Cyber Systems in Control Centers, 49641-49644 [2016-17854]
Download as PDF
<![CDATA[
Lhorne on DSK30JT082PROD with NOTICES
Federal Register / Vol. 81, No. 145 / Thursday, July 28, 2016 / Notices
Energy Regulatory Commission, 888
First Street NE., Washington, DC 20426.
The first page of any filing should
include docket number P–2426–049.
The Commission’s Rules of Practice
and Procedure require all intervenors
filing documents with the Commission
to serve a copy of that document on
each person whose name appears on the
official service list for the project.
Further, if an intervenor files comments
or documents with the Commission
relating to the merits of an issue that
may affect the responsibilities of a
particular resource agency, they must
also serve a copy of the document on
that resource agency.
k. Description of Request: California
Department of Water Resources requests
Commission approval of a proposed
recreation plan for the project. The
recreation plan provides a detailed
description of all existing recreation
amenities and facilities in the
immediate vicinity of Pyramid Lake,
Silverwood Lake, and Quail Lake,
which are components of the project.
The recreation plan also includes
visitation data, concessionaire reports,
and site plan drawings.
l. Locations of the Application: A
copy of the application is available for
inspection and reproduction at the
Commission’s Public Reference Room,
located at 888 First Street NE., Room
2A, Washington, DC 20426, or by calling
(202) 502–8371. This filing may also be
viewed on the Commission’s Web site at
https://www.ferc.gov using the
‘‘eLibrary’’ link. Enter the docket
number excluding the last three digits in
the docket number field to access the
document. You may also register online
at https://www.ferc.gov/docs-filing/
esubscription.asp to be notified via
email of new filings and issuances
related to this or other pending projects.
For assistance, call 1–866–208–3676 or
email FERCOnlineSupport@ferc.gov, for
TTY, call (202) 502–8659. A copy is also
available for inspection and
reproduction at the address in item (h)
above. Agencies may obtain copies of
the application directly from the
applicant.
m. Individuals desiring to be included
on the Commission’s mailing list should
so indicate by writing to the Secretary
of the Commission.
n. Comments, Protests, or Motions to
Intervene: Anyone may submit
comments, a protest, or a motion to
intervene in accordance with the
requirements of Rules of Practice and
Procedure, 18 CFR 385.210, .211, .214,
respectively. In determining the
appropriate action to take, the
Commission will consider all protests or
other comments filed, but only those
VerDate Sep<11>2014
14:44 Jul 27, 2016
Jkt 238001
who file a motion to intervene in
accordance with the Commission’s
Rules may become a party to the
proceeding. Any comments, protests, or
motions to intervene must be received
on or before the specified comment date
for the particular application.
o. Filing and Service of Documents:
Any filing must (1) bear in all capital
letters the title ‘‘COMMENTS’’,
‘‘PROTEST’’, or ‘‘MOTION TO
INTERVENE’’ as applicable; (2) set forth
in the heading the name of the applicant
and the project number of the
application to which the filing
responds; (3) furnish the name, address,
and telephone number of the person
commenting, protesting or intervening;
and (4) otherwise comply with the
requirements of 18 CFR 385.2001
through 385.2005. All comments,
motions to intervene, or protests must
set forth their evidentiary basis. Any
filing made by an intervenor must be
accompanied by proof of service on all
persons listed in the service list
prepared by the Commission in this
proceeding, in accordance with 18 CFR
385.2010.
Dated: July 22, 2016.
Kimberly D. Bose,
Secretary.
[FR Doc. 2016–17859 Filed 7–27–16; 8:45 am]
BILLING CODE 6717–01–P
DEPARTMENT OF ENERGY
Federal Energy Regulatory
Commission
[Docket No. RM16–18–000]
Cyber Systems in Control Centers
Federal Energy Regulatory
Commission, Department of Energy.
ACTION: Notice of Inquiry.
AGENCY:
In this Notice of Inquiry, the
Federal Energy Regulatory Commission
seeks comment on possible
modifications to the Critical
Infrastructure Protection Reliability
Standards regarding the cybersecurity of
Control Centers used to monitor and
control the bulk electric system in real
time.
DATES: Comments are due September
26, 2016.
ADDRESSES: You may submit comments,
identified by docket number and in
accordance with the requirements
posted on the Commission’s Web site,
https://www.ferc.gov. Comments may be
submitted by any of the following
methods:
• Agency Web site: Documents
created electronically using word
SUMMARY:
PO 00000
Frm 00024
Fmt 4703
Sfmt 4703
49641
processing software should be filed in
native applications or print-to-PDF
format and not in a scanned format, at
https://www.ferc.gov/docs-filing/
efiling.asp.
• Mail/Hand Delivery: Those unable
to file electronically must mail or hand
deliver comments to: Federal Energy
Regulatory Commission, Secretary of the
Commission, 888 First Street NE.,
Washington, DC 20426.
Instructions: For detailed instructions
on submitting comments and additional
information on the rulemaking process,
see the Comment Procedures Section of
this document.
FOR FURTHER INFORMATION CONTACT:
David DeFalaise (Technical
Information), Office of Electric
Reliability, Federal Energy Regulatory
Commission, 888 First Street NE.,
Washington, DC 20426, (202) 502–
8180, David.DeFalaise@ferc.gov
Robert T. Stroh (Legal Information),
Office of the General Counsel, Federal
Energy Regulatory Commission, 888
First Street NE., Washington, DC
20426, (202) 502–8473, Robert.Stroh@
ferc.gov
SUPPLEMENTARY INFORMATION:
1. In this Notice of Inquiry, pursuant
to section 215 of the Federal Power Act
(FPA),1 the Commission seeks comment
on the need for, and possible effects of,
modifications to the Critical
Infrastructure Protection (CIP)
Reliability Standards regarding the
cybersecurity of Control Centers used to
monitor and control the bulk electric
system in real time.2 Cyber systems are
used extensively for the operation and
maintenance of interconnected
transmission networks.3 A 2015
1 16 U.S.C. 824o. Section 215(a)(3) of the FPA
defines ‘‘Reliability Standard’’ to include ‘‘. . .
requirements for the operation of existing bulkpower system facilities, including cybersecurity
protection . . .’’
2 NERC defines ‘‘Control Center’’ as ‘‘[o]ne or
more facilities hosting operating personnel that
monitor and control the Bulk Electric System (BES)
in realtime to perform the reliability tasks,
including their associated data centers . . . .’’ NERC
Glossary of Terms Used in Reliability Standards
(May 17, 2016) at 33 (NERC Glossary).
3 Cyber systems are referred to as ‘‘BES Cyber
Systems’’ in the CIP Reliability Standards. The
NERC Glossary defines BES Cyber Systems as ‘‘One
or more BES Cyber Assets logically grouped by a
responsible entity to perform one or more reliability
tasks for a functional entity.’’ NERC Glossary at 15.
The NERC Glossary defines ‘‘BES Cyber Asset’’ as
‘‘A Cyber Asset that if rendered unavailable,
degraded, or misused would, within 15 minutes of
its required operation, misoperation, or nonoperation, adversely impact one or more Facilities,
systems, or equipment, which, if destroyed,
degraded, or otherwise rendered unavailable when
needed, would affect the reliable operation of the
Bulk Electric System. Redundancy of affected
Facilities, systems, and equipment shall not be
considered when determining adverse impact. Each
E:\FR\FM\28JYN1.SGM
Continued
28JYN1
49642
Federal Register / Vol. 81, No. 145 / Thursday, July 28, 2016 / Notices
cyberattack on the electric grid in
Ukraine is an example of how cyber
systems used to operate and maintain
interconnected networks, unless
adequately protected, may be vulnerable
to cyberattack. While certain controls in
the CIP Reliability Standards may
reduce the risk of such attacks,4 the
Commission seeks comment on whether
additional controls should be required.
2. Specifically, as discussed below,
the Commission seeks comment on
possible modifications to the CIP
Reliability Standards—and any
potential impacts on the operation of
the Bulk-Power System resulting from
such modifications—to address the
following matters: (1) Separation
between the Internet and BES Cyber
Systems in Control Centers performing
transmission operator functions; and (2)
computer administration practices that
prevent unauthorized programs from
running, referred to as ‘‘application
whitelisting,’’ for cyber systems in
Control Centers.
I. Background
Lhorne on DSK30JT082PROD with NOTICES
3. On January 28, 2008, the
Commission approved an initial set of
eight CIP Reliability Standards
pertaining to cybersecurity.5 In
addition, the Commission directed
NERC to develop certain modifications
to the CIP Reliability Standards. Since
2008, the CIP Reliability Standards have
undergone multiple revisions to address
Commission directives and respond to
emerging cybersecurity issues.
4. On December 23, 2015, three
regional electric power distribution
companies in Ukraine experienced a
cyberattack resulting in power outages
that affected at least 225,000 customers.
An analysis conducted by a team from
the Electricity Information Sharing and
Analysis Center (E–ISAC) and SANS
Industrial Control Systems (SANS ICS)
observed that ‘‘the cyber attacks in
Ukraine are the first publicly
BES Cyber Asset is included in one or more BES
Cyber Systems.’’ Id.
4 See, e.g., Reliability Standard CIP–005–5
(Electronic Security Perimeter(s)), Requirement R2,
which protects against unauthorized interactive
remote access; Reliability Standard CIP–006–6
(Physical Security of BES Cyber Systems),
Requirement R2, which protects against
unauthorized physical access and Reliability
Standard CIP–007–6 (System Security
Management), Requirement R3, which protects
against malware.
5 Mandatory Reliability Standards for Critical
Infrastructure Protection, Order No. 706, 122 FERC
¶ 61,040, denying reh’g and granting clarification,
Order No. 706–A, 123 FERC ¶ 61,174 (2008), order
on clarification, Order No. 706–B, 126 FERC
¶ 61,229 (2009), order denying clarification, Order
No. 706–C, 127 FERC ¶ 61,273 (2009).
VerDate Sep<11>2014
14:44 Jul 27, 2016
Jkt 238001
acknowledged incidents to result in
power outages.’’ 6
5. On February 25, 2016, the U.S.
Department of Homeland Security
(DHS) Industrial Control Systems Cyber
Emergency Response Team issued an
‘‘Alert’’ in response to the Ukraine
incident.7 The Alert stated that the
cyberattack was sophisticated and well
planned. The Alert reported that the
cyberattacks at each company occurred
within 30 minutes of each other and
affected multiple central and regional
facilities. The Alert also explained that
during the cyberattacks:
malicious remote operation of the breakers
was conducted by multiple external humans
using either existing remote administration
tools at the operating system level or remote
industrial control system (ICS) client
software via virtual private network (VPN)
connections. The companies believe that the
actors acquired legitimate credentials prior to
the cyber-attack to facilitate remote access.
In addition, the Alert reported that the
affected companies indicated that the
attackers wiped some systems at the
conclusion of the cyberattack, which
erased selected files, rendering systems
inoperable.
6. In response to the Ukraine incident,
the Alert recommended the following
key examples of best practice mitigation
strategies:
procurement and licensing of trusted
hardware and software systems; knowing
who and what is on your network through
hardware and software asset management
automation; on time patching of systems; and
strategic technology refresh.8
II. Request for Comments
7. The Commission seeks comment on
whether to modify the CIP Reliability
Standards to better secure Control
Centers from cyberattacks. The
Commission also seeks comment on the
potential consequences or
complications arising from
implementing such modifications. In
response to lessons learned from the
Alert and analyses of the Ukraine
incident, the Commission seeks
comment on whether to modify the CIP
Reliability Standards to require: (1)
Separation between the Internet and
BES Cyber Systems in Control Centers
6 E–ISAC, Analysis of the Cyber Attack on the
Ukrainian Power Grid (March 18, 2016) at 3, https://
www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_
SANS_Ukraine_DUC_18Mar2016.pdf.
7 See Department of Homeland Security, Alert
(IR–ALERT–H–16–056–01) Cyber-Attack Against
Ukrainian Critical Infrastructure (February 25,
2016) (Alert), https://ics-cert.us-cert.gov/alerts/IRALERT-H-16-056-01.
8 Id. at Mitigation Section. By ‘‘strategic
technology refresh,’’ the Alert referred to the benefit
of replacing legacy cyber systems that no longer
receive security patches and, as a result, might not
be secure.
PO 00000
Frm 00025
Fmt 4703
Sfmt 4703
performing transmission operator
functions; and (2) ‘‘application
whitelisting’’ for BES Cyber Systems in
Control Centers.
A. Isolation of Transmission Operator
Control Centers From the Internet
8. In response to the Ukraine incident,
the Alert recommended that:
[o]rganizations should isolate [industrial
control system] networks from any untrusted
networks, especially the Internet. All unused
ports should be locked down and all unused
services turned off. If a defined business
requirement or control function exists, only
allow real-time connectivity to external
networks. If one-way communication can
accomplish a task, use optical separation
(‘data diode’). If bidirectional communication
is necessary, then use a single open port over
a restricted network path.
9. Commission-approved Reliability
Standard CIP–007–6, Requirement R1
(Ports and Services), Part 1.1 requires,
where technically feasible, unused
logical ports to be disabled.9 In
addition, Reliability Standard CIP–007–
6, Requirement R1, Part 1.2 requires
protection of physical ports against
unnecessary use.10 These requirements
therefore address the Alert’s
recommendation that ‘‘[a]ll unused
ports should be locked down and all
unused services turned off.’’
10. The current CIP Reliability
Standards do not require isolation
between the Internet and BES Cyber
Systems in Control Centers performing
transmission operator functions through
use of physical (hardware) or logical
(software) means. Although BES Cyber
Systems are protected by electronic
security perimeters and the disabling of
unused logical ports, BES Cyber
Systems are permitted, within the scope
of the current CIP Reliability Standards,
to route, or connect, to the Internet.11
Requiring physical separation between
the Internet and cyber systems in
Control Centers performing
transmission operator functions would
require data connections to Control
Centers or other facilities owned by
transmission operators over dedicated
data lines owned or leased by the
transmission operator, rather than
allowing communications over the
9 Logical ports are connection points where two
applications communicate to identify different
applications or processes running on a cyber asset.
10 A physical port serves as an interface or
connection between a cyber asset and another cyber
asset, or peripheral device, using a physical
medium such as a cable.
11 NERC defines an electronic security perimeter
as ‘‘the logical border surrounding a network to
which BES Cyber Systems are connected using a
routable protocol.’’ NERC Glossary at 39.
E:\FR\FM\28JYN1.SGM
28JYN1
Federal Register / Vol. 81, No. 145 / Thursday, July 28, 2016 / Notices
Internet.12 Logical separation, in some
contexts, can achieve a similar objective
through different means.
11. The Commission seeks comment
on whether the CIP Reliability
Standards should be modified to require
isolation between the Internet and BES
Cyber Systems in Control Centers
performing the functions of a
transmission operator. In addition, the
Commission seeks comment on the
operational impact to the Bulk-Power
System if BES Cyber Systems were
isolated from the Internet in all Control
Centers performing transmission
operator functions. Specifically, the
Commission seeks comment on what, if
any, reliability issues might arise from
such a requirement. For example, would
requiring isolation prevent an activity
required by another Reliability
Standard? If isolation is required, is
logical isolation preferable to physical
isolation (or vice versa) and, if so, why?
The Commission also seeks comment on
whether and how such a requirement
might affect a transmission operator’s
communications with its reliability
coordinator or other applicable entities
required under the Reliability Standard.
Finally, if isolation is not required, are
there communications with these
Control Centers for which the use of
one-way data diodes would be reliable
and appropriate?
B. Application Whitelisting for BES
Cyber Systems in Control Centers
Lhorne on DSK30JT082PROD with NOTICES
12. Application whitelisting is a
computer administration practice used
to prevent unauthorized programs from
running.13 The purpose is primarily to
protect computers and networks from
harmful applications, and, to a lesser
extent, to prevent unnecessary demand
for computer resources. The ‘‘whitelist’’
is a list of applications granted
permission to run by the user or an
administrator. Whitelisting works best
when applied to static cyber systems.14
13. In response to the Ukraine
incident, the Alert recommended that:
asset owners take defensive measures by
leveraging best practices to minimize the risk
from similar malicious cyber activity.
Application Whitelisting (AWL) can detect
and prevent attempted execution of malware
uploaded by malicious actors. The static
nature of some systems, such as database
servers and HMI computers, make these ideal
candidates to run AWL. Operators are
encouraged to work with their vendors to
baseline and calibrate AWL deployments.
12 See Alert at Mitigation Section; see also
Department of Homeland Security, Seven Steps to
Effectively Defend Industrial Control Systems at 3.
13 See Alert at Mitigation Section.
14 Id.
VerDate Sep<11>2014
14:44 Jul 27, 2016
Jkt 238001
Similarly, a December 2015 document
by DHS identifies application
whitelisting as the first of seven
strategies to defend industrial control
systems and states that this strategy
would have ‘‘potentially mitigated’’ 38
percent of ICS–CERT Fiscal Year 2014
and 2015 incidents, more than any of
the other strategies.15 While the NERC
Guidelines and Technical Basis
document associated with Reliability
Standard CIP–007–6, Requirement R3
identifies application whitelisting as an
option for mitigating malicious cyber
activity, its use is not mandatory.16 The
Guidelines and Technical Basis
discussion in Reliability Standard CIP–
007–6 explains:
Due to the wide range of equipment
comprising the BES Cyber Systems and the
wide variety of vulnerability and capability
of that equipment to malware as well as the
constantly evolving threat and resultant tools
and controls, it is not practical within the
standard to prescribe how malware is to be
addressed on each Cyber Asset. Rather, the
Responsible Entity determines on a BES
Cyber System basis, which Cyber Assets have
susceptibility to malware intrusions and
documents their plans and processes for
addressing those risks and provides evidence
that they follow those plans and processes.
There are numerous options available
including traditional antivirus solutions for
common operating systems, white-listing
solutions, network isolation techniques,
Intrusion Detection/Prevention (IDS/IPS)
solutions, etc.17
14. While application whitelisting is
identified above as one available option,
the Ukraine incident and the subsequent
Alert raise the question of whether
application whitelisting should be
required. Application whitelisting could
be a more effective mitigation tool than
other mitigation measures because
whitelisting allows only software
applications and processes that are
reviewed and tested before use in the
system network. By knowing all
installed applications, the security
professional can set the application
whitelisting program to know the
15 Seven Steps to Effectively Defend Industrial
Control Systems at 1.
16 Reliability Standard CIP–007–6, Requirement
R3 provides that ‘‘[e]ach Responsible Entity shall
implement one or more documented process(es)
that collectively include each of the applicable
requirement parts in CIP–007–6 Table R3—
Malicious Code Prevention’’ and lists application
whitelisting as an option. In addition, the CIP
Reliability Standards require a combination of
ensuring that an individual’s privileges are the
minimum necessary to perform their work function
(i.e., ‘‘least privilege’’) and anti-malware (i.e.,
‘‘blacklisting’’). See, e.g., Reliability Standard CIP–
004–6, Requirement R4 and Guidelines and
Technical Basis; Reliability Standard CIP–007–6,
Requirement R3.
17 Reliability Standard CIP–007–6, Guidelines
and Technical Basis, at 4.
PO 00000
Frm 00026
Fmt 4703
Sfmt 4703
49643
application is approved; all unapproved
applications will trigger an alert.
15. The Commission seeks comment
on whether the CIP Reliability
Standards should be modified to require
application whitelisting for all BES
Cyber Systems in Control Centers. Is
application whitelisting appropriate for
all such systems? If not, are there certain
devices or components on such systems
for which it is appropriate? In addition,
the Commission seeks comment on the
operational impact, including potential
reliability concerns, for each approach.
III. Comment Procedures
16. The Commission invites interested
persons to submit comments, and other
information on the matters, issues and
specific questions identified in this
notice. Comments are due September
26, 2016. Comments must refer to
Docket No. RM16–18–000, and must
include the commenter’s name, the
organization they represent, if
applicable, and their address in their
comments.
17. The Commission encourages
comments to be filed electronically via
the eFiling link on the Commission’s
Web site at https://www.ferc.gov. The
Commission accepts most standard
word processing formats. Documents
created electronically using word
processing software should be filed in
native applications or print-to-PDF
format and not in a scanned format.
Commenters filing electronically do not
need to make a paper filing.
18. Commenters that are not able to
file comments electronically must send
an original of their comments to:
Federal Energy Regulatory Commission,
Secretary of the Commission, 888 First
Street NE., Washington, DC 20426.
19. All comments will be placed in
the Commission’s public files and may
be viewed, printed, or downloaded
remotely as described in the Document
Availability section below. Commenters
on this proposal are not required to
serve copies of their comments on other
commenters.
IV. Document Availability
20. In addition to publishing the full
text of this document in the Federal
Register, the Commission provides all
interested persons an opportunity to
view and/or print the contents of this
document via the Internet through
FERC’s Home Page (https://
www.ferc.gov) and in FERC’s Public
Reference Room during normal business
hours (8:30 a.m. to 5:00 p.m. Eastern
time) at 888 First Street NE., Room 2A,
Washington, DC 20426.
21. From FERC’s Home Page on the
Internet, this information is available on
E:\FR\FM\28JYN1.SGM
28JYN1
49644
Federal Register / Vol. 81, No. 145 / Thursday, July 28, 2016 / Notices
eLibrary. The full text of this document
is available on eLibrary in PDF and
Microsoft Word format for viewing,
printing, and/or downloading. To access
this document in eLibrary, type the
docket number excluding the last three
digits of this document in the docket
number field.
22. User assistance is available for
eLibrary and the FERC’s Web site during
normal business hours from FERC
Online Support at 202–502–6652 (toll
free at 1–866–208–3676) or email at
ferconlinesupport@ferc.gov, or the
Public Reference Room at (202) 502–
8371, TTY (202) 502–8659. Email the
Public Reference Room at
public.referenceroom@ferc.gov.
By direction of the Commission.
Issued: July 21, 2016.
Kimberly D. Bose,
Secretary.
[FR Doc. 2016–17854 Filed 7–27–16; 8:45 am]
BILLING CODE 6717–01–P
DEPARTMENT OF ENERGY
Federal Energy Regulatory
Commission
[Docket Nos. EL16–101–000]
Tri-State Generation and Transmission
Association, Inc.; Notice of Petition for
Partial Waiver
July 20, 2016.
Take notice that on July 15, 2016,
pursuant to section 292.402 of the
Federal Energy Regulatory
Commission’s (Commission) Rules of
Practice and Procedure,1 Tri-State
Generation and Transmission
Association, Inc. (Tri-State) on behalf of
itself and its electric distribution
cooperative member-owners
(collectively, the Participating
Members),2 filed a petition for partial
1 18
CFR 292.402.
member owners joining in this
petition are Big Horn Rural Electric Company,
Carbon Power and Light, Inc., Central New Mexico
Electric Cooperative, Inc., Chimney Rock Public
Power District, Continental Divide Electric
Cooperative, Inc., Garland Light and Power
Company, High Plains Power, Inc., High West
Energy, Inc., Highline Electric Association, Jemez
Mountains Electric Cooperative, Inc., K.C. Electric
Association, Inc., The Midwest Electric Cooperative
Corporation, Mora-San Miguel Electric Cooperative,
Inc., Morgan County Rural Electric Association,
Mountain Parks Electric, Inc., Mountain View
Electric Association, Inc., Niobrara Electric
Association, Inc., Northern Rio Arriba Electric
Cooperative, Inc., Otero County Electric
Cooperative, Inc., Panhandle Rural Electric
Membership Association, Roosevelt Public Power
District, San Luis Valley Rural Electric Cooperative,
Inc., Sierra Electric Cooperative, Inc., Socorm
Electric Cooperative, Inc., Southeast Colorado
Power Association, Southwestern Electric
Cooperative, Inc., Springer Electric Cooperative,
Lhorne on DSK30JT082PROD with NOTICES
2 Tri-State’s
VerDate Sep<11>2014
14:44 Jul 27, 2016
Jkt 238001
waiver of certain obligations imposed
on Tri-State and the Participating
Members under Sections 292.303(a) and
292.303(b) of the Commission’s
regulations, all as more fully explained
in the petition.
Any person desiring to intervene or to
protest this filing must file in
accordance with Rules 211 and 214 of
the Commission’s Rules of Practice and
Procedure (18 CFR 385.211and
385.214). Protests will be considered by
the Commission in determining the
appropriate action to be taken, but will
not serve to make protestants parties to
the proceeding. Any person wishing to
become a party must file a notice of
intervention or motion to intervene, as
appropriate. Such notices, motions, or
protests must be filed on or before the
comment date. Anyone filing a motion
to intervene or protest must serve a copy
of that document on the Petitioner.
The Commission encourages
electronic submission of protests and
interventions in lieu of paper using the
‘‘eFiling’’ link at https://www.ferc.gov.
Persons unable to file electronically
should submit an original and 5 copies
of the protest or intervention to the
Federal Energy Regulatory Commission,
888 First Street NE., Washington, DC
20426.
This filing is accessible online at
https://www.ferc.gov, using the
‘‘eLibrary’’ link and is available for
review in the Commission’s Public
Reference Room in Washington, DC.
There is an ‘‘eSubscription’’ link on the
Web site that enables subscribers to
receive email notification when a
document is added to a subscribed
docket(s). For assistance with any FERC
Online service, please email
FERCOnlineSupport@ferc.gov, or call
(866) 208–3676 (toll free). For TTY, call
(202) 502–8659.
Comment Date: 5:00 p.m. Eastern time
on August 5, 2016.
Dated: July 20, 2016.
Kimberly D. Bose,
Secretary.
[FR Doc. 2016–17858 Filed 7–27–16; 8:45 am]
BILLING CODE 6717–01–P
Inc., Wheatland Rural Electric Association, Inc.,
Wyrulec Company, and Y–W Electric Association,
Inc.
PO 00000
Frm 00027
Fmt 4703
Sfmt 4703
DEPARTMENT OF ENERGY
Federal Energy Regulatory
Commission
[Project No. 14680–002]
Water Street Land, LLC; Notice of
Application Tendered for Filing With
the Commission and Soliciting
Additional Study Requests
Take notice that the following
hydroelectric application has been filed
with the Commission and is available
for public inspection.
a. Type of Application: Exemption
from Licensing.
b. Project No.: 14680–002.
c. Date filed: July 13, 2016.
d. Applicant: Water Street Land, LLC.
e. Name of Project: Natick Pond Dam
Hydroelectric Project.
f. Location: On the Pawtuxet River, in
the Towns of Warwick and West
Warwick, in Kent County, Rhode Island.
No federal lands would be occupied by
project works or located within the
project boundary.
g. Filed Pursuant to: Public Utility
Regulatory Policies Act of 1978, 16
U.S.C. 2705, 2708 (2012), amended by
the Hydropower Regulatory Efficiency
Act of 2013, Pub. L. 113–23, 127 Stat.
493 (2013).
h. Applicant Contact: Mr. Rob Cioe,
Water Street Land, LLC, P.O. Box 358,
North Kingstown, Rhode Island 02852;
(480) 797–3077.
i. FERC Contact: John Ramer, (202)
502–8969, john.ramer@ferc.gov.
j. Cooperating agencies: Federal, state,
local, and tribal agencies with
jurisdiction and/or special expertise
with respect to environmental issues
that wish to cooperate in the
preparation of the environmental
document should follow the
instructions for filing such requests
described in item l below. Cooperating
agencies should note the Commission’s
policy that agencies that cooperate in
the preparation of the environmental
document cannot also intervene. See, 94
FERC ¶ 61,076 (2001).
k. Pursuant to section 4.32(b)(7) of 18
CFR of the Commission’s regulations, if
any resource agency, Indian Tribe, or
person believes that an additional
scientific study should be conducted in
order to form an adequate factual basis
for a complete analysis of the
application on its merit, the resource
agency, Indian Tribe, or person must file
a request for a study with the
Commission not later than 60 days from
the date of filing of the application, and
serve a copy of the request on the
applicant.
E:\FR\FM\28JYN1.SGM
28JYN1
]]>Agencies
[Federal Register Volume 81, Number 145 (Thursday, July 28, 2016)]
[Notices]
[Pages 49641-49644]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-17854]
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
[Docket No. RM16-18-000]
Cyber Systems in Control Centers
AGENCY: Federal Energy Regulatory Commission, Department of Energy.
ACTION: Notice of Inquiry.
-----------------------------------------------------------------------
SUMMARY: In this Notice of Inquiry, the Federal Energy Regulatory
Commission seeks comment on possible modifications to the Critical
Infrastructure Protection Reliability Standards regarding the
cybersecurity of Control Centers used to monitor and control the bulk
electric system in real time.
DATES: Comments are due September 26, 2016.
ADDRESSES: You may submit comments, identified by docket number and in
accordance with the requirements posted on the Commission's Web site,
https://www.ferc.gov. Comments may be submitted by any of the following
methods:
Agency Web site: Documents created electronically using
word processing software should be filed in native applications or
print-to-PDF format and not in a scanned format, at https://www.ferc.gov/docs-filing/efiling.asp.
Mail/Hand Delivery: Those unable to file electronically
must mail or hand deliver comments to: Federal Energy Regulatory
Commission, Secretary of the Commission, 888 First Street NE.,
Washington, DC 20426.
Instructions: For detailed instructions on submitting comments and
additional information on the rulemaking process, see the Comment
Procedures Section of this document.
FOR FURTHER INFORMATION CONTACT:
David DeFalaise (Technical Information), Office of Electric
Reliability, Federal Energy Regulatory Commission, 888 First Street
NE., Washington, DC 20426, (202) 502-8180, David.DeFalaise@ferc.gov
Robert T. Stroh (Legal Information), Office of the General Counsel,
Federal Energy Regulatory Commission, 888 First Street NE., Washington,
DC 20426, (202) 502-8473, Robert.Stroh@ferc.gov
SUPPLEMENTARY INFORMATION:
1. In this Notice of Inquiry, pursuant to section 215 of the
Federal Power Act (FPA),\1\ the Commission seeks comment on the need
for, and possible effects of, modifications to the Critical
Infrastructure Protection (CIP) Reliability Standards regarding the
cybersecurity of Control Centers used to monitor and control the bulk
electric system in real time.\2\ Cyber systems are used extensively for
the operation and maintenance of interconnected transmission
networks.\3\ A 2015
[[Page 49642]]
cyberattack on the electric grid in Ukraine is an example of how cyber
systems used to operate and maintain interconnected networks, unless
adequately protected, may be vulnerable to cyberattack. While certain
controls in the CIP Reliability Standards may reduce the risk of such
attacks,\4\ the Commission seeks comment on whether additional controls
should be required.
---------------------------------------------------------------------------
\1\ 16 U.S.C. 824o. Section 215(a)(3) of the FPA defines
``Reliability Standard'' to include ``. . . requirements for the
operation of existing bulk-power system facilities, including
cybersecurity protection . . .''
\2\ NERC defines ``Control Center'' as ``[o]ne or more
facilities hosting operating personnel that monitor and control the
Bulk Electric System (BES) in realtime to perform the reliability
tasks, including their associated data centers . . . .'' NERC
Glossary of Terms Used in Reliability Standards (May 17, 2016) at 33
(NERC Glossary).
\3\ Cyber systems are referred to as ``BES Cyber Systems'' in
the CIP Reliability Standards. The NERC Glossary defines BES Cyber
Systems as ``One or more BES Cyber Assets logically grouped by a
responsible entity to perform one or more reliability tasks for a
functional entity.'' NERC Glossary at 15. The NERC Glossary defines
``BES Cyber Asset'' as ``A Cyber Asset that if rendered unavailable,
degraded, or misused would, within 15 minutes of its required
operation, misoperation, or non-operation, adversely impact one or
more Facilities, systems, or equipment, which, if destroyed,
degraded, or otherwise rendered unavailable when needed, would
affect the reliable operation of the Bulk Electric System.
Redundancy of affected Facilities, systems, and equipment shall not
be considered when determining adverse impact. Each BES Cyber Asset
is included in one or more BES Cyber Systems.'' Id.
\4\ See, e.g., Reliability Standard CIP-005-5 (Electronic
Security Perimeter(s)), Requirement R2, which protects against
unauthorized interactive remote access; Reliability Standard CIP-
006-6 (Physical Security of BES Cyber Systems), Requirement R2,
which protects against unauthorized physical access and Reliability
Standard CIP-007-6 (System Security Management), Requirement R3,
which protects against malware.
---------------------------------------------------------------------------
2. Specifically, as discussed below, the Commission seeks comment
on possible modifications to the CIP Reliability Standards--and any
potential impacts on the operation of the Bulk-Power System resulting
from such modifications--to address the following matters: (1)
Separation between the Internet and BES Cyber Systems in Control
Centers performing transmission operator functions; and (2) computer
administration practices that prevent unauthorized programs from
running, referred to as ``application whitelisting,'' for cyber systems
in Control Centers.
I. Background
3. On January 28, 2008, the Commission approved an initial set of
eight CIP Reliability Standards pertaining to cybersecurity.\5\ In
addition, the Commission directed NERC to develop certain modifications
to the CIP Reliability Standards. Since 2008, the CIP Reliability
Standards have undergone multiple revisions to address Commission
directives and respond to emerging cybersecurity issues.
---------------------------------------------------------------------------
\5\ Mandatory Reliability Standards for Critical Infrastructure
Protection, Order No. 706, 122 FERC ] 61,040, denying reh'g and
granting clarification, Order No. 706-A, 123 FERC ] 61,174 (2008),
order on clarification, Order No. 706-B, 126 FERC ] 61,229 (2009),
order denying clarification, Order No. 706-C, 127 FERC ] 61,273
(2009).
---------------------------------------------------------------------------
4. On December 23, 2015, three regional electric power distribution
companies in Ukraine experienced a cyberattack resulting in power
outages that affected at least 225,000 customers. An analysis conducted
by a team from the Electricity Information Sharing and Analysis Center
(E-ISAC) and SANS Industrial Control Systems (SANS ICS) observed that
``the cyber attacks in Ukraine are the first publicly acknowledged
incidents to result in power outages.'' \6\
---------------------------------------------------------------------------
\6\ E-ISAC, Analysis of the Cyber Attack on the Ukrainian Power
Grid (March 18, 2016) at 3, https://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf.
---------------------------------------------------------------------------
5. On February 25, 2016, the U.S. Department of Homeland Security
(DHS) Industrial Control Systems Cyber Emergency Response Team issued
an ``Alert'' in response to the Ukraine incident.\7\ The Alert stated
that the cyberattack was sophisticated and well planned. The Alert
reported that the cyberattacks at each company occurred within 30
minutes of each other and affected multiple central and regional
facilities. The Alert also explained that during the cyberattacks:
---------------------------------------------------------------------------
\7\ See Department of Homeland Security, Alert (IR-ALERT-H-16-
056-01) Cyber-Attack Against Ukrainian Critical Infrastructure
(February 25, 2016) (Alert), https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01.
malicious remote operation of the breakers was conducted by multiple
external humans using either existing remote administration tools at
the operating system level or remote industrial control system (ICS)
client software via virtual private network (VPN) connections. The
companies believe that the actors acquired legitimate credentials
---------------------------------------------------------------------------
prior to the cyber-attack to facilitate remote access.
In addition, the Alert reported that the affected companies
indicated that the attackers wiped some systems at the conclusion of
the cyberattack, which erased selected files, rendering systems
inoperable.
6. In response to the Ukraine incident, the Alert recommended the
following key examples of best practice mitigation strategies:
procurement and licensing of trusted hardware and software systems;
knowing who and what is on your network through hardware and
software asset management automation; on time patching of systems;
and strategic technology refresh.\8\
---------------------------------------------------------------------------
\8\ Id. at Mitigation Section. By ``strategic technology
refresh,'' the Alert referred to the benefit of replacing legacy
cyber systems that no longer receive security patches and, as a
result, might not be secure.
---------------------------------------------------------------------------
II. Request for Comments
7. The Commission seeks comment on whether to modify the CIP
Reliability Standards to better secure Control Centers from
cyberattacks. The Commission also seeks comment on the potential
consequences or complications arising from implementing such
modifications. In response to lessons learned from the Alert and
analyses of the Ukraine incident, the Commission seeks comment on
whether to modify the CIP Reliability Standards to require: (1)
Separation between the Internet and BES Cyber Systems in Control
Centers performing transmission operator functions; and (2)
``application whitelisting'' for BES Cyber Systems in Control Centers.
A. Isolation of Transmission Operator Control Centers From the Internet
8. In response to the Ukraine incident, the Alert recommended that:
[o]rganizations should isolate [industrial control system] networks
from any untrusted networks, especially the Internet. All unused
ports should be locked down and all unused services turned off. If a
defined business requirement or control function exists, only allow
real-time connectivity to external networks. If one-way
communication can accomplish a task, use optical separation (`data
diode'). If bidirectional communication is necessary, then use a
single open port over a restricted network path.
9. Commission-approved Reliability Standard CIP-007-6, Requirement
R1 (Ports and Services), Part 1.1 requires, where technically feasible,
unused logical ports to be disabled.\9\ In addition, Reliability
Standard CIP-007-6, Requirement R1, Part 1.2 requires protection of
physical ports against unnecessary use.\10\ These requirements
therefore address the Alert's recommendation that ``[a]ll unused ports
should be locked down and all unused services turned off.''
---------------------------------------------------------------------------
\9\ Logical ports are connection points where two applications
communicate to identify different applications or processes running
on a cyber asset.
\10\ A physical port serves as an interface or connection
between a cyber asset and another cyber asset, or peripheral device,
using a physical medium such as a cable.
---------------------------------------------------------------------------
10. The current CIP Reliability Standards do not require isolation
between the Internet and BES Cyber Systems in Control Centers
performing transmission operator functions through use of physical
(hardware) or logical (software) means. Although BES Cyber Systems are
protected by electronic security perimeters and the disabling of unused
logical ports, BES Cyber Systems are permitted, within the scope of the
current CIP Reliability Standards, to route, or connect, to the
Internet.\11\ Requiring physical separation between the Internet and
cyber systems in Control Centers performing transmission operator
functions would require data connections to Control Centers or other
facilities owned by transmission operators over dedicated data lines
owned or leased by the transmission operator, rather than allowing
communications over the
[[Page 49643]]
Internet.\12\ Logical separation, in some contexts, can achieve a
similar objective through different means.
---------------------------------------------------------------------------
\11\ NERC defines an electronic security perimeter as ``the
logical border surrounding a network to which BES Cyber Systems are
connected using a routable protocol.'' NERC Glossary at 39.
\12\ See Alert at Mitigation Section; see also Department of
Homeland Security, Seven Steps to Effectively Defend Industrial
Control Systems at 3.
---------------------------------------------------------------------------
11. The Commission seeks comment on whether the CIP Reliability
Standards should be modified to require isolation between the Internet
and BES Cyber Systems in Control Centers performing the functions of a
transmission operator. In addition, the Commission seeks comment on the
operational impact to the Bulk-Power System if BES Cyber Systems were
isolated from the Internet in all Control Centers performing
transmission operator functions. Specifically, the Commission seeks
comment on what, if any, reliability issues might arise from such a
requirement. For example, would requiring isolation prevent an activity
required by another Reliability Standard? If isolation is required, is
logical isolation preferable to physical isolation (or vice versa) and,
if so, why? The Commission also seeks comment on whether and how such a
requirement might affect a transmission operator's communications with
its reliability coordinator or other applicable entities required under
the Reliability Standard. Finally, if isolation is not required, are
there communications with these Control Centers for which the use of
one-way data diodes would be reliable and appropriate?
B. Application Whitelisting for BES Cyber Systems in Control Centers
12. Application whitelisting is a computer administration practice
used to prevent unauthorized programs from running.\13\ The purpose is
primarily to protect computers and networks from harmful applications,
and, to a lesser extent, to prevent unnecessary demand for computer
resources. The ``whitelist'' is a list of applications granted
permission to run by the user or an administrator. Whitelisting works
best when applied to static cyber systems.\14\
---------------------------------------------------------------------------
\13\ See Alert at Mitigation Section.
\14\ Id.
---------------------------------------------------------------------------
13. In response to the Ukraine incident, the Alert recommended
that:
asset owners take defensive measures by leveraging best practices to
minimize the risk from similar malicious cyber activity. Application
Whitelisting (AWL) can detect and prevent attempted execution of
malware uploaded by malicious actors. The static nature of some
systems, such as database servers and HMI computers, make these
ideal candidates to run AWL. Operators are encouraged to work with
their vendors to baseline and calibrate AWL deployments.
Similarly, a December 2015 document by DHS identifies application
whitelisting as the first of seven strategies to defend industrial
control systems and states that this strategy would have ``potentially
mitigated'' 38 percent of ICS-CERT Fiscal Year 2014 and 2015 incidents,
more than any of the other strategies.\15\ While the NERC Guidelines
and Technical Basis document associated with Reliability Standard CIP-
007-6, Requirement R3 identifies application whitelisting as an option
for mitigating malicious cyber activity, its use is not mandatory.\16\
The Guidelines and Technical Basis discussion in Reliability Standard
CIP-007-6 explains:
---------------------------------------------------------------------------
\15\ Seven Steps to Effectively Defend Industrial Control
Systems at 1.
\16\ Reliability Standard CIP-007-6, Requirement R3 provides
that ``[e]ach Responsible Entity shall implement one or more
documented process(es) that collectively include each of the
applicable requirement parts in CIP-007-6 Table R3--Malicious Code
Prevention'' and lists application whitelisting as an option. In
addition, the CIP Reliability Standards require a combination of
ensuring that an individual's privileges are the minimum necessary
to perform their work function (i.e., ``least privilege'') and anti-
malware (i.e., ``blacklisting''). See, e.g., Reliability Standard
CIP-004-6, Requirement R4 and Guidelines and Technical Basis;
Reliability Standard CIP-007-6, Requirement R3.
Due to the wide range of equipment comprising the BES Cyber
Systems and the wide variety of vulnerability and capability of that
equipment to malware as well as the constantly evolving threat and
resultant tools and controls, it is not practical within the
standard to prescribe how malware is to be addressed on each Cyber
Asset. Rather, the Responsible Entity determines on a BES Cyber
System basis, which Cyber Assets have susceptibility to malware
intrusions and documents their plans and processes for addressing
those risks and provides evidence that they follow those plans and
processes. There are numerous options available including
traditional antivirus solutions for common operating systems, white-
listing solutions, network isolation techniques, Intrusion
Detection/Prevention (IDS/IPS) solutions, etc.\17\
---------------------------------------------------------------------------
\17\ Reliability Standard CIP-007-6, Guidelines and Technical
Basis, at 4.
14. While application whitelisting is identified above as one
available option, the Ukraine incident and the subsequent Alert raise
the question of whether application whitelisting should be required.
Application whitelisting could be a more effective mitigation tool than
other mitigation measures because whitelisting allows only software
applications and processes that are reviewed and tested before use in
the system network. By knowing all installed applications, the security
professional can set the application whitelisting program to know the
application is approved; all unapproved applications will trigger an
alert.
15. The Commission seeks comment on whether the CIP Reliability
Standards should be modified to require application whitelisting for
all BES Cyber Systems in Control Centers. Is application whitelisting
appropriate for all such systems? If not, are there certain devices or
components on such systems for which it is appropriate? In addition,
the Commission seeks comment on the operational impact, including
potential reliability concerns, for each approach.
III. Comment Procedures
16. The Commission invites interested persons to submit comments,
and other information on the matters, issues and specific questions
identified in this notice. Comments are due September 26, 2016.
Comments must refer to Docket No. RM16-18-000, and must include the
commenter's name, the organization they represent, if applicable, and
their address in their comments.
17. The Commission encourages comments to be filed electronically
via the eFiling link on the Commission's Web site at https://www.ferc.gov. The Commission accepts most standard word processing
formats. Documents created electronically using word processing
software should be filed in native applications or print-to-PDF format
and not in a scanned format. Commenters filing electronically do not
need to make a paper filing.
18. Commenters that are not able to file comments electronically
must send an original of their comments to: Federal Energy Regulatory
Commission, Secretary of the Commission, 888 First Street NE.,
Washington, DC 20426.
19. All comments will be placed in the Commission's public files
and may be viewed, printed, or downloaded remotely as described in the
Document Availability section below. Commenters on this proposal are
not required to serve copies of their comments on other commenters.
IV. Document Availability
20. In addition to publishing the full text of this document in the
Federal Register, the Commission provides all interested persons an
opportunity to view and/or print the contents of this document via the
Internet through FERC's Home Page (https://www.ferc.gov) and in FERC's
Public Reference Room during normal business hours (8:30 a.m. to 5:00
p.m. Eastern time) at 888 First Street NE., Room 2A, Washington, DC
20426.
21. From FERC's Home Page on the Internet, this information is
available on
[[Page 49644]]
eLibrary. The full text of this document is available on eLibrary in
PDF and Microsoft Word format for viewing, printing, and/or
downloading. To access this document in eLibrary, type the docket
number excluding the last three digits of this document in the docket
number field.
22. User assistance is available for eLibrary and the FERC's Web
site during normal business hours from FERC Online Support at 202-502-
6652 (toll free at 1-866-208-3676) or email at
ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at
public.referenceroom@ferc.gov.
By direction of the Commission.
Issued: July 21, 2016.
Kimberly D. Bose,
Secretary.
[FR Doc. 2016-17854 Filed 7-27-16; 8:45 am]
BILLING CODE 6717-01-P
