Cyber Systems in Control Centers, 49641-49644 [2016-17854]

Download as PDF Lhorne on DSK30JT082PROD with NOTICES Federal Register / Vol. 81, No. 145 / Thursday, July 28, 2016 / Notices Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426. The first page of any filing should include docket number P–2426–049. The Commission’s Rules of Practice and Procedure require all intervenors filing documents with the Commission to serve a copy of that document on each person whose name appears on the official service list for the project. Further, if an intervenor files comments or documents with the Commission relating to the merits of an issue that may affect the responsibilities of a particular resource agency, they must also serve a copy of the document on that resource agency. k. Description of Request: California Department of Water Resources requests Commission approval of a proposed recreation plan for the project. The recreation plan provides a detailed description of all existing recreation amenities and facilities in the immediate vicinity of Pyramid Lake, Silverwood Lake, and Quail Lake, which are components of the project. The recreation plan also includes visitation data, concessionaire reports, and site plan drawings. l. Locations of the Application: A copy of the application is available for inspection and reproduction at the Commission’s Public Reference Room, located at 888 First Street NE., Room 2A, Washington, DC 20426, or by calling (202) 502–8371. This filing may also be viewed on the Commission’s Web site at http://www.ferc.gov using the ‘‘eLibrary’’ link. Enter the docket number excluding the last three digits in the docket number field to access the document. You may also register online at http://www.ferc.gov/docs-filing/ esubscription.asp to be notified via email of new filings and issuances related to this or other pending projects. For assistance, call 1–866–208–3676 or email FERCOnlineSupport@ferc.gov, for TTY, call (202) 502–8659. A copy is also available for inspection and reproduction at the address in item (h) above. Agencies may obtain copies of the application directly from the applicant. m. Individuals desiring to be included on the Commission’s mailing list should so indicate by writing to the Secretary of the Commission. n. Comments, Protests, or Motions to Intervene: Anyone may submit comments, a protest, or a motion to intervene in accordance with the requirements of Rules of Practice and Procedure, 18 CFR 385.210, .211, .214, respectively. In determining the appropriate action to take, the Commission will consider all protests or other comments filed, but only those VerDate Sep<11>2014 14:44 Jul 27, 2016 Jkt 238001 who file a motion to intervene in accordance with the Commission’s Rules may become a party to the proceeding. Any comments, protests, or motions to intervene must be received on or before the specified comment date for the particular application. o. Filing and Service of Documents: Any filing must (1) bear in all capital letters the title ‘‘COMMENTS’’, ‘‘PROTEST’’, or ‘‘MOTION TO INTERVENE’’ as applicable; (2) set forth in the heading the name of the applicant and the project number of the application to which the filing responds; (3) furnish the name, address, and telephone number of the person commenting, protesting or intervening; and (4) otherwise comply with the requirements of 18 CFR 385.2001 through 385.2005. All comments, motions to intervene, or protests must set forth their evidentiary basis. Any filing made by an intervenor must be accompanied by proof of service on all persons listed in the service list prepared by the Commission in this proceeding, in accordance with 18 CFR 385.2010. Dated: July 22, 2016. Kimberly D. Bose, Secretary. [FR Doc. 2016–17859 Filed 7–27–16; 8:45 am] BILLING CODE 6717–01–P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission [Docket No. RM16–18–000] Cyber Systems in Control Centers Federal Energy Regulatory Commission, Department of Energy. ACTION: Notice of Inquiry. AGENCY: In this Notice of Inquiry, the Federal Energy Regulatory Commission seeks comment on possible modifications to the Critical Infrastructure Protection Reliability Standards regarding the cybersecurity of Control Centers used to monitor and control the bulk electric system in real time. DATES: Comments are due September 26, 2016. ADDRESSES: You may submit comments, identified by docket number and in accordance with the requirements posted on the Commission’s Web site, http://www.ferc.gov. Comments may be submitted by any of the following methods: • Agency Web site: Documents created electronically using word SUMMARY: PO 00000 Frm 00024 Fmt 4703 Sfmt 4703 49641 processing software should be filed in native applications or print-to-PDF format and not in a scanned format, at http://www.ferc.gov/docs-filing/ efiling.asp. • Mail/Hand Delivery: Those unable to file electronically must mail or hand deliver comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE., Washington, DC 20426. Instructions: For detailed instructions on submitting comments and additional information on the rulemaking process, see the Comment Procedures Section of this document. FOR FURTHER INFORMATION CONTACT: David DeFalaise (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, (202) 502– 8180, David.DeFalaise@ferc.gov Robert T. Stroh (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, (202) 502–8473, Robert.Stroh@ ferc.gov SUPPLEMENTARY INFORMATION: 1. In this Notice of Inquiry, pursuant to section 215 of the Federal Power Act (FPA),1 the Commission seeks comment on the need for, and possible effects of, modifications to the Critical Infrastructure Protection (CIP) Reliability Standards regarding the cybersecurity of Control Centers used to monitor and control the bulk electric system in real time.2 Cyber systems are used extensively for the operation and maintenance of interconnected transmission networks.3 A 2015 1 16 U.S.C. 824o. Section 215(a)(3) of the FPA defines ‘‘Reliability Standard’’ to include ‘‘. . . requirements for the operation of existing bulkpower system facilities, including cybersecurity protection . . .’’ 2 NERC defines ‘‘Control Center’’ as ‘‘[o]ne or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in realtime to perform the reliability tasks, including their associated data centers . . . .’’ NERC Glossary of Terms Used in Reliability Standards (May 17, 2016) at 33 (NERC Glossary). 3 Cyber systems are referred to as ‘‘BES Cyber Systems’’ in the CIP Reliability Standards. The NERC Glossary defines BES Cyber Systems as ‘‘One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.’’ NERC Glossary at 15. The NERC Glossary defines ‘‘BES Cyber Asset’’ as ‘‘A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or nonoperation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each E:\FR\FM\28JYN1.SGM Continued 28JYN1 49642 Federal Register / Vol. 81, No. 145 / Thursday, July 28, 2016 / Notices cyberattack on the electric grid in Ukraine is an example of how cyber systems used to operate and maintain interconnected networks, unless adequately protected, may be vulnerable to cyberattack. While certain controls in the CIP Reliability Standards may reduce the risk of such attacks,4 the Commission seeks comment on whether additional controls should be required. 