|
A Cryptome DVD is offered by Cryptome. Donate $25 for a DVD of the Cryptome 11-years archives of 41,000 files from June 1996 to June 2007 (~4.4 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. Archives include all files of cryptome.org, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org. Cryptome offers with the Cryptome DVD an INSCOM DVD of about 18,000 pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985. No additional contribution required -- $25 for both. The DVDs will be sent anywhere worldwide without extra cost. |
7 August 2007
[Federal Register: August 6, 2007 (Volume 72, Number 150)][Proposed Rules] [Page 43969-44013] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr06au07-28] [[Page 43969]] ----------------------------------------------------------------------- Part IV Department of Energy ----------------------------------------------------------------------- Federal Energy Regulatory Commission ----------------------------------------------------------------------- 18 CFR Part 39 Mandatory Reliability Standards for Critical Infrastructure Protection; Proposed Rule [[Page 43970]] ----------------------------------------------------------------------- DEPARTMENT OF ENERGY Federal Energy Regulatory Commission 18 CFR Part 39 [Docket No. RM06-22-000] Mandatory Reliability Standards for Critical Infrastructure Protection July 20, 2007. AGENCY: Federal Energy Regulatory Commission, Department of Energy. ACTION: Notice of proposed rulemaking. ----------------------------------------------------------------------- SUMMARY: Pursuant to section 215 of the Federal Power Act (FPA), the Federal Energy Regulatory Commission (Commission), proposes to approve eight Critical Infrastructure Protection (CIP) Reliability Standards submitted to the Commission for approval by the North American Electric Reliability Corporation (NERC). The CIP Reliability Standards require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets. In addition, pursuant to section 215(d)(5) of the FPA, the Commission proposes to direct NERC to develop modifications to the CIP Reliability Standards to address specific concerns identified by the Commission. Approval of these standards will help protect the nation's Bulk-Power System against potential disruptions from cyber attacks. DATES: Comments are due October 5, 2007. ADDRESSES: You may submit comments, identified by docket number by any of the following methods:Agency Web Site: http://ferc.gov. Follow the instructions for submitting comments via the eFiling link found in the Comment Procedures section of the preamble. Mail/Hand Delivery: Commenters unable to file comments electronically must mail or hand deliver an original and 14 copies of their comments to the Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street, NE., Washington, DC 20426. Please refer to the Comment Procedures section of the preamble for additional information on how to file paper comments. FOR FURTHER INFORMATION CONTACT: Gary Cohen (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street, NE., Washington, DC 20426, (202) 502-8321. Paul Silverman (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street, NE., Washington, DC 20426, (202) 502-8683. Regis Binder (Technical Issues), Office of Energy Markets and Reliability, Federal Energy Regulatory Commission, 888 First Street, NE., Washington, DC 20426, (202) 502-6460. Jan Bargen (Technical Issues), Office of Energy Markets and Reliability, Federal Energy Regulatory Commission, 888 First Street, NE., Washington, DC 20426, (202) 502-6333. SUPPLEMENTARY INFORMATION: Table of Contents Paragraph Numbers I. Background............................................... 2. A. EPAct 2005 and Mandatory Reliability Standards....... 2. B. Development of CIP Reliability Standards............. 7. C. CIP Assessment....................................... 11. II. Discussion.............................................. 13. A. General Issues....................................... 13. 1. Cyber Security Challenges........................ 13. 2. Applicability.................................... 21. 3. Compliance Measured by Outcome................... 32. 4. Implementation Plan.............................. 42. 5. Issues Presented by Terminology.................. 50. 6. Guidance for Improving CIP Reliability Standards. 87. B. Discussion of Each CIP Reliability Standard.......... 89. 1. CIP-002-1--Critical Cyber Asset Identification... 89. 2. CIP-003-1--Security Management Controls.......... 120. 3. CIP-004-1--Personnel and Training................ 149. 4. CIP-005-1--Electronic Security Perimeter(s)...... 176. 5. CIP-006-1--Physical Security of Critical Cyber 204. Assets............................................. 6. CIP-007-1--Systems Security Management........... 223. 7. CIP-008-1--Incident Reporting and Response 265. Planning........................................... 8. CIP-009-1--Recovery Plans for Critical Cyber 289. Assets............................................. C. Violation Risk Factors............................... 321. 1. Background....................................... 321. 2. Commission Proposal.............................. 324. III. Information Collection Statement....................... 332. IV. Environmental Analysis.................................. 339. V. Regulatory Flexibility Act Certification................. 340. VI. Comment Procedures...................................... 350. VII. Document Availability.................................. 353. Appendix A List of Commenters............................... .......... Appendix B Violation Risk Factors: Proposed Dispositions.... .......... Before Commissioners: Joseph T. Kelliher, Chairman; Suedeen G. Kelly, Marc Spitzer, Philip D. Moeller, and Jon Wellinghoff. 1. Pursuant to section 215 of the Federal Power Act (FPA), the Commission proposes to approve eight Critical Infrastructure Protection (CIP) Reliability Standards submitted to the Commission for approval by the North American Electric Reliability Corporation (NERC). The CIP Reliability Standards require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets.\1\ In [[Page 43971]] addition, pursuant to section 215(d)(5) of the FPA, the Commission proposes to direct NERC to develop modifications to the CIP Reliability Standards to address specific concerns identified by the Commission. --------------------------------------------------------------------------- \1\ In the context of the CIP Reliability Standards, cyber assets are programmable electronic devices and communication networks including hardware, software, and data. See note 69, infra. --------------------------------------------------------------------------- I. Background A. EPAct 2005 and Mandatory Reliability Standards 2. On August 8, 2005, the Electricity Modernization Act of 2005, which is Title XII, Subtitle A, of the Energy Policy Act of 2005 (EPAct 2005), was enacted into law.\2\ EPAct 2005 adds a new section 215 to the FPA, which requires a Commission-certified Electric Reliability Organization (ERO) to develop mandatory and enforceable Reliability Standards, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced by the ERO subject to Commission oversight, or the Commission can independently enforce Reliability Standards.\3\ --------------------------------------------------------------------------- \2\ Energy Policy Act of 2005, Pub. L. No. 109-58, Title XII, Subtitle A, 119 Stat. 594, 941 (2005), to be codified at 16 U.S.C. 824o. \3\ 16 U.S.C. 824o(e)(3). --------------------------------------------------------------------------- 3. On February 3, 2006, the Commission issued Order No. 672, implementing section 215 of the FPA.\4\ Pursuant to Order No. 672, the Commission certified one organization, NERC, as the ERO.\5\ The Reliability Standards developed by the ERO and approved by the Commission will apply to users, owners and operators of the Bulk-Power System, as set forth in each Reliability Standard. --------------------------------------------------------------------------- \4\ Rules Concerning Certification of the Electric Reliability Organization; Procedures for the Establishment, Approval and Enforcement of Electric Reliability Standards, Order No. 672, 71 FR 8662 (Feb. 17, 2006), FERC Stats. & Regs. ] 31,204 (2006), order on reh'g, Order No. 672-A, 71 FR 19814 (Apr. 18, 2006), FERC Stats. & Regs. ] 31,212 (2006). \5\ North American Electric Reliability Corp., 116 FERC ] 61,062 (ERO Certification Order), order on reh'g & compliance, 117 FERC ] 61,126 (ERO Rehearing Order) (2006), order on compliance, 118 FERC ] 61,030 (2007) (Jan. 2007 Compliance Order), appeal docket sub nom. Alcoa, Inc. v. FERC, No. 06-1426 (D.C. Cir. Dec. 29, 2006). --------------------------------------------------------------------------- 4. Pursuant to section 215(d)(2) of the FPA and Sec. 39.5(c) of the Commission's regulations, the Commission is required to give due weight to the technical expertise of the ERO with respect to the content of a Reliability Standard or to a Regional Entity organized on an Interconnection-wide basis with respect to a proposed Reliability Standard or a proposed modification to a Reliability Standard to be applicable within that Interconnection.\6\ --------------------------------------------------------------------------- \6\ 18 CFR 39.5(c)(1), to be codified at 16 U.S.C.824o. --------------------------------------------------------------------------- 5. The ERO must file with the Commission each new or modified Reliability Standard that it proposes to be made effective under section 215 of the FPA. The Commission can then approve or remand the Reliability Standard. The Commission also can, among other actions, direct the ERO to modify an approved Reliability Standard to address a specific matter if it considers this appropriate to carry out section 215 of the FPA.\7\ Only Reliability Standards approved by the Commission will become mandatory and enforceable. --------------------------------------------------------------------------- \7\ Section 215(d)(5) of the FPA. --------------------------------------------------------------------------- 6. On April 4, 2006, as modified on August 28, 2006, NERC submitted to the Commission a petition seeking approval of 107 proposed Reliability Standards. On March 16, 2007, the Commission issued a final rule, Order No. 693, approving 83 of these 107 Reliability Standards and directing other action related to these Reliability Standards.\8\ --------------------------------------------------------------------------- \8\ Mandatory Reliability Standards for the Bulk-Power System, Order No. 693, 72 FR 16416 (Apr. 4, 2007), FERC Stats. & Regs. ] 31,242 (2007); reh'g pending. --------------------------------------------------------------------------- B. Development of CIP Reliability Standards 7. In August 2003, NERC approved the Urgent Action 1200 standard, which was the first comprehensive cyber security standard for the electric industry. This voluntary standard applied to control areas (i.e., balancing authorities), transmission owners and operators, and generation owners and operators that perform defined functions. Specifically, it established a self-certification process relating to the security of system control centers of the applicable entities. The Urgent Action 1200 standard remained in effect on a voluntary basis until June 1, 2006, at which time the eight CIP Reliability Standards that are the subject of the current rulemaking replaced the Urgent Action 1200 standard. 8. On August 28, 2006, NERC submitted to the Commission for approval the following eight proposed CIP Reliability Standards:\9\ --------------------------------------------------------------------------- \9\ The proposed Reliability Standards are not proposed to be codified in the CFR and are not attached to the NOPR. They are, however, available on the Commission's eLibrary document retrieval system in Docket No. RM06-22-000 and are available on the ERO's Web site, http://www.nerc.com/filez/standards/Reliability_Standards.html#Critical_Infrastructure_Protection . --------------------------------------------------------------------------- CIP-002-1--Cyber Security--Critical Cyber Asset Identification: Requires a responsible entity to identify its critical assets and critical cyber assets using a risk-based assessment methodology. CIP-003-1--Cyber Security--Security Management Controls: Requires a responsible entity to develop and implement security management controls to protect critical cyber assets identified pursuant to CIP-002-1. CIP-004-1--Cyber Security--Personnel & Training: Requires personnel with access to critical cyber assets to have an identity verification and a criminal check. It also requires employee training. CIP-005-1--Cyber Security--Electronic Security Perimeters: Requires the identification and protection of an electronic security perimeter and access points. The electronic security perimeter is to encompass the critical cyber assets identified pursuant to the risk- based assessment methodology required by CIP-002-1. CIP-006-1--Cyber Security--Physical Security of Critical Cyber Assets: Requires a responsible entity to create and maintain a physical security plan that ensures that all cyber assets within an electronic security perimeter are kept in an identified physical security perimeter. CIP-007-1--Cyber Security--Systems Security Management: Requires a responsible entity to define methods, processes, and procedures for securing the systems identified as critical cyber assets, as well as the non-critical cyber assets within an electronic security perimeter. CIP-008-1--Cyber Security--Incident Reporting and Response Planning: Requires a responsible entity to identify, classify, respond to, and report cyber security incidents related to critical cyber assets. CIP-009-1--Cyber Security--Recovery Plans for Critical Cyber Assets: Requires the establishment of recovery plans for critical cyber assets using established business continuity and disaster recovery techniques and practices. 9. NERC stated that these Reliability Standards provide a comprehensive set of requirements to protect the Bulk-Power System from malicious cyber attacks.\10\ They require Bulk-Power System users, owners, and operators to establish a risk-based vulnerability assessment methodology and use that methodology to identify and prioritize critical assets and critical cyber assets. Once the critical cyber assets are identified, the CIP Reliability Standards require, among other things, that the responsible entities establish plans, [[Page 43972]] protocols, and controls to safeguard physical and electronic access, to train personnel on security matters, to report security incidents, and to be prepared for recovery actions. Further, NERC explained that, because of the expanded scope of facilities and entities covered by the eight CIP Reliability Standards, and the investment in security upgrades required in many cases, NERC has also developed an implementation plan that provides for a three-year phase-in to achieve full compliance with all requirements.\11\ --------------------------------------------------------------------------- \10\ NERC Filing at 24. \11\ Id. at 24: Exhibit B (Implementation Plan for Cyber Security Standards). --------------------------------------------------------------------------- 10. Each proposed Reliability Standard uses a common organizational format that includes five sections, as follows: (A) Introduction, which includes ``Purpose'' and ``Applicability'' sub-sections; (B) Requirements; (C) Measures; (D) Compliance; and (E) Regional Differences. In this NOPR, these section titles are capitalized when referencing a designated provision of a Reliability Standard. C. CIP Assessment 11. On December 11, 2006, the Commission released a ``Staff Preliminary Assessment of the North American Electric Reliability Corporation's Proposed Mandatory Reliability Standards on Critical Infrastructure Protection'' (CIP Assessment). The CIP Assessment identified staff's preliminary observations and concerns regarding the eight proposed CIP Reliability Standards. The CIP Assessment described issues common to a number of the proposed CIP Reliability Standards. It also reviewed and identified issues regarding each individual CIP Reliability Standard but did not make specific recommendations regarding the appropriate action on a particular proposal. 12. Comments on the CIP Assessment were due by February 12, 2007. Entities that filed comments are listed in Appendix A to this NOPR. II. Discussion A. General Issues 1. Cyber Security Challenges 13. The CIP Reliability Standards represent the most thorough attempt to date to address cyber security issues that relate to the Bulk-Power System. For many years the control systems for the Bulk- Power System have operated in a stand-alone environment without computer or communication links to an external Information Technology (IT) infrastructure. However, over recent years, such stand-alone enclaves have been increasingly connected to both the corporate environment and the external world. 14. Modern computer and communication network interconnection brings with it the potential for cyber attacks on these systems. These concerns become particularly critical when several entities come under attack simultaneously. The CIP Assessment identified ``defense in depth'' as a widely recognized strategy to address cyber threats. Defense in depth involves the layering of various defense mechanisms in a way that either discourages an adversary from continuing an attack or aids in early detection of cyber threats. 15. A major challenge to preserving system protection is that changes occur rapidly in system architectures, technology, and threats. As a result, cyber security strategies must comprise a layered, interwoven approach to vigilantly protect the Bulk-Power System against evolving cyber security threats. 16. Cyber security involves a careful balance of the technologies available with the existing control equipment and the functions they perform. Cyber security does have purely technical components, which consist of the various available technologies to defend computer systems. The task of balancing technical options comes into play as one selects and combines the various available technologies into a comprehensive architecture to protect the specific computer environment. 17. A key to the successful cyber protection of the Bulk-Power System will be the establishment of CIP Reliability Standards that provide sound, reliable direction on how to choose among alternatives to achieve an adequate level of security, and the flexibility to make those choices. This conclusion is consistent with the lessons learned from the August 2003 blackout occurring in the central and northeastern United States. The identification of the causes of that and other previous major blackouts helped determine where existing Reliability Standards need modification or new Reliability Standards need to be developed to improve Bulk-Power System reliability. The U.S.--Canada Power System Blackout Task Force, in its Blackout Report, developed specific recommendations for the improving the then-current voluntary standards and development of new Reliability Standards.\12\ --------------------------------------------------------------------------- \12\ U.S.--Canada Power System Blackout Task Force, Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations (April 2004) (Blackout Report). The Blackout Report is available on the Internet at http://www.ferc.gov/industries/electric/indus-act/blackout.asp . --------------------------------------------------------------------------- 18. Thirteen of the 46 Blackout Report Recommendations relate to cyber security. They address topics such as the development of cyber security policies and procedures; strict control of physical and electronic access to operationally sensitive equipment; assessment of cyber security risks and vulnerability at regular intervals; capability to detect wireless and remote wireline intrusion and surveillance; guidance on employee background checks; procedures to prevent or mitigate inappropriate disclosure of information; and improvement and maintenance of cyber forensic and diagnostic capabilities.\13\ The proposed CIP Reliability Standards address these and related topics. --------------------------------------------------------------------------- \13\ See Blackout Report at 163-169, Recommendations 32-44. --------------------------------------------------------------------------- 19. As we noted in Order No. 693, the Blackout Report recommendations address key issues for assuring Bulk-Power System reliability and represent a well-reasoned and sound basis for action.\14\ Likewise, in this NOPR, the Commission recognizes the merits of specific Blackout Report recommendations as a basis for proposing certain modifications to the eight CIP Reliability Standards that the Commission proposes to approve. --------------------------------------------------------------------------- \14\ See Order No. 693 at P 234. --------------------------------------------------------------------------- 20. We recognize that the guidance and directives in the cyber security Reliability Standards themselves must also strike a reasonable balance. If the provisions are overly prescriptive they tend to become a ``one size fits all'' solution, which does not suit this environment, where systems vary greatly in architecture, technology, and risk profile. However, if Reliability Standards lack sufficient detail, they will provide little useful direction, thereby making compliance and enforcement difficult, allow flawed implementation of security mechanisms, and result in inadequate protection. The Commission will evaluate the proposed CIP Reliability Standards in the context of the above over-arching considerations. 2. Applicability 21. The Applicability section of each proposed CIP Reliability Standard identifies the following 11 categories of responsible entities that must comply [[Page 43973]] with the Reliability Standard: reliability coordinators, balancing authorities, interchange authorities, transmission service providers, transmission owners, transmission operators, generator owners, generator operators, load serving entities, NERC, and Regional Reliability Organizations. 22. The CIP Assessment raised two issues regarding applicability of the CIP Reliability Standards. First, it stated that, although it is likely that NERC and the Regional Entities \15\ are not directly subject to mandatory Reliability Standards, their compliance with the CIP Reliability Standards is important to the extent that they have cyber communications with users, owners or operators of the Bulk-Power System.\16\ The CIP Assessment suggested that NERC and Regional Entity compliance could be required pursuant to NERC's Rules of Procedure. Some commenters pointed out that NERC out-sources critical application systems that are relied upon by many responsible entities, such as the Interchange Distribution Calculator, and suggest that the out-source provider should be contractually compelled to comply with the CIP Reliability Standards, with NERC ultimately responsible for non- compliance.\17\ --------------------------------------------------------------------------- \15\ In Order No. 693, at P 157, the Commission directed NERC to remove all references to the Regional Reliability Organization and replace them with a reference to the Regional Entity where appropriate. This directive should apply to the CIP Reliability Standards as well. \16\ See CIP Assessment at 12-14. \17\ E.g., ISO-NE, ISO/RTO Council, and SPP. --------------------------------------------------------------------------- 23. Second, the CIP Assessment raised concerns about the appropriateness of a size threshold, below which small entities would be exempt from compliance. It explained that, while the assets and operations of a smaller entity may not have a major day-to-day operational impact on the Bulk-Power System, such an entity can provide a cyber gateway to compromise larger users, owners, or operators of the Bulk-Power System. When attacked simultaneously with the facilities of other small entities, the aggregate result could have an adverse impact on the reliability of the Bulk-Power System. Thus, the CIP Assessment suggested that a key to any determination of whether an entity should be subject to the CIP Reliability Standards is whether or not it is a user, owner, or operator of the Bulk-Power System and whether it has a cyber connection to other users, owners or operators of the Bulk-Power System. The CIP Assessment concluded that the CIP Reliability Standards should apply to all users, owners, or operators regardless of size, because a relatively small entity could have critical importance from a cyber security perspective. 24. A number of commenters stated that the focus should be on those entities that own or operate critical assets, rather than being addressed in terms of ``large'' or ``small'' size of entities.\18\ These commenters warn that a blanket waiver that uniformly exempts small entities from compliance with certain provisions of the proposed CIP Reliability Standards therefore would not be appropriate. NERC and other commenters maintain that applicability should not be determined based on cyber connections but, rather by identifying those users, owners and operators of the Bulk-Power System that own or operate critical assets and associated critical cyber assets. Another group of commenters urge that the Commission not impose the same compliance obligations on smaller entities as on larger entities when a violation by the smaller entity would not have a critical impact on the Bulk- Power System. They maintain that adverse impacts on the grid from small entities would be an uncommon occurrence and urge a case-by-case approach to granting waivers from compliance with the CIP Reliability Standards.\19\ --------------------------------------------------------------------------- \18\ E.g., Allegheny, California PUC, EEI, Georgia System, ISO- NE, MidAmerican, NERC, ReliabilityFirst, Northeast Utilities, NRECA, Ontario IESO, Tampa Electric, and Xcel. \19\ E.g., APPA/LPPC and Santa Clara. --------------------------------------------------------------------------- Commission Proposal 25. With regard to the applicability of the CIP Reliability Standards to the ERO, NERC has modified its Rules of Procedure to provide that the ERO will comply with each Reliability Standard that identifies the ERO as an applicable entity.\20\ Similarly, the delegation agreements between NERC and each of the eight Regional Entities expressly state that the Regional Entity is committed to comply with approved Reliability Standards.\21\ The Commission believes that this approach is sufficient and, accordingly, does not propose any additional measures or revisions on this issue. --------------------------------------------------------------------------- \20\ See NERC Rules of Procedure, section 100. \21\ See North American Electric Reliability Corp., 119 FERC ] 61,060 at P 4-5 (2007) (approving the delegation agreements and directing certain modifications). --------------------------------------------------------------------------- 26. The Commission's determinations in Order No. 693 are relevant to deciding the applicability of the CIP Reliability Standards to small entities. In Order No. 693, the Commission approved NERC's compliance registry process as a reasonable means ``to ensure that the proper entities are registered and that each knows which Commission-approved Reliability Standard(s) are applicable to it.'' \22\ Further, the Commission approved NERC registry criteria that identify specific categories of users, owners and operators of the Bulk-Power System and criteria for registering entities within each of the categories.\23\ --------------------------------------------------------------------------- \22\ Order No. 693 at P 92, quoting ERO Certification Order, 116 FERC ] 61,062 at P 689. \23\ Order No. 693 at P 93-95. NERC's Statement of Compliance Registry Criteria (Revision 3), approved by the Commission in Order No. 693, is available on NERC's Web site at: ftp://www.nerc.com/pub/sys/all_updl/ero/Statement_of_Compliance_ Registry--Criteria-- Rev3.pdf. --------------------------------------------------------------------------- 27. The Commission will also rely on the NERC registration process to determine applicability with the CIP Reliability Standards. In other words, an entity would be responsible to comply with the CIP Reliability Standards if the entity is (1) registered by NERC under one or more functional categories and (2) within a functional category for which the entity is registered as identified in the Applicability section of the CIP Reliability Standards. However, even though it is the Commission's present intention to rely on the NERC registration process to identify appropriate entities, we remain concerned about the possibility of entities not identified by the registration process becoming a weakness in the security of the Bulk-Power System. In this regard, we note that, in Order No. 693, the Commission explained that, ``if there is an entity that is not registered and NERC later discovers that the entity should have been subject to the Reliability Standards, NERC has the ability to add the entity, and possibly other entities of a similar class, to the registration list * * *.'' \24\ In addition, in Order No. 693, the Commission indicated that it would further examine applicability issues under section 215 of the FPA in a future proceeding, and notes the same intention here.\25\ --------------------------------------------------------------------------- \24\ Order No. 693 at P 97. \25\ Id. at P 77. --------------------------------------------------------------------------- 28. Regarding our concern about small entities becoming a gateway for cyber attacks, some commenters argue that the Commission should not focus on cyber connections to determine applicability of the CIP Reliability Standards. Others state that it would be uncommon for a small entity to cause an adverse impact upon the grid. The Commission's reliance upon the NERC registration process to determine the applicability of the CIP Reliability Standards is in part based upon our expectation that industry will use the ``mutual distrust'' posture discussed below regarding CIP- [[Page 43974]] 003-1. The term ``mutual distrust'' is used to denote how these ``outside world'' systems are treated by those inside the control system. A mutual distrust posture requires each responsible entity that has identified critical cyber assets to protect itself and not trust any communication crossing an electronic security perimeter, regardless of where that communication originates. 29. Similarly, the Commission is relying on the NERC registration process to include all critical assets and associated critical cyber assets. For example, if assets are important to the reliability of the Bulk-Power System, such as black start units, we would expect that the NERC registration process would identify the owners or operators of those units as critical, and require them to register, even though the facilities may be ``smaller'' or at low voltages. Demand side aggregators might also need to be included in the NERC registration process if their load shedding capacity would affect the reliability or operability of the Bulk-Power System. 30. As discussed later, as an initial compliance step, each entity that is responsible for compliance with the CIP Reliability Standards must identify critical assets through the application of a risk-based assessment as required by CIP-002-1. Whether that entity must comply with the remainder of the requirements in the CIP Reliability Standards would depend on the outcome of that assessment and the subsequent identification of critical cyber assets, also required by CIP-002-1. Thus, CIP-002-1 acts as a filter, determining which entities must comply with the remaining CIP requirements (i.e., CIP-003-1 through CIP-009-1). 31. The Commission agrees with the commenters that access to information essential to the operation of critical cyber assets by out- sourced entities that are not otherwise subject to the CIP Reliability Standards presents a potential vulnerability to the Bulk-Power System. We understand that, on occasion, NERC negotiates contracts with such third party vendors, and the products developed by the vendors are then used by responsible entities that, as owners of the critical cyber assets, are ultimately responsible for their cyber security protection under the CIP Reliability Standards. The Commission invites comment on whether and how such out-sourced entities should be contractually obligated to comply with the CIP Reliability Standards while satisfying their other contractual obligations. 3. Compliance Measured by Outcome a. Performance-Based Standards 32. The CIP Assessment expressed concern that the lack of specificity within the proposed CIP Reliability Standards could result in inadequate implementation efforts and inconsistent results.\26\ NERC, along with a number of other commenters, states that the CIP Reliability Standards are not prescriptive, positing that the level of specificity they embody is appropriate. NERC explains that the use of a performance-based structure frames the CIP Reliability Standards in terms of required results or outcomes with criteria for verifying compliance, but without prescribing the methods for achieving the required results. In other words, the specific means to achieve that outcome are left to the discretion of the responsible entity. Such an approach contrasts with a prescribed or design-based standard. NERC concludes that, when taken together, the proposed Reliability Standards constitute a comprehensive set of cyber security activities, stating that it is more important that a pre-defined, desirable outcome is achieved than prescribing the means to that end. --------------------------------------------------------------------------- \26\ CIP Assessment at 3. --------------------------------------------------------------------------- 33. The Commission generally agrees that use of performance-based standards is a part of the design of cyber security safeguards for the Bulk-Power System's critical assets. However, as we indicated in Order No. 672, performance-based standards may not always be appropriate, for example, in situations where ``the `how' may be inextricably linked to the Reliability Standard and may need to be specified to ensure the enforceability of the standard.'' \27\ Accordingly, where necessary, the Commission proposes to direct NERC to modify the CIP Reliability Standards to address the ``how.'' Moreover, the Commission is concerned that, while NERC explains that the CIP Reliability Standards are performance-based, the CIP Reliability Standards do not provide a mechanism to measure performance or otherwise determine whether a responsible entity has met the goals of a particular requirement set forth in the standards. --------------------------------------------------------------------------- \27\ Order No. 672 at P 260. The Commission also explained that, for some Reliability Standards, ``leaving out implementation features could [inter alia] sacrifice necessary uniformity in implementation * * *''. --------------------------------------------------------------------------- 34. The Commission believes that monitoring the performance of responsible entities identified in the CIP Reliability Standards involves three strategies. First, it is important that there be both internal and external oversight of the responsible entity's activities. While the proposed Reliability Standards embody internal management oversight strategies, there should also be oversight that embodies a wide-area view. Second, when flexibility is exercised in a way that excepts an entity from a Requirement, such action should be monitored, documented, and periodically revisited to determine consistency and effectiveness of the implementation. Third, reporting certain wide-area information and analysis to the Commission is vital to its role in ensuring that approved CIP Reliability Standards achieve on an ongoing basis an adequate level of cyber security protection to the Bulk-Power System. These three strategies are applied in our discussion below of various provisions of the CIP Reliability Standards. b. Adequacy of Outcomes 35. The CIP Assessment explained that many of the Requirements in the proposed CIP Reliability Standards consist of broad directives, and that the Measures and Compliance provisions focus largely on proper documentation. The Reliability Standards themselves do not explain the interplay between the Requirements, on one hand, and the Measures and Levels of Non-Compliance, on the other. 36. The CIP Assessment expressed the view that the focus of the Measures and Compliance provisions on documentation could be interpreted to suggest that possession of documentation can demonstrate compliance, regardless of the quality of its contents. It suggested that compliance with the CIP Reliability Standards must be understood in terms of compliance with the Requirements, which, according to NERC, define what an entity must do to be compliant and establishes an enforceable obligation. Comments 37. NERC and others do not share the CIP Assessment concern regarding the focus on documentation.\28\ NERC and ReliabilityFirst acknowledge the extensive use of documentation throughout the CIP Reliability Standards, but note that the majority of this documentation is used to demonstrate that the Requirements have been met. NERC indicates that, while the ``mere possession of documentation'' does not guarantee compliance, appropriate documentation is essential to demonstrate that steps to comply with the Requirements have been taken and will streamline after-the- [[Page 43975]] fact compliance audits. Similarly, EEI believes that the quality of the documentation is an important factor for assessing compliance and should be the subject of an audit. FirstEnergy and Santa Clara state that it would be helpful for NERC to provide guidance on what constitutes reasonable documentation. --------------------------------------------------------------------------- \28\ E.g., ReliabilityFirst, APPA/LPPC, and SPP. --------------------------------------------------------------------------- 38. Others raise concerns regarding the emphasis on documentation. For example, Duke Energy agrees with the CIP Assessment that the CIP Reliability Standards rely heavily on documentation to verify compliance. Duke Energy believes that the accumulation of documentation to facilitate audits may prove to be less than optimum for the CIP Reliability Standards and suggests that efforts to improve the CIP Requirements should gradually focus less on documentation, and more on the actual level of cyber security to be implemented by the responsible entity. ISA Group states that the CIP Reliability Standards do not specify clear Requirements and do not provide sufficient guidance. ISA Group believes that the clarity and detail of the Levels of Non- Compliance in terms of documentation give the impression that the documentation is the focus of the CIP Reliability Standards. Commission Proposal 39. The Commission agrees with NERC that, while documentation is necessary, the documentation by itself does not satisfy the Requirements of a Reliability Standard. Rather, implementation of the substance of the Requirements is most important in determining compliance. As we explained in Order No. 693, ``while Measures and Levels of Non-Compliance provide useful guidance to the industry, compliance will in all cases be measured by determining whether a party met or failed to meet the Requirement given the specific facts and circumstances of its use, ownership or operation of the Bulk-Power System.'' \29\ Moreover, the Commission recognized that: --------------------------------------------------------------------------- \29\ Order No. 693 at P 253. The most critical element of a Reliability Standard is the Requirements. As NERC explains, ``the Requirements within a standard define what an entity must do to be compliant * * * [and] binds an entity to certain obligations of performance under section 215 of the FPA.'' If properly drafted, a Reliability Standard may be enforced in the absence of specified Measures or Levels of Non- Compliance.