Revised Critical Infrastructure Protection Reliability Standards, 49878-49894 [2016-17842]
Download as PDF
<![CDATA[
49878
Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations
(a) Effective Date
This AD is effective September 2, 2016.
(b) Affected ADs
None.
(c) Applicability
This AD applies to the airplanes,
certificated in any category, identified in
paragraphs (c)(1), (c)(2), (c)(3), and (c)(4) of
this AD.
(1) Bombardier, Inc. Model CL–600–2C10
(Regional Jet Series 700, 701, & 702)
airplanes, serial numbers 10002 through
10342 inclusive.
(2) Bombardier, Inc. Model CL–600–2D15
(Regional Jet Series 705) airplanes, serial
numbers 15001 through 15361 inclusive.
(3) Bombardier, Inc. Model CL–600–2D24
(Regional Jet Series 900) airplanes, serial
numbers 15001 through 15361 inclusive.
(4) Bombardier, Inc. Model CL–600–2E25
(Regional Jet Series 1000) airplanes, serial
numbers 19001 through 19041 inclusive.
(d) Subject
Air Transport Association (ATA) of
America Code 27, Flight controls.
(e) Reason
This AD was prompted by reports of
corrosion found on the slat and flap torque
tubes in the slat and flap control system. We
are issuing this AD to prevent rupture of a
corroded slat or flap torque tube. This
condition could result in an inoperative slat
or flap system and consequent reduced
controllability of the airplane.
asabaliauskas on DSK3SPTVN1PROD with RULES
(f) Compliance
Comply with this AD within the
compliance times specified, unless already
done.
(g) Replace Slat and Flap Torque Tubes in
the Slat and Flap Control System
Within the compliance times specified in
paragraph (g)(1), (g)(2), or (g)(3) of this AD,
as applicable: Replace the slat and flap
torque tubes in the slat and flap control
system with new or modified slat and flap
torque tubes, in accordance with the
Accomplishment Instructions of Bombardier
Service Bulletin 670BA–27–067, Revision A,
dated February 23, 2015.
(1) For airplanes that have accumulated
28,000 total flight hours or less as of the
effective date of this AD, or 137 months or
less since the date of issuance of the original
Canadian certificate of airworthiness or date
of issuance of the original Canadian export
certificate of airworthiness as of the effective
date of this AD: Before the accumulation of
34,000 total flight hours or within 167
months since the date of issuance of the
original Canadian certificate of airworthiness
or date of issuance of the original Canadian
export certificate of airworthiness, whichever
occurs first.
(2) For airplanes that have accumulated
more than 28,000 total flight hours but not
more than 36,000 total flight hours as of the
effective date of this AD, and more than 137
months but not more than 176 months since
the date of issuance of the original Canadian
certificate of airworthiness or date of
issuance of the original Canadian export
VerDate Sep<11>2014
17:04 Jul 28, 2016
Jkt 238001
certificate of airworthiness as of the effective
date of this AD: At the earlier of the times
specified in paragraphs (g)(2)(i) and (g)(2)(ii)
of this AD.
(i) Within 6,000 flight hours or 30 months,
whichever occurs first, after the effective date
of this AD.
(ii) Before the accumulation of 38,000 total
flight hours, or within 186 months since the
date of issuance of the original Canadian
certificate of airworthiness or date of
issuance of the original Canadian export
certificate of airworthiness, whichever occurs
first.
(3) For airplanes that have accumulated
more than 36,000 total flight hours as of the
effective date of this AD, or more than 176
months since the date of issuance of the
original Canadian certificate of airworthiness
or date of issuance of the original Canadian
export certificate of airworthiness as of the
effective date of this AD: Within 2,000 flight
hours or 10 months, whichever occurs first,
after the effective date of this AD.
(h) Credit for Previous Actions
This paragraph provides credit for actions
required by paragraph (g) of this AD, if those
actions were performed before the effective
date of this AD using Bombardier Service
Bulletin 670BA–27–067, dated January 15,
2015.
(i) Other FAA AD Provisions
The following provisions also apply to this
AD:
(1) Alternative Methods of Compliance
(AMOCs): The Manager, New York Aircraft
Certification Office (ACO), ANE–170, FAA,
has the authority to approve AMOCs for this
AD, if requested using the procedures found
in 14 CFR 39.19. In accordance with 14 CFR
39.19, send your request to your principal
inspector or local Flight Standards District
Office, as appropriate. If sending information
directly to the ACO, send it to ATTN:
Program Manager, Continuing Operational
Safety, FAA, New York ACO, 1600 Stewart
Avenue, Suite 410, Westbury, NY 11590;
telephone: 516–228–7300; fax: 516–794–
5531. Before using any approved AMOC,
notify your appropriate principal inspector,
or lacking a principal inspector, the manager
of the local flight standards district office/
certificate holding district office. The AMOC
approval letter must specifically reference
this AD.
(2) Contacting the Manufacturer: For any
requirement in this AD to obtain corrective
actions from a manufacturer, the action must
be accomplished using a method approved
by the Manager, New York ACO, ANE–170,
FAA; or Transport Canada Civil Aviation
(TCCA); or Bombardier, Inc.’s TCCA Design
Approval Organization (DAO). If approved by
the DAO, the approval must include the
DAO-authorized signature.