2. Specifically, as discussed below, the Commission seeks comment on possible modifications to the CIP Reliability Standards—and any potential impacts on the operation of the Bulk-Power System resulting from such modifications—to address the following matters: (1) Separation between the Internet and BES Cyber Systems in Control Centers performing transmission operator functions; and (2) computer administration practices that prevent unauthorized programs from running, referred to as ‘‘application whitelisting,’’ for cyber systems in Control Centers. I. Background Lhorne on DSK30JT082PROD with NOTICES 3. On January 28, 2008, the Commission approved an initial set of eight CIP Reliability Standards pertaining to cybersecurity.5 In addition, the Commission directed NERC to develop certain modifications to the CIP Reliability Standards. Since 2008, the CIP Reliability Standards have undergone multiple revisions to address Commission directives and respond to emerging cybersecurity issues. 4. On December 23, 2015, three regional electric power distribution companies in Ukraine experienced a cyberattack resulting in power outages that affected at least 225,000 customers. An analysis conducted by a team from the Electricity Information Sharing and Analysis Center (E–ISAC) and SANS Industrial Control Systems (SANS ICS) observed that ‘‘the cyber attacks in Ukraine are the first publicly BES Cyber Asset is included in one or more BES Cyber Systems.’’ Id. 4 See, e.g., Reliability Standard CIP–005–5 (Electronic Security Perimeter(s)), Requirement R2, which protects against unauthorized interactive remote access; Reliability Standard CIP–006–6 (Physical Security of BES Cyber Systems), Requirement R2, which protects against unauthorized physical access and Reliability Standard CIP–007–6 (System Security Management), Requirement R3, which protects against malware. 5 Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 122 FERC ¶ 61,040, denying reh’g and granting clarification, Order No. 706–A, 123 FERC ¶ 61,174 (2008), order on clarification, Order No. 706–B, 126 FERC ¶ 61,229 (2009), order denying clarification, Order No. 706–C, 127 FERC ¶ 61,273 (2009). VerDate Sep<11>2014 14:44 Jul 27, 2016 Jkt 238001 acknowledged incidents to result in power outages.’’ 6 5. On February 25, 2016, the U.S. Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team issued an ‘‘Alert’’ in response to the Ukraine incident.7 The Alert stated that the cyberattack was sophisticated and well planned. The Alert reported that the cyberattacks at each company occurred within 30 minutes of each other and affected multiple central and regional facilities. The Alert also explained that during the cyberattacks: malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections. The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access. In addition, the Alert reported that the affected companies indicated that the attackers wiped some systems at the conclusion of the cyberattack, which erased selected files, rendering systems inoperable. 6. In response to the Ukraine incident, the Alert recommended the following key examples of best practice mitigation strategies: procurement and licensing of trusted hardware and software systems; knowing who and what is on your network through hardware and software asset management automation; on time patching of systems; and strategic technology refresh.8 II. Request for Comments 7. The Commission seeks comment on whether to modify the CIP Reliability Standards to better secure Control Centers from cyberattacks. The Commission also seeks comment on the potential consequences or complications arising from implementing such modifications. In response to lessons learned from the Alert and analyses of the Ukraine incident, the Commission seeks comment on whether to modify the CIP Reliability Standards to require: (1) Separation between the Internet and BES Cyber Systems in Control Centers 6 E–ISAC, Analysis of the Cyber Attack on the Ukrainian Power Grid (March 18, 2016) at 3, http:// www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_ SANS_Ukraine_DUC_18Mar2016.pdf. 7 See Department of Homeland Security, Alert (IR–ALERT–H–16–056–01) Cyber-Attack Against Ukrainian Critical Infrastructure (February 25, 2016) (Alert), https://ics-cert.us-cert.gov/alerts/IRALERT-H-16-056-01. 8 Id. at Mitigation Section. By ‘‘strategic technology refresh,’’ the Alert referred to the benefit of replacing legacy cyber systems that no longer receive security patches and, as a result, might not be secure. PO 00000 Frm 00025 Fmt 4703 Sfmt 4703 performing transmission operator functions; and (2) ‘‘application whitelisting’’ for BES Cyber Systems in Control Centers. A. Isolation of Transmission Operator Control Centers From the Internet 8. In response to the Ukraine incident, the Alert recommended that: [o]rganizations should isolate [industrial control system] networks from any untrusted networks, especially the Internet. All unused ports should be locked down and all unused services turned off. If a defined business requirement or control function exists, only allow real-time connectivity to external networks. If one-way communication can accomplish a task, use optical separation (‘data diode’). If bidirectional communication is necessary, then use a single open port over a restricted network path. 9. Commission-approved Reliability Standard CIP–007–6, Requirement R1 (Ports and Services), Part 1.1 requires, where technically feasible, unused logical ports to be disabled.9 In addition, Reliability Standard CIP–007– 6, Requirement R1, Part 1.2 requires protection of physical ports against unnecessary use.10 These requirements therefore address the Alert’s recommendation that ‘‘[a]ll unused ports should be locked down and all unused services turned off.’’ 10. The current CIP Reliability Standards do not require isolation between the Internet and BES Cyber Systems in Control Centers performing transmission operator functions through use of physical (hardware) or logical (software) means. Although BES Cyber Systems are protected by electronic security perimeters and the disabling of unused logical ports, BES Cyber Systems are permitted, within the scope of the current CIP Reliability Standards, to route, or connect, to the Internet.11 Requiring physical separation between the Internet and cyber systems in Control Centers performing transmission operator functions would require data connections to Control Centers or other facilities owned by transmission operators over dedicated data lines owned or leased by the transmission operator, rather than allowing communications over the 9 Logical ports are connection points where two applications communicate to identify different applications or processes running on a cyber asset. 10 A physical port serves as an interface or connection between a cyber asset and another cyber asset, or peripheral device, using a physical medium such as a cable. 11 NERC defines an electronic security perimeter as ‘‘the logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.’’ NERC Glossary at 39. E:\FR\FM\28JYN1.SGM 28JYN1 Federal Register / Vol. 81, No. 145 / Thursday, July 28, 2016 / Notices Internet.12 Logical separation, in some contexts, can achieve a similar objective through different means. 11. The Commission seeks comment on whether the CIP Reliability Standards should be modified to require isolation between the Internet and BES Cyber Systems in Control Centers performing the functions of a transmission operator. In addition, the Commission seeks comment on the operational impact to the Bulk-Power System if BES Cyber Systems were isolated from the Internet in all Control Centers performing transmission operator functions. Specifically, the Commission seeks comment on what, if any, reliability issues might arise from such a requirement. For example, would requiring isolation prevent an activity required by another Reliability Standard? If isolation is required, is logical isolation preferable to physical isolation (or vice versa) and, if so, why? The Commission also seeks comment on whether and how such a requirement might affect a transmission operator’s communications with its reliability coordinator or other applicable entities required under the Reliability Standard. Finally, if isolation is not required, are there communications with these Control Centers for which the use of one-way data diodes would be reliable and appropriate? B. Application Whitelisting for BES Cyber Systems in Control Centers Lhorne on DSK30JT082PROD with NOTICES 12. Application whitelisting is a computer administration practice used to prevent unauthorized programs from running.13 The purpose is primarily to protect computers and networks from harmful applications, and, to a lesser extent, to prevent unnecessary demand for computer resources. The ‘‘whitelist’’ is a list of applications granted permission to run by the user or an administrator. Whitelisting works best when applied to static cyber systems.14 13. In response to the Ukraine incident, the Alert recommended that: asset owners take defensive measures by leveraging best practices to minimize the risk from similar malicious cyber activity. Application Whitelisting (AWL) can detect and prevent attempted execution of malware uploaded by malicious actors. The static nature of some systems, such as database servers and HMI computers, make these ideal candidates to run AWL. Operators are encouraged to work with their vendors to baseline and calibrate AWL deployments. 12 See Alert at Mitigation Section; see also Department of Homeland Security, Seven Steps to Effectively Defend Industrial Control Systems at 3. 13 See Alert at Mitigation Section. 14 Id. VerDate Sep<11>2014 14:44 Jul 27, 2016 Jkt 238001 Similarly, a December 2015 document by DHS identifies application whitelisting as the first of seven strategies to defend industrial control systems and states that this strategy would have ‘‘potentially mitigated’’ 38 percent of ICS–CERT Fiscal Year 2014 and 2015 incidents, more than any of the other strategies.15 While the NERC Guidelines and Technical Basis document associated with Reliability Standard CIP–007–6, Requirement R3 identifies application whitelisting as an option for mitigating malicious cyber activity, its use is not mandatory.16 The Guidelines and Technical Basis discussion in Reliability Standard CIP– 007–6 explains: Due to the wide range of equipment comprising the BES Cyber Systems and the wide variety of vulnerability and capability of that equipment to malware as well as the constantly evolving threat and resultant tools and controls, it is not practical within the standard to prescribe how malware is to be addressed on each Cyber Asset. Rather, the Responsible Entity determines on a BES Cyber System basis, which Cyber Assets have susceptibility to malware intrusions and documents their plans and processes for addressing those risks and provides evidence that they follow those plans and processes. There are numerous options available including traditional antivirus solutions for common operating systems, white-listing solutions, network isolation techniques, Intrusion Detection/Prevention (IDS/IPS) solutions, etc.17 14. While application whitelisting is identified above as one available option, the Ukraine incident and the subsequent Alert raise the question of whether application whitelisting should be required. Application whitelisting could be a more effective mitigation tool than other mitigation measures because whitelisting allows only software applications and processes that are reviewed and tested before use in the system network. By knowing all installed applications, the security professional can set the application whitelisting program to know the 15 Seven Steps to Effectively Defend Industrial Control Systems at 1. 16 Reliability Standard CIP–007–6, Requirement R3 provides that ‘‘[e]ach Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP–007–6 Table R3— Malicious Code Prevention’’ and lists application whitelisting as an option. In addition, the CIP Reliability Standards require a combination of ensuring that an individual’s privileges are the minimum necessary to perform their work function (i.e., ‘‘least privilege’’) and anti-malware (i.e., ‘‘blacklisting’’). See, e.g., Reliability Standard CIP– 004–6, Requirement R4 and Guidelines and Technical Basis; Reliability Standard CIP–007–6, Requirement R3. 17 Reliability Standard CIP–007–6, Guidelines and Technical Basis, at 4. PO 00000 Frm 00026 Fmt 4703 Sfmt 4703 49643 application is approved; all unapproved applications will trigger an alert. 15. The Commission seeks comment on whether the CIP Reliability Standards should be modified to require application whitelisting for all BES Cyber Systems in Control Centers. Is application whitelisting appropriate for all such systems? If not, are there certain devices or components on such systems for which it is appropriate? In addition, the Commission seeks comment on the operational impact, including potential reliability concerns, for each approach. III. Comment Procedures 16. The Commission invites interested persons to submit comments, and other information on the matters, issues and specific questions identified in this notice. Comments are due September 26, 2016. Comments must refer to Docket No. RM16–18–000, and must include the commenter’s name, the organization they represent, if applicable, and their address in their comments. 17. The Commission encourages comments to be filed electronically via the eFiling link on the Commission’s Web site at http://www.ferc.gov. The Commission accepts most standard word processing formats. Documents created electronically using word processing software should be filed in native applications or print-to-PDF format and not in a scanned format. Commenters filing electronically do not need to make a paper filing. 18. Commenters that are not able to file comments electronically must send an original of their comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE., Washington, DC 20426. 