) \72\

Column key:
  (1)  Number of respondents
  (2)  Average number of annual responses per respondent
  (3)  Average number of burden hours per response \73\
  (4)  Effect of NOPR in RM11-11 on total annual hours
  (5)  Annual burden hours upon implementation of RM11-11 = (1) x (2) x (3)

----------------------------------------------------------------------------------------------------
Respondent category                 (1)              (2)  (3)              (4)              (5)
----------------------------------------------------------------------------------------------------
[a] Entities that (previously and   345              1    1,880            reduction of     648,600
    now) will identify at least     [no change]           [reduction of    13,800 hours
    one Critical Cyber Asset                              40 hours, from
                                                          1,920 to 1,880]
[b] Entities that (previously and   1,144            1    120              reduction of     137,280
    now) will not identify any      [reduction of         [no change]      1,440 hours
    Critical Cyber Assets           12 entities,                           [for the 12
                                    from 1,156 to                          entities]
                                    1,144]
[c] Entities that will newly        increase of 12   1    3,840 \75\       increase of      46,080
    identify a Critical Asset/      [formerly 0]                           46,080 hours
    Critical Cyber Asset due to
    the requirements in RM11-11 \74\
----------------------------------------------------------------------------------------------------
Net total                           1,501 \72\                             +30,840          831,960
----------------------------------------------------------------------------------------------------
The revisions to the cost estimates based on requirements of this
proposed rule are:
---------------------------------------------------------------------------
\72\ The NERC Compliance Registry as of 9/28/2010 indicated that
2,079 entities were registered for NERC's compliance program. Of
these, 2,057 were identified as being U.S. entities. Staff concluded
that of the 2,057 U.S. entities, approximately 1,501 were registered
for at least one CIP related function. According to an April 7, 2009
memo to industry, NERC noted that only 31% of entities responding to
an earlier survey reported that they had at least one Critical
Asset, and only 23% reported having a Critical Cyber Asset. Staff
applied the 23% (an estimate unchanged for Version 4 standards) to
the 1,501 figure to estimate the number of entities that identified
Critical Assets under Version 3 CIP Standards.
\73\ Calculations for figures prior to applying reductions:
Respondent category b:
3 employees x (working 50%) x (40 hrs/week) x (2 weeks) = 120
hours.
Respondent category c:
20 employees x (working 50%) x (40 hrs/week) x (8 weeks) = 3200
hours.
20 employees x (working 20%) x (3200 hrs) = 640 hours.
Total = 3840.
Respondent category a:
50% of 3840 hours (category c) = 1920.
\74\ We estimate 12 (or 1%) of the existing entities that
formerly had no identified Critical Cyber Assets will have them
under the proposed Reliability Standards. This proposed rule does
not affect the burden for the 6 new U.S. Entities that were
estimated to newly register or otherwise become subject to the CIP
Standards each year in FERC-725B, and therefore are not included in
this chart.
\75\ This burden estimate applies only to the first
three year audit cycle. In subsequent audit cycles these entities
will move into category a, or be removed from the burden as an
entity that no longer is registered for a CIP related function.
---------------------------------------------------------------------------
 - Each entity that has identified Critical Cyber Assets has a
   reduction of 40 hours (345 entities x 40 hrs x $96/hour =
   $1,324,800 reduction).
 - The 12 entities that formerly had not identified Critical Cyber
   Assets, but now will have them, have:
     o a reduction of 120 hours and an increase of 3,840 hours (for a
       net increase of 3,720 annual hours), giving 12 entities x 3,720
       hrs x $96/hour = $4,285,440; and
     o storage costs of 12 entities x $15.25/entity = $183.
Total Net Annual Cost for the FERC-725B requirements contained in
the NOPR in RM11-11 = $2,960,823 ($4,285,440 + $183 - $1,324,800).
The estimated hourly rate of $96 is the average cost of legal
services ($230 per hour), technical employees ($40 per hour) and
administrative support ($18 per hour), based on hourly rates from the
Bureau of Labor Statistics (BLS) and the 2009 Billing Rates and
Practices Survey Report.\76\ The $15.25 per entity for storage costs is
an estimate based on the average costs to service and store 1 GB of
data to demonstrate compliance with the CIP Standards.\77\
---------------------------------------------------------------------------
\76\ Bureau of Labor Statistics figures were obtained from
http://www.bls.gov/oes/current/naics2_22.htm, and the 2009 Billing
Rates figure was obtained from
http://www.marylandlawyerblog.com/2009/07/average_hourly_rate_for_lawyer.html.
Legal services were based on the national average billing rate
(contracting out) from the above report and BLS hourly earnings
(in-house personnel). It is assumed that 25% of respondents have
in-house legal personnel.
\77\ Based on the aggregate cost of an advanced data protection
server.
---------------------------------------------------------------------------
Title: Mandatory Reliability Standards, Version 4 Critical
Infrastructure Protection Standards.
Action: Proposed Collection FERC-725B.
OMB Control No.: 1902-0248.
Respondents: Businesses or other for-profit institutions; not-for-
profit institutions.
Frequency of Responses: On Occasion.
Necessity of the Information: This proposed rule proposes to
approve the requested modifications to Reliability Standards pertaining
to critical infrastructure protection. The proposed Reliability
Standards help ensure the reliable operation of the Bulk-Power System
by providing a cybersecurity framework for the identification and
protection of Critical Assets and associated Critical Cyber Assets. As
discussed above, the Commission proposes to approve NERC's proposed
Version 4 CIP Standards pursuant to section 215(d)(2) of the FPA
because they represent an improvement to the currently-effective CIP
Reliability Standards.
Internal Review: The Commission has reviewed the proposed
Reliability Standards and made a determination that its action is
necessary to implement section 215 of the FPA.
73. Interested persons may obtain information on the reporting
requirements by contacting the following: Federal Energy Regulatory
Commission, 888 First Street, NE., Washington, DC 20426 [Attention:
Ellen Brown, Office of the Executive Director, e-mail:
DataClearance@ferc.gov, phone: (202) 502-8663, fax: (202) 273-0873].
74. For submitting comments concerning the collection(s) of
information and the associated burden estimate(s), please send your
comments to the Commission, and to the Office of Management and Budget,
Office of Information and Regulatory Affairs,
[[Page 58740]]
Washington, DC 20503 [Attention: Desk Officer for the Federal Energy
Regulatory Commission, phone: (202) 395-4638, fax: (202) 395-7285]. For
security reasons, comments to OMB should be submitted by e-mail to:
oira_submission@omb.eop.gov. Comments submitted to OMB should include
Docket Number RM11-11 and OMB Control Number 1902-0248.
V. Environmental Analysis
75. The Commission is required to prepare an Environmental
Assessment or an Environmental Impact Statement for any action that may
have a significant adverse effect on the human environment.\78\ The
Commission has categorically excluded certain actions from this
requirement as not having a significant effect on the human
environment. Included in the exclusion are rules that are clarifying,
corrective, or procedural or that do not substantially change the
effect of the regulations being amended.\79\ The actions proposed here
fall within this categorical exclusion in the Commission's regulations.
---------------------------------------------------------------------------
\78\ Order No. 486, Regulations Implementing the National
Environmental Policy Act of 1969, FERC Stats. & Regs., Regulations
Preambles 1986-1990 ¶ 30,783 (1987).
\79\ 18 CFR 380.4(a)(2)(ii).
---------------------------------------------------------------------------
VI. Regulatory Flexibility Act Certification
76. The Regulatory Flexibility Act of 1980 (RFA) \80\ generally
requires a description and analysis of final rules that will have a
significant economic impact on a substantial number of small entities.
The RFA mandates consideration of regulatory alternatives that
accomplish the stated objectives of a proposed rule and that minimize
any significant economic impact on a substantial number of small
entities. The Small Business Administration's (SBA) Office of Size
Standards develops the numerical definition of a small business.\81\
The SBA has established a size standard for electric utilities, stating
that a firm is small if, including its affiliates, it is primarily
engaged in the transmission, generation and/or distribution of electric
energy for sale and its total electric output for the preceding twelve
months did not exceed four million megawatt hours.\82\
---------------------------------------------------------------------------
\80\ 5 U.S.C. 601-612.
\81\ 13 CFR 121.101.
\82\ 13 CFR 121.201, Sector 22, Utilities & n.1.
---------------------------------------------------------------------------
77. The Commission analyzed the effect of the proposed rule on
small entities. The Commission's analysis found that the DOE's Energy
Information Administration (EIA) reports that there were 3,276 electric
utility companies in the United States in 2009,\83\ and 3,015 of these
electric utilities qualify as small entities under the Small Business
Administration (SBA) definition. Of these 3,276 electric utility
companies, the EIA subdivides them as follows: (1) 875 Cooperatives of
which 843 are small entity cooperatives; (2) 1,841 municipal utilities,
of which 1,826 are small entity municipal utilities; (3) 128 political
subdivisions, of which 115 are small entity political subdivisions; (4)
171 power marketers, of which 113 individually could be considered
small entity power marketers; \84\ (5) 200 privately owned utilities,
of which 93 could be considered small entity private utilities; (6) 24
state organizations, of which 14 are small entity state organizations;
and (7) 9 federal organizations of which 4 are small entity federal
organizations.
---------------------------------------------------------------------------
\83\ See Energy Information Administration Database, Form EIA-
861, Dept. of Energy (2009), available at
http://www.eia.doe.gov/cneaf/electricity/page/eia861.html.
\84\ Most of these small entity power marketers and private
utilities are affiliated with others and, therefore, do not qualify
as small entities under the SBA definition.
---------------------------------------------------------------------------
78. Many of the entities that have not previously identified
Critical Assets and Critical Cyber Assets are considered small
entities. The Version 4 CIP bright line criteria generally result
in the identification of relatively larger Bulk-Power System equipment
as Critical Assets. For the most part, the small entities do not own or
operate these larger facilities. There is a limited possibility that
these entities would have facilities that meet the bright line criteria
and therefore be subject to the full CIP standards (CIP-002 through
CIP-009). The Commission expects only a marginal increase in the number
of small entities that will identify at least one Critical Asset under
the Version 4 CIP Reliability Standards that have not done so
previously.
79. The Commission estimates that only one percent (12) of the
small and medium-sized entities that have not previously identified
Critical Assets and Critical Cyber Assets will have an increased cost
due to the proposed Reliability Standards and their identification of
new Critical Cyber Assets. For each of those 12 entities, we anticipate
a cost increase associated with creating a cyber security program along
with the actual cyber security protections associated with the
identified Critical Cyber Assets. The Commission requests comment on
the potential implementation cost and subsequent cost increases that
could be experienced by such small entities. Small and medium-sized
entities that continue to have no Critical Assets will not see any
change in their burden.
80. In general, the majority of small entities are not required to
comply with mandatory Reliability Standards because they are not
regulated by NERC pursuant to the NERC Registry Criteria. Moreover, a
small entity that is registered but does not identify Critical Cyber
Assets pursuant to CIP-002-4 will not have compliance obligations
pursuant to CIP-003-4 through CIP-009-4.
81. The Commission also investigated possible alternatives. These
included the Commission's adoption in Order No. 693 of the NERC
definition of bulk electric system, which reduces significantly the
number of small entities responsible for compliance with mandatory
Reliability Standards. The Commission also noted that small entities
could join a joint action agency or similar organization, which could
accept responsibility for compliance with mandatory Reliability
Standards on behalf of its members and also may divide the
responsibility for compliance with its members.
82. Based on the foregoing, the Commission certifies that the
proposed Reliability Standards will not have a significant impact on a
substantial number of small entities. Accordingly, no regulatory
flexibility analysis is required.
VII. Comment Procedures
83. The Commission invites interested persons to submit comments on
the matters and issues proposed in this notice to be adopted, including
any related matters or alternative proposals that commenters may wish
to discuss. Comments are due November 21, 2011. Comments must refer to
Docket No. RM11-11-000, and must include the commenter's name, the
organization they represent, if applicable, and their address in their
comments.
84. The Commission encourages comments to be filed electronically
via the eFiling link on the Commission's Web site at http://www.ferc.gov.
The Commission accepts most standard word processing
formats. Documents created electronically using word processing
software should be filed in native applications or print-to-PDF format
and not in a scanned format. Commenters filing electronically do not
need to make a paper filing.
85. Commenters unable to file comments electronically must mail or
hand deliver an original copy of their comments to: Federal Energy
Regulatory Commission, Secretary of the Commission, 888 First Street,
NE., Washington, DC 20426.
[[Page 58741]]
86. All comments will be placed in the Commission's public files
and may be viewed, printed, or downloaded remotely as described in the
Document Availability section below. Commenters on this proposal are
not required to serve copies of their comments on other commenters.
VIII. Document Availability
87. In addition to publishing the full text of this document in the
Federal Register, the Commission provides all interested persons an
opportunity to view and/or print the contents of this document via the
Internet through the Commission's Home Page (http://www.ferc.gov) and
in the Commission's Public Reference Room during normal business hours
(8:30 a.m. to 5 p.m. Eastern time) at 888 First Street, NE., Room 2A,
Washington, DC 20426.
88. From the Commission's Home Page on the Internet, this
information is available on eLibrary. The full text of this document is
available on eLibrary in PDF and Microsoft Word format for viewing,
printing, and/or downloading. To access this document in eLibrary, type
the docket number excluding the last three digits of this document in
the docket number field.
89. User assistance is available for eLibrary and the Commission's
Web site during normal business hours from FERC Online Support at
202-502-6652 (toll free at 1-866-208-3676) or e-mail at
ferconlinesupport@ferc.gov, or the Public Reference Room at
(202) 502-8371, TTY (202) 502-8659. E-mail the Public Reference Room at
public.referenceroom@ferc.gov.
List of Subjects in 18 CFR Part 40
Electric power, Electric utilities, Reporting and recordkeeping
requirements.
By direction of the Commission.
Nathaniel J. Davis, Sr.,
Deputy Secretary.
[FR Doc. 2011-24102 Filed 9-21-11; 8:45 am]
BILLING CODE 6717-01-P