(j) Related Information
(1) Refer to Mandatory Continuing
Airworthiness Information (MCAI) Canadian
AD CF–2016–03R1, dated February 18, 2016,
for related information. This MCAI may be
found in the AD docket on the Internet at
https://www.regulations.gov by searching for
and locating Docket No. FAA–2016–5463.
PO 00000
Frm 00024
Fmt 4700
Sfmt 4700
(2) Service information identified in this
AD that is not incorporated by reference is
available at the addresses specified in
paragraphs (k)(3) and (k)(4) of this AD.
(k) Material Incorporated by Reference
(1) The Director of the Federal Register
approved the incorporation by reference
(IBR) of the service information listed in this
paragraph under 5 U.S.C. 552(a) and 1 CFR
part 51.
(2) You must use this service information
as applicable to do the actions required by
this AD, unless this AD specifies otherwise.
(i) Bombardier Service Bulletin 670BA–27–
067, Revision A, dated February 23, 2015.
(ii) Reserved.
(3) For service information identified in
ˆ
this AD, contact Bombardier, Inc., 400 Cote´
Vertu Road West, Dorval, Quebec H4S 1Y9,
Canada; Widebody Customer Response
Center North America toll-free telephone: 1–
866–538–1247 or direct-dial telephone: 1–
514–855–2999; fax: 514–855–7401; email:
ac.yul@aero.bombardier.com; Internet https://
www.bombardier.com.
(4) You may view this service information
at the FAA, Transport Airplane Directorate,
1601 Lind Avenue SW., Renton, WA. For
information on the availability of this
material at the FAA, call 425–227–1221.
(5) You may view this service information
that is incorporated by reference at the
National Archives and Records
Administration (NARA). For information on
the availability of this material at NARA, call
202–741–6030, or go to: https://
www.archives.gov/federal-register/cfr/ibrlocations.html.
Issued in Renton, Washington, on July 21,
2016.
Michael Kaszycki,
Acting Manager, Transport Airplane
Directorate, Aircraft Certification Service.
[FR Doc. 2016–17863 Filed 7–28–16; 8:45 am]
BILLING CODE 4910–13–P
DEPARTMENT OF ENERGY
Federal Energy Regulatory
Commission
18 CFR Part 40
[Docket No. RM15–14–002; Order No. 829]
Revised Critical Infrastructure
Protection Reliability Standards
Federal Energy Regulatory
Commission.
ACTION: Final rule.
AGENCY:
The Federal Energy
Regulatory Commission (Commission)
directs the North American Electric
Reliability Corporation to develop a new
or modified Reliability Standard that
addresses supply chain risk
management for industrial control
system hardware, software, and
computing and networking services
SUMMARY:
E:\FR\FM\29JYR1.SGM
29JYR1
Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations
associated with bulk electric system
operations. The new or modified
Reliability Standard is intended to
mitigate the risk of a cybersecurity
incident affecting the reliable operation
of the Bulk-Power System.
DATES: This rule is effective September
27, 2016.
FOR FURTHER INFORMATION CONTACT:
Daniel Phillips (Technical Information),
Office of Electric Reliability, Federal
Energy Regulatory Commission, 888
First Street NE., Washington, DC 20426,
(202) 502–6387, daniel.phillips@
ferc.gov.
Simon Slobodnik (Technical
Information), Office of Electric
Reliability, Federal Energy Regulatory
Commission, 888 First Street NE.,
Washington, DC 20426, (202) 502–6707,
simon.slobodnik@ferc.gov.
Kevin Ryan (Legal Information),
Office of the General Counsel, Federal
Energy Regulatory Commission, 888
First Street NE., Washington, DC 20426,
(202) 502–6840, kevin.ryan@ferc.gov.
SUPPLEMENTARY INFORMATION:
asabaliauskas on DSK3SPTVN1PROD with RULES
Order No. 829
Final Rule
1. Pursuant to section 215(d)(5) of the
Federal Power Act (FPA),1 the
Commission directs the North American
Electric Reliability Corporation (NERC)
to develop a new or modified Reliability
Standard that addresses supply chain
risk management for industrial control
system hardware, software, and
computing and networking services
associated with bulk electric system
operations. The new or modified
Reliability Standard is intended to
mitigate the risk of a cybersecurity
incident affecting the reliable operation
of the Bulk-Power System.
2. The record developed in this
proceeding supports our determination
under FPA section 215(d)(5) that it is
appropriate to direct the creation of
mandatory requirements that protect
aspects of the supply chain that are
within the control of responsible
entities and that fall within the scope of
our authority under FPA section 215.
Specifically, we direct NERC to develop
a forward-looking, objective-based
Reliability Standard to require each
affected entity to develop and
implement a plan that includes security
controls for supply chain management
for industrial control system hardware,
software, and services associated with
bulk electric system operations.2 The
1 16
U.S.C. 824o(d)(5).
2 Revised Critical Infrastructure Protection
Reliability Standards, Notice of Proposed
Rulemaking, 80 FR 43,354 (Jul. 22, 2015), 152 FERC
¶ 61,054, at P 66 (2015) (NOPR).
VerDate Sep<11>2014
17:04 Jul 28, 2016
Jkt 238001
new or modified Reliability Standard
should address the following security
objectives, discussed in detail below: (1)
Software integrity and authenticity; (2)
vendor remote access; (3) information
system planning; and (4) vendor risk
management and procurement controls.