19. All comments will be placed in the Commission’s public files and may be viewed, printed, or downloaded remotely as described in the Document Availability section below. Commenters on this proposal are not required to serve copies of their comments on other commenters. IV. Document Availability 20. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the Internet through FERC’s Home Page (http:// www.ferc.gov) and in FERC’s Public Reference Room during normal business hours (8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE., Room 2A, Washington, DC 20426. 21. From FERC’s Home Page on the Internet, this information is available on E:\FR\FM\28JYN1.SGM 28JYN1 49644 Federal Register / Vol. 81, No. 145 / Thursday, July 28, 2016 / Notices eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number excluding the last three digits of this document in the docket number field. 22. User assistance is available for eLibrary and the FERC’s Web site during normal business hours from FERC Online Support at 202–502–6652 (toll free at 1–866–208–3676) or email at ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502– 8371, TTY (202) 502–8659. Email the Public Reference Room at public.referenceroom@ferc.gov. By direction of the Commission. Issued: July 21, 2016. Kimberly D. Bose, Secretary. [FR Doc. 2016–17854 Filed 7–27–16; 8:45 am] BILLING CODE 6717–01–P DEPARTMENT OF ENERGY Federal Energy Regulatory Commission [Docket Nos. EL16–101–000] Tri-State Generation and Transmission Association, Inc.; Notice of Petition for Partial Waiver July 20, 2016. Take notice that on July 15, 2016, pursuant to section 292.402 of the Federal Energy Regulatory Commission’s (Commission) Rules of Practice and Procedure,1 Tri-State Generation and Transmission Association, Inc. (Tri-State) on behalf of itself and its electric distribution cooperative member-owners (collectively, the Participating Members),2 filed a petition for partial 1 18 CFR 292.402. member owners joining in this petition are Big Horn Rural Electric Company, Carbon Power and Light, Inc., Central New Mexico Electric Cooperative, Inc., Chimney Rock Public Power District, Continental Divide Electric Cooperative, Inc., Garland Light and Power Company, High Plains Power, Inc., High West Energy, Inc., Highline Electric Association, Jemez Mountains Electric Cooperative, Inc., K.C. Electric Association, Inc., The Midwest Electric Cooperative Corporation, Mora-San Miguel Electric Cooperative, Inc., Morgan County Rural Electric Association, Mountain Parks Electric, Inc., Mountain View Electric Association, Inc., Niobrara Electric Association, Inc., Northern Rio Arriba Electric Cooperative, Inc., Otero County Electric Cooperative, Inc., Panhandle Rural Electric Membership Association, Roosevelt Public Power District, San Luis Valley Rural Electric Cooperative, Inc., Sierra Electric Cooperative, Inc., Socorm Electric Cooperative, Inc., Southeast Colorado Power Association, Southwestern Electric Cooperative, Inc., Springer Electric Cooperative, Lhorne on DSK30JT082PROD with NOTICES 2 Tri-State’s VerDate Sep<11>2014 14:44 Jul 27, 2016 Jkt 238001 waiver of certain obligations imposed on Tri-State and the Participating Members under Sections 292.303(a) and 292.303(b) of the Commission’s regulations, all as more fully explained in the petition. Any person desiring to intervene or to protest this filing must file in accordance with Rules 211 and 214 of the Commission’s Rules of Practice and Procedure (18 CFR 385.211and 385.214). Protests will be considered by the Commission in determining the appropriate action to be taken, but will not serve to make protestants parties to the proceeding. Any person wishing to become a party must file a notice of intervention or motion to intervene, as appropriate. Such notices, motions, or protests must be filed on or before the comment date. Anyone filing a motion to intervene or protest must serve a copy of that document on the Petitioner. The Commission encourages electronic submission of protests and interventions in lieu of paper using the ‘‘eFiling’’ link at http://www.ferc.gov. Persons unable to file electronically should submit an original and 5 copies of the protest or intervention to the Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426. This filing is accessible online at http://www.ferc.gov, using the ‘‘eLibrary’’ link and is available for review in the Commission’s Public Reference Room in Washington, DC. There is an ‘‘eSubscription’’ link on the Web site that enables subscribers to receive email notification when a document is added to a subscribed docket(s). For assistance with any FERC Online service, please email FERCOnlineSupport@ferc.gov, or call (866) 208–3676 (toll free). For TTY, call (202) 502–8659. Comment Date: 5:00 p.m. Eastern time on August 5, 2016. Dated: July 20, 2016. Kimberly D. Bose, Secretary. [FR Doc. 2016–17858 Filed 7–27–16; 8:45 am] BILLING CODE 6717–01–P Inc., Wheatland Rural Electric Association, Inc., Wyrulec Company, and Y–W Electric Association, Inc. PO 00000 Frm 00027 Fmt 4703 Sfmt 4703 DEPARTMENT OF ENERGY Federal Energy Regulatory Commission [Project No. 14680–002] Water Street Land, LLC; Notice of Application Tendered for Filing With the Commission and Soliciting Additional Study Requests Take notice that the following hydroelectric application has been filed with the Commission and is available for public inspection. a. Type of Application: Exemption from Licensing. b. Project No.: 14680–002. c. Date filed: July 13, 2016. d. Applicant: Water Street Land, LLC. e. Name of Project: Natick Pond Dam Hydroelectric Project. f. Location: On the Pawtuxet River, in the Towns of Warwick and West Warwick, in Kent County, Rhode Island. No federal lands would be occupied by project works or located within the project boundary. g. Filed Pursuant to: Public Utility Regulatory Policies Act of 1978, 16 U.S.C. 2705, 2708 (2012), amended by the Hydropower Regulatory Efficiency Act of 2013, Pub. L. 113–23, 127 Stat. 493 (2013). h. Applicant Contact: Mr. Rob Cioe, Water Street Land, LLC, P.O. Box 358, North Kingstown, Rhode Island 02852; (480) 797–3077. i. FERC Contact: John Ramer, (202) 502–8969, john.ramer@ferc.gov. j. Cooperating agencies: Federal, state, local, and tribal agencies with jurisdiction and/or special expertise with respect to environmental issues that wish to cooperate in the preparation of the environmental document should follow the instructions for filing such requests described in item l below. Cooperating agencies should note the Commission’s policy that agencies that cooperate in the preparation of the environmental document cannot also intervene. See, 94 FERC ¶ 61,076 (2001). k. Pursuant to section 4.32(b)(7) of 18 CFR of the Commission’s regulations, if any resource agency, Indian Tribe, or person believes that an additional scientific study should be conducted in order to form an adequate factual basis for a complete analysis of the application on its merit, the resource agency, Indian Tribe, or person must file a request for a study with the Commission not later than 60 days from the date of filing of the application, and serve a copy of the request on the applicant. E:\FR\FM\28JYN1.SGM 28JYN1

Agencies

[Federal Register Volume 81, Number 145 (Thursday, July 28, 2016)]
[Notices]
[Pages 49641-49644]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-17854]


-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

[Docket No. RM16-18-000]


Cyber Systems in Control Centers

AGENCY: Federal Energy Regulatory Commission, Department of Energy.

ACTION: Notice of Inquiry.

-----------------------------------------------------------------------

SUMMARY: In this Notice of Inquiry, the Federal Energy Regulatory 
Commission seeks comment on possible modifications to the Critical 
Infrastructure Protection Reliability Standards regarding the 
cybersecurity of Control Centers used to monitor and control the bulk 
electric system in real time.

DATES: Comments are due September 26, 2016.

ADDRESSES: You may submit comments, identified by docket number and in 
accordance with the requirements posted on the Commission's Web site, 
http://www.ferc.gov. Comments may be submitted by any of the following 
methods:
     Agency Web site: Documents created electronically using 
word processing software should be filed in native applications or 
print-to-PDF format and not in a scanned format, at http://www.ferc.gov/docs-filing/efiling.asp.
     Mail/Hand Delivery: Those unable to file electronically 
must mail or hand deliver comments to: Federal Energy Regulatory 
Commission, Secretary of the Commission, 888 First Street NE., 
Washington, DC 20426.
    Instructions: For detailed instructions on submitting comments and 
additional information on the rulemaking process, see the Comment 
Procedures Section of this document.

FOR FURTHER INFORMATION CONTACT: 
David DeFalaise (Technical Information), Office of Electric 
Reliability, Federal Energy Regulatory Commission, 888 First Street 
NE., Washington, DC 20426, (202) 502-8180, David.DeFalaise@ferc.gov

Robert T. Stroh (Legal Information), Office of the General Counsel, 
Federal Energy Regulatory Commission, 888 First Street NE., Washington, 
DC 20426, (202) 502-8473, Robert.Stroh@ferc.gov

SUPPLEMENTARY INFORMATION: 
    1. In this Notice of Inquiry, pursuant to section 215 of the 
Federal Power Act (FPA),\1\ the Commission seeks comment on the need 
for, and possible effects of, modifications to the Critical 
Infrastructure Protection (CIP) Reliability Standards regarding the 
cybersecurity of Control Centers used to monitor and control the bulk 
electric system in real time.\2\ Cyber systems are used extensively for 
the operation and maintenance of interconnected transmission 
networks.\3\ A 2015

[[Page 49642]]

cyberattack on the electric grid in Ukraine is an example of how cyber 
systems used to operate and maintain interconnected networks, unless 
adequately protected, may be vulnerable to cyberattack. While certain 
controls in the CIP Reliability Standards may reduce the risk of such 
attacks,\4\ the Commission seeks comment on whether additional controls 
should be required.
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o. Section 215(a)(3) of the FPA defines 
``Reliability Standard'' to include ``. . . requirements for the 
operation of existing bulk-power system facilities, including 
cybersecurity protection . . .''
    \2\ NERC defines ``Control Center'' as ``[o]ne or more 
facilities hosting operating personnel that monitor and control the 
Bulk Electric System (BES) in realtime to perform the reliability 
tasks, including their associated data centers . . . .'' NERC 
Glossary of Terms Used in Reliability Standards (May 17, 2016) at 33 
(NERC Glossary).
    \3\ Cyber systems are referred to as ``BES Cyber Systems'' in 
the CIP Reliability Standards. The NERC Glossary defines BES Cyber 
Systems as ``One or more BES Cyber Assets logically grouped by a 
responsible entity to perform one or more reliability tasks for a 
functional entity.'' NERC Glossary at 15. The NERC Glossary defines 
``BES Cyber Asset'' as ``A Cyber Asset that if rendered unavailable, 
degraded, or misused would, within 15 minutes of its required 
operation, misoperation, or non-operation, adversely impact one or 
more Facilities, systems, or equipment, which, if destroyed, 
degraded, or otherwise rendered unavailable when needed, would 
affect the reliable operation of the Bulk Electric System. 
Redundancy of affected Facilities, systems, and equipment shall not 
be considered when determining adverse impact. Each BES Cyber Asset 
is included in one or more BES Cyber Systems.'' Id.
    \4\ See, e.g., Reliability Standard CIP-005-5 (Electronic 
Security Perimeter(s)), Requirement R2, which protects against 
unauthorized interactive remote access; Reliability Standard CIP-
006-6 (Physical Security of BES Cyber Systems), Requirement R2, 
which protects against unauthorized physical access and Reliability 
Standard CIP-007-6 (System Security Management), Requirement R3, 
which protects against malware.
---------------------------------------------------------------------------

    2. Specifically, as discussed below, the Commission seeks comment 
on possible modifications to the CIP Reliability Standards--and any 
potential impacts on the operation of the Bulk-Power System resulting 
from such modifications--to address the following matters: (1) 
Separation between the Internet and BES Cyber Systems in Control 
Centers performing transmission operator functions; and (2) computer 
administration practices that prevent unauthorized programs from 
running, referred to as ``application whitelisting,'' for cyber systems 
in Control Centers.

I. Background

    3. On January 28, 2008, the Commission approved an initial set of 
eight CIP Reliability Standards pertaining to cybersecurity.\5\ In 
addition, the Commission directed NERC to develop certain modifications 
to the CIP Reliability Standards. Since 2008, the CIP Reliability 
Standards have undergone multiple revisions to address Commission 
directives and respond to emerging cybersecurity issues.
---------------------------------------------------------------------------

    \5\ Mandatory Reliability Standards for Critical Infrastructure 
Protection, Order No. 706, 122 FERC ] 61,040, denying reh'g and 
granting clarification, Order No. 706-A, 123 FERC ] 61,174 (2008), 
order on clarification, Order No. 706-B, 126 FERC ] 61,229 (2009), 
order denying clarification, Order No. 706-C, 127 FERC ] 61,273 
(2009).
---------------------------------------------------------------------------

    4. On December 23, 2015, three regional electric power distribution 
companies in Ukraine experienced a cyberattack resulting in power 
outages that affected at least 225,000 customers. An analysis conducted 
by a team from the Electricity Information Sharing and Analysis Center 
(E-ISAC) and SANS Industrial Control Systems (SANS ICS) observed that 
``the cyber attacks in Ukraine are the first publicly acknowledged 
incidents to result in power outages.'' \6\
---------------------------------------------------------------------------

    \6\ E-ISAC, Analysis of the Cyber Attack on the Ukrainian Power 
Grid (March 18, 2016) at 3, http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf.
---------------------------------------------------------------------------

    5. On February 25, 2016, the U.S. Department of Homeland Security 
(DHS) Industrial Control Systems Cyber Emergency Response Team issued 
an ``Alert'' in response to the Ukraine incident.\7\ The Alert stated 
that the cyberattack was sophisticated and well planned. The Alert 
reported that the cyberattacks at each company occurred within 30 
minutes of each other and affected multiple central and regional 
facilities. The Alert also explained that during the cyberattacks:
---------------------------------------------------------------------------

    \7\ See Department of Homeland Security, Alert (IR-ALERT-H-16-
056-01) Cyber-Attack Against Ukrainian Critical Infrastructure 
(February 25, 2016) (Alert), https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01.

malicious remote operation of the breakers was conducted by multiple 
external humans using either existing remote administration tools at 
the operating system level or remote industrial control system (ICS) 
client software via virtual private network (VPN) connections. The 
companies believe that the actors acquired legitimate credentials 
---------------------------------------------------------------------------
prior to the cyber-attack to facilitate remote access.

    In addition, the Alert reported that the affected companies 
indicated that the attackers wiped some systems at the conclusion of 
the cyberattack, which erased selected files, rendering systems 
inoperable.
    6. In response to the Ukraine incident, the Alert recommended the 
following key examples of best practice mitigation strategies:

procurement and licensing of trusted hardware and software systems; 
knowing who and what is on your network through hardware and 
software asset management automation; on time patching of systems; 
and strategic technology refresh.\8\
---------------------------------------------------------------------------

    \8\ Id. at Mitigation Section. By ``strategic technology 
refresh,'' the Alert referred to the benefit of replacing legacy 
cyber systems that no longer receive security patches and, as a 
result, might not be secure.
---------------------------------------------------------------------------

II. Request for Comments

    7. The Commission seeks comment on whether to modify the CIP 
Reliability Standards to better secure Control Centers from 
cyberattacks. The Commission also seeks comment on the potential 
consequences or complications arising from implementing such 
modifications. In response to lessons learned from the Alert and 
analyses of the Ukraine incident, the Commission seeks comment on 
whether to modify the CIP Reliability Standards to require: (1) 
Separation between the Internet and BES Cyber Systems in Control 
Centers performing transmission operator functions; and (2) 
``application whitelisting'' for BES Cyber Systems in Control Centers.

A. Isolation of Transmission Operator Control Centers From the Internet

    8. In response to the Ukraine incident, the Alert recommended that:

[o]rganizations should isolate [industrial control system] networks 
from any untrusted networks, especially the Internet. All unused 
ports should be locked down and all unused services turned off. If a 
defined business requirement or control function exists, only allow 
real-time connectivity to external networks. If one-way 
communication can accomplish a task, use optical separation (`data 
diode'). If bidirectional communication is necessary, then use a 
single open port over a restricted network path.

    9. Commission-approved Reliability Standard CIP-007-6, Requirement 
R1 (Ports and Services), Part 1.1 requires, where technically feasible, 
unused logical ports to be disabled.\9\ In addition, Reliability 
Standard CIP-007-6, Requirement R1, Part 1.2 requires protection of 
physical ports against unnecessary use.\10\ These requirements 
therefore address the Alert's recommendation that ``[a]ll unused ports 
should be locked down and all unused services turned off.''
---------------------------------------------------------------------------

    \9\ Logical ports are connection points where two applications 
communicate to identify different applications or processes running 
on a cyber asset.
    \10\ A physical port serves as an interface or connection 
between a cyber asset and another cyber asset, or peripheral device, 
using a physical medium such as a cable.
---------------------------------------------------------------------------

    10. The current CIP Reliability Standards do not require isolation 
between the Internet and BES Cyber Systems in Control Centers 
performing transmission operator functions through use of physical 
(hardware) or logical (software) means. Although BES Cyber Systems are 
protected by electronic security perimeters and the disabling of unused 
logical ports, BES Cyber Systems are permitted, within the scope of the 
current CIP Reliability Standards, to route, or connect, to the 
Internet.\11\ Requiring physical separation between the Internet and 
cyber systems in Control Centers performing transmission operator 
functions would require data connections to Control Centers or other 
facilities owned by transmission operators over dedicated data lines 
owned or leased by the transmission operator, rather than allowing 
communications over the

[[Page 49643]]

Internet.\12\ Logical separation, in some contexts, can achieve a 
similar objective through different means.
---------------------------------------------------------------------------

    \11\ NERC defines an electronic security perimeter as ``the 
logical border surrounding a network to which BES Cyber Systems are 
connected using a routable protocol.'' NERC Glossary at 39.
    \12\ See Alert at Mitigation Section; see also Department of 
Homeland Security, Seven Steps to Effectively Defend Industrial 
Control Systems at 3.
---------------------------------------------------------------------------

    11. The Commission seeks comment on whether the CIP Reliability 
Standards should be modified to require isolation between the Internet 
and BES Cyber Systems in Control Centers performing the functions of a 
transmission operator. In addition, the Commission seeks comment on the 
operational impact to the Bulk-Power System if BES Cyber Systems were 
isolated from the Internet in all Control Centers performing 
transmission operator functions. Specifically, the Commission seeks 
comment on what, if any, reliability issues might arise from such a 
requirement. For example, would requiring isolation prevent an activity 
required by another Reliability Standard? If isolation is required, is 
logical isolation preferable to physical isolation (or vice versa) and, 
if so, why? The Commission also seeks comment on whether and how such a 
requirement might affect a transmission operator's communications with 
its reliability coordinator or other applicable entities required under 
the Reliability Standard. Finally, if isolation is not required, are 
there communications with these Control Centers for which the use of 
one-way data diodes would be reliable and appropriate?

B. Application Whitelisting for BES Cyber Systems in Control Centers

    12. Application whitelisting is a computer administration practice 
used to prevent unauthorized programs from running.\13\ The purpose is 
primarily to protect computers and networks from harmful applications, 
and, to a lesser extent, to prevent unnecessary demand for computer 
resources. The ``whitelist'' is a list of applications granted 
permission to run by the user or an administrator. Whitelisting works 
best when applied to static cyber systems.\14\
---------------------------------------------------------------------------

    \13\ See Alert at Mitigation Section.
    \14\ Id.
---------------------------------------------------------------------------

    13. In response to the Ukraine incident, the Alert recommended 
that:

asset owners take defensive measures by leveraging best practices to 
minimize the risk from similar malicious cyber activity. Application 
Whitelisting (AWL) can detect and prevent attempted execution of 
malware uploaded by malicious actors. The static nature of some 
systems, such as database servers and HMI computers, make these 
ideal candidates to run AWL. Operators are encouraged to work with 
their vendors to baseline and calibrate AWL deployments.

    Similarly, a December 2015 document by DHS identifies application 
whitelisting as the first of seven strategies to defend industrial 
control systems and states that this strategy would have ``potentially 
mitigated'' 38 percent of ICS-CERT Fiscal Year 2014 and 2015 incidents, 
more than any of the other strategies.\15\ While the NERC Guidelines 
and Technical Basis document associated with Reliability Standard CIP-
007-6, Requirement R3 identifies application whitelisting as an option 
for mitigating malicious cyber activity, its use is not mandatory.\16\ 
The Guidelines and Technical Basis discussion in Reliability Standard 
CIP-007-6 explains:
---------------------------------------------------------------------------

    \15\ Seven Steps to Effectively Defend Industrial Control 
Systems at 1.
    \16\ Reliability Standard CIP-007-6, Requirement R3 provides 
that ``[e]ach Responsible Entity shall implement one or more 
documented process(es) that collectively include each of the 
applicable requirement parts in CIP-007-6 Table R3--Malicious Code 
Prevention'' and lists application whitelisting as an option. In 
addition, the CIP Reliability Standards require a combination of 
ensuring that an individual's privileges are the minimum necessary 
to perform their work function (i.e., ``least privilege'') and anti-
malware (i.e., ``blacklisting''). See, e.g., Reliability Standard 
CIP-004-6, Requirement R4 and Guidelines and Technical Basis; 
Reliability Standard CIP-007-6, Requirement R3.

    Due to the wide range of equipment comprising the BES Cyber 
Systems and the wide variety of vulnerability and capability of that 
equipment to malware as well as the constantly evolving threat and 
resultant tools and controls, it is not practical within the 
standard to prescribe how malware is to be addressed on each Cyber 
Asset. Rather, the Responsible Entity determines on a BES Cyber 
System basis, which Cyber Assets have susceptibility to malware 
intrusions and documents their plans and processes for addressing 
those risks and provides evidence that they follow those plans and 
processes. There are numerous options available including 
traditional antivirus solutions for common operating systems, white-
listing solutions, network isolation techniques, Intrusion 
Detection/Prevention (IDS/IPS) solutions, etc.\17\
---------------------------------------------------------------------------

    \17\ Reliability Standard CIP-007-6, Guidelines and Technical 
Basis, at 4.

    14. While application whitelisting is identified above as one 
available option, the Ukraine incident and the subsequent Alert raise 
the question of whether application whitelisting should be required. 
Application whitelisting could be a more effective mitigation tool than 
other mitigation measures because whitelisting allows only software 
applications and processes that are reviewed and tested before use in 
the system network. By knowing all installed applications, the security 
professional can set the application whitelisting program to know the 
application is approved; all unapproved applications will trigger an 
alert.
    15. The Commission seeks comment on whether the CIP Reliability 
Standards should be modified to require application whitelisting for 
all BES Cyber Systems in Control Centers. Is application whitelisting 
appropriate for all such systems? If not, are there certain devices or 
components on such systems for which it is appropriate? In addition, 
the Commission seeks comment on the operational impact, including 
potential reliability concerns, for each approach.

III. Comment Procedures

    16. The Commission invites interested persons to submit comments, 
and other information on the matters, issues and specific questions 
identified in this notice. Comments are due September 26, 2016. 
Comments must refer to Docket No. RM16-18-000, and must include the 
commenter's name, the organization they represent, if applicable, and 
their address in their comments.
    17. The Commission encourages comments to be filed electronically 
via the eFiling link on the Commission's Web site at http://www.ferc.gov. The Commission accepts most standard word processing 
formats. Documents created electronically using word processing 
software should be filed in native applications or print-to-PDF format 
and not in a scanned format. Commenters filing electronically do not 
need to make a paper filing.
    18. Commenters that are not able to file comments electronically 
must send an original of their comments to: Federal Energy Regulatory 
Commission, Secretary of the Commission, 888 First Street NE., 
Washington, DC 20426.
    19. All comments will be placed in the Commission's public files 
and may be viewed, printed, or downloaded remotely as described in the 
Document Availability section below. Commenters on this proposal are 
not required to serve copies of their comments on other commenters.

IV. Document Availability

    20. In addition to publishing the full text of this document in the 
Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
Internet through FERC's Home Page (http://www.ferc.gov) and in FERC's 
Public Reference Room during normal business hours (8:30 a.m. to 5:00 
p.m. Eastern time) at 888 First Street NE., Room 2A, Washington, DC 
20426.
    21. From FERC's Home Page on the Internet, this information is 
available on

[[Page 49644]]

eLibrary. The full text of this document is available on eLibrary in 
PDF and Microsoft Word format for viewing, printing, and/or 
downloading. To access this document in eLibrary, type the docket 
number excluding the last three digits of this document in the docket 
number field.
    22. User assistance is available for eLibrary and the FERC's Web 
site during normal business hours from FERC Online Support at 202-502-
6652 (toll free at 1-866-208-3676) or email at 
ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at 
public.referenceroom@ferc.gov.

    By direction of the Commission.

    Issued: July 21, 2016.
Kimberly D. Bose,
Secretary.
[FR Doc. 2016-17854 Filed 7-27-16; 8:45 am]
BILLING CODE 6717-01-P