\30\ --------------------------------------------------------------------------- \30\ Id., quoting NOPR at P 105 (footnote omitted). 40. To reiterate, while documentation set forth in the Measures and Levels of Non-Compliance plays an important role in assuring that a responsible entity is able to demonstrate to an auditor or others that it has complied with the substantive Requirement of a Reliability Standard, adequate documentation does not substitute for substantive compliance with the obligations and responsibilities set forth in the Requirement. 41. Related, certain Requirements of the CIP Reliability Standards obligate a responsible entity to develop and maintain a plan, policy or procedure. However, such Requirements do not always explicitly require implementation of the plan, policy or procedure.\31\ The Commission interprets such provisions to include an implicit requirement to implement the plan, policy or procedure; and to make a responsible entity subject to a non-compliance action for failing to implement the policy. Such an interpretation is reasonable to prevent the scenario in which the ERO, Regional Entity or the Commission could assess a penalty against a responsible entity for failure to develop a plan, policy or procedure that satisfies the Requirements of the Reliability Standard, but unable to assess a penalty against a responsible entity that has developed an adequate plan but fails to implement it. Further, the Commission proposes that the ERO, in developing modifications to the CIP Reliability Standards, include explicitly in such Requirements that a responsible entity must implement a plan, policy or procedure that it is required to develop. --------------------------------------------------------------------------- \31\ See, e.g., CIP-006-1, Requirement R1 (requiring a responsible entity to ``create and maintain a `physical security plan'' '); cf. CIP-003-1, Requirement R1 (requiring a responsible entity to ``document and implement a cyber security policy''). --------------------------------------------------------------------------- 4. Implementation Plan 42. Unlike the Reliability Standards approved in Order No. 693, which NERC formulated based on existing voluntary standards, the CIP Reliability Standards are new and require applicable entities in many cases to develop new cyber security systems and procedures, which will take time to develop and implement. To address this task, NERC developed an implementation plan that includes a proposed four-stage schedule for implementing the proposed CIP Reliability Standards over a three-year period.\32\ --------------------------------------------------------------------------- \32\ NERC August 28, 2006 Filing, Exhibit B ``Implementation Plan for Cyber Security Standards'' (Implementation Plan). --------------------------------------------------------------------------- 43. The Implementation Plan sets out a proposed schedule for accomplishing the various tasks associated with compliance with the CIP Reliability Standards. The schedule gives a timeline by calendar quarters for completing various tasks and prescribes milestones for when a responsible entity must: (1) ``Begin work;'' (2) ``be substantially compliant'' with a requirement; (3) ``be compliant'' with a requirement; and (4) ``be auditably compliant'' with a requirement. 44. According to the implementation plan, ``auditably compliant'' must be achieved in 2009 for certain Requirements by certain responsible entities, and in 2010 for the remainder. CIP Assessment 45. The CIP Assessment suggested that it may be possible to assess a responsible entity's level of compliance prior to the time when it achieves its ``auditably compliant'' status. It noted that, if a responsible entity is in the ``begin work'' phase, it has: (1) Developed and approved a plan to address the Requirements of a Reliability Standard; (2) identified and planned for necessary resources; and (3) begun implementing the Requirements. These are specific steps that an audit can examine. The CIP Assessment observed that the difference between the ``compliant'' and ``auditably compliant'' status for many of the Requirements is the accumulation of 12 months of compliance records. It sought comment on whether it would be beneficial to audit a responsible entity at the ``begin work'' and ``compliant'' stages, even though the responsible entity may not have the full 12 month accumulation of compliance records. Comments 46. A number of commenters agree that some type of assessment, although not necessarily in the form of an audit, is both possible and potentially beneficial prior to the time an entity achieves ``auditably compliant'' status.\33\ NERC agrees that there is a benefit to ensuring that responsible entities are moving timely toward ``auditably compliant'' status. While NERC believes that audits at an interim stage are not possible, it states that it plans to monitor progress through self-certification without assessing penalties. Other commenters oppose interim audits, stating that they could interfere with implementation plans and lead to penalties for non-compliance.\34\ --------------------------------------------------------------------------- \33\ E.g., Santa Clara, SPP, APPA/LPPC, NERC, Allegheny, Georgia Operators, ISO RTO Council, MidAmerican, SoCal Edison, and NRECA. \34\ E.g., ATC, EEI, National Grid, Tampa Electric, and FirstEnergy. --------------------------------------------------------------------------- [[Page 43976]] Commission Proposal 47. The Commission proposes to approve NERC's Implementation Plan, including the proposed timelines for achieving compliance. NERC indicates that the proposed timelines were developed with input from all sectors of the electric industry. Further, while some responsible entities have already installed the necessary equipment and software to address cyber security, the Commission recognizes that many responsible entities must purchase and install new equipment and software to achieve compliance. Based on these considerations, the Commission believes that the timetable proposed by NERC sets reasonable deadlines for industry compliance. 48. However, the Commission is concerned whether the industry will be fully prepared for compliance upon reaching the implementation deadline and will take reasonable action to protect the Bulk-Power System during this interim period. The Commission believes that NERC's plans to require self-certification during the interim period are helpful. NERC, however, does not indicate the interval for self- certification. We believe that an annual certification would not allow adequate monitoring of progress and propose to direct that the ERO develop a self-certification process with more frequent certifications, either tied to target dates in the schedule or perhaps quarterly or semi-annual certifications. While we agree with NERC that an entity should not be subject to a monetary penalty if it is unable to certify that it is on schedule, such an entity should explain to the ERO the reason it is unable to self-certify. The ERO and the Regional Entities should then work with such an entity either informally or, if appropriate, by requiring a remedial plan to assist such an entity in achieving full compliance in a timely manner. Further, the ERO and the Regional Entities should provide informational guidance, upon request, to assist a responsible entity in assessing its progress in reaching ``auditably compliant'' status. 49. To further address our concerns about the period prior to when responsible entities achieve full compliance with the CIP Reliability Standards, the Commission also proposes to direct the ERO to add a cyber security assessment to NERC's existing readiness reviews. In this readiness assessment process, the ERO should assist in the identification of best practices and deficiencies of the reviewed entities, both to help them prepare for implementation of the CIP Reliability Standards and to assess the status of their compliance efforts. The readiness reviews will also help the Commission to evaluate the potential effectiveness of the cyber security Reliability Standards before they are implemented by disclosing the progress made by reviewed entities in their CIP Reliability Standards implementation efforts. 5. Issues Presented by Terminology a. Business Judgment NERC Proposal 50. Each of the proposed CIP Reliability Standards incorporates the concept of ``reasonable business judgment'' as a guide for determining what constitutes appropriate compliance with those Reliability Standards. The Purpose statement of Reliability Standard CIP-002-1 provides that: These standards recognize the differing roles of each entity in the operation of the Bulk Electric System, the criticality and vulnerability of the assets needed to manage Bulk Electric System reliability, and the risks to which they are exposed. Responsible entities should interpret and apply Standards CIP-002 through CIP- 009 using reasonable business judgment. Each of the subsequent CIP Reliability Standards includes a statement that ``Responsible Entities should interpret and apply the Reliability Standard using reasonable business judgment.'' 51. NERC's Glossary of Terms Used in Reliability Standards (NERC glossary) does not define the term ``reasonable business judgment,'' and the CIP Reliability Standards do not otherwise suggest how the term is to be interpreted. NERC's Frequently Asked Questions (FAQ) document that accompanies the CIP Reliability Standards provides the only available guidance on the issue.\35\ It states that the phrase is meant ``to reflect--and to inform--any regulatory body or ultimate judicial arbiter of disputes regarding interpretation of these Standards--that responsible entities have a significant degree of flexibility in implementing these Standards.'' The FAQ document notes that there is a long history of judicial interpretation of the business judgment rule and suggests that this history is relevant to the use of this rule in the context of the CIP Reliability Standards. The document goes on to say: --------------------------------------------------------------------------- \35\ NERC included the FAQ document in its August 28, 2006 filing. The FAQ document is also available at ftp://www.nerc.com/pub/sys/all_updl/standards/sar/Revised_CIP-002-009_FAQs_06Mar06.pdf . Courts generally hold that the phrase indicates reviewing tribunals should not substitute their own judgment for that of the entity under review other than in extreme circumstances. A common formulation indicates the business judgment of an entity--even if incorrect in hindsight--should not be overturned as long as it was made (1) in good faith (not an abuse or indiscretion), (2) without improper favor or bias, (3) using reasonably complete (if imperfect) information as available at the time of the decision, (4) based on a rational belief that the decision is in the entity's business interest. This principle, however, does not protect an entity from --------------------------------------------------------------------------- simply failing to make a decision. CIP Assessment 52. The CIP Assessment acknowledged the importance of flexibility and discretion in implementing cyber security strategies. However, it expressed skepticism about the appropriateness of the business judgment rule in this context, given the unusually broad discretion it permits. The CIP Assessment thus expressed concern that such an approach to flexibility and discretion would unduly compromise the effectiveness of the CIP Reliability Standards and the ability to enforce compliance with them. 53. The CIP Assessment sought comment on: (1) Specific examples of the differing roles of entities in relationship to their potential impact on cyber security risks to Bulk-Power System reliability; (2) alternatives to reliance on the reasonable business judgment rule that would allow for recognition of differing roles of entities, vulnerability of assets, and exposure to risk but also permit effective enforcement of the CIP Reliability Standards; and (3) the ramifications of removing the ``reasonable business judgment'' language from the proposed CIP Reliability Standards while an alternative approach is developed using the ERO's Reliability Standards development process. Comments 54. A number of commenters stress the importance of flexibility and discretion in implementing the CIP Reliability Standards, but agree that it would not be reasonable to give the term ``business judgment'' the meaning it has in the context of corporate fiduciary responsibility.\36\ Other commenters state that the use of reasonable business judgment was not meant to allow entities to evade application of the CIP Reliability Standards, but they acknowledge that legal precedent [[Page 43977]] suggests that inclusion of the term could increase the potential for disputes.\37\ These commenters support the use of alternative terms to acknowledge the need for flexibility and discretion, such as ``reasonableness,'' ``good utility practice,'' or ``good engineering practices.'' --------------------------------------------------------------------------- \36\ E.g., California PUC, APPA/LPPC, EPSA, and Progress Energy. \37\ E.g., Duke, Progress Energy, Xcel, and National Grid. --------------------------------------------------------------------------- 55. Other commenters argue that the ``reasonable business judgment'' language is essential to provide balance in the implementation of the CIP Reliability Standards and should not be removed. Some indicate that use of the term was intended to allow consideration of cost or business implications of an action.\38\ For instance, NERC states that, if business considerations are left out of account, the CIP Reliability Standards would describe an impossibly high level of technical content, and the cost of implementing such a solution would approach an infinite amount of time, money, and resources. Commenters also state that use of reasonable business judgment allows every entity the flexibility to make the best choice for its unique situation.\39\ Finally, some commenters believe that the term reasonable business judgment will ensure that the CIP Reliability Standards are enforceable by permitting development of a record of industry practices over time that provides a body of reasonable, industry cyber security practices.\40\ --------------------------------------------------------------------------- \38\ E.g., NERC, Southern, and PG&E. \39\ E.g., NERC, NU, PJM, Santa Clara, and Cleveland Public Power. \40\ E.g., IRC and Tampa Electric. --------------------------------------------------------------------------- 56. Some commenters argue that use of the term ``reasonable business judgment'' was not intended to trigger the exculpatory ``business judgment rule'' as used in connection with the actions of corporate directors.\41\ They contend the term was intended as a ``reasonableness'' standard that was meant to add a defined and objective measure for assessing an entity's actions in implementing the CIP Reliability Standards based on the entity's particular system and assets. EEI argues that while the NERC FAQ accurately describes traditional use of the reasonable business judgment rule in the context of corporate law, it does not articulate how this language is being used in the context of cyber security standards. EEI also states that it is unlikely that the FAQ document would control interpretation of the CIP Reliability Standards. --------------------------------------------------------------------------- \41\ E.g., Arizona Public Service, EEI, Progress Energy, SoCal, TEC, Duke, ReliabilityFirst and National Grid. --------------------------------------------------------------------------- 57. Finally, some commenters acknowledge that the traditional corporate business judgment rule does grant officers and directors broad discretion, but also contains elements that temper this discretion.\42\ To receive the benefit of the rule, a business decision must be made on an informed basis, in good faith and in honest belief that the action taken was in the best interests of the company. In addition, the person making the decision must act with the care that an ordinarily prudent person would reasonably be expected to exercise in a like position with similar circumstances. The commenters argue that these requirements permit the term reasonable business judgment to be adapted to the cyber security context. --------------------------------------------------------------------------- \42\ E.g., EEI and Progress Energy. --------------------------------------------------------------------------- Commission Proposal 58. For the reasons discussed below, the Commission proposes to direct the ERO to modify the CIP Reliability Standards to remove references to the ``reasonable business judgment'' language before compliance audits start in 2009. 59. The Commission agrees with commenters that flexibility and discretion are essential in implementing the CIP Reliability Standards and that implementing those Reliability Standards must be done on the basis of the specific facts and circumstances applicable in the individual case at hand. Cyber security problems do not lend themselves to one-size-fits-all solutions. In addition, the Commission acknowledges that cost can be a valid consideration in implementing the CIP Reliability Standards. However, the Commission believes that the traditional concept of reasonable business judgment is ill suited to the task of implementing an appropriate program of cyber security pursuant to FPA section 215. The concept of reasonable business judgment addresses the issue of whether a decision-making process conforms to certain standards. It was developed specifically to address the issue of how courts should approach business decisions made by a company's officers or directors, and the answer it provides is based on certain assumptions about how our economic system operates and who is most likely to have the knowledge and expertise needed to make appropriate business decisions. However, the concept of reasonable business judgment takes on a very different meaning when removed from its original context and applied to a different factual situation where very different assumptions apply. As explained below, when transferred to the realm of cyber security or Bulk-Power System reliability generally, recourse to reasonable business judgment is inconsistent with the purpose of FPA section 215. 60. Cyber standards are essential to protecting the Bulk-Power System against attacks by terrorists and others seeking to damage the grid. Because of the interconnected nature of the grid, an attack on one system can affect the entire grid. It is therefore unreasonable to allow each user, owner or operator to determine compliance with the CIP Reliability Standards based on its own ``business interests.'' Business convenience cannot excuse compliance with mandatory Reliability Standards. 61. While some commenters argue that references to reasonable business judgment in the CIP Reliability Standards were not intended to trigger the traditional corporate business judgment rule, the FAQ document can be read to suggest the contrary. In fact, the FAQ document states explicitly that ``reasonable business judgment'' means what the courts have said it means in the corporate context. It states that the phrase has an almost 200 year history in the common law nations and notes that ``[c]ourts generally hold that the phrase indicates reviewing tribunals should not substitute their own judgment for that of the entity under review other than in extreme circumstances.'' The FAQ document then goes on to list the elements of reasonable business judgment as the courts generally define it. The FAQ document nowhere states or suggests that the meaning and significance of reasonable business judgment is subject to some modification or qualification in the context of implementing and complying with the CIP Reliability Standards. 62. Moreover, as the FAQ document makes clear, compliance turns on whether a decision was ``based on a rational belief that the decision is in the entity's business interest.'' That test is fundamentally incompatible with Congress' decision to adopt a regime of mandatory Reliability Standards. As we stated above, the vulnerability of one entity can pose risks to the entire grid. We therefore cannot allow each user, owner or operator to determine compliance based on its own parochial business interests. The purpose of section 215 is to protect the national interest in grid reliability. 63. The business judgment rule was adopted in a context that is simply not appropriate for mandatory Reliability Standards. The business judgment rule recognizes that officers and directors [[Page 43978]] must have wide latitude if a company is to be managed properly and efficiently and that it is not in the interest of shareholders to create incentives for officers and directors to be overly cautious.\43\ Courts have noted that shareholders voluntarily undertake the risk of bad business judgments and investors who are adverse to such risk have alternative investment opportunities available to them.\44\ In the context of section 215, however, these principles do not apply. The issue under section 215 is not whether the management of a business is acting in the interest of its own shareholders, but rather whether an entity is taking appropriate action to avert risks that could threaten the entire grid. --------------------------------------------------------------------------- \43\ Cramer v. General Telephone and Electronics Corp., 582 F.2d 259 (3d Cir. 1978); Joy v. North, 692 F.2d 880 (2d Cir. 1982). \44\ Joy v. North, 692 F.2d 880 (2d Cir. 1982). --------------------------------------------------------------------------- 64. It is also notable that the business judgment rule is invoked, in the corporate governance context, only in extreme circumstances. Generally, to find an officer or director liable there must be evidence establishing that he or she acted fraudulently, in bad faith, or with gross or culpable negligence.\45\ Some cases refer to unconscionable conduct, illegal or oppressive acts, willful abuse of discretionary power or neglect of duty, and recklessness as situations that fall outside reasonable business judgment.\46\ While the FAQ document does not explain this point clearly, it does allude to it when it notes that the ``[c]ourts generally hold that the phrase indicates reviewing tribunals should not substitute their own judgment for that of the entity under review other than in extreme circumstances.'' (Emphasis supplied). --------------------------------------------------------------------------- \45\ In Re Bal Harbour Club, Inc., 316 F.3d 1192 (11th Cir. 2003) (Bal Harbour); Froelich v. Senior Campus Living LLC, 355 F.3d 802 (4th Cir. 2004); Poth v. Rassey, 281 F. Supp. 2d (E.D. Va. 2003) (Poth v. Rassey). \46\ Bal Harbour; Poth v. Rassey; Gray v. Manhattan Medical Center, Inc., (18 P.3d 291 (Kan. 2001); G & N Aircraft, Inc. v. Boehm, 743 N.E.2d 227 (Ind. 2001). --------------------------------------------------------------------------- 65. These criteria are plainly inappropriate for mandatory CIP Reliability Standards. For example, if an inadequate cyber plan caused a grid-wide disturbance or blackout, a violation could be established only in ``extreme circumstances'' where there was ``unconscionable conduct'' or ``recklessness'' or, as discussed above, where the entity's plan was not consistent with its ``own business interest.'' These highly deferential legal standards are not compatible with a mandatory reliability regime under section 215 of the FPA. We therefore propose to direct NERC to delete references to ``reasonable business judgment'' from the CIP Reliability Standards. 66. We wish to stress, however, that, even though we propose to delete the business judgment rule, we believe flexibility in the application of the CIP Reliability Standards remains appropriate. First, as discussed throughout this NOPR, the CIP Reliability Standards contain specific provisions that explicitly permit various alternative courses of action. More importantly, however, the CIP Reliability Standards do not simply allow the exercise of flexibility and discretion, they require it. Even with the various revisions and additions that the Commission is proposing in this NOPR, the CIP Reliability Standards constitute a relatively brief document, and the Requirements it contains are largely performance based. These Requirements for the most part are quite general and do not dictate specific solutions to cyber-security problems. Responsible entities therefore must interpret and apply them to their specific circumstances. The CIP Assessment explained: The task of balancing technical options comes into play as one selects and combines the various available technologies into a comprehensive architecture to protect the specific computer environment. The key to success is possessing cyber security standards that provide reliable direction on how to choose among alternatives to achieve an adequate level of security.\47\ \47\ CIP Assessment at 8. --------------------------------------------------------------------------- 67. Based on our careful consideration of this issue as discussed above, pursuant to section 215(d)(5) of the FPA and Sec. 39.5(f) of our regulations, the Commission proposes to direct that the ERO modify each of the proposed CIP Reliability Standards to remove references to the ``reasonable business judgment'' language before compliance audits start in 2009. b. ``Technical Feasibility'' and ``Acceptance of Risk'' 68. Two CIP Reliability Standards contain language that provides exceptions from compliance with a Requirement. This language takes two forms: one focuses on technical feasibility, and the other focuses on acceptance of risk. 69. Some provisions require a responsible entity to take action ``where technically feasible.'' \48\ The NERC glossary does not define the term ``technically feasible,'' and the Reliability Standards themselves do not specify how an entity is to determine whether an action is technically feasible. NERC's FAQ document provides the following guidance on the meaning of the phrase ``where technically feasible:'' \48\ The ``technically feasible'' phrase is found in CIP-005-1, Requirements R2.4, R2.6, R3.1, R3.2 and CIP-007-1, Requirements R4, R5.3, R6, R6.3. Additionally, CIP-007, Requirement R2.3 uses ``technical limitations'' to similar effect. --------------------------------------------------------------------------- Technical feasibility refers only to engineering possibility and is expected to be a ``can/cannot'' determination in every circumstance. It is also intended to be determined in light of the equipment and facilities already owned by the responsible entity. The responsible entity is not required to replace any equipment in order to achieve compliance with the Cyber Security Standards. When existing equipment is replaced, however, the responsible entity is expected to use reasonable business judgment to evaluate the need to upgrade the equipment so that the new equipment can perform a particular specified technical function in order to meet the requirements of these standards.\49\ \49\ FAQ Document at 1. --------------------------------------------------------------------------- Technical feasibility is here related to reasonable business judgment, but only in a situation where equipment is being replaced. Otherwise, the FAQ document treats technical feasibility in terms of objective engineering judgments regarding what is possible with existing equipment. 70. Some Requirements in the CIP Reliability Standards permit an entity not to take the actions specified in the Requirement if they ``document compensating measures applied to mitigate risk exposure or an acceptance of risk.'' \50\ The Reliability Standards do not provide explicit guidance on the circumstances in which it is appropriate to accept the risk of non-compliance. --------------------------------------------------------------------------- \50\ See CIP-007-1, Requirements R2.3, R3.2, and R4.1. --------------------------------------------------------------------------- CIP Assessment 71. In the discussion of specific Reliability Standards, the CIP Assessment expressed concern about the need to reference technical feasibility, either because the action in question appeared to be clearly technically feasible or because of the extremely limited number of situations in which technical feasibility could become an issue.\51\ --------------------------------------------------------------------------- \51\ See, e.g., CIP Assessment at 26-27, 32-33. --------------------------------------------------------------------------- 72. The CIP Assessment noted that acceptance of risk raised special concern in a cyber environment. Where there are interconnected control systems, an acceptance of a cyber risk by one entity would actually be tantamount to an acceptance of risk on behalf of all entities connected with it because the first entity can serve as a gateway to the others as noted above. The entity that initially accepts the risk [[Page 43979]] becomes a ``weak link'' in the chain. The CIP Assessment noted that there is no provision in the proposed CIP Reliability Standards for oversight or consideration of the broader impacts of risk acceptance in individual cases. It sought comment on the appropriateness of risk acceptance and suggested that, if this concept is appropriate, clear guidance is needed to explain the limited circumstances in which it is appropriate. Comments 73. NERC states that the term ``technical feasibility'' is intended to be very limited in scope. It defines the term as the physical ability of in-place equipment or software to conform directly to some Requirement in the Reliability Standards or the ability of in-place equipment or software to perform its required function if modified in a way that would most directly conform to some Requirement. The term is used to prevent penalizing responsible entities unnecessarily in situations where they cannot change immediately or prudently to comply with a Requirement. NERC states that where the concept of technical feasibility applies, the responsible entity should document the technical issue and its mitigation plans or strategies. 74. Many commenters \52\ emphasize that the phrase ``where technically feasible'' is intended to permit flexibility, to permit the application of the Reliability Standards to a wide variety of situations, and to allow compliance with the Reliability Standards to evolve over time as technologies change. Some commenters note that in many cases it is not feasible to enhance equipment without replacing it. In some cases, off-the-shelf solutions are not available for various parts of the system. --------------------------------------------------------------------------- \52\ E.g., National Grid; ISO/RTO Council; PJM, Ontario IESO, SPP, and ISO-NE. --------------------------------------------------------------------------- 75. ISA Group states that the phrase ``where technically feasible'' could be eliminated entirely from the CIP Reliability Standards and replaced with an exception mechanism that requires a decision to invoke technical feasibility to be explicit and reviewable. The exception mechanism should require that there be alternative mitigation that provides the level of security that would otherwise have been achieved. California PUC argues that the phrase ``technically feasible'' should be removed unless there is a serious question about the actual feasibility of a requirement being imposed. 76. Most commenters support the ``acceptance of risk'' terminology with certain qualifications. NERC states that the concept of risk acceptance recognizes that flexibility and judgment are required to make prudent decisions, but does not allow an entity to do nothing. It also contends that acceptance of risk is a fundamental tenet of an audit process, which recognizes that not all systems or implementations can be perfect. Other commenters state that acceptance of risk is needed to allow for flexibility and that it can be workable if decisions to accept risk are documented, compensating or mitigating action is taken, and decisions to accept risk are transparent and subject to review and oversight.\53\ Some commenters state that any invocation of the risk acceptance provision should be subject to a sunset date or plan to achieve compliance.\54\ In contrast, Wisconsin Electric states that acceptance of risk could seriously endanger reliability and supports removal of the option to accept risk. --------------------------------------------------------------------------- \53\ E.g., Allegheny, MidAmerican and National Grid. \54\ E.g., MidAmerican and Allegheny. --------------------------------------------------------------------------- Commission Proposal 77. For the reasons discussed below, pursuant to section 215(d)(5) of the FPA and Sec. 39.5(f) of our regulations, the Commission proposes to direct that the ERO: (1) interpret the term ``technical feasibility'' narrowly as applying to the technical characteristics of existing assets and having no relation to the considerations of business judgment discussed above; (2) treat instances where technical feasibility is invoked as exceptions that require certain alternative courses of action; (3) eliminate the ``acceptance of risk'' option from the CIP Reliability Standards; and (4) develop an annual report that quantifies, on a wide-area basis, the frequency with which responsible entities invoke ``technical feasibility'' or other provisions that produce the same outcome. The reason the Commission believes these proposed safeguards are necessary, as well as additional details regarding these proposals, are provided below. Technical Feasibility 78. The Commission acknowledges that, in the near term, exceptions from compliance based on the concept of ``technical feasibility'' may be appropriate in a limited set of circumstances.\55\ However, responsible entities should not be permitted to invoke technical feasibility on the basis of ``reasonable business judgment,'' as NERC's FAQ suggests. We have already discussed the concerns that reasonable business judgment can create for effective cyber security. Nor should a responsible entity be able to except itself unilaterally from a Requirement of a mandatory Reliability Standard with no oversight. Unless invocation of the technical feasibility exception is carefully circumscribed, substantial opportunity for abuse, difficulty in enforcement and the continued allowance of unacceptable reliability risks could result. --------------------------------------------------------------------------- \55\ For example, it is understandable that some older ``legacy'' systems are not capable of utilizing certain cyber protection strategies needed to fully comply with the Requirements of these CIP Reliability Standards. In such a case, the responsible entity could be granted an exception upon the satisfactory submittal of a mitigation plan leading to compliance, by a date certain. --------------------------------------------------------------------------- 79. Therefore, the Commission proposes to require the ERO to establish a structure to require accountability from those who rely on ``technical feasibility'' as the basis for an exception. Such a structure would require a responsible entity to: (1) Develop and implement interim mitigation steps to address the vulnerabilities associated with each exception; (2) develop and implement a remediation plan to eliminate the exception, including interim milestones and a reasonable completion date; and (3) obtain written approval of these steps by the senior manager assigned with overall responsibility for leading and managing the entity's implementation of, and adherence to, the CIP Reliability Standards as provided in CIP-003-1, Requirement R2. This proposed structure should include a review by senior management of the expediency and effectiveness of the manner in which a responsible entity has addressed each of these three proposed conditions. In addition, the Commission proposes to require a responsible entity to report and justify to the ERO and the Regional Entity for approval each exception and its expected duration. In situations where any of the proposed conditions are not satisfied, the ERO or the Regional Entity would inform the responsible entity that its claim to an exception based on technical feasibility is insufficient and therefore not approved. Failure to timely rectify the deficiency would invalidate the exception for compliance purposes. 80. The Commission believes that it is important that the ERO, Regional Entities and the Commission understand the circumstances and manner in which responsible entities invoke the technical feasibility provision as well as other provisions that function as an exception to the CIP Reliability Standards. The Commission, [[Page 43980]] therefore, proposes to direct the ERO to submit an annual report that would include, at a minimum, the frequency of the use of such provisions, the circumstances or justifications that prompt their use, the interim mitigation measures used to address the vulnerabilities, and the milestone schedule to eliminate them and to bring the entities into compliance to eliminate future reliance on the exception. The Commission expects that the report would not provide a level of detail so as to contain critical energy infrastructure information, but would include sufficient information such that it is clear that the mitigation measures have addressed the interim vulnerabilities and the milestone schedules will be sufficient to bring the entities into compliance by a date certain in a timely manner. The report should include aggregated information with sufficient detail for the Commission to understand the frequency in which specific provisions are being invoked as well as mitigation and remediation plans over time and by region. Such information would allow the Commission to evaluate whether to initiate the development of additional Reliability Standards or require new Reliability Standards and/or modifications to existing Reliability Standards. 