In making this directive, the
Commission does not require NERC to
impose any specific controls, nor does
the Commission require NERC to
propose ‘‘one-size-fits-all’’
requirements. The new or modified
Reliability Standard should instead
require responsible entities to develop a
plan to meet the four objectives, or some
equally efficient and effective means to
meet these objectives, while providing
flexibility to responsible entities as to
how to meet those objectives.
I. Background
A. Section 215 and Mandatory
Reliability Standards
3. Section 215 of the FPA requires a
Commission-certified Electric
Reliability Organization (ERO) to
develop mandatory and enforceable
Reliability Standards, subject to
Commission review and approval.
Reliability Standards may be enforced
by the ERO, subject to Commission
oversight, or by the Commission
independently.3 Pursuant to section 215
of the FPA, the Commission established
a process to select and certify an ERO,4
and subsequently certified NERC.5
49879
for supply chain management for
industrial control system hardware,
software, and services associated with
bulk electric system operations.7
5. Recognizing that developing supply
chain management requirements would
likely be a significant undertaking and
require extensive engagement with
stakeholders to define the scope,
content, and timing of the Reliability
Standard, the Commission sought
comment on: (1) the general proposal to
direct that NERC develop a Reliability
Standard to address supply chain
management; (2) the anticipated features
of, and requirements that should be
included in, such a standard; and (3) a
reasonable timeframe for development
of a Reliability Standard.8
6. In response to the NOPR, thirtyfour entities submitted comments on the
NOPR proposal regarding supply chain
risk management. A list of these
commenters appears in Appendix A.
C. January 28, 2016 Technical
Conference
7. On January 28, 2016, Commission
staff led a Technical Conference to
facilitate a dialogue on supply chain
risk management issues that were
identified by the Commission in the
NOPR. The January 28 Technical
Conference addressed: (1) The need for
a new or modified Reliability Standard;
(2) the scope and implementation of a
new or modified Reliability Standard;
and (3) current supply chain risk
B. Notice of Proposed Rulemaking
management practices and collaborative
4. The NOPR, inter alia, identified as
efforts.
a reliability concern the potential risks
8. Twenty-four entities representing
to bulk electric system reliability posed
industry, government, vendors, and
by the ‘‘supply chain’’ (i.e., the sequence academia participated in the January 28
of processes involved in the production Technical Conference through written
and distribution of, inter alia, industrial comments and/or presentations.9
control system hardware, software, and
9. We address below the comments
services). The NOPR explained that
submitted in response to the NOPR and
changes in the bulk electric system
comments made as part of the January
cyber threat landscape, exemplified by
28 Technical Conference.
recent malware campaigns targeting
supply chain vendors, have highlighted II. Discussion
a gap in the Critical Infrastructure
10. Pursuant to section 215(d)(5) of
Protection (CIP) Reliability Standards.6
the FPA, the Commission determines
To address this gap, the NOPR proposed that it is appropriate to direct NERC to
to direct that NERC develop a forwarddevelop a new or modified Reliability
looking, objective-driven Reliability
Standard(s) that address supply chain
Standard that provides security controls risk management for industrial control
system hardware, software, and
3 16 U.S.C. 824o(e).
computing and networking services
4 Rules Concerning Certification of the Electric
associated with bulk electric system
Reliability Organization; and Procedures for the
Establishment, Approval, and Enforcement of
Electric Reliability Standards, Order No. 672, FERC
Stats. & Regs. ¶ 31,204, order on reh’g, Order No.
672–A, FERC Stats. & Regs. ¶ 31,212 (2006).
5 North American Electric Reliability Corp., 116
FERC ¶ 61,062, order on reh’g and compliance, 117
FERC ¶ 61,126 (2006), aff’d sub nom. Alcoa, Inc.
v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
6 NOPR, 152 FERC ¶ 61,054 at P 63.
PO 00000
Frm 00025
Fmt 4700
Sfmt 4700
7 Id.
P 66.
8 Id.
9 Written presentations at the January 28, 2016
Technical Conference and the Technical Conference
transcript referenced in this Final Rule are
accessible through the Commission’s eLibrary
document retrieval system in Docket No. RM15–14–
000.
E:\FR\FM\29JYR1.SGM
29JYR1
49880
Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations
asabaliauskas on DSK3SPTVN1PROD with RULES
operations.10 Based on the comments
received in response to the NOPR and
at the technical conference, we
determine that the record in this
proceeding supports the development of
mandatory requirements for the
protection of aspects of the supply chain
that are within the control of
responsible entities and that fall within
the scope of our authority under FPA
section 215.
11. In its NOPR comments, NERC
acknowledges that ‘‘supply chains for
information and communications
technology and industrial control
systems present significant risks to
[Bulk-Power System] security, providing
various opportunities for adversaries to
initiate cyberattacks.’’ 11 Several other
commenters also recognized the risks
posed to the bulk electric system by
supply chain security issues and
generally support, or at least do not
oppose, Commission action to address
the reliability gap.12 For example, in
prepared remarks submitted for the
January 28 Technical Conference, one
panelist noted that attacks targeting the
supply chain are on the rise,
particularly attacks involving third
party service providers.13 In addition, it
was noted that, while many responsible
entities are already independently
assessing supply chain risks and asking
vendors to address the risks, these
individual efforts are likely to be less
effective than a mandatory Reliability
Standard.14
12. We recognize, however, that most
commenters oppose development of
Reliability Standards addressing supply
chain management for various reasons.
These commenters contend that
Commission action on supply chain risk
management would, among other
things, address or influence activities
10 16 U.S.C. 824o(d)(5) (‘‘The Commission . . .
may order the [ERO] to submit to the Commission
a proposed reliability standard or a modification to
a reliability standard that addresses as specific
matter if the Commission considers such a new or
modified reliability standard appropriate to carry
out this section.’’).
11 NERC NOPR Comments at 8.
12 See Peak NOPR Comments at 3–6; ITC NOPR
Comments at 13–15; CyberArk NOPR Comments at
4; Ericsson NOPR Comments at 2; Isologic and
Resilient Societies Joint NOPR Comments at 9–12;
ACS NOPR Comments at 4; ISO NE NOPR
Comments at 2–3; NEMA NOPR Comments at 1–2.
13 Olcott Technical Conference Comments at 1–2.
14 Galloway Technical Conference Comments at 1
(‘‘. . . ISO–NE supports the Commission’s proposal
to direct NERC to develop requirements relating to
supply chain risk management. We believe that the
risks to the reliability of the Bulk Electric System
that result from compromised third-party software
are real, significant and largely unaddressed by
existing reliability standards. While many public
utilities are already assessing these risks and asking
vendors to address them, these one-off efforts are
far less likely to be effective than an industry-wide
reliability standard.’’).
VerDate Sep<11>2014
17:04 Jul 28, 2016
Jkt 238001
beyond the scope of the Commission’s
FPA section 215 jurisdiction.15
Commenters also assert that the existing
CIP Reliability Standards adequately
address potential risks to the bulk
electric system from supply chain
issues.16 In addition, commenters claim
that responsible entities have minimal
control over their suppliers and are not
able to identify all potential
vulnerabilities associated with each of
their products or parts; therefore, even
if a responsible entity identifies a
vulnerability created by a supplier, the
responsible entity does not necessarily
have any authority, influence or means
to require the supplier to apply
mitigation.17 Other commenters argue
that the Commission’s proposal may
unintentionally inhibit innovation.18 A
number of commenters assert that
voluntary guidelines would be more
effective at addressing the Commission’s
concerns.19 Finally, commenters are
concerned that the contractual
flexibility necessary to effectively
address supply chain concerns does not
fit well with a mandatory Reliability
Standard.20
13. As discussed below, we conclude
that our directive falls within the
Commission’s authority under FPA
section 215. We also determine that,
notwithstanding the concerns raised by
commenters opposed to the NOPR
proposal, it is appropriate to direct the
development of mandatory
requirements to protect industrial
control system hardware, software, and
computing and networking services
associated with bulk electric system
operations. Many of the commenters’
concerns are addressed by the flexibility
inherent in our directive to develop a
forward-looking, objective-based
Reliability Standard that includes
specific security objectives that a
responsible entity must achieve, but
affords flexibility in how to meet these
objectives. The Commission does not
15 See Trade Associations NOPR Comments at 24;
Southern NOPR Comments at 14–16; CEA NOPR
Comments at 4–5; NIPSCO NOPR Comments at 7.
16 See Trade Associations NOPR Comments at
20–25; Gridwise NOPR Comments at 3; Arkansas
NOPR Comments at 6; G&T Cooperatives NOPR
Comments at 8–9; NEI NOPR Comments at 3–5;
NIPSCO NOPR Comments at 5–6; Luminant NOPR
Comments at 4–5; SCE NOPR Comments at 4.
17 See Arkansas NOPR Comments at 5–6; G&T
Cooperatives NOPR Comments at 9; Trade
Associations NOPR Comments at 25.
18 See Arkansas NOPR Comments at 6; G&T
Cooperatives NOPR Comments at 9; NERC NOPR
Comments at 13.
19 See Trade Associations NOPR Comments at 23;
Southern NOPR Comments at 13; AEP NOPR
Comments at 5; NextEra NOPR Comments at 4–5;
Luminant NOPR Comments at 5.
20 See Arkansas NOPR Comments at 6; Southern
NOPR Comments at 13.
PO 00000
Frm 00026
Fmt 4700
Sfmt 4700
require NERC to impose any specific
controls nor does the Commission
require NERC to propose ‘‘one-size-fitsall’’ requirements. The new or modified
Reliability Standard should instead
require responsible entities to develop a
plan to meet the four objectives, or some
equally efficient and effective means to
meet these objectives, while providing
flexibility to responsible entities as to
how to meet those objectives. Moreover,
our directive comports well with the
NOPR comments submitted by NERC, in
which NERC explained what it believes
would be the features of a workable
supply chain management Reliability
Standard.21
14. We address below the following
issues raised in the NOPR, NOPR
comments, and January 28 Technical
Conference comments: (1) the
Commission’s authority to direct the
ERO to develop supply chain
management Reliability Standards
under FPA section 215(d)(5); and (2) the
need for supply chain management
Reliability Standards, including the
risks posed by the supply chain,
objectives of a supply chain
management Reliability Standard,
existing CIP Reliability Standards, and
responsible entities’ ability to affect the
supply chain.
A. Commission Authority To Direct the
ERO To Develop Supply Chain
Management Reliability Standards
Under FPA Section 215(d)(5)
NOPR
15. In the NOPR, the Commission
stated that it anticipates that a
Reliability Standard addressing supply
chain management security would, inter
alia, respect FPA Section 215
jurisdiction by only addressing the
obligations of responsible entities and
not directly imposing obligations on
suppliers, vendors, or other entities that
provide products or services to
responsible entities.22
Comments
16. Commenters contend that the
Commission’s proposal to direct NERC
to develop mandatory Reliability
Standards to address supply chain risks
could exceed the Commission’s
21 NERC NOPR Comments at 8–9. The record
evidence on which the directive in this Final Rule
is based is either comparable or superior to past
instances in which the Commission has directed,
pursuant to FPA section 215(d)(5), that NERC
propose a Reliability Standard to address a gap in
existing Reliability Standards. See, e.g., Reliability
Standards for Physical Security Measures, 146
FERC ¶ 61,166 (2014) (directing, without seeking
comment, that NERC develop proposed Reliability
Standards to protect against physical security risks
related to the Bulk-Power System).
22 NOPR, 152 FERC ¶ 61,054 at P 66.
E:\FR\FM\29JYR1.SGM
29JYR1
asabaliauskas on DSK3SPTVN1PROD with RULES
Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations
jurisdiction under FPA section 215. The
Trade Associations state that the NOPR
discussion ‘‘appears to suggest a new
mandate, over and above Section 215 for
energy security, integrity, quality, and
supply chain resilience, and the future
acquisition of products and services.’’ 23
The Trade Associations assert that the
Commission’s NOPR proposal does not
provide any reasoning that connects
energy security and integrity with
reliable operations for Bulk-Power
System reliability. The Trade
Associations seek clarification that the
Commission does not intend to define
energy security as a new policy
mandate.24
17. Southern states that it agrees with
the Trade Associations that expanding
the focus of the NERC Reliability
Standards ‘‘to include concepts such as
security, integrity, and supply chain
resilience is beyond the statutory
authority granted in Section 215.’’ 25
Southern contends that while these
areas ‘‘have an impact on the reliable
operation of the bulk power system,
[. . .] they are areas that are beyond the
scope of [the Commission’s] jurisdiction
under Section 215.’’ 26 NIPSCO raises a
similar argument, stating that the
existing CIP Reliability Standards
should address the Commission’s
concerns ‘‘without involving processes
and industries outside of the
Commission’s jurisdiction under section
215 of the Federal Power Act.’’ 27
18. Southern questions how a
mandatory Reliability Standard that
achieves all of the objectives specified
in the NOPR ‘‘could effectively address
[the Commission’s] concerns and still
stay within the bounds of [the
Commission’s] scope and mission under
Section 215.’’ 28 Southern asserts that ‘‘a
reading of Section 215 indicates that
[the Commission’s] mission and
authority under Section 215 is focused
on the operation of the bulk power
system elements, not on the acquisition
of those elements and associated
procurement practices.’’ 29 In support of
its assertion, Southern points to the
definition in FPA section 215 of
‘‘reliability standard,’’ noting the use
and meaning of the terms ‘‘reliable
operation’’ and ‘‘operation.’’ Southern
contends that ‘‘Section 215 standards
should ensure that a given BES Cyber
System asset is protected from
vulnerabilities once connected to the
23 Trade
Associations NOPR Comments at 24.
24 Id.
Discussion
21. We are satisfied that FPA section
215 provides the Commission with the
authority to direct NERC to address the
reliability gap concerning supply chain
management risks identified in the
NOPR. We reject the contention that our
directive could be read to address issues
outside of the Commission’s FPA
section 215 jurisdiction. However, to be
clear, we reiterate the statement in the
NOPR that any action taken by NERC in
response to the Commission’s directive
to address the supply chain-related
reliability gap should respect ‘‘section
215 jurisdiction by only addressing the
obligations of responsible entities’’ and
‘‘not directly impose obligations on
30 Id.
at 16.
Associations NOPR Comments at 24–25;
Southern NOPR Comments at 17; see also Trade
Associations Post-Technical Conference Comments
at 20–21.
32 Trade Associations NOPR Comments at 24–25.
33 CEA NOPR Comments at 5.
34 Trade Associations NOPR Comments at 25.
31 Trade
25 Southern
NOPR Comments at 16.
NOPR Comments at 16; see also
Trade Association NOPR Comments at 24.
