Revised Critical Infrastructure Protection Reliability Standards, 43354-43367 [2015-17920]

Download as PDF Lhorne on DSK7TPTVN1PROD with PROPOSALS 43354 Federal Register / Vol. 80, No. 140 / Wednesday, July 22, 2015 / Proposed Rules the alien merits a favorable exercise of discretion. (8) Adjudication. USCIS will adjudicate a provisional unlawful presence waiver application in accordance with this paragraph and section 212(a)(9)(B)(v) of the Act. If USCIS finds that the alien is not eligible for a provisional unlawful presence waiver, or if USCIS determines in its discretion that a waiver is not warranted, USCIS will deny the waiver application. Notwithstanding 8 CFR 103.2(b)(16), USCIS may deny an application for a provisional unlawful presence waiver without prior issuance of a request for evidence or notice of intent to deny. (9) Notice of decision. USCIS will notify the alien and the alien’s attorney of record or accredited representative of the decision in accordance with 8 CFR 103.2(b)(19). USCIS may notify the Department of State of the denial of an application for a provisional unlawful presence waiver. A denial is without prejudice to the alien’s filing another provisional unlawful presence waiver application under this paragraph (e), provided the alien meets all of the requirements in this part, including that the alien’s case must be pending with the Department of State. An alien also may elect to file a waiver application under paragraph (a)(1) of this section after departing the United States, appearing for his or her immigrant visa interview at the U.S. Embassy or consulate abroad, and after the Department of State determines the alien’s admissibility and eligibility for an immigrant visa. Accordingly, denial of an application for a provisional unlawful presence waiver is not a final agency action for purposes of section 10(c) of the Administrative Procedure Act, 5 U.S.C. 704. (10) Withdrawal of waiver applications. An alien may withdraw his or her application for a provisional unlawful presence waiver at any time before USCIS makes a final decision. Once the case is withdrawn, USCIS will close the case and notify the alien and his or her attorney or accredited representative. The alien may file a new application for a provisional unlawful presence waiver, in accordance with the form instructions and required fees, provided that the alien meets all of the requirements included in this paragraph (e). * * * * * (12) * * * (i) * * * (C) Is determined to be otherwise eligible for an immigrant visa by the Department of State in light of the VerDate Sep<11>2014 15:08 Jul 21, 2015 Jkt 235001 approved provisional unlawful presence waiver. (ii) Waives the alien’s inadmissibility under section 212(a)(9)(B) of the Act only for purposes of the application for an immigrant visa and admission to the United States as an immigrant based on the approved immigrant visa petition upon which a provisional unlawful presence waiver application is based or selection by the Department of State to participate in the Diversity Visa Program under section 203(c) of the Act for the fiscal year for which the alien registered, with such selection being the basis for the alien’s provisional unlawful presence waiver application; * * * * * (14) * * * (i) The Department of State determines at the time of the immigrant visa interview that the alien is ineligible to receive an immigrant visa for any reason other than under section 212(a)(9)(B)(i)(I) or (II) of the Act; * * * * * (iii) The immigrant visa registration is terminated in accordance with section 203(g) of the Act, and has not been reinstated in accordance with section 203(g) of the Act; or (iv) The alien, at any time before or after approval of a provisional unlawful presence waiver or before an immigrant visa is issued, reenters or attempts to reenter the United States without being inspected and admitted or paroled. Jeh Charles Johnson, Secretary. [FR Doc. 2015–17794 Filed 7–21–15; 8:45 am] BILLING CODE 9111–97–P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission 18 CFR Part 40 [Docket No. RM15–14–000] Revised Critical Infrastructure Protection Reliability Standards Federal Energy Regulatory Commission, Energy. ACTION: Notice of proposed rulemaking. AGENCY: The Federal Energy Regulatory Commission (Commission) proposes to approve seven critical infrastructure protection (CIP) Reliability Standards: CIP–003–6 (Security Management Controls), CIP– 004–6 (Personnel and Training), CIP– 006–6 (Physical Security of BES Cyber Systems), CIP–007–6 (Systems Security Management), CIP–009–6 (Recovery SUMMARY: PO 00000 Frm 00017 Fmt 4702 Sfmt 4702 Plans for BES Cyber Systems), CIP–010– 2 (Configuration Change Management and Vulnerability Assessments), and CIP–011–2 (Information Protection). The North American Electric Reliability Corporation (NERC) submitted the proposed Reliability Standards in response to the Commission’s Order No. 791. The proposed Reliability Standards address the cyber security of the bulk electric system and improve upon the current Commission-approved CIP Reliability Standards. In addition, the Commission proposes to direct NERC to develop certain modifications to Reliability Standard CIP–006–6 and to develop requirements addressing supply chain management. DATES: Comments are due September 21, 2015. ADDRESSES: Comments, identified by docket number, may be filed in the following ways: • Electronic Filing through http:// www.ferc.gov. Documents created electronically using word processing software should be filed in native applications or print-to-PDF format and not in a scanned format. • Mail/Hand Delivery: Those unable to file electronically may mail or handdeliver comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE., Washington, DC 20426. Instructions: For detailed instructions on submitting comments and additional information on the rulemaking process, see the Comment Procedures Section of this document. FOR FURTHER INFORMATION CONTACT: Daniel Phillips (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, (202) 502–6387, daniel.phillips@ferc.gov. Kevin Ryan (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, (202) 502–6840 kevin.ryan@ ferc.gov. SUPPLEMENTARY INFORMATION: 1. Pursuant to section 215 of the Federal Power Act (FPA),1 the Commission proposes to approve seven critical infrastructure protection (CIP) Reliability Standards: CIP–003–6 (Security Management Controls), CIP– 004–6 (Personnel and Training), CIP– 006–6 (Physical Security of BES Cyber Systems), CIP–007–6 (Systems Security Management), CIP–009–6 (Recovery Plans for BES Cyber Systems), CIP–010– 2 (Configuration Change Management 1 16 E:\FR\FM\22JYP1.SGM U.S.C. 824o. 22JYP1 Lhorne on DSK7TPTVN1PROD with PROPOSALS Federal Register / Vol. 80, No. 140 / Wednesday, July 22, 2015 / Proposed Rules and Vulnerability Assessments), and CIP–011–2 (Information Protection). The North American Electric Reliability Corporation, the Commission-certified Electric Reliability Organization (ERO), submitted the proposed Reliability Standards in response to Order No. 791.2 The Commission also proposes to approve NERC’s proposed implementation plan and violation risk factor and violation severity level assignments. In addition, we propose to approve NERC’s proposed new or revised definitions for inclusion in the NERC Glossary of Terms Used in Reliability Standards (NERC Glossary). Further, the Commission proposes to approve the retirement of Reliability Standards CIP–003–5, CIP–004–5.1, CIP–006–5, CIP–007–5, CIP–009–5, CIP– 010–1, and CIP–011–1. 2. The proposed Reliability Standards are designed to mitigate the cybersecurity risks to bulk electric system facilities, systems, and equipment, which, if destroyed, degraded, or otherwise rendered unavailable as a result of a cybersecurity incident, would affect the reliable operation of the Bulk-Power System.3 As discussed below, we believe that the proposed CIP Reliability Standards are just and reasonable and address the directives in Order No. 791 by: (1) Eliminating the ‘‘identify, assess, and correct’’ language in 17 of the CIP version 5 Standard requirements; (2) providing enhanced security controls for Low Impact assets; (3) providing controls to address the risks posed by transient electronic devices (e.g., thumb drives and laptop computers); and (4) addressing in an equally effective and efficient manner the need for a NERC Glossary definition for the term ‘‘communication networks.’’ Accordingly, we propose to approve the proposed CIP Reliability Standards because they improve the base-line cybersecurity posture of applicable entities compared to the current Commission-approved CIP Reliability Standards. 3. In addition, pursuant to FPA section 215(d)(5), the Commission proposes to direct NERC to develop certain modifications to Reliability Standard CIP–006–6. Specifically, while proposed CIP–006–6 would require protections for communication networks among a limited group of bulk electric system Control Centers, we propose to direct that NERC modify 2 Version 5 Critical Infrastructure Protection Reliability Standards, Order No. 791, 78 FR 72,755 (Dec. 3, 2013), 145 FERC ¶ 61,160 (2013), order on clarification and reh’g, Order No. 791–A, 146 FERC ¶ 61,188 (2014). 3 See NERC Petition at 3. VerDate Sep<11>2014 15:08 Jul 21, 2015 Jkt 235001 Reliability Standard CIP–006–6 to require protections for communication network components and data communicated between all bulk electric system Control Centers. In addition, we seek comment on the sufficiency of the security controls incorporated in the current CIP Reliability Standards regarding remote access used in relation to bulk electric system communications. Finally, as discussed in more detail below, we propose to direct NERC to develop requirements relating to supply chain management for industrial control system hardware, software, and services. I. Background A. Section 215 and Mandatory Reliability Standards 4. Section 215 of the FPA requires a Commission-certified ERO to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.4 Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,5 and subsequently certified NERC.6 B. Order No. 791 5. On November 22, 2013, in Order No. 791, the Commission approved the CIP version 5 Standards (Reliability Standards CIP–002–5 through CIP– 009–5, and CIP–010–1 and CIP–011–1).7 The Commission determined that the CIP version 5 Standards represented an improvement over prior iterations of the CIP Reliability Standards because, inter alia, they included a revised BES Cyber Asset categorization methodology that incorporated mandatory protections for all High, Medium, and Low Impact BES Cyber Assets, and because several new security controls improved the security posture of responsible entities.8 In addition, pursuant to section 215(d)(5) of the FPA, the Commission directed NERC to: (1) Remove the ‘‘identify, assess, and correct’’ language in 17 of the CIP Standard requirements; (2) develop enhanced security controls for U.S.C. 824o(e). Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, FERC Stats. & Regs. ¶ 31,204, order on reh’g, Order No. 672–A, FERC Stats. & Regs. ¶ 31,212 (2006). 6 North American Electric Reliability Corp., 116 FERC ¶ 61,062, order on reh’g and compliance, 117 FERC ¶ 61,126 (2006), aff’d sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009). 7 Order No. 791, 145 FERC ¶ 61,160 at P 41. 8 Id. PO 00000 4 16 5 Rules Frm 00018 Fmt 4702 Sfmt 4702 43355 Low Impact assets; (3) develop controls to protect transient electronic devices (e.g., thumb drives and laptop computers); (4) create a NERC Glossary definition for the term ‘‘communication networks,’’ and develop new or modified Reliability Standards to protect the nonprogrammable components of communications networks. 6. In addition, the Commission directed NERC to conduct a survey of Cyber Assets that are included or excluded under the new BES Cyber Asset definition and submit an informational filing within one year.9 Finally, the NOPR directed Commission staff to convene a technical conference to examine the technical issues concerning communication security, remote access, and the National Institute of Standards and Technology (NIST) Risk Management Framework.10 C. Informational Filing 7. On February 3, 2015, NERC submitted an informational filing assessing the results of a survey conducted to identify the scope of assets subject to the definition of the term BES Cyber Asset as it is applied in the CIP version 5 Standards. NERC states that the results of the survey indicate that, in general, the application of the BES Cyber Asset definition, and the 15 minute parameter in particular, resulted in the identification of BES Cyber Assets consistent with the language and intent of the CIP version 5 Standards.11 NERC maintained that the survey results demonstrate that the definition of BES Cyber Asset provides a sound basis for identifying the types of Cyber Assets that should be subject to the cyber security protections required by the CIP Reliability Standards.12 D. April 29, 2014 Technical Conference 8. On April 29, 2014, a staff-led technical conference was held pursuant to a directive in Order No. 791.13 The topics discussed at the technical conference included: (1) The adequacy of the approved CIP version 5 Standards’ protections for Bulk-Power System data being transmitted over data networks; (2) whether additional security controls are needed to protect Bulk-Power System communications networks, including remote systems access; and (3) the functional differences between the respective methods utilized for the identification, 9 Id. PP 76, 108, 136, 150. P 225. 11 See NERC Informational Filing, Docket No. RM13–5–000, at 3 (filed Feb. 3, 2015). 12 Id. 13 Order No. 791, 145 FERC ¶ 61,160 at P 225. 10 Id. E:\FR\FM\22JYP1.SGM 22JYP1 43356 Federal Register / Vol. 80, No. 140 / Wednesday, July 22, 2015 / Proposed Rules categorization, and specification of appropriate levels of protection for cyber assets using the CIP version 5 Standards as compared with those employed within the NIST Cybersecurity Framework. 9. With respect to the current state of protection for communications networks under the CIP version 5 Standards, some panelists opined that the CIP version 5 Standards lack controls to: (1) Protect communications outside of the Electronic Security Perimeter; (2) protect data in motion; (3) authenticate messages and commands to BES Cyber Assets; and (4) protect systems or communications using non routable protocols. On the subject of the adequacy of protections for Bulk-Power System data under the CIP version 5 Standards, several panelists stated that stronger measures, such as encryption, would enhance the overall protection for Bulk-Power System communications. However, other panelists also stated that encryption was not a universal solution because it could cause unacceptable latency (i.e., time delay in communications) in certain applications. 10. Regarding the need for additional security controls for Bulk-Power System communications, panelists identified a number of worthwhile steps that could be explored to enhance remote access. Suggestions included the adoption of additional physical security controls, integrity checks, encryption (in certain cases), out of bounds detection for communications links, and coordination with vendors to enhance risk management. In addition, certain panelists stated their position that the use of intermediate systems, alone, is not sufficient to address remote access concerns.14 Several panelists identified suggestions that could be explored to enhance protections for remote access, including the addition of logical or physical controls to provide additional network segmentation behind the intermediate systems.15 Lhorne on DSK7TPTVN1PROD with PROPOSALS E. NERC Petition 11. On February 13, 2015, NERC submitted a petition seeking approval of Reliability Standards CIP–003–6, CIP– 004–6, CIP–006–6, CIP–007–6, CIP– 009–6, CIP–010–2, and CIP–011–2, as well as the proposed implementation 14 An Intermediate System is defined as ‘‘A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users. The Intermediate System must not be located inside the Electronic Security Perimeter.’’ NERC Glossary at 46 (April 29, 2015). 15 See Transcript at pp. 176–177 (Kevin Perry speaking), 177–178 (Richard Kinas speaking), 178 (Dr. Andrew Wright speaking), 179 (Andrew Ginter speaking). VerDate Sep<11>2014 15:08 Jul 21, 2015 Jkt 235001 plan,16 associated violation risk factor and violation severity level assignments, proposed new or revised definitions,17 and retirement of Reliability Standards CIP–003–5, CIP–004–5.1, CIP–006–5, CIP–007–5, CIP–009–5, CIP–010–1, and CIP–011–1.18 NERC states that the proposed Reliability Standards are just, reasonable, not unduly discriminatory or preferential, and in the public interest because they satisfy the factors set forth in Order No. 672 that the Commission applies when reviewing a proposed Reliability Standard.19 NERC maintains that the proposed Reliability Standards ‘‘improve the cybersecurity protections required by the CIP Reliability Standards[.]’’ 20 12. NERC avers that the proposed CIP Reliability Standards satisfy the Commission directives in Order No. 791. Specifically, NERC states that the proposed Reliability Standards remove the ‘‘identify, assess, and correct’’ language, which represents the Commission’s preferred approach to addressing the underlying directive.21 In addition, NERC states that the proposed Reliability Standards address the Commission’s directive regarding a lack of specific controls or objective criteria for Low Impact BES Cyber Systems by requiring responsible entities ‘‘to implement cybersecurity plans for assets containing Low Impact BES Cyber Systems to meet specific security objectives relating to: (i) Cybersecurity awareness; (ii) physical security controls; (iii) electronic access controls; and (iv) Cyber Security Incident response.’’ 22 13. With regard to the Commission’s directive that NERC develop specific controls to protect transient electronic devices (e.g., thumb drives and laptop computers), NERC explains that the proposed Reliability Standards require responsible entities ‘‘to implement controls to protect transient devices proposed implementation plan is designed to match the effective dates of the proposed Reliability Standards with the effective dates of the prior versions of those Reliability Standards under the implementation plan of the CIP version 5 Standards. 17 The six new or revised definitions proposed for inclusion in the NERC Glossary are: (1) BES Cyber Asset; (2) Protected Cyber Asset; (3) Low Impact Electronic Access Point; (4) Low Impact External Routable Connectivity; (5) Removable Media; and (6) Transient Cyber Asset. 18 The proposed Reliability Standards are available on the Commission’s eLibrary document retrieval system in Docket No. RM15–14–000 and on the NERC Web site, www.nerc.com. 19 See NERC Petition at 13 and Exhibit C (citing Order No. 672, FERC Stats. & Regs. ¶ 31,204 at PP 323–335). 20 NERC Petition at 4. 21 Id. at 4, 15. 22 Id. at 5. PO 00000 16 The Frm 00019 Fmt 4702 Sfmt 4702 connected to their high impact and medium impact BES Cyber Systems and associated [Protected Cyber Assets].’’ 23 In addition, NERC states that the proposed Reliability Standards address the protection of communication networks ‘‘by requiring entities to implement security controls for nonprogrammable components of communication networks at Control Centers with high or medium impact BES Cyber Systems.’’ 24 Finally, NERC explains that it has not proposed a definition of the term ‘‘communication network’’ because the term is not used in the CIP Reliability Standards. Additionally, NERC states that ‘‘any proposed definition would need to be sufficiently broad to encompass all components in a communication network as they exist now and in the future.’’ 25 NERC concludes that the proposed Reliability Standards ‘‘meet the ultimate security objective of protecting communication networks (both programmable and nonprogrammable communication network components).’’ 26 14. Accordingly, NERC requests that the Commission approve the proposed Reliability Standards, the proposed implementation plan, the associated violation risk factor and violation severity level assignments, and the proposed new and revised definitions. NERC requests an effective date for the Reliability Standards of the later of April 1, 2016 or the first day of the first calendar quarter that is three months after the effective date of the Commission’s order approving the proposed Reliability Standard, although NERC proposes that responsible entities will not have to comply with the requirements applicable to Low Impact BES Cyber Systems (CIP–003–6, Requirement R1, Part 1.2 and Requirement R2) until April 1, 2017. II. Discussion 15. Pursuant to section 215(d)(2) of the FPA, we propose to approve Reliability Standards CIP–003–6, CIP– 004–6, CIP–006–6, CIP–007–6, CIP– 009–6, CIP–010–2 and CIP–011–2 as just, reasonable, not unduly discriminatory or preferential, and in the public interest. In addition, pursuant to FPA section 215(d)(5), we propose to direct NERC to develop certain modifications to Reliability Standard CIP–006–6 and to develop requirements addressing supply chain management. 23 Id. at 6. at 8. 25 Id. at 51–52. 26 Id. at 52. 24 Id. E:\FR\FM\22JYP1.SGM 22JYP1 Lhorne on DSK7TPTVN1PROD with PROPOSALS Federal Register / Vol. 80, No. 140 / Wednesday, July 22, 2015 / Proposed Rules 16. The proposed Reliability Standards address the Commission’s directives from Order No. 791 and are an improvement over the current Commission-approved CIP Reliability Standards. Specifically, we propose to approve the removal of the ‘‘identify, assess, and correct’’ language in certain requirements of the CIP version 5 Standards. We also propose to approve NERC’s submission regarding the protection of Low Impact BES Cyber Systems. With regard to the directive to create a NERC Glossary definition for the term ‘‘communication networks,’’ we propose to approve NERC’s proposal as an equally effective and efficient method to achieve the reliability goal underlying that directive in Order No. 791. 17. The technical controls in proposed Reliability Standard CIP–006– 6, which addresses the protection of non-programmable components of communication networks (i.e., network cabling and switches), are generally consistent with the type of controls cited by the Commission in Order No. 791.27 We are concerned, however, that the limited applicability of the proposed standard, i.e., BES Cyber Assets within the same Electronic Security Perimeter but located outside of a Physical Security Perimeter, results in a reliability gap. For the reasons discussed below, we propose to direct that NERC modify Reliability Standard CIP–006–6 to require physical or logical protections for communication network components between all bulk electric system Control Centers. 18. Separately, we are concerned that changes in the bulk electric system cyber threat landscape, identified through recent malware campaigns targeting supply chain vendors, have highlighted a gap in the protections under the CIP Reliability Standards. These malware campaigns represent a new type of threat to the reliability of the bulk electric system where malicious code can infect the software of industrial control systems used by responsible entities. Therefore, we propose to direct NERC to develop a new Reliability Standard or modified Reliability Standard to provide security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations. 19. We also propose to approve the new or revised definitions for inclusion in the NERC Glossary, and seek comment on the proposed definition for Low Impact External Routable Connectivity. Depending on the 27 See Order No. 791, 145 FERC ¶ 61,160 at P 149. VerDate Sep<11>2014 15:08 Jul 21, 2015 Jkt 235001 comments received, we may direct NERC to develop modifications to this definition to eliminate possible ambiguities and ensure that BES Cyber Assets receive adequate protection. 20. In addition, we propose to accept 19 violation risk factor and violation severity level assignments associated with the proposed Reliability Standards. Finally, we propose to approve NERC’s proposed implementation plan and effective date. Below, we discuss the following matters: (A) Identify, assess, and correct language; (B) enhanced security controls for Low Impact assets; (C) protection of Transient Devices; (D) protection of bulk electric system communication networks; (E) supply chain management; (F) proposed definitions; (G) NERC’s proposed implementation plan; and (H) proposed violation severity level and violation risk factor assignments. 43357 NERC Petition A. Identify, Assess, and Correct Language 22. In its Petition, NERC explains that it has addressed the Order No. 791 directive regarding the ‘‘identify, assess, and correct’’ language by removing the language from the 17 requirements that included the language in the CIP version 5 Standards.32 NERC states that it is addressing the concerns underlying the development of the ‘‘identify, assess, and correct’’ language through ‘‘transformation of its [Compliance Monitoring and Enforcement Program] and the implementation of a risk-based approach to compliance monitoring and enforcement activities.’’ 33 NERC explains that the changes it is making to the Compliance Monitoring and Enforcement Program, outside the text of a reliability standard, ‘‘directly accomplish the goal of the ‘identify, assess, and correct’ language by focusing ERO and industry resources on those areas that pose a more-than-minimal risk to reliability and helping to improve internal controls.’’ 34 Order No. 791 Discussion 21. In the proposed CIP version 5 Standards, NERC included language in 17 CIP requirements that would have required responsible entities to implement requirements in a manner to ‘‘identify, assess, and correct’’ deficiencies.28 In Order No. 791, the Commission concluded that the ‘‘identify, assess, and correct’’ language proposed by NERC was unclear with respect to the obligations it would impose on responsible entities, how it would be implemented by responsible entities, and how it would be enforced.29 The Commission explained that proposed Reliability Standards should be clear and unambiguous regarding what is required for compliance and who is required to comply.30 The Commission directed NERC, pursuant to section 215(d)(5) of the FPA, to develop modifications to the CIP version 5 Standards to address the Commission’s concerns with the ‘‘identify, assess, and correct’’ language. The Commission stated its preference that NERC should remove the ‘‘identify, assess, and correct’’ language from the 17 CIP version 5 requirements, while retaining the substantive provisions of those requirements.31 23. NERC’s proposal to remove the ‘‘identify, assess, and correct’’ language from the 17 requirements that included the language in the CIP version 5 Standards, while retaining the substantive provisions of those requirements, reflects the Commission’s preferred approach outlined in Order No. 791.35 Consistent with the rationale underlying the Order No. 791 directive, removing the ‘‘identify, assess, and correct’’ language avoids the possibility of inconsistent application and enforcement of the requirements at issue by eliminating the possibility of multiple interpretations of that language. 24. Accordingly, we propose to approve NERC’s removal of the ‘‘identify, assess, and correct’’ language from the 17 affected requirements. No. 791, 145 FERC ¶ 61,160 at P 44. P 67. 30 Id. P 68 (citing Mandatory Reliability Standards for the Bulk-Power System, Order No. 693, FERC Stats. & Regs. ¶ 31,242, at P 274, order on reh’g, Order No. 693–A, 120 FERC ¶ 61,053 (2007)). 31 Id. P 67 (citing Order No. 693, FERC Stats. & Regs. ¶ 31,242 at P 186). PO 00000 28 Order 29 Id. Frm 00020 Fmt 4702 Sfmt 4702 B. Enhanced Security Controls for Low Impact Assets Order No. 791 25. In Order No. 791, the Commission approved NERC’s new approach to categorizing BES Cyber Systems based on the High, Medium or Low Impact that each system could have on the reliable operation of the bulk electric system. Specifically, the Commission noted that the new tiered approach, ‘‘which requires at least a minimum classification of Low Impact for BES 32 NERC Petition at 15. at 15–16. 34 Id. at 18. 35 Order No. 791, 145 FERC ¶ 61,160 at P 67. 33 Id. E:\FR\FM\22JYP1.SGM 22JYP1 Lhorne on DSK7TPTVN1PROD with PROPOSALS 43358 Federal Register / Vol. 80, No. 140 / Wednesday, July 22, 2015 / Proposed Rules Cyber Systems, better assures the protection of assets that can cause cyber security risks to the bulk electric system.’’ 36 The Commission, however, raised concerns that the CIP version 5 Standards do not require any specific controls for BES Cyber Systems classified as Low Impact, nor do the standards contain clear, objective criteria ‘‘to judge the sufficiency of the controls ultimately adopted by responsible entities for Low Impact BES Cyber Systems.’’ 37 The Commission concluded that the lack of objective criteria to evaluate any controls adopted under proposed Reliability Standard CIP–003–5, Requirement R2 ‘‘introduces an unacceptable level of ambiguity and potential inconsistency into the compliance process,’’ resulting in an unnecessary gap in reliability.38 The Commission therefore directed NERC, pursuant to section 215(d)(5) of the FPA, to develop modifications to the CIP version 5 Standards to address the ambiguity and potential for inconsistency in the compliance process created by the lack of objective criteria pertaining to Low Impact BES Cyber Systems.39 26. While not directing NERC to develop specific controls for Low Impact BES Cyber Systems, the Commission noted that NERC could address the lack of objective criteria in a number of ways, including: (1) Requiring specific controls for Low Impact assets, including subdividing the assets into different categories with different defined controls applicable to each subcategory; (2) developing objective criteria against which the controls adopted by responsible entities can be compared and measured in order to evaluate their adequacy, including subdividing the assets into different categories with different defined control objectives applicable to each subcategory; (3) defining with greater specificity the processes that responsible entities must have for Low Impact facilities under Reliability Standard CIP–003–5, Requirement R2; or (4) another equally efficient and effective solution.40 Finally, the Commission emphasized that however NERC decides to address the Commission’s concern, ‘‘the criteria NERC proposes for evaluating a responsible entities’ protections for Low Impact facilities should be clear, objective, commensurate with their impact on the system, and technically justified.’’ 41 NERC Petition 27. In its Petition, NERC states that the revised CIP Reliability Standards include ‘‘additional specificity regarding the controls that responsible entities must implement for protecting their low impact BES Cyber Systems.’’ 42 NERC explains that proposed Reliability Standard CIP–003–6, Requirement R1 requires responsible entities to develop cyber security policies for Low Impact BES Cyber Systems ‘‘to communicate management’s expectation for cybersecurity across the organization.’’ 43 According to NERC, the cyber security policies required under proposed Reliability Standard CIP–003–6, Requirement R1 must include the four subject matter areas addressed by proposed Reliability Standard CIP–003–6, Requirement R2, Attachment 1, and must be reviewed and approved by the CIP Senior Manager at least once every 15 calendar months. NERC explains that, while a responsible entity has the flexibility to develop either a single comprehensive cyber security policy or single highlevel umbrella policy with detail provided in lower-level documents, ‘‘the purpose of these policies is to communicate the responsible entity’s management goals, objectives, and expectations for the protection of low impact BES Cyber Systems and establish a culture of security and compliance across the organization.’’ 44 28. In addition, NERC explains that proposed Reliability Standard CIP–003– 6, Requirement R2 requires responsible entities with Low Impact BES Cyber Systems to implement controls necessary to meet specific security objectives for: (1) Cyber security awareness; (2) physical security controls; (3) electronic access controls; and (4) cyber security incident response. NERC explains further that while the four topics addressed by Reliability Standard CIP–003–6, Requirement R2 are the same as those under the CIP version 5 Standards, focusing resources on the four identified subject matter areas ‘‘will have the greatest cybersecurity benefit for low impact BES Cyber Systems without diverting resources necessary for the protection of high and medium impact BES Cyber Systems.’’ 45 36 Id. 41 Id. 37 Id. P 87. P 107. 38 Id. P 108. 39 Id. P 108. 40 Id. P 108. 42 NERC VerDate Sep<11>2014 P 110. Petition at 23. 43 Id. at 24. 44 Id. at 32. 45 Id. at 25. 15:08 Jul 21, 2015 Jkt 235001 PO 00000 Frm 00021 Fmt 4702 29. NERC explains further that proposed Reliability Standard CIP–003– 6, Requirement R2 provides responsible entities with flexibility to adopt security controls for Low Impact BES Cyber Systems ‘‘in the manner that best suits the needs and characteristics of their organization, so long as the responsible entity can demonstrate that it designed its controls to meet the ultimate security objective.’’ 46 NERC states that attempts to overly prescribe specific security controls would be problematic and could inhibit the development of innovative security controls due to the diversity of Low Impact BES Cyber Systems. However, NERC explains that by having responsible entities articulate clear security objectives, ‘‘the ERO and the Commission will have a basis from which to judge the sufficiency of the controls ultimately adopted by a responsible entity.’’ 47 Discussion 30. We propose to approve proposed Reliability Standard CIP–003–6. NERC’s proposal satisfies the Commission’s Order No. 791 directive by providing responsible entities with a list of specific security objectives relevant to Low Impact BES Cyber Systems that must be addressed through one or more documented cyber security plans. Reliability Standard CIP–003–6, Requirement R2 provides clarity regarding what is expected for compliance and requires responsible entities to implement specific security controls to meet the four subject matter areas identified by NERC to address the risks associated with Low Impact BES Cyber Systems, providing enhanced protections for Low Impact assets. 31. As noted above, Attachment 1 to revised CIP–003–6, Requirement R2 identifies four topics addressed by the requirement, and describes the affirmative obligations associated with each topic, including: (1) Mandatory reinforcement of cyber security awareness practices at least once every 15 calendar months; (2) mandatory physical access controls to the asset or locations of the Low Impact BES Cyber Systems within the asset and Low Impact BES Cyber System Electronic Access Points, if any; (3) mandatory electronic access point protection to permit only necessary inbound and outbound bi-directional routable protocol access and mandatory authentication for all dialup connectivity that provides access to the Low Impact BES Cyber System; and (4) specific information to be included in 46 Id. 47 Id. Sfmt 4702 E:\FR\FM\22JYP1.SGM at 25. at 25. 22JYP1 Federal Register / Vol. 80, No. 140 / Wednesday, July 22, 2015 / Proposed Rules incident response plans. We believe that Attachment 1 provides sufficient context to evaluate objectively the effectiveness of the procedures developed by a responsible entity to implement CIP–003–6 and judge the sufficiency of the controls ultimately adopted by a responsible entity under its security plans. 32. Furthermore, we agree that NERC’s proposal to use clear security objectives in lieu of specific security controls for each Low Impact system is reasonable owing to the diversity of assets covered under the Low Impact category. With respect to the security subject matter areas covered under proposed CIP–003–6, we believe that NERC’s proposal is reasonable in relation to the risk posed by Low Impact BES Cyber Systems, as well as the diversity of systems captured by the Low Impact category. Therefore, we propose to approve proposed Reliability Standard CIP–003–6. Lhorne on DSK7TPTVN1PROD with PROPOSALS C. Protection of Transient Devices Order No. 791 33. In Order No. 791, the Commission approved the proposed definition of BES Cyber Asset that provides, in part, that ‘‘[a] Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an [Electronic Security Perimeter], a Cyber Asset within an [Electronic Security Perimeter], or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.’’ 48 While the Commission had requested comment in the CIP version 5 NOPR on whether the 30 consecutive calendar day qualifier in the proposed definition of BES Cyber Asset ‘‘could result in the introduction of malicious code or new attack vectors to an otherwise trusted and protected system,’’ 49 the Commission concluded, based on comments, that ‘‘it would be unduly burdensome to protect transient devices in the same manner as BES Cyber Assets because transient devices are portable and frequently connected and disconnected from systems.’’ 50 34. While accepting the 30-day exemption in the BES Cyber Asset definition, the Commission reiterated its concern whether the provisions of the CIP version 5 Standards ‘‘provide adequately robust protection from the risks posed by transient devices.’’ 51 48 Order No. 791, 145 FERC ¶ 61,160 at P 132. 5 Critical Infrastructure Protection Reliability Standards, 143 FERC ¶ 61,055, at P 78 (2013) (CIP Version 5 NOPR). 50 Order No. 791, 145 FERC ¶ 61,160 at P 133. 51 Id. P 132. 49 Version VerDate Sep<11>2014 15:08 Jul 21, 2015 Jkt 235001 Therefore, the Commission directed that NERC, pursuant to section 215(d)(5) of the FPA, develop either new or modified Reliability Standards to address the reliability risks posed by connecting transient devices to BES Cyber Assets and Systems. In particular, the Commission stated that it expects NERC to consider the following security elements for transient devices and removable media: (1) Device authorization as it relates to users and locations; (2) software authorization; (3) security patch management; (4) malware prevention; (5) detection controls for unauthorized physical access to a transient device; and (6) processes and procedures for connecting transient devices to systems at different security classification levels (i.e., High, Medium, Low Impact).52 NERC Petition 35. In its Petition, NERC states that the revised CIP Reliability Standards satisfy the Commission’s directive in Order No. 791 by requiring that applicable entities: (1) Develop plans and implement cybersecurity controls to protect Transient Cyber Assets and Removable Media associated with their High Impact and Medium Impact BES Cyber Systems and associated Protected Cyber Assets; and (2) train their personnel on the risks associated with using Transient Cyber Assets and Removable Media. NERC states that the purpose of the proposed revisions is to prevent unauthorized access to and use of transient devices, mitigate the risk of vulnerabilities associated with unpatched software on transient devices, and mitigate the risk of the introduction of malicious code on transient devices. NERC explains that the standard drafting team determined that the proposed requirements should only apply to transient devices associated with High and Medium Impact BES Cyber Systems, concluding that ‘‘the application of the proposed transient devices requirements to transient devices associated with low impact BES Cyber Systems was unnecessary, and likely counterproductive, given the risks low impact BES Cyber Systems present to the Bulk Electric System.’’ 53 36. NERC proposes to add two terms to the NERC Glossary, Transient Cyber Asset and Removable Media, to clarify the types of transient devices subject to the CIP Reliability Standards. NERC also proposes to revise the definitions for BES Cyber Asset and Protected Cyber Asset to remove the 30-day exemption PO 00000 as the proposed definition for Transient Cyber Assets obviates the need for the 30-day exemption language. NERC indicates that, as defined, Transient Cyber Assets and Removable Media do not provide reliability services and are not part of the BES Cyber System to which they are connected.54 37. NERC proposes to define Transient Cyber Asset as: ‘‘A Cyber Asset that (i) is capable of transmitting or transferring executable code, (ii) is not included in a BES Cyber System, (iii) is not a Protected Cyber Asset (PCA) and (iv) is directly connected (e.g., using Ethernet, serial, Universal Serial Bus, or wireless, including near field or Bluetooth communication) for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an [Electronic Security Perimeter], or a [Protected Cyber Asset].’’ NERC explains that examples of Transient Cyber Assets include but are not limited to: Diagnostic test equipment, packet sniffers, equipment used for BES Cyber System maintenance, equipment used for BES Cyber System configuration or equipment used to perform vulnerability assessments, and may include devices or platforms such as laptops, desktops or tablet computers which run applications that support BES Cyber Systems.55 38. NERC proposes to define the term Removable Media as: ‘‘Storage media that (i) are not Cyber Assets, (ii) are capable of transferring executable code, (iii) can be used to store, copy, move, or access data, and (iv) are directly connected for 30 consecutive calendar days or less to a BES Cyber Asset, a network within an [Electronic Security Perimeter] or a Protected Cyber Asset. Examples include but are not limited to floppy disks, compact disks, USB flash drives, external hard drives and other flash memory cards/drives that contain nonvolatile memory.’’ 56 39. NERC explains that proposed Reliability Standard CIP–010–2, Requirement R4 requires entities to document and implement a plan for managing and protecting Transient Cyber Assets and Removable Media in order to protect BES Cyber Systems from the risks associated with transient devices. Specifically, Requirement R4 provides that ‘‘[e]ach responsible entity for its high impact and medium impact BES Cyber Systems and associated Protected Cyber Assets, shall implement, except under CIP Exceptional Circumstances, one or more documented plans for Transient Cyber 54 Id. 52 Id. P 136. 53 NERC Petition at 34–35. Frm 00022 Fmt 4702 Sfmt 4702 43359 at 36–37. at 36. 56 Id. at 36. 55 Id. E:\FR\FM\22JYP1.SGM 22JYP1 43360 Federal Register / Vol. 80, No. 140 / Wednesday, July 22, 2015 / Proposed Rules Lhorne on DSK7TPTVN1PROD with PROPOSALS Assets and Removable Media that include the sections in Attachment 1 [to the proposed standard].’’ NERC indicates that Attachment 1 does not prescribe a standard method or set of controls that each entity must implement to protect its transient devices, but rather requires responsible entities to meet certain security objectives by implementing the controls that the responsible entity determines are necessary to meet its affirmative obligation to protect BES Cyber Systems.57 40. NERC further explains that Attachment 1 to CIP–010–2, Requirement R4 requires a responsible entity to adopt controls to address the following areas: (1) Protections for Transient Cyber Assets managed by responsible entities; (2) protections for Transient Cyber Assets managed by another party; and (3) protections for Removable Media. NERC indicates that these provisions reflect the standard drafting team’s recognition that the security controls required for a particular transient device must account for (1) the functionality of that device and (2) whether the responsible entity or a third party manages the device. NERC also states that, because Transient Cyber Assets and Removable Media have different capabilities, they present different levels of risk to the bulk electric system.58 Discussion 41. Based on our review, proposed Reliability Standard CIP–010–2 appears to provide a satisfactory level of security for transient devices used at High and Medium Impact BES Cyber Systems. As described above, proposed Reliability Standard CIP–010–2, Requirement R4 addresses the following security elements: (1) Device authorization; (2) software authorization; (3) security patch management; (4) malware prevention; and (5) unauthorized use. The proposed security controls, taken together, constitute a reasonable approach to address the reliability objectives outlined by the Commission in Order No. 791. The proposed security controls outlined in Attachment 1 should ensure that responsible entities apply multiple security controls to provide defense-in-depth protection to transient devices (i.e., transient cyber assets and removable media) in the High and Medium Impact BES Cyber System environments. 42. We are concerned, however, that NERC’s proposed revisions do not provide adequate security controls to 57 Id. 58 Id. address the risks posed by transient devices used at Low Impact BES Cyber Systems, including Low Impact control centers, due to the limited applicability of Requirement R4. We believe that this omission may result in a gap in protection for Low Impact BES Cyber Systems. For example, malware inserted via a USB flash drive at a single Low Impact substation could propagate through a network of many substations without encountering a single security control under NERC’s proposal. In addition, we note that Low Impact security controls do not provide for the use of mandatory anti-malware/ antivirus protections within the Low Impact facilities, heightening the risk that malware or malicious code could propagate through these systems without being detected. 43. We do not believe that NERC has provided an adequate justification to limit the applicability of Reliability Standard CIP–010–2. In its petition, NERC states that ‘‘the application of the proposed transient devices requirements to transient devices associated with low impact BES Cyber Systems was unnecessary, and likely counterproductive, given the risks low impact BES Cyber Systems present to the Bulk Electric System.’’ 59 Essentially, NERC posits that resources are better placed in the protection of High and Medium Impact devices. The burden of expanding the applicability of Reliability Standard CIP–010–2 to transient devices at Low Impact BES Cyber Systems, however, is not clear from the information in the record. Nor is it clear what information and analysis led NERC to conclude that the application of the transient device requirements to Low Impact BES Cyber Systems ‘‘was unnecessary.’’ 60 Therefore, we direct NERC to provide additional information supporting the proposed limitation in Reliability Standard CIP–010–2 to High and Medium Impact BES Cyber Systems. Depending on the information provided, we may direct NERC to address the potential reliability gap by developing a solution, which could include modifying the applicability section of CIP–010–2, Requirement R4 to include Low Impact BES Cyber Systems, that effectively addresses, and is appropriately tailored to address, the risks posed by transient devices to Low Impact BES Cyber Systems. 59 NERC at 37. at 38. VerDate Sep<11>2014 Petition at 34–35. 60 Id. 15:08 Jul 21, 2015 Jkt 235001 PO 00000 Frm 00023 Fmt 4702 Sfmt 4702 D. Protection of Bulk Electric System Communication Networks Order No. 791 44. In Order No. 791, the Commission approved a revised definition of the NERC Glossary term Cyber Asset, including the removal of the phrase ‘‘communication networks.’’ In reaching its decision, the Commission recognized that maintaining the phrase ‘‘communication networks’’ in the definition of ‘‘cyber asset’’ could cause confusion and potentially complicate implementation of the CIP version 5 Standards ‘‘as many communication network components, such as cabling, cannot strictly comply with the CIP Reliability Standards.’’ 61 45. However, while the Commission approved the revised Cyber Asset definition, the Commission also directed NERC to create a definition of communication networks. Specifically, the Commission stated that ‘‘[t]he definition of communication networks should define what equipment and components should be protected, in light of the statutory inclusion of communication networks for the reliable operation of the Bulk-Power System.’’ 62 46. The Commission also directed NERC to develop new or modified Reliability Standards to address the reliability gap resulting from the removal of the phrase ‘‘communication networks’’ from the Cyber Asset definition. Specifically, the Commission found that a gap in protection may exist since the CIP version 5 Standards ‘‘do not address security controls needed to protect the nonprogrammable components of communication networks.’’ 63 The Commission explained that the new or modified Reliability Standards should require appropriate and reasonable controls to protect the non-programmable aspects of communication networks.64 The Commission provided examples of other relevant information security standards that address the protection of the nonprogrammable aspects of communication networks by requiring, among other things, locked wiring closets, disconnected or locked spare jacks, protection of cabling by conduit or cable trays, or generally emphasizing the protection of communication network cabling from interception or damage.65 61 Order No. 791, 145 FERC ¶ 61,160 at P 148. P 150. 63 Id. P 149. 64 Id. P 150. 65 Id. P 149 (referencing NIST SP 800–53 Revision 3, security control family Physical and 62 Id. E:\FR\FM\22JYP1.SGM 22JYP1 Federal Register / Vol. 80, No. 140 / Wednesday, July 22, 2015 / Proposed Rules Lhorne on DSK7TPTVN1PROD with PROPOSALS NERC Petition 47. In its petition, NERC states that the standard drafting team concluded that it did not need to create a new definition for communication networks to address the Commission’s concerns. NERC explains that the term communication network ‘‘is generally understood to encompass both programmable and nonprogrammable components (i.e., a communication network includes computer peripherals, terminals, and databases as well as communication mediums such as wires).’’ 66 Therefore, NERC concludes that any proposed definition of communication network ‘‘would need to be sufficiently broad to encompass all components in a communication network as they exist now and in the future.’’ 67 NERC explains that, based on that conclusion, the standard drafting team identified the types of equipment and components that responsible entities must protect, and developed reasonable controls to secure those components based on the risk they pose to the bulk electric system, rather than develop a specific definition. 48. NERC states that the revised CIP Reliability Standards, as proposed, address the ultimate security objective of protecting both the programmable and nonprogrammable components of communication networks.68 NERC explains that the proposed standards include protections for cables and other nonprogrammable components of communication networks through proposed Reliability Standard CIP–006– 6, Requirement R1, Part 1.10, which augments the existing protections for programmable communication components by requiring entities to implement various security controls to restrict and manage physical access to Physical Security Perimeters.69 NERC further states that the standard drafting team focused on nonprogrammable communication components at control centers with High or Medium Impact BES Cyber Systems because those locations present a heightened risk to the Bulk-Power System, warranting the increased protections.70 49. NERC explains that proposed Reliability Standard CIP–006–6, Environmental Protection, Annex 2, page 54; BSI ISO/IEC (2005). Information technology—Security techniques—Information security management systems—Requirements (ISO/IEC 27001:2005).British Standards Institute). 66 NERC Petition at 52 (citing North American Electric Reliability Corp., 142 FERC ¶ 61,203, at PP 13–14 (2013)). 67 Id. at 52. 68 Id. 69 Id. at 52–53. 70 Id. at 48. VerDate Sep<11>2014 15:08 Jul 21, 2015 Jkt 235001 Requirement R1, Part 1.10 provides that, for High and Medium Impact BES Cyber Systems and their associated Protected Cyber Assets, responsible entities must restrict physical access to cabling and other nonprogrammable communication components used for connection between covered Cyber Assets within the same Electronic Security Perimeter in those instances when such cabling and components are located outside of a Physical Security Perimeter. NERC explains further that, where physical access restrictions to such cabling and components are not feasible, Part 1.10 provides that the responsible entity must document and implement encryption of data transmitted over such cabling and components and/or monitor the status of the communication link composed of such cabling and components. Further, pursuant to Part 1.10, a responsible entity must issue an alarm or alert in response to detected communication failures to the personnel identified in the BES Cyber Security Incident response plan within 15 minutes of detection, or implement an equally effective logical protection.71 50. NERC states that proposed Reliability Standard CIP–006–6 provides flexibility for responsible entities to implement the physical security measures that best suit their needs and to account for configurations where logical measures are necessary because the entity cannot implement physical access restrictions effectively. Responsible entities have the discretion as to the type of physical or logical protections to implement pursuant to Part 1.10, provided that the protections are designed to meet the overall security objective. According to NERC, the protections required by Part 1.10 will reduce the possibility of tampering and the likelihood that ‘‘man-in-the-middle’’ attacks could compromise the integrity of BES Cyber Systems or Protected Cyber Assets at control centers with High or Medium Impact BES Cyber Systems.72 51. NERC explains that proposed Part 1.10 applies only to nonprogrammable components outside of a Physical Security Perimeter because nonprogrammable components located within a Physical Security Perimeter are already subject to physical security protections by virtue of their location. NERC further states that Part 1.10 only applies to nonprogrammable components used for connection between applicable Cyber Assets within the same Electronic Security Perimeter because Reliability Standard CIP–005–5 PO 00000 71 Id. 72 Id. at 48–49. at 49–50. Frm 00024 Fmt 4702 Sfmt 4702 43361 already requires logical protections for communications between discrete Electronic Security Perimeters.73 52. In addition, NERC asserts that the proposed Reliability Standards will strengthen the defense-in-depth approach by further minimizing the ‘‘attack surface’’ of BES Cyber Systems. NERC also clarifies that the standard drafting team limited the applicability in this manner to clarify that responsible entities are not responsible for protecting nonprogrammable communication components outside of the responsible entity’s control (i.e., components of a telecommunication carrier’s network).74 Discussion 53. We believe that NERC’s proposed alternative approach to addressing the Commission’s Order No. 791 directive regarding the definition of communication networks adequately addresses part of the underlying concerns set forth in Order No. 791. Proposed Reliability Standard CIP–006– 6, Requirement R1.10 specifies the types of assets subject to mandatory protection by using the existing definitions of Electronic Security Perimeter 75 and Physical Security Perimeter.76 Proposed Reliability Standard CIP–006–6 addresses protection for non-programmable components of communication networks, such as network cabling and switches, that are located within the same Electronic Security Perimeter, but span separate Physical Security Perimeters. Specifically, proposed Reliability Standard CIP–006–6 requires responsible entities to restrict physical access to cabling and other nonprogrammable communication components between BES Cyber Assets within the same Electronic Security Perimeter in those instances when such cabling and components are located outside of a Physical Security Perimeter. Where physical access restrictions to such cabling and components is not feasible, Part 1.10 provides that responsible entities must document and implement encryption of data transmitted over such cabling and components, monitor the status of the 73 Id. at 49. at 51. 75 Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled. See NERC Glossary at 33. 76 Physical Security Perimeter: The physical, completely enclosed (‘‘six-wall’’) border surrounding computer rooms, telecommunications rooms, operations centers, and other locations in which Critical Cyber Assets are housed and for which access is controlled. See NERC Glossary at 60. 74 Id. E:\FR\FM\22JYP1.SGM 22JYP1 Lhorne on DSK7TPTVN1PROD with PROPOSALS 43362 Federal Register / Vol. 80, No. 140 / Wednesday, July 22, 2015 / Proposed Rules communication link composed of such cabling and components, or implement an equally effective logical protection. 54. We propose to accept NERC’s proposed omission of a definition of communication networks based on NERC’s explanation that responsible entities must develop controls to secure the non-programmable components of communication networks based on the risk they pose to the bulk electric system, rather than develop a specific definition of communication networks to identify assets for protection. NERC’s proposal is an equally efficient and effective solution to the Commission’s directive in Order No. 791 that NERC develop a definition of communication networks, subject to the proposed modification discussed below. 55. NERC’s proposed solution for the protection of nonprogrammable components of communication networks, however, does not fully meet the intent of the Commission’s Order No. 791 directive, resulting in a gap in security for bulk electric system communication systems. While the technical substance of CIP–006–6, Requirement R1, Part 1.10 appears to be adequate, we are concerned that the limited applicability of the provision results in limited protection for the nonprogrammable components of the communication systems at issue. Specifically, proposed CIP–006–6, Requirement R1, Part 1.10 would only apply to nonprogrammable components of communication networks within the same Electronic Security Perimeter, excluding from protection other programmable and non-programmable communication network components that may exist outside of a discrete Electronic Security Perimeter. 56. While NERC asserts that this limitation is justified by the controls required under Reliability Standard CIP–005–5, NERC’s position does not appear to consider that the controls set forth in Reliability Standard CIP–005–5 are limited to interactive remote access into an Electronic Security Perimeter, and can only be applied on programmable electronic devices and data that exists within an Electronic Security Perimeter.77 This limitation would exclude communication network components that may be necessary to facilitate the automated transmission of reliability data between bulk electric system Control Centers in discrete Electronic Security Perimeters and would also exclude real time monitoring data that is used by Reliability Coordinators to monitor and assess the operation of their control areas. In other words, revised Reliability Standard CIP– 006–6, Requirement R1 provides mandatory protection against: (1) Physical attacks on nonprogrammable equipment; (2) man-in-the-middle attacks; and (3) session hijacking attacks within the confines of a bulk electric system Control Center, but does not extend protections to real-time data passing between Control Centers outside of a facility. 57. Comments from participants at the April 29, 2014 Technical Conference suggest that the Commission should take action to ensure the confidentiality, integrity, and availability of sensitive bulk electric system data when it is in motion both inside and outside of an Electronic Security Perimeter.78 We understand that inter-Control Center communications play a vital role in maintaining bulk electric system reliability and, as a result, we believe that the communication links and data used to control and monitor the bulk electric system should receive protection under the CIP Reliability Standards. 58. We also recognize that third party communication infrastructure (e.g., facilities owned by a telecommunications company) cannot necessarily be physically protected by responsible entities. This fact, however, does not alleviate the need to protect reliability data that traverses third party communication infrastructure. Proposed Reliability Standard CIP–006–6, Requirement R1, Part 1.10 mandates that logical controls, such as encryption and connection link monitoring, be applied to cabling and components that cannot be physically restricted by the responsible entity. However, similar protections are not afforded to communications and data leaving bulk electric system Control Centers where they may be intercepted and altered while traversing communication networks. 59. Therefore, pursuant to section 215(d)(5) of the FPA, we propose to direct NERC to develop a modification to proposed Reliability Standard CIP– 006–6 to require responsible entities to implement controls to protect, at a minimum, all communication links and sensitive bulk electric system data communicated between all bulk electric system Control Centers. This includes communication between two (or more) Control Centers, but not between a Control Center and non-Control Center facilities such as substations. Also, if latency concerns mitigate against use of 77 See Reliability Standard CIP–005–5 (Electronic Security Perimeters), Requirement R2. 78 See Transcript at pp. 19, 24, 74–75 (Kevin Perry speaking), 79 (Mikhail Falkovich speaking). VerDate Sep<11>2014 15:08 Jul 21, 2015 Jkt 235001 PO 00000 Frm 00025 Fmt 4702 Sfmt 4702 encryption as a logical control for any inter-Control Center communications, our understanding is that other logical protections are available, and we seek comment on this point. 60. Further, as discussed at the April 29, 2014 technical conference, panelists identified suggestions that could be explored to enhance protections for remote access, including the addition of logical or physical controls to provide additional network segmentation behind the intermediate systems. For example, the Commission is interested in comments that address the value achieved if the CIP standards were to require the incorporation of additional network segmentation controls, connection monitoring, and session termination controls behind responsible entity intermediate systems. We seek comment on whether these or other steps to improve remote access protection are needed, and whether the adoption of any additional security controls addressing this topic would provide substantial reliability and security benefits. E. Risks Posed by Lack of Controls for Supply Chain Management 61. The information and communications technology and industrial control system supply chains provide hardware, software and operations support for computer networks. Such supply chains are complex, globally distributed and interconnected systems that have geographically diverse routes and consist of multiple tiers of outsourcing. The supply chain includes public and private sector entities that depend on each other to develop, integrate, and use information and communications technology and industrial control system supply chain products and services. Thus, the supply chain provides the opportunity for significant benefits to customers, including low cost, interoperability, rapid innovation, a variety of product features and choice. 62. However, the global supply chain also enables opportunities for adversaries to directly or indirectly affect the management or operations of companies that may result in risks to the end user. Supply chain risks may include the insertion of counterfeits, unauthorized production, tampering, theft, or insertion of malicious software, as well as poor manufacturing and development practices. To address these risks, NIST developed SP 800–161 79 to 79 NIST SP 800–161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations (April 2015), available at: http://nvlpubs.nist.gov/nistpubs/ SpecialPublications/NIST.SP.800-161.pdf. E:\FR\FM\22JYP1.SGM 22JYP1 Federal Register / Vol. 80, No. 140 / Wednesday, July 22, 2015 / Proposed Rules Lhorne on DSK7TPTVN1PROD with PROPOSALS provide guidance and controls that can be used to comply with Federal Information Processing Standard 199 Standards for Security Categorization of Federal Information and Information Systems for Federal Government Information Systems.80 Similarly, the Department of Energy has developed guidance on cybersecurity procurement language for energy delivery systems.81 63. While the Commission did not address supply chain management in Order No. 791, changes in the bulk electric system cyber threat landscape identified through recent malware campaigns targeting supply chain vendors have highlighted a gap in the protections under the CIP Standards. Specifically, in 2014, after Order No. 791 was issued, the Industry Control System—Computer Emergency Readiness Team (ICS–CERT) reported on two focused malware campaigns.82 This new type of malware campaign is based on the injection of malware while a product or service remains in the control of the hardware or software vendor, prior to delivery to the customer. 64. We believe that it is reasonable to direct NERC to develop a new or modified Reliability Standard to provide security controls for supply chain management for industrial control system hardware, software, and computing and networking services associated with bulk electric system operations. The reliability goal should be to create a forward-looking, objectivedriven standard that encompasses activities in the system development life cycle: from research and development, design and manufacturing stages (where applicable), to acquisition, delivery, integration, operations, retirement, and eventual disposal of the Registered Entity’s information and communications technology and industrial control system supply chain equipment and services. The standard should support and ensure security, integrity, quality, and resilience of the 80 Federal Information Processing Standard Publication, Standards for Security Categorization of Federal Information and Information Systems, available at: http://csrc.nist.gov/publications/fips/ fips199/FIPS-PUB-199-final.pdf. 81 Cybersecurity Procurement Language for Energy Delivery Systems, April 2014 at page 1. http://www.energy.gov/sites/prod/files/2014/04/f15/ CybersecProcurementLanguageEnergyDeliverySystems_040714_fin.pdf. 82 ICS–CERT is a division of the Department of Homeland Security that works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community. See https://ics-cert.uscert.gov/alerts/ICS-ALERT-14-176-02A; and https:// ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B for ‘‘alert’’ information on supply chain malware campaigns. VerDate Sep<11>2014 15:08 Jul 21, 2015 Jkt 235001 supply chain and the future acquisition of products and services. 65. Since security controls for supply chain management will likely vary greatly with each responsible entity due to variations in individual business practices, the right set of supply chain management security controls should accommodate for, among other things, an entity’s: (1) Procurement process; (2) vendor relations; (3) system requirements; (4) information technology implementation; and (5) privileged commercial or financial information. The following Supply Chain Risk Management controls from NIST SP 800–161 may be instructional in the development of any new reliability standard to address this security topic: 83 (1) Access Control Policy and Procedures; (2) Security Assessment Authorization; (3) Configuration Management; (4) Identification and Authentication; (5) System Maintenance Policy and Procedures; (6) Personnel Security Policy and Procedures; (7) System and Services Acquisition; (8) Supply Chain Protection; and (9) Component Authenticity.84 66. Therefore, pursuant to section 215(d)(5) of the FPA, we propose to direct NERC to develop a new reliability standard or modified reliability standard to provide security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations. In addition to the parameters discussed above, due to the broadness of the topic and the individualized nature of many aspects of supply chain management, we anticipate that a Reliability Standard pertaining to supply chain management security would: • Respect section 215 jurisdiction by only addressing the obligations of registered entities. A reliability standard should not directly impose obligations on suppliers, vendors or other entities that provide products or services to registered entities. • Be forward-looking in the sense that the reliability standard should not dictate the abrogation or re-negotiation of currently-effective contracts with vendors, suppliers or other entities. • Recognize the individualized nature of many aspects of supply chain management by setting goals (the ‘‘what’’), while allowing flexibility in how a registered entity subject to the 83 The listed controls do not reflect a comprehensive scope of the proposed standard. 84 See NIST SP 800–161. PO 00000 Frm 00026 Fmt 4702 Sfmt 4702 43363 standard achieves that goal (the ‘‘how’’).85 • Given the types of specialty products involved and diversity of acquisition processes, the standard may need to allow exceptions, e.g., to meet safety requirements and fill operational gaps if no secure products are available. • Provide enough specificity so that compliance obligations are clear and enforceable. In particular, we anticipate that a reliability standard that simply requires a registered entity to ‘‘have a plan’’ addressing supply chain management would not suffice. Rather, to adequately address our concerns, we believe that a reliability standard should identify specific controls. As discussed above, NIST SP 800–161 may be instructional in identifying appropriate controls in the development of an effective supply chain management reliability standard. We recognize that developing a supply chain management standard would likely be a significant undertaking and require extensive engagement with stakeholders to define the scope, content, and timing of the standard. Accordingly, to further that stakeholder engagement, we seek comment on this proposal, including: (1) The general proposal to direct that NERC develop a Reliability Standard to address supply chain management; (2) the anticipated features of, and requirements that should be included in, such a standard; and (3) a reasonable timeframe for development of a standard. We also direct staff, after receipt and consideration of those comments, to engage in additional outreach to further the Commission’s consideration of the need for, and scope, content, and timing of, a supply chain management standard. F. Proposed Definitions 67. The proposed revised CIP Reliability Standards include six new or revised definitions for inclusion in the NERC glossary. NERC’s proposal includes four new definitions and two revised definitions. Specifically, NERC seeks approval for the following terms: (1) BES Cyber Asset; (2) Protected Cyber Asset; (3) Low Impact Electronic Access Point; (4) Low Impact External Routable Connectivity; (5) Removable Media; and (6) Transient Cyber Asset. We propose to approve the proposed definitions for inclusion in the NERC Glossary. We also seek comment on certain aspects of the proposed definition for Low Impact External Routable Connectivity, as discussed below. After receiving 85 See Order No. 672, FERC Stats. & Regs. ¶ 31,204 at P 260. E:\FR\FM\22JYP1.SGM 22JYP1 43364 Federal Register / Vol. 80, No. 140 / Wednesday, July 22, 2015 / Proposed Rules comments, depending on the adequacy of the explanations provided in response to our questions, we may direct NERC to develop modifications to this definition to eliminate ambiguities and assure that the revised CIP Reliability Standards provide adequate protection for the bulk electric system. the proposed CIP Reliability Standards, hindering the adoption of effective security controls for Low Impact BES Cyber Assets. Depending upon the responses received, we may direct NERC to develop a modification to the definition of Low Impact External Routable Connectivity. Definition—Low Impact External Routable Connectivity 68. In its petition, NERC proposes the following definition for Low Impact External Routable Connectivity: G. Implementation Plan 71. NERC’s proposed implementation plan for the proposed Reliability Standards is designed to match the effective dates of the proposed Reliability Standards with the effective dates of the prior versions of the related Reliability Standards under the implementation plan of the CIP version 5 Standards. NERC states that the purpose of this approach is to provide regulatory certainty by limiting the time, if any, that the CIP version 5 Standards with the ‘‘identify, assess, and correct’’ language would be effective. Specifically, pursuant to the CIP version 5 implementation plan, the effective date of each of the CIP version 5 Standards is April 1, 2016, except for the effective date for Requirement R2 of CIP–003–5, which is April 1, 2017. Consistent with those dates, the proposed implementation plan provides that: (1) each of the proposed reliability Standards shall become effective on the later of April 1, 2016 or the first day of the first calendar quarter that is three months after the effective date of the Commission’s order approving the proposed Reliability Standard; and (2) responsible entities will not have to comply with the requirements applicable to Low Impact BES Cyber Systems (CIP–003–6, Requirement R1, Part 1.2 and Requirement R2) until April 1, 2017.89 72. NERC’s proposed implementation plan also includes effective dates for the new and modified definitions associated with: (1) transient devices (i.e., BES Cyber Asset, Protected Cyber Asset, Removable Media, and Transient Cyber Asset); and (2) Low Impact controls (i.e., Low Impact Electronic Access Point and Low Impact External Routable Connectivity). Specifically, NERC proposes: (1) That the definitions associated with transient device become effective on the compliance date for Reliability Standard CIP–010–2, Requirement R4; and (2) that the definitions addressing the Low Impact controls become enforceable on the compliance date for Reliability Standard CIP–003–6, Requirement R2. Lastly, NERC proposes that the retirement of Reliability Standards CIP–003–5, CIP– 004–5.1, CIP–006–5, CIP–007–5, CIP– Lhorne on DSK7TPTVN1PROD with PROPOSALS Direct user-initiated interactive access or a direct device-to-device connection to a low impact BES Cyber System(s) from a Cyber Asset outside the asset containing those low impact BES Cyber System(s) via a bidirectional routable protocol connection. Point-to-point communications between intelligent electronic devices that use routable communication protocols for timesensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems are excluded from this definition (examples of this communication include. but are not limited to, IEC 61850 GOOSE or vendor proprietary protocols).86 69. NERC explains that the proposed definition describes the scenarios where responsible entities are required to apply Low Impact access controls under Reliability Standard CIP–003–6, Requirement R2 to their Low Impact assets. Specifically, if Low Impact External Routable Connectivity is used, a responsible entity must implement a Low Impact Electronic Access Point to permit only necessary inbound and outbound bidirectional routable protocol access.87 70. We seek comment on the following aspects of the proposed definition. First, we seek comment on the purpose of the meaning of the term ‘‘direct’’ in relation to the phrases ‘‘direct user-initiated interactive access’’ and ‘‘direct device-to-device connection’’ within the proposed definition. In addition, we seek comment on the implementation of the ‘‘layer 7 application layer break’’ contained in certain reference diagrams in the Guidelines and Technical Basis section of proposed Reliability Standard CIP–003–6.88 It appears that guidance provided in the Guidelines and Technical Basis section of the proposed standard may conflict with the plain reading of the term ‘‘direct.’’ We are concerned that a conflict in the reading of the term ‘‘direct’’ could lead to complications in the implementation of 86 NERC Petition at 28. at 29. 88 See CIP–003–6 Guidelines and Technical Basis Section, Reference Model 6 at p. 39. 87 Id. VerDate Sep<11>2014 15:08 Jul 21, 2015 Jkt 235001 PO 00000 89 Id. at 53–54. Frm 00027 Fmt 4702 Sfmt 4702 009–5, CIP–010–1 and CIP–011–1 become effective on the effective date of the proposed Reliability Standards.90 73. We propose to approve NERC’s implementation plan for the proposed CIP Reliability Standards, as described above. H. Violation Risk Factor/Violation Severity Level Assignments 74. NERC requests approval of the violation risk factors and violation severity levels assigned to the proposed Reliability Standards. Specifically, NERC requests approval of 19 violation risk factor and violation severity level assignments associated with the proposed Reliability Standards.91 We propose to accept these violation risk factors and violation severity levels. III. Information Collection Statement 75. The FERC–725B information collection requirements contained in this Proposed Rule are subject to review by the Office of Management and Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 1995.92 OMB’s regulations require approval of certain information collection requirements imposed by agency rules.93 Upon approval of a collection of information, OMB will assign an OMB control number and expiration date. Respondents subject to the filing requirements of this rule will not be penalized for failing to respond to these collections of information unless the collections of information display a valid OMB control number. The Commission solicits comments on the Commission’s need for this information, whether the information will have practical utility, the accuracy of the burden estimates, ways to enhance the quality, utility, and clarity of the information to be collected or retained, and any suggested methods for minimizing respondents’ burden, including the use of automated information techniques. 76. The Commission based its paperwork burden estimates on the changes in paperwork burden presented by the proposed CIP Reliability Standards as compared to the CIP version 5 Standards. The Commission has already addressed the burden of implementing the CIP version 5 Standards.94 As discussed above, the immediate rulemaking addresses four areas of modification to the CIP standards: (1) Removal of the ‘‘identify. 90 Id. at 56. Exhibit E. 92 44 U.S.C. 3507(d). 93 5 CFR 1320.11 (2012). 94 See Order No. 791, 145 FERC ¶ 61,160 at PP 226–244. 91 Id., E:\FR\FM\22JYP1.SGM 22JYP1 Federal Register / Vol. 80, No. 140 / Wednesday, July 22, 2015 / Proposed Rules assess, and correct’’ language from 17 CIP requirements; (2) development of enhanced security controls for low impact assets; (3) development of controls to protect transient devices (e.g. thumb drives and laptop computers); and (4) protection of communications networks. We do not anticipate that the removal of the ‘‘identify, assess and correct’’ language will impact the reporting burden, as the substantive compliance requirements would remain the same, while NERC indicates that the concept behind the deleted language continues to be implemented within NERC’s compliance function. The development of controls to protect transient devices and protection of communication networks (as proposed by NERC) have associated reporting burdens that will affect a limited number of entities, i.e., those with Medium and High Impact BES Cyber Systems. The enhanced security controls for Low Impact assets are likely to impose a reporting burden on a much larger group of entities. 77. The NERC Compliance Registry, as of June 2015, identifies approximately 1,435 U.S. entities that Number of entities Registered entities 43365 are subject to mandatory compliance with Reliability Standards. Of this total, we estimate that 1,363 entities will face an increased paperwork burden under the proposed CIP Reliability Standards, and we estimate that a majority of these entities will have one or more Low Impact assets. In addition, we estimate that approximately 23 percent of the entities have assets that will be subject to Reliability Standards CIP–006–6 and CIP–010–2. Based on these assumptions, we estimate the following reporting burden: Total burden hours in year 1 Total burden hours in year 2 Total burden hours in year 3 Entities subject to CIP–006–6 and CIP–010–2 with Medium and/or High Impact Assets ................................................................................................... 313 75,120 130,208 130,208 Totals ........................................................................................................ 313 75,120 130,208 130,208 78. The following shows the annual cost burden for each group, based on the burden hours in the table above: • Year 1: Entities subject to CIP–006– 6 and CIP–010–2 with Medium and/or High Impact Assets: 313 × 240 hours/ entity * $76/hour = $5,709,120. • Years 2 and 3: 313 entities × 416 hours/entity * $76/hour = $9,895,808 per year. • The paperwork burden estimate includes costs associated with the initial development of a policy to address requirements relating to transient devices, as well as the ongoing data Number of entities Registered entities collection burden. Further, the estimate reflects the assumption that costs incurred in year 1 will pertain to policy development, while costs in years 2 and 3 will reflect the burden associated with maintaining logs and other records to demonstrate ongoing compliance. Total burden hours in year 1 Total burden hours in year 2 Total burden hours in year 3 1,363 163,560 283,504 283,504 Totals ........................................................................................................ Lhorne on DSK7TPTVN1PROD with PROPOSALS Entities subject to CIP–003–6 with low impact Assets ................................... 1,363 163,560 283,504 283,504 79. The following shows the annual cost burden for each group, based on the burden hours in the table above: • Year 1: Entities subject to CIP–003– 6 with Low Impact Assets: 1,363 × 120 hours/entity * $76/hour = $12,430,560. • Years 2 and 3: 1,363 entities × 208 hours/entity * $76/hour = $21,546,304 per year. • The paperwork burden estimate includes costs associated with the modification of existing policies to address requirements relating to low impact assets, as well as the ongoing data collection burden, as set forth in CIP–003–6, Requirements R1.2 and R2, and Attachment 1. Further, the estimate reflects the assumption that costs incurred in year 1 will pertain to revising existing policies, while costs in years 2 and 3 will reflect the burden associated with maintaining logs and other records to demonstrate ongoing compliance. 80. The estimated hourly rate of $76 is the average loaded cost (wage plus VerDate Sep<11>2014 15:08 Jul 21, 2015 Jkt 235001 benefits) of legal services ($129.68 per hour), technical employees ($58.17 per hour) and administrative support ($39.12 per hour), based on hourly rates and average benefits data from the Bureau of Labor Statistics.95 81. Title: Mandatory Reliability Standards, Revised Critical Infrastructure Protection Standards. Action: Proposed Collection FERC– 725B. OMB Control No.: 1902–0248. Respondents: Businesses or other forprofit institutions; not-for-profit institutions. Frequency of Responses: On Occasion. Necessity of the Information: This proposed rule proposes to approve the requested modifications to Reliability Standards pertaining to critical infrastructure protection. As discussed above, the Commission proposes to 95 See http://bls.gov/oes/current/naics2_22.htm and http://www.bls.gov/news.release/ecec.nr0.htm. Hourly figures as of June 1, 2015. PO 00000 Frm 00028 Fmt 4702 Sfmt 4702 approve NERC’s proposed revised CIP Reliability Standards pursuant to section 215(d)(2) of the FPA because they improve the currently-effective suite of cyber security CIP Reliability Standards. Internal Review: The Commission has reviewed the proposed Reliability Standards and made a determination that its action is necessary to implement section 215 of the FPA. 82. Interested persons may obtain information on the reporting requirements by contacting the following: Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426 [Attention: Ellen Brown, Office of the Executive Director, email: DataClearance@ferc.gov, phone: (202) 502–8663, fax: (202) 273–0873]. 83. For submitting comments concerning the collection(s) of information and the associated burden estimate(s), please send your comments to the Commission, and to the Office of Management and Budget, Office of E:\FR\FM\22JYP1.SGM 22JYP1 43366 Federal Register / Vol. 80, No. 140 / Wednesday, July 22, 2015 / Proposed Rules Information and Regulatory Affairs, Washington, DC 20503 [Attention: Desk Officer for the Federal Energy Regulatory Commission, phone: (202) 395–4638, fax: (202) 395–7285]. For security reasons, comments to OMB should be submitted by email to: oira_ submission@omb.eop.gov. Comments submitted to OMB should include Docket Number RM15–14–000 and OMB Control Number 1902–0248. IV. Regulatory Flexibility Act Analysis 84. The Regulatory Flexibility Act of 1980 (RFA) generally requires a description and analysis of Proposed Rules that will have significant economic impact on a substantial number of small entities.96 The Small Business Administration’s (SBA) Office of Size Standards develops the numerical definition of a small business.97 The SBA revised its size standard for electric utilities (effective January 22, 2014) to a standard based on the number of employees, including affiliates (from the prior standard based on megawatt hour sales).98 Proposed Reliability Standards CIP–003–6, CIP– 004–6, CIP–006–6, CIP–007–6, CIP– 009–6, CIP–010–2, and CIP–011–2 are expected to impose an additional burden on 1,363 entities 99 (reliability coordinators, generator operators, generator owners, interchange coordinators or authorities, transmission operators, balancing authorities, transmission owners, and certain distribution providers). 85. Of the 1,363 affected entities discussed above, we estimate that 444 entities are small entities. We estimate that 399 of these 444 small entities do not own BES Cyber Assets or BES Cyber Systems that are classified as Medium or High Impact and, therefore, will only be affected by the proposed modifications to Reliability Standard CIP–003–6. As discussed above, proposed Reliability Standard CIP–003– 6 enhances reliability by providing criteria against which NERC and the Commission can evaluate the sufficiency of an entity’s protections for Low Impact BES Cyber Assets. We estimate that each of the 399 small entities to whom the proposed modifications to Reliability Standard CIP–003–6 applies will incur one-time Lhorne on DSK7TPTVN1PROD with PROPOSALS 96 5 U.S.C. 601–12. CFR 121.101 (2013). 98 SBA Final Rule on ‘‘Small Business Size Standards: Utilities,’’ 78 FR 77343 (Dec. 23, 2013). 99 Public utilities may fall under one of several different categories, each with a size threshold based on the company’s number of employees, including affiliates, the parent company, and subsidiaries. For the analysis in this NOPR, we are using a 500 employee threshold for each affected entity to conduct a comprehensive analysis. 97 13 VerDate Sep<11>2014 15:08 Jul 21, 2015 Jkt 235001 costs of approximately $149,358 per entity to implement this standard, as well as the ongoing paperwork burden reflected in the Information Collection Statement (approximately $15,000 per year per entity). We do not consider the estimated costs for these 399 small entities a significant economic impact. 86. In addition, we estimate that 14 small entities own Medium Impact substations and that 31 small transmission operators own Medium or High impact control centers. These 45 small entities represent 10.1 percent of the 444 affected small entities. We estimate that each of these 45 small entities may experience an economic impact of $50,000 per entity in the first year of initial implementation to meet proposed Reliability Standard CIP–010– 2 and $30,000 in ongoing annual costs,100 for a total of $110,000 per entity over the first three years. Therefore, we estimate that each of these 45 small entities will incur a total of $258,654 in costs over the first three years. We conclude that 10.1 percent of the total 444 affected small entities does not represent a substantial number in terms of the total number of regulated small entities. 87. Based on the above analysis, we propose to certify that the proposed Reliability Standards will not have a significant economic impact on a substantial number of small entities. V. Environmental Analysis 88. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment.101 The Commission has categorically excluded certain actions from this requirement as not having a significant effect on the human environment. Included in the exclusion are rules that are clarifying, corrective, or procedural or that do not substantially change the effect of the regulations being amended.102 The actions proposed herein fall within this categorical exclusion in the Commission’s regulations. VI. Comment Procedures 89. The Commission invites interested persons to submit comments on the matters and issues proposed in this notice to be adopted, including any related matters or alternative proposals that commenters may wish to discuss. Comments are due September 21, 2015. annual cost for year 2 and forward. Implementing the National Environmental Policy Act of 1969, Order No. 486, FERC Stats. & Regs. ¶ 30,783 (1987). 102 18 CFR 380.4(a)(2)(ii). PO 00000 100 Estimated 101 Regulations Frm 00029 Fmt 4702 Sfmt 4702 Comments must refer to Docket No. RM15–14–000, and must include the commenter’s name, the organization they represent, if applicable, and address. 90. The Commission encourages comments to be filed electronically via the eFiling link on the Commission’s Web site at http://www.ferc.gov. The Commission accepts most standard word processing formats. Documents created electronically using word processing software should be filed in native applications or print-to-PDF format and not in a scanned format. Commenters filing electronically do not need to make a paper filing. 91. Commenters that are not able to file comments electronically must send an original of their comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE., Washington, DC 20426. 92. All comments will be placed in the Commission’s public files and may be viewed, printed, or downloaded remotely as described in the Document Availability section below. Commenters on this proposal are not required to serve copies of their comments on other commenters. VII. Document Availability 93. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the Internet through the Commission’s Home Page (http:// www.ferc.gov) and in the Commission’s Public Reference Room during normal business hours (8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE., Room 2A, Washington, DC 20426. 94. From the Commission’s Home Page on the Internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number of this document, excluding the last three digits, in the docket number field. User assistance is available for eLibrary and the Commission’s Web site during normal business hours from the Commission’s Online Support at (202) 502–6652 (toll free at 1–866–208–3676) or email at ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502–8371, TTY (202) 502–8659. Email the Public Reference Room at public.referenceroom@ferc.gov. By direction of the Commission. E:\FR\FM\22JYP1.SGM 22JYP1 Federal Register / Vol. 80, No. 140 / Wednesday, July 22, 2015 / Proposed Rules Issued: July 16, 2015. Nathaniel J. Davis, Sr., Deputy Secretary. [FR Doc. 2015–17920 Filed 7–21–15; 8:45 am] BILLING CODE 6717–01–P DEPARTMENT OF JUSTICE Bureau of Prisons 28 CFR Part 550 [BOP–1168–P] RIN 1120–AB68 Drug Abuse Treatment Program Bureau of Prisons, Justice. Proposed rule. AGENCY: ACTION: In this document, the Bureau of Prisons (Bureau) proposes revisions to the Residential Drug Abuse Treatment Program (RDAP) regulations to allow greater inmate participation in the program and positively impact recidivism rates. DATES: Comments are due by September 21, 2015. ADDRESSES: The public is encouraged to submit comments on this proposed rule using the www.regulations.gov comment form. Written comments may also be submitted to the Rules Unit, Office of General Counsel, Bureau of Prisons, 320 First Street NW., Washington, DC 20534. You may view an electronic version of this regulation at www.regulations.gov. When submitting comments electronically you must include the BOP Docket Number in the subject box. FOR FURTHER INFORMATION CONTACT: Sarah Qureshi, Office of General Counsel, Bureau of Prisons, phone (202) 307–2105. SUPPLEMENTARY INFORMATION: SUMMARY: Lhorne on DSK7TPTVN1PROD with PROPOSALS Posting of Public Comments Please note that all comments received are considered part of the public record and made available for public inspection online at www.regulations.gov. Such information includes personal identifying information (such as your name, address, etc.) voluntarily submitted by the commenter. If you want to submit personal identifying information (such as your name, address, etc.) as part of your comment, but do not want it to be posted online, you must include the phrase ‘‘PERSONAL IDENTIFYING INFORMATION’’ in the first paragraph of your comment. You must also locate all the personal identifying information VerDate Sep<11>2014 15:08 Jul 21, 2015 Jkt 235001 you do not want posted online in the first paragraph of your comment and identify what information you want redacted. If you want to submit confidential business information as part of your comment but do not want it to be posted online, you must include the phrase ‘‘CONFIDENTIAL BUSINESS INFORMATION’’ in the first paragraph of your comment. You must also prominently identify confidential business information to be redacted within the comment. If a comment has so much confidential business information that it cannot be effectively redacted, all or part of that comment may not be posted on www.regulations.gov. Personal identifying information identified and located as set forth above will be placed in the agency’s public docket file, but not posted online. Confidential business information identified and located as set forth above will not be placed in the public docket file. If you wish to inspect the agency’s public docket file in person by appointment, please see the FOR FURTHER INFORMATION CONTACT paragraph. Discussion In this document, the Bureau proposes revisions to the Residential Drug Abuse Treatment Program (RDAP) regulations in four areas to allow greater inmate participation in the program and positively impact recidivism rates. Specifically, the Bureau proposes to (1) remove the regulatory requirement for RDAP written testing because it is more appropriate to assess an inmate’s progress through clinical evaluation of behavior change (the written test is no longer used in practice); (2) remove existing regulatory provisions which automatically expel inmates who have committed certain acts (e.g., abuse of drugs or alcohol, violence, attempted escape); (3) limit the time frame for review of prior offenses for early release eligibility purposes to ten years before the date of federal imprisonment; and (4) lessen restrictions relating to early release eligibility. Community Treatment Services. Currently, the Bureau’s regulations contain the term ‘‘Transitional drug abuse treatment (TDAT)’’ in 28 CFR 550.53(a)(3) and in the title and paragraphs (a) and (b) of § 550.56. We propose to replace this phrase because the name of this program has been changed to ‘‘Community Treatment Services (CTS).’’ This is a minor change to more accurately reflect the nature of the treatment program. PO 00000 Frm 00030 Fmt 4702 Sfmt 4702 43367 § 550.50 Purpose and scope. We propose changes to this regulation to more accurately describe the purpose of the subpart and to reflect the source of drug treatment services within the Bureau of Prisons. The current regulation states that Bureau facilities have drug abuse treatment specialists who are supervised by a Coordinator and that facilities with residential drug abuse treatment programs (RDAP) should have additional specialists for treatment in the RDAP unit. This is inaccurate. We propose to change the regulation to explain that the Bureau’s drug abuse treatment programs, which include drug abuse education, RDAP and non-residential drug abuse treatment services, are provided by the Psychology Services Department. We likewise propose to make a minor corresponding change in § 550.53(a)(1), which also refers inaccurately to the Drug Abuse Program Coordinator, when instead the course of activities referenced in that regulation is provided by the Psychology Services Department. § 550.53 Residential Drug Abuse Treatment Program (RDAP)(f)(2). The Bureau proposes to remove subparagraph (f)(2) of § 550.53, which requires inmates to pass RDAP testing procedures and refers to an RDAP exam. The RDAP program no longer includes written testing as a requirement for completion of the program. Instead, RDAP uses clinical observation and clinical evaluation of inmate behavior change to assess readiness for completion. Therefore, the current language is inaccurate and imposes a requirement upon inmates that no longer exists. In 2010, the Bureau converted the Residential Drug Abuse Treatment Programs to the Modified Therapeutic Community Model of treatment (MTC). This evidenced-based model is designed to assess progress through treatment as determined by the participants’ completion of treatment goals and activities on their individualized treatment plan, and demonstrated behavior change. Each participant jointly works with their treatment specialist to create the content of their treatment plan. Every three months, or more often if necessary, each participant meets with their clinical team (four or more treatment staff) to review their progress in treatment. Progress in treatment is determined through assessing the accomplishment of their treatment goals and activities, along with demonstrated behavior change, such as improved personal and social conduct, no disciplinary incidents, etc. Unsatisfactory progress is evident when the participant does not accomplish E:\FR\FM\22JYP1.SGM 22JYP1

Agencies

[Federal Register Volume 80, Number 140 (Wednesday, July 22, 2015)]
[Proposed Rules]
[Pages 43354-43367]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-17920]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM15-14-000]


Revised Critical Infrastructure Protection Reliability Standards

AGENCY: Federal Energy Regulatory Commission, Energy.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Federal Energy Regulatory Commission (Commission) proposes 
to approve seven critical infrastructure protection (CIP) Reliability 
Standards: CIP-003-6 (Security Management Controls), CIP-004-6 
(Personnel and Training), CIP-006-6 (Physical Security of BES Cyber 
Systems), CIP-007-6 (Systems Security Management), CIP-009-6 (Recovery 
Plans for BES Cyber Systems), CIP-010-2 (Configuration Change 
Management and Vulnerability Assessments), and CIP-011-2 (Information 
Protection). The North American Electric Reliability Corporation (NERC) 
submitted the proposed Reliability Standards in response to the 
Commission's Order No. 791. The proposed Reliability Standards address 
the cyber security of the bulk electric system and improve upon the 
current Commission-approved CIP Reliability Standards. In addition, the 
Commission proposes to direct NERC to develop certain modifications to 
Reliability Standard CIP-006-6 and to develop requirements addressing 
supply chain management.

DATES: Comments are due September 21, 2015.

ADDRESSES: Comments, identified by docket number, may be filed in the 
following ways:
     Electronic Filing through http://www.ferc.gov. Documents 
created electronically using word processing software should be filed 
in native applications or print-to-PDF format and not in a scanned 
format.
     Mail/Hand Delivery: Those unable to file electronically 
may mail or hand-deliver comments to: Federal Energy Regulatory 
Commission, Secretary of the Commission, 888 First Street NE., 
Washington, DC 20426.
    Instructions: For detailed instructions on submitting comments and 
additional information on the rulemaking process, see the Comment 
Procedures Section of this document.

FOR FURTHER INFORMATION CONTACT: 

Daniel Phillips (Technical Information), Office of Electric 
Reliability, Federal Energy Regulatory Commission, 888 First Street 
NE., Washington, DC 20426, (202) 502-6387, daniel.phillips@ferc.gov.
Kevin Ryan (Legal Information), Office of the General Counsel, Federal 
Energy Regulatory Commission, 888 First Street NE., Washington, DC 
20426, (202) 502-6840 kevin.ryan@ferc.gov.

SUPPLEMENTARY INFORMATION: 
    1. Pursuant to section 215 of the Federal Power Act (FPA),\1\ the 
Commission proposes to approve seven critical infrastructure protection 
(CIP) Reliability Standards: CIP-003-6 (Security Management Controls), 
CIP-004-6 (Personnel and Training), CIP-006-6 (Physical Security of BES 
Cyber Systems), CIP-007-6 (Systems Security Management), CIP-009-6 
(Recovery Plans for BES Cyber Systems), CIP-010-2 (Configuration Change 
Management

[[Page 43355]]

and Vulnerability Assessments), and CIP-011-2 (Information Protection). 
The North American Electric Reliability Corporation, the Commission-
certified Electric Reliability Organization (ERO), submitted the 
proposed Reliability Standards in response to Order No. 791.\2\ The 
Commission also proposes to approve NERC's proposed implementation plan 
and violation risk factor and violation severity level assignments. In 
addition, we propose to approve NERC's proposed new or revised 
definitions for inclusion in the NERC Glossary of Terms Used in 
Reliability Standards (NERC Glossary). Further, the Commission proposes 
to approve the retirement of Reliability Standards CIP-003-5, CIP-004-
5.1, CIP-006-5, CIP-007-5, CIP-009-5, CIP-010-1, and CIP-011-1.
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o.
    \2\ Version 5 Critical Infrastructure Protection Reliability 
Standards, Order No. 791, 78 FR 72,755 (Dec. 3, 2013), 145 FERC ] 
61,160 (2013), order on clarification and reh'g, Order No. 791-A, 
146 FERC ] 61,188 (2014).
---------------------------------------------------------------------------

    2. The proposed Reliability Standards are designed to mitigate the 
cybersecurity risks to bulk electric system facilities, systems, and 
equipment, which, if destroyed, degraded, or otherwise rendered 
unavailable as a result of a cybersecurity incident, would affect the 
reliable operation of the Bulk-Power System.\3\ As discussed below, we 
believe that the proposed CIP Reliability Standards are just and 
reasonable and address the directives in Order No. 791 by: (1) 
Eliminating the ``identify, assess, and correct'' language in 17 of the 
CIP version 5 Standard requirements; (2) providing enhanced security 
controls for Low Impact assets; (3) providing controls to address the 
risks posed by transient electronic devices (e.g., thumb drives and 
laptop computers); and (4) addressing in an equally effective and 
efficient manner the need for a NERC Glossary definition for the term 
``communication networks.'' Accordingly, we propose to approve the 
proposed CIP Reliability Standards because they improve the base-line 
cybersecurity posture of applicable entities compared to the current 
Commission-approved CIP Reliability Standards.
---------------------------------------------------------------------------

    \3\ See NERC Petition at 3.
---------------------------------------------------------------------------

    3. In addition, pursuant to FPA section 215(d)(5), the Commission 
proposes to direct NERC to develop certain modifications to Reliability 
Standard CIP-006-6. Specifically, while proposed CIP-006-6 would 
require protections for communication networks among a limited group of 
bulk electric system Control Centers, we propose to direct that NERC 
modify Reliability Standard CIP-006-6 to require protections for 
communication network components and data communicated between all bulk 
electric system Control Centers. In addition, we seek comment on the 
sufficiency of the security controls incorporated in the current CIP 
Reliability Standards regarding remote access used in relation to bulk 
electric system communications. Finally, as discussed in more detail 
below, we propose to direct NERC to develop requirements relating to 
supply chain management for industrial control system hardware, 
software, and services.

I. Background

A. Section 215 and Mandatory Reliability Standards

    4. Section 215 of the FPA requires a Commission-certified ERO to 
develop mandatory and enforceable Reliability Standards, subject to 
Commission review and approval. Reliability Standards may be enforced 
by the ERO, subject to Commission oversight, or by the Commission 
independently.\4\ Pursuant to section 215 of the FPA, the Commission 
established a process to select and certify an ERO,\5\ and subsequently 
certified NERC.\6\
---------------------------------------------------------------------------

    \4\ 16 U.S.C. 824o(e).
    \5\ Rules Concerning Certification of the Electric Reliability 
Organization; and Procedures for the Establishment, Approval, and 
Enforcement of Electric Reliability Standards, Order No. 672, FERC 
Stats. & Regs. ] 31,204, order on reh'g, Order No. 672-A, FERC 
Stats. & Regs. ] 31,212 (2006).
    \6\ North American Electric Reliability Corp., 116 FERC ] 
61,062, order on reh'g and compliance, 117 FERC ] 61,126 (2006), 
aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
---------------------------------------------------------------------------

B. Order No. 791

    5. On November 22, 2013, in Order No. 791, the Commission approved 
the CIP version 5 Standards (Reliability Standards CIP-002-5 through 
CIP- 009-5, and CIP-010-1 and CIP-011-1).\7\ The Commission determined 
that the CIP version 5 Standards represented an improvement over prior 
iterations of the CIP Reliability Standards because, inter alia, they 
included a revised BES Cyber Asset categorization methodology that 
incorporated mandatory protections for all High, Medium, and Low Impact 
BES Cyber Assets, and because several new security controls improved 
the security posture of responsible entities.\8\ In addition, pursuant 
to section 215(d)(5) of the FPA, the Commission directed NERC to: (1) 
Remove the ``identify, assess, and correct'' language in 17 of the CIP 
Standard requirements; (2) develop enhanced security controls for Low 
Impact assets; (3) develop controls to protect transient electronic 
devices (e.g., thumb drives and laptop computers); (4) create a NERC 
Glossary definition for the term ``communication networks,'' and 
develop new or modified Reliability Standards to protect the 
nonprogrammable components of communications networks.
---------------------------------------------------------------------------

    \7\ Order No. 791, 145 FERC ] 61,160 at P 41.
    \8\ Id.
---------------------------------------------------------------------------

    6. In addition, the Commission directed NERC to conduct a survey of 
Cyber Assets that are included or excluded under the new BES Cyber 
Asset definition and submit an informational filing within one year.\9\ 
Finally, the NOPR directed Commission staff to convene a technical 
conference to examine the technical issues concerning communication 
security, remote access, and the National Institute of Standards and 
Technology (NIST) Risk Management Framework.\10\
---------------------------------------------------------------------------

    \9\ Id. PP 76, 108, 136, 150.
    \10\ Id. P 225.
---------------------------------------------------------------------------

C. Informational Filing

    7. On February 3, 2015, NERC submitted an informational filing 
assessing the results of a survey conducted to identify the scope of 
assets subject to the definition of the term BES Cyber Asset as it is 
applied in the CIP version 5 Standards. NERC states that the results of 
the survey indicate that, in general, the application of the BES Cyber 
Asset definition, and the 15 minute parameter in particular, resulted 
in the identification of BES Cyber Assets consistent with the language 
and intent of the CIP version 5 Standards.\11\ NERC maintained that the 
survey results demonstrate that the definition of BES Cyber Asset 
provides a sound basis for identifying the types of Cyber Assets that 
should be subject to the cyber security protections required by the CIP 
Reliability Standards.\12\
---------------------------------------------------------------------------

    \11\ See NERC Informational Filing, Docket No. RM13-5-000, at 3 
(filed Feb. 3, 2015).
    \12\ Id.
---------------------------------------------------------------------------

D. April 29, 2014 Technical Conference

    8. On April 29, 2014, a staff-led technical conference was held 
pursuant to a directive in Order No. 791.\13\ The topics discussed at 
the technical conference included: (1) The adequacy of the approved CIP 
version 5 Standards' protections for Bulk-Power System data being 
transmitted over data networks; (2) whether additional security 
controls are needed to protect Bulk-Power System communications 
networks, including remote systems access; and (3) the functional 
differences between the respective methods utilized for the 
identification,

[[Page 43356]]

categorization, and specification of appropriate levels of protection 
for cyber assets using the CIP version 5 Standards as compared with 
those employed within the NIST Cybersecurity Framework.
---------------------------------------------------------------------------

    \13\ Order No. 791, 145 FERC ] 61,160 at P 225.
---------------------------------------------------------------------------

    9. With respect to the current state of protection for 
communications networks under the CIP version 5 Standards, some 
panelists opined that the CIP version 5 Standards lack controls to: (1) 
Protect communications outside of the Electronic Security Perimeter; 
(2) protect data in motion; (3) authenticate messages and commands to 
BES Cyber Assets; and (4) protect systems or communications using non 
routable protocols. On the subject of the adequacy of protections for 
Bulk-Power System data under the CIP version 5 Standards, several 
panelists stated that stronger measures, such as encryption, would 
enhance the overall protection for Bulk-Power System communications. 
However, other panelists also stated that encryption was not a 
universal solution because it could cause unacceptable latency (i.e., 
time delay in communications) in certain applications.
    10. Regarding the need for additional security controls for Bulk-
Power System communications, panelists identified a number of 
worthwhile steps that could be explored to enhance remote access. 
Suggestions included the adoption of additional physical security 
controls, integrity checks, encryption (in certain cases), out of 
bounds detection for communications links, and coordination with 
vendors to enhance risk management. In addition, certain panelists 
stated their position that the use of intermediate systems, alone, is 
not sufficient to address remote access concerns.\14\ Several panelists 
identified suggestions that could be explored to enhance protections 
for remote access, including the addition of logical or physical 
controls to provide additional network segmentation behind the 
intermediate systems.\15\
---------------------------------------------------------------------------

    \14\ An Intermediate System is defined as ``A Cyber Asset or 
collection of Cyber Assets performing access control to restrict 
Interactive Remote Access to only authorized users. The Intermediate 
System must not be located inside the Electronic Security 
Perimeter.'' NERC Glossary at 46 (April 29, 2015).
    \15\ See Transcript at pp. 176-177 (Kevin Perry speaking), 177-
178 (Richard Kinas speaking), 178 (Dr. Andrew Wright speaking), 179 
(Andrew Ginter speaking).
---------------------------------------------------------------------------

E. NERC Petition

    11. On February 13, 2015, NERC submitted a petition seeking 
approval of Reliability Standards CIP-003-6, CIP-004-6, CIP-006-6, CIP-
007-6, CIP-009-6, CIP-010-2, and CIP-011-2, as well as the proposed 
implementation plan,\16\ associated violation risk factor and violation 
severity level assignments, proposed new or revised definitions,\17\ 
and retirement of Reliability Standards CIP-003-5, CIP-004-5.1, CIP-
006-5, CIP-007-5, CIP-009-5, CIP-010-1, and CIP-011-1.\18\ NERC states 
that the proposed Reliability Standards are just, reasonable, not 
unduly discriminatory or preferential, and in the public interest 
because they satisfy the factors set forth in Order No. 672 that the 
Commission applies when reviewing a proposed Reliability Standard.\19\ 
NERC maintains that the proposed Reliability Standards ``improve the 
cybersecurity protections required by the CIP Reliability 
Standards[.]'' \20\
---------------------------------------------------------------------------

    \16\ The proposed implementation plan is designed to match the 
effective dates of the proposed Reliability Standards with the 
effective dates of the prior versions of those Reliability Standards 
under the implementation plan of the CIP version 5 Standards.
    \17\ The six new or revised definitions proposed for inclusion 
in the NERC Glossary are: (1) BES Cyber Asset; (2) Protected Cyber 
Asset; (3) Low Impact Electronic Access Point; (4) Low Impact 
External Routable Connectivity; (5) Removable Media; and (6) 
Transient Cyber Asset.
    \18\ The proposed Reliability Standards are available on the 
Commission's eLibrary document retrieval system in Docket No. RM15-
14-000 and on the NERC Web site, www.nerc.com.
    \19\ See NERC Petition at 13 and Exhibit C (citing Order No. 
672, FERC Stats. & Regs. ] 31,204 at PP 323-335).
    \20\ NERC Petition at 4.
---------------------------------------------------------------------------

    12. NERC avers that the proposed CIP Reliability Standards satisfy 
the Commission directives in Order No. 791. Specifically, NERC states 
that the proposed Reliability Standards remove the ``identify, assess, 
and correct'' language, which represents the Commission's preferred 
approach to addressing the underlying directive.\21\ In addition, NERC 
states that the proposed Reliability Standards address the Commission's 
directive regarding a lack of specific controls or objective criteria 
for Low Impact BES Cyber Systems by requiring responsible entities ``to 
implement cybersecurity plans for assets containing Low Impact BES 
Cyber Systems to meet specific security objectives relating to: (i) 
Cybersecurity awareness; (ii) physical security controls; (iii) 
electronic access controls; and (iv) Cyber Security Incident 
response.'' \22\
---------------------------------------------------------------------------

    \21\ Id. at 4, 15.
    \22\ Id. at 5.
---------------------------------------------------------------------------

    13. With regard to the Commission's directive that NERC develop 
specific controls to protect transient electronic devices (e.g., thumb 
drives and laptop computers), NERC explains that the proposed 
Reliability Standards require responsible entities ``to implement 
controls to protect transient devices connected to their high impact 
and medium impact BES Cyber Systems and associated [Protected Cyber 
Assets].'' \23\ In addition, NERC states that the proposed Reliability 
Standards address the protection of communication networks ``by 
requiring entities to implement security controls for nonprogrammable 
components of communication networks at Control Centers with high or 
medium impact BES Cyber Systems.'' \24\ Finally, NERC explains that it 
has not proposed a definition of the term ``communication network'' 
because the term is not used in the CIP Reliability Standards. 
Additionally, NERC states that ``any proposed definition would need to 
be sufficiently broad to encompass all components in a communication 
network as they exist now and in the future.'' \25\ NERC concludes that 
the proposed Reliability Standards ``meet the ultimate security 
objective of protecting communication networks (both programmable and 
nonprogrammable communication network components).'' \26\
---------------------------------------------------------------------------

    \23\ Id. at 6.
    \24\ Id. at 8.
    \25\ Id. at 51-52.
    \26\ Id. at 52.
---------------------------------------------------------------------------

    14. Accordingly, NERC requests that the Commission approve the 
proposed Reliability Standards, the proposed implementation plan, the 
associated violation risk factor and violation severity level 
assignments, and the proposed new and revised definitions. NERC 
requests an effective date for the Reliability Standards of the later 
of April 1, 2016 or the first day of the first calendar quarter that is 
three months after the effective date of the Commission's order 
approving the proposed Reliability Standard, although NERC proposes 
that responsible entities will not have to comply with the requirements 
applicable to Low Impact BES Cyber Systems (CIP-003-6, Requirement R1, 
Part 1.2 and Requirement R2) until April 1, 2017.

II. Discussion

    15. Pursuant to section 215(d)(2) of the FPA, we propose to approve 
Reliability Standards CIP-003-6, CIP-004-6, CIP-006-6, CIP-007-6, CIP-
009-6, CIP-010-2 and CIP-011-2 as just, reasonable, not unduly 
discriminatory or preferential, and in the public interest. In 
addition, pursuant to FPA section 215(d)(5), we propose to direct NERC 
to develop certain modifications to Reliability Standard CIP-006-6 and 
to develop requirements addressing supply chain management.

[[Page 43357]]

    16. The proposed Reliability Standards address the Commission's 
directives from Order No. 791 and are an improvement over the current 
Commission-approved CIP Reliability Standards. Specifically, we propose 
to approve the removal of the ``identify, assess, and correct'' 
language in certain requirements of the CIP version 5 Standards. We 
also propose to approve NERC's submission regarding the protection of 
Low Impact BES Cyber Systems. With regard to the directive to create a 
NERC Glossary definition for the term ``communication networks,'' we 
propose to approve NERC's proposal as an equally effective and 
efficient method to achieve the reliability goal underlying that 
directive in Order No. 791.
    17. The technical controls in proposed Reliability Standard CIP-
006-6, which addresses the protection of non-programmable components of 
communication networks (i.e., network cabling and switches), are 
generally consistent with the type of controls cited by the Commission 
in Order No. 791.\27\ We are concerned, however, that the limited 
applicability of the proposed standard, i.e., BES Cyber Assets within 
the same Electronic Security Perimeter but located outside of a 
Physical Security Perimeter, results in a reliability gap. For the 
reasons discussed below, we propose to direct that NERC modify 
Reliability Standard CIP-006-6 to require physical or logical 
protections for communication network components between all bulk 
electric system Control Centers.
---------------------------------------------------------------------------

    \27\ See Order No. 791, 145 FERC ] 61,160 at P 149.
---------------------------------------------------------------------------

    18. Separately, we are concerned that changes in the bulk electric 
system cyber threat landscape, identified through recent malware 
campaigns targeting supply chain vendors, have highlighted a gap in the 
protections under the CIP Reliability Standards. These malware 
campaigns represent a new type of threat to the reliability of the bulk 
electric system where malicious code can infect the software of 
industrial control systems used by responsible entities. Therefore, we 
propose to direct NERC to develop a new Reliability Standard or 
modified Reliability Standard to provide security controls for supply 
chain management for industrial control system hardware, software, and 
services associated with bulk electric system operations.
    19. We also propose to approve the new or revised definitions for 
inclusion in the NERC Glossary, and seek comment on the proposed 
definition for Low Impact External Routable Connectivity. Depending on 
the comments received, we may direct NERC to develop modifications to 
this definition to eliminate possible ambiguities and ensure that BES 
Cyber Assets receive adequate protection.
    20. In addition, we propose to accept 19 violation risk factor and 
violation severity level assignments associated with the proposed 
Reliability Standards. Finally, we propose to approve NERC's proposed 
implementation plan and effective date. Below, we discuss the following 
matters: (A) Identify, assess, and correct language; (B) enhanced 
security controls for Low Impact assets; (C) protection of Transient 
Devices; (D) protection of bulk electric system communication networks; 
(E) supply chain management; (F) proposed definitions; (G) NERC's 
proposed implementation plan; and (H) proposed violation severity level 
and violation risk factor assignments.

A. Identify, Assess, and Correct Language

Order No. 791
    21. In the proposed CIP version 5 Standards, NERC included language 
in 17 CIP requirements that would have required responsible entities to 
implement requirements in a manner to ``identify, assess, and correct'' 
deficiencies.\28\ In Order No. 791, the Commission concluded that the 
``identify, assess, and correct'' language proposed by NERC was unclear 
with respect to the obligations it would impose on responsible 
entities, how it would be implemented by responsible entities, and how 
it would be enforced.\29\ The Commission explained that proposed 
Reliability Standards should be clear and unambiguous regarding what is 
required for compliance and who is required to comply.\30\ The 
Commission directed NERC, pursuant to section 215(d)(5) of the FPA, to 
develop modifications to the CIP version 5 Standards to address the 
Commission's concerns with the ``identify, assess, and correct'' 
language. The Commission stated its preference that NERC should remove 
the ``identify, assess, and correct'' language from the 17 CIP version 
5 requirements, while retaining the substantive provisions of those 
requirements.\31\
---------------------------------------------------------------------------

    \28\ Order No. 791, 145 FERC ] 61,160 at P 44.
    \29\ Id. P 67.
    \30\ Id. P 68 (citing Mandatory Reliability Standards for the 
Bulk-Power System, Order No. 693, FERC Stats. & Regs. ] 31,242, at P 
274, order on reh'g, Order No. 693-A, 120 FERC ] 61,053 (2007)).
    \31\ Id. P 67 (citing Order No. 693, FERC Stats. & Regs. ] 
31,242 at P 186).
---------------------------------------------------------------------------

NERC Petition
    22. In its Petition, NERC explains that it has addressed the Order 
No. 791 directive regarding the ``identify, assess, and correct'' 
language by removing the language from the 17 requirements that 
included the language in the CIP version 5 Standards.\32\ NERC states 
that it is addressing the concerns underlying the development of the 
``identify, assess, and correct'' language through ``transformation of 
its [Compliance Monitoring and Enforcement Program] and the 
implementation of a risk-based approach to compliance monitoring and 
enforcement activities.'' \33\ NERC explains that the changes it is 
making to the Compliance Monitoring and Enforcement Program, outside 
the text of a reliability standard, ``directly accomplish the goal of 
the `identify, assess, and correct' language by focusing ERO and 
industry resources on those areas that pose a more-than-minimal risk to 
reliability and helping to improve internal controls.'' \34\
---------------------------------------------------------------------------

    \32\ NERC Petition at 15.
    \33\ Id. at 15-16.
    \34\ Id. at 18.
---------------------------------------------------------------------------

Discussion
    23. NERC's proposal to remove the ``identify, assess, and correct'' 
language from the 17 requirements that included the language in the CIP 
version 5 Standards, while retaining the substantive provisions of 
those requirements, reflects the Commission's preferred approach 
outlined in Order No. 791.\35\ Consistent with the rationale underlying 
the Order No. 791 directive, removing the ``identify, assess, and 
correct'' language avoids the possibility of inconsistent application 
and enforcement of the requirements at issue by eliminating the 
possibility of multiple interpretations of that language.
---------------------------------------------------------------------------

    \35\ Order No. 791, 145 FERC ] 61,160 at P 67.
---------------------------------------------------------------------------

    24. Accordingly, we propose to approve NERC's removal of the 
``identify, assess, and correct'' language from the 17 affected 
requirements.

B. Enhanced Security Controls for Low Impact Assets

Order No. 791
    25. In Order No. 791, the Commission approved NERC's new approach 
to categorizing BES Cyber Systems based on the High, Medium or Low 
Impact that each system could have on the reliable operation of the 
bulk electric system. Specifically, the Commission noted that the new 
tiered approach, ``which requires at least a minimum classification of 
Low Impact for BES

[[Page 43358]]

Cyber Systems, better assures the protection of assets that can cause 
cyber security risks to the bulk electric system.'' \36\ The 
Commission, however, raised concerns that the CIP version 5 Standards 
do not require any specific controls for BES Cyber Systems classified 
as Low Impact, nor do the standards contain clear, objective criteria 
``to judge the sufficiency of the controls ultimately adopted by 
responsible entities for Low Impact BES Cyber Systems.'' \37\ The 
Commission concluded that the lack of objective criteria to evaluate 
any controls adopted under proposed Reliability Standard CIP-003-5, 
Requirement R2 ``introduces an unacceptable level of ambiguity and 
potential inconsistency into the compliance process,'' resulting in an 
unnecessary gap in reliability.\38\ The Commission therefore directed 
NERC, pursuant to section 215(d)(5) of the FPA, to develop 
modifications to the CIP version 5 Standards to address the ambiguity 
and potential for inconsistency in the compliance process created by 
the lack of objective criteria pertaining to Low Impact BES Cyber 
Systems.\39\
---------------------------------------------------------------------------

    \36\ Id. P 87.
    \37\ Id. P 107.
    \38\ Id. P 108.
    \39\ Id. P 108.
---------------------------------------------------------------------------

    26. While not directing NERC to develop specific controls for Low 
Impact BES Cyber Systems, the Commission noted that NERC could address 
the lack of objective criteria in a number of ways, including: (1) 
Requiring specific controls for Low Impact assets, including 
subdividing the assets into different categories with different defined 
controls applicable to each subcategory; (2) developing objective 
criteria against which the controls adopted by responsible entities can 
be compared and measured in order to evaluate their adequacy, including 
subdividing the assets into different categories with different defined 
control objectives applicable to each subcategory; (3) defining with 
greater specificity the processes that responsible entities must have 
for Low Impact facilities under Reliability Standard CIP-003-5, 
Requirement R2; or (4) another equally efficient and effective 
solution.\40\ Finally, the Commission emphasized that however NERC 
decides to address the Commission's concern, ``the criteria NERC 
proposes for evaluating a responsible entities' protections for Low 
Impact facilities should be clear, objective, commensurate with their 
impact on the system, and technically justified.'' \41\
---------------------------------------------------------------------------

    \40\ Id. P 108.
    \41\ Id. P 110.
---------------------------------------------------------------------------

NERC Petition
    27. In its Petition, NERC states that the revised CIP Reliability 
Standards include ``additional specificity regarding the controls that 
responsible entities must implement for protecting their low impact BES 
Cyber Systems.'' \42\ NERC explains that proposed Reliability Standard 
CIP-003-6, Requirement R1 requires responsible entities to develop 
cyber security policies for Low Impact BES Cyber Systems ``to 
communicate management's expectation for cybersecurity across the 
organization.'' \43\ According to NERC, the cyber security policies 
required under proposed Reliability Standard CIP-003-6, Requirement R1 
must include the four subject matter areas addressed by proposed 
Reliability Standard CIP-003-6, Requirement R2, Attachment 1, and must 
be reviewed and approved by the CIP Senior Manager at least once every 
15 calendar months. NERC explains that, while a responsible entity has 
the flexibility to develop either a single comprehensive cyber security 
policy or single high-level umbrella policy with detail provided in 
lower-level documents, ``the purpose of these policies is to 
communicate the responsible entity's management goals, objectives, and 
expectations for the protection of low impact BES Cyber Systems and 
establish a culture of security and compliance across the 
organization.'' \44\
---------------------------------------------------------------------------

    \42\ NERC Petition at 23.
    \43\ Id. at 24.
    \44\ Id. at 32.
---------------------------------------------------------------------------

    28. In addition, NERC explains that proposed Reliability Standard 
CIP-003-6, Requirement R2 requires responsible entities with Low Impact 
BES Cyber Systems to implement controls necessary to meet specific 
security objectives for: (1) Cyber security awareness; (2) physical 
security controls; (3) electronic access controls; and (4) cyber 
security incident response. NERC explains further that while the four 
topics addressed by Reliability Standard CIP-003-6, Requirement R2 are 
the same as those under the CIP version 5 Standards, focusing resources 
on the four identified subject matter areas ``will have the greatest 
cybersecurity benefit for low impact BES Cyber Systems without 
diverting resources necessary for the protection of high and medium 
impact BES Cyber Systems.'' \45\
---------------------------------------------------------------------------

    \45\ Id. at 25.
---------------------------------------------------------------------------

    29. NERC explains further that proposed Reliability Standard CIP-
003-6, Requirement R2 provides responsible entities with flexibility to 
adopt security controls for Low Impact BES Cyber Systems ``in the 
manner that best suits the needs and characteristics of their 
organization, so long as the responsible entity can demonstrate that it 
designed its controls to meet the ultimate security objective.'' \46\ 
NERC states that attempts to overly prescribe specific security 
controls would be problematic and could inhibit the development of 
innovative security controls due to the diversity of Low Impact BES 
Cyber Systems. However, NERC explains that by having responsible 
entities articulate clear security objectives, ``the ERO and the 
Commission will have a basis from which to judge the sufficiency of the 
controls ultimately adopted by a responsible entity.'' \47\
---------------------------------------------------------------------------

    \46\ Id. at 25.
    \47\ Id. at 25.
---------------------------------------------------------------------------

Discussion
    30. We propose to approve proposed Reliability Standard CIP-003-6. 
NERC's proposal satisfies the Commission's Order No. 791 directive by 
providing responsible entities with a list of specific security 
objectives relevant to Low Impact BES Cyber Systems that must be 
addressed through one or more documented cyber security plans. 
Reliability Standard CIP-003-6, Requirement R2 provides clarity 
regarding what is expected for compliance and requires responsible 
entities to implement specific security controls to meet the four 
subject matter areas identified by NERC to address the risks associated 
with Low Impact BES Cyber Systems, providing enhanced protections for 
Low Impact assets.
    31. As noted above, Attachment 1 to revised CIP-003-6, Requirement 
R2 identifies four topics addressed by the requirement, and describes 
the affirmative obligations associated with each topic, including: (1) 
Mandatory reinforcement of cyber security awareness practices at least 
once every 15 calendar months; (2) mandatory physical access controls 
to the asset or locations of the Low Impact BES Cyber Systems within 
the asset and Low Impact BES Cyber System Electronic Access Points, if 
any; (3) mandatory electronic access point protection to permit only 
necessary inbound and outbound bi-directional routable protocol access 
and mandatory authentication for all dialup connectivity that provides 
access to the Low Impact BES Cyber System; and (4) specific information 
to be included in

[[Page 43359]]

incident response plans. We believe that Attachment 1 provides 
sufficient context to evaluate objectively the effectiveness of the 
procedures developed by a responsible entity to implement CIP-003-6 and 
judge the sufficiency of the controls ultimately adopted by a 
responsible entity under its security plans.
    32. Furthermore, we agree that NERC's proposal to use clear 
security objectives in lieu of specific security controls for each Low 
Impact system is reasonable owing to the diversity of assets covered 
under the Low Impact category. With respect to the security subject 
matter areas covered under proposed CIP-003-6, we believe that NERC's 
proposal is reasonable in relation to the risk posed by Low Impact BES 
Cyber Systems, as well as the diversity of systems captured by the Low 
Impact category. Therefore, we propose to approve proposed Reliability 
Standard CIP-003-6.

C. Protection of Transient Devices

Order No. 791
    33. In Order No. 791, the Commission approved the proposed 
definition of BES Cyber Asset that provides, in part, that ``[a] Cyber 
Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or 
less, it is directly connected to a network within an [Electronic 
Security Perimeter], a Cyber Asset within an [Electronic Security 
Perimeter], or to a BES Cyber Asset, and it is used for data transfer, 
vulnerability assessment, maintenance, or troubleshooting purposes.'' 
\48\ While the Commission had requested comment in the CIP version 5 
NOPR on whether the 30 consecutive calendar day qualifier in the 
proposed definition of BES Cyber Asset ``could result in the 
introduction of malicious code or new attack vectors to an otherwise 
trusted and protected system,'' \49\ the Commission concluded, based on 
comments, that ``it would be unduly burdensome to protect transient 
devices in the same manner as BES Cyber Assets because transient 
devices are portable and frequently connected and disconnected from 
systems.'' \50\
---------------------------------------------------------------------------

    \48\ Order No. 791, 145 FERC ] 61,160 at P 132.
    \49\ Version 5 Critical Infrastructure Protection Reliability 
Standards, 143 FERC ] 61,055, at P 78 (2013) (CIP Version 5 NOPR).
    \50\ Order No. 791, 145 FERC ] 61,160 at P 133.
---------------------------------------------------------------------------

    34. While accepting the 30-day exemption in the BES Cyber Asset 
definition, the Commission reiterated its concern whether the 
provisions of the CIP version 5 Standards ``provide adequately robust 
protection from the risks posed by transient devices.'' \51\ Therefore, 
the Commission directed that NERC, pursuant to section 215(d)(5) of the 
FPA, develop either new or modified Reliability Standards to address 
the reliability risks posed by connecting transient devices to BES 
Cyber Assets and Systems. In particular, the Commission stated that it 
expects NERC to consider the following security elements for transient 
devices and removable media: (1) Device authorization as it relates to 
users and locations; (2) software authorization; (3) security patch 
management; (4) malware prevention; (5) detection controls for 
unauthorized physical access to a transient device; and (6) processes 
and procedures for connecting transient devices to systems at different 
security classification levels (i.e., High, Medium, Low Impact).\52\
---------------------------------------------------------------------------

    \51\ Id. P 132.
    \52\ Id. P 136.
---------------------------------------------------------------------------

NERC Petition
    35. In its Petition, NERC states that the revised CIP Reliability 
Standards satisfy the Commission's directive in Order No. 791 by 
requiring that applicable entities: (1) Develop plans and implement 
cybersecurity controls to protect Transient Cyber Assets and Removable 
Media associated with their High Impact and Medium Impact BES Cyber 
Systems and associated Protected Cyber Assets; and (2) train their 
personnel on the risks associated with using Transient Cyber Assets and 
Removable Media. NERC states that the purpose of the proposed revisions 
is to prevent unauthorized access to and use of transient devices, 
mitigate the risk of vulnerabilities associated with unpatched software 
on transient devices, and mitigate the risk of the introduction of 
malicious code on transient devices. NERC explains that the standard 
drafting team determined that the proposed requirements should only 
apply to transient devices associated with High and Medium Impact BES 
Cyber Systems, concluding that ``the application of the proposed 
transient devices requirements to transient devices associated with low 
impact BES Cyber Systems was unnecessary, and likely counterproductive, 
given the risks low impact BES Cyber Systems present to the Bulk 
Electric System.'' \53\
---------------------------------------------------------------------------

    \53\ NERC Petition at 34-35.
---------------------------------------------------------------------------

    36. NERC proposes to add two terms to the NERC Glossary, Transient 
Cyber Asset and Removable Media, to clarify the types of transient 
devices subject to the CIP Reliability Standards. NERC also proposes to 
revise the definitions for BES Cyber Asset and Protected Cyber Asset to 
remove the 30-day exemption as the proposed definition for Transient 
Cyber Assets obviates the need for the 30-day exemption language. NERC 
indicates that, as defined, Transient Cyber Assets and Removable Media 
do not provide reliability services and are not part of the BES Cyber 
System to which they are connected.\54\
---------------------------------------------------------------------------

    \54\ Id. at 36-37.
---------------------------------------------------------------------------

    37. NERC proposes to define Transient Cyber Asset as: ``A Cyber 
Asset that (i) is capable of transmitting or transferring executable 
code, (ii) is not included in a BES Cyber System, (iii) is not a 
Protected Cyber Asset (PCA) and (iv) is directly connected (e.g., using 
Ethernet, serial, Universal Serial Bus, or wireless, including near 
field or Bluetooth communication) for 30 consecutive calendar days or 
less to a BES Cyber Asset, a network within an [Electronic Security 
Perimeter], or a [Protected Cyber Asset].'' NERC explains that examples 
of Transient Cyber Assets include but are not limited to: Diagnostic 
test equipment, packet sniffers, equipment used for BES Cyber System 
maintenance, equipment used for BES Cyber System configuration or 
equipment used to perform vulnerability assessments, and may include 
devices or platforms such as laptops, desktops or tablet computers 
which run applications that support BES Cyber Systems.\55\
---------------------------------------------------------------------------

    \55\ Id. at 36.
---------------------------------------------------------------------------

    38. NERC proposes to define the term Removable Media as: ``Storage 
media that (i) are not Cyber Assets, (ii) are capable of transferring 
executable code, (iii) can be used to store, copy, move, or access 
data, and (iv) are directly connected for 30 consecutive calendar days 
or less to a BES Cyber Asset, a network within an [Electronic Security 
Perimeter] or a Protected Cyber Asset. Examples include but are not 
limited to floppy disks, compact disks, USB flash drives, external hard 
drives and other flash memory cards/drives that contain nonvolatile 
memory.'' \56\
---------------------------------------------------------------------------

    \56\ Id. at 36.
---------------------------------------------------------------------------

    39. NERC explains that proposed Reliability Standard CIP-010-2, 
Requirement R4 requires entities to document and implement a plan for 
managing and protecting Transient Cyber Assets and Removable Media in 
order to protect BES Cyber Systems from the risks associated with 
transient devices. Specifically, Requirement R4 provides that ``[e]ach 
responsible entity for its high impact and medium impact BES Cyber 
Systems and associated Protected Cyber Assets, shall implement, except 
under CIP Exceptional Circumstances, one or more documented plans for 
Transient Cyber

[[Page 43360]]

Assets and Removable Media that include the sections in Attachment 1 
[to the proposed standard].'' NERC indicates that Attachment 1 does not 
prescribe a standard method or set of controls that each entity must 
implement to protect its transient devices, but rather requires 
responsible entities to meet certain security objectives by 
implementing the controls that the responsible entity determines are 
necessary to meet its affirmative obligation to protect BES Cyber 
Systems.\57\
---------------------------------------------------------------------------

    \57\ Id. at 37.
---------------------------------------------------------------------------

    40. NERC further explains that Attachment 1 to CIP-010-2, 
Requirement R4 requires a responsible entity to adopt controls to 
address the following areas: (1) Protections for Transient Cyber Assets 
managed by responsible entities; (2) protections for Transient Cyber 
Assets managed by another party; and (3) protections for Removable 
Media. NERC indicates that these provisions reflect the standard 
drafting team's recognition that the security controls required for a 
particular transient device must account for (1) the functionality of 
that device and (2) whether the responsible entity or a third party 
manages the device. NERC also states that, because Transient Cyber 
Assets and Removable Media have different capabilities, they present 
different levels of risk to the bulk electric system.\58\
---------------------------------------------------------------------------

    \58\ Id. at 38.
---------------------------------------------------------------------------

Discussion
    41. Based on our review, proposed Reliability Standard CIP-010-2 
appears to provide a satisfactory level of security for transient 
devices used at High and Medium Impact BES Cyber Systems. As described 
above, proposed Reliability Standard CIP-010-2, Requirement R4 
addresses the following security elements: (1) Device authorization; 
(2) software authorization; (3) security patch management; (4) malware 
prevention; and (5) unauthorized use. The proposed security controls, 
taken together, constitute a reasonable approach to address the 
reliability objectives outlined by the Commission in Order No. 791. The 
proposed security controls outlined in Attachment 1 should ensure that 
responsible entities apply multiple security controls to provide 
defense-in-depth protection to transient devices (i.e., transient cyber 
assets and removable media) in the High and Medium Impact BES Cyber 
System environments.
    42. We are concerned, however, that NERC's proposed revisions do 
not provide adequate security controls to address the risks posed by 
transient devices used at Low Impact BES Cyber Systems, including Low 
Impact control centers, due to the limited applicability of Requirement 
R4. We believe that this omission may result in a gap in protection for 
Low Impact BES Cyber Systems. For example, malware inserted via a USB 
flash drive at a single Low Impact substation could propagate through a 
network of many substations without encountering a single security 
control under NERC's proposal. In addition, we note that Low Impact 
security controls do not provide for the use of mandatory anti-malware/
antivirus protections within the Low Impact facilities, heightening the 
risk that malware or malicious code could propagate through these 
systems without being detected.
    43. We do not believe that NERC has provided an adequate 
justification to limit the applicability of Reliability Standard CIP-
010-2. In its petition, NERC states that ``the application of the 
proposed transient devices requirements to transient devices associated 
with low impact BES Cyber Systems was unnecessary, and likely 
counterproductive, given the risks low impact BES Cyber Systems present 
to the Bulk Electric System.'' \59\ Essentially, NERC posits that 
resources are better placed in the protection of High and Medium Impact 
devices. The burden of expanding the applicability of Reliability 
Standard CIP-010-2 to transient devices at Low Impact BES Cyber 
Systems, however, is not clear from the information in the record. Nor 
is it clear what information and analysis led NERC to conclude that the 
application of the transient device requirements to Low Impact BES 
Cyber Systems ``was unnecessary.'' \60\ Therefore, we direct NERC to 
provide additional information supporting the proposed limitation in 
Reliability Standard CIP-010-2 to High and Medium Impact BES Cyber 
Systems. Depending on the information provided, we may direct NERC to 
address the potential reliability gap by developing a solution, which 
could include modifying the applicability section of CIP-010-2, 
Requirement R4 to include Low Impact BES Cyber Systems, that 
effectively addresses, and is appropriately tailored to address, the 
risks posed by transient devices to Low Impact BES Cyber Systems.
---------------------------------------------------------------------------

    \59\ NERC Petition at 34-35.
    \60\ Id.
---------------------------------------------------------------------------

D. Protection of Bulk Electric System Communication Networks

Order No. 791
    44. In Order No. 791, the Commission approved a revised definition 
of the NERC Glossary term Cyber Asset, including the removal of the 
phrase ``communication networks.'' In reaching its decision, the 
Commission recognized that maintaining the phrase ``communication 
networks'' in the definition of ``cyber asset'' could cause confusion 
and potentially complicate implementation of the CIP version 5 
Standards ``as many communication network components, such as cabling, 
cannot strictly comply with the CIP Reliability Standards.'' \61\
---------------------------------------------------------------------------

    \61\ Order No. 791, 145 FERC ] 61,160 at P 148.
---------------------------------------------------------------------------

    45. However, while the Commission approved the revised Cyber Asset 
definition, the Commission also directed NERC to create a definition of 
communication networks. Specifically, the Commission stated that 
``[t]he definition of communication networks should define what 
equipment and components should be protected, in light of the statutory 
inclusion of communication networks for the reliable operation of the 
Bulk-Power System.'' \62\
---------------------------------------------------------------------------

    \62\ Id. P 150.
---------------------------------------------------------------------------

    46. The Commission also directed NERC to develop new or modified 
Reliability Standards to address the reliability gap resulting from the 
removal of the phrase ``communication networks'' from the Cyber Asset 
definition. Specifically, the Commission found that a gap in protection 
may exist since the CIP version 5 Standards ``do not address security 
controls needed to protect the nonprogrammable components of 
communication networks.'' \63\ The Commission explained that the new or 
modified Reliability Standards should require appropriate and 
reasonable controls to protect the non-programmable aspects of 
communication networks.\64\ The Commission provided examples of other 
relevant information security standards that address the protection of 
the nonprogrammable aspects of communication networks by requiring, 
among other things, locked wiring closets, disconnected or locked spare 
jacks, protection of cabling by conduit or cable trays, or generally 
emphasizing the protection of communication network cabling from 
interception or damage.\65\
---------------------------------------------------------------------------

    \63\ Id. P 149.
    \64\ Id. P 150.
    \65\ Id. P 149 (referencing NIST SP 800-53 Revision 3, security 
control family Physical and Environmental Protection, Annex 2, page 
54; BSI ISO/IEC (2005). Information technology--Security 
techniques--Information security management systems--Requirements 
(ISO/IEC 27001:2005).British Standards Institute).

---------------------------------------------------------------------------

[[Page 43361]]

NERC Petition
    47. In its petition, NERC states that the standard drafting team 
concluded that it did not need to create a new definition for 
communication networks to address the Commission's concerns. NERC 
explains that the term communication network ``is generally understood 
to encompass both programmable and nonprogrammable components (i.e., a 
communication network includes computer peripherals, terminals, and 
databases as well as communication mediums such as wires).'' \66\ 
Therefore, NERC concludes that any proposed definition of communication 
network ``would need to be sufficiently broad to encompass all 
components in a communication network as they exist now and in the 
future.'' \67\ NERC explains that, based on that conclusion, the 
standard drafting team identified the types of equipment and components 
that responsible entities must protect, and developed reasonable 
controls to secure those components based on the risk they pose to the 
bulk electric system, rather than develop a specific definition.
---------------------------------------------------------------------------

    \66\ NERC Petition at 52 (citing North American Electric 
Reliability Corp., 142 FERC ] 61,203, at PP 13-14 (2013)).
    \67\ Id. at 52.
---------------------------------------------------------------------------

    48. NERC states that the revised CIP Reliability Standards, as 
proposed, address the ultimate security objective of protecting both 
the programmable and nonprogrammable components of communication 
networks.\68\ NERC explains that the proposed standards include 
protections for cables and other nonprogrammable components of 
communication networks through proposed Reliability Standard CIP-006-6, 
Requirement R1, Part 1.10, which augments the existing protections for 
programmable communication components by requiring entities to 
implement various security controls to restrict and manage physical 
access to Physical Security Perimeters.\69\ NERC further states that 
the standard drafting team focused on nonprogrammable communication 
components at control centers with High or Medium Impact BES Cyber 
Systems because those locations present a heightened risk to the Bulk-
Power System, warranting the increased protections.\70\
---------------------------------------------------------------------------

    \68\ Id.
    \69\ Id. at 52-53.
    \70\ Id. at 48.
---------------------------------------------------------------------------

    49. NERC explains that proposed Reliability Standard CIP-006-6, 
Requirement R1, Part 1.10 provides that, for High and Medium Impact BES 
Cyber Systems and their associated Protected Cyber Assets, responsible 
entities must restrict physical access to cabling and other 
nonprogrammable communication components used for connection between 
covered Cyber Assets within the same Electronic Security Perimeter in 
those instances when such cabling and components are located outside of 
a Physical Security Perimeter. NERC explains further that, where 
physical access restrictions to such cabling and components are not 
feasible, Part 1.10 provides that the responsible entity must document 
and implement encryption of data transmitted over such cabling and 
components and/or monitor the status of the communication link composed 
of such cabling and components. Further, pursuant to Part 1.10, a 
responsible entity must issue an alarm or alert in response to detected 
communication failures to the personnel identified in the BES Cyber 
Security Incident response plan within 15 minutes of detection, or 
implement an equally effective logical protection.\71\
---------------------------------------------------------------------------

    \71\ Id. at 48-49.
---------------------------------------------------------------------------

    50. NERC states that proposed Reliability Standard CIP-006-6 
provides flexibility for responsible entities to implement the physical 
security measures that best suit their needs and to account for 
configurations where logical measures are necessary because the entity 
cannot implement physical access restrictions effectively. Responsible 
entities have the discretion as to the type of physical or logical 
protections to implement pursuant to Part 1.10, provided that the 
protections are designed to meet the overall security objective. 
According to NERC, the protections required by Part 1.10 will reduce 
the possibility of tampering and the likelihood that ``man-in-the-
middle'' attacks could compromise the integrity of BES Cyber Systems or 
Protected Cyber Assets at control centers with High or Medium Impact 
BES Cyber Systems.\72\
---------------------------------------------------------------------------

    \72\ Id. at 49-50.
---------------------------------------------------------------------------

    51. NERC explains that proposed Part 1.10 applies only to 
nonprogrammable components outside of a Physical Security Perimeter 
because nonprogrammable components located within a Physical Security 
Perimeter are already subject to physical security protections by 
virtue of their location. NERC further states that Part 1.10 only 
applies to nonprogrammable components used for connection between 
applicable Cyber Assets within the same Electronic Security Perimeter 
because Reliability Standard CIP-005-5 already requires logical 
protections for communications between discrete Electronic Security 
Perimeters.\73\
---------------------------------------------------------------------------

    \73\ Id. at 49.
---------------------------------------------------------------------------

    52. In addition, NERC asserts that the proposed Reliability 
Standards will strengthen the defense-in-depth approach by further 
minimizing the ``attack surface'' of BES Cyber Systems. NERC also 
clarifies that the standard drafting team limited the applicability in 
this manner to clarify that responsible entities are not responsible 
for protecting nonprogrammable communication components outside of the 
responsible entity's control (i.e., components of a telecommunication 
carrier's network).\74\
---------------------------------------------------------------------------

    \74\ Id. at 51.
---------------------------------------------------------------------------

Discussion
    53. We believe that NERC's proposed alternative approach to 
addressing the Commission's Order No. 791 directive regarding the 
definition of communication networks adequately addresses part of the 
underlying concerns set forth in Order No. 791. Proposed Reliability 
Standard CIP-006-6, Requirement R1.10 specifies the types of assets 
subject to mandatory protection by using the existing definitions of 
Electronic Security Perimeter \75\ and Physical Security Perimeter.\76\ 
Proposed Reliability Standard CIP-006-6 addresses protection for non-
programmable components of communication networks, such as network 
cabling and switches, that are located within the same Electronic 
Security Perimeter, but span separate Physical Security Perimeters. 
Specifically, proposed Reliability Standard CIP-006-6 requires 
responsible entities to restrict physical access to cabling and other 
nonprogrammable communication components between BES Cyber Assets 
within the same Electronic Security Perimeter in those instances when 
such cabling and components are located outside of a Physical Security 
Perimeter. Where physical access restrictions to such cabling and 
components is not feasible, Part 1.10 provides that responsible 
entities must document and implement encryption of data transmitted 
over such cabling and components, monitor the status of the

[[Page 43362]]

communication link composed of such cabling and components, or 
implement an equally effective logical protection.
---------------------------------------------------------------------------

    \75\ Electronic Security Perimeter: The logical border 
surrounding a network to which Critical Cyber Assets are connected 
and for which access is controlled. See NERC Glossary at 33.
    \76\ Physical Security Perimeter: The physical, completely 
enclosed (``six-wall'') border surrounding computer rooms, 
telecommunications rooms, operations centers, and other locations in 
which Critical Cyber Assets are housed and for which access is 
controlled. See NERC Glossary at 60.
---------------------------------------------------------------------------

    54. We propose to accept NERC's proposed omission of a definition 
of communication networks based on NERC's explanation that responsible 
entities must develop controls to secure the non-programmable 
components of communication networks based on the risk they pose to the 
bulk electric system, rather than develop a specific definition of 
communication networks to identify assets for protection. NERC's 
proposal is an equally efficient and effective solution to the 
Commission's directive in Order No. 791 that NERC develop a definition 
of communication networks, subject to the proposed modification 
discussed below.
    55. NERC's proposed solution for the protection of nonprogrammable 
components of communication networks, however, does not fully meet the 
intent of the Commission's Order No. 791 directive, resulting in a gap 
in security for bulk electric system communication systems. While the 
technical substance of CIP-006-6, Requirement R1, Part 1.10 appears to 
be adequate, we are concerned that the limited applicability of the 
provision results in limited protection for the nonprogrammable 
components of the communication systems at issue. Specifically, 
proposed CIP-006-6, Requirement R1, Part 1.10 would only apply to 
nonprogrammable components of communication networks within the same 
Electronic Security Perimeter, excluding from protection other 
programmable and non-programmable communication network components that 
may exist outside of a discrete Electronic Security Perimeter.
    56. While NERC asserts that this limitation is justified by the 
controls required under Reliability Standard CIP-005-5, NERC's position 
does not appear to consider that the controls set forth in Reliability 
Standard CIP-005-5 are limited to interactive remote access into an 
Electronic Security Perimeter, and can only be applied on programmable 
electronic devices and data that exists within an Electronic Security 
Perimeter.\77\ This limitation would exclude communication network 
components that may be necessary to facilitate the automated 
transmission of reliability data between bulk electric system Control 
Centers in discrete Electronic Security Perimeters and would also 
exclude real time monitoring data that is used by Reliability 
Coordinators to monitor and assess the operation of their control 
areas. In other words, revised Reliability Standard CIP-006-6, 
Requirement R1 provides mandatory protection against: (1) Physical 
attacks on nonprogrammable equipment; (2) man-in-the-middle attacks; 
and (3) session hijacking attacks within the confines of a bulk 
electric system Control Center, but does not extend protections to 
real-time data passing between Control Centers outside of a facility.
---------------------------------------------------------------------------

    \77\ See Reliability Standard CIP-005-5 (Electronic Security 
Perimeters), Requirement R2.
---------------------------------------------------------------------------

    57. Comments from participants at the April 29, 2014 Technical 
Conference suggest that the Commission should take action to ensure the 
confidentiality, integrity, and availability of sensitive bulk electric 
system data when it is in motion both inside and outside of an 
Electronic Security Perimeter.\78\ We understand that inter-Control 
Center communications play a vital role in maintaining bulk electric 
system reliability and, as a result, we believe that the communication 
links and data used to control and monitor the bulk electric system 
should receive protection under the CIP Reliability Standards.
---------------------------------------------------------------------------

    \78\ See Transcript at pp. 19, 24, 74-75 (Kevin Perry speaking), 
79 (Mikhail Falkovich speaking).
---------------------------------------------------------------------------

    58. We also recognize that third party communication infrastructure 
(e.g., facilities owned by a telecommunications company) cannot 
necessarily be physically protected by responsible entities. This fact, 
however, does not alleviate the need to protect reliability data that 
traverses third party communication infrastructure. Proposed 
Reliability Standard CIP-006-6, Requirement R1, Part 1.10 mandates that 
logical controls, such as encryption and connection link monitoring, be 
applied to cabling and components that cannot be physically restricted 
by the responsible entity. However, similar protections are not 
afforded to communications and data leaving bulk electric system 
Control Centers where they may be intercepted and altered while 
traversing communication networks.
    59. Therefore, pursuant to section 215(d)(5) of the FPA, we propose 
to direct NERC to develop a modification to proposed Reliability 
Standard CIP-006-6 to require responsible entities to implement 
controls to protect, at a minimum, all communication links and 
sensitive bulk electric system data communicated between all bulk 
electric system Control Centers. This includes communication between 
two (or more) Control Centers, but not between a Control Center and 
non-Control Center facilities such as substations. Also, if latency 
concerns mitigate against use of encryption as a logical control for 
any inter-Control Center communications, our understanding is that 
other logical protections are available, and we seek comment on this 
point.
    60. Further, as discussed at the April 29, 2014 technical 
conference, panelists identified suggestions that could be explored to 
enhance protections for remote access, including the addition of 
logical or physical controls to provide additional network segmentation 
behind the intermediate systems. For example, the Commission is 
interested in comments that address the value achieved if the CIP 
standards were to require the incorporation of additional network 
segmentation controls, connection monitoring, and session termination 
controls behind responsible entity intermediate systems. We seek 
comment on whether these or other steps to improve remote access 
protection are needed, and whether the adoption of any additional 
security controls addressing this topic would provide substantial 
reliability and security benefits.

E. Risks Posed by Lack of Controls for Supply Chain Management

    61. The information and communications technology and industrial 
control system supply chains provide hardware, software and operations 
support for computer networks. Such supply chains are complex, globally 
distributed and interconnected systems that have geographically diverse 
routes and consist of multiple tiers of outsourcing. The supply chain 
includes public and private sector entities that depend on each other 
to develop, integrate, and use information and communications 
technology and industrial control system supply chain products and 
services. Thus, the supply chain provides the opportunity for 
significant benefits to customers, including low cost, 
interoperability, rapid innovation, a variety of product features and 
choice.
    62. However, the global supply chain also enables opportunities for 
adversaries to directly or indirectly affect the management or 
operations of companies that may result in risks to the end user. 
Supply chain risks may include the insertion of counterfeits, 
unauthorized production, tampering, theft, or insertion of malicious 
software, as well as poor manufacturing and development practices. To 
address these risks, NIST developed SP 800-161 \79\ to

[[Page 43363]]

provide guidance and controls that can be used to comply with Federal 
Information Processing Standard 199 Standards for Security 
Categorization of Federal Information and Information Systems for 
Federal Government Information Systems.\80\ Similarly, the Department 
of Energy has developed guidance on cybersecurity procurement language 
for energy delivery systems.\81\
---------------------------------------------------------------------------

    \79\ NIST SP 800-161, Supply Chain Risk Management Practices for 
Federal Information Systems and Organizations (April 2015), 
available at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf.
    \80\ Federal Information Processing Standard Publication, 
Standards for Security Categorization of Federal Information and 
Information Systems, available at: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf.
    \81\ Cybersecurity Procurement Language for Energy Delivery 
Systems, April 2014 at page 1. http://www.energy.gov/sites/prod/files/2014/04/f15/CybersecProcurementLanguage-EnergyDeliverySystems_040714_fin.pdf.
---------------------------------------------------------------------------

    63. While the Commission did not address supply chain management in 
Order No. 791, changes in the bulk electric system cyber threat 
landscape identified through recent malware campaigns targeting supply 
chain vendors have highlighted a gap in the protections under the CIP 
Standards. Specifically, in 2014, after Order No. 791 was issued, the 
Industry Control System--Computer Emergency Readiness Team (ICS-CERT) 
reported on two focused malware campaigns.\82\ This new type of malware 
campaign is based on the injection of malware while a product or 
service remains in the control of the hardware or software vendor, 
prior to delivery to the customer.
---------------------------------------------------------------------------

    \82\ ICS-CERT is a division of the Department of Homeland 
Security that works to reduce risks within and across all critical 
infrastructure sectors by partnering with law enforcement agencies 
and the intelligence community. See https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-176-02A; and https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B for ``alert'' information on supply 
chain malware campaigns.
---------------------------------------------------------------------------

    64. We believe that it is reasonable to direct NERC to develop a 
new or modified Reliability Standard to provide security controls for 
supply chain management for industrial control system hardware, 
software, and computing and networking services associated with bulk 
electric system operations. The reliability goal should be to create a 
forward-looking, objective-driven standard that encompasses activities 
in the system development life cycle: from research and development, 
design and manufacturing stages (where applicable), to acquisition, 
delivery, integration, operations, retirement, and eventual disposal of 
the Registered Entity's information and communications technology and 
industrial control system supply chain equipment and services. The 
standard should support and ensure security, integrity, quality, and 
resilience of the supply chain and the future acquisition of products 
and services.
    65. Since security controls for supply chain management will likely 
vary greatly with each responsible entity due to variations in 
individual business practices, the right set of supply chain management 
security controls should accommodate for, among other things, an 
entity's: (1) Procurement process; (2) vendor relations; (3) system 
requirements; (4) information technology implementation; and (5) 
privileged commercial or financial information. The following Supply 
Chain Risk Management controls from NIST SP 800-161 may be 
instructional in the development of any new reliability standard to 
address this security topic: \83\ (1) Access Control Policy and 
Procedures; (2) Security Assessment Authorization; (3) Configuration 
Management; (4) Identification and Authentication; (5) System 
Maintenance Policy and Procedures; (6) Personnel Security Policy and 
Procedures; (7) System and Services Acquisition; (8) Supply Chain 
Protection; and (9) Component Authenticity.\84\
---------------------------------------------------------------------------

    \83\ The listed controls do not reflect a comprehensive scope of 
the proposed standard.
    \84\ See NIST SP 800-161.
---------------------------------------------------------------------------

    66. Therefore, pursuant to section 215(d)(5) of the FPA, we propose 
to direct NERC to develop a new reliability standard or modified 
reliability standard to provide security controls for supply chain 
management for industrial control system hardware, software, and 
services associated with bulk electric system operations. In addition 
to the parameters discussed above, due to the broadness of the topic 
and the individualized nature of many aspects of supply chain 
management, we anticipate that a Reliability Standard pertaining to 
supply chain management security would:
     Respect section 215 jurisdiction by only addressing the 
obligations of registered entities. A reliability standard should not 
directly impose obligations on suppliers, vendors or other entities 
that provide products or services to registered entities.
     Be forward-looking in the sense that the reliability 
standard should not dictate the abrogation or re-negotiation of 
currently-effective contracts with vendors, suppliers or other 
entities.
     Recognize the individualized nature of many aspects of 
supply chain management by setting goals (the ``what''), while allowing 
flexibility in how a registered entity subject to the standard achieves 
that goal (the ``how'').\85\
---------------------------------------------------------------------------

    \85\ See Order No. 672, FERC Stats. & Regs. ] 31,204 at P 260.
---------------------------------------------------------------------------

     Given the types of specialty products involved and 
diversity of acquisition processes, the standard may need to allow 
exceptions, e.g., to meet safety requirements and fill operational gaps 
if no secure products are available.
     Provide enough specificity so that compliance obligations 
are clear and enforceable. In particular, we anticipate that a 
reliability standard that simply requires a registered entity to ``have 
a plan'' addressing supply chain management would not suffice. Rather, 
to adequately address our concerns, we believe that a reliability 
standard should identify specific controls. As discussed above, NIST SP 
800-161 may be instructional in identifying appropriate controls in the 
development of an effective supply chain management reliability 
standard.
    We recognize that developing a supply chain management standard 
would likely be a significant undertaking and require extensive 
engagement with stakeholders to define the scope, content, and timing 
of the standard. Accordingly, to further that stakeholder engagement, 
we seek comment on this proposal, including: (1) The general proposal 
to direct that NERC develop a Reliability Standard to address supply 
chain management; (2) the anticipated features of, and requirements 
that should be included in, such a standard; and (3) a reasonable 
timeframe for development of a standard. We also direct staff, after 
receipt and consideration of those comments, to engage in additional 
outreach to further the Commission's consideration of the need for, and 
scope, content, and timing of, a supply chain management standard.

F. Proposed Definitions

    67. The proposed revised CIP Reliability Standards include six new 
or revised definitions for inclusion in the NERC glossary. NERC's 
proposal includes four new definitions and two revised definitions. 
Specifically, NERC seeks approval for the following terms: (1) BES 
Cyber Asset; (2) Protected Cyber Asset; (3) Low Impact Electronic 
Access Point; (4) Low Impact External Routable Connectivity; (5) 
Removable Media; and (6) Transient Cyber Asset. We propose to approve 
the proposed definitions for inclusion in the NERC Glossary. We also 
seek comment on certain aspects of the proposed definition for Low 
Impact External Routable Connectivity, as discussed below. After 
receiving

[[Page 43364]]

comments, depending on the adequacy of the explanations provided in 
response to our questions, we may direct NERC to develop modifications 
to this definition to eliminate ambiguities and assure that the revised 
CIP Reliability Standards provide adequate protection for the bulk 
electric system.
Definition--Low Impact External Routable Connectivity
    68. In its petition, NERC proposes the following definition for Low 
Impact External Routable Connectivity:

    Direct user-initiated interactive access or a direct device-to-
device connection to a low impact BES Cyber System(s) from a Cyber 
Asset outside the asset containing those low impact BES Cyber 
System(s) via a bidirectional routable protocol connection. Point-
to-point communications between intelligent electronic devices that 
use routable communication protocols for time-sensitive protection 
or control functions between Transmission station or substation 
assets containing low impact BES Cyber Systems are excluded from 
this definition (examples of this communication include. but are not 
limited to, IEC 61850 GOOSE or vendor proprietary protocols).\86\
---------------------------------------------------------------------------

    \86\ NERC Petition at 28.

    69. NERC explains that the proposed definition describes the 
scenarios where responsible entities are required to apply Low Impact 
access controls under Reliability Standard CIP-003-6, Requirement R2 to 
their Low Impact assets. Specifically, if Low Impact External Routable 
Connectivity is used, a responsible entity must implement a Low Impact 
Electronic Access Point to permit only necessary inbound and outbound 
bidirectional routable protocol access.\87\
---------------------------------------------------------------------------

    \87\ Id. at 29.
---------------------------------------------------------------------------

    70. We seek comment on the following aspects of the proposed 
definition. First, we seek comment on the purpose of the meaning of the 
term ``direct'' in relation to the phrases ``direct user-initiated 
interactive access'' and ``direct device-to-device connection'' within 
the proposed definition. In addition, we seek comment on the 
implementation of the ``layer 7 application layer break'' contained in 
certain reference diagrams in the Guidelines and Technical Basis 
section of proposed Reliability Standard CIP-003-6.\88\ It appears that 
guidance provided in the Guidelines and Technical Basis section of the 
proposed standard may conflict with the plain reading of the term 
``direct.'' We are concerned that a conflict in the reading of the term 
``direct'' could lead to complications in the implementation of the 
proposed CIP Reliability Standards, hindering the adoption of effective 
security controls for Low Impact BES Cyber Assets. Depending upon the 
responses received, we may direct NERC to develop a modification to the 
definition of Low Impact External Routable Connectivity.
---------------------------------------------------------------------------

    \88\ See CIP-003-6 Guidelines and Technical Basis Section, 
Reference Model 6 at p. 39.
---------------------------------------------------------------------------

G. Implementation Plan

    71. NERC's proposed implementation plan for the proposed 
Reliability Standards is designed to match the effective dates of the 
proposed Reliability Standards with the effective dates of the prior 
versions of the related Reliability Standards under the implementation 
plan of the CIP version 5 Standards. NERC states that the purpose of 
this approach is to provide regulatory certainty by limiting the time, 
if any, that the CIP version 5 Standards with the ``identify, assess, 
and correct'' language would be effective. Specifically, pursuant to 
the CIP version 5 implementation plan, the effective date of each of 
the CIP version 5 Standards is April 1, 2016, except for the effective 
date for Requirement R2 of CIP-003-5, which is April 1, 2017. 
Consistent with those dates, the proposed implementation plan provides 
that: (1) each of the proposed reliability Standards shall become 
effective on the later of April 1, 2016 or the first day of the first 
calendar quarter that is three months after the effective date of the 
Commission's order approving the proposed Reliability Standard; and (2) 
responsible entities will not have to comply with the requirements 
applicable to Low Impact BES Cyber Systems (CIP-003-6, Requirement R1, 
Part 1.2 and Requirement R2) until April 1, 2017.\89\
---------------------------------------------------------------------------

    \89\ Id. at 53-54.
---------------------------------------------------------------------------

    72. NERC's proposed implementation plan also includes effective 
dates for the new and modified definitions associated with: (1) 
transient devices (i.e., BES Cyber Asset, Protected Cyber Asset, 
Removable Media, and Transient Cyber Asset); and (2) Low Impact 
controls (i.e., Low Impact Electronic Access Point and Low Impact 
External Routable Connectivity). Specifically, NERC proposes: (1) That 
the definitions associated with transient device become effective on 
the compliance date for Reliability Standard CIP-010-2, Requirement R4; 
and (2) that the definitions addressing the Low Impact controls become 
enforceable on the compliance date for Reliability Standard CIP-003-6, 
Requirement R2. Lastly, NERC proposes that the retirement of 
Reliability Standards CIP-003-5, CIP-004-5.1, CIP-006-5, CIP-007-5, 
CIP-009-5, CIP-010-1 and CIP-011-1 become effective on the effective 
date of the proposed Reliability Standards.\90\
---------------------------------------------------------------------------

    \90\ Id. at 56.
---------------------------------------------------------------------------

    73. We propose to approve NERC's implementation plan for the 
proposed CIP Reliability Standards, as described above.

H. Violation Risk Factor/Violation Severity Level Assignments

    74. NERC requests approval of the violation risk factors and 
violation severity levels assigned to the proposed Reliability 
Standards. Specifically, NERC requests approval of 19 violation risk 
factor and violation severity level assignments associated with the 
proposed Reliability Standards.\91\ We propose to accept these 
violation risk factors and violation severity levels.
---------------------------------------------------------------------------

    \91\ Id., Exhibit E.
---------------------------------------------------------------------------

III. Information Collection Statement

    75. The FERC-725B information collection requirements contained in 
this Proposed Rule are subject to review by the Office of Management 
and Budget (OMB) under section 3507(d) of the Paperwork Reduction Act 
of 1995.\92\ OMB's regulations require approval of certain information 
collection requirements imposed by agency rules.\93\ Upon approval of a 
collection of information, OMB will assign an OMB control number and 
expiration date. Respondents subject to the filing requirements of this 
rule will not be penalized for failing to respond to these collections 
of information unless the collections of information display a valid 
OMB control number. The Commission solicits comments on the 
Commission's need for this information, whether the information will 
have practical utility, the accuracy of the burden estimates, ways to 
enhance the quality, utility, and clarity of the information to be 
collected or retained, and any suggested methods for minimizing 
respondents' burden, including the use of automated information 
techniques.
---------------------------------------------------------------------------

    \92\ 44 U.S.C. 3507(d).
    \93\ 5 CFR 1320.11 (2012).
---------------------------------------------------------------------------

    76. The Commission based its paperwork burden estimates on the 
changes in paperwork burden presented by the proposed CIP Reliability 
Standards as compared to the CIP version 5 Standards. The Commission 
has already addressed the burden of implementing the CIP version 5 
Standards.\94\ As discussed above, the immediate rulemaking addresses 
four areas of modification to the CIP standards: (1) Removal of the 
``identify.

[[Page 43365]]

assess, and correct'' language from 17 CIP requirements; (2) 
development of enhanced security controls for low impact assets; (3) 
development of controls to protect transient devices (e.g. thumb drives 
and laptop computers); and (4) protection of communications networks. 
We do not anticipate that the removal of the ``identify, assess and 
correct'' language will impact the reporting burden, as the substantive 
compliance requirements would remain the same, while NERC indicates 
that the concept behind the deleted language continues to be 
implemented within NERC's compliance function. The development of 
controls to protect transient devices and protection of communication 
networks (as proposed by NERC) have associated reporting burdens that 
will affect a limited number of entities, i.e., those with Medium and 
High Impact BES Cyber Systems. The enhanced security controls for Low 
Impact assets are likely to impose a reporting burden on a much larger 
group of entities.
---------------------------------------------------------------------------

    \94\ See Order No. 791, 145 FERC ] 61,160 at PP 226-244.
---------------------------------------------------------------------------

    77. The NERC Compliance Registry, as of June 2015, identifies 
approximately 1,435 U.S. entities that are subject to mandatory 
compliance with Reliability Standards. Of this total, we estimate that 
1,363 entities will face an increased paperwork burden under the 
proposed CIP Reliability Standards, and we estimate that a majority of 
these entities will have one or more Low Impact assets. In addition, we 
estimate that approximately 23 percent of the entities have assets that 
will be subject to Reliability Standards CIP-006-6 and CIP-010-2. Based 
on these assumptions, we estimate the following reporting burden:

----------------------------------------------------------------------------------------------------------------
                                                                   Total burden    Total burden    Total burden
               Registered entities                   Number of     hours in year   hours in year   hours in year
                                                     entities            1               2               3
----------------------------------------------------------------------------------------------------------------
Entities subject to CIP-006-6 and CIP-010-2 with             313          75,120         130,208         130,208
 Medium and/or High Impact Assets...............
                                                 ---------------------------------------------------------------
    Totals......................................             313          75,120         130,208         130,208
----------------------------------------------------------------------------------------------------------------

    78. The following shows the annual cost burden for each group, 
based on the burden hours in the table above:
     Year 1: Entities subject to CIP-006-6 and CIP-010-2 with 
Medium and/or High Impact Assets: 313 x 240 hours/entity * $76/hour = 
$5,709,120.
     Years 2 and 3: 313 entities x 416 hours/entity * $76/hour 
= $9,895,808 per year.
     The paperwork burden estimate includes costs associated 
with the initial development of a policy to address requirements 
relating to transient devices, as well as the ongoing data collection 
burden. Further, the estimate reflects the assumption that costs 
incurred in year 1 will pertain to policy development, while costs in 
years 2 and 3 will reflect the burden associated with maintaining logs 
and other records to demonstrate ongoing compliance.

----------------------------------------------------------------------------------------------------------------
                                                                   Total burden    Total burden    Total burden
               Registered entities                   Number of     hours in year   hours in year   hours in year
                                                     entities            1               2               3
----------------------------------------------------------------------------------------------------------------
Entities subject to CIP-003-6 with low impact              1,363         163,560         283,504         283,504
 Assets.........................................
                                                 ---------------------------------------------------------------
    Totals......................................           1,363         163,560         283,504         283,504
----------------------------------------------------------------------------------------------------------------

    79. The following shows the annual cost burden for each group, 
based on the burden hours in the table above:
     Year 1: Entities subject to CIP-003-6 with Low Impact 
Assets: 1,363 x 120 hours/entity * $76/hour = $12,430,560.
     Years 2 and 3: 1,363 entities x 208 hours/entity * $76/
hour = $21,546,304 per year.
     The paperwork burden estimate includes costs associated 
with the modification of existing policies to address requirements 
relating to low impact assets, as well as the ongoing data collection 
burden, as set forth in CIP-003-6, Requirements R1.2 and R2, and 
Attachment 1. Further, the estimate reflects the assumption that costs 
incurred in year 1 will pertain to revising existing policies, while 
costs in years 2 and 3 will reflect the burden associated with 
maintaining logs and other records to demonstrate ongoing compliance.
    80. The estimated hourly rate of $76 is the average loaded cost 
(wage plus benefits) of legal services ($129.68 per hour), technical 
employees ($58.17 per hour) and administrative support ($39.12 per 
hour), based on hourly rates and average benefits data from the Bureau 
of Labor Statistics.\95\
---------------------------------------------------------------------------

    \95\ See http://bls.gov/oes/current/naics2_22.htm and http://www.bls.gov/news.release/ecec.nr0.htm. Hourly figures as of June 1, 
2015.
---------------------------------------------------------------------------

    81. Title: Mandatory Reliability Standards, Revised Critical 
Infrastructure Protection Standards.
    Action: Proposed Collection FERC-725B.
    OMB Control No.: 1902-0248.
    Respondents: Businesses or other for-profit institutions; not-for-
profit institutions.
    Frequency of Responses: On Occasion.
    Necessity of the Information: This proposed rule proposes to 
approve the requested modifications to Reliability Standards pertaining 
to critical infrastructure protection. As discussed above, the 
Commission proposes to approve NERC's proposed revised CIP Reliability 
Standards pursuant to section 215(d)(2) of the FPA because they improve 
the currently-effective suite of cyber security CIP Reliability 
Standards.
    Internal Review: The Commission has reviewed the proposed 
Reliability Standards and made a determination that its action is 
necessary to implement section 215 of the FPA.
    82. Interested persons may obtain information on the reporting 
requirements by contacting the following: Federal Energy Regulatory 
Commission, 888 First Street NE., Washington, DC 20426 [Attention: 
Ellen Brown, Office of the Executive Director, email: 
DataClearance@ferc.gov, phone: (202) 502-8663, fax: (202) 273-0873].
    83. For submitting comments concerning the collection(s) of 
information and the associated burden estimate(s), please send your 
comments to the Commission, and to the Office of Management and Budget, 
Office of

[[Page 43366]]

Information and Regulatory Affairs, Washington, DC 20503 [Attention: 
Desk Officer for the Federal Energy Regulatory Commission, phone: (202) 
395-4638, fax: (202) 395-7285]. For security reasons, comments to OMB 
should be submitted by email to: oira_submission@omb.eop.gov. Comments 
submitted to OMB should include Docket Number RM15-14-000 and OMB 
Control Number 1902-0248.

IV. Regulatory Flexibility Act Analysis

    84. The Regulatory Flexibility Act of 1980 (RFA) generally requires 
a description and analysis of Proposed Rules that will have significant 
economic impact on a substantial number of small entities.\96\ The 
Small Business Administration's (SBA) Office of Size Standards develops 
the numerical definition of a small business.\97\ The SBA revised its 
size standard for electric utilities (effective January 22, 2014) to a 
standard based on the number of employees, including affiliates (from 
the prior standard based on megawatt hour sales).\98\ Proposed 
Reliability Standards CIP-003-6, CIP-004-6, CIP-006-6, CIP-007-6, CIP-
009-6, CIP-010-2, and CIP-011-2 are expected to impose an additional 
burden on 1,363 entities \99\ (reliability coordinators, generator 
operators, generator owners, interchange coordinators or authorities, 
transmission operators, balancing authorities, transmission owners, and 
certain distribution providers).
---------------------------------------------------------------------------

    \96\ 5 U.S.C. 601-12.
    \97\ 13 CFR 121.101 (2013).
    \98\ SBA Final Rule on ``Small Business Size Standards: 
Utilities,'' 78 FR 77343 (Dec. 23, 2013).
    \99\ Public utilities may fall under one of several different 
categories, each with a size threshold based on the company's number 
of employees, including affiliates, the parent company, and 
subsidiaries. For the analysis in this NOPR, we are using a 500 
employee threshold for each affected entity to conduct a 
comprehensive analysis.
---------------------------------------------------------------------------

    85. Of the 1,363 affected entities discussed above, we estimate 
that 444 entities are small entities. We estimate that 399 of these 444 
small entities do not own BES Cyber Assets or BES Cyber Systems that 
are classified as Medium or High Impact and, therefore, will only be 
affected by the proposed modifications to Reliability Standard CIP-003-
6. As discussed above, proposed Reliability Standard CIP-003-6 enhances 
reliability by providing criteria against which NERC and the Commission 
can evaluate the sufficiency of an entity's protections for Low Impact 
BES Cyber Assets. We estimate that each of the 399 small entities to 
whom the proposed modifications to Reliability Standard CIP-003-6 
applies will incur one-time costs of approximately $149,358 per entity 
to implement this standard, as well as the ongoing paperwork burden 
reflected in the Information Collection Statement (approximately 
$15,000 per year per entity). We do not consider the estimated costs 
for these 399 small entities a significant economic impact.
    86. In addition, we estimate that 14 small entities own Medium 
Impact substations and that 31 small transmission operators own Medium 
or High impact control centers. These 45 small entities represent 10.1 
percent of the 444 affected small entities. We estimate that each of 
these 45 small entities may experience an economic impact of $50,000 
per entity in the first year of initial implementation to meet proposed 
Reliability Standard CIP-010-2 and $30,000 in ongoing annual 
costs,\100\ for a total of $110,000 per entity over the first three 
years. Therefore, we estimate that each of these 45 small entities will 
incur a total of $258,654 in costs over the first three years. We 
conclude that 10.1 percent of the total 444 affected small entities 
does not represent a substantial number in terms of the total number of 
regulated small entities.
---------------------------------------------------------------------------

    \100\ Estimated annual cost for year 2 and forward.
---------------------------------------------------------------------------

    87. Based on the above analysis, we propose to certify that the 
proposed Reliability Standards will not have a significant economic 
impact on a substantial number of small entities.

V. Environmental Analysis

    88. The Commission is required to prepare an Environmental 
Assessment or an Environmental Impact Statement for any action that may 
have a significant adverse effect on the human environment.\101\ The 
Commission has categorically excluded certain actions from this 
requirement as not having a significant effect on the human 
environment. Included in the exclusion are rules that are clarifying, 
corrective, or procedural or that do not substantially change the 
effect of the regulations being amended.\102\ The actions proposed 
herein fall within this categorical exclusion in the Commission's 
regulations.
---------------------------------------------------------------------------

    \101\ Regulations Implementing the National Environmental Policy 
Act of 1969, Order No. 486, FERC Stats. & Regs. ] 30,783 (1987).
    \102\ 18 CFR 380.4(a)(2)(ii).
---------------------------------------------------------------------------

VI. Comment Procedures

    89. The Commission invites interested persons to submit comments on 
the matters and issues proposed in this notice to be adopted, including 
any related matters or alternative proposals that commenters may wish 
to discuss. Comments are due September 21, 2015. Comments must refer to 
Docket No. RM15-14-000, and must include the commenter's name, the 
organization they represent, if applicable, and address.
    90. The Commission encourages comments to be filed electronically 
via the eFiling link on the Commission's Web site at http://www.ferc.gov. The Commission accepts most standard word processing 
formats. Documents created electronically using word processing 
software should be filed in native applications or print-to-PDF format 
and not in a scanned format. Commenters filing electronically do not 
need to make a paper filing.
    91. Commenters that are not able to file comments electronically 
must send an original of their comments to: Federal Energy Regulatory 
Commission, Secretary of the Commission, 888 First Street NE., 
Washington, DC 20426.
    92. All comments will be placed in the Commission's public files 
and may be viewed, printed, or downloaded remotely as described in the 
Document Availability section below. Commenters on this proposal are 
not required to serve copies of their comments on other commenters.

VII. Document Availability

    93. In addition to publishing the full text of this document in the 
Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
Internet through the Commission's Home Page (http://www.ferc.gov) and 
in the Commission's Public Reference Room during normal business hours 
(8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE., Room 2A, 
Washington, DC 20426.
    94. From the Commission's Home Page on the Internet, this 
information is available on eLibrary. The full text of this document is 
available on eLibrary in PDF and Microsoft Word format for viewing, 
printing, and/or downloading. To access this document in eLibrary, type 
the docket number of this document, excluding the last three digits, in 
the docket number field.
    User assistance is available for eLibrary and the Commission's Web 
site during normal business hours from the Commission's Online Support 
at (202) 502-6652 (toll free at 1-866-208-3676) or email at 
ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at 
public.referenceroom@ferc.gov.

    By direction of the Commission.


[[Page 43367]]


    Issued: July 16, 2015.
Nathaniel J. Davis, Sr.,
Deputy Secretary.
[FR Doc. 2015-17920 Filed 7-21-15; 8:45 am]
 BILLING CODE 6717-01-P