81. The Commission also seeks comment on additional categories of information that should be included in the content of this report that would be useful for the Commission, as well as the ERO and Regional Entities, in evaluating the invocation of technical feasibility and similar provisions, and the impact on protection of critical assets. 82. The Commission proposes to direct the ERO to consider making ``technically feasible,'' and derivative forms of that phrase as used in the CIP Reliability Standards, defined terms in NERC's glossary, pursuant to the prior clarifications, without any reference to reasonable business judgment. Acceptance of Risk 83. The Commission has several concerns regarding the references to ``acceptance of risk'' that appear in the CIP Reliability Standards. As proposed by NERC, there are no controls or limits on a responsible entity's use of this exception. For example, a responsible entity may invoke the ``acceptance of risk'' exception without any explanation, mitigation efforts, evaluation of the potential ramifications of accepting the risk, or other accountability. In essence, the phrase ``or an acceptance of risk'' allows a responsible Entity to opt out of certain provisions of a mandatory Reliability Standard at its discretion. 84. Further, there is no requirement that a responsible entity communicate to a responsible authority information related to the potential vulnerabilities created by a decision to accept risk and how they could affect Bulk-Power System reliability. The resulting uncertainty concerning who had invoked ``acceptance of risk'' and in what connection would mean that neither the ERO, Regional Entities nor others would know whether adequate cyber security precautions are in place to protect critical assets. The possibility that appropriate security measures for critical assets have not been implemented due to acceptance of risk and that no corresponding compensating or mitigating steps have been taken presents an undue and unacceptable risk to Bulk- Power System reliability. 85. Moreover, the Commission believes the acceptance of risk language does not serve any justifiable purpose. To the extent that an entity would invoke this exception because compliance is not technically feasible, it should rely on that exception, which with the Commission's proposal would have specific safeguards and limitations. To the extent that a responsible entity would invoke the acceptance of risk language because its business preference is not to expend resources on cyber vulnerability, we believe that is inappropriate for all the reasons discussed previously. A responsible entity should not be able to jeopardize critical assets of others, and create a significant and unknown risk to Bulk-Power System reliability, simply because it is willing to ``accept the risk'' that its own assets may be compromised. 86. Accordingly, the Commission proposes to direct that the ERO remove the ``acceptance of risk'' language from the CIP Reliability Standards. 6. Guidance for Improving CIP Reliability Standards 87. Several commenters discussed the proposed CIP Reliability Standards in relation to other standards that exist for governmental and industrial cyber security. MITRE and NIST suggest that more advanced cyber security standards have been developed that could provide a model in future improvements to the CIP Reliability Standards. In particular, they point to NIST Special Publication 800-53 Revision 1, Recommended Security Controls for Federal Information Systems (SP 800-53). MITRE believes that the relevant NIST publications, including Federal Information Processing Standards (FIPS) 199, FIPS 200, and SP 800-53, constitute a comprehensive and coherent basis for cyber security in the electric power sector. NIST recommends that the Commission consider a planned transition to cyber security standards that are identical to, consistent with, or based on SP 800-53 and related NIST standards and guidelines. Commission Proposal 88. The Commission declines to propose at this time that NERC incorporate any provisions of the NIST standards into the CIP Reliability Standards. However, the Commission expects NERC to monitor the development and implementation of the NIST standards to determine if they contain provisions that will better protect the Bulk-Power System.\56\ Several federal entities, such as the Tennessee Valley Authority and Western Area Power Administration, are subject to both the NIST standards and the Reliability Standards, and therefore are likely to have unique insights into the NIST standards. The Commission expects the ERO to seek and consider comments from those federal entities on the effectiveness of the NIST standards and on any implementation issues. Any provisions that will better protect the Bulk-Power System should be addressed in the ERO's Reliability Standards development process. The Commission may revisit this issue in future proceedings as part of an evaluation of existing Reliability Standards or the need for new Reliability Standards, or as part of assessing NERC's performance of its responsibilities as the ERO.\57\ --------------------------------------------------------------------------- \56\ The Commission is also aware that the Instrumentation, Systems, and Automation Society (ISA) is developing cyber security standards, referred to as ISA SP-99, and that other infrastructure sectors are considering adopting the ISA standards for their control systems. \57\ See Order No. 672 at P 186-91. --------------------------------------------------------------------------- B. Discussion of Each CIP Reliability Standard 1. CIP-002-1--Critical Cyber Asset Identification 89. Reliability Standard CIP-002-1 deals with the identification of critical cyber assets. The NERC glossary defines ``cyber assets'' as ``programmable electronic devices and communication networks including hardware, software, and data.'' It defines ``critical cyber assets'' as ``cyber assets essential to the reliable operation of critical assets.'' NERC defines ``critical assets'' as ``facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would [[Page 43981]] affect the reliability or operability of the Bulk Electric System.'' \58\ --------------------------------------------------------------------------- \58\ ``The term `reliable operation' means operating the elements of the bulk-power system within equipment and electric system thermal, voltage, and stability limits so that instability, uncontrolled separation, or cascading failures of such system will not occur as a result of a sudden disturbance, including a cybersecurity incident, or unanticipated failure of system elements.'' EPAct 2005, section 215(a)(4). --------------------------------------------------------------------------- 90. As the first step in identifying critical cyber assets, CIP- 002-1 requires each responsible entity to develop a risk-based assessment methodology to use in identifying its critical assets. Requirement R1 specifies certain types of assets that an assessment must consider for critical asset status and also allows the consideration of additional assets that the responsible entity deems appropriate. Requirement R2 requires the responsible entity to develop a list of critical assets based on an annual application of the risk- based assessment methodology. Requirement R3 provides that the responsible entity must use the list of critical assets to develop a list of associated critical cyber assets that are essential to the operation of the critical assets. CIP-002-1 requires an annual re- evaluation and approval by senior management of the lists of critical assets and critical cyber assets. 91. The CIP Assessment emphasized that, while CIP-002-1 through CIP-009-1 function as an integrated whole, CIP-002-1 is a key to the success of the cyber security framework that these Reliability Standards seek to create.\59\ The CIP Assessment also stressed that, because CIP-002-1 addresses the assessment methodology and process for identifying critical assets and critical cyber assets, it represents the critical first step that can fundamentally affect the chances for successful implementation of the remaining CIP Reliability Standards. The methodology and process used by a responsible entity must be stringent and rigorous. Otherwise, a responsible entity may fail to identify some facilities that are critical to effective cyber protection and, as a consequence, leave them vulnerable to an attack that could threaten the reliability of the Bulk-Power System. --------------------------------------------------------------------------- \59\ CIP Assessment at 16-17. --------------------------------------------------------------------------- 92. The Commission proposes to approve Reliability Standard CIP- 002-1 as mandatory and enforceable. In addition, the Commission proposes to direct the ERO to develop modifications to this Reliability Standard. In our discussion below, the Commission addresses its concerns in the following topic areas regarding CIP-002-1: (1) The proper risk-based assessment methodology for identifying critical assets and associated critical cyber assets; (2) internal approval of the risk assessment; (3) oversight of critical asset identification; and (4) interdependency analysis. a. Risk-Based Assessment Methodology 93. As mentioned above, CIP-002-1 requires each responsible entity to develop a risk-based assessment methodology to identify critical assets. CIP Assessment 94. The CIP Assessment noted that, while CIP-002-1 requires use of a risk-based assessment methodology, it does not provide direction on the nature and scope of that methodology, its basic features or the issues it should address. The CIP Assessment expressed concern that the absence of such direction could result in the Requirement being unevenly executed, which could result in inconsistency and inefficiency. It stated that, due to this lack of direction, the Reliability Standard does not provide a basis for evaluating whether the risk-based assessment methodology adopted by a particular entity will permit effective identification of all critical assets. 95. The CIP Assessment explained that proper risk-based assessment methodology is essential to achieve sufficient scope and implementation of critical infrastructure protection. Requirement R4 specifically contemplates the circumstance that a ``Responsible Entity may determine that it has no Critical Assets or Critical Cyber Assets,'' and correspondingly requires that a signed and dated record of management approval of the list of critical assets and critical cyber assets be kept ``even if such lists are null.'' The CIP Assessment pointed out, however, that a small entity whose operations may not have a major, day-to-day operational impact on the Bulk-Power System can have critical importance from a cyber security perspective, especially as a gateway to larger entities or when attacked simultaneously with other entities. The absence of adequate direction on what constitutes a proper risk-based assessment methodology may potentially result in entities improperly identifying a limited or ``null set'' of critical assets and critical cyber assets. This result could have serious adverse effects for Bulk-Power System reliability. Comments 96. Commenters generally agree that CIP-002-1 plays a crucial role because whether a responsible entity must comply with the substance of the remaining CIP Reliability Standards depends on whether it identifies critical cyber assets pursuant to CIP-002-1. Commenters also agree that the risk assessment methodology is the key to a responsible entity accurately identifying its critical assets and critical cyber security assets. 97. While some commenters agree with the CIP Assessment that the Requirement for the risk-based assessment methodology would benefit from additional guidance or specificity, the majority disagree. Among those who support the need for more specificity, Arizona Public Service expresses concern that CIP-002-1, as proposed, may place a responsible entity in the position of not having enough guidance on whether its risk-based methodology will result in the identification of all critical assets. 98. Ontario IESO agrees that the CIP Assessment's reasons for concern are valid, which stem from the fact that many assessments will be performed by entities not previously subject to compliance with NERC Reliability Standards, and from the potential disagreement between entities on what constitutes a critical asset. It also shares the concern that some entities may avoid declaring critical assets to avoid further compliance obligations with the CIP Reliability Standards. Ontario IESO emphasizes that an essential feature of a good assessment is the quality of the judgments that necessarily must be applied. Rather than making modifications to provide more explicit direction, Ontario IESO suggests that much of the concern associated with critical asset identification could be addressed by modifying the Reliability Standard to require that the responsible entity consult with its reliability coordinator, and granting the reliability coordinator the authority to make the final determination of critical assets within its territory. 99. NERC and others oppose including additional specificity, claiming that CIP-002-1 is specifically written to allow each responsible entity the flexibility to implement it as it applies to the specific circumstances within each organization, and at each location containing critical cyber assets.\60\ These commenters are concerned that a Commission directive to include additional guidance would restrict the needed flexibility. For example, APPA argues that the proposed provisions provide an adequate basis for evaluating the methodology, stating that prescribing a national-level ``one size fits all'' risk-based assessment methodology would [[Page 43982]] require a costly effort to comply, but would not result in measurable cyber security improvements. APPA adds that every entity's risk-based assessment will be subject to challenge by an audit team from time-to- time, which will include review by peer technical experts who share the goal of preventing any successful attack on critical assets. AMP-Ohio suggests that it would be inappropriate to divide the Bulk Electric System into a large number of small, discrete and in some cases rather isolated pieces and then to assign responsibility to each of these small pieces to determine what is or is not critical to the reliable operation of the Bulk Electric System. --------------------------------------------------------------------------- \60\ E.g., ReliabilityFirst, EEI, EPSA, and APPA. --------------------------------------------------------------------------- Commission Proposal 100. Most commenters on the CIP Assessment acknowledge the importance of CIP-002-1 in ensuring that an appropriate set of critical assets is identified. However, many commenters oppose any modification to CIP-002-1 to provide additional specificity regarding the risk assessment methodology for identifying critical assets, based on concerns that such specificity will impede the needed flexibility that is currently provided by the Reliability Standard. 101. The Commission recognizes the commenters' concerns and is mindful of the need for flexibility in the risk assessment process to take into account the individual circumstances of a responsible entity. Yet, the Commission is concerned that, without some additional guidance, each responsible entity will have to devise its own assessment methodology without sufficient assurance that the methodology is adequate to identify the types of assets necessary to protect the reliability of the Bulk-Power System. As explained by Ontario IESO, many responsible entities performing the risk assessment have not previously been subject to compliance with NERC's Reliability Standards. Further, there is a potential for disagreement among responsible entities regarding what constitutes a critical asset. 102. The Commission also is concerned that the risk assessment methodologies required by CIP-002-1 must place the proper emphasis on the possible consequences from an outage of a particular asset. Generically, risk assessments include consideration of both consequence (in this case, the effect of loss of availability of an asset on the reliable operation of the Bulk-Power System) and threat (the likelihood that an outage will occur, naturally or by malicious act). However, in this context we believe that the consequence of an outage should be the controlling factor. We note that the definition of ``critical assets'' is focused on the criticality of the assets, not the likelihood of an outage. 103. Accordingly, the Commission proposes to direct NERC to develop modifications to CIP-002-1 to provide some basic guidance on the content or considerations to be applied in a risk assessment methodology. We are not proposing that NERC develop specific details of a methodology that must be applied in all circumstances. However, the Commission believes that responsible entities would benefit from NERC providing some common understanding regarding the scope, purpose and basic direction of the risk assessment methodology. For example, the Reliability Standard should indicate that a proper risk-based assessment methodology to identify critical assets should examine (1) the consequences of the loss of the asset to the Bulk-Power System and (2) the consequence to the Bulk-Power System if an adversary gains control of the asset for intentional misuse. Such guidance could also address how a generation owner, or even a partial owner of generation, without a wide-area reliability perspective, should approach a risk- based assessment. 104. Further, we are concerned that relatively smaller registered entities, such as some resources, load-serving entities, and demand side aggregators, may have difficulty in determining whether a particular asset is ``critical'' for Bulk-Power System reliability, since, for example, the impact of their facilities may be dependent on their connection with a transmission owner or operator. We believe that such an entity may want to perform an accurate assessment but lack the regional view to make a determination on its own. Thus, we propose that the ERO and Regional Entities provide reasonable technical support to such entities that would assist them in determining whether their assets are critical to the Bulk-Power System. 105. Accordingly, pursuant to section 215(d)(5) of the FPA and Sec. 39.5(f) of our regulations, the Commission proposes to direct that the ERO develop modifications to CIP-002-1 through its Reliability Standards development process to provide additional guidance as to the features and functionality of an adequate risk-based assessment methodology, as discussed above. b. Internal Approval of Risk Assessment 106. Requirement R4 of CIP-002-1 requires that a senior manager ``or delegate(s)'' must approve annually the list of critical assets and critical cyber assets. The CIP Assessment suggested that that this senior management involvement should be extended to approving the risk- based assessment methodology developed pursuant to Requirement R1.\61\ Several commenters disagree,\62\ stating that this approval is implied by the requirement for senior management approval of the critical asset list and the critical cyber asset list. Other commenters generally believe that senior management approval of the risk-based assessment methodology would be a benefit.\63\ --------------------------------------------------------------------------- \61\ CIP Assessment at 17-18. \62\ NERC, ReliabilityFirst, and Santa Clara. \63\ E.g., APPA/LPPC, FirstEnergy, National Grid, Progress Energy, and Xcel. --------------------------------------------------------------------------- Commission Proposal 107. The Commission believes that senior management approval of the risk-based assessment methodology has clear benefits that exceed any additional burden placed on the responsible entities, and the rigor that the senior management approval would encourage is worth the effort. As explained in the CIP Assessment, since a poor methodology will likely result in an inadequate identification of critical assets and critical cyber assets, senior management awareness and approval of the chosen risk-based assessment methodology is of critical importance.\64\ It is not clear to the Commission that, as some commenters suggest, senior management approval of the risk-based assessment methodology is implicit in the requirement that senior management approve the critical asset list and critical cyber asset list. Commenters did not object to the concept, but only believed that it might be redundant. We believe this additional layer of oversight is important and should be made explicit. The Commission also notes that requiring this senior management approval helps to implement the Blackout Report's Recommendation 43, which calls for establishing ``clear authority and ownership for physical and cyber security.'' \65\ --------------------------------------------------------------------------- \64\ CIP Assessment at 18. \65\ See Blackout Report at 169, Recommendation 43. --------------------------------------------------------------------------- 108. Thus, pursuant to section 215(d)(5) of the FPA and Sec. 39.5(f) of our regulations, the Commission proposes to direct that the ERO develop a modification to CIP-002-1 through its Reliability Standards development process to include a requirement that a senior manager annually review and approve the risk-based assessment methodology. [[Page 43983]] c. Oversight of Critical Assets Identification 109. The CIP Assessment emphasized the underlying importance that each responsible entity develop accurate lists of critical assets and critical cyber assets. Several commenters note that responsible entities currently lack a wide-area view that would enable them to better assess the risks associated with certain assets.\66\ They suggest that guidance or oversight from an external organization could help ensure that responsible entities have properly identified critical assets from a regional perspective. Cleveland Public Power suggests that the Regional Entities should assume this role. Similarly, AMP-Ohio recommends that the Regional Entities should be responsible for identifying critical assets, with input from reliability coordinators and transmission planners. EPSA indicates that independent system operators (ISOs) and regional transmission organizations (RTOs) could provide guidance to individual companies in assessing critical assets and their vulnerability, in coordination with NERC and the Commission. --------------------------------------------------------------------------- \66\ E.g., AMP-Ohio, EPSA, and Cleveland Public Power. --------------------------------------------------------------------------- 110. NERC, however, opposes regional oversight, stating that ``[i]t is not the function of the standards to implement an oversight or hierarchical organization for determining risks or vulnerabilities.'' \67\ NERC suggests that regional perspective is gained through information sharing forums such as the Electricity Sector Information Sharing and Analysis Center (ESISAC) \68\ and NERC's Critical Infrastructure Protection Committee. --------------------------------------------------------------------------- \67\ NERC Comments, Attachment 1 at 17 (in response to a CIP Assessment suggestion regarding the need for regional perspective in CIP-003-1). \68\ The Electric Sector Information Sharing and Analysis Center was created based on a recommendation of Presidential Decision Directive 63, which defined specific infrastructures critical to the national economy and public well-being. ESISAC serves the Electricity Sector by facilitating communications between electricity sector participants, governmental entities, and other critical infrastructures. It is the job of the ESISAC to promptly disseminate threat indications, analyses, and warnings, together with interpretations, to assist electricity sector participants to take protective actions. NERC is functioning as the operator of the ESISAC. --------------------------------------------------------------------------- Commission Proposal 111. The Commission disagrees with commenters that suggest that the responsibility for identifying critical assets should be placed on the Regional Entities or another organization instead of the categories of applicable entities currently identified in CIP-002-1. Such an approach would shift primary responsibility away from the asset owner or operator. We believe that such a shift would not improve the identification of critical assets, but more likely overwhelm the Regional Entities. 112. On the other hand, the Commission believes that a formal or systematic approach to external oversight of the identification of critical assets would assure a wide-area view. Such an approach, on a regional basis, would better ensure that responsible entities are identifying similar assets. Even taking into account the individual circumstances of a responsible entity, we would expect certain trends in critical asset identification within a class of responsible entities, such as generator owners or transmission owners. If the vast majority of transmission owners, for example, identified a certain asset as critical, and a few did not, this result could be due to the unique circumstances of those transmission owners or from a flawed risk-based assessment methodology. However, without external oversight using a wide-area view, such trends or deviations would never be identified prior to an incident or audit, perhaps precluding a necessary adjustment to a particular critical asset list. In addition, a wide-area view would help to ensure that assets that have regional importance, such as for reactive power supply, are included as critical assets. 113. NERC suggests that such issues can be addressed through existing forums for the voluntary exchange of information on cyber security issues. The Commission believes that this matter is too important to leave to voluntary mechanisms. Accordingly, pursuant to section 215(d)(5) of the FPA and Sec. 39.5(f) of our regulations, the Commission proposes to direct that the ERO develop a modification to CIP-002-1 through its Reliability Standards development process to include a mechanism for the external review and approval of critical asset lists based on a regional perspective. While we propose that the Regional Entities should be responsible for this function, we will not exclude the possibility of a critical asset review process that allows for participation of other organizations, such as transmission planners and reliability coordinators. 114. Moreover, we note that the definition of ``critical cyber assets'' encompasses data.\69\ Thus, marketing or other data essential to the proper operation of a critical asset, and possibly the computer systems that produce or process that data, would be considered critical cyber assets subject to the CIP Reliability Standards. Therefore, the Commission proposes to direct the ERO to develop guidance on the steps that would be required to apply the CIP Reliability Standards to such data and to include computer systems that produce the data. --------------------------------------------------------------------------- \69\ The NERC Glossary defines ``Critical Cyber Assets'' as ``Cyber Assets essential to the reliable operation of critical assets.'' It defines ``Cyber Assets'' as ``programmable electronic devices and communication networks including hardware, software, and data.'' Therefore, marketing data or other system data that are essential to the proper operation of the critical asset may confer critical cyber asset status to those data and the computer systems that process them. --------------------------------------------------------------------------- 115. The Commission is concerned that all critical assets are identified, and interprets the phrase, ``[t]he risk-based assessment shall consider the following assets:'' in Requirement R1.2 to mean that a responsible entity must be able to show, based on the risk-based assessment methodology used, why specific assets were or were not chosen as critical assets. The Commission is also concerned that sufficient rigor is applied in examining whether control systems are determined to be critical assets. While it seems obvious that an evaluation of a control system for critical asset status would consider the potential loss of operability of the control center due to power or communications failure, we also believe that such an evaluation should include an examination of any misuse of the control system, the impact this misuse could have on any electric facilities that the responsible entity controls, and the combined impact of such facilities. Therefore, the Commission proposes to direct the ERO to modify Requirement R1.2 to clarify the requirement to show why specific assets were or were not chosen as critical assets, and to require the consideration of misuse of control systems. d. Interdependency 116. The CIP Assessment noted that CIP-002-1 does not address the issue of interdependency with other infrastructures and explained that there may be occasions where an electric sector asset, while not critical to Bulk-Power System reliability, may be crucial to the operation of another critical infrastructure.\70\ The CIP Assessment asked (1) whether this issue is appropriate for inclusion in CIP-002-1 and (2) whether this topic is an area for future coordination and collaboration with other industries and government agencies. --------------------------------------------------------------------------- \70\ CIP Assessment at 17. --------------------------------------------------------------------------- 117. Commenters generally agree that this issue is worthy of consideration and coordination and cooperation could be [[Page 43984]] advantageous. However, most commenters consider the topic outside the scope of CIP-002-1.\71\ By contrast, one commenter posits that there is a clear need to articulate that this type of interdependency analysis should be part of the responsible entity's determination of critical assets.\72\ --------------------------------------------------------------------------- \71\ E.g., APPA/LPPC, Duke, EEI, Georgia System, National Grid, NERC, ReliabilityFirst, SPP, Xcel, SoCal Edison, Progress Energy, and MidAmerican. \72\ ISA Group. --------------------------------------------------------------------------- Commission Proposal 118. Reliability Standard CIP-002-1 pertains to the identification of assets critical to Bulk-Power System reliability. While broader interdependency issues cannot be ignored, the Commission intends to revisit this matter through future proceedings and with other agencies. This work will help to inform the electric sector and this Commission about the need for future Reliability Standards, especially when the interdependent infrastructures affect generating capabilities, such as through fuel transportation. e. Commission Proposal Summary 119. In summary,\73\ the Commission proposes to approve Reliability Standard CIP-002-1 as mandatory and enforceable. In addition, the Commission proposes to direct the ERO, pursuant to section 215(d)(5) of the FPA and Sec. 39.5(f) of our regulations, to develop modifications to CIP-002-1 through its Reliability Standards development process that: (1) Provide some basic guidance on the content or considerations to be applied in a risk-based assessment methodology; (2) include a requirement that a senior manager annually review and approve the risk- based assessment methodology; (3) include a mechanism for the external review and approval of critical asset lists based on a regional perspective; and (4) modify Requirement R1.2 to (a) clarify the requirement to show why specific assets were or were not chosen as critical assets and (b) require the consideration of misuse of control systems. --------------------------------------------------------------------------- \73\ This summary should be read in conjunction with the discussion above. --------------------------------------------------------------------------- 2. CIP-003-1--Security Management Controls 120. Reliability Standard CIP-003-1 seeks to ensure that each responsible entity has minimum security management controls in place to protect critical cyber assets identified pursuant to CIP-002-1. To achieve this goal, a responsible entity first must develop a cyber security policy that represents management's commitment and ability to secure its critical cyber assets. The responsible entity must designate a senior manager to lead and direct the responsible entity's cyber security program. This senior manager will also be the person authorized to approve any exception set out in the entity's cyber security policy. 121. Further, a responsible entity must implement an information protection program to identify, classify and protect sensitive information concerning critical cyber assets, as well as an access control program to designate who may have access to such information. Finally, the responsible entity must establish a change control and configuration management program to oversee changes made to the critical cyber assets' hardware or software. 122. The Commission proposes to approve Reliability Standard CIP- 003-1 as mandatory and enforceable. In addition, we propose to direct the ERO to develop modifications to this Reliability Standard. In our discussion below, the Commission addresses its concerns in the following topic areas regarding CIP-003-1: (1) Adequacy of policy guidance; (2) discretion to grant exceptions; (3) leadership; (4) access authorization; (5) change control and configuration management; and (6) interconnected networks. a. Adequacy of Policy Guidance 123. Requirement R1 of Reliability Standard CIP-003-1 directs the responsible entity to ``document and implement a cyber security policy that represents management's commitment and ability to secure its critical cyber assets.'' The only guidance that is given with regard to the nature and scope of the cyber security policy is that it ``addresses the Requirements in CIP-002-1 through CIP-009-1, including the provisions for emergency situations.'' The Requirement also requires that a senior manager annually review and approve the policy. 124. The CIP Assessment stated that senior management involvement should improve the prioritization of control system security within the entity, including allocation of resources.\74\ It explained that, since many of the Requirements in the CIP Reliability Standards leave considerable discretion to each responsible entity, the scope and thoroughness of the cyber security policies could vary widely. Thus, the CIP Assessment expressed concern that, because Requirement R1 does not address the policy's adequacy, this Requirement could actually mask certain security vulnerabilities. --------------------------------------------------------------------------- \74\ CIP Assessment at 19. --------------------------------------------------------------------------- 125. APPA/LPPC are not convinced that the variation allowed in cyber security policies means that plans lack a sufficient level of protection. They believe that the Reliability Standard allows an appropriate level of variation as to how specific requirements will be met. Likewise, Georgia System does not share the CIP Assessment's concern that Requirement R1 could allow responsible entities to mask vulnerabilities, positing that it is in a utility's self-interest to take actions that improve reliability. Thus, it does not see a need for any additional guarantee that the involvement of senior management will result in improvements to the responsible entity's cyber security policy. Commission Proposal 126. The Commission acknowledges that details of particular security policies will vary due to the different cyber architectures and equipment used by the responsible entities. However, in addition to consideration of every Requirement in Reliability Standards CIP-002-1 through CIP-009-1, the Commission expects that responsible entities' security policies will address issues that are not currently reflected in the CIP Reliability Standards, but are important to the security of the control system. For instance, currently data networks and communication networks are not covered by any CIP Reliability Standard. Yet these networks play an important role in the proper functioning of the control systems. The Commission would expect a security policy for control systems to address the responsible entity's actions to protect communication networks. Other possible topics for guidance here are the appropriate use of defense in depth strategy; the use of wireless communications for control systems; uninterruptible power supplies; and heating, ventilation, and air-conditioning equipment for critical cyber assets. We note that Recommendation 34 of the Blackout Report states that ``grid-related organizations should have a planned and documented security strategy, governance model, and architecture for EMS [energy management systems] automation systems.'' \75\ --------------------------------------------------------------------------- \75\ See Blackout Report at 165, Recommendation 34. --------------------------------------------------------------------------- 127. The Commission proposes to direct the ERO to modify CIP-003-1 to provide additional guidance for the topics and processes that the required cyber security policy should address to ensure that the responsible entity [[Page 43985]] reasonably protects its critical cyber assets. b. Discretion to Grant Exceptions 128. Requirement R3 of CIP-003-1 provides that a responsible entity must document as an exception, with senior manager authorization, each instance where a responsible entity cannot conform to its security policy developed pursuant to Requirement R1. Documentation of the exception must include ``an explanation as to why the exception is necessary and any compensating measures, or a statement accepting risk.'' An exception to the cyber security policy must be documented within 30 days of senior management approval. An authorized exception must be reviewed and approved annually to ensure that the exception is still required and valid. 129. The CIP Assessment expressed concern that this provision allows for broad discretion and may serve as a disincentive for upgrading to control systems that fully comply with cyber security Reliability Standards.\76\ With regard to a responsible entity's option to ``accept the risk,'' it pointed out that, for interconnected control systems of various entities, acceptance of risk by one entity is actually an acceptance of risk for all those that are interconnected. Yet, other entities may not be aware of the vulnerability, particularly absent any oversight or regional perspective of the risks or vulnerabilities that may exist. --------------------------------------------------------------------------- \76\ CIP Assessment at 20. --------------------------------------------------------------------------- 130. Most commenters believe that it is appropriate to provide latitude for management to document exceptions to the responsible entity's established policies, select alternative and mitigating solutions, and ultimately accept residual risk. APPA/LPPC expect that the exercise of discretion will be one of the areas that will draw the most attention from auditors. 131. Others, such as California PUC agree with the CIP Assessment's concern that the broad discretion allowed for exceptions could act as a disincentive for upgrading control systems. California PUC also agrees that acceptance of the risk in a cyber environment is actually an acceptance of risk for all connected entities because the entity that initially accepts the risk becomes the ``weak link'' in the chain. Santa Clara suggests that a responsible entity that makes exceptions and ``accepts risks'' is responsible for communicating such exceptions to its Regional Entity, which can then evaluate the overall ``risk,'' if any, to the bulk electric system. The Regional Entity, in turn, can then communicate appropriately to any interconnected entities so that they might take any necessary action. Commission Proposal 132. The Commission is concerned that CIP-003-1 allows a responsible entity too much latitude in excusing itself from compliance with its cyber security policy. While there may be valid reasons for exceptions to a cyber security policy, and it is helpful that exceptions must be explained in writing and approved by a designated senior manager, the Commission does not believe that the ``exceptions'' provision provides sufficient rigor or external accountability regarding the decision of a responsible entity to except itself from the cyber security policy. Accordingly, the Commission proposes to direct that NERC develop a modification to Requirement R3 of CIP-003-1 to require a responsible entity to periodically submit to the Regional Entity the documentation of exceptions to the cyber security policy. The Commission believes that the external review of this documentation will provide added assurance that each responsible entity adequately justifies the exceptions to its cyber security policy. 133. In addition, the Commission believes that there is a distinction between situations where a responsible entity excepts itself from its cyber security policy, rather than from specific Requirements of the CIP Reliability Standards based on technical feasibility. An exception to a cyber security policy provision does not also excuse compliance with a Requirement of a CIP Reliability Standard. Generally, a responsible entity has no authority to excuse itself from compliance with a mandatory Reliability Standard. As discussed above in section II.B.1.6, the CIP Reliability Standards do include several Requirements that allow an exception based on technical feasibility. However, the Commission has proposed to direct NERC to modify such provisions so that a responsible entity can only invoke the technical feasibility exception after fulfilling specific conditions including receiving approval from the ERO or the relevant Regional Entity. In contrast, an exception to a cyber security policy would require only senior manager approval and after-the-fact reporting to the Regional Entity. Accordingly, the Commission proposes to direct NERC to clarify that the exceptions mentioned in Reliability Standard CIP-003-1, Requirements R2.3 and R3, do not except responsible entities from the requirements of the CIP Reliability Standards. c. Leadership 134. The CIP Assessment notes that senior management involvement in security issues is important to ensure that responsible entities achieve compliance as quickly as possible and to ensure that it exercises any necessary discretion in an appropriate manner.\77\ --------------------------------------------------------------------------- \77\ CIP Assessment at 20. --------------------------------------------------------------------------- 135. While National Grid concurs with the CIP Assessment, it also suggests that given the wide variety of critical assets, critical cyber assets and physical security requirements, no single senior manager has the expertise or authority to ensure compliance with all of the CIP Reliability Standards. Commission Proposal 136. The Commission's view is that Requirement R2 of CIP-003-1 should be interpreted to require the designation of a single manager who has direct and comprehensive responsibility for the implementation and ongoing compliance with the CIP Reliability Standards. While this senior manager must have authority to delegate tasks and responsibilities within the entity's management structure, we believe that the senior manager must remain accountable for the responsible entity's compliance with the CIP Reliability Standards. In our view, it is essential to make clear both the ``authority and ownership'' for security, as Recommendation 43 of the Blackout Report states.\78\ Therefore, the Commission proposes to direct the ERO to modify CIP-003- 1, to make clear the senior manager's ultimate responsibility. --------------------------------------------------------------------------- \78\ See Blackout Report at 169, Recommendation 43. --------------------------------------------------------------------------- d. Access Authorization 137. Requirement R5 of CIP-003-1 directs the responsible entity to implement a program for managing access to protected critical cyber asset information. The CIP Assessment suggested that an annual review of personnel access to this information appears insufficient and could result in unnecessary vulnerability, especially since there is no requirement that a responsible entity revise access privileges to such protected information upon employee termination or job reassignment. 138. Many commenters agree with the CIP Assessment's concern that an employee who leaves the company or who no longer performs job functions that require access to critical cyber assets should have that access revoked [[Page 43986]] promptly.\79\ NERC, Xcel, FirstEnergy and ReliabilityFirst note that this Requirement seeks establishment of ``a program for managing access to protected critical cyber asset information.'' They stress that CIP- 003-1, Requirement R5 relates to the governance and approval process, not the implementation and review of individual access (the oversight responsibility of which lies with the senior manager of the responsible entity). NERC asserts that the three requirements work together. The implementation provisions are in Requirement R5 of CIP-007-1, the revocation requirements are in Requirement R4 of CIP-004-1, and the management review and approval requirements are in Requirement R5 of CIP-003-1. NERC argues that, together, these provisions serve as a check that the CIP-004-1 revocation provision has been implemented. --------------------------------------------------------------------------- \79\ E.g., APPA/LPPC and California PUC. --------------------------------------------------------------------------- Commission Proposal 139. The Commission believes that the language of CIP-007-1, Requirement R5, CIP-004-1, Requirement R4, and CIP-003-1, Requirement R5 does not interlink these related provisions as clearly as some commenters assert. We are not persuaded by commenters who claim these Requirements adequately address the access issues related to employee turnover. We believe that the interrelationship among these provisions must be made clearer. We note that CIP-007-1, Requirement R5.1.3, which specifically refers to CIP-003-1, Requirement R5, addresses ``user accounts.'' Likewise, CIP-004-1, Requirement R4 addresses authorization for unescorted physical or cyber access to ``critical cyber assets.'' However, the information for which Requirement R4 of CIP-003-1 requires protection appears to be broader than ``user accounts'' and ``critical cyber assets.'' According to CIP-003-1, Requirement R4, protected information includes lists of critical cyber assets, floor plans, and security configuration information. While the concept of access authorization is similar across these provisions, there is no explicit mention in them of revoking access to ``information'' about critical cyber assets. While the priority must be on granting and revoking access to the critical cyber assets themselves, access to information concerning the critical cyber assets should also be adequately protected, and revocations always should be made promptly. We also note that Recommendation 44 of the Blackout Report stresses the need to prevent inappropriate disclosure of information.\80\ Thus, the Commission proposes to direct the ERO to modify Reliability Standards CIP-003-1, CIP-004-1, and/or CIP-007-1, to ensure and make clear that access to protected information is revoked promptly. --------------------------------------------------------------------------- \80\ See Blackout Report at 169, Recommendation 44. --------------------------------------------------------------------------- e. Change Control and Configuration Management 140. Requirement R6 requires the responsible entity to establish a process of change control and configuration management for adding, modifying, replacing, or removing critical cyber asset hardware or software. 141. The CIP Assessment noted that entities often rely on commercial vendors to test and certify that electronic security patches they provide will not adversely affect other electronic systems already in place. It is not clear how a responsible entity could otherwise verify that a problem does not exist without burdensome testing each time a patch is implemented. Such a testing requirement may also inhibit or delay the use of security patches and thereby prolong vulnerabilities that would otherwise be relatively easy to fix. 142. Santa Clara submits that electric utilities, like all ``cyber users,'' must rely on information technology vendors for accurate and reliable ``emergency or normal modifications.'' It suggests that it is not only unrealistic, but unnecessary, to expect that all responsible entities under the CIP Reliability Standards should, or could, possess the technical expertise to understand an IT vendor's code in enough detail to ensure that any modifications made by the IT vendor are accurate and reliable. 143. SPP believes that the purpose of the change management program is to ensure the entity is aware of all changes being made to a critical cyber asset and, in being aware, readily recognizes when an unapproved change is made. An unapproved change could be an indication of a cyber attack in progress. SPP comments that Requirement R6 may fall short because it does not specify the need for detection and monitoring controls to determine when changes occur. SPP also asserts that a proper change management program includes provisions for routine, planned changes and emergency, unplanned changes. Commission Proposal 144. While Requirement R6 of Reliability Standard CIP-003-1 captures the essence of managing changes intentionally made to critical cyber assets, it fails to address accidental consequences or malicious actions by individuals. Thus, the Commission believes that this Requirement needs to go further and we propose to direct the ERO to make two changes. First, we propose additional wording to require verification that authorized changes made to critical cyber assets, which include software and data, only affect processes that are intended. Our concern here includes both accidental consequences and malicious actions by individuals performing the changes. Second, we propose a requirement for responsible entities to take actions to detect unauthorized changes to critical cyber assets. Such changes could result from malicious actions originating either outside or inside the responsible entity. No electronic security perimeter is 100 percent effective, especially when a malicious action is performed by an insider, and detection must be part of a good cyber security program. Therefore, the Commission proposes, as suggested by SPP, to direct the ERO to modify Requirement R6 of Reliability Standard CIP- 003-1 to include in the process of change control and configuration management a requirement for detection and monitoring controls to determine if changes are made as intended and to investigate whether any unintended or unplanned changes have been made. f. Interconnected Networks 145. The CIP Assessment also raised a concern that interconnected control system networks are more susceptible to infiltration by a cyber intruder. Georgia Operators responds that every responsible entity must protect its critical cyber assets by guarding its electronic access points against the spread of harm from external interconnected entities. This task can only be accomplished by assuming that such external entities are themselves unprotected. 146. NERC and ReliabilityFirst claim that the purpose of establishing policy and procedure is for a responsible entity to protect itself from the ``outside world'' wherever that ``outside world'' might exist. It does not matter if the ``outside'' is an internally connected corporate network, or a completely separate entity. These commenters explain that the CIP Reliability Standards address a responsible entity's area of responsibility--the equipment it owns and controls. All interconnected control system network communications will traverse through electronic access points; therefore, there exists a need for ``security'' on the [[Page 43987]] interconnection points. Both commenters state that the electronic security perimeter effectively implements a model of mutual distrust between any collection of critical cyber assets within an electronic security perimeter, and any and all other cyber assets. Commission Proposal 147. The Commission agrees with commenters who caution that a responsible entity should protect itself from whatever is outside its control system. The phrase ``mutual distrust'' has been used to denote how these ``outside world'' systems are treated by those inside the control system. However, there is very little guidance for how a responsible entity would configure an architecture under a ``mutual distrust'' posture to handle both interactive login-type connectivity between the outside world and the control system as well as direct application communications (data shared between programs) that also occur between the control system and the outside world (both internal and external to the responsible entity). In addition, the Commission notes that, in our earlier discussion regarding the applicability of the CIP Reliability Standards to small entities, we relied in part upon the expectation that the responsible entities would adopt ``mutual distrust'' postures when receiving communications from others that impact the functioning of control systems. Therefore, the Commission proposes to direct the ERO to modify Reliability Standard CIP-003-1 to provide direction regarding the issues and concerns that a ``mutual distrust'' posture must address to protect the control system from the ``outside world.'' \81\ --------------------------------------------------------------------------- \81\ An architecture with a mutual distrust posture could involve various hardware or software mechanisms or manual procedures to restrict and verify access to the control system from these outside sources. Examples include: Firewalls; data checking software(s); or procedures for manually implementing a connection to allow a vendor to perform maintenance work. --------------------------------------------------------------------------- g. Commission Proposal Summary 148. In summary, the Commission proposes to approve Reliability Standard CIP-003-1 as mandatory and enforceable. In addition, the Commission proposes to direct the ERO, pursuant to section 215(d)(5) of the FPA and Sec. 39.5(f) of our regulations, to develop modifications to CIP-003-1 through its Reliability Standards development process that (1) provide additional guidance for the topics and processes that should be addressed by the required cyber security policy in order to ensure that the responsible entity reasonably protects its critical cyber assets; (2) require a responsible entity to submit periodically to the Regional Entity the documentation of exceptions to the cyber security policy; (3) clarify that the exceptions mentioned in Requirements R2.3 and R3 of CIP-003-1 do not except responsible entities from the requirements of the CIP Reliability Standards; (4) make clear that the senior manager ultimately remains responsible for the responsible entity's compliance with the CIP Reliability Standards; (5) ensure and make clear that access to protected critical cyber asset information is revoked promptly (and make parallel modifications to CIP-004-1 and CIP-007-1 as needed); (6) include in the process of change control and configuration management a requirement for detection and monitoring controls to determine if changes were made as intended and to investigate whether any unintended or unplanned changes have occurred; and (7) provide direction regarding the issues and concerns that a ``mutual distrust'' posture must address in order to protect a responsible entity's control system from the ``outside world.'' 3. CIP-004-1--Personnel and Training 149. Reliability Standard CIP-004-1 requires that personnel having authorized cyber access or unescorted physical access to critical cyber assets must have an appropriate level of personnel risk assessment, training and security awareness. Responsible entities must develop and implement a security awareness program that addresses concerns related to cyber security; a cyber security training program for affected personnel that addresses policies, access controls, procedures for the proper use of critical cyber assets, physical and electronic access to critical cyber assets, proper handling of asset information, and recovery methods after a Cyber Security Incident; and a personnel risk assessment program for all personnel having access to critical cyber assets. 150. The Commission proposes to approve Reliability Standard CIP- 004-1 as mandatory and enforceable. In addition, we propose to direct the ERO to develop modifications to this Reliability Standard. In our discussion below, the Commission addresses its concerns in the following topic areas regarding CIP-004-1: (1) Training; (2) personnel risk assessments; (3) access; and (4) jointly owned facilities. a. Training 151. The CIP Assessment noted that the training requirements specified in Requirement R2 apply to all personnel, contractors, and service vendors who have authorized cyber access or unescorted physical access to critical cyber assets.\82\ It then expressed concern that this requirement does not clearly address the interconnectivity of systems; i.e., the required training programs should address not only the critical cyber assets themselves, but also any networking hardware or software linking them. It noted that the importance of network support to overall security environment may not be understood by personnel if the training does not encompass the related non-critical cyber assets, such as switches and routers that can impact the security of the critical cyber assets. Moreover, it pointed out that while this requirement specifies the minimum topics that training should cover, it does not provide criteria for assessing the quality and adequacy of the training. With regard to both the awareness program of Requirement R1 and the training program of Requirement R2, the CIP Assessment noted that certain NIST publications provide guidance on training of personnel and practices that enhance the security posture of information systems.\83\ --------------------------------------------------------------------------- \82\ CIP Assessment at 23. \83\ See NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model (1998); and NIST Special Publication 800-50, Building an Information Technology Security Awareness Training Program (2003), available at: http://csrc.nist.gov/publications/nistpubs/. --------------------------------------------------------------------------- 152. NERC states that a subset of networking hardware and software is included in Requirement R2 to the extent active communications hardware and software reside within the defined electronic security perimeter, and because hardware and software acts as an electronic access control, defining the electronic security perimeter. NERC draws attention to the fact that communication networks and data communication links between discrete electronic security perimeters are specifically excluded by Applicability section 4.2.2 of this Reliability Standard. 153. APPA/LPPC believe that most, if not all, networking hardware and software will be essential to the operation and control of critical cyber assets and therefore will be subject to the Reliability Standard and encompassed by the security training requirement. FirstEnergy notes the Measures and Compliance provisions currently require only documentation of [[Page 43988]] the requirements and states that NERC should focus on developing Reliability Standards to maintain the quality of personnel training in this area. FirstEnergy states that training requirements should be appropriate to each employee's experience and access level. 154. The CIP Assessment also questioned whether it is appropriate to allow personnel to have access to critical cyber assets for up to 90 days prior to receiving any cyber security training, as Requirement R2.1 allows. It suggested that personnel should receive the training prior to such access. 155. NERC and ReliabilityFirst state that the sub-requirements of Requirement R2 list specific expected outcomes from the training. NERC and ReliabilityFirst state that the 90-day period is based on the belief that certain conditions may require that personnel receive access prior to specific additional training in cyber security processes and procedures in order to maintain or restore the reliable operation of the Bulk-Power System. They explain that standard industry practice ensures anyone with access to sensitive systems has had adequate training, but that such training may not have been specific to the systems or environment to which they receive access, such as when, in an emergency restoration, personnel with specialized knowledge may be required to access systems outside their normal assignments.\84\ --------------------------------------------------------------------------- \84\ APPA/LPPC, SPP and Xcel agree that this flexibility is needed in emergency situations, and comment that training beforehand would not always be practical. --------------------------------------------------------------------------- 156. APPA/LPPC agree with the CIP Assessment that, whenever possible, personnel should receive their cyber security training and undergo the required personnel risk assessment before being allowed access to critical cyber assets. However, APPA/LPPC favor retention of the 90-day period for conducting training so that responsible entities will not risk a technical violation of the Reliability Standard when emergency conditions require that personnel obtain access before they are trained or authorized with access. 157. ISA Group agrees with the CIP Assessment that training in critical security practices should occur prior to an individual having the corresponding access and suggests making a distinction between the training that is needed before access is granted and the remaining training that is not critical for access but still significant. The ISA Group also states that training and awareness programs should be specific to the critical cyber assets to be protected and that persons who provide the training should be adequately trained to address the cyber security of the systems. SPP and ISO-NE agree with the CIP Assessment that allowing unescorted access to critical cyber assets prior to security training introduces an unnecessary risk. SPP suggests that, under normal circumstances, training prior to access should be the requirement with provisions made for emergency conditions. Commission Proposal 158. Training is clearly integral to the protection of critical cyber assets. Allowing personnel to access critical cyber assets prior to receiving training increases the vulnerability of and risk to such assets. Thus, such access should not be the norm under the Reliability Standard. Accordingly, we propose to direct the ERO to modify this provision to require affected personnel to receive the required training before obtaining access to critical cyber assets (rather than within 90 days of access authorization), but allowing limited exceptions, such as during emergencies, subject to documentation and mitigation. 159. Alternate provisions for emergencies and certain other conditions could be designed, such as requiring documentation of all personnel who received access to particular equipment during the emergency and whether they received a briefing or any other training prior to their access concerning the specific facilities; the extent to which people needed for the emergency had received general training and possessed appropriate specialized expertise for the circumstance; and any risk mitigation steps taken during the emergency access, as discussed by commenters in this proceeding. To facilitate communications in emergency situations, the Commission proposes to direct the ERO to require responsible entities to identify ``core training'' elements to ensure that essential training elements will not go unheeded in an emergency and other contingency situations where full training prior to access will not best serve the reliability of the Bulk-Power System. We note that during ``emergency conditions,'' the Bulk-Power System could be particularly vulnerable to mischief or mistakes, and we propose to require the ERO to consider this when developing the modification. We also propose to direct the ERO to consider what, if any, modifications to CIP-004-1 should be made to address the concern raised by the ISA Group that security trainers be adequately trained themselves. 160. In addition, we propose to direct the ERO to modify the CIP- 004-1 to clarify that the cyber security training programs required by Requirement R2 are intended to encompass training on the networking hardware and software and other issues of electronic interconnectivity supporting the operation and control of the critical cyber assets. As indicated by the comments, it is not clear whether interconnectivity issues are already included in the proposed language of the training requirement of CIP-004-1. One method of clarification the ERO should consider is the addition of a provision such as that contained in CIP- 005-1, Requirement R1.4, which specifically subjects any non-critical cyber asset within a defined electronic security perimeter to the Reliability Standard. CIP-004-1 should leave no doubt that cyber security training concerning a critical cyber asset should encompass the electronic environment in which the asset is situated and the attendant vulnerabilities. 161. Finally, we propose to direct the ERO to increase the guidance in the Reliability Standard as to the scope and quality of training. We note that part of the goal for training, in conjunction with awareness programs, is to keep security practices on the minds of employees, contractors, and vendors. Examples of some areas where the inclusion of guidance can be considered are: control of electronic devices (such as laptop computers), the appropriate audiences for the training, delivery methods, and updates of training materials. In our view, the awareness and training programs, addressed separately by Requirements R1 and R2, complement each other and work in tandem. In parallel with the security awareness program, we expect the ERO to consider relevant aspects of the cited NIST Special Publications, as well as other relevant models, to improve CIP-004-1 and prevent a lowest common denominator result. b. Personnel Risk Assessment 162. Requirement R3 of CIP-004-1 requires each responsible entity to have a documented personnel risk assessment program. It also requires that a personnel risk assessment, including a criminal check, be conducted within 30 days after a person receives cyber access or unescorted physical access to critical cyber assets. The CIP Assessment noted that Requirement R3 would allow access to critical cyber assets while investigation is still underway, and even before an investigation has started. [[Page 43989]] 163. NERC and ReliabilityFirst assert that certain conditions affecting the reliable operation of the Bulk-Power System may require that personnel be allowed to access the critical cyber assets prior to completing the personnel risk assessment process, although they may be subject to escort and review during the investigative period. 164. Several commenters agree with the CIP Assessment that an appropriate personnel risk assessment should be completed before an employee (especially a newly hired employee or vendor) is granted access to critical cyber assets. SPP states that emergency contingency procedures can be developed to handle situations where access must be granted prior to completing the required background check. 165. However, NERC and other commenters have concerns about existing personnel. NERC and ReliabilityFirst assert that certain conditions affecting the reliable operation of the Bulk-Power System may require that personnel be allowed to access the critical cyber assets prior to the completion of the personnel risk assessment process, although they may be subject to escort and review during the investigative period. National Grid expresses concern that, since the Requirement appears to apply to a significant portion of existing utility workforce, any attempt to revoke access to such employees while completing their personnel risk assessments would create more reliability concerns than simply allowing such employees to remain on the job. FirstEnergy states that the 30-day window may be appropriate for employees and vendors with which the responsible entity has had a working relationship. FirstEnergy comments that Requirement R3 does not provide sufficient detail on what constitutes an adequate personnel risk assessment, which could cause variable interpretations of this Requirement. ISO-NE agrees with the CIP Assessment that the Reliability Standard provides insufficient direction regarding the elements of an appropriate awareness program. Commission Proposal 166. Similar to our concerns regarding the training provisions of Requirement R2, we believe that allowing applicable personnel, including vendors, to access critical cyber assets prior to the completion of their personnel risk assessment increases the vulnerability of, and risk to, these assets. We also observe that Recommendation 41 of the Blackout Report emphasizes the need for guidance on implementing background checks.\85\ At the same time, we believe that commenters have raised a valid concern regarding the disruptions that would result if current employees and vendors with established involvement were denied access to critical cyber assets for a 30-day period. Accordingly, we propose that the ERO develop modifications to Requirement R2 to provide that newly-hired personnel and vendors should not have access to critical cyber assets, except in specified circumstances such as an emergency. The ERO should determine the parameters of such exceptional circumstances in developing the proposed modification through its Reliability Standards development process. However, to avoid disruptions, we propose that the 30-day window allowing access before the personnel risk assessment is completed remain in effect for current employees and vendors with existing contractual relationships with the responsible entity as of the effective date of the Reliability Standard. We propose to direct that the ERO include, in developing modifications to CIP-004-1, criteria that address circumstances in which current personnel can continue access to critical cyber assets during the 30-day investigative period during initial compliance with CIP-004-1. --------------------------------------------------------------------------- \85\ See Blackout Report at 167-168, Recommendation 41, where the Blackout Report recommends that NERC provide guidance on background checks to be completed on contractor and sub-contractor employees in advance of allowing access to secure facilities. --------------------------------------------------------------------------- c. Access 167. Requirement R4 directs the responsible entity to maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to critical cyber assets. The CIP Assessment observed that the lists do not serve to deny personnel access from critical cyber assets prior to completion of a personnel risk assessment. However, Requirement R4.2 requires that access to critical cyber assets be revoked within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access. 168. NERC states that while the access list itself does not prevent access, it does provide for identification of personnel for which additional levels of review and escort may be assigned. California PUC suggests amending the Reliability Standard to require immediate updates when an employee is transferred, retires, or is terminated. Commission Proposal 169. Timely system updates to access rights are important. Employee, contractor, or vendor access to critical cyber assets when the employee, contractor, or vendor no longer has a need for such access, due for example to a transfer or termination, represents a gap in security. Moreover, while Requirement R4 of CIP-004-1 requires a responsible entity to maintain a list of authorized personnel, it does not indicate what the responsible entity must do with the list. Accordingly, the Commission proposes to direct that NERC develop modifications to CIP-004-1 to require immediate revocation of access privileges when an employee, contractor, or vendor no longer performs a function that requires authorized physical or electronic access to a critical cyber asset for any reason (including disciplinary action, transfer, retirement or termination). Because an organization is typically aware in advance of personnel action dates, timely updating of the authorization list should not be unduly burdensome. Further, we propose to direct that NERC modify Requirement R4 to make clear that unescorted physical access should be denied to individuals that are not identified on the authorization list. d. Question of Jointly Owned Facilities 170. APPA/LPPC request that the Commission direct NERC to consider clarifications for entities with facilities governed by existing joint use or joint ownership agreements. They explain that most of there members have joint facilities with neighboring entities (e.g., a transmission substation at a point of interconnection with an adjacent system), and that joint facility agreements often prohibit individual co-owners from blocking the other co-owners' use of, or access to, such facilities. APPA/LPPC state that CIP-004-1 obligates individual responsible entities to block certain persons from their facilities, possibly including persons with existing contractual rights of access. APPA/LPPC believe that one joint facility owner should not be able to block another unaffiliated entity's existing contractual rights of access. APPA/LPPC also ask that entities with joint facilities not be subject to sanctions solely because an unaffiliated entity that is a party to one of its joint facility agreements failed to comply with CIP-004-1 when acting independently. Commission Proposal 171. The Commission views joint owners of critical cyber assets as being [[Page 43990]] equally subject to the CIP Reliability Standards as other responsible entities. If an asset is designated as a critical cyber asset by one joint owner, it must be treated likewise by the other owner(s). Thus, each entity that possesses an interest in a jointly-owned facility would be responsible to develop a list of its authorized personnel and to respect each other joint owner's corresponding list. 172. APPA/LPPC also raise the issue of ``joint use'' arrangements. For example, an owner of a critical cyber asset substation may well house electronic or other equipment on its premises that belongs to another entity that may or may not be subject to these Reliability Standards. The Commission believes that, in principle, the owner of a critical cyber asset is responsible under the Reliability Standards for ensuring that all persons having access to the critical cyber asset meet the requirements of these Reliability Standards, much as the owner is responsible to ensure that vendor personnel have the required levels of security training, awareness and background checks. 173. Nevertheless, we can appreciate that even with this general guidance, further clarification regarding how ``joint use'' arrangements should be addressed. Therefore, we propose to direct the ERO to address the ``joint use'' concerns expressed by APPA/LPPC while developing any modifications to these Reliability Standards directed in a final rule. Regardless of whether a facility subject to CIP-004-1 is jointly owned or not, all entities that have access to it must comply with CIP-004-1. Each entity, however, is responsible for only its compliance and may not attempt to block or limit another's access on the basis of its perception that the other entity has not complied with CIP-004-1. In the event non-compliance is suspected, it must be promptly reported to the Regional Entity or ERO. e. Commission Proposal Summary 174. In summary, the Commission proposes to approve Reliability Standard CIP-004-1 as mandatory and enforceable. In addition, the Commission proposes to direct the ERO, pursuant to section 215(d)(5) of the FPA and Sec. 39.5(f) of our regulations, to develop modifications to CIP-004-1 through its Reliability Standards development process that: (1) Require affected personnel, with limited exceptions, to receive required training before obtaining access to critical cyber assets (rather than within 90 days of access authorization); (2) require responsible entities to identify ``core training'' elements to ensure that essential training elements will not go unheeded in an emergency and other contingency situations where full training prior to access will not best serve the reliability of the Bulk-Power System; (3) clarify that the cyber security training programs required by Requirement R2 are intended to encompass training on networking hardware and software and other issues of electronic interconnectivity supporting the operation and control of critical cyber assets; (4) provide increased guidance on the scope and quality of training; (5) make modifications to Requirement R2 to provide that newly-hired personnel and vendors should not have access to critical cyber assets, except in specified circumstances such as an emergency; (6) address circumstances in which current personnel can continue access to critical cyber assets during the 30-day investigative period during initial compliance with CIP-004-1; and (7) require immediate revocation of both physical and electronic access privileges when an employee, for any reason (including disciplinary action, transfer, termination, or retirement), no longer performs a function that requires access to critical cyber assets. 175. In addition, the Commission proposes to direct the ERO to (1) consider what, if any, modifications to CIP-004-1 should be made to address the concern raised by the ISA Group that security trainers be adequately trained; (2) consider relevant aspects of certain NIST Special Publications, as well as other relevant models, to improve CIP- 004-1; and (3) address the ``joint use'' concerns expressed by APPA/ LPPC and discussed herein by the Commission when developing modifications to the Reliability Standards that the Commission may direct when we issue our final rule. 4. CIP-005-1--Electronic Security Perimeter(s) 176. Reliability Standard CIP-005-1 requires identification and protection of the electronic security perimeters inside which all critical cyber assets are located, as well as all access points. The electronic security perimeters are to encompass all the critical cyber assets that are identified using the risk-based assessment methodology required by Reliability Standard CIP-002-1. Multiple electronic security perimeters may be required; for example, one may be needed around a control room while another may be established around a substation. Once each electronic security perimeter has been established, the responsible entity must develop mechanisms to control and monitor electronic access to all electronic access points. Furthermore, the responsible entity must assess the electronic security perimeter's cyber vulnerability and test every electronic access point at least annually. 177. The Commission proposes to approve Reliability Standard CIP- 005-1 as mandatory and enforceable. In addition, we propose to direct the ERO to develop modifications to this Reliability Standard. Further, the Commission also proposes to require the ERO to consider various other matters of clarification, guidance, and modification. In our discussion below, the Commission addresses its concerns in the following topic areas regarding CIP-005-1: (1) Adequacy of electronic security perimeters; (2) protecting access points and controls; (3) monitoring access logs; (4) vulnerability assessments; and (5) document updates. a. Adequacy of Electronic Security Perimeters 178. Requirement R1 of CIP-005-1 addresses the identification of electronic security perimeters to ensure that every critical cyber asset resides within one. The CIP Assessment explained that the electronic security perimeter constitutes the appropriate first line of defense. However, a responsible entity should use a cyber security protection program that contains additional security measures to detect and stop intrusions that penetrate the outer shell of the defense (i.e., a defense in depth approach). 179. APPA/LPPC and Xcel agree with the CIP Assessment's concept of defense in depth and when possible, securing the non-critical cyber assets outside the electronic security perimeter. However, APPA/LPPC state that the use of ``defense in depth'' may not be practical for all critical cyber assets, such as assets supplied by vendors that are no longer in business. 180. Xcel notes that a line needs to be drawn in order to avoid responsible entities taking expensive precautions that are not cost- effective. It further adds that CIP-005-1 should not be extended to equipment and systems beyond the electronic security perimeter. Commission Proposal 181. The Commission recognizes that there is a point at which having multiple defense layers would not be cost effective. However, the effectiveness of any one defense measure is often dependent upon the quality of active human maintenance, and there is no one perfect defense measure that will guarantee the [[Page 43991]] protection of the Bulk-Power System. Therefore, we believe that a responsible entity must implement two or more distinct security measures when constructing an electronic security perimeter. Thus, the Commission proposes to direct the ERO to develop a requirement to implement a defensive security approach including two or more defensive measures in a defense in depth posture. This approach should not inhibit, but instead supplement the establishment of an electronic security perimeter. While such layers/measures are generally integrated within and constitute part of a system or program, many are also effectively, and more feasibly, placed ``in front of'' a system, such as an older, legacy system. b. Protecting Access Points and Controls 182. Requirement R2 of CIP-005-1 requires a responsible entity to implement organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the electronic security perimeter. Requirement R2.4 requires ``strong procedural and technical controls'' at enabled external access points ``to ensure authenticity of the accessing party, where technically feasible.'' 183. The CIP Assessment raised concerns regarding the qualifier ``where technically feasible'' in Requirement R2.4. The CIP Assessment also cautioned that keeping pace with advances in cyber security is a necessary part of the defense strategy needed to protect against intrusion by an adversary. The CIP Assessment noted that implementation and maintenance of strong controls to ensure authenticity of the accessing party is not a question of technical feasibility. It represents that the technology currently exists and that every responsible entity identifying critical cyber assets should be able to implement such controls. Balancing an appropriate mix of protections and technology is part of achieving effective cyber security. The CIP Assessment also expressed the view that Requirement R2.4 should not allow a responsible entity to fail to implement rudimentary procedural and technical access controls. 184. California PUC states that electronic access from outside the electronic security perimeter should require strong verification, such as digital certificates or two-factor authentication. It suggests that such a system is virtually impenetrable and that it, or some similar system, should be required in the CIP Reliability Standards. 185. California PUC comments that access controls should be implemented at all access points to the network and that the caveat of ``technical feasibility'' in the NERC-proposed Reliability Standard is inappropriate. California PUC further states that Requirement R2.0 prescribes, inter alia, that only those ports and services required for normal or emergency operations should be enabled, while all others should be disabled. Furthermore, it notes that access control, including the authorization process and authentication method for each access point, should be documented. Access should be monitored twenty- four hours a day, seven days a week, and disturbances and unauthorized access attempts should be identified. All responsible entities should conduct vulnerability assessments of their access points, scanning to verify that only the proper ports and services are enabled. California PUC agrees with the CIP Assessment assertion that ``such (strong access control) technology currently exists'' and implementation by every entity is feasible. 186. NERC disagrees with the CIP Assessment comment that a ``technical feasibility'' caveat is not needed in Requirement R2.4, particularly for legacy implementations and substation environments. NERC agrees that the CIP Assessment statement may be applicable in a modern control center environment, where common IT systems have migrated into the control environment. However, NERC states that this is not the case for many existing field systems. The technical feasibility clause, NERC claims, is needed to accommodate the vast majority of legacy systems that cannot be upgraded due to the age and nature of their system configurations.\86\ --------------------------------------------------------------------------- \86\ Progress Energy, ReliabilityFirst, and Santa Clara agree with NERC. --------------------------------------------------------------------------- 187. Given the numerous scenarios surrounding access control, APPA/ LPPC believe that removing the ``technically feasibility'' caveat will not provide a solution in every situation. They assert that Requirement R2.4 is appropriate as currently written. APPA/LPPC note that some access control solutions, such as biometric ones, are still subject to failure and may grant access to unauthorized people. Commission Proposal 188. Requirement R2.4 of CIP-005-1 calls for the implementation of ``strong procedural or technical controls'' at access points to ensure authenticity of the accessing party. While we agree with the goal of Requirement R2.4, we are concerned that requiring ``strong'' controls does not provide sufficient guidance and possibly sets subjective criteria. Thus, we believe that Requirement R2.4 should provide greater clarity regarding the expectation for adequate compliance by identifying examples of specific verification technologies that would satisfy the Requirement, while also allowing compliance pursuant to other technically equivalent measures or technologies. The Commission agrees with California PUC that strong verification includes technologies such as digital certificates and two-factor authentication. We also note that Recommendation 32 of the Blackout Report emphasizes the need ``to ensure access is granted only to users who have corresponding job responsibilities.'' \87\ We propose to direct the ERO to modify this Reliability Standard accordingly. --------------------------------------------------------------------------- \87\ See Blackout Report at 164-165, Recommendation 32. --------------------------------------------------------------------------- 189. The Commission believes that providing such basic security measures as access control can be accomplished using/placing measures ``in front of'' systems as opposed to ``inside'' systems. Such an approach can be used to secure even older, yet functioning, legacy systems. The Commission proposes to direct the ERO to evaluate the issue and provide specific guidance to responsible entities that must face such issues. 190. The Commission is persuaded by commenters that maintain that, due to the variety of equipment and systems, some discretion must be preserved that would allow responsible entities to control access points. Further, in our general discussion of ``technical feasibility'' in section II.A.5.b above, we explained that, while we have concerns regarding the broad discretion currently allowed in the use of the technical feasibility language, we would not propose to eliminate the provision but, rather, propose to require specific controls and accountability when a responsible entity chooses to invoke the provision. Specifically, a responsible entity invoking a technical feasibility exception would have to: (1) Develop and implement interim mitigation steps to address the vulnerabilities associated with each exception; (2) develop and implement a remediation plan to eliminate the exception, including interim milestones and a reasonable completion date; and (3) obtain written approval of these steps by the senior manager responsible for leading and managing compliance with the CIP Reliability Standards. As discussed previously, the Commission proposes that a responsible entity invoking a [[Page 43992]] technical feasibility exception must have a review by senior management of the expediency and effectiveness of the manner in which a responsible entity has addressed each of these three proposed conditions. In addition, the Commission proposes to require a responsible entity to report and justify to the ERO and the Regional Entity for approval each exception and its expected duration. 191. Consistent with our earlier discussion, we will not propose the removal of the ``technical feasibility'' language from Requirement R2.4 of CIP-005-1. However, such discretion will not lie solely with the responsible entities. We propose to direct that Regional Entities review the application of ``technical feasibility'' as the basis for allowing a responsible entity an exception to full compliance with a Requirement. c. Monitoring Access Logs 192. Requirement R3. of CIP-005-1 requires responsible entities to implement electronic or manual processes for monitoring and logging access at access points to the electronic security perimeter at all times. Further, where technically feasible, the security monitoring process must detect and alert for attempts at or actual unauthorized access. Where such alerts are not technically feasible, Requirement R3.2 requires a responsible entity to review access logs at least every 90 calendar days. 193. The CIP Assessment noted that frequent reviews of access logs are necessary to look for security breaches that automated alerts do not detect. It cautioned that the ``technical feasibility'' caveat in Requirement R3.2 can allow a 90-day lapse in review of access logs when it is commonplace in the IT industry for logs to be reviewed every one or two days. The CIP Assessment also advised that the use of discretion to address ``technical feasibility'' permitted in Requirement R3.2 should not be a basis for failing to implement a process that detects attempts to access or actual unauthorized access. Such monitoring technology is available \88\ and no responsible entity should be excepted due to technical infeasibility. --------------------------------------------------------------------------- \88\ Technology that is currently available for monitoring access (e.g., network servers, firewalls, Intrusion Detection Systems, Intrusion Prevention Systems) has alarm capability built into it. --------------------------------------------------------------------------- 194. NERC agrees with the CIP Assessment that logs should be reviewed frequently. However, NERC believes that a strict requirement for the review period cannot be specified because of the varied methods and technologies used to gather and review the logs. NERC asserts that automated alert technology can detect many attempts and breaches, and leave a much smaller set of ``questionable'' events which can readily be analyzed manually.\89\ --------------------------------------------------------------------------- \89\ FirstEnergy, ReliabilityFirst, ISO/RTO Council, Georgia System, Xcel, and Santa Clara agree with NERC. --------------------------------------------------------------------------- Commission Proposal 195. The Commission is persuaded by the commenters that varied technologies and locations make setting a ``one size fits all'' frequency of access log review requirement difficult. However, the Commission believes that, while automated review systems provide a reasonable day-to-day check of the system and a convenient screening for obvious system breaches, periodic manual review provides the opportunity to recognize an unanticipated form of malicious activity and improve automated detection settings. Thus, regular manual review is beneficial. 196. The Commission believes that frequent reviews of access logs are necessary to detect breaches that automated alerts do not detect. Moreover, where automated alerts are not used, frequent monitoring takes on even greater importance. The Commission recognizes that accessibility of an access log may affect the review interval. For instance, logs that are readily available, such as those from within a control room setting, should be reviewed at least weekly. Those logs that are not readily available, such as those located at a remote substation, are less accessible and therefore can be read less frequently. However, any attempt to differentiate the required frequency of review of these logs must be balanced against the criticality of the facilities. It is not acceptable to dismiss a critical facility from timely review simply because it is remote. 197. For the reasons discussed above, the Commission believes that more frequent review of access logs is important and therefore proposes to direct the ERO to develop a bifurcated review requirement of access logs at electronic access points in which readily available logs are reviewed more frequently than every 90 days. The Commission believes such review should be performed at least weekly. As part of developing this bifurcated review requirement, the ERO must include in the Reliability Standard guidance on how a responsible entity should designate individual assets as ``readily accessible'' or ``not readily accessible,'' consistent with our discussion above. d. Vulnerability Assessments 198. The CIP Assessment stated that Requirement R4 fails to specify whether a live vulnerability assessment is required, as opposed to a paper assessment.\90\ It recommends performing a ``live'' cyber vulnerability assessment at least annually and developing an action plan to remediate any weaknesses identified. It also notes that permitting a one year window, without any specificity regarding updates, could be inadequate. --------------------------------------------------------------------------- \90\ A live vulnerability assessment typically involves the use of specialized software or hardware to scan electronic access points to determine which communications each access point allows to pass through. --------------------------------------------------------------------------- 199. NERC, Progress Energy and ReliabilityFirst state that Requirement R4 intentionally allows for either vulnerability assessment approach, live or paper-based, to allow a responsible entity to determine the approach best suited to its own level of sophistication and tolerance for risk. NERC acknowledges that some responsible entities already perform live testing but notes that such testing is limited to specific systems and circumstances of the responsible entity. 200. Georgia System argues that the existing Requirement R4 is well-designed. It suggests, however, that annual testing of each electronic access point should not be imposed, because such wide-spread ``live'' testing could have adverse impacts on system reliability. APPA/LPPC disagree with the CIP Assessment and insist that an annual testing requirement is sufficient, as long as the responsible entity does not make changes to any border devices. APPA/LPPC argue that, if changes occur to the perimeter, then the entity should, as a good business practice, reassess the vulnerability of that portion of the perimeter. Commission Proposal 201. The Commission believes that annual vulnerability assessments are sufficient, provided that no modifications are made to the electronic security perimeter during the year. However, when the electronic security perimeter, or another measure in a defense in depth strategy, is modified, it is not acceptable to wait a year to test modifications. Thus, the Commission proposes to direct the ERO to revise the Reliability Standard to require a vulnerability assessment of the electronic access points as part of, or contemporaneously with, any [[Page 43993]] modifications to the electronic security perimeter or defense in depth strategy. 202. In addition, the Commission proposes that Requirement R4 should provide for the conduct of live vulnerability assessments at least once every three years, with subsequent annual paper assessments in the intervening years. If such live vulnerability assessments are not ``technically feasible,'' consistent with the Commission's earlier determination, a responsible entity may seek to be excused from full compliance via an application to the Regional Entity fully documenting the necessary interim actions, milestone schedule, and mitigation plan. e. Commission Proposal Summary 203. In summary, the Commission proposes to approve Reliability Standard CIP-005-1 as mandatory and enforceable. In addition, the Commission proposes to direct the ERO, pursuant to section 215(d)(5) of the FPA and Sec. 39.5(f) of our regulations, to develop modifications to CIP-005-1 through its Reliability Standards development process that (1) require implementation of a defensive security approach, including two or more defensive measures in a defense in depth posture; (2) add guidance to Requirement R2 by identifying examples of specific verification technologies that would satisfy compliance with the ``strong controls'' in Requirement R2.4, such as digital certificates and two-factor authentication, while also allowing compliance by means of technically equivalent measures; (3) evaluates and provides guidance regarding the use of access security measures ``in front of'' as opposed to ``inside of'' older systems; (4) require additional controls and accountability when a responsible entity invokes the ``technical feasibility'' exception in Requirement R2.4 consistent with the proposal discussion in section II.A.5.b of the NOPR; (5) provide a bifurcated review requirement of access logs at electronic access points in which readily available logs are reviewed more frequently than 90 days including guidance on which assets should be designated ``readily accessible;'' (6) require a vulnerability assessment of electronic access points as part of, or contemporaneously with, any modifications to an electronic security perimeter or defense in depth strategy; and (7) provide for the conduct of live vulnerability assessments at least once every three years, with subsequent annual paper assessments in the intervening years. 5. CIP-006-1--Physical Security of Critical Cyber Assets 204. Reliability Standard CIP-006-1 addresses the physical security of the critical cyber assets identified in Reliability Standard CIP- 002-1. In particular, CIP-006-1 requires a responsible entity to create and maintain a physical security plan that ensures that all cyber assets within an electronic security perimeter also reside within an identified physical security perimeter.\91\ The physical security plan must be approved by senior management and must contain processes for identifying, controlling, and monitoring all access points and authorization requests. --------------------------------------------------------------------------- \91\ As defined in the NERC Glossary, an ``Electronic Security Perimeter'' means, ``[t]he logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled. * * * and a Physical Security Perimeter is ``the physical, completely enclosed (``six-wall'') border surrounding computer rooms, telecommunications rooms, operations centers, and other locations in which Critical Cyber Assets means are housed and for which access is controlled * * *.'' --------------------------------------------------------------------------- 205. Reliability Standard CIP-006-1 also addresses operational and procedural controls to manage physical access at all access points to the physical security perimeter at all times by the use of alarm systems and/or human observation or video monitoring. The Reliability Standard also requires that the logging of physical access must occur at all times, and the information logged must be sufficient to uniquely identify individuals crossing the perimeter. Finally, the Reliability Standard requires responsible entities to test and maintain all physical security mechanisms on a three-year cycle. 206. The Commission proposes to approve Reliability Standard CIP- 006-1 as mandatory and enforceable. In addition, we propose to direct the ERO to develop modifications to this Reliability Standard. Further, the Commission also proposes to require the ERO to consider various other matters of clarification, guidance, and modification. In our discussion below, we address our concerns in the following topic areas regarding CIP-006-1: (1) Physical security plan; (2) physical access controls and monitoring physical access controls; (3) physical security breach; and (4) maintenance and testing. a. Physical Security Plan 207. Requirement R1.1 of CIP-006-1 addresses processes that a responsible entity must include in its physical security plan to ensure that all cyber assets within an electronic security perimeter also reside within an identified physical security perimeter. The CIP Assessment noted that Requirement R1.1 anticipates that there may be instances where a completely enclosed border cannot be established and that, in such instances, the responsible entity shall deploy and document ``alternative measures'' to control physical access to the critical cyber assets. It cautioned, however, that Requirement R1.1 does not provide guidance on how an alternative measure should be identified or determined to be adequate. 208. SPP recognizes the CIP Assessment concern with Requirement R1.1, but disagrees that the language of the Requirement needs revision. SPP maintains that while the Reliability Standard prescribes what must be done, it does not and should not prescribe how a particular Requirement is to be implemented. SPP states that NERC's FAQ document offers suggestions on how to physically secure critical cyber assets when they cannot be enclosed within a restricted access six-wall boundary. Progress Energy agrees with the CIP Assessment that NERC should provide guidance on how an alternative measure would be identified or determined adequate. However, Progress Energy contends that this guidance should not be in the Reliability Standard itself, but rather in an interpretive document like a FAQ document. Commission Proposal 209. The Commission's current view is that the phrase ``alternative measures'' as referenced in Requirement R1.1 should be interpreted to be a Requirement exception.\92\ Under this Requirement, the responsible entity is required to deploy and document alternative measures if a completely enclosed ``six-wall'' border cannot be established to control physical access to the critical cyber assets. However, the Requirements do not provide guidance on how an alternative measure should be identified or determined to be adequate. Therefore, the Commission proposes to direct the ERO to treat the allowance of ``alternative measures'' as ``interim actions'' developed and implemented as part of a mitigation plan under a ``technical feasibility'' exception. --------------------------------------------------------------------------- \92\ The Commission's discussion elsewhere in this NOPR, relating to discretion to make exceptions to a Requirement based on technical feasibility applies here. --------------------------------------------------------------------------- [[Page 43994]] b. Physical Access Controls and Monitoring Physical Access Controls 210. The CIP Assessment noted that Requirement R2 of the Reliability Standard requires the use of at least one of four listed physical access control methods, but does not require or suggest that the method(s) employed to control physical access consider the characteristics of the access point at issue and the criticality of the asset being protected.\93\ Requirement R3 requires monitoring at each access point to the physical security perimeter, including alarm systems and/or human monitoring. For both Requirement R2 and Requirement R3, a responsible entity can choose whether to implement single or multiple access control methods and monitoring devices. The CIP Assessment suggested that, consistent with a defense in depth strategy, a layered approach would increase the complexity of an intrusion by requiring that multiple security provisions be circumvented. The CIP Assessment further suggested that such an approach would provide redundancy in case one system requires maintenance or unexpectedly fails to function as expected. --------------------------------------------------------------------------- \93\ CIP Assessment at 29. --------------------------------------------------------------------------- 211. Xcel, FirstEnergy and others agree that redundancy and the number of layers should be a function of a reasonable risk assessment and good utility practice, which provide an objective basis for measuring compliance. They also state that unnecessary redundancy would take funds and resources away from the assets that need the elaborate redundancy. 212. Xcel agrees with the CIP Assessment that defense in depth is an optimal strategy, but states that it is not always practical. For example, Xcel notes that where a substation has cyber security equipment inside a control building surrounded by a fence, it may not be worth the cost or administrative burden to install fence detection equipment at a remote substation. 213. FirstEnergy agrees with the CIP Assessment that Requirement R2 should include a process for identifying the criticality of critical cyber assets and a process for applying an appropriate number of layers based on criticality. NERC and ReliabilityFirst point out that, throughout the Reliability Standards, assets are classified as either critical or non-critical, with no subjectivity involved in determining their ``level'' of criticality. They suggest that all assets classified as critical must be afforded the same level of protection, regardless of their location or perceived level of criticality. Consequently, they believe the specific implementation of protection must be functionally equivalent and sufficient at all locations. Commission Proposal 214. We do not believe that the proposal to require a minimum of two different security procedures creates an unreasonable burden. We believe that a responsible entity must, at a minimum, implement two or more different security procedures when establishing a physical security perimeter. Use of a minimum of two different security procedures will, for example, enable continuous security protection when one of the security protection measures is undergoing maintenance and provides redundant security protection in the event that one of the measures is breached. Therefore, while the Commission recognizes that there is a point at which implementing multiple layers of defense becomes an unreasonable burden to responsible entities, the Commission proposes to direct the ERO to modify this Reliability Standard to state that a responsible entity must, at a minimum, implement two or more different security procedures when establishing a physical security perimeter around critical cyber assets. c. Physical Security Breach 215. The CIP Assessment noted that Reliability Standard CIP-006-1 does not include actions to be taken in response to a physical security breach. Thus, the CIP Assessment suggested that the physical security plan specify responsibilities and required communication in such an event. 216. California PUC states that CIP-006-1 is sound, except that it does not require a plan in the contingency of a physical security breach. California PUC suggests that a guideline for such a plan should be incorporated into this Reliability Standard. Commission Proposal 217. Below, the Commission proposes, in CIP-008-1, to direct the ERO to develop and include (in CIP-008-1) language regarding what should be included in the term ``reportable incident.'' The Commission proposes to direct the ERO, when it develops its language in Reliability Standard CIP-008-1 on the term ``reportable incident,'' to include a breach that may occur through cyber or physical means. Thus, the Commission expects that the issue of a physical security breach will be fully addressed through that proposed modification and no revision of CIP-006-1 is needed to address this issue. d. Maintenance and Testing 218. Requirement R6, which requires a maintenance and testing program, to ensure that all physical security systems under Requirements R2, R3, and R4 function properly, is critical for the overall success of CIP-006-1. The CIP Assessment explained that, if the system's outer physical security perimeter fails to secure critical assets, the electronic access controls may be rendered ineffective. The CIP Assessment questioned whether consideration should be given to testing the more important physical security mechanisms and systems more frequently, with testing and maintenance records maintained for the full three-year testing cycle. 219. NERC and ReliabilityFirst reiterate that the Reliability Standards do not make a distinction between levels of criticality. These commenters assert that testing of more important systems cannot be performed, because all critical assets have the same level of criticality. Xcel states that a more frequent testing of the physical security perimeter is not needed because most of the equipment will be used on a weekly basis. Xcel maintains that since the equipment will be in regular use, a Requirement for additional testing of the equipment appears redundant. 220. SPP agrees with the CIP Assessment, stating that a three-year inspection cycle of physical access control is too infrequent if a critical asset has high potential impact on reliability and where such testing is not inconvenient. SPP argues that, while it may be appropriate to test the physical access controls at a remote substation once every three years, the physical access controls at a generating plant and a control center can and should be tested far more frequently. FirstEnergy also agrees with the CIP Assessment, stating that more frequent testing should be required for critical facilities, but that the Requirement should specify the form of testing that will be considered adequate. Commission Proposal 221. Currently, Requirement R6 of CIP-006-1 requires that responsible entities implement maintenance and testing programs of physical security systems on a cycle no longer than three years and retain testing and maintenance records for the same cycle. In addition, Requirement R6 requires retention of outage records of certain physical security systems for a [[Page 43995]] minimum of one year. The Commission agrees with SPP that maintenance and testing of physical security systems should occur more frequently than once every three years. However, the Commission also agrees with SPP that such testing at remote substations should be allowed less frequently. Therefore, the Commission proposes to direct the ERO to modify this Reliability Standard to require that: (1) A readily accessible critical cyber asset be tested every year with a one-year record requirement for the retention of testing, maintenance, and outage records; and (2) a non-readily accessible critical cyber asset be tested in a three-year cycle with a three-year record retention requirement. The Commission believes that this approach provides an appropriate assurance that security measures for geographically dispersed physical assets are functioning properly. e. Commission Proposal Summary 222. In summary, the Commission proposes to approve Reliability Standard CIP-006-1 as mandatory and enforceable. In addition, the Commission proposes to direct the ERO, pursuant to section 215(d)(5) of the FPA and Sec. 39.5(f) of our regulations, to develop modifications to CIP-006-1 through its Reliability Standards development process that require that: (1) The ERO treats the allowance of ``alternative measures'' referenced in Requirement R1.1 as ``interim actions'' developed and implemented as part of a mitigation plan under a ``technical feasibility'' exception; (2) a responsible entity must, at a minimum, implement two or more different security procedures when establishing a physical security perimeter around critical cyber assets; (3) the ERO, when it develops its language in Reliability Standard CIP-008-1 on the term ``reportable incident,'' include a breach that may occur through cyber or physical means; (4) a readily accessible critical cyber asset be tested every year with a one-year requirement for the retention of testing, maintenance, and outage records; and (5) a non-readily accessible critical cyber asset be tested in a three-year cycle with a three-year record retention requirement. 6. CIP-007-1--Systems Security Management 223. The Purpose statement in Reliability Standard CIP-007-1 states that it requires responsible entities to define methods, processes and procedures for securing those systems determined to be critical cyber assets, as well as the non-critical cyber assets within the electronic security perimeter(s). 224. The CIP Assessment explained that this Reliability Standard deals primarily with changes made to the operating control system \94\ and verification that such changes will not inadvertently have adverse effects.\95\ The CIP Assessment noted that the operating control system is vulnerable during the testing process for an indeterminate period of time prior to the installation of a patch, and an attacker could exploit the vulnerability. It explained that contracts with vendors present another security challenge. Service contracts typically provide that the vendor will test patches before allowing an entity to install them on its operating control system. The contracts also typically prohibit installation before the vendor verifies the patch, at risk of voiding the warranty. It explained that the time involved in the testing and installation of a patch may provide an attacker a window of opportunity to exploit the vulnerability that the patch is designed to prevent. --------------------------------------------------------------------------- \94\ The term ``operating control system'' is used in this NOPR to represent the control system used to control critical assets in real time, as opposed to backup, training, or duplicate control systems. \95\ CIP Assessment at 31. --------------------------------------------------------------------------- 225. Another challenge the CIP Assessment identified is ensuring that the test environment accurately approximates and mirrors the operating control system. It noted that an inaccurate test environment can allow potential failures of the new product to go undetected. It noted that some entities may not have the resources to maintain a backup system, let alone a duplicate of their operating control system. 226. The Commission proposes to approve Reliability Standard CIP- 007-1 as mandatory and enforceable. In addition, we propose to direct the ERO to develop modifications to this Reliability Standard. In our discussion below, the Commission addresses its concerns in the following topic areas regarding CIP-007-1: (1) Test procedures; (2) ports and services; (3) security patch management; (4) malicious software prevention; (5) security status Monitoring; (6) disposal or redeployment; (7) cyber vulnerability assessment; and (8) documentation review and maintenance. a. Test Procedures 227. Requirement R1 of CIP-007-1 requires a responsible entity to ensure that new cyber assets and significant changes to existing cyber assets within the electronic security perimeter do not adversely affect existing cyber security controls. Responsible entities must create, implement, and maintain cyber security test procedures in a manner that minimizes adverse effects on the production system or its operation. They must document that testing is performed in a manner that reflects the production environment and must document test results. 228. The CIP Assessment suggested that Requirement R1.2 should require the responsible entity to document how each significant difference between the operation and testing environments is considered and addressed.\96\ --------------------------------------------------------------------------- \96\ CIP Assessment at 32. --------------------------------------------------------------------------- 229. NERC and ReliabilityFirst comment that any test environment that has a ``significant difference'' from the production environment is not a true ``reflection'' of the production requirement, as required by the Reliability Standard. National Grid states that the need for and amount of testing will depend on the nature of the change that needs to be implemented. Flexibility to assess each situation is necessary to determine the type of testing required. National Grid states that it may not be possible to establish an isolated testing environment for all security upgrades because cyber assets in production operate continuously. A responsible entity therefore may need to take substantial steps to configure a test environment, such as taking an entire substation out of service. Commission Proposal 230. If a testing environment does not accurately reflect the operational environment, testing of systems may not be adequate to judge impacts on reliability. While, ideally, testing should be conducted on a precise duplicate of the production system, the Commission acknowledges that this is not always possible. When it is not, any differences between the test environment and the production system should be documented. In addition, the Commission believes that responsible entities should address to the satisfaction of senior management these differences and how they propose to mitigate the impact of any differences between the testing environment and the production system. Therefore, the Commission proposes to direct the ERO to modify Requirement R1 and its subparts to require documentation of each significant difference between the testing and the production environments, and how each such difference is mitigated or otherwise addressed. [[Page 43996]] b. Ports and Services 231. Requirement R2 of CIP-007-1 requires a responsible entity to establish a process to ensure that only those ports and services required for normal and emergency operations are enabled and all others are disabled. 232. The CIP Assessment stressed that the requirement to ``disable other ports and services'' is a basic building block of a cyber security program, and that it is a generally recognized security practice to assume a ``deny all'' stance (i.e., disabling all ports and services first) before opening the various ports that are needed only for operations. The CIP Assessment expressed concern that Requirement R2.3 allows a responsible entity to ``accept risk'' rather than take mitigating action where unused ports and services cannot be disabled due to ``technical limitations.'' This Requirement specifies that the responsible entity must either document (1) compensating measures to mitigate exposure or (2) an ``acceptance of risk.'' The CIP Assessment noted that in situations where technical limitations prevent unused ports and services from being disabled and risk can at best be mitigated, acceptance of risk appears to mean acceptance of vulnerabilities without further action. The CIP Assessment suggested that clear guidance is needed to explain limited circumstances for its use, and warned that accepting risk could potentially become an exception from compliance that permits unacceptable risks. 233. NERC and ReliabilityFirst comment that many situations exist where ports and services must be left open due to operating system requirements, the requirements of equipment manufacturers or vendors or the lack of information from vendors that is necessary to determine if a port or service can be disabled. APPA/LPPC agree with the CIP Assessment that closing unused ports is generally a good business practice, but they disagree that it should be mandated. They state that in some cases there may be sound technical reasons why an unused port cannot be closed. They further comment that this Requirement is acceptable as written because it allows the responsible entity to use reasonable business judgment. Commission Proposal 234. In section II.A.5.b above, the Commission discusses the problems presented by acceptance of risk. For the reasons discussed there, the Commission proposes to direct the ERO to eliminate the acceptance of risk language from Requirement R2.3. At the same time, the Commission proposes to leave intact the exception for ``technical limitations.'' However, the Commission believes that the ``technical limitations'' language of Requirement R2.3 raises the same concerns here as the ``technical feasibility'' language referenced in section II.A.5.b. While an exception for ``technical limitations'' may be appropriate, it must include the same conditions as discussed in the context of ``technical feasibility.'' Accordingly, we propose that the same conditions and reporting requirements should apply here. Thus, the Commission proposes to direct the ERO to revise Requirement R2 and its subparts to reflect our determinations discussed above to remove the ``acceptance of risk'' language and to impose the same conditions and reporting requirements here for ``technical limitations'' as imposed elsewhere in this NOPR regarding ``technical feasibility.'' c. Security Patch Management 235. Requirement R3 of CIP-007-1 requires a responsible entity to establish and document a security patch management program for tracking, evaluating, testing and installing applicable cyber security software patches for all cyber assets within an electronic security perimeter. Among other things, a responsible entity must document the implementation of security patches. Where a patch is not installed, the responsible entity must document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk. 236. The CIP Assessment acknowledged that compensating measures are necessary at times, especially when patches require vendor support, but also expressed concern that Requirement R3.2 permits a wide variation of processes for patching a system when it allows an ``acceptance of risk'' in lieu of mitigating risk exposure through a patching program. The CIP Assessment asserted that an effective Reliability Standard cannot simply offer a responsible entity a choice between installing a patch or accepting the risk of not doing so, and that at least some form of mitigation should always be possible. 237. NERC and ReliabilityFirst believe that ``acceptance of risk'' is not a permanent solution but would be used during a period where testing and other required upgrades may be accomplished. In addition, they and other commenters are concerned about implementing language in the Reliability Standard that would seem to require installation of patches on platforms where patches cannot be implemented due to architecture, operating environment or warranty issues. Allegheny states that if patches were not applied, it is highly unlikely there would not be some form of mitigation available such as physical protection and/or firewalls. It also states that compensating measures should be in place before there is an acceptance of risk. SoCal Edison states that acceptance of the risk of non-compliance should be clearly documented so that an auditor can see the rationale for this decision. 238. PG&E comments that older devices have a limited modification capability, and as a result the responsible entity must balance the risk of replacing devices that currently operate with new, untested, and potentially inadequate devices. Commission Proposal 239. The Commission has discussed acceptance of risk above and, because those remarks and proposals apply equally here, we propose that the ``acceptance of risk'' language must be removed here also.\97\ With the exception of references to acceptance of risk, the Commission considers the provisions of Requirement R3 to be acceptable and appropriate. Patch management must be weighed in light of the risks involved, with senior management involved in the decision. As discussed under Recommendation 33 of the Blackout Report,\98\ using the most up- to-date patches that deal specifically with security vulnerabilities is of the utmost importance, provided it does not degrade the system and the patch does not create more vulnerability than the problem it is intended to fix. --------------------------------------------------------------------------- \97\ See supra discussion in section II.A.5.b. \98\ See Blackout Report at 164, Recommendation 33. --------------------------------------------------------------------------- d. Malicious Software Prevention 240. Requirement R4 of CIP-007-1 requires responsible entities to use anti-virus and other malicious software prevention tools. The CIP Assessment noted that Reliability Standard CIP-007-1 does not provide any direction on how to implement this type of protection or where it should be deployed, and that care must be taken to implement and test malicious code protection in order to avoid harm to the operating control system. The CIP Assessment pointed out that the Reliability Standard could suggest the use of a multi-layer, defense in depth strategy, to forestall or detect an attacker's penetration of the electronic security.\99\ --------------------------------------------------------------------------- \99\ CIP Assessment at 33. --------------------------------------------------------------------------- [[Page 43997]] 241. Requirement R4 requires the responsible entity to use anti- virus software and malicious software prevention tools where ``technically feasible.'' The CIP Assessment questioned this phrase as allowing unnecessary discretion to opt out of Requirement R4. It noted that Requirement R4.1 raises the same concerns regarding the phrase ``acceptance of risk'' as in Requirement R3.2, this time in connection with cases where anti-virus software and malicious software prevention tools are not installed. The CIP Assessment noted a lack of direction in the Reliability Standard and sought comment on what types of compensating measures are available and what would be an adequate justification for accepting risk. 242. In response to the CIP Assessment observation that Requirement R4 does not provide any direction on how to implement anti-virus protection or where it should be deployed, NERC and ReliabilityFirst comment that the Reliability Standards are performance based; that they do not specify how to perform a function, only that the Requirement must be met. This comment is similar to the suggestion addressed in Order No. 672,\100\ that, ``in general, a Reliability Standard should address the `what' and not the `how' of reliability and that the actual implementation of a Reliability Standard should be left to entities such as control area operators and system planners * * *.'' \101\ NERC and ReliabilityFirst conclude that, while the responsible entity must implement a solution that meets the Requirement, it should not be restricted with regard to how to do so. Thus, they argue the Reliability Standard should remain silent as to whether the anti-virus solution is implemented at the electronic security perimeter border, on an in-line device, or on the critical cyber asset itself, so long as the implemented solution meets the stated requirement. --------------------------------------------------------------------------- \100\ FERC Stats. & Regs. ] 31,204 at P 260. \101\ In Order No. 672, the Commission immediately followed this general statement with the caution that, ``in other situations, however, the `how' may be inextricably linked to the Reliability Standard and may need to be specified by the ERO to ensure the enforcement of the Reliability Standard.'' Order No. 672 at P 265. --------------------------------------------------------------------------- 243. In response to the CIP Assessment comment that the Reliability Standard does not suggest the use of a multi-layered, defense in depth strategy through the use of various products from multiple vendors, NERC and ReliabilityFirst state that a multi-layered defense may be appropriate in a best practice document, but not in a mandatory Reliability Standard. Commission Proposal 244. The Commission has discussed the issues of defense in depth, technical feasibility, and risk acceptance elsewhere above in this NOPR. The remarks and proposals there apply equally to the issue of malicious software prevention. Therefore, the ``acceptance of risk'' language must be removed here, and the same conditions and reporting requirements regarding ``technical feasibility'' that apply elsewhere are applicable here. In addition, the Commission proposes to direct the ERO to modify Requirement R4 to include safeguards against personnel introducing, either maliciously or unintentionally, viruses or malicious software in to a cyber asset within the electronic security perimeter through remote access, electronic media, or other means. e. Security Status Monitoring 245. Requirement R6 of CIP-007-1 requires responsible entities to ensure that all cyber assets within the electronic security perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security. Among other things, a responsible entity must maintain logs of system events related to cyber security, where technically feasible, to support incident response as required in Reliability Standard CIP- 008-1. Logs must be retained for 90 calendar days, and the responsible entity must review logs of system events related to cyber security and maintain records documenting review of logs. 246. The CIP Assessment questioned the need to limit Requirement R6.3, which requires logs of system events related to cyber security to support incident reporting, as specified in CIP-008-1, to situations where this is ``technically feasible.'' The CIP Assessment also raised concerns about the record retention requirements for Requirements R6.3 and R6.4, which pertain to logs of cyber security-related system events used to identify reportable incidents and to support incident response, as required in CIP-008-1. It noted that, depending upon the frequency of log review, the 90-day period specified may be inadequate and that frequent review of logs would facilitate the early detection of reportable incidents. It also would ensure that current data are available for forensics. The CIP Assessment sought comment on whether the Reliability Standard should address the frequency and scope of the review of system event logs related to cyber security that is required by Requirement R6.5. It also noted the lack of guidance on how data should be saved, backed up and stored where computerized cyber incident monitoring and logging is performed. 247. Several commenters state that all devices of interest do not have the capability to create logs or that they may not provide the capability to capture ``security related'' information. They state that many installed devices in power plants and substations do not have log generation capability. If there is no capacity to generate logs, then it is technically infeasible to maintain logs. 248. NERC and ReliabilityFirst comment that generated logs from remote locations may not be readily collected for frequent review. In many cases, the telecommunications infrastructure connecting these remote locations cannot support the rapid and frequent collection of log data, especially if it is voluminous. The remote location of some sites makes frequent visits to collect and store log data impractical. 249. SPP recommends that logs be transferred in real time to a separate logging system to mitigate the risk of a successful attack destroying evidence of the intrusion. Where possible, the log should be readable separately from the device that created it or the device should be able to continue logging while in playback mode. Wisconsin Electric submits that cyber security logs should be reviewed with the frequency necessary to identify a cyber security incident within the timeframe established in the entity's cyber security incident response plan. The cyber security logs should be stored in a manner that assures that information is protected as required in CIP-003-1 and that it is available through the 90-day retention period. Commission Proposal 250. We have discussed the issue of technical feasibility. Our remarks and proposals there apply equally to the technical feasibility of monitoring and logging of system events related to cyber security. 251. The Commission agrees with the CIP Assessment and Wisconsin Electric that logs should be reviewed with the frequency necessary to ensure timely identification of a cyber security incident. Simply reviewing logs at the end of the retention period will not ensure an appropriate level of security because it does not permit effective response to all incidents. We note that [[Page 43998]] this issue of log review touches on Blackout Report Recommendation 35, which addresses network monitoring, and Recommendation 37 which addresses diagnostic capabilities.\102\ The Commission therefore proposes to direct the ERO to revise Requirement R6 to include a requirement that logs be reviewed on a weekly basis for readily accessible critical assets and reviewed within the retention period for assets that are not readily accessible. This direction should be completed consistent with our discussion above regarding ``readily accessible'' assets.\103\ Accessibility should take into account both physical remoteness and available communications channels. We would expect control centers to fall within the ``readily accessible'' category. --------------------------------------------------------------------------- \102\ See Blackout Report at 165-166, Recommendations 35 and 37. \103\ See section II.B.4.c (Monitoring Access Logs) in this NOPR. --------------------------------------------------------------------------- 252. The Commission also proposes to direct the ERO to revise Requirement R6.4 to clarify that while the retention period for all logs specified in Requirement R6 is 90 days, the retention period for logs mentioned in Requirement R6.3 for the support of incident response as required in CIP-008-1 is the retention period required by CIP-008-1, i.e., three years. Requirement R6.4 is somewhat unclear and could be read to suggest that the 90 day period also applies to logs kept for purposes of CIP-008-1, and such an interpretation would conflict with the Requirements of that Reliability Standard. f. Disposal or Redeployment 253. Requirement R7 of CIP-007-1 requires the responsible entity to establish formal methods, processes and procedures for disposal or redeployment of cyber assets. The CIP Assessment noted that erasing alone may not be adequate because technology exists that allows retrieval of ``erased'' data from storage devices, and that effective protection requires discarded or redeployed assets to undergo high quality degaussing.\104\ --------------------------------------------------------------------------- \104\ CIP Assessment at 34-35. To degauss is to demagnetize. Degaussing a magnetic storage medium removes all data stored on it. --------------------------------------------------------------------------- 254. Allegheny and SPP agree with the CIP Assessment that erasing alone may be inadequate because technology currently exists that allows retrieval of ``erased'' data from storage devices. SPP also states that if the magnetic media is being disposed of, physical destruction of the media is also an appropriate technique to render it unreadable. 255. NERC and ReliabilityFirst state that any method that fails to ``prevent unauthorized retrieval of sensitive cyber security or reliability data'' does not satisfy the Requirement. Likewise, APPA/ LPPC believe that it is clear from the Requirement that ``erase'' means that there is no opportunity for unauthorized retrieval of data from a cyber asset prior to discarding it or redeploying it. They caution against being overly prescriptive regarding the exact process that responsible entities must use to meet this Requirement. Commission Proposal 256. The Commission agrees with commenters that degaussing is not the sole means for achieving the goal of the requirement. As noted by commenters, the issue is less one of erasure, which is as much a method as it is a goal, than of assuring that there is no opportunity for unauthorized retrieval of data from a cyber asset prior to discarding it or redeploying it. The Commission therefore proposes to direct the ERO to modify this Requirement to clarify this point. g. Cyber Vulnerability Assessment 257. Requirement R8 of CIP-007-1 requires a responsible entity to perform a cyber vulnerability assessment of all cyber assets within the electronic security perimeter at least annually. The CIP Assessment noted that this Requirement provides little direction on what features, functionality, and vulnerabilities responsible entities should focus on in a vulnerability assessment. The CIP Assessment pointed out that a poorly chosen vulnerability assessment process could result in a false sense of security. The CIP Assessment also noted that while Requirement R8.4 requires development of an action plan to remediate or mitigate vulnerabilities identified in the assessment, it does not provide a timeframe for completion of the action plan.\105\ --------------------------------------------------------------------------- \105\ CIP Assessment at 35. --------------------------------------------------------------------------- 258. Several commenters state that a responsible entity must determine the approach it will implement based on its own level of sophistication and its internal tolerance for risk. These commenters state that every environment and implementation is different, and any additional specificity would be impossible to describe for all possible situations, and, consequently, would not be productive. NERC and ReliabilityFirst state that requiring a specific timeframe for completion of an action regardless of its complexity serves no useful purpose because the timeframe will depend on the actions required. They maintain that the requirement to document the ``execution status'' of the action plan serves to keep the action plan on track. 259. ISA Group states that experience shows that most companies do not know what devices have actually been installed in the field. It maintains that a requirement for a detailed walk-down of all critical cyber assets should be mandatory for an acceptable vulnerability assessment. Progress and Xcel comment that the scope of the vulnerability test should be clearly defined. Commission Proposal 260. The Commission believes that vulnerability testing is a valuable tool in determining whether actions that were taken to shore up the security posture of the electronic security perimeter and other areas of responsibility are in fact adequate. The Blackout Report recognized the importance of vulnerability assessments in Recommendation 38 that called for vulnerability assessment activities to identify weaknesses and mitigating actions.\106\ The Commission believes, as noted by NERC and ReliabilityFirst, that execution status is a good means to keep the action plan on track. Therefore, the Commission proposes to require that the ERO provide more direction on what features, functionality, and vulnerabilities the responsible entities should address when conducting the vulnerability assessments, and to revise Requirement R8.4 to require an entity-imposed timeline for completion of the already-required action plan. --------------------------------------------------------------------------- \106\ See Blackout Report at 167, Recommendation 38. --------------------------------------------------------------------------- h. Documentation Review and Maintenance 261. Requirement R9 of CIP-007-1 requires the responsible entity to review, update and maintain all documentation needed to support compliance with the Requirements of CIP-007-1 at least annually. Changes resulting from modifications to the systems or controls must be documented within 90 calendar days of the change. The CIP Assessment expressed the view that the 90-day timeframe for updating documentation appears excessively long, especially when one considers that this Reliability Standard establishes a line of defense for protecting critical cyber assets and that up-to-date documentation is essential in case of an emergency. 262. NERC and ReliabilityFirst state that the 90-day time period is appropriate, given the nature and type of facilities and their locations, [[Page 43999]] particularly in light of the potential need for internal reviews and approvals by a number of people or groups of people before a documentation change can be effected. ReliabilityFirst adds that the 90-day period also takes into account possible management changes or extended time out of the office. Commission Proposal 263. The Commission proposes to direct the ERO to modify Requirement R9 to state that the changes resulting from modifications to the system or controls shall be documented within a 30-day time period. We believe that the planning and engineering of system and control modifications require sufficient lead time to enable the documentation of such modifications to take place within a 30 calendar day timeframe. i. Commission Proposal Summary 264. In summary, the Commission proposes to approve Reliability Standard CIP-007-1 as mandatory and enforceable. In addition, the Commission proposes to direct the ERO, pursuant to section 215(d)(5) of the FPA and Sec. 39.5(f) of our regulations to develop modifications to CIP-007-1 through its Reliability Standards development process that: (1) Modify Requirement R1 and its subparts to require documentation of each significant difference between the testing and the production environments, and how each such difference is mitigated or otherwise addressed; (2) revise Requirement R2 and its subparts to remove the ``acceptance of risk'' language and apply the same conditions and reporting requirements here for ``technical limitations'' as imposed elsewhere in this NOPR for ``technical feasibility;'' (3) remove the ``acceptance of risk'' provision from Requirement R3 and R4; (4) modify Requirement R4 to include safeguards against personnel introducing, either maliciously or unintentionally, viruses or malicious software to a cyber asset within the electronic security perimeter through remote access, electronic media, or other means; (5) ensure that references to ``technical feasibility'' in CIP- 007-1 are subject to the same conditions and reporting requirements discussed elsewhere; (6) revise Requirement R6 to include a requirement that logs be reviewed on a weekly basis for readily accessible critical assets and reviewed within the retention period for assets that are not readily accessible; (7) revise Requirement R6.4 to clarify that while the retention period for all logs specified in Requirement R6 is 90 days, the retention period for logs mentioned in Requirement R6.3 for the support of incident response as required in CIP-008-1 is the retention period required by CIP-008-1, i.e., three years; (8) revise Requirement R7 of the Reliability Standard to clarify that the issue is less one of erasure than of assuring that there is no opportunity for unauthorized retrieval of data from a cyber asset prior to discarding it or redeploying; (9) provide more direction on what features, functionality, and vulnerabilities the responsible entities should address when conducting the vulnerability assessments; (10) revise Requirement R8.4 to require an entity-imposed timeline for completion of the already-required action plan; and (11) revise Requirement R9 to state that the changes resulting from modifications to the system or controls shall be documented in within 30 days. 7. CIP-008-1--Incident Reporting and Response Planning 265. Proposed Reliability Standard CIP-008-1 requires a responsible entity to identify, classify, respond to, and report cyber security incidents related to critical cyber assets. Specifically, Requirement R1 of CIP-008-1 requires responsible entities to develop and maintain an Incident Response Plan that addresses responses to a cyber security incident. The plan should characterize and classify pertinent events as reportable cyber security incidents and provide corresponding response actions. The response actions should include: (1) The roles and responsibilities of the incident response teams, (2) procedures for handling incidents, and (3) associated communication plans. In addition, cyber security incidents must be reported to the ESISAC either directly or through an intermediary. The Incident Response Plan should be reviewed and tested at least annually. Changes to the Incident Response Plan are to be documented within 90 days. Responsible entities must retain documentation related to reportable cyber security incidents for a period of three years. 266. The Commission proposes to approve Reliability Standard CIP- 008-1 as mandatory and enforceable. In addition, we propose to direct the ERO to develop modifications to this Reliability Standard. In our discussion below, the Commission addresses its concerns in the following topic areas regarding CIP-008-1: (1) Definition of a reportable incident; (2) reporting; and (3) full operational exercises and lessons learned. a. Definition of a Reportable Incident 267. The CIP Assessment noted that Requirement R1 of CIP-008-1 makes reference to reportable cyber security incidents, but it does not provide a definition of a ``reportable incident.'' Consequently, cyber security incidents may go unreported depending upon a responsible entity's interpretation of a ``reportable incident.'' \107\ --------------------------------------------------------------------------- \107\ CIP Assessment at 36. The CIP Assessment recognized that NERC's FAQ document answers the question of ``what is a reportable incident?'' by referencing definitions in the ESISAC Indications, Analysis, and Warnings Program guidelines document entitled ``Indications, Analysis and Warnings Program Standard Operating Procedure'' and the Department of Energy Form OE 417 Report entitled ``Electric Emergency Incident and Disturbance Report.'' However, since these materials are not incorporated into the proposed CIP Reliability Standards, CIP-008-1 remains ambiguous in this regard. North American Electric Reliability Council, Frequently Asked Questions (FAQs) Cyber Security Standards CIP-002-1 through CIP-009- 1, March 6, 2006, page 27, question 1. --------------------------------------------------------------------------- 268. NERC and ReliabilityFirst affirm the CIP Assessment concern, stating that each responsible entity is required to develop the required procedures for the determination of a reportable incident. They add that the definition of a reportable incident is currently undergoing extensive industry debate. 269. A number of commenters state that FERC should require NERC to clarify what types of cyber security incidents are ``reportable incidents.'' National Grid points out that the Commission should seek to ensure that any further interpretation of what is considered a reportable incident be consistent with the reporting obligations of utilities under the DOE Form 417. Allegheny suggests that, in order to maintain consistency, the DOE Form 417 reporting requirements should be referenced as part of the Reliability Standard. Progress Energy, on the other hand, states that such increased specificity is not possible and would be subject to constant revision in response to ever-changing incidents or threats to cyber systems. Commission Proposal 270. The Commission believes that guidance regarding what should be included in the term ``reportable incident'' can be provided. The Blackout Report pointed out the need for ``uniform standards for the reporting and sharing of physical and cyber security incident information'' in Recommendation 42.\108\ As NERC and ReliabilityFirst state, the definition of a ``reportable incident'' is currently undergoing extensive industry debate. [[Page 44000]] This debate can be a catalyst for developing an appropriate level of guidance. As noted in the NERC Glossary, a ``cyber security incident'' is defined as a compromise, or an attempt to compromise, the electronic security perimeter or physical security perimeter of a critical asset. The Commission proposes to direct the ERO to: (1) Develop and include in CIP-008-1 language that takes into account a breach that may occur through cyber or physical means; \109\ (2) harmonize, but not necessarily limit, the meaning of the term reportable incident with other reporting mechanisms, such as DOE Form 417; (3) recognize that the term should not be triggered by ineffectual and untargeted attacks that proliferate on the internet; and (4) ensure that the guidance language that is developed results in a Reliability Standard that can be audited and enforced. --------------------------------------------------------------------------- \108\ See also Blackout Report at 168, Recommendation 42. \109\ The Commission emphasizes that a cyber security incident that does not result in a material loss of physical assets should not prevent the incident from being reported. --------------------------------------------------------------------------- b. Reporting 271. CIP-008-1, Requirement R1.3, requires that each responsible entity establish a process for reporting cyber security incidents to the ESISAC. The responsible entity must ensure that all reportable cyber security incidents are reported to the ESISAC either directly or through an intermediary. 272. ESISAC procedures require the reporting of a cyber incident within one hour of a suspected malicious incident. However, compliance with ESISAC's Indications, Analysis and Warnings Program (IAW) Standard Operating Procedure (SOP) is voluntary. The CIP Assessment noted the importance of other responsible entities receiving timely information regarding a reportable cyber security incident, so they can take precautions against being the target of a similar incident. The CIP Assessment stated that, depending upon the nature of the incident, timelines of incident reporting may be critical. It expressed concern with regard to the voluntary nature of the one-hour reporting requirement associated with ESISAC's IAW SOP. Therefore, the CIP Assessment requested comment on whether CIP-008-1 should incorporate ESISAC's one-hour reporting limit or another reporting interval that would provide adequate time for another responsible entity to take meaningful precautions. 273. NERC and ReliabilityFirst agree that rapid reporting is desirable. However, they state that imposing a specific time period is not advisable because, when an event occurs, the need to meet a reporting deadline should not be the entity's primary concern, rather restoration of operations must take precedence. NERC and ReliabilityFirst state that ESISAC's IAW SOP is intentionally not a part of this Reliability Standard, and is classified as a guideline, because it has not been through the ERO standards development process. These commenters believe the requirement is to report incidents to the ESISAC, with the implication that an established ESISAC reporting protocol is to be used. 274. APPA/LPPC do not believe that incorporating the ESISAC one- hour reporting limit or any other deadline would provide adequate time for another responsible entity to take meaningful precautions to prevent a cyber attack. Cyber attacks are designed to occur nearly simultaneously in more than one location. Thus, even an extremely short deadline, such as one minute, is unlikely to provide other responsible entities time to take precautions. Nonetheless, APPA/LPPC suggest that, if a deadline is prescribed, it should run from the discovery of the incident by the responsible entity, and not from the occurrence of the incident. 275. Several commenters argue against any time limit for reporting security incidents. They believe the requirement to report such incidents to the ESISAC is sufficient. Wisconsin Electric notes that using the same one-hour limit in CIP 008-1 as in the ESISAC IAW SOP would not represent a new performance threshold to the industry. Commission Proposal 276. The Commission believes that the ESISAC one-hour reporting limit is reasonable and proposes that it be incorporated into CIP 008- 1. We reach this conclusion for several reasons. First, although it is true that cyber attacks against different entities could occur simultaneously, it would still be extremely useful to those attempting to defend against those attacks to know what kind of threat they are dealing with. The fact that simultaneous attacks are directed at other entities would be important information about the nature of the attacks. 277. Second, while the Commission agrees that, in the aftermath of a cyber attack, restoring the system is the utmost priority, we do not believe that sending this short report would be a time consuming distraction, and we judge that its probative value would justify the minimal time spent in making this report. 278. Third, the Commission disagrees with commenters that believe that a reporting limit will not provide others with time for responsive action to mitigate other potential Cyber Security Incidents. While a reporting time limit may not allow such mitigation in every situation, it very well could allow such mitigation in many situations. 279. Fourth, although ESISAC's time limit is voluntary, a one hour NERC reporting time limit would match up with the ESISAC reporting time limit and, thus, would avoid conflicting requirements and would not cause any new reporting burden. 280. Thus, the Commission proposes to direct the ERO to modify CIP- 008-1 to require a responsible entity to contact appropriate government authorities and industry participants in the event of a Cyber Security Incident as soon as possible, but, in any event, within one hour of the event, even if it is a preliminary report. While we leave development of the details to NERC, the Commission agrees with APPA/LPPC that the reporting timeframe should run from the discovery of the incident by the responsible entity, and not the occurrence of the incident. c. Full Operational Exercises and Lessons Learned 281. The CIP Assessment stated that the annual testing of the Incident Response Plan should require full operational exercises due to the potential for such exercises to uncover unforeseen complications.\110\ In addition, it indicated that CIP-008-1 does not require documentation or reassessment of a plan's adequacy as a result of lessons learned from testing or in response to specific issues. --------------------------------------------------------------------------- \110\ CIP Assessment at 37. --------------------------------------------------------------------------- 282. NERC and ReliabilityFirst state that there are many instances in substations or power plants where backup or fully functional test systems do not exist, making a full operational exercise an extremely risky proposition. Because of this, NERC and ReliabilityFirst believe that a universal requirement for a full operational exercise may be unduly disruptive and burdensome to reliable operations, and represent a threat to the overall reliability of the Bulk-Power System. NERC and ReliabilityFirst believe that table-top exercises are sufficient to test the effectiveness of an Incident Response Plan. Several commenters agree. Ontario IESO posits that there is no evidence that a paper drill would be materially inferior to an operational exercise. [[Page 44001]] 283. A number of commenters believe that requiring a full operational exercise during the three-year documentation cycle and paper drills during the other two years should provide the desired benefits of testing the Incident Response Plan. An actual incident response would satisfy the need for a full operational exercise during a three-year cycle. One commenter, the ISA Group, believes that full operational exercises should be mandated at least yearly. Wisconsin Electric states that, if full drills become a requirement, they should be conducted every five years, with paper drills only when the process or procedure is created or changed. 284. Several commenters note that there may be a significant benefit in executing an operational exercise over a paper drill, but note that an operational exercise also can require expensive back-up systems and may unnecessarily risk damaging system functionality in case of an error or unforeseen system effect. Georgia System believes each responsible entity has to determine whether the incremental benefit from a yearly exercise is worth the costs and reliability risks associated with the exercise. MidAmerican states it could support full operational exercises for a limited number of critical assets, with paper exercises for the remaining facilities. National Grid suggests that operational drills are more appropriate for actual recovery plans under CIP-009-1, and paper drills are more than adequate to assess whether the response plans under CIP-008-1 identify and alert the right responders. Xcel Energy is concerned that operational drills (like vulnerability tests) could cause an inadvertent disruption to EMS and SCADA systems. 285. NERC and ReliabilityFirst state that collection and maintenance of lessons learned, and plan improvement are included in the ``update'' language of Requirement R1.4. Allegheny states that documentation and implementation of lessons learned is a critical part of any incident response or drill. As such, Allegheny believes the need to maintain a collection of lessons learned as a result of testing the Incident Response Plan and to apply them to plan improvements is necessary to ensure response plans remain viable. Wisconsin Electric submits that lessons learned from incident response exercises should be documented as well as audited for completion of any enhancements to the process. Commission Proposal 286. We understand from commenters that annual testing may be costly and disruptive. Nonetheless, periodic operational drills are important because they may reveal weaknesses, vulnerabilities, and opportunity for improvement that a paper drill would not identify. The Commission agrees with the commenters that suggest that a full operational exercise should be performed at least once every three years, and that tabletop exercises are sufficient for the other two years. We believe this strikes an appropriate balance between the benefits of executing an operational exercise and the associated costs and potential risks of misoperations. Therefore, the Commission proposes to direct the ERO to revise the Reliability Standard to require responsible entities to perform a ``full operational exercise'' at least once every three years, or to fully document its reason for not conducting an exercise in full operational mode pursuant to the technical feasibility parameters discussed earlier in section II.A.5.b. Further, the Commission proposes to direct the ERO to provide guidance on the meaning of the term ``full operational exercise.'' \111\ --------------------------------------------------------------------------- \111\ We address the meaning of the term ``full operational exercise'' in section II.B.8.c below. --------------------------------------------------------------------------- 287. The Commission believes that industry will benefit from a requirement to document and implement lessons learned from testing or responses to actual cyber security incidents. Although NERC and ReliabilityFirst suggest that this is included in the ``update'' language of Requirement R1.4, we believe that the Reliability Standard would be improved by making a ``lessons learned'' requirement explicit. Therefore, the Commission proposes to direct that the ERO refine CIP- 008-1, Requirement R2 to require responsible entities to maintain documentation of paper drills, full operational drills, and responses to actual incidents, all of which must include lessons learned. The Commission also proposes to direct the ERO to include language to require revisions to the Incident Response Plan to address these lessons learned. d. Commission Proposal Summary 288. In summary, the Commission proposes to approve Reliability Standard CIP-008-1 as mandatory and enforceable. In addition, the Commission proposes to direct the ERO, pursuant to section 215(d)(5) of the FPA and Sec. 39.5(f) of our regulations to develop modifications to CIP-008-1 through its Reliability Standards development process that: (1) Develop and include language regarding the term ``reportable incident'' that takes into account a breach that may occur through cyber or physical means; (2) harmonize, but not necessarily limit, the meaning of the term reportable incident with other reporting mechanisms, such as DOE Form 417; (3) recognize that the term ``reportable incident'' should not be triggered by ineffectual and untargeted attacks that proliferate on the internet; (4) ensure that the guidance language that is developed results in a Reliability Standard that can be audited and enforced; (5) require a responsible entity to contact appropriate government authorities and industry participants in the event of a Cyber Security Incident as soon as possible, but at least within one hour of the event, even if it is a preliminary report; (6) require responsible entities to perform a ``full operational exercise'' at least once every three years, or to fully document its reason for not conducting an exercise in full operational mode pursuant to the technical feasibility parameters discussed earlier herein and provide guidance on the meaning of the term ``full operational exercise;'' (7) refine Requirement R2 to require responsible entities to maintain documentation of paper drills, full operational drills, and responses to actual incidents, all of which must include lessons learned; and (8) require revisions to the Incident Response Plan to address the lessons learned. 8. CIP-009-1--Recovery Plans for Critical Cyber Assets 289. The purpose of proposed Reliability Standard CIP-009-1 is to ensure that recovery plans for critical cyber assets are in place and following established business continuity and disaster recovery techniques and practices. This Reliability Standard establishes required development, updating, and testing of recovery plans, as well as storage and testing of associated backup data and backup media. 290. The Commission proposes to approve Reliability Standard CIP- 009-1 as mandatory and enforceable. In addition, we propose to direct the ERO to develop modifications to this Reliability Standard. Further, the Commission also proposes to require the ERO to consider various other matters of clarification, guidance, and modification. In our discussion below, the Commission addresses its concerns in the following topic areas regarding CIP-009-1: (1) Recovery plans; (2) forensic data collection; (3) operational exercises; (4) recovery plan updates; (5) backup and storage of restoration data and (6) testing of backup media. [[Page 44002]] a. Recovery Plans 291. Requirement R1 of CIP-009-1 requires the responsible entity to create and annually review recovery plans for critical cyber assets. The CIP Assessment expressed concern that the ``events or conditions of varying duration and severity that would activate the recovery plan(s)'' language is very general and does not provide or require a definition of what constitutes a precipitating event or triggering condition necessary for recovery plan implementation. 292. NERC, MidAmerican, Xcel, and Allegheny comment that providing additional detail will limit the scope of potential ``precipitating events'' addressed by recovery plans, and will not provide for the needed flexibility. NERC states that the determination of which events warrant a recovery plan is intentionally left to the discretion of responsible entities. Wisconsin Electric and others agree with the CIP Assessment that additional clarification should be added to this Requirement. Commission Proposal 293. The Commission shares the concern that ``precipitating events'' are readily recognized by responsible entities so that recovery plans are promptly implemented. While we do not propose to require modifications regarding the ``events and conditions'' language at this time, we do note that Requirement R1 fails to state that the plans it requires must be implemented when needed. That is, it requires that recovery plans must be ``created and reviewed'' but does not explicitly require actual implementation when the ``events or conditions of varying duration and severity'' occur. We propose to direct the ERO to modify to CIP-009-1 to include this requirement. In the interim period, the Commission will infer that implementation is embodied in this Requirement when enforcing it; i.e., if an entity has the required recovery plan but does not implement it when the anticipated event or conditions occur, the entity will not be in compliance with this Reliability Standard. b. Forensic Data Collection 294. The CIP Assessment pointed out that Requirement R1 does not provide guidance on whether and how the recovery plans should preserve data for forensics purposes. In particular, Requirement R1 does not specify whether forensics collection should occur prior to, contemporaneously with, or after recovery of the critical cyber assets. 295. NERC, ReliabilityFirst, and PG&E assert that there are no Bulk-Power System reliability issues associated with forensic data collection, and that there is a possibility that collection of forensic data could impede the restoration of cyber assets, which in turn could affect the reliable operation of the Bulk-Power System. NERC comments that each entity must consider the balance between data collection and actions required to rapidly restore the electric power transmission. NERC states that after-the-fact recovery of incident data cannot be assumed to be technically possible on legacy equipment and that, therefore, it cannot be a requirement. Georgia System stresses that restoring the Bulk-Power System should remain the foremost objective of all immediate efforts, over issues of data collection. 296. Allegheny comments that forensics collection should also be addressed within this range of plans. Noting again that one size does not fit all in regards to scenarios for recovery planning, Allegheny says that forensic collection should be addressed in each of the plans that addresses the various scenarios. Commission Proposal 297. The Commission is concerned that Requirement R1 of CIP-009-1 does not require the collection of forensics data and does not address how such collection activities relate to restoration of service efforts. The Commission believes that concern for the reliability of the Bulk-Power System requires attention to forensics data collection. The Blackout Report also emphasized the need to improve forensics and diagnostic capabilities in Recommendation 37.\112\ Obtaining forensic data will benefit the long-term reliability of the Bulk-Power System because the lessons learned from one event assist in eliminating or dealing with a repeat (or similar) event. Forensic data collection procedures could be as minimal as preserving a corrupted drive, making a data mirror of the system before proceeding with recovery, or taking the important assessment steps necessary to avoid reintroducing the precipitating or corrupted data. Technical capabilities to do so will likely vary with the facility, and many legacy systems present considerable technical limitations in this regard. In the interest of ``raising the bar'' above what the least capable equipment can do to collect forensic data, the Commission proposes to direct the ERO to modify CIP-009-1 to incorporate use of good forensic data collection practices into this CIP Reliability Standard. --------------------------------------------------------------------------- \112\ See Blackout Report at 166, Recommendation 37. --------------------------------------------------------------------------- 298. In addition, we agree with commenters that recovery of critical cyber assets and the Bulk-Power System is of short-term critical importance, and information collection efforts should not impede or restrict system restoration. Nonetheless, it is also important to long-term reliability interests that responsible entities make solid forensic efforts in a given situation, such as collecting the data immediately after system restoration or the recovery of critical cyber assets, if that is what can be done. We recognize that collecting forensic data may not be ``technically feasible'' for all situations due to equipment limitations, such as older substation installations with little electronic monitoring. Therefore, we suggest that forensic data collection is an appropriate candidate for the ``where technically feasible'' exception clause, where, if invoked, the responsible entity would be required to propose interim actions, milestone schedules, and a mitigation plan, as described elsewhere in this NOPR. We agree with commenters that the recovery plans should include forensic data collection procedures. Therefore, we propose to direct the ERO, when incorporating the use of good forensic data collection practices into this Reliability Standard, to make clear that such practices should not impede or restrict system restoration and to consider whether it is necessary to include a ``technical feasibility'' provision. c. Operational Exercises 299. Requirement R2 of CIP-009-1 requires the responsible entity to exercise recovery plans at least annually, and that such exercise can range from a paper drill, to a full operational exercise, to recovery from an actual incident. The CIP Assessment asked whether full operational exercises should be required to aid in identifying potential problems and in realizing opportunities for improving recovery plans.\113\ --------------------------------------------------------------------------- \113\ CIP Assessment at 38. --------------------------------------------------------------------------- 300. NERC and others believe that table-top exercises (or paper drills) are sufficient, and consistent with accepted practice used to test blackstart procedures. NERC cautions that full operational exercises may be extremely risky because many substations or power plants do not have backup or fully functional test systems. NERC, therefore, believes that a universal requirement for full operational [[Page 44003]] exercises may be unduly disruptive and burdensome to reliable operations. 301. ISA Group and others support required periodic operational testing of restoration plans. California PUC recommends annual testing through a full operational exercise; and Allegheny supports operational exercises on a three-year cycle. Wisconsin Electric suggests that a one-time full operational test of the process would be beneficial. Georgia Operators supports periodic operational testing, with the caveat that each entity should determine whether the benefit is worth the costs and reliability risks associated with such an exercise. MidAmerican states that it could support full operational exercises for a limited number of critical assets. Commission Proposal 302. The Commission agrees with the commenters that stress the benefits of operational exercises; i.e., that potential problems, some of which could significantly impair reliability, will not be found without them. We do not believe that table-top exercises alone, on an ongoing basis, will suffice, given the increasing complexity and interconnection of control systems. Some commenters acknowledge the benefits of operational exercises, but believe they should occur only on a limited basis. We agree with this approach, with the cautionary note that technical feasibility and risks must be carefully weighed with the possible benefits. We acknowledge that some infrastructure facilities exist for which even limited operational exercises present unsuitable reliability risks. However, we conclude that benefits from operational exercises are sufficient that the industry as a whole should develop suitable operational exercises in the course of evolving good cyber security practices. 303. Accordingly, the Commission proposes to direct the ERO to develop modifications to the Reliability Standard through its Reliability Standards development process to require a full operational exercise once every three years (unless an actual incident occurs), but to permit reliance on table-top exercises annually in other years. Further, we propose, in conjunction with the above proposed modification, that the ERO consider the appropriateness of a ``technical feasibility'' option, in the limited fashion proposed earlier in this NOPR.\114\ For example, CIP-009-1 could be modified to allow for partial operational exercises, reduced from ``full operational exercises,'' only to the extent a responsible entity explains and documents, for a particular substation or a particular generating plant, technical infeasibility with the requisite interim actions, milestone schedules, and a mitigation plan, as described elsewhere in this NOPR. --------------------------------------------------------------------------- \114\ See section II.A.5.b (Technical Feasibility and Acceptance of Risk). --------------------------------------------------------------------------- 304. We note that NERC points out a lack of clarity of the term ``full operational exercise.'' The Commission agrees and therefore proposes to direct the ERO, in conjunction with making the above modifications, to either define in its Glossary the term ``full operational exercise'' or provide more direction directly in the Reliability Standard as to the parameters of the term. As NERC and ReliabilityFirst note, many operational exercise practices include table-top components in significant proportions. d. Recovery Plan Updates 305. Requirement R3 requires the responsible entity to update the recovery plans to reflect any changes or lessons learned from an exercise or the recovery from an actual event. It requires plan updates to be communicated to the personnel responsible for activating or implementing the recovery plan within 90 days of the change. The CIP Assessment noted that individuals responsible for activation and implementation of process changes in the recovery plans must have the most current information available, and questions whether a 90-day time lag is consistent with this objective. 306. NERC comments that a shorter time frame is impractical due to the number, kind and location of assets, especially field assets. Santa Clara agrees with the CIP Assessment that recovery plans must be updated as soon as possible after an event, but also states that 90 days is reasonable for completion of training for all affected personnel. Santa Clara notes that it may not be feasible to include all shift schedules of personnel in training sessions in a timeline shorter than 90 days. 307. ISO/RTO Council agrees with the CIP Assessment that that updates to such documents generally can be performed sooner than 90 days. ISO/RTO Council suggests that timely updating should be a formal component of any assessment or review process, especially with regard to after-the-fact analyses and timely application of lessons learned. ISA Group states that a 90-day time lag to activate or implement process changes in recovery plans after deficiencies are discovered is not acceptable. ISA Group suggests up to one week to identify any process workarounds and 30 days to modify equipment as necessary. Commission Proposal 308. Requirement R3 of CIP-009-1 requires that updates to a recovery plan be communicated within 90 days to the personnel responsible for activating or implementing the recovery plan. The Commission is concerned that individuals responsible for activating and implementing the recovery plan must have the most current information available, and believes that a 90-day time lag between when a weakness in a recovery plan is discovered and when it is corrected and communicated to such responsible personnel is too long. Failure for such responsible personnel to have current information about a recovery plan could cause unnecessary delay in restoring critical cyber assets to service and thereby jeopardize the reliability of the Bulk-Power System. Therefore, the Commission proposes to direct the ERO to modify Requirement R3 of CIP-009-1 to shorten the timeline for updating recovery plans to 30 days, while continuing to allow up to 90 days for completing the communications of that update to responsible personnel. We believe a 30 day requirement for updating the recovery plans will promote timely incorporation of lessons learned during exercises and actual events. While key personnel should be informed as soon as possible, we agree with SPP and others that 90 days is reasonable for the completion of personnel training sessions, due to varied shifts schedules and other feasibility issues with regard to facility and organization. e. Backup and Storage of Restoration Data 309. Requirement R4 requires that a recovery plan include processes and procedures for the backup and storage of information necessary to successfully restore critical cyber assets. The CIP Assessment asserted that the Requirement should specify that, when significant changes are made to the operational control system, a backup should be made for recovery purposes and that it should be tested as part of the system change before it is stored and assumed to be operational. 310. NERC and ReliabilityFirst state that this concern is mitigated by the generally accepted practice of maintaining multiple generations of backup. NERC states that ``backup made for recovery purposes'' is contained in the ``supporting configuration management activities'' clause of CIP-003-1, Requirement R6. [[Page 44004]] 311. Progress Energy agrees with the CIP Assessment that a backup should be tested before it is stored, but believes that the frequency of testing should be left to the discretion of the responsible entity. SPP asserts that backups should be routinely and regularly backed up, not just upon a significant change to the configuration. SPP notes that a properly configured backup and restoration testing process obviates the need to make special backups upon occurrence of the significant changes to existing critical assets defined by CIP-007-1, Requirement R1. Commission Proposal 312. The Commission proposes to instruct the ERO to modify this Reliability Standard to incorporate guidance that the backup and restoration processes and procedures required by Requirement R4 should include, at least with regard to significant changes made to the operational control system, verification that they are operational before the backups are stored or relied upon for recovery purposes. 313. The Commission agrees with NERC that preserving multiple generations of restoration backups is common practice, and believes that competent and complete implementation of the CIP Reliability Standards would tend to include testing of recovery backups as they are created, also as a matter of good, efficient practice. However, we disagree with NERC that exercising these good practices is contained in, implied by, or readily understood from Requirement R6 of CIP-003-1. Adding language, such as ``these procedures are to include practices to test and verify the operability of the backup before it is stored and relied upon for recovery,'' would eliminate this ambiguity. As stated above, in our discussion of the change control processes required by Requirement R6 of CIP-003-1, the Commission reiterates its position, that there is a need for enhanced direction in issues related to proper change control. The CIP Reliability Standards should specifically state that a change control process should include procedures for a tested backup. No backups of any kind are mentioned in CIP-003-1, Requirement R6. f. Testing of Backup Media 314. Requirement R5 requires annual testing of information stored on backup media to ensure information essential to recovery is available. The CIP Assessment noted the criticality of such information being accessible in the event of an actual incident, noted that the Reliability Standard does not specify any actions to be taken in the event of a failure in testing, and asked whether such testing should also be conducted on a more frequent basis. 315. NERC and ReliabilityFirst comment that, since the Reliability Standards cannot predict what technology will be used, they should not specify actions in response to testing. They believe that routine use of backups will serve to exercise the media more often than the specified one-year test. Likewise, Georgia System states that annual testing is more than adequate, even unnecessary, if no significant changes were made to the system; and more prescriptive Reliability Standards should be developed only if experience shows that discretion exercised in implementation of the Reliability Standards is abused. 316. Santa Clara agrees with the CIP Assessment that testing of information stored on backup media is crucial to the integrity of those backup systems. It submits that such testing could be done on a periodic basis, and in an ``off-line'' mode if necessary. Santa Clara has found it beneficial to maintain more than one set of backups so that, if the latest backup fails, the previous backup has been tested and validated, leaving a ``Plan B'' restoration solution available until the latest backup system is corrected. 317. Constellation adds that review of the backup and recovery plans is implicit if the annual review of the Cyber Security Policy already required by the CIP Reliability Standards is performed competently. SPP agrees that restoration testing is only one part of a more comprehensive backup plan, noting that the entity needs to have procedures to verify backups are successfully completed every cycle, and procedures for when the backup fails. SPP points out that failure to notice that a backup process has failed poses a far greater risk than infrequency of testing, as long as the backup process is properly managed. Commission Proposal 318. The Commission agrees with commenters that, if these CIP Reliability Standards are implemented in a full and competent manner, then adequate backup verification measures will probably be in place. Reliability Standards, however, demand a higher degree of certainty. The proposed Reliability Standards do not provide the guidance that SPP offers--that responsible entities need to have procedures to verify backups are successfully completed every cycle and to have recovery procedures in place for when the backup fails. The Commission agrees with SPP on this point. 319. The Commission proposes to direct the ERO to modify this Reliability Standard to provide direction that backup practices include regular procedures to ensure verification that backups are successful and backup failures are addressed, thus guaranteeing that backups are available for future use. Insertion of language such as, ``backup procedures are to include regular verification of successful completion and procedures to address backup failures'' would satisfy this goal. We agree that inability to recognize the failure of a backup process poses a great risk, and that the annual restoration testing in this Requirement is adequate as long as the backup process is properly managed. g. Commission Proposal Summary 320. In summary, the Commission proposes to approve Reliability Standard CIP-009-1 as mandatory and enforceable. In addition, the Commission proposes to direct the ERO, pursuant to section 215(d)(5) of the FPA and Sec. 39.5(f) of our regulations to develop modifications to CIP-009-1 through its Reliability Standards development process that: (1) Clarify Requirement R1 to make clear that the required recovery plans must be implemented when the ``events or conditions of varying duration and severity'' occur; (2) incorporate use of good forensic data collection practices, and make clear that such practices should not impede or restrict system restoration and to consider whether it is necessary to include a ``technical feasibility'' provision with the parameters discussed above; (3) define in the NERC glossary the term ``full operational exercise'' or provide more direction directly in the Reliability Standard as to the parameters of the term; (4) require a full operational exercise once every three years (unless an actual incident occurs), but to permit reliance on table-top exercises annually in other years and consider the appropriateness of a technical feasibility option in connection with modified operational exercises; (5) shorten the timeline to updating recovery plans to 30 days, while continuing to allow up to 90 days to communicate those updates to responsible and affected personnel; (6) incorporate guidance that the backup and restoration processes and procedures required by Requirement R4 should include, at least with regard to significant changes made to the operational control system, verification that they are operational before the backups are stored or relied [[Page 44005]] upon for recovery purposes; and (7) provide direction that backup practices include regular procedures to ensure verification that backups are successful and available for future use. C. Violation Risk Factors 1. Background 321. In a separate filing, NERC submitted over 1,000 Violation Risk Factors, including 162 that correspond to Requirements of the proposed CIP Reliability Standards.\115\ While the Commission has addressed the Violation Risk Factors that correspond to the Requirements of the Commission-approved Reliability Standards, NERC requested that the Commission take action on the Violation Risk Factors when it takes actions on the associated Reliability Standards.\116\ Accordingly, the Commission will address the Violation Risk Factors that correspond to the CIP Reliability Standards in this proceeding. --------------------------------------------------------------------------- \115\ See NERC's March 23, 2007 filing in Docket No. RR07-10- 000, Exh. A. \116\ See North American Electric Reliability Corporation, 119 FERC ] 61,145 (2007) (May 18 Order) (approving and modifying Violation Risk Factors). --------------------------------------------------------------------------- 322. As part of its compliance and enforcement program, the ERO will use a three-step process to determine a monetary penalty for a standard violation. In the first of these steps, the ERO or Regional Entity will set an initial range for the base penalty amount for the violation. In order to accomplish this, the ERO or the Regional Entity will consider the applicable Violation Risk Factor \117\ and Violation Severity Level \118\ in the ``base penalty amount table'' in Appendix A to NERC's Sanction Guidelines. According to NERC, the base penalty amount table adds a measure of certainty for those subject to penalties and assists the ERO in executing its penalty authority. --------------------------------------------------------------------------- \117\ A Violation Risk Factor of lower, medium, or high is assigned to each Requirement of each mandatory Reliability Standard to associate a violation of the Requirement with its potential impact on the reliability of the Bulk-Power System. \118\ For each Requirement of a Reliability Standard, NERC will define up to four Violation Severity Levels-lower, moderate, high, and severe--as measurements of the degree to which a Requirement is violated. In a June 7, 2007 order, the Commission approved NERC's proposal to apply the current Levels of Non-Compliance in lieu of Violation Severity Levels, while NERC develops a comprehensive set of Violation Severity Levels by March 1, 2008. North American Electric Reliability Corp., 119 FERC ] 61,248 (2007). --------------------------------------------------------------------------- 323. NERC states that a Violation Risk Factor has been assigned to each Requirement of the Version 1 Reliability Standards to delineate the relative risk to the Bulk-Power System associated with the violation of each Requirement, and the Violation Risk Factors do not change the meaning or intent of the Reliability Standards. NERC explains that it has defined the following three levels of Violation Risk Factors: (1) High risk requirement; (2) medium risk requirement; and (3) lower risk requirement.\119\ --------------------------------------------------------------------------- \119\ See May 18 Order at P 9 (providing the complete definition of each level of Violation Risk Factor). --------------------------------------------------------------------------- 2. Commission Proposal 324. In reviewing the proposed Violation Risk Factor assignments, the Commission has used the same guidelines it applied when evaluating NERC's submission of Violation Risk Factors as discussed in the May 18 Order. Specifically, to determine whether the proposed Violation Risk Factor assignments appropriately indicate the potential or expected impact to the reliability of the Bulk-Power System, the Commission considered: (1) Consistency with the conclusions of the Final Report on the August 14, 2003 Blackout in the United States and Canada, (2) consistency within a Reliability Standard, i.e., among sub- and main Requirements of the same Reliability Standard, (3) consistency among Reliability Standards with similar Requirements, (4) consistency with NERC's proposed definition of the Violation Risk Factor level, and (5) assignment of a Violation Risk Factor level to those Requirements in certain Reliability Standards that co-mingle a higher risk reliability objective and a lesser risk reliability objective.\120\ --------------------------------------------------------------------------- \120\ See May 18 Order at P 16-36. We also note that the May 18 Order explained that this list is not necessarily comprehensive. The Commission retains the flexibility to consider additional guidelines in the future. Id. at n.12. --------------------------------------------------------------------------- 325. Based on the application of these guidelines, and for the reasons explained below, the Commission proposes to approve the 162 proposed Violation Risk Factor assignments that correspond to the Requirements of the CIP Reliability Standards and direct NERC to revise 43 of them. In addition, the Commission notes that NERC did not assign Violation Risk Factors to the following nine Requirements and proposes to direct NERC to make these Violation Risk Factor assignments and file them for Commission approval: CIP-002-1 Requirement R3.1 CIP-003-1 Requirement R4.1 CIP-003-1 Requirement R5.1.2 CIP-004-1 Requirement R2.2.2 CIP-004-1 Requirement R2.2.3 CIP-005-1 Requirement R1.5 CIP-007-1 Requirement R5.1 CIP-007-1 Requirement R5.3.3 CIP-007-1 Requirement R7 326. NERC has assigned a ``lower'' designation to almost 85 per cent of the Violation Risk Factors corresponding to the Requirements of the CIP Reliability Standards. No Requirements received a ``higher'' Violation Risk Factor assignment. By definition, a ``lower'' Violation Risk Factor assignment means that the Requirement is administrative in nature where a violation of the Requirement would not be expected to affect the electrical state, capability, monitoring or control of the Bulk-Power System. The Commission believes that NERC has mischaracterized many of the Requirements as ``administrative,'' resulting in a ``lower'' Violation Risk Factor assignment, where in fact a ``medium'' or ``high'' designation is more appropriate. 327. For example, CIP-002-1 Requirement R2, which requires the identification of assets that are critical to the Bulk-Power System, is assigned a ``lower'' Violation Risk Factor. While the product of the Requirement is a list of critical assets, this is clearly not an administrative Requirement. In fact, the failure to properly identify critical assets could place the Bulk-Power System at an unacceptable risk or restoration efforts could be hindered. Further, this Requirement has a controlling effect over all of the CIP Reliability Standards that follow. If an asset is critical and is not identified as such, the remaining CIP Reliability Standards will not be applied. Depending on the asset that is overlooked, and consequently not protected by the standards, a ``higher'' level of Bulk-Power System failure is possible. Thus, by NERC's definition, this Requirement should have a ``higher'' Violation Risk Factor assignment. In addition, the recommendations related to physical and cyber security contained in the Blackout Report,\121\ while largely addressed by the proposed CIP Reliability Standards, would essentially be thwarted if a responsible entity does not comply with Requirements R2 and R3 of CIP-002-1. Accordingly, we are proposing to direct NERC to modify this Requirement to denote a ``higher'' Violation Risk Factor assignment. --------------------------------------------------------------------------- \121\ Blackout Report at 163-169, Recommendations 32-44. --------------------------------------------------------------------------- 328. Similarly, CIP-002-1 Requirement R3, which requires the identification of cyber assets that are essential to the operation of critical Bulk-Power System assets, has a ``medium'' Violation Risk Factor assignment. By definition, a ``medium'' Violation Risk Factor assignment means that the Requirement is unlikely, under [[Page 44006]] emergency, abnormal, or restoration conditions to lead to Bulk-Power System instability, separation, or cascading failures, nor to hinder restoration to a normal condition. However, if this Requirement is violated, the Bulk-Power System could in fact be at an unacceptable risk of failure or restoration efforts could be hindered. Further, this Requirement has a controlling effect over all of the CIP Reliability Standards that follow. As with CIP-002-1 Requirement R2, depending on the asset that is overlooked, and consequently not protected by the Reliability Standards, a higher level of Bulk-Power System failure is possible. Also, proper compliance with CIP-002-1, Requirement R3 is essential to the ability of the proposed CIP Reliability Standards to satisfy the recommendations of the Blackout Report.\122\ Thus, by NERC's definition this Requirement should have a ``higher'' Violation Risk Factor assignment. Accordingly, we are proposing to direct NERC to modify this Requirement to denote a ``higher'' Violation Risk Factor assignment. --------------------------------------------------------------------------- \122\ Id. --------------------------------------------------------------------------- 329. The other modifications that the Commission is proposing to direct NERC to move the Violation Risk Factor from a ``lower'' to a ``medium'' assignment. The Commission's primary reason for directing these changes is to promote implementation of the recommendations contained in the Blackout Report; to establish consistency within a Reliability Standard, i.e., among sub- and main Requirements of the same Reliability Standard; and consistency across Reliability Standards. 330. The Commission proposes to approve the proposed Violation Risk Factor assignments filed by NERC and proposes to direct NERC to modify the Violation Risk Factors corresponding to the Requirements as illustrated in the attached list of proposed disposition actions for the proposed Violation Risk Factors. 331. We propose to direct NERC to submit a filing containing these modifications within 60 days of the date of the Final Rule. We also propose to direct NERC to include in its filing a complete Violation Risk Factor matrix. The matrix should also include assignments for the missing Violation Risk Factor assignments discussed above. III. Information Collection Statement 332. The Office of Management and Budget (OMB) Regulations require that OMB approve certain reporting and recordkeeping (collections of information) imposed by an agency.\123\ The information collection requirements proposed in this NOPR are identified under the Commission data collection, FERC-725B ``Mandatory Reliability Standards for Critical Infrastructure Protection.'' These proposed information collections will be submitted to OMB for review under section 3507(d) of the Paperwork Reduction Act of 1995.\124\ In addition, OMB regulations require OMB to approve certain reporting and recordkeeping requirements imposed by agency rule.\125\ --------------------------------------------------------------------------- \123\ 5 CFR 1320.11. \124\ 44 U.S.C. 3507(d). \125\ 5 CFR 1320.11. --------------------------------------------------------------------------- 333. The ``public protection'' provisions of the Paperwork Reduction of 1995 requires each agency to display a currently valid control number and inform respondents that a response is not required unless the information collection displays a valid OMB control number on each information collection or provides a justification as to why the information collection control number cannot be displayed. In the case of information collections published in regulations, the control number is to be published in the Federal Register. 334. Public Reporting Burden: The Commission developed its estimate of burden based upon the CIP Reliability Standards as proposed by NERC. The CIP Reliability Standards include only one actual reporting requirement. Specifically, CIP-008-1 requires responsible entities to report cyber security incidents to ESISAC. In addition, the eight CIP Reliability Standards require responsible entities to develop various policies, plans, programs and procedures. For example, each responsible entity must develop and document a risk-based assessment methodology to identify critical assets, which is then used to develop a list of critical cyber assets (CIP-002-1). A responsible entity that identifies any critical cyber assets must also document: a cyber security policy (CIP-003-1); a security awareness program (CIP-004-1, Requirement R1); a personnel risk assessment program (CIP-004-1, Requirement R3); an electronic security perimeter and processes for control of electronic access to all electronic access points to the perimeter (CIP-005-1, Requirements R1 and R2); a physical security plan (CIP-006-1); procedures for securing certain cyber assets (CIP-007-1); and recovery plans for critical cyber assets (CIP-008-1). The above is not an exhaustive list and, in addition, the CIP Reliability Standards require responsible entities to maintain various lists and access logs. 335. The CIP Reliability Standards do not require a responsible entity to report to the Commission, ERO or Regional Entities the various policies, plans, programs and procedures. However, the documentation of the policies, plans, programs and procedures must be available to demonstrate compliance with the CIP Reliability Standards. The Commission has included the cost of developing the required documentation for the required policies, plans, programs and procedures in its burden estimate. The Commission, however, did not include in our burden estimate the cost of substantive compliance with the CIP Reliability Standards, separate from the requirements to develop specific documentation. In formulating our estimate of the reporting burden, the Commission has been guided by several factors. Number of Entities: As of April 2007, NERC identified 1,266 registered entities in the United States. The Applicability section of each CIP Reliability Standard specifies nine categories of users, owners and operators of the Bulk-Power System (as well as NERC and the Regional Entities) that must comply with the CIP Reliability Standards. The nine categories of users, owners and operators are based on the categories of functions identified in the NERC Functional Model. Based on a review of NERC's registration list, the Commission estimates that approximately 1,000 entities will be required to comply with the CIP Reliability Standards. Variations in Compliance Burden: The Commission's estimate is based on all 1,000 entities documenting an assessment methodology to identify critical assets and critical cyber assets pursuant to CIP-002-1. As explained above, only those entities that identify critical cyber assets pursuant to CIP-002-1 are responsible to comply with the requirements of CIP-003-1 through CIP-009-1. Accordingly, the cost burden estimate differs for those entities that identify critical cyber assets and those that do not. Further, the reporting burden would vary with the number of critical cyber assets identified pursuant to CIP-002-1. An entity that identifies numerous critical cyber security assets, including assets located at remote locations, will likely require more resources to develop its policies, plans, programs and procedures compared to an entity that identifies one or two critical cyber assets, housed at a single location. Based on this distinction, the [[Page 44007]] Commission has developed separate estimates for large investor-owned utilities and other responsible entities such as municipals, generators and cooperatives. Customary Practices: Prior to the development of CIP-002-1 through CIP-009-1, NERC approved through its urgent action process a cyber security standard known as ``UA-1200,'' which applied to entities ``such as control areas, transmission owners and operators, and generation owners and operators.'' UA-1200 addressed a number of the same reporting burdens as the CIP Reliability Standards at issue in this proceeding. For example, UA-1200 required the creation and maintenance of a cyber security policy, the identification of ``critical cyber assets,'' and the development of a cyber security training program. Thus, entities that voluntarily complied with UA-1200 will continue these practices when the mandatory CIP Reliability Standards are in effect. Further, many entities, including those that did not comply with UA-1200, typically have followed certain practices specified in the CIP Reliability Standards. The Commission believes that practices such as conducting cyber security training, having procedures for whom to contact in case of a cyber security incident, and developing a plan for how to restore a computerized control system should it fail are usual and customary practices in the electric industry and others. The Commission has taken such customary practices into account when estimating the reporting burden. Time Period: The CIP Reliability Standards were approved by the NERC board in May 2006, with a designated effective date of June 1, 2006.\126\ The proposed implementation schedule submitted with the CIP Reliability Standards plans for responsible entities to be ``auditably compliant'' with most requirements by mid-2010 or later. Mid-2010 is four years after CIP Reliability Standards went into effect. Therefore, the Commission developed an annual burden estimate by dividing total costs by 4 years. --------------------------------------------------------------------------- \126\ Although NERC designated an effective date of June 1, 2006, the CIP Reliability Standards are not mandatory and enforceable, i.e., subject to penalties for non-compliance, until they are approved by the Commission. ---------------------------------------------------------------------------------------------------------------- Number of Number of Hours per Total annual Data collection respondents responses response hours ---------------------------------------------------------------------------------------------------------------- FERC-725B Large investor-owned utility................ 155 1 2,080 322,400 Others, including munis and coops........... 795 1 1,000 795,000 Entities that have not identified critical 50 1 160 8,000 cyber assets............................... --------------------------------------------------------------- Totals.................................. .............. .............. .............. 1,125,400 ---------------------------------------------------------------------------------------------------------------- Information Collection Costs: The Commission seeks comments on the costs to comply with these requirements. It has projected the costs to be: Large investor-owned utility = 322,400 hours@$88 = $28,371,200. Others, including munis and coops = 795,000 hours@$88 = $69,960,000 Entities that have not identified critical cyber assets = 8,000 hours@$88 = $704,000. Because auditably compliant status is not required for many requirements until mid-2010, the Commission has projected the costs over a four-year period. On an annual basis the costs will be ($28,371,200 + $69,960,000 + $704,000)/4 years = $24,758,800 per year. The hourly rate of $88 is a composite figure of the average cost of legal services ($200 per hour), technical employees ($39.99 per hour) and administrative support ($25 per hour), based on hourly rates from the Bureau of Labor Statistics (BLS). Using the May 2006 OES Industry- Specific Occupational Employment and Wage Estimates, the median hourly rate wage estimate for a computer software engineer is $39.99.\127\ --------------------------------------------------------------------------- \127\ See http://www.bls.gov/oes/current/naics2_22.htm. --------------------------------------------------------------------------- Title: Mandatory Reliability Standards for Critical Infrastructure Protection. Action: Proposed collection. OMB Control Number: To be determined. Frequency of responses: On occasion. Necessity for information: As discussed above, EPAct 2005 adds a new section 215 to the FPA, which requires a Commission-certified ERO to develop mandatory and enforceable Reliability Standards, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced by the ERO subject to Commission oversight, or the Commission can independently enforce Reliability Standards. Pursuant to section 215 of the FPA, the Commission proposes in this NOPR to approve eight Critical Infrastructure Protection (CIP) Reliability Standards submitted to the Commission for approval by NERC. The CIP Reliability Standards require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets. The information collections proposed in this NOPR are needed to protect the electric industry's Bulk-Power System against malicious cyber attacks that could threaten the reliability of the Bulk-Power System. 336. Internal Review: The Commission has reviewed the CIP Reliability Standards proposed for approval in this NOPR and has made a preliminary determination that the proposed CIP Reliability Standards are necessary to safeguard the integrity of the nation's Bulk-Power System. The Commission has assured itself, by means of its internal review, that there is specific, objective support for the burden estimate associated with the information requirements (FERC-725B ``Mandatory Reliability Standards for Critical Infrastructure Protection'') proposed to be imposed by this NOPR. 337. Interested persons may obtain information on the reporting requirements by contacting the following: Federal Energy Regulatory Commission, 888 First Street, NE., Washington, DC 20426 (Attention: Michael Miller, Office of the Executive Director, 202-502-8415) or from the Office of Management and Budget (Attention: Desk Officer for the Federal Energy Regulatory Commission, fax: 202-395-7285, e-mail: oira_submission@omb.eop.gov). 338. Comments concerning the collection of information(s) and the associated burden estimate(s), should be sent to the contact listed above and to the Office of Management and Budget, Office of Information and Regulatory Affairs, Washington, DC 20503 [Attention: Desk Officer for the Federal Energy Regulatory Commission, phone: (202) 395-7856, fax: (202) 395-7285]. [[Page 44008]] IV. Environmental Analysis 339. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment.\128\ The Commission has categorically excluded certain actions from these requirements as not having a significant effect on the human environment.\129\ The actions proposed here fall within categorical exclusions in the Commission's regulations for rules that are clarifying, corrective, or procedural, for information gathering, analysis, and dissemination, and for sales, exchange, and transportation of electric power that requires no construction of facilities.\130\ Therefore, an environmental assessment is unnecessary and has not been prepared in this NOPR. --------------------------------------------------------------------------- \128\ Order No. 486, Regulations Implementing the National Environmental Policy Act, 52 FR 47897 (Dec. 17, 1987), FERC Stats. & Regs. Preambles 1986-1990 ] 30,783 (1987). \129\ 18 CFR 380.4. \130\ See 18 CFR 380.4(a)(2)(ii), 380.4(a)(5), 380.4(a)(27). --------------------------------------------------------------------------- V. Regulatory Flexibility Act Certification 340. The Regulatory Flexibility Act of 1980 (RFA) \131\ generally requires a description and analysis of final rules that will have significant economic impact on a substantial number of small entities. In a NOPR, an agency must either include an initial regulatory flexibility analysis or certify that the proposed rule will not have a ``significant impact on a substantial number of small entities.'' The Small Business Administration defines a small electric utility as one that has a total electric output of less than four million MWh in the proceeding year. --------------------------------------------------------------------------- \131\ 5 U.S.C. 601-612 (2006). --------------------------------------------------------------------------- 341. The RFA requires agencies in drafting a proposed rule: (1) To assess the affect that their regulation will have on small entities; (2) to analyze effective alternatives that may minimize a regulation's impact; and (3) to make their analyses available for public comment.\132\ In its notice of proposed rule making (NOPR), the agency must either include an initial regulatory flexibility analysis (Initial RFA) \133\ or certify that the proposed rule will not have a ``significant impact on a substantial number of small entities.'' \134\ --------------------------------------------------------------------------- \132\ 5 U.S.C. 601-604 (2006). \133\ 5 U.S.C. 603(a) (2006). \134\ 5 U.S.C. 605(b) (2006). --------------------------------------------------------------------------- Affect on small entities 342. Our analysis shows that the DOE's Energy Information Administration (EIA) reports that there were 3,284 electric utility companies in the United States in 2005,\135\ and 3,029 of these electric utilities qualify as small entities under the SBA definition. Of these 3,284 electric utility companies, the EIA subdivides them as follows: (1) 883 cooperatives of which 852 are small entity cooperatives; (2) 1,862 municipal utilities, of which 1842 are small entity municipal utilities; (3) 127 political subdivisions, of which 114 are small entity political subdivisions; (4) 159 power marketers, of which 97 individually could be considered small entity power marketers; \136\ (5) 219 privately owned utilities, of which 104 could be considered small entity private utilities; (6) 25 state organizations, of which 16 are small entity state organizations and (7) nine federal organizations of which four are small entity federal organizations. --------------------------------------------------------------------------- \135\ See Energy Information Administration Database, Form EIA- 861, Dept. of Energy (2005), available at http://www.eia.doe.gov/cneaf/electricity/page/eia861.html . \136\ Most of these small entity power marketers and private utilities are affiliated with others and, therefore, do not qualify as small entities under the SBA definition. --------------------------------------------------------------------------- 343. As explained above, the Commission is relying on NERC's compliance registry, applying the NERC Statement of Registry Criteria, to identify entities that must comply with the CIP Reliability Standards. To be included in the compliance registry, the ERO will have made a determination that a specific small entity has a material impact on the Bulk-Power System. Consequently, the compliance of such small entities is justifiable as necessary for Bulk-Power System reliability. Based on NERC's compliance registry as of June 2007, the Commission estimates that approximately 1,000 registered entities will be responsible for compliance with the CIP Reliability Standards. Of these, the Commission estimates that the CIP Reliability Standards will apply to approximately 632 small entities, consisting of 12 small investor-owned utilities and 620 small municipal and cooperatives. 344. The Commission believes that the CIP Reliability Standards will not have a significant economic impact on a substantial number of small entities. The majority of small entities are not required to comply with mandatory Reliability Standards based on the application of the NERC Registry Criteria. Moreover, as explained above, a small entity that is registered but does not identify critical cyber assets pursuant to CIP-002-1 will not have compliance obligations pursuant to CIP-003-1 through CIP-009-1. While a small entity that identifies only a few critical cyber assets must comply with CIP-003-1 through CIP-009- 1, the Commission believes that the economic impact of such compliance will not be significant. Likewise, the housing of a limited number of critical cyber assets in a single location will lessen the economic impact of compliance. 345. In addition, as discussed further below, while not required or proposed by this NOPR, small entities can, if they choose, collectively select a single consultant to develop model software and programs to comply with the proposals in this NOPR on their behalf. Such an approach could significantly reduce the costs that would be incurred if each company would address these issues independently. 346. While there will be some portion of small entities that will have to expend significant amounts of resources on labor and technology to comply with the CIP Reliability Standards, the Commission believes that this will be a significant minority. Further, in such circumstances, the economic impact is justified as necessary to protect cyber security assets that support Bulk-Power System reliability. Alternatives 347. In Order No. 693, which approved 83 Reliability Standard for the Bulk-Power System, the Commission discussed several alternatives that are also applicable to the CIP Reliability Standards.\137\ Several of these have already been implemented such as the approval of the NERC definition of bulk electric system, which reduces significantly the number of small entities responsible for compliance with mandatory Reliability Standards.\138\ Further, the Commission adopted the NERC compliance registry process to identify the entities responsible for compliance with mandatory Reliability Standards. --------------------------------------------------------------------------- \137\ See Order No. 693 at P 1945. \138\ Id. at P 75, 1945. --------------------------------------------------------------------------- 348. Another significant alternative is the ability for a small entity to join a joint action agency or similar organization. Such an organization may accept responsibility for compliance with mandatory Reliability Standards on behalf of its members and also may divide the responsibility for compliance with its members. The Commission generally approved the concept of joint action agencies in Order No. 693 and directed NERC to submit implementing [[Page 44009]] procedures.\139\ NERC submitted revisions to its Rules of Procedure to allow for joint action agencies and similar organizations and, in an order issuing concurrently with this NOPR, the Commission approves NERC's joint action agency rules. These rules, supported by APPA, NRECA and others, will provide significant flexibility for small entities on how they will achieve compliance with the CIP Reliability Standards or to assign compliance responsibility to a central organization. --------------------------------------------------------------------------- \139\ Id. at P 107. --------------------------------------------------------------------------- Certification 349. Based on the above analysis, the Commission certifies that the proposed rulemaking will not have a significant impact on a substantial number of small entities. VI. Comment Procedures 350. The Commission invites interested persons to submit comments on the matters and issues proposed in this notice to be adopted, including any related matters or alternative proposals that commenters may wish to discuss. Comments are due October 5, 2007. Comments must refer to Docket No. RM06-22-000, and must include the commenter's name, the organization they represent, if applicable, and their address in their comments. Comments may be filed either in electronic or paper format. 351. Comments may be filed electronically via the eFiling link on the Commission's Web site at http://www.ferc.gov. The Commission accepts most standard word processing formats and requests commenters to submit comments in a text-searchable format rather than a scanned image format. Commenters filing electronically do not need to make a paper filing. Commenters that are not able to file comments electronically must send an original and 14 copies of their comments to: Federal Energy Regulatory Commission, Office of the Secretary, 888 First Street, NE., Washington, DC 20426. 352. All comments will be placed in the Commission's public files and may be viewed, printed, or downloaded remotely as described in the Document Availability section below. Commenters on this proposal are not required to serve copies of their comments on other commenters. VII. Document Availability 353. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the Internet through FERC's Home Page (http://www.ferc.gov) and in FERC's Public Reference Room during normal business hours (8:30 a.m. to 5 p.m. Eastern time) at 888 First Street, NE., Room 2A, Washington DC 20426. 354. From FERC's Home Page on the Internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number excluding the last three digits of this document in the docket number field. 355. User assistance is available for eLibrary and the FERC's Web site during normal business hours from FERC Online Support at (202) 502-6652 (toll-free at 1-866-208-3676) or e-mail at ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502- 8371, TTY (202) 502-8659. E-Mail the Public Reference Room at public.referenceroom@ferc.gov. List of Subjects in 18 CFR Part 39 Administrative practice and procedure, Electric power, Penalties, Reporting and recordkeeping requirements. By direction of the Commission. Kimberly D. Bose, Secretary. [Note: The following appendices will not be published in the Code of Federal Regulations.] Appendix A ------------------------------------------------------------------------ List of Commenters ------------------------------------------------------------------------ Allegheny.................... Allegheny Power and Allegheny Energy Supply Company. AMP-Ohio..................... American Municipal Power--Ohio, Inc. APPA/LPPC.................... American Public Power Association and Large Public Power Council. ATC.......................... American Transmission Company, LLC. Arizona Public Service....... Arizona Public Service Company. California PUC............... California Public Utilities Commission. Cleveland Public Power....... City of Cleveland, Division of Public Power. Constellation................ Constellation Energy Group, Inc. Dominion..................... Dominion Resources, Inc. Duke......................... Duke Energy Corporation. EEI.......................... Edison Electric Institute. EPSA......................... Electric Power Supply Association. FirstEnergy.................. FirstEnergy Service Company. Georgia System............... Georgia System Operations Corporation. ISA Group.................... Three members of the ISA-SP99.05 Leadership Group (Instrument Society of America). ISO/RTO Council.............. ISO/RTO Council. ISO-NE....................... ISO New England Inc. MEAG Power................... MEAG Power Motion to Intervene. MidAmerican.................. MidAmerican Electric Operating Companies. MITRE........................ MITRE Corporation. National Grid................ National Grid USA. NERC......................... North American Electric Reliability Corporation. NIST......................... National Institute of Standards and Technology. Northeast Utilities.......... Northeast Utilities Service Company (on behalf of its transmission owning affiliates, the NU Companies). NRECA........................ National Rural Electric Cooperative Association. Ontario IESO................. Ontario Independent Electricity System Operator. PG&E......................... Pacific Gas and Electric Company. PJM.......................... PJM Interconnection, LLC. [[Page 44010]] Progress Energy.............. Progress Energy, Inc. ReliabilityFirst............. ReliabilityFirst Corporation. Santa Clara.................. City of Santa Clara, for its municipal Silicon Valley Power. SoCal Edison................. Southern California Edison Company. Southern..................... Southern Company Services, Inc. Southwest TDUs............... Southwest Transmission Dependent Utility Group. SPP.......................... Southwest Power Pool, Inc. Tampa Electric............... Tampa Electric Company. Wisconsin Electric........... Wisconsin Electric Power Company. Xcel......................... Xcel Energy Services, Inc. ------------------------------------------------------------------------ Appendix B.--Violation Risk Factors: Proposed Dispositions -------------------------------------------------------------------------------------------------------------------------------------------------------- Violation risk factor -------------------------------------------- Standard No. Requirement No. Text of requirement Commission Guideline NERC proposal determination -------------------------------------------------------------------------------------------------------------------------------------------------------- CIP-002-1......................... R1................... Critical Asset Identification LOWER............... MEDIUM.............. 1, 3, 4 Method--The Responsible Entity shall identify and document a risk- based assessment methodology to use to identify its Critical Assets. CIP-002-1......................... R1.2................. The risk-based assessment shall LOWER............... MEDIUM.............. 2 consider the following assets: CIP-002-1......................... R2................... Critical Asset Identification--The LOWER............... HIGH................ 1, 3, 4 Responsible Entity shall develop a list of its identified Critical Assets determined through an annual application of the risk-based assessment methodology required in R1. The Responsible Entity shall review this list at least annually, and update it as necessary CIP-002-1......................... R3................... Critical Cyber Asset Identification-- MEDIUM.............. HIGH................ 1, 3, 4 Using the list of Critical Assets developed pursuant to Requirement R2, the Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset. Examples at control centers and backup control centers include systems and facilities at master and remote sites that provide monitoring and control, automatic generation control, real-time power system modeling, and real-time interutility data exchange. The Responsible Entity shall review this list at least annually, and update it as necessary. For the purpose of Reliability Standard CIP- 002, Critical Cyber Assets are further qualified to be those having at least one of the following characteristics: CIP-003-1......................... R1................... Cyber Security Policy--The LOWER............... MEDIUM.............. 1 Responsible Entity shall document and implement a cyber security policy that represents management's commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following: CIP-003-1......................... R2................... Leadership--The Responsible Entity LOWER............... MEDIUM.............. 1 shall assign a senior manager with overall responsibility for leading and managing the entity's implementation of, and adherence to, Reliability Standards CIP-002 through CIP-009. CIP-003-1......................... R4................... Information Protection--The LOWER............... MEDIUM.............. 1 Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets. CIP-004-1......................... R2.1................. This program will ensure that all LOWER............... MEDIUM.............. 1 personnel having such access to Critical Cyber Assets, including contractors and service vendors, are trained within 90 calendar days of such authorization. CIP-004-1......................... R2.2................. Training shall cover the policies, LOWER............... MEDIUM.............. 1, 2 access controls, and procedures as developed for the Critical Cyber Assets covered by CIP-004, and include, at a minimum, the following required items appropriate to personnel roles and responsibilities: [[Page 44011]] CIP-004-1......................... R2.2.4............... Action plans and procedures to LOWER............... MEDIUM.............. 1, 4 recover or re-establish Critical Cyber Assets and access thereto following a Cyber Security Incident. CIP-004-1......................... R3................... Personnel Risk Assessment--The LOWER............... MEDIUM.............. 1, 3, 4 Responsible Entity shall have a documented personnel risk assessment program, in accordance with federal, state, provincial, and local laws, and subject to existing collective bargaining unit agreements, for personnel having authorized cyber or authorized unescorted physical access. A personnel risk assessment shall be conducted pursuant to that program within 30 days of such personnel being granted such access. Such program shall at a minimum include: CIP-004-1......................... R4.2................. The Responsible Entity shall revoke LOWER............... MEDIUM.............. 1, 3, 4 such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets. CIP-005-1......................... R1.1................. Access points to the Electronic LOWER............... MEDIUM.............. 1, 2, 4 Security Perimeter(s) shall include any externally connected communication end point (for example, dial-up modems) terminating at any device within the Electronic Security Perimeter(s). CIP-005-1......................... R1.2................. For a dial-up accessible Critical LOWER............... MEDIUM.............. 1, 2, 4 Cyber Asset that uses a non- routable protocol, the Responsible Entity shall define an Electronic Security Perimeter for that single access point at the dial-up device. CIP-005-1......................... R1.3................. Communication links connecting LOWER............... MEDIUM.............. 1, 2, 4 discrete Electronic Security Perimeters shall not be considered part of the Electronic Security Perimeter. However, end points of these communication links within the Electronic Security Perimeter(s) shall be considered access points to the Electronic Security Perimeter(s). CIP-005-1......................... R1.4................. Any non-critical Cyber Asset within LOWER............... MEDIUM.............. 1, 2, 4 a defined Electronic Security Perimeter shall be identified and protected pursuant to the requirements of Reliability Standard CIP-005. CIP-005-1......................... R2................... Electronic Access Controls--The LOWER............... MEDIUM.............. 1, 2, 4 Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s). CIP-005-1......................... R2.4................. Where external interactive access LOWER............... MEDIUM.............. 1, 2 into the Electronic Security Perimeter has been enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible. CIP-005-1......................... R3................... Monitoring Electronic Access--The LOWER............... MEDIUM.............. 1, 2 Responsible Entity shall implement and document an electronic or manual process(es) for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week. CIP-005-1......................... R3.1................. For dial-up accessible Critical LOWER............... MEDIUM.............. 1 Cyber Assets that use non-routable protocols, the Responsible Entity shall implement and document monitoring process(es) at each access point to the dial-up device, where technically feasible. CIP-005-1......................... R3.2................. Where technically feasible, the LOWER............... MEDIUM.............. 1 security monitoring process(es) shall detect and alert for attempts at or actual unauthorized accesses. These alerts shall provide for appropriate notification to designated response personnel. Where alerting is not technically feasible, the Responsible Entity shall review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every 90 calendar days. [[Page 44012]] CIP-005-1......................... R4................... Cyber Vulnerability Assessment--The LOWER............... MEDIUM.............. 1, 2 Responsible Entity shall perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually. The vulnerability assessment shall include, at a minimum, the following: CIP-005-1......................... R4.2................. A review to verify that only ports LOWER............... MEDIUM.............. 1, 2 and services required for operations at these access points are enabled. CIP-005-1......................... R4.3................. The discovery of all access points LOWER............... MEDIUM.............. 1, 2 to the Electronic Security Perimeter; CIP-005-1......................... R4.4................. A review of controls for default LOWER............... MEDIUM.............. 1, 2 accounts, passwords, and network management community strings; and CIP-005-1......................... R4.5................. Documentation of the results of the LOWER............... MEDIUM.............. 1, 4 assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan. CIP-006-1......................... R1.5................. Procedures for reviewing access LOWER............... MEDIUM.............. 1, 3 authorization requests and revocation of access authorization, in accordance with CIP-004 Requirement R4. CIP-006-1......................... R6.1................. Testing and maintenance of all LOWER............... MEDIUM.............. 2 physical security mechanisms on a cycle no longer than three years. CIP-007-1......................... R1.1................. The Responsible Entity shall create, LOWER............... MEDIUM.............. 1, 2 implement, and maintain cyber security test procedures in a manner that minimizes adverse effects on the production system or its operation. CIP-007-1......................... R2................... Ports and Services--The Responsible LOWER............... MEDIUM.............. 1, 2 Entity shall establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled. CIP-007-1......................... R2.3................. In the case where unused ports and LOWER............... MEDIUM.............. 1, 2 services cannot be disabled due to technical limitations, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk. CIP-007-1......................... R4................... Malicious Software Prevention--The LOWER............... MEDIUM.............. 1, 2 Responsible Entity shall use anti- virus software and other malicious software (``malware'') prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s). CIP-007-1......................... R4.1................. The Responsible Entity shall LOWER............... MEDIUM.............. 1, 2 document and implement anti-virus and malware prevention tools. In the case where anti-virus software and malware prevention tools are not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk. CIP-007-1......................... R4.2................. The Responsible Entity shall LOWER............... MEDIUM.............. 1, 2 document and implement a process for the update of anti-virus and malware prevention ``signatures.'' The process must address testing and installing the signatures. CIP-007-1......................... R5.1.3............... The Responsible Entity shall review, LOWER............... MEDIUM.............. 1, 2 at least annually, user accounts to verify access privileges are in accordance with Reliability Standard CIP-003 Requirement R5 and Reliability Standard CIP-004 Requirement R4. CIP-007-1......................... R5.2.1............... The policy shall include the LOWER............... MEDIUM.............. 1, 2 removal, disabling, or renaming of such accounts where possible. For such accounts that must remain enabled, passwords shall be changed prior to putting any system into service. CIP-007-1......................... R5.2.3............... Where such accounts must be shared, LOWER............... MEDIUM.............. 1, 2 the Responsible Entity shall have a policy for managing the use of such accounts that limits access to only those with authorization, an audit trail of the account use (automated or manual), and steps for securing the account in the event of personnel changes (for example, change in assignment or termination). [[Page 44013]] CIP-007-1......................... R6.1................. The Responsible Entity shall LOWER............... MEDIUM.............. 1, 2 implement and document the organizational processes and technical and procedural mechanisms for monitoring for security events on all Cyber Assets within the Electronic Security Perimeter. CIP-007-1......................... R6.2................. The security monitoring controls LOWER............... MEDIUM.............. 1, 2 shall issue automated or manual alerts for detected Cyber Security Incidents. CIP-007-1......................... R6.3................. The Responsible Entity shall LOWER............... MEDIUM.............. 1, 2 maintain logs of system events related to cyber security, where technically feasible, to support incident response as required in Reliability Standard CIP-008. CIP-007-1......................... R8.2................. A review to verify that only ports LOWER............... MEDIUM.............. 1, 3 and services required for operation of the Cyber Assets within the Electronic Security Perimeter are enabled; CIP-007-1......................... R8.3................. A review of controls for default LOWER............... MEDIUM.............. 1, 3 accounts; and CIP-007-1......................... R8.4................. Documentation of the results of the LOWER............... MEDIUM.............. 1, 2, 3 assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan. -------------------------------------------------------------------------------------------------------------------------------------------------------- [FR Doc. E7-14710 Filed 8-3-07; 8:45 am] BILLING CODE 6717-01-P