27 NIPSCO NOPR Comments at 7.
28 Southern NOPR Comments at 14–15.
29 Id. at 15 (emphasis in original).
26 Southern
VerDate Sep<11>2014
BES, and should not be concerned about
how the Responsible Entity works with
its vendors and suppliers to ensure such
reliability (such as higher financial
incentives or greater contractual
penalties).’’ 30
19. The Trade Associations and
Southern also observe that, while the
NOPR indicates that the Commission
has no direct oversight authority over
third-party suppliers or vendors and
cannot indirectly assert authority over
them through jurisdictional entities, the
NOPR proposal appears to assert that
authority.31 The Trade Associations
maintain that such an extension of the
Commission’s authority would be
unlawful and, therefore, seek
clarification that ‘‘the Commission will
avoid seeking to extend its authority
since such an extension would set a
troubling precedent.’’ 32 CEA raises a
concern that the NOPR proposal
‘‘appears to lend itself to the
interpretation that authority is
indirectly being asserted over nonjurisdictional entities.’’ 33
20. The Trade Associations also
maintain that the Commission’s use of
the term ‘‘industrial control system’’ in
the scope of its proposal suggests that
the Commission is seeking to address
issues beyond CIP and cybersecurityrelated issues. The Trade Associations
seek clarification that the Commission
does not intend for NERC broadly to
address industrial control systems, such
as fuel procurement and delivery
systems or system protection devices,
but intends for its proposal to be limited
to CIP and cybersecurity-related
issues.34
17:04 Jul 28, 2016
Jkt 238001
PO 00000
Frm 00027
Fmt 4700
Sfmt 4700
49881
suppliers, vendors or other entities that
provide products or services to
responsible entities.’’ 35 The
Commission expects that NERC will
adhere to this instruction as it works
with stakeholders to develop a new or
modified Reliability Standard to address
the Commission’s directive. As
discussed below, we reject the
remaining comments regarding the
Commission’s authority to direct the
development of supply chain
management Reliability Standards
under FPA section 215(d)(5).
22. Our directive does not suggest, as
the Trade Associations contend, a new
mandate above and beyond FPA section
215. The Commission’s directive to
NERC to address supply chain risk
management for industrial control
system hardware, software, and
computing and networking services
associated with bulk electric system
operations is not intended to ‘‘define
‘energy security’ as a new policy
mandate’’ under the CIP Reliability
Standards.36 Instead, our directive is
meant to enhance bulk electric system
cybersecurity by addressing the gap in
the CIP Reliability Standards identified
in the NOPR relating to supply chain
risk management for industrial control
system hardware, software, and
computing and networking services
associated with bulk electric system
operations. This directive is squarely
within the statutory definition of a
‘‘reliability standard,’’ which includes
requirements for ‘‘cybersecurity
protection.’’ 37
23. We reject Southern’s argument
that FPA section 215 limits the scope of
the NERC Reliability Standards to
‘‘ensur[ing] that a given BES Cyber
System asset is protected from
vulnerabilities once connected’’ to the
bulk electric system.38 While Southern’s
comment implies that the Commission
should only be concerned with real-time
operations based on the definition of the
term ‘‘reliable operation,’’ the definition
of ‘‘reliability standard’’ in FPA section
215 also includes requirements for ‘‘the
design of planned additions or
modifications’’ to bulk electric system
facilities ‘‘necessary to provide for
reliable operation of the bulk-power
35 NOPR,
152 FERC ¶ 61,054 at P 66.
Trade Associations NOPR Comments at 24.
37 See 16 U.S.C. 824o(a)(3) (defining ‘‘reliability
standard’’ to mean ‘‘a requirement, approved by the
Commission under [section 215 of the FPA] to
provide for the reliable operation of the bulk-power
system. The term includes requirements for the
operation of existing bulk-power system facilities,
including cybersecurity protection, and the design
of planned additions or modifications to such
facilities to the extent necessary to provide for
reliable operation . . .’’) (emphasis added).
38 See Southern NOPR Comments at 16.
36 See
E:\FR\FM\29JYR1.SGM
29JYR1
49882
Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations
system.’’ 39 Moreover, as noted, FPA
section 215 is clear that maintaining
reliable operation also includes
protecting the bulk electric system from
cybersecurity incidents.40 Indeed, our
findings and directives in the Final Rule
are intended to better protect the BulkPower System from potential
cybersecurity incidents that could
adversely affect reliable operation of the
Bulk-Power System. Accordingly, we
would not be carrying out our
obligations under FPA section 215 if the
Commission determined that
cybersecurity incidents resulting from
gaps in supply chain risk management
were outside the scope of FPA section
215.
24. With regard to concerns that the
NOPR’s use of the term ‘‘industrial
control system’’ signals the
Commission’s intent to address issues
beyond the CIP Reliability Standards or
cybersecurity controls, we clarify that
our directive is only intended to address
the protection of hardware, software,
and computing and networking services
associated with bulk electric system
operations from supply chain-related
cybersecurity threats and
vulnerabilities.
B. Need for a New or Modified
Reliability Standard
asabaliauskas on DSK3SPTVN1PROD with RULES
1. Cyber Risks Posed by the Supply
Chain
NOPR
25. In the NOPR, the Commission
observed that the global supply chain,
while providing an opportunity for
significant benefits to customers,
enables opportunities for adversaries to
directly or indirectly affect the
operations of companies that may result
in risks to the end user. The NOPR
identified supply chain risks including
the insertion of counterfeits,
unauthorized production, tampering,
theft, or insertion of malicious software,
as well as poor manufacturing and
development practices. The NOPR
pointed to changes in the bulk electric
system cyber threat landscape,
evidenced by recent malware campaigns
targeting supply chain vendors, which
highlighted a gap in the protections
under the current CIP Reliability
Standards.41
26. Specifically, the NOPR identified
two focused malware campaigns
identified by the Department of
Homeland Security’s Industry Control
System—Computer Emergency
39 See 16 U.S.C. 824o(a)(4) (defining ‘‘reliable
operation’’); see also 16 U.S.C. 824o(a)(3).
40 See 16 U.S.C. 824o(a)(4).
41 NOPR, 152 FERC ¶ 61,054 at PP 61–62.
VerDate Sep<11>2014
17:04 Jul 28, 2016
Jkt 238001
Readiness Team (ICS–CERT) in 2014.42
The NOPR stated that this new type of
malware campaign is based on the
injection of malware while a product or
service remains in the control of the
hardware or software vendor, prior to
delivery to the customer.43
Comments
27. NERC acknowledges the NOPR’s
concerns regarding the threats posed by
supply chain management risks to the
Bulk-Power System. NERC states that
‘‘the supply chains for information and
communications technology and
industrial control systems present
significant risks to [Bulk-Power System]
security, providing various
opportunities for adversaries to initiate
cyberattacks.’’ 44 NERC further explains
that ‘‘supply chains risks are . . .
complex, multidimensional, and
constantly evolving, and may include,
as the Commission states, insertion of
counterfeits, unauthorized production,
tampering, theft, insertion of malicious
software and hardware, as well as poor
manufacturing and development
practices.’’ 45 NERC states, however, that
as to these supply chains, there are
‘‘significant challenges to developing a
mandatory Reliability Standard
consistent with [FPA] Section 215
. . . .’’ 46
28. IRC, Peak, Idaho Power, CyberArk,
NEMA, Resilient Societies and other
commenters share the NOPR’s concern
that supply chain risks pose a threat to
bulk electric system reliability. IRC
states that it supports the Commission’s
efforts to address the risks associated
with supply chain management.47 Peak
explains that ‘‘the security risk of
supply chain management is a real
threat, and . . . a CIP standard for
supply chain management may be
necessary.’’ 48 Peak notes, for example,
that it is possible for a malware
campaign to infect industrial control
software with malicious code while the
product or service is in the control of
the hardware and software vendor, and
states that, ‘‘[w]ithout proper controls,
42 Id. P 63 (citing ICS–CERT, Alert: ICS Focused
Malware (Update A), https://ics-cert.us-cert.gov/
alerts/ICS-ALERT-14-176-02A; ICS–CERT, Alert
Ongoing Sophisticated Malware Campaign
Compromising ICS (Update E), https://ics-cert.uscert.gov/alerts/ICS-ALERT-14-281-01B). ICS–CERT
is a division of the Department of Homeland
Security that works to reduce risks within and
across all critical infrastructure sectors by
partnering with law enforcement agencies and the
intelligence community.
43 NOPR, 152 FERC ¶ 61,054 at P 63.
44 NERC NOPR Comments at 8.
45 Id. at 10.
46 Id. at 2.
47 IRC NOPR Comments at 1–2.
48 Peak NOPR Comments at 3.
PO 00000
Frm 00028
Fmt 4700
Sfmt 4700
the vendor may deliver this infected
product or service, unknowingly
passing the risk onto the utility industry
customer.’’ 49 Isologic and Resilient
Societies comments that supply chain
vulnerabilities are one of the most
difficult areas of cybersecurity because,
among other concerns, entities ‘‘are
seldom aware of the risks [supply chain
vulnerabilities] pose.’’ 50
29. Idaho Power agrees ‘‘that the
supply chain could pose an attack
vector for certain risks to the bulk
electric system.’’ 51 CyberArk states that
‘‘infection of vendor Web sites is just
one of the potential ways a supply chain
management attack could be executed’’
and notes that network communications
links between a vendor and its customer
could be used as well.52 NEMA agrees
with the NOPR that ‘‘keeping the
electric sector supply chain free from
malware and other cybersecurity risks is
essential.’’ 53 NEMA highlights a
number of principles it represents as
vendor best practices, and encourages
the Commission and NERC to reference
those principles as the effort to address
supply chain risks progresses.54
30. Other commenters do not agree
that the risks identified in the NOPR
support the Commission’s NOPR
proposal. The Trade Associations,
Southern, and NIPSCO contend that the
two malware campaigns identified by
ICS–CERT and cited in the NOPR do not
actually represent a changed threat
landscape that defines a reliability gap.
Specifically, the Trade Associations
state that the two identified malware
campaigns ‘‘seek to inject malware,
while a product is in the control of and
in use by the customer and not, as the
NOPR suggests, the vendor.’’ 55 In
support of this position, the Trade
Associations note that the ICS–CERT
mitigation measures for the two alerts
‘‘focused on the customer and do not
address security controls, while the
products are under control of the
vendors.’’ 56
31. The Trade Associations and
Southern also contend that there is no
information from various NERC
programs and activities that leads to a
reasonable conclusion that supply chain
management issues have caused events
or disturbances on the bulk electric
49 Id.
at 3.
50 Isologic
and Resilient Societies Joint NOPR
Comments at 9.
51 Idaho Power NOPR Comments at 3.
52 CyberArk NOPR Comments at 4.
53 NEMA NOPR Comments at 1.
54 Id. at 2.
55 Trade Associations NOPR Comments at 20–21.
56 Trade Associations NOPR Comments at 21; see
also NIPSCO NOPR Comments at 6.
E:\FR\FM\29JYR1.SGM
29JYR1
Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations
system.57 Luminant states that it ‘‘does
not perceive the same reliability gap
that is expressed in the NOPR
concerning risks associated with supply
chain management’’ and contends that it
is important to understand the potential
risks and cost impacts related to any
potential mitigation efforts before
developing any additional security
controls.58 KCP&L states that it does not
share the Commission’s view of the
supply chain-related reliability gap
described in the NOPR and, therefore,
does not support the Commission’s
proposal.59
asabaliauskas on DSK3SPTVN1PROD with RULES
Discussion
32. We find ample support in the
record to conclude that supply chain
management risks pose a threat to bulk
electric system reliability. As NERC
commented, ‘‘the supply chains for
information and communications
technology and industrial control
systems present significant risks to
[Bulk-Power System] security, providing
various opportunities for adversaries to
initiate cyberattacks.’’ 60 The malware
campaigns analyzed by ICS–CERT and
identified in the NOPR are only
examples of such risks (i.e., supply
chain attacks targeting supply chain
vendors). Commenters identified
additional supply chain-related
threats,61 including events targeting
electric utility vendors.62
57 Trade Associations NOPR Comments at 21;
Southern Comments at 11.
58 Luminant NOPR Comments at 4.
59 KCP&L NOPR Comments at 7.
60 NERC NOPR Comments at 8.
61 Commenters reference tools and information
security frameworks, such as ES–C2M2, NIST–SP–
800–161 and NIST–SP–800–53, which describe the
scope of supply chain risk that could impact bulk
electric system operations. See Department of
Energy, Electricity Subsector Cybersecurity
Capability Maturity Model (February 2014), https://
energy.gov/sites/prod/files/2014/02/f7/ES-C2M2-v11-Feb2014.pdf; NIST Special Publication 800–161,
Supply Chain Risk Management Practices for
Federal Information Systems and Organizations at
51, https://nvlpubs.nist.gov/nistpubs/
SpecialPublications/NIST.SP.800-161.pdf; NIST
Special Publication 800–53, Security and Privacy
Controls for Federal Information Systems and
Organizations, https://nvlpubs.nist.gov/nistpubs/
SpecialPublications/NIST.SP.800-53r4.pdf. These
risks include the insertion of counterfeits,
unauthorized production and modification of
products, tampering, theft, intentional insertion of
tracking software, as well as poor manufacturing
and development practices. One technical
conference participant noted that supply chain
attacks can target either (1) the hardware/software
components of a system (thereby creating
vulnerabilities that can be exploited by a remote
attacker) or (2) a third party service provider who
has access to sensitive IT infrastructure or holds/
maintains sensitive data. See Olcott Technical
Conference Comments at 1.
62 Olcott discusses two events targeting electric
utility vendors and service providers. Olcott
Technical Conference Comments at 2. Specific
recent examples of attacks on third party vendors
VerDate Sep<11>2014
17:04 Jul 28, 2016
Jkt 238001
33. Even among the comments
opposed to the NOPR, there is
acknowledgment that supply chain
reliability risks exist. The Trade
Associations state that their ‘‘respective
members have identified security issues
associated with potential supply chain
disruption or compromise as being a
significant threat.’’ 63 Recognizing that
such risks exist, we reject the assertion
by the Trade Associations and Southern
that there is an inadequate basis for the
Commission to take action because
‘‘[t]he Trade Associations can find
nothing within various NERC programs
and activities that lead to a reasonable
conclusion that supply chain
management issues have caused events
or disturbances on the bulk power
system.’’ 64
34. We disagree with the Trade
Associations’ arguments suggesting that
the two malware campaigns identified
in the NOPR do not represent a change
in the threat landscape to the bulk
electric system. First, while the Trade
Associations are correct that the ICS–
CERT alerts referenced in the NOPR
describe remediation steps for
customers to take in the event of a
breach, the vulnerabilities exploited by
those campaigns were the direct result
of vendor decisions about: (1) How to
deliver software patches to their
customers and (2) the necessary degree
of remote access functionality for their
information and communications
technology products.65 Second, the
malware campaigns also demonstrate
that attackers have expanded their
efforts to include the execution of broad
access campaigns targeting vendors and
software applications, rather than just
individual entities. The targeting of
vendors and software applications with
potentially broad access to BES Cyber
Systems 66 marks a turning point in that
include: (1) unauthorized code found in Juniper
Firewalls in 2015; (2) the 2013 Target incident
involving stolen vendor credentials; (3) the 2015
Office of Personnel Management incident also
involving stolen vendor credentials; and (4) two
events targeting electric utility vendors. See id. at
1–4.
63 Trade Associations NOPR Comments at 17.
64 See Trade Associations NOPR Comments at 21.
65 The ICS–CERT alert regarding ICS Focused
Malware indicated that ‘‘the software installers for
. . . vendors were infected with malware known as
the Havex Trojan.’’
66 Cyber systems are referred to as ‘‘BES Cyber
Systems’’ in the CIP Reliability Standards. The
NERC Glossary defines BES Cyber Systems as ‘‘One
or more BES Cyber Assets logically grouped by a
responsible entity to perform one or more reliability
tasks for a functional entity.’’ NERC Glossary of
Terms Used in Reliability Standards (May 17, 2016)
at 15 (NERC Glossary). The NERC Glossary defines
‘‘BES Cyber Asset’’ as ‘‘A Cyber Asset that if
rendered unavailable, degraded, or misