Physical Security Reliability Standard, 70069-70085 [2014-27908]
Download as PDFAgencies
[Federal Register Volume 79, Number 227 (Tuesday, November 25, 2014)] [Rules and Regulations] [Pages 70069-70085] From the Federal Register Online via the Government Printing Office [www.gpo.gov] [FR Doc No: 2014-27908] ----------------------------------------------------------------------- DEPARTMENT OF ENERGY Federal Energy Regulatory Commission 18 CFR Part 40 [Docket No. RM14-15-000; Order No. 802] Physical Security Reliability Standard AGENCY: Federal Energy Regulatory Commission, Energy. ACTION: Final rule. ----------------------------------------------------------------------- SUMMARY: The Federal Energy Regulatory Commission (Commission) approves Reliability Standard CIP-014-1 (Physical Security). The North American Electric Reliability Corporation, the Commission-certified Electric Reliability Organization, submitted Reliability Standard CIP-014-1 for Commission approval in response to a Commission order issued on March 7, 2014. The purpose of Reliability Standard CIP-014-1 is to enhance physical security measures for the most critical Bulk-Power System facilities and thereby lessen the overall vulnerability of the Bulk- Power System against physical attacks. In addition, the Commission directs NERC to develop one modification to Reliability Standard CIP- 014-1 and submit an informational filing. DATES: This rule is effective January 26, 2015. FOR FURTHER INFORMATION CONTACT: Regis Binder (Technical Information), Office of Electric Reliability, Division of Reliability Standards and Security, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, Telephone: (301) 665-1601, Regis.Binder@ferc.gov. Matthew Vlissides (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, Telephone: (202) 502-8408, Matthew.Vlissides@ferc.gov. SUPPLEMENTARY INFORMATION: Order No. 802 Final Rule (Issued November 20, 2014) 1. Pursuant to section 215 of the Federal Power Act (FPA), the Commission approves Reliability Standard CIP-014-1 (Physical Security).\1\ The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), submitted Reliability Standard CIP-014-1 for Commission approval in response to a Commission order issued on March 7, 2014.\2\ The purpose of Reliability Standard CIP-014-1 is to enhance physical security measures for the most critical Bulk-Power System facilities and thereby lessen the overall vulnerability of the Bulk-Power System facilities against physical attacks. In addition to approving Reliability Standard CIP-014-1, as discussed below, the Commission directs NERC to submit an informational filing and, pursuant to FPA section 215(d)(5), directs NERC to develop a modification to Reliability Standard CIP-014-1.\3\ --------------------------------------------------------------------------- \1\ 16 U.S.C. 824o. \2\ Reliability Standards for Physical Security Measures, 146 FERC ] 61,166 (2014) (March 7 Order). \3\ 16 U.S.C. 824o(d)(5). --------------------------------------------------------------------------- I. Background A. Section 215 and Mandatory Reliability Standards 2. Section 215 of the FPA requires the Commission to certify an ERO to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. Once approved, the Reliability Standards may be enforced in the United States by the ERO, subject to Commission oversight, or by the Commission independently.\4\ --------------------------------------------------------------------------- \4\ Id. 824o(e). --------------------------------------------------------------------------- B. March 7 Order 3. In the March 7 Order, the Commission determined that physical attacks on the Bulk-Power System could adversely impact the reliable operation of the Bulk-Power System, resulting in instability, uncontrolled separation, or cascading failures. Moreover, the Commission observed that the then current Reliability Standards did not specifically require entities to take steps to reasonably protect against physical security attacks on the Bulk-Power System. Accordingly, to carry out section 215 of the FPA and to provide for the reliable operation of the Bulk-Power System, the Commission directed NERC, pursuant to FPA section 215(d)(5), to develop and file for approval proposed Reliability Standards that address threats and vulnerabilities to the physical security of critical facilities on the Bulk-Power System. 4. The March 7 Order indicated that the Reliability Standards should require owners or operators of the Bulk-Power System to take at least three steps to address the risks that physical security attacks pose to the reliable operation of the Bulk-Power System. Specifically, the March 7 Order directed that the Reliability Standards should require: (1) Owners or operators of the Bulk-Power System to perform a risk assessment of their systems to identify their ``critical facilities''; (2) owners or operators of the identified critical facilities to evaluate the potential threats and vulnerabilities to those identified facilities; and (3) those owners or operators of critical facilities to develop and implement a security plan designed to protect against attacks to those identified critical facilities based on the assessment of the potential threats and vulnerabilities to their physical security. 5. The March 7 Order stated that the risk assessment used by an owner or operator to identify critical facilities should be verified by an entity other than the owner or operator, such as by NERC, the relevant Regional Entity, a reliability coordinator, or another entity.\5\ In addition, the March 7 Order indicated that the Reliability Standards should include a procedure for the verifying entity, as well as the Commission, to add or remove facilities from an owner's or operator's list of critical facilities.\6\ The March 7 Order further stated that the determination of threats and vulnerabilities and the security plan should be reviewed by NERC, the relevant Regional Entity, the reliability coordinator, or another entity with appropriate expertise. --------------------------------------------------------------------------- \5\ March 7 Order, 146 FERC ] 61,166 at P 11. \6\ Id. --------------------------------------------------------------------------- 6. The March 7 Order stated that, because the three steps of compliance with the contemplated Reliability Standards could contain sensitive or confidential information that, if released to the public, could jeopardize the reliable operation of the Bulk-Power System, NERC should include in the Reliability Standards a procedure that will ensure confidential treatment of sensitive or confidential information but still allow for the Commission, NERC and the Regional Entities to review and inspect any information that is needed [[Page 70070]] to ensure compliance with the Reliability Standards.\7\ --------------------------------------------------------------------------- \7\ Id. P 10. --------------------------------------------------------------------------- 7. The Commission directed NERC to submit the proposed Reliability Standards to the Commission for approval within 90 days of issuance of the March 7 Order (i.e., June 5, 2014). C. NERC Petition 8. On May 23, 2014, NERC petitioned the Commission to approve Reliability Standard CIP-014-1 and its associated violation risk factors and violation severity levels, implementation plan, and effective date.\8\ NERC maintains that the Reliability Standard is just, reasonable, not unduly discriminatory, or preferential, and in the public interest. In addition, NERC asserts that the proposed Reliability Standard complies with the Commission's directives in the March 7 Order. --------------------------------------------------------------------------- \8\ NERC explains that, to meet the 90-day deadline in the March 7 Order, the NERC Standards Committee approved waivers to NERC's Standard Processes Manual to shorten the comment and ballot periods for the Standards Authorization Request and draft Reliability Standard. NERC Petition at 13-14. Reliability Standard CIP-014-1 is not attached to this Final Rule. The complete text of Reliability Standard CIP-014-1 is available on the Commission's eLibrary document retrieval system in Docket No. RM14-15-000 and is posted on the ERO's Web site, available at https://www.nerc.com. --------------------------------------------------------------------------- 9. NERC explains that Reliability Standard CIP-014-1 ``serves the vital reliability goal of enhancing physical security measures for the most critical Bulk-Power System facilities and lessening the overall vulnerability of the Bulk-Power System to physical attacks.'' \9\ NERC maintains that the ``appropriate focus of the proposed Reliability Standard is Transmission stations and Transmission substations, which are uniquely essential elements of the Bulk-Power System.'' \10\ The Reliability Standard is applicable to transmission owners that satisfy the Applicability Sections 4.1.1.1, 4.1.1.2, 4.1.1.3, or 4.1.1.4, and to transmission operators. NERC states that the transmission facilities covered by Applicability Sections 4.1.1.1 through 4.1.1.4 match the ``Medium Impact'' transmission facilities listed in Attachment 1 (Impact Rating Criteria), specifically, the ``Medium Impact'' facilities described in Sections 2.4, 2.5, 2.6, and 2.7, of Reliability Standard CIP-002-5.1,\11\ According to NERC, the ``standard drafting team determined that using the criteria for `Medium Impact' Transmission Facilities set forth in Reliability Standard CIP-002-5.1 is an appropriate applicability threshold as the Commission has acknowledged that it is a technically sound basis for identifying Transmission Facilities, which, if compromised, would present an elevated risk to the Bulk-Power System.'' \12\ --------------------------------------------------------------------------- \9\ NERC Petition at 15-16. \10\ Id. at 18. NERC states that, although the terms ``Transmission stations'' and ``Transmission substations'' are sometimes used interchangeably, Reliability Standard CIP-014-1 uses the term ``Transmission substation'' to refer to a facility contained within a physical border (e.g., a fence or wall) that contains one or more autotransformers. Id. According to NERC, the term ``Transmission station,'' as used in Reliability Standard CIP- 014-1, refers to a facility that functions as a switching station or switchyard but does not contain autotransformers. Id. at 18-19. \11\ Id. at 25 (citing Reliability Standard CIP-002-5.1 (Cyber Security--BES Cyber System Categorization), Attachment 1 (Impact Rating Criteria)). \12\ Id. --------------------------------------------------------------------------- 10. Reliability Standard CIP-014-1 has six requirements. Requirement R1 requires applicable transmission owners to perform risk assessments on a periodic basis to identify their transmission stations and transmission substations that, if rendered inoperable or damaged, could result in widespread instability, uncontrolled separation, or cascading within an Interconnection. Requirement R1 also requires transmission owners to identify the primary control center that operationally controls each of the identified transmission stations or transmission substations. 11. Requirement R2 requires that each applicable transmission owner have an unaffiliated third party with appropriate experience verify the risk assessment performed under Requirement R1. Requirement R2 states that the transmission owner must either modify its identification of facilities consistent with the verifier's recommendation or document the technical basis for not doing so. In addition, Requirement R2 requires each transmission owner to implement procedures for protecting sensitive or confidential information made available to third-party verifiers or developed under the Reliability Standard from public disclosure. 12. Requirement R3 requires the transmission owner to notify a transmission operator that operationally controls a primary control center identified under Requirement R1 of such identification to ensure that the transmission operator has notice of the identification so that it may timely fulfill its obligations under Requirements R4 and R5 to protect the primary control center. 13. Requirement R4 requires each applicable transmission owner and transmission operator to conduct an evaluation of the potential threats and vulnerabilities of a physical attack on each of its respective transmission stations, transmission substations, and primary control centers identified as critical in Requirement R1. 14. Requirement R5 requires each transmission owner and transmission operator to develop and implement documented physical security plans that cover each of their respective transmission stations, transmission substations, and primary control centers identified as critical in Requirement R1. 15. Requirement R6 requires that each transmission owner and transmission operator subject to Requirements R4 and R5 have an unaffiliated third party with appropriate experience review its Requirement R4 evaluation and Requirement R5 security plan. Requirement R6 states that the transmission owner or transmission operator must either modify its evaluation and security plan consistent with the recommendation, if any, of the reviewer or document its reasons for not doing so. In addition, Requirement R6 requires each transmission owner to implement procedures for protecting sensitive or confidential information made available to third-party reviewers or developed under the Reliability Standard from public disclosure. D. Notice of Proposed Rulemaking 16. On July 17, 2014, the Commission issued a Notice of Proposed Rulemaking proposing to approve Reliability Standard CIP-014-1 as just, reasonable, not unduly discriminatory or preferential, and in the public interest.\13\ In addition, the NOPR proposed to direct NERC to develop two modifications to the Reliability Standard. First, the NOPR proposed to direct NERC to develop a modification to allow applicable governmental authorities (i.e., the Commission and any other appropriate federal or provincial authorities) to add or subtract facilities from an applicable entity's list of critical facilities under Requirement R1.\14\ Second, the NOPR proposed to direct NERC to modify the Reliability Standard to remove the term ``widespread'' as it appears in the phrase ``widespread instability'' in Requirement R1.\15\ The NOPR also proposed to direct NERC to submit two informational filings, one addressing the protection of ``High Impact'' control centers and the other addressing resiliency measures, to be submitted, respectively, within six months and one [[Page 70071]] year following the effective date of a final rule in this proceeding.\16\ --------------------------------------------------------------------------- \13\ Physical Security Reliability Standard, Notice of Proposed Rulemaking, 79 FR 42,734 (July 23, 2014), 148 FERC ] 61,040 (2014) (NOPR). \14\ Id. P 23. \15\ Id. P 29. \16\ Id. PP 35, 57. --------------------------------------------------------------------------- 17. In response to the NOPR, the Commission received 33 sets of initial comments and six sets of reply comments. We address below the issues raised in the NOPR and comments. The Appendix to this final rule lists the entities that filed comments in response to the NOPR. II. Discussion 18. Pursuant to FPA section 215(d)(2), we approve Reliability Standard CIP-014-1 as just, reasonable, not unduly discriminatory or preferential, and in the public interest. The Commission also approves the associated violation risk factors, violation severity levels, implementation plan, and effective date proposed by NERC (i.e., the ``first day of the first calendar quarter that is six months beyond'' the effective date of the final rule in this proceeding).\17\ As discussed below, the Commission determines that Reliability Standard CIP-014-1 satisfies the directives in the March 7 Order concerning the development and submittal of physical security Reliability Standards. --------------------------------------------------------------------------- \17\ NERC Petition, Exhibit B (Implementation Plan) at 1. --------------------------------------------------------------------------- 19. In addition to approving Reliability Standard CIP-014-1, the Commission adopts in part the NOPR proposal directing NERC to develop and submit modifications to the Reliability Standard concerning the use of the term ``widespread'' in Requirement R1. The Commission determines that the term ``widespread'' is unclear with respect to the obligations it imposes on applicable entities; how it would be implemented by applicable entities; and how it would be enforced. Accordingly, the Commission directs NERC, pursuant to FPA section 215(d)(5), to remove the term ``widespread'' from Reliability Standard CIP-014-1 or, alternatively, to propose modifications to the Reliability Standard that address the Commission's concerns. We direct that NERC submit a responsive modification within six months from the effective date of this final rule. 20. The Commission does not adopt the NOPR proposal that would have required NERC to develop and submit modifications to Reliability Standard CIP-014-1 to allow applicable governmental authorities (i.e., the Commission and any other appropriate federal or provincial authorities) to add or subtract facilities from an applicable entity's list of critical facilities under Requirement R1. We determine that the Commission's enforcement authority under FPA section 215(e), and particularly the use of targeted auditing following implementation of Reliability Standard CIP-014-1, will allow us to address the concerns raised in the NOPR. 21. With respect to the informational filings proposed in the NOPR, the Commission adopts the proposal to direct NERC to make an informational filing addressing whether Reliability Standard CIP-014-1 provides physical security for all ``High Impact'' control centers, as that term is defined in Reliability Standard CIP-002-5.1, necessary for the reliable operation of the Bulk-Power System. However, the Commission extends the deadline for that informational filing until two years following the effective date of Reliability Standard CIP-014-1. The Commission, at this time, does not adopt the NOPR proposal to direct NERC to make an informational filing addressing resiliency. Instead, the Commission will continue to consider ways for industry to best inform the Commission of its current and future resiliency efforts, which could take the form of reports and/or technical conferences to address specific areas of concern (e.g., spare parts, fuel security, and advanced technologies). 22. We address below the following issues raised in the NOPR and in the comments: (A) Removal of the term ``widespread''; (B) applicable governmental authorities' ability to add or subtract facilities from an entity's list of critical facilities; (C) informational filing on ``High Impact'' control centers; (D) informational filing on resiliency; (E) third-party verification and review; (F) exclusion of generators from the applicability section of Reliability Standard CIP- 014-1; (G) confidentiality; (H) other issues raised in comments; (I) violation risk factors and violation severity levels; and (J) implementation plan and effective date. A. Removal of the Term ``Widespread'' March 7 Order 23. The March 7 Order stated that a critical facility is ``one that, if rendered inoperable or damaged, could have a critical impact on the operation of the interconnection through instability, uncontrolled separation or cascading failures on the Bulk-Power System.'' \18\ --------------------------------------------------------------------------- \18\ March 7 Order, 146 FERC ] 61,166 at P 6. --------------------------------------------------------------------------- NERC Petition 24. Reliability Standard CIP-014-1 states that its purpose is to ``identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.'' \19\ Requirement R1 states that the ``initial and subsequent risk assessments shall consist of a transmission analysis or transmission analyses designed to identify the Transmission station(s) and Transmission substation(s) that if rendered inoperable or damaged could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.'' --------------------------------------------------------------------------- \19\ NERC Petition at 17. --------------------------------------------------------------------------- NOPR 25. The NOPR proposed to direct NERC to modify Reliability Standard CIP-014-1 to remove the term ``widespread'' as it appears in the phrase ``widespread instability.'' The NOPR stated that the phrase ``widespread instability'' is undefined by NERC and is inconsistent with the March 7 Order's explanation of ``critical facility'' and the definition of ``reliable operation'' in FPA section 215(a)(4).\20\ --------------------------------------------------------------------------- \20\ ``[A facility] that, if rendered inoperable or damaged, could have a critical impact on the operation of the interconnection through instability, uncontrolled separation or cascading failures on the Bulk-Power System.'' March 7 Order, 146 FERC ] 61,166 at P 6; 16 U.S.C. 824o(a)(4) (``The term `reliable operation' means operating the elements of the bulk-power system within equipment and electric system thermal, voltage, and stability limits so that instability, uncontrolled separation, or cascading failures of such system will not occur as a result of a sudden disturbance, including a cybersecurity incident, or unanticipated failure of system elements.''). --------------------------------------------------------------------------- 26. The NOPR stated that the use of ``widespread instability'' in Requirement R1 could, depending on the meaning of ``widespread,'' narrow the scope (and number) of identified critical facilities under Reliability Standard CIP-014-1 beyond what was contemplated in the March 7 Order. The NOPR also stated that the use of the term ``widespread'' could potentially render the Reliability Standard unenforceable or lead to an inadequate level of reliability by omitting facilities that are critical to the reliable operation of the Bulk- Power System. Comments 27. NERC comments that it does not oppose the NOPR directive but that the modification should be developed through NERC's standards development process and NERC should be allowed to propose alternative clarifying language ``to ensure the proposed Reliability Standard remains focused on Interconnection impacts and not local [[Page 70072]] impacts.'' \21\ NERC states that the term ``widespread'' was used to focus applicable entities' security efforts on facilities whose loss would have more than a local area impact. --------------------------------------------------------------------------- \21\ NERC Comments at 19. --------------------------------------------------------------------------- 28. SIA, Idaho Power, Pa PUC, SmartSenseCom, Foundation and Pepco support the NOPR proposal because they believe that the term ``widespread'' is vague or inconsistent with the definition of ``reliable operation'' in FPA section 215.\22\ Pepco, for example, states that the term ``widespread'' is ambiguous, will require requests for clarification or interpretation and will expose applicable entities to ``second-guessing'' from auditors. KCP&L, while it does not state that it supports the proposal, acknowledges that the term ``widespread'' is vague and that the term ``introduces interpretive language that may be problematic for compliance and enforcement interpretations as well as unintentionally narrow the scope of facilities.'' \23\ --------------------------------------------------------------------------- \22\ See SIA Comments at 2; Idaho Power Comments at 2; Pa PUC Comments at 5; Pepco Comments at 4-5; SmartSenseCom Comments at 7-8; Foundation Reply Comments at 7. \23\ KCP&L Comments at 4. --------------------------------------------------------------------------- 29. Other commenters do not support the proposed directive largely because they contend that the proposal may have the unintended consequence of expanding the scope of Reliability Standard CIP-014-1 to include localized events that have no impact on an Interconnection.\24\ APS, SCE, SDG&E, and G&T Cooperatives also maintain that while the term ``widespread'' is not defined by NERC, it appears elsewhere in the Reliability Standards, including in NERC's definition of ``Cascading'' and in the TPL Reliability Standards, and is understood by industry. Associations also state that the Commission should withdraw the NOPR proposal; however, Associations state that, in the alternative, the Commission should clarify that removal of the term ``widespread'' is not intended to bring within the scope of Reliability Standard CIP-014- 1 ``a substation or station unless the applicable Transmission Owner determines through technical studies and analyses that include the application of engineering judgment and practice that the loss of such facility would have a critical impact on the operation of the [bulk electric system] in the event the asset is rendered inoperable or damaged.'' \25\ NARUC states that the proposal will add costs without necessarily improving reliability. --------------------------------------------------------------------------- \24\ See APS Comments at 3; SCE Comments at 3; SDG&E Comments at 4-5; TVA Comments at 9-10; Tallahassee Comments at 1; Oncor Comments at 3-4; Ohio PUC Comments at 4-5; BPA Comments at 3; NARUC Comments at 11; G&T Cooperatives Comments at 8-11; Southern Comments at 7-10. \25\ Associations Comments at 14-15; see also APS Comments at 3- 4, Southern Comments at 11. --------------------------------------------------------------------------- 30. ITC, while agreeing that the term ``widespread'' is not well- defined and would render the Reliability Standard vague, contends that the definition of critical facility in Requirement R1 should be replaced by defining as critical all physical facilities that contain ``High Impact'' or ``Medium Impact'' BES Cyber Systems as those terms are defined in Reliability Standard CIP-002-5.1. Commission Determination 31. The Commission adopts the NOPR proposal in part and directs NERC to remove the term ``widespread'' from Reliability Standard CIP- 014-1 or, alternatively, to propose modifications to the Reliability Standard that address the Commission's concerns. The differing views expressed in the comments validate the concern raised in the NOPR that the meaning of the term ``widespread'' is unclear and subject to interpretation. 32. We stated in the March 7 Order that ``the Reliability Standards that we are ordering today apply only to critical facilities that, if rendered inoperable or damaged, could have a critical impact on the operation of the interconnection through instability, uncontrolled separation or cascading failures on the Bulk-Power System.\26\ We affirm the March 7 Order's statement that ``[m]ethodologies to determine these facilities should be based on objective analysis, technical expertise, and experienced judgment.'' \27\ --------------------------------------------------------------------------- \26\ March 7 Order, 146 FERC ] 61,166 at P 6 n.5. \27\ Id. P 6. --------------------------------------------------------------------------- 33. However, incorporating the undefined term ``widespread'' in Reliability Standard CIP-014-1 introduces excessive uncertainty in identifying critical facilities under Requirement R1.\28\ As the Commission stated in the March 7 Order, only an instability that has a ``critical impact on the operation of the interconnection'' warrants finding that the facility causing the instability is critical under Requirement R1. The March 7 Order did not intend to suggest that the physical security Reliability Standards should address facilities that do not have a ``critical impact on the operation of the interconnection.'' This understanding is, we believe, unintentionally absent in Requirement R1 because the requirement only deems a facility critical when, if rendered inoperable or damaged, it could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection. The definition in Requirement R1 should not be dependent on how an applicable entity interprets the term ``widespread'' but instead should be modified to make clear that a facility that has a critical impact on the operation of an Interconnection is critical and therefore subject to Requirement R1. --------------------------------------------------------------------------- \28\ See Version 5 Critical Infrastructure Protection Reliability Standards, Order No. 791, 78 FR 72,755 (Dec. 3, 2013), 145 FERC ] 61,160, at P 67 (2013), order granting clarification in part and denying rehearing, Order No. 791-A, 146 FERC ] 61,188 (2014) (directing removal or clarification ``identify, assess and correct'' language). --------------------------------------------------------------------------- 34. While some commenters contend that the meaning of the term ``widespread'' is well-understood by industry, we find that there is ample evidence in the record to support the conclusion that the term is susceptible to different interpretations by applicable entities. Notably, KCP&L states that, while it was a participant in the standards drafting process for Reliability Standard CIP-014-1, it agrees that the term requires interpretation. Moreover, KCP&L and Pepco share our concern that compliance enforcement authorities may find it difficult to consistently enforce compliance with Requirement R1 without a clear understanding of the term's meaning. 35. Accordingly, pursuant to FPA section 215(d)(5), the Commission directs NERC to develop a modification to Reliability Standard CIP-014- 1 that either removes the term ``widespread'' from Requirement R1 or, in the alternative, proposes changes that address the Commission's concerns. Further, we direct that NERC submit a responsive modification within six months from the effective date of this final rule. We recognize that certain entities commented on how NERC could modify Reliability Standard CIP-014-1 to address the Commission's stated concerns.\29\ However, we conclude that it is appropriate to allow NERC to develop and propose a modification in the first instance. With respect to ITC's more general comments regarding the scope of critical facilities in Requirement R1, we address the potential for applying the impact designations in Reliability Standard CIP-002-5.1 to Reliability Standard CIP-014-1, Requirement R1 in the section below regarding the NOPR's proposed informational filing on ``High Impact'' control centers. --------------------------------------------------------------------------- \29\ See, e.g., BPA Comments at 2; Ohio PUC Comments at 5; TVA Comments at 9, ITC Comments at 9. --------------------------------------------------------------------------- [[Page 70073]] B. Applicable Governmental Authority's Ability To Add or Subtract Facilities From an Entity's List of Critical Facilities March 7 Order 36. In the March 7 Order, the Commission stated that: [T]he risk assessment used by an owner or operator to identify critical facilities should be verified by an entity other than the owner or operator. Such verification could be performed by NERC, the relevant Regional Entity, a Reliability Coordinator, or another entity. The Reliability Standards should include a procedure for the verifying entity, as well as the Commission, to add or remove facilities from an owner's or operator's list of critical facilities. . . .\30\ --------------------------------------------------------------------------- \30\ March 7 Order, 146 FERC ] 61,166 at P 11. --------------------------------------------------------------------------- NERC Petition 37. Reliability Standard CIP-014-1 does not include a procedure that allows the Commission to add or subtract facilities from an applicable entity's list of critical facilities under Requirement R1. Instead, NERC states that the Commission has the existing authority to enforce NERC Reliability Standards pursuant to FPA section 215(e)(3).\31\ NERC explains that a transmission owner must be able to demonstrate that its method for performing its risk assessment under Requirement R1 ``was technically sound and reasonably designed to identify its critical Transmission stations and Transmission substations.'' \32\ NERC maintains that if ``in the course of assessing an entity's compliance with the proposed Reliability Standard, NERC, a Regional Entity or [the Commission] finds that the entity's transmission analysis was patently deficient and the Requirement R2 verification process did not cure those deficiencies, they could use their enforcement authority to compel Transmission Owners to re-perform the risk assessment using assumptions designed to identify the appropriate critical facilities.'' \33\ NOPR --------------------------------------------------------------------------- \31\ NERC Petition at 37. \32\ Id. \33\ Id. --------------------------------------------------------------------------- 38. The NOPR stated that Reliability Standard CIP-014-1 does not include a procedure that allows the Commission to add or subtract facilities from an applicable entity's list of critical facilities. The NOPR stated that if the Commission determined through an audit of an applicable entity, or through some other means, that a critical facility does not appear on the entity's list of critical facilities, there is no provision in Reliability Standard CIP-014-1 to allow the Commission to require its inclusion. In the NOPR, the Commission proposed to direct NERC to modify the physical security Reliability Standard to ``include a procedure that would allow applicable governmental authorities, i.e., the Commission and any other appropriate federal or provincial authorities, to add or subtract facilities from an applicable entity's list of critical facilities.'' \34\ --------------------------------------------------------------------------- \34\ NOPR, 148 FERC ] 61,040 at P 23. --------------------------------------------------------------------------- Comments 39. NERC asserts that the Commission should not adopt the NOPR proposal. NERC maintains that the proposal is unnecessary because it duplicates existing Commission compliance monitoring and enforcement authority.\35\ Moreover, NERC contends that the NOPR's concerns surrounding the use of existing compliance and enforcement methods to ensure compliance with Requirement R1 are unsubstantiated. NERC states that if the NOPR proposal is adopted, then the Commission must better justify the reasons for the directive and limit and clarify the scope and content of the proposed directive. --------------------------------------------------------------------------- \35\ NERC Comments at 8 (``the Commission can use its broad enforcement authority to make certain that the applicable entity re- performs the risk assessment on whatever timeline the Commission deems appropriate or face penalties or sanctions under the FPA''). --------------------------------------------------------------------------- 40. Pa PUC, Foundation, SmartSenseCom and Paschall state that they support the NOPR proposal.\36\ Other commenters do not oppose the proposal but maintain that it should be clarified or modified if adopted by the Commission.\37\ --------------------------------------------------------------------------- \36\ Pa PUC Comments at 5; Foundation Comments at 3; SmartSenseCom Comments at 6; Paschall Comments at 2. \37\ See G&T Cooperatives Comments at 3-8; ITC Comments at 12; NYPSC Comments at 5-7; Pepco Comments at 5-7; Idaho Power Comments at 1-2. --------------------------------------------------------------------------- 41. The majority of commenters do not support the NOPR proposal for various legal and policy reasons.\38\ Associations' comments are representative of this viewpoint in that they address: (1) The statutory authority to modify critical facility lists or otherwise allow the Commission (or any other governmental authority) an operational role in the performance of a Reliability Standard; (2) how the Commission would afford entities due process in determining whether to direct the addition or removal of facilities while still maintaining confidentiality; and (3) what constitutes ``any other appropriate federal or provincial authorities'' and the legal authority and advisability of delegating responsibility to another government entity. Like NERC, Associations contend that the Commission already possesses the compliance and enforcement authority to ensure that applicable entities comply with Requirement R1.\39\ Specifically, Associations state that the ``Commission has sufficient existing enforcement authority under the FPA to take actions to address concerns raised in the NOPR regarding the sufficiency of decisions made to identify critical facilities under CIP-014-1 . . . includ[ing] the use of traditional enforcement authority under Section 215(e)(3), including audits and investigations, which it has used on several occasions.'' \40\ Associations also request a technical conference in two years that addresses the implementation of Reliability Standard CIP-014-1. --------------------------------------------------------------------------- \38\ See Southern Comments at 2-7; Trade Associations Comments at 5-12; GridWise Comments at 3-9; Duke Comments at 3-5; NARUC Comments at 4; KCP&L Comments at 2-4; SDG&E Comments at 3-4; Oncor Comments at 2-3; Entergy Comments at 1; TAPS Comments at 3-9; APS Comments at 2-3; BPA Comments at 2; SCE Comments at 2; Ohio PUC Comments at 3-4; TVA Comments at 6-9; CEA Comments at 3-9; NU Utilities Comments at 1. \39\ Associations Comments at 9; see also TAPS Comments at 5 (``If the Commission finds a Registered Entity's risk assessment study to be inadequate because it lacks a critical facility, the Registered Entity will be in violation of [Requirement] R1 of the Physical Security standard . . . [t]he Commission could then direct a specific method of compliance . . . and impose daily penalties until the Registered Entity complies. If despite the threat of penalties, the Commission were concerned about the need for timely action, it could order the Registered Entity to come into compliance within a specified reasonable timeframe.''). \40\ Associations Comments at 9. --------------------------------------------------------------------------- Commission Determination 42. Based on our review of the comments, we determine not to adopt the NOPR proposal. 43. We are persuaded by commenters that the NOPR directive would present NERC, as the entity that would have to develop the proposed modification, and the Commission, which would have to approve any NERC proposal, with a number of substantial policy issues. Ultimately, we believe that the NOPR proposal would require NERC and the Commission to expend resources that could be better applied elsewhere. 44. The Commission, instead, will focus its resources on carrying out compliance and enforcement activities to ensure that critical facilities are identified under Requirement R1. In its comments, NERC indicated that NERC staff will submit to the NERC Board of Trustees a report three months following implementation of Requirements R1, R2 and R3 concerning the scope of facilities identified as [[Page 70074]] critical, including the number of facilities identified as critical and their defining characteristics.\41\ NERC also committed to sending this report to Commission staff.\42\ Based on the results reported by NERC, we expect Commission staff to audit a representative number of applicable entities to ensure compliance with Reliability Standard CIP- 014-1. Depending on the audit findings, the Commission will determine if there is a need for any further action by the Commission including, but not limited to, directing NERC to develop modifications to Reliability Standard CIP-014-1 to provide greater specificity to the methodology for determining critical facilities. At this time, we will not direct Commission staff to convene a technical conference on implementation of Reliability Standard CIP-014-1 in two-years' time, as requested by Associations. We may revisit that proposal at a later time. --------------------------------------------------------------------------- \41\ NERC Comment at 27-28. NERC's post-implementation reports are further discussed below. \42\ Id. at 28. --------------------------------------------------------------------------- C. Informational Filing on ``High Impact'' Control Centers March 7 Order 45. The March 7 Order stated that a ``critical facility is one that, if rendered inoperable or damaged, could have a critical impact on the operation of the interconnection through instability, uncontrolled separation or cascading failures on the Bulk-Power System.'' \43\ The March 7 Order, while not mandating that a minimum number of facilities be deemed critical under the physical security Reliability Standards, explained that the ``Commission expects that critical facilities generally will include, but not be limited to, critical substations and critical control centers.'' \44\ --------------------------------------------------------------------------- \43\ March 7 Order, 146 FERC ] 61,166 at P 6. \44\ Id. P 6, n.6. --------------------------------------------------------------------------- NERC Petition 46. NERC states that Reliability Standard CIP-014-1 addresses the protection of primary control centers, which NERC defines as facilities that ``operationally control[ ] a Transmission station or Transmission substation when the electronic actions from the control center can cause direct physical actions at the identified Transmission station or Transmission substation, such as opening a breaker.'' \45\ --------------------------------------------------------------------------- \45\ NERC Petition at 19. --------------------------------------------------------------------------- 47. NERC maintains that ``[c]ontrol centers that provide back-up capability and control centers that cannot operationally control a critical Transmission station or Transmission substation do not present similar direct risks to Real-time operations if they are the target of a physical attack,'' and thus they are not covered by Reliability Standard CIP-014-1.\46\ NERC explains that the destruction of a back-up control center would ``have no direct reliability impact in Real-time as the entity can continue operation . . . from its primary control center.'' \47\ With respect to control centers that do not physically operate Bulk-Power System facilities, such as control centers operated by reliability coordinators, NERC states that, while ``certain monitoring and oversight capabilities might be lost as a result of a physical attack on such control centers, the Transmission Owner or Transmission Operator that operationally controls the critical Transmission station or Transmission substation would be able to continue operating its transmission system to prevent widespread instability, uncontrolled separation, or Cascading within an Interconnection.'' \48\ --------------------------------------------------------------------------- \46\ Id. \47\ Id. at 20. \48\ Id. at 20-21. --------------------------------------------------------------------------- 48. NERC acknowledges that certain control centers categorized as ``High Impact'' or ``Medium Impact'' under Reliability Standard CIP- 002-5.1 (Cyber Security--BES Cyber System Categorization) would not be covered control centers under Reliability Standard CIP-014-1.\49\ NERC explains that this situation: --------------------------------------------------------------------------- \49\ Reliability Standard CIP-002-5.1 (Cyber Security--BES Cyber System Categorization), Attachment 1 (Impact Rating Criteria). reflects the different nature of cyber security risks and physical security risks at control centers . . . [a] primary cyber security concern for control centers is the corruption of data or information and the potential for operators to take action based on corrupted data or information . . . [and] [t]his concern exists at control centers that operationally control Bulk-Power System facilities and those that do not. As such, there is no distinction in CIP-002-5.1 between these control centers . . . however, such a distinction is appropriate in the physical security context.\50\ --------------------------------------------------------------------------- \50\ NERC Petition at 22 n.55. 49. NERC points out that Reliability Standard CIP-006-5 already requires physical security protections that are ``designed to restrict physical access to locations containing High and Medium Impact Cyber Systems,'' which include control centers and backup control centers for reliability coordinators, balancing authorities, transmission operators and generation operators irrespective of their ability to operationally control Bulk-Power System facilities.\51\ --------------------------------------------------------------------------- \51\ Id. at 21. --------------------------------------------------------------------------- NOPR 50. The NOPR proposed to direct NERC to make an informational filing within six months of the effective date of a final rule in this proceeding indicating whether the development of Reliability Standards that provide physical security for all ``High Impact'' control centers, as that term is defined in Reliability Standard CIP-002-5.1, is necessary for the reliable operation of the Bulk-Power System. 51. The NOPR stated that primary and back-up control centers of functional entities other than transmission owners and operators identified as ``High Impact'' may warrant assessment and physical security controls under this Reliability Standard because a successful attack could prevent or impair situational awareness, especially from a wide-area perspective, or could allow attackers to distribute misleading and potentially harmful data and operating instructions that could result in instability, uncontrolled separation, or cascading failures. 52. The NOPR stated that the proposed informational filing should address whether there is a need for consistent treatment of ``High Impact'' control centers for cybersecurity and physical security purposes through the development of Reliability Standards that afford physical protection to all ``High Impact'' control centers. The NOPR also stated that the development of physical security protections for all ``High Impact'' control centers would not be without precedent because, as noted above, Reliability Standard CIP-006-5 already requires that ``High Impact'' control centers have some physical protections, including restrictions on physical access, to protect BES Cyber Assets. However, the NOPR further stated that the security measures required by Reliability Standard CIP-006-5 may not be comparable to those required by Reliability Standard CIP-014-1, and thus may not be sufficient to ``deter, detect, delay, assess, communicate, and respond to potential threats and vulnerabilities'' as required in Requirement R5 of Reliability Standard CIP-014-1. Further, the NOPR stated that Reliability Standard CIP-006-5 does not require an ``unaffiliated third party review'' of the evaluation and security plan required by Reliability Standard CIP-014-1. [[Page 70075]] Comments 53. NERC states that it does not oppose submitting an informational filing to address whether ``High Impact'' control centers warrant assessment and physical security controls under Reliability Standard CIP-014-1. However, NERC requests that the Commission modify the NOPR proposal to give NERC at least 12 months from the effective date of a final rule in this proceeding to submit the informational filing. 54. Other commenters, while not necessarily agreeing that all ``High Impact'' control centers should be subject to Reliability Standard CIP-014-1, support the NOPR proposal for various reasons.\52\ Associations state that the informational filing ``will provide a more granular mapping of the strategic considerations embedded in the CIP standards . . . as well as consideration of the issues relating to control centers not covered by CIP-014-1.'' \53\ MISO and SDG&E state that the informational filing could be a useful way for identifying areas of possible improvement in the future. Some commenters, including Associations, recommend that the Commission direct NERC to submit the informational filing as critical energy infrastructure information (CEII). --------------------------------------------------------------------------- \52\ See Associations Comments at 16; KCP&L Comments at 4; Foundation Comments at 7; SDG&E Comments at 5; Pa PUC Comments at 6; SCE Comments at 4; MISO Comments at 6-7. \53\ Associations Comments at 16. --------------------------------------------------------------------------- 55. ITC supports the proposed informational filing but states that the Commission should widen the scope of the informational filing to assess the benefits of extending Reliability Standard CIP-014-1 to all ``High Impact'' and ``Medium Impact'' BES Cyber Assets. ITC states that the definition of ``critical'' assets is insufficiently comprehensive because it fails to provide physical security for facilities that contain crucial Cyber Assets. ITC further states that identifying critical facilities under Requirement R1 is unnecessary because applicable entities already have a list of facilities containing ``High Impact'' and ``Medium Impact'' Cyber Assets, which could also serve as the list of critical facilities for the purposes of Reliability Standard CIP-014-1. SIA agrees that Requirement R1 should be modified to include all ``High Impact'' control centers. 56. Commenters opposed to the NOPR proposal contend that the informational filing is unnecessary or would be burdensome.\54\ Trade Associations state that Reliability Standard CIP-014-1 correctly focuses on the protection of primary control centers that operationally control transmission stations or substations identified under Requirement R1. Idaho Power states that Reliability Standard CIP-006-5 contains enough physical access controls to meet the expectations of ``deter, detect, delay, assess, communicate, and respond'' because there are extensive monitoring and alerting requirements that must be applied to all ``High Impact'' control centers. Reclamation states that Reliability Standard CIP-014-1 will capture all ``High Impact'' control centers as currently drafted. Pepco states that an informational filing would divert resources from implementation and compliance with Reliability Standard CIP-014-1. --------------------------------------------------------------------------- \54\ Trade Associations Comments at 12; Pepco Comments at 7. --------------------------------------------------------------------------- Commission Determination 57. The Commission adopts the NOPR proposal and directs NERC to submit an informational filing that addresses whether there is a need for consistent treatment of ``High Impact'' control centers for cybersecurity and physical security purposes through the development of Reliability Standards that afford physical protection to all ``High Impact'' control centers. The Commission, however, modifies the NOPR proposal and extends the due date for the informational filing to two years following the effective date of Reliability Standard CIP-014-1. 58. While we approve Reliability Standard CIP-014-1 in this final rule, including the Reliability Standard's treatment of control centers, the Commission, for the reasons set forth in the NOPR, finds that NERC should assess whether all ``High Impact'' control centers should be protected under Reliability Standard CIP-014-1.\55\ We recognize that NERC and applicable entities will be in a better position to provide this assessment after implementation of Reliability Standard CIP-014-1 and Reliability Standard CIP-006-5, the latter of which provides some physical protection to ``High Impact'' control centers. Accordingly, the Commission directs NERC to submit the informational filing two years following the effective date of Reliability Standard CIP-014-1. The Commission, while not directing NERC to submit the informational filing as CEII, recognizes the concerns raised by commenters regarding confidentiality. The Commission expects NERC to prepare the informational filing and submit it in such a way as to protect any critical information from public disclosure. --------------------------------------------------------------------------- \55\ See NOPR, 148 FERC ] 61,040 at PP 35-39. --------------------------------------------------------------------------- 59. At this time, the Commission will not direct NERC to address in the informational filing whether all ``High Impact'' and ``Medium Impact'' BES Cyber Assets should be considered critical for the purposes of Reliability Standard CIP-014, Requirement R1. We are sympathetic to several points raised in ITC's comments, which echo some of the statements in the NOPR. However, as stated in the NOPR, the basis for directing an informational filing regarding control centers is found in the March 7 Order, where the Commission stated that it ``expects that critical facilities generally will include, but not be limited to, critical substations and critical control centers.'' \56\ While NERC explained why not all ``High Impact'' control centers may be critical for the purposes of Reliability Standard CIP-014-1, we conclude that this issue requires close attention and should be addressed in the informational filing. The broader concerns raised by ITC regarding the scope of Requirement R1 can be evaluated by NERC and industry as part of the implementation process. As we noted above, the Commission will devote resources to compliance with and enforcement of Reliability Standard CIP-014-1 to ensure that all critical facilities are identified pursuant to Requirement R1. Should the Commission find through these efforts, or through the post-implementation reports and informational filing that NERC will submit, that Requirement R1 as currently written is not capturing all critical facilities, then the Commission will act upon that information. --------------------------------------------------------------------------- \56\ NOPR, 148 FERC ] 61,040 at P 44 (quoting March 7 Order, 146 FERC ] 61,166 at P 6 n.6). --------------------------------------------------------------------------- D. Informational Filing on Resiliency March 7 Order 60. In the March 7 Order, the Commission stated that the development of physical security Reliability Standards ``will help provide for the resiliency and reliable operation of the Bulk-Power System. To that end, the proposed Reliability Standards should allow owners or operators to consider resiliency of the grid in the risk assessment when identifying critical facilities, and the elements that make up those facilities, such as transformers that typically require significant time to repair or replace. As part of this process, owners or operators may consider elements of resiliency such as how the system is designed, operated, and [[Page 70076]] maintained, and the sophistication of recovery plans and inventory management.'' \57\ --------------------------------------------------------------------------- \57\ March 7 Order, 146 FERC ] 61,166 at P 7. --------------------------------------------------------------------------- NERC Petition 61. Reliability Standard CIP-014-1 mentions resiliency in Requirement R5, stating in Requirement R5.1 that the physical security plans that entities develop shall include, among other attributes: ``Resiliency or security measures designed collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified during the evaluation conducted in Requirement R4.'' The NERC petition describes Requirement R5.1, with regard to resiliency, as referring to ``steps an entity may take that, while not specifically targeted as hardening the physical security of the site, help to decrease the potential adverse impact of a physical attack . . . including modifications to system topology or the construction of a new Transmission station . . . that would lessen the criticality of the facility.'' \58\ --------------------------------------------------------------------------- \58\ NERC Petition at 42. --------------------------------------------------------------------------- NOPR 62. The NOPR stated that the NERC petition describes resiliency measures that could be included in the required physical security plans. The NOPR also stated, however, that specific resiliency measures are not required by Reliability Standard CIP-014-1, which is consistent with the March 7 Order. Instead, the NOPR noted that Reliability Standard CIP-014-1 allows the security plans to be flexible in order to meet different threats and protect varying Bulk-Power System configurations. 63. The NOPR stated that resiliency is as, or even more, important than physical security given that physical security cannot protect against all possible attacks. The NOPR also stated that, in the case of the loss of a substation, the Bulk-Power System may depend on resiliency to minimize the impact of the loss of facilities and restore blacked-out portions of the Bulk-Power System as quickly as possible. The NOPR further stated that some entities may implement resiliency measures rather than security measures, such as by adding facilities or operating procedures that reduce or eliminate the importance of existing critical facilities, which could significantly improve reliability and resiliency. 64. The NOPR stated that the NERC petition indicated that the NERC Board of Trustees expects NERC management to monitor and assess the implementation of Reliability Standard CIP-014-1 on an ongoing basis, which would include: The number of assets identified as critical under the Reliability Standard; the defining characteristics of the assets identified as critical; the scope of security plans (i.e., the types of security and resiliency measures contemplated under the various security plans); the timelines included in the security plan for implementing the security and resiliency measures; and industry progress in implementing the Reliability Standard. The NOPR also stated that NERC explained that this information could be used to provide regular updates to Commission staff.\59\ The NOPR proposed to rely on NERC's ongoing assessment of Reliability Standard CIP-014-1's implementation and to require NERC to make such information available to Commission staff upon request. --------------------------------------------------------------------------- \59\ NOPR, 148 FERC ] 61,040 at P 56. --------------------------------------------------------------------------- 65. In addition, the NOPR proposed to direct NERC to submit an informational filing that addresses the resiliency of the Bulk-Power System when confronted with the loss of critical facilities. The NOPR stated that the informational filing should explore what steps can be taken, in addition to those required by Reliability Standard CIP-014-1, to maintain the reliable operation of the Bulk-Power System when faced with the loss or degradation of critical facilities. The NOPR proposed to direct NERC to submit the informational filing within one year after the effective date of the final rule in this proceeding.\60\ --------------------------------------------------------------------------- \60\ NERC issued a report on severe impact resilience in 2012. See NERC, Severe Impact Resilience: Considerations and Recommendations (May 2012), available at https://www.nerc.com/comm/OC/SIRTF%20Related%20Files%20DL/SIRTF_Final_May_9_2012-Board_Accepted.pdf. The NOPR stated that the proposed informational filing could draw on the report but should also reflect subsequent work and development on this topic, particularly including supply chain, transporting and other logistical issues for equipment such as large transformers. NOPR, 148 FERC ] 61,040 at P 57. --------------------------------------------------------------------------- Comments 66. NERC requests that the Commission not direct it to submit an informational filing on resiliency. NERC contends that an informational filing on resiliency would divert resources from NERC's oversight of the implementation of Reliability Standard CIP-014-1 and NERC's efforts to assess the Reliability Standard's effectiveness. NERC states that it will monitor and assess implementation of Reliability Standard CIP-014- 1, as described in NERC's petition, and will prepare two initial reports for the NERC Board of Trustees, the first report being submitted three months following implementation of Requirements R1, R2 and R3 and the second report being submitted three months after implementation of Requirements R4, R5 and R6. With respect to the second report, NERC states that ``[g]iven the NOPR's discussion of resiliency, this report will pay particular attention to the resiliency measures included in entities' security plans.'' \61\ NERC further states that it commits to provide both reports to Commission staff. --------------------------------------------------------------------------- \61\ NERC Comments at 28. --------------------------------------------------------------------------- 67. Pepco does not support the proposed informational filing because of the burden Pepco contends it would impose on NERC and registered entities, including diverting resources from the implementation of Reliability Standard CIP-014-1. Pepco asserts that resiliency is already addressed in Reliability Standard CIP-014-1. 68. SDG&E, MISO and Idaho Power support directing NERC to submit the proposed informational filing on resiliency as a way of determining next steps for enhancing the reliability of the Bulk-Power System.\62\ --------------------------------------------------------------------------- \62\ See SDG&E Comments at 5; MISO Comments at 6-7; Idaho Power Comments at 4; see also Paschall Comments at 2. --------------------------------------------------------------------------- 69. Other commenters, including Associations, while generally agreeing that the issue of resiliency needs to be considered, recommend that the Commission convene a technical conference rather than require NERC to submit an informational filing because, they maintain, a technical conference would be more effective.\63\ --------------------------------------------------------------------------- \63\ See Associations Comments at 17; KCP&L Comments at 6-7; SCE Comments at 4; Trade Associations Comments at 13-14; GridWise Comments at 3. --------------------------------------------------------------------------- Commission Determination 70. The Commission determines not to adopt the NOPR proposal requiring NERC to submit an informational filing concerning resiliency of the Bulk-Power System. While commenters expressed differing views on whether an informational filing is needed, the comments recognized the importance of Bulk-Power System resiliency. In addition, NERC committed to providing the Commission with two reports following implementation of Reliability Standard CIP-014-1, which, NERC indicates, will address the issue of resiliency. 71. Rather than require NERC to submit an informational filing at this time, the Commission will review the NERC reports and will consider ways for industry to best inform the Commission of its current and future [[Page 70077]] resiliency efforts, which could take the form of reports and/or technical conferences to address specific areas of concern (e.g., spare parts, fuel security, and advanced technologies). E. Third-Party Verification and Review March 7 Order 72. In the March 7 Order, the Commission stated that ``the risk assessment used by an owner or operator to identify critical facilities should be verified by an entity other than the owner or operator . . . [and] [s]imilarly, the determination of threats and vulnerabilities and the security plan should also be reviewed by NERC, the relevant Regional Entity, the Reliability Coordinator, or another entity with appropriate expertise.'' \64\ --------------------------------------------------------------------------- \64\ March 7 Order, 146 FERC ] 61,166 at P 11. --------------------------------------------------------------------------- NERC Petition 73. Requirement R2 of Reliability Standard CIP-014-1 requires transmission owners to have their risk assessments verified by an unaffiliated third party. Requirement R6, likewise, requires each transmission owner and transmission operator to have their vulnerability and threat assessment(s) along with their security plan(s) for any critical facilities reviewed by an unaffiliated third party. 74. Regarding how an applicable entity is supposed to address any recommendations by a third-party verifier, Reliability Standard CIP- 014-1, in Requirement R2.3, states that the transmission owner must either (a) ``modify its identification . . . consistent with the recommendation'' or (b) ``document the technical basis for not modifying the identification in accordance with the recommendation.'' Similarly, Requirement R6.3 sets forth the procedure for considering any recommendations from the reviewing entity as to the threat assessments and security plans: The applicable entity must either (a) ``modify its evaluation or security plan(s) consistent with the recommendation'' or (b) ``document the reason(s) for not modifying the evaluation or security plan(s) consistent with the recommendation.'' 75. NERC states that ``[r]equiring documentation of the technical basis for not modifying the identification in accordance with the recommendation will help ensure that a Transmission Owner meaningfully considers the verifier's recommendations and follows those recommendations unless it can technically justify its reasons for not doing so. To comply with Part 2.3, the technical justification must be sound and based on acceptable approaches to conducting transmission analyses.'' \65\ The NERC petition contains a similar explanation for the third-party review (Requirement R6) of the threat assessments and security plans mandated in Requirements R4 and R5.\66\ --------------------------------------------------------------------------- \65\ NERC Petition at 36. \66\ Id. at 50. --------------------------------------------------------------------------- NOPR 76. The NOPR proposed to approve the third-party verification and review method proposed by NERC in Requirements R2 and R6. The NOPR stated that failure to provide a written, technically justifiable reason for rejecting a third-party recommendation would render the applicable entity non-compliant. With that understanding, the NOPR proposed to approve NERC's proposed third-party verification and review in Requirements R2 and R6 of Reliability Standard CIP-014-1 as an equally efficient and effective alternative to the directive in the March 7 Order. Comments 77. NERC states that it supports the NOPR proposal. NERC states that third-party verification and review will provide another layer of expertise and independence to the identification of critical assets, the evaluation of threats and vulnerabilities, and the development of effective security plans. NERC reiterates that an applicable entity's failure to provide a reasonable, written explanation for declining to follow a third-party recommendation would constitute non-compliance. 78. MISO, Reclamation, KCP&L, ITC, and G&T Cooperatives support the NOPR proposal but each suggest modifications or request clarification of Reliability Standard CIP-014-1.\67\ --------------------------------------------------------------------------- \67\ See also Paschall Comments at 2; Foundation Comments at 7. --------------------------------------------------------------------------- 79. MISO states that entities like itself, that are both reliability coordinators and planning coordinators, may be subject to substantial, simultaneous demands by many transmission owners for concurrent verification of risk assessments. MISO notes that Requirement R2.2 requires applicable entities to have their risk assessment verified within 90 days of completion of the risk assessment. MISO states that firm adherence to the 90-day deadline could undermine the protections in Reliability Standard CIP-014-1 by requiring verifying entities (e.g., MISO) to conduct hurried or shorter-than-optimal assessments. Accordingly, MISO seeks clarification that NERC has the discretion to extend the implementation deadline, especially with respect to the 90-day verification deadline in Requirement R2.2. Likewise, G&T Cooperatives, NIPSCO and KCP&L state that there should be flexibility regarding the 90-day deadline because of the limited pool of qualified third-party verifiers. 80. Reclamation states that transmission owners should have discretion to make decisions regarding third-party recommendations based on cost and risk analyses. Reclamation also states that Requirement 2.1 should be modified to require that third-party verifications be conducted by a transmission owner's planning coordinator or transmission planner. If the transmission owner is also the planning coordinator and transmission planner, then Reclamation states that the verification should be conducted by the reliability coordinator. 81. KCP&L states that NERC should develop a pre-approved list of qualified third-party contractors or require third parties to register with NERC. KCP&L also seeks clarification that an independent system operator (ISO) or regional transmission operator (RTO) concurrent with its role as reliability coordinator could provide third-party review services. KCP&L states that it does not oppose having an RTO that is also a reliability coordinator or planning coordinator serve as a third-party reviewer but would not support a mandate requiring a specific third-party reviewer. KCP&L also seeks clarification of the meaning of the phrase ``unaffiliated third-party.'' 82. ITC states that the Commission should ``confirm that the verification of a responsible entity's risk assessment, threat assessment, and security plan, as specified in Requirements R2 and R6, constitutes full compliance by that responsible entity with respect to the risk assessment and security plan.'' \68\ --------------------------------------------------------------------------- \68\ ITC Comments at 10. --------------------------------------------------------------------------- 83. NIPSCO, TVA and Idaho Power do not support the NOPR proposal. NIPSCO contends that third-party verification is ``inconsistent with the approach to entity self-assessment applied in other Reliability Standards'' and notes that the Version 5 CIP Reliability Standards do not include a provision for third-party review.\69\ NIPSCO also contends that the use of third parties could raise confidentiality concerns. Idaho Power maintains that the proposal should not be adopted because it does not require third parties to include a written or technical justification with their recommendations. Idaho Power also [[Page 70078]] states that ``if a third-party verification and review process is incorporated in to the Standard, it should clearly describe the specific methodology and performance criteria to be applied.'' \70\ TVA states that FPA section 215 does not contemplate the use of third-party verifiers and reviewers acting in an enforcement role. TVA also contends that Reliability Standard CIP-014-1 does not contain any qualification criteria that third-party verifiers and reviewers must meet. TVA further states that using third-party verifiers and reviewers could compromise the confidentiality of critical information. --------------------------------------------------------------------------- \69\ NIPSCO Comments at 2. \70\ Idaho Power Comments at 3-4. --------------------------------------------------------------------------- Commission Determination 84. We adopt the NOPR proposal and approve the third-party verification and review provisions found in Requirements R2 and R6 of Reliability Standard CIP-014-1. These provisions, as stated by NERC, provide an important, independent layer of expertise in the identification, assessment and protection of critical facilities. 85. We disagree with the arguments raised in the comments submitted by NIPSCO, TVA and Idaho Power. The use of third-party verification and review in Reliability Standard CIP-014-1 is not inconsistent with other Commission-approved Reliability Standards merely because third-party review is not used in other Reliability Standards. NIPSCO is correct that the Version 5 CIP Reliability Standards do not include third-party review provisions. However, as NIPSCO acknowledges, the Version 5 CIP Reliability Standards contain bright-line criteria that guide the determinations made by applicable entities in identifying BES Cyber Assets.\71\ By contrast, Reliability Standard CIP-014-1 contains no such criteria and instead requires applicable entities to develop their own analysis. In addition, the threat evaluation in Requirement R4 and security plan in Requirement R6 involve areas of expertise that applicable entities in the electric industry may not possess and thus would strongly benefit from the experience of qualified third parties. --------------------------------------------------------------------------- \71\ We also note that in Order No. 706, the Commission directed NERC to develop an external review procedure for the identification of critical assets by responsible entities. See Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 122 FERC ] 61,040, at PP 322-329, order on reh'g, Order No. 706-A, 123 FERC ] 61,174 (2008), order on clarification, Order No. 706-B, 126 FERC ] 61,229 (2009), order on clarification, Order No. 706-C, 127 FERC ] 61,273 (2009). --------------------------------------------------------------------------- 86. Similarly, we disagree with TVA that the use of third-party verifiers and reviewers is inconsistent with FPA section 215. As discussed above, we reject TVA's view that third-party verifiers and reviewers will be acting in an enforcement capacity. These third parties will have no authority to determine whether an applicable entity has violated a requirement of Reliability Standard CIP-014-1, require compliance, or issue penalties. Moreover, as stated in the NOPR, an applicable entity in some cases could be found to be in violation of a requirement even if the applicable entity's actions were verified by a third party.\72\ We also determine that the requirements in Reliability Standard CIP-014-1 (i.e., Requirements R2.1 and R6.1) establishing the qualifications for third-party verifiers and reviewers are sufficient. As discussed below, as Reliability Standard CIP-014-1 is implemented, we are satisfied that NERC and Regional Entities will provide additional assistance to applicable entities to identify qualified third-party verifiers and reviewers if the need arises. We are also satisfied that Requirements R2.4 and R6.4 provide adequate protection against the disclosure of sensitive or confidential information. --------------------------------------------------------------------------- \72\ NOPR, 148 FERC ] 61,040 at P 23. --------------------------------------------------------------------------- 87. In response to Idaho Power's concern, we expect that third- party verifiers and reviewers will articulate a reasonable basis for their recommendations. The absence of such a basis for a recommendation could justify an applicable entity's decision to decline to adopt the recommendation. We also see no reason to include in Reliability Standard CIP-014-1 ``specific methodology and performance criteria'' for third-party verification and review beyond what is already contained in the requirements and compliance measures recited in the Reliability Standard. 88. With respect to the other comments, there is no evidence in the record to support the conclusion that an insufficient number of qualified third-party verifiers and reviewers exists such that applicable entities will be unable to meet the 90-day deadline in Requirements R2 and R6. To the extent an applicable entity requires additional time to comply, that situation should be addressed on a case-by-case basis.\73\ Reclamation has not explained why Requirement R2.1 should be modified to require that a transmission owner use its planning coordinator or transmission planner as a verifier, and thus we reject that proposal. In addition, addressing Reclamation's second point, while risk and cost could be aspects of an applicable entity's technical justification for declining to follow a third-party recommendation, ultimately there must be a sufficient objective basis in the justification document from which to determine that the applicable entity acted reasonably in declining to follow the recommendation. --------------------------------------------------------------------------- \73\ For similar reasons, we reject Entergy's suggestion that Reliability Standard CIP-014-1 include language providing for flexibility concerning delays in compliance with deadlines contained in the Reliability Standard due to acts of nature. See Entergy Comments at 1. --------------------------------------------------------------------------- 89. With respect to KCP&L's comments, there may be value in NERC developing a list of qualified third-party verifiers and reviewers or otherwise requiring some form of registration process for third-party verifiers and reviewers. The Commission, however, will not direct NERC to do so at this time. We expect that NERC could, as Reliability Standard CIP-014-1 is implemented, pursue or, if necessary, propose such an effort if warranted. Indeed, Reliability Standard CIP-014-1 appears to contemplate such a role for NERC by indicating in Requirement R6.1 that an entity is qualified to serve as a reviewer if ``approved by the ERO.'' In addition, we see no reason why an ISO or RTO could not serve as a third-party verifier or reviewer provided it satisfies the qualifications stated in Requirements R2.1 and R6.1. We also conclude that the term ``unaffiliated third party'' is sufficiently clear. As NERC stated in its petition, ``the term `unaffiliated' means that the selected verifying entity cannot be a corporate affiliate (i.e., the verifying entity cannot be an entity that corporately controls, is controlled by or is under common control with, the Transmission Owner). The verifying entity also cannot be a division of the Transmission Owner that operates as a functional unit.'' \74\ KCP&L does not indicate what, in this explanation, is ambiguous or requires clarification. --------------------------------------------------------------------------- \74\ NERC Petition at 34-35. --------------------------------------------------------------------------- 90. With respect to ITC's comment, third-party verification under Requirement R2 adds an important layer of expertise and independence in the identification of critical facilities. However, verification under Requirement R2 is not intended to and, indeed, cannot cure an applicable entity's failure to comply with Requirement R1 if it is determined by the compliance enforcement authority that the applicable entity failed to do so, a situation that ITC concedes could [[Page 70079]] happen.\75\ We anticipate that a properly verified critical facility list will normally result in compliance with Requirement R1, but the Commission cannot foreclose the possibility that that may not be the case.\76\ --------------------------------------------------------------------------- \75\ ITC Comments at 9 (``ITC further doesn't disagree that, in extremely dire circumstances, a risk assessment which has been verified by a third-party may nonetheless be so deficient (and the third-party review be similarly inadequate) that it could be considered non-compliant.''); see also NERC Petition at 37 (``If, in the course of assessing an entity's compliance with the proposed Reliability Standard, NERC, a Regional Entity, or FERC finds that the entity's transmission analysis was patently deficient and that the Requirement R2 verification process did not cure those deficiencies, they could use their enforcement authority to compel Transmission Owners to re-perform the risk assessment using assumptions designed to identify the appropriate critical facilities.''). \76\ See Order No. 706, 122 FERC ] 61,040 at P 320 (denying ``safe harbor'' for good faith compliance with CIP Reliability Standards). --------------------------------------------------------------------------- F. Generators March 7 Order 91. The March 7 Order did not direct NERC to make the physical security Reliability Standards applicable to specific functional entity types. The March 7 Order stated that ``some of the requirements imposed by these newly proposed Reliability Standards may best be performed by the owner and other activity may best be performed by the operator,'' and that NERC should clearly indicate which entity is responsible for each requirement.\77\ With regard to the applicable types of facilities, the Commission stated that it ``is not requiring NERC to adopt a specific type of risk assessment, nor is the Commission requiring that a mandatory number of facilities be identified as critical facilities under the Reliability Standards.'' \78\ --------------------------------------------------------------------------- \77\ March 7 Order, 146 FERC ] 61,166 at P 6, n.4. \78\ Id. P 6. --------------------------------------------------------------------------- NERC Petition 92. In explaining why the Reliability Standard does not include generator owners and generator operators as applicable entities, the standard drafting team found that: it was not necessary to include Generator Operators and Generator Owners in the Reliability Standard. First, Transmission stations or Transmission substations interconnecting generation facilities are considered when determining applicability. Transmission Owners will consider those Transmission stations and Transmission substations that include a Transmission station on the high side of the Generator Step-up transformer (GSU) using Applicability Section 4.1.1.1 and 4.1.1.2 . . . Second, the transmission analysis or analyses conducted under Requirement R1 should take into account the impact of the loss of generation connected to applicable Transmission stations or Transmission substations. Additionally, the [March 7] order does not explicitly mention generation assets and is reasonably understood to focus on the most critical Transmission Facilities.\79\ --------------------------------------------------------------------------- \79\ NERC Petition, Exhibit A (Proposed Reliability Standard) at 23. The standard drafting team provided the following example: ``a Transmission station or Transmission substation identified as a Transmission Owner facility that interconnects generation will be subject to the Requirement R1 risk assessment if it operates at 500 kV or greater or if it is connected at 200 kV-499 kV to three or more other Transmission stations or Transmission substations and has an `aggregate weighted value' exceeding 3000 according to the table in Applicability Section 4.1.1.2.'' Id. at 23. 93. NERC explains that generator owners and generator operators were not included in the applicability section because, ``while the loss of a generator facility due to a physical attack may have local reliability effects, the loss of the facility is unlikely to have the widespread, uncontrollable impact'' contemplated for loss of a critical facility in the March 7 Order.\80\ NERC maintains that a ``generation facility does not have the same critical functionality as certain Transmission stations and Transmission substations due to the limited size of generating plants, the availability of other generation capacity connected to the grid, and planned resilience of the transmission system to react to the loss of a generation facility.'' \81\ --------------------------------------------------------------------------- \80\ NERC Petition at 22. \81\ Id. --------------------------------------------------------------------------- NOPR 94. The NOPR proposed to approve the applicability section of the Reliability Standard CIP-014-1 without the inclusion of generator owners and generator operators. The NOPR stated that omitting generator owners and generator operators from the applicability section is consistent with the March 7 Order. The NOPR affirmed the statement in the March 7 Order that the ``number of facilities identified as critical will be relatively small compared to the number of facilities that comprise the Bulk-Power System.'' \82\ The NOPR proposed to accept NERC's justification for excluding generator owners and operators because it is in keeping with the March 7 Order's focus on protecting the most critical facilities. The NOPR stated that, according to NERC, a generation facility ``does not have the same critical functionality as certain Transmission stations and Transmission substations due to the limited size of generating plants, the availability of other generation capacity connected to the grid, and planned resilience of the transmission system to react to the loss of a generation facility.'' \83\ The NOPR also noted that Requirement R1 mandates a transmission analysis that accounts for transmission owner- or transmission operator-owned substations that connect generating stations to the Bulk-Power System with step-up transformers. --------------------------------------------------------------------------- \82\ NOPR, 148 FERC ] 61,040 at P 44 (quoting March 7 Order, 146 FERC ] 61,166 at P 12). \83\ NOPR, 148 FERC ] 61,040 at P 45 (quoting NERC Petition at 22). --------------------------------------------------------------------------- 95. While proposing to accept the applicability section of the proposed Reliability Standard, the NOPR stated that NERC's proposed omission of generator owners and generator operators could potentially exempt substations owned or operated by generators. The NOPR sought comment on the potential reliability impact of excluding generator owned or operated substations. Comments 96. NERC states that it supports the NOPR proposal to approve the applicability criteria in Reliability Standard CIP-014-1 without the inclusion of generator owners and generator operators. NERC, reiterating the justification in the NERC petition, states that the loss of a generation facility is unlikely to result in critical impacts on the Bulk-Power System. 97. Associations, Trade Associations, Reclamation, G&T Cooperatives, KCP&L, Idaho Power, and APS also support the NOPR proposal.\84\ Associations' comments are representative of the comments supportive of the NOPR proposal in that Associations state that generation facilities will be considered in Reliability Standard CIP- 014-1, even without generator owners and generator operators included in the applicability criteria, because all generators interconnected to applicable transmission stations or substations will be in included in the transmission analysis under applicability sections 4.1.1.1 and 4.1.1.2. --------------------------------------------------------------------------- \84\ Associations Comments at 16-17; Trade Associations Comments at 12-13; Reclamation Comments at 1; G&T Cooperatives Comments at 13-14; KCP&L Comments at 5; Idaho Power Comments at 3; APS Comments at 4-5. --------------------------------------------------------------------------- 98. Paschall states, without elaboration, that generation facilities should be included within the scope of Reliability Standard CIP-014-1. Foundation comments that it supports Reliability Standard CIP-014-1, as modified in the NOPR, and also advocates for the inclusion of certain generation facilities in a second stage physical security Reliability Standard (discussed in Section H below). [[Page 70080]] Commission Determination 99. We adopt the NOPR proposal and approve the applicability criteria in Reliability Standard CIP-014-1 without the inclusion of generator owners and generator operators. As the Commission stated in the NOPR, we agree with NERC that a generation facility ``does not have the same critical functionality as certain Transmission stations and Transmission substations due to the limited size of generating plants, the availability of other generation capacity connected to the grid, and planned resilience of the transmission system to react to the loss of a generation facility.'' 100. Paschall provides a conclusory statement that generation facilities should be included in Reliability Standard CIP-014-1, but does not provide a rationale for this position. Thus, we find Paschall's comments unpersuasive. G. Confidentiality March 7 Order 101. The March 7 Order stated that: All three steps of compliance with the Reliability Standard described above could contain sensitive or confidential information that, if released to the public, could jeopardize the reliable operation of the Bulk-Power System. Guarding sensitive or confidential information is essential to protecting the public by discouraging attacks on critical infrastructure. Therefore, NERC should include in the Reliability Standards a procedure that will ensure confidential treatment of sensitive or confidential information but still allow for the Commission, NERC and the Regional Entities to review and inspect any information that is needed to ensure compliance with the Reliability Standards.\85\ --------------------------------------------------------------------------- \85\ March 7 Order, 146 FERC ] 61,166 at P 10. --------------------------------------------------------------------------- NERC Petition 102. Reliability Standard CIP-014-1 includes two requirements addressing the concerns over confidentiality. Requirements R2.2 and R6.4, which are substantially the same, state that ``[e]ach Transmission Owner shall implement procedures, such as the use of non- disclosure agreements, for protecting sensitive or confidential information made available to the unaffiliated third party [verifier or reviewer] and to protect or exempt sensitive or confidential information developed pursuant to this Reliability Standard from public disclosure.'' Comments 103. Associations, GridWise, Duke, Seattle, ITC, and Trade Associations state that the Commission should explicitly address the issue of confidentiality in the final rule. Associations state that the Commission should state that any data produced or collected by an RTO in accordance with a requirement of Reliability Standard CIP-014-1 are protected and should not be made available to a market monitor pursuant to a RTO tariff or market monitor agreement. Associations state that, at a minimum, a market monitor should have to make a filing with the Commission explaining the need for such information and indicating how the market monitor would protect such information from disclosure. GridWise and ITC state that they share Associations' concerns regarding confidentiality. 104. Trade Associations and Seattle comment that the final rule should contain an explicit statement that Reliability Standard CIP-014- 1 is intended to preempt any state or local public disclosure laws. SWTDUG's reply comments question the Commission's legal authority to preempt state or local public disclosure laws, as suggested by Trade Associations and Seattle, without further Congressional action. 105. Duke comments that the Commission should take all necessary steps to protect the confidential information related to the activities of applicable entities, the Commission, NERC and Regional Entities in performance of their obligations under Reliability Standard CIP-014-1. Duke states that, pursuant to the Commission's regulations, the ``disposition of each violation or alleged violation that relates to a Cybersecurity Incident or that would jeopardize the security of the Bulk-Power System if publicly disclosed shall be nonpublic unless the Commission directs otherwise.'' \86\ Duke recommends interpreting this provision to include violations of Reliability Standard CIP-014-1 or to revise the regulation to do so. Duke also maintains that: (1) The risk assessment required under Requirement R1; (2) the third-party verification performed under Requirement R2; (3) the notification provided to transmission operators under Requirement R3; (4) the evaluation of threats and vulnerabilities performed under Requirement R4; (5) the development of physical security plans performed under Requirement R5; and (6) the third-party review performed under Requirement R6 all qualify as CEII. In addition, Duke states that this information is also exempt from the Freedom of Information Act under the (b)(4) exemption for ``trade secrets and commercial or financial information obtained from a person and privileged or confidential.'' --------------------------------------------------------------------------- \86\ 18 CFR 39.7(b)(4). --------------------------------------------------------------------------- Commission Determination 106. In the March 7 Order, the Commission recognized that compliance with the contemplated physical security Reliability Standards would likely require the development or sharing of confidential or sensitive material that, if disclosed to the public, could jeopardize the reliable operation of the Bulk-Power System. As a result, the Commission directed NERC to include adequate procedures in the Reliability Standards to prevent the dissemination of confidential or sensitive information. 107. We find that NERC has included sufficient safeguards in Reliability Standard CIP-014-1 to ensure that confidential or sensitive information produced in compliance with the Reliability Standard will not be publicly disclosed. Reliability Standard CIP-014-1 includes requirements regarding the sharing of information between applicable entities and third-party verifiers and reviewers in Requirements R2.4 and R6.4. Moreover, the ``Compliance'' section of Reliability Standard CIP-014-1 provides: ``Confidentiality: To protect the confidentiality and sensitive nature of the evidence for demonstrating compliance with this standard, all evidence will be retained at the Transmission Owner's and Transmission Operator's facilities.'' 108. The Commission will take all necessary and appropriate steps, as provided for in our governing statutes and regulations, to preserve an applicable entity's confidential or sensitive information when the public disclosure of such information could jeopardize the reliable operation of the Bulk-Power System. However, we decline to address in this final rule issues of preemption or the specific mechanism for treating confidential or sensitive information. Moreover, we find that it would be inappropriate to address Associations' request concerning the disclosure of information related to compliance with Reliability Standard CIP-014-1 to market monitors pursuant to a market monitor agreement or RTO tariff. No such agreements or tariffs are before us in this rulemaking proceeding. H. Other Issues 109. Entergy seeks clarification as to whether the requirement in Reliability Standard CIP-014-1, Requirement R5 that an applicable entity ``shall develop and implement a documented physical security plan(s) that covers their [[Page 70081]] respective Transmission station(s), Transmission substation(s), and primary control center(s) . . . [and] shall be developed within 120 calendar days following the completion of Requirement R2 and executed according to the timeline specified in the physical security plan(s)'' means that the actions called for in the security plan must be completed within 120 days. We see no ambiguity in Requirement R5 as the requirement only states that the security plan, not the actions called for in the plan, must be developed within 120 calendar days. 110. Reclamation proposes that the term ``risk assessment'' in Requirement R1 of Reliability Standard CIP-014-1 be changed to ``impact assessment'' because the requirement contemplates an assessment on the impact of the loss of facilities on the stability of the bulk electric system rather than a ``risk assessment.'' Reclamation further states that, based on the generally accepted meaning of the term ``risk assessment,'' that term better correlates to Requirement R4. We see no practical reason to require NERC to modify the nomenclature used in Requirement R1. Similarly, we see no reason to require NERC to change ``risk assessment'' to ``threat risk assessment,'' as suggested by Paschall, or to require NERC to define ``risk assessment'' because the term is largely defined in Requirement R1. 111. Foundation recommends that the Commission direct NERC to begin development of a second phase physical security Reliability Standard. Foundation maintains that such a Reliability Standard would address deficiencies in Reliability Standard CIP-014-1, including the exclusion of generation facilities and certain control centers. For example, Foundation maintains that the loss of a single generation facility could cause cascading outages on the Bulk-Power System. However, for the reasons discussed in Sections C and F above, we are not persuaded that there is a sufficient factual basis at this time to direct NERC to develop a second phase physical security Reliability Standard. While we decline to direct NERC to develop a second phase physical security Reliability Standard at this time, the informational filing on ``High Impact'' control centers required in this final rule, the post- implementation reports that NERC has committed to provide to the Commission, the Commission's compliance and enforcement efforts, and other outreach with NERC, industry and the public, will inform the Commission's views going forward as to what additional steps, if any, might be required to help ensure the reliable operation of the Bulk- Power System in the face of physical security threats. I. Violation Risk Factors and Violation Severity Levels 112. Each requirement of Reliability Standard CIP-014-1 includes one violation risk factor and has an associated set of at least one violation severity level. The ranges of penalties for violations will be based on the sanctions table and supporting penalty determination process described in the Commission-approved NERC Sanction Guidelines, according to the NERC petition. The NOPR proposed to approve the violation risk factors and violation severity levels for the requirements in Reliability Standard CIP-014-1 consistent with the Commission's established guidelines.\87\ The Commission did not receive any comments regarding this aspect of the NOPR. Accordingly, the Commission approves the violation risk factors and violation severity levels for the requirements in Reliability Standard CIP-014-1. --------------------------------------------------------------------------- \87\ North American Electric Reliability Corp., 135 FERC ] 61,166 (2011). --------------------------------------------------------------------------- J. Implementation Plan and Effective Date NERC Petition 113. The NERC petition proposes that Reliability Standard CIP-014-1 become effective the ``first day of the first calendar quarter that is six months beyond the date that this standard is approved by applicable regulatory authorities'' (i.e., the effective date of a final rule in this proceeding approving the proposed Reliability Standard).\88\ NERC states that the initial risk assessment required under Requirement R1 must be completed by or before the effective date of the proposed Reliability Standard.\89\ As described in the requirements of the Reliability Standard, NERC also identifies when Requirements R2, R3, R4, R5, and R6 must be complied with following the effective date of Reliability Standard CIP-014-1. --------------------------------------------------------------------------- \88\ NERC Petition, Exhibit B (Implementation Plan) at 1. Exhibit B also delineates the completion timelines for Requirements R2 through R6. Parts 2.1, 2.2, and 2.4 of Requirement R2 shall be completed within 90 calendar days of the effective date of the Reliability Standard. Part 2.3 of Requirement R2 shall be completed within 60 calendar days of the completion of performance under Requirement R2 part 2.2. Requirement R3 shall be completed within 7 calendar days of completion of performance under Requirement R2. Requirements R4 and R5 shall be completed within 120 calendar days of completion of performance under Requirement R2. Parts 6.1, 6.2, and 6.4 of Requirement R6 shall be completed within 90 calendar days of completion of performance under Requirement R5. Part 6.3 of Requirement R6 shall be completed within 60 calendar days of Requirement R6 part 6.2. \89\ Id. --------------------------------------------------------------------------- NOPR 114. The NOPR proposed to approve NERC's implementation plan and effective date for Reliability Standard CIP-014-1. Comments 115. KCP&L states that the Commission should make it clear if the effective date of Reliability Standard CIP-014-1 will be earlier than April 2016, which KCP&L states is the effective date of Reliability Standard CIP-002-5. KCP&L states that the ``basis for determination of criticality in CIP-014-1 references the same applicability as found in the CIP-002-5 . . . [and the] potential disconnect in implementation dates may impact registered entities adversely in preparations for Critical Infrastructure Protection standards or in application of physical security improvements given the work required to identify critical assets.'' \90\ --------------------------------------------------------------------------- \90\ KCP&L Comments at 7. --------------------------------------------------------------------------- Commission Determination 116. We approve the implementation plan and effective date proposed by NERC for Reliability Standard CIP-014-1. In response to KCP&L's comment, we understand that, pursuant to the implementation plan and effective date proposed by NERC and approved herein, Reliability Standard CIP-014-1 will become effective before April 2016. III. Information Collection Statement 117. The Paperwork Reduction Act (PRA) \91\ requires each federal agency to seek and obtain Office of Management and Budget (OMB) approval before undertaking a collection of information directed to ten or more persons or contained in a rule of general applicability. OMB regulations require approval of certain information collection requirements imposed by agency rules.\92\ Upon approval of a collection(s) of information, OMB will assign an OMB control number and an expiration date. Respondents subject to the filing requirements of an agency rule will not be penalized for failing to respond to these collections of information unless the collections of information display a valid OMB control number. --------------------------------------------------------------------------- \91\ 44 U.S.C. 3501-3520. \92\ See 5 CFR 1320.10. --------------------------------------------------------------------------- [[Page 70082]] Comments 118. Associations state that developing a security plan will cost more than $19,000 per company and ``should include a more realistic estimate of costs to comply with the proposed standard because of the influence that the Commission's assessment may have on the judgment of state utility commission or other regulatory authorities determining the prudence of costs incurred to comply with the proposed standard.'' \93\ Associations also state ``that it understands that one medium- sized investor-owned utility anticipates that third-party contract support will cost approximately $270,000 for conducting transmission studies under R1, third-party verification under R2, analyses of threats under R4, and support for security plan development under R5.'' \94\ Associations further state that the Commission's estimate did not include the cost of implementing the actual security measures included in applicable entity security plan. KCP&L states that it supports Associations' comments. --------------------------------------------------------------------------- \93\ Associations Comments at 19. \94\ Id. at 19 n.19. --------------------------------------------------------------------------- Commission Determination 119. We adopt the Information Collection Statement estimates contained in the NOPR. As we have previously stated, the estimates provided in an Information Collection Statement are meant to quantify the paperwork burden imposed by a final rule.\95\ The Information Collection Statement is not intended to estimate the cost of compliance with the requirements of a Reliability Standard approved in a final rule.\96\ Associations has not explained why it believes the Commission's paperwork burden estimate is not ``realistic'' or what would be a ``realistic'' figure other than to relate, in a footnote, that it understands that an unidentified medium-sized utility anticipates that compliance with requirements of Reliability Standard CIP-014-1, rather than the paperwork burden imposed by a final rule approving the Reliability Standard, will cost approximately $270,000. Associations' comments do not provide any creditable evidence or analysis to cause us to reevaluate the paperwork burden estimate contained in the NOPR. Accordingly, as set forth below, we adopt the NOPR's Information Collection Statement burden and cost estimates. --------------------------------------------------------------------------- \95\ As defined in the PRA, ``the term ``burden'' means time, effort, or financial resources expended by persons to generate, maintain, or provide information to or for a Federal agency, including the resources expended for--(A) reviewing instructions; (B) acquiring, installing, and utilizing technology and systems; (C) adjusting the existing ways to comply with any previously applicable instructions and requirements; (D) searching data sources; (E) completing and reviewing the collection of information; and (F) transmitting, or otherwise disclosing the information.'' \96\ Version 5 Critical Infrastructure Protection Reliability Standards, Order No. 791, 78 FR 72,755 (Dec. 3, 2013), 145 FERC ] 61,160, at P 235 (2013), order granting clarification in part and denying rehearing, Order No. 791-A, 146 FERC ] 61,188 (2014). --------------------------------------------------------------------------- 120. The Commission based its estimates on the number of respondents on the NERC compliance registry as of May 28, 2014. According to the registry, there are 357 transmission owners (TOs) and 197 transmission operators (TOPs). The NERC compliance registry also shows that there are only 19 transmission operators that are not also registered as a transmission owner. 121. The burden associated with the final rule is included in FERC- 725U (Mandatory Reliability Standards: Reliability Standard CIP-014, OMB Control Number 1902-0274).\97\ The following table shows the Commission's burden and cost estimates, broken down by requirement and year: --------------------------------------------------------------------------- \97\ The requirement for NERC to make the informational filing is part of the responsibilities related to being the nation-wide Electric Reliability Organization. The burden related to that filing is part of FERC-725 (OMB Control Number 1902-0225). \98\ The estimates for cost per response are derived using the following formula: Average Burden Hours per Response * XX per Hour = Average Cost per Response. The hourly cost figures are based on data for wages plus benefits from the Bureau of Labor Statistics (as of September 4, 2014) at https://www.bls.gov/oes/current/naics3_221000.htm and https://www.bls.gov/news.release/ecec.nr0.htm. The figures are rounded for the purposes of calculations in this table and are:For electrical engineers: $60.87/hr., rounded to $61/ hr. for attorneys: $128/hr. for administrative staff: $31.86/hr., rounded to $32/ hr. FERC-725U -------------------------------------------------------------------------------------------------------------------------------------------------------- Number of Average burden Total burden Requirements in reliability standard CIP- Number and type of respondents responses per Total number of hours and cost hours and total 014-1 over respondent responses per response \98\ cost years 1-3 (1).............................. (2) (1)*(2)=(3) (4) (3)*(4) -------------------------------------------------------------------------------------------------------------------------------------------------------- Year 1: R1................................... 357 TOs.......................... 1 357 20 7,140 $1,220 $435,540 R2................................... 357 TOs.......................... 1 357 34 12,138 $2,342 $836,094 R3................................... 2 TOPs........................... 1 2 1 2 $128 $256 R4................................... 30 TOs........................... 1 32 80 2,560 2 TOPs........................... ................. ................. $4,880 $156,160 R5................................... 30 TOs........................... 1 32 320 10,240 2 TOPs........................... ................. ................. $19,520 $624,640 R6................................... 30 TOs........................... 1 32 304 9,728 2 TOPs........................... ................. ................. $18,812 $601,984 Record Retention......................... 357 TOs.......................... 1 359 2 718 2 TOPs........................... ................. ................. $64 $22,976 Year 2: Record Retention..................... 357 TOs.......................... 1 359 2 718 2 TOPs........................... ................. ................. $64 $22,976 Year 3: R1................................... 30 TOs........................... 1 30 20 600 ................................. ................. ................. $1,220 $36,600 R2................................... 30 TOs........................... 1 30 34 1,029 [[Page 70083]] ................................. ................. ................. $2,342 $70,260 R3................................... 2 TOPs........................... 1 2 1 2 ................................. ................. ................. $128 $256 R4................................... 30 TOs........................... 1 32 80 2,560 2 TOPs........................... ................. ................. $4,880 $156,160 R5................................... 30 TOs........................... 1 32 80 2,560 2 TOPs........................... ................. ................. $4,880 $156,160 R6................................... 30 TOs........................... 1 32 134 4,288 2 TOPs........................... ................. ................. $8,442 $270,144 Record Retention..................... 357 TOs.......................... 1 359 2 718 2 TOPs........................... ................. ................. $64 $22,976 ------------------ Year 1 Total..................... ................................. ................. ................. ................. 42,526 ................................. ................. ................. ................. $2,677,650 Year 2 Total..................... ................................. ................. ................. ................. 718 ................................. ................. ................. ................. $22,976 Year 3 Total..................... ................................. ................. ................. ................. 11,748 ................................. ................. ................. ................. $712,556 ------------------ TOTAL (for Years 1-3)........ ................................. ................. ................. ................. 54,992 ................................. ................. ................. ................. $3,413,182 -------------------------------------------------------------------------------------------------------------------------------------------------------- 122. In arriving at the figures in the above table, the Commission made the following assumptions: a. Requirement R1: We assume that responsible entities will complete the required risk assessment at approximately the same time as they complete the assessments required under the existing TPL Reliability Standards. Accordingly, the burden for Reliability Standard CIP-014-1 only represents the documentation required in addition to what entities currently prepare. Conservatively, we assume that in the first year all transmission owners and transmission operators will complete the required risk assessment.\99\ In the third year, we assume that only 30 transmission operators will be required to do another risk assessment and that the entities with critical facilities after the first risk assessment will still have critical facilities after the second risk assessment. --------------------------------------------------------------------------- \99\ While it is likely that only large transmission owners and transmission operators will have critical facilities under Requirement R1, the Commission's estimate includes all transmission owners and operators because reliable data on what percentage of large owners and operators control critical facilities is unavailable. --------------------------------------------------------------------------- b. Requirement R5: We assume that developing physical security plans in the first year will be more time consuming than in later years because in later years the plans will likely only need to be updated. 123. Title: FERC-725U, Mandatory Reliability Standards: Reliability Standard CIP-014-1. Action: Proposed Collection of Information. OMB Control No: 1902-0274. Respondents: Business or other for profit, and not for profit institutions. Frequency of Responses: Ongoing. Necessity of the Information: Reliability Standard CIP-014-1 implements the Congressional mandate of the Energy Policy Act of 2005 to develop mandatory and enforceable Reliability Standards to better ensure the reliability of the nation's Bulk-Power System. Specifically, Reliability Standard CIP-014-1 ensures that applicable entities with critical Bulk-Power System facilities develop and implement physical security plans to address physical security threats and vulnerabilities that could result in widespread instability, uncontrolled separation, or cascading within an Interconnection. Internal review: The Commission has reviewed Reliability Standard CIP-014-1 and has determined that the Reliability Standard is necessary to ensure the reliability and integrity of the nation's Bulk-Power System. 124. Interested persons may obtain information on the reporting requirements by contacting: Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426 [Attention: Ellen Brown, Office of the Executive Director, email: DataClearance@ferc.gov, Phone: (202) 502-8663, fax: (202) 273-0873]. Comments on the requirements of this rule may also be sent to the Office of Information and Regulatory Affairs, Office of Management and Budget, Washington, DC 20503 [Attention: Desk Officer for the Federal Energy Regulatory Commission]. For security reasons, comments should be sent by email to OMB at oira_submission@omb.eop.gov. Comments submitted to OMB should refer to FERC-725U and OMB Control No. 1902-0274. IV. Environmental Analysis 125. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment.\100\ The Commission has categorically excluded certain actions from this requirement as not having a significant effect on the human environment. Included in the exclusion are rules that are clarifying, corrective, or procedural or that do not substantially change the effect of the regulations being amended.\101\ The actions here fall within this categorical exclusion in the Commission's regulations. --------------------------------------------------------------------------- \100\ Order No. 486, Regulations Implementing the National Environmental Policy Act of 1969, 52 FR 47897 (Dec. 17, 1987), FERC Stats. & Regs. Regulations Preambles 1986-1990 ] 30,783 (1987). \101\ 18 CFR 380.4(a)(2)(ii). --------------------------------------------------------------------------- V. Regulatory Flexibility Act 126. The Regulatory Flexibility Act of 1980 (RFA) \102\ generally requires a description and analysis of proposed [[Page 70084]] rules that will have significant economic impact on a substantial number of small entities. --------------------------------------------------------------------------- \102\ 5 U.S.C. 601-612. --------------------------------------------------------------------------- 127. The Small Business Administration (SBA) revised its size standard (effective January 22, 2014) for electric utilities from a standard based on megawatt hours to a standard based on the number of employees, including affiliates.\103\ Under SBA's new size standards, transmission owners and transmission operators likely come under the following category and associated size threshold: Electric bulk power transmission and control, at 500 employees.\104\ --------------------------------------------------------------------------- \103\ SBA Final Rule on ``Small Business Size Standards: Utilities,'' 78 FR 77,343 (Dec. 23, 2013). \104\ 13 CFR 121.201, Sector 22, Utilities. --------------------------------------------------------------------------- 128. The NOPR stated that, based on U.S. economic census data, the approximate percentage of small firms in this category is 57 percent.\105\ The NOPR also stated that the Commission did not have information concerning how the economic census data compares with entities registered with NERC and is unable to estimate the number of small transmission owners and transmission operators using the new SBA definition. However, the NOPR stated that Reliability Standard CIP-014- 1 only applies to transmission owners and transmission operators that own and/or operate certain critical Bulk-Power System facilities. In the NOPR, the Commission stated that it believes that Reliability Standard CIP-014-1 will be applicable to a relatively small group of large entities. No comments were received addressing the Commission's proposed certification.\106\ --------------------------------------------------------------------------- \105\ NOPR, 148 FERC ] 61,040 at P 70. Data and further information are available on the SBA Web site. See SBA Firm Size Data, available at https://www.sba.gov/advocacy/849/12162. Since issuance of the NOPR, the Commission has obtained data that enables us to estimate more closely the number of small entities affected by this final rule. We now estimate that 28 percent (or 103 out of the 359 entities) are small entities. \106\ To the extent that Associations' comments, which we addressed above in the Information Collection Statement section, were also directed to the Commission's proposed certification regarding the Regulatory Flexibility Act, Associations' comments do not dispute any of the assumptions underlying the proposed certification or contest the proposed certification itself. --------------------------------------------------------------------------- 129. Accordingly, the Commission certifies that Reliability Standard CIP-014-1 will not have a significant impact on a substantial number of small entities. Accordingly, no regulatory flexibility analysis is required. VI. Document Availability 130. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the Internet through the Commission's Home Page (https://www.ferc.gov) and in the Commission's Public Reference Room during normal business hours (8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE., Room 2A, Washington DC 20426. 131. From the Commission's Home Page on the Internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number excluding the last three digits of this document in the docket number field. 132. User assistance is available for eLibrary and the Commission's Web site during normal business hours from the Commission's Online Support at 202-502-6652 (toll free at 1-866-208-3676) or email at ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502- 8371, TTY (202) 502-8659. Email the Public Reference Room at public.referenceroom@ferc.gov. VII. Effective Date and Congressional Notification 133. This final rule is effective January 26, 2015. The Commission has determined, with the concurrence of the Administrator of the Office of Information and Regulatory Affairs of OMB, that this rule is not a ``major rule'' as defined in section 351 of the Small Business Regulatory Enforcement Fairness Act of 1996.\107\ This final rule is being submitted to the Senate, House, and Government Accountability Office. --------------------------------------------------------------------------- \107\ 5 U.S.C. 804(2). By the Commission. Nathaniel J. Davis, Sr., Deputy Secretary. Note: This appendix will not appear in the Code of Federal Regulations. Appendix ------------------------------------------------------------------------ Abbreviation Commenter ------------------------------------------------------------------------ Initial Commenters ------------------------------------------------------------------------ APS............................... Arizona Public Service Company. Associations...................... Edison Electric Institute, Electric Power Supply Association, Electricity Consumers Resource Council. BPA............................... Bonneville Power Administration. CEA............................... Canadian Electricity Association. Duke.............................. Duke Energy Corporation. Entergy........................... Entergy. Foundation........................ Foundation for Resilient Societies. GridWise.......................... GridWise Alliance. G&T Cooperatives.................. Associated Electric Cooperative, Inc., Basin Electric Power Cooperative, and Tri-State Generation and Transmission Association, Inc. Idaho Power....................... Idaho Power Company. ITC............................... International Transmission Company. KCP&L............................. Kansas City Power & Light Company and KCP&L Greater Missouri Operations Company. MISO.............................. Midcontinent Independent System Operator, Inc. NARUC............................. National Association of Regulatory Utility Commissioners. NEMA.............................. National Electrical Manufactures Association. NERC.............................. North American Electric Reliability Corporation. NU................................ Utilities Northeast Utilities System. NYPSC............................. New York Public Service Commission. Ohio PUC.......................... Public Utilities Commission of Ohio. Oncor............................. Oncor Electric Delivery Company LLC. Pa PUC............................ Pennsylvania Public Utility Commission. Paschall.......................... Roger Paschall. Pepco............................. Pepco Holdings, Inc. Reclamation....................... U.S. Department of Interior, Bureau of Reclamation. Seattle........................... City of Seattle. [[Page 70085]] SCE............................... Southern California Edison. SDG&E............................. San Diego Gas & Electric. SIA............................... Security Industry Association. Southern.......................... Southern Company Services, Inc. TAPS.............................. Transmission Access Policy Study Group. TVA............................... Tennessee Valley Authority. Trade Associations................ American Public Power Association, Large Public Power Council, National Rural Electric Cooperative Association. Xcel.............................. Xcel Energy Services Inc. ------------------------------------------------------------------------ Reply Commenters ------------------------------------------------------------------------ Foundation........................ Foundation for Resilient Societies. ITC............................... International Transmission Company. NIPSCO............................ Northern Indiana Public Service Company. SmartSenseCom..................... SmartSenseCom, Inc. SWTDUG............................ Southwest Transmission Dependent Utility Group. Tallahassee....................... City of Tallahassee. ------------------------------------------------------------------------ [FR Doc. 2014-27908 Filed 11-24-14; 8:45 am] BILLING CODE 6717-01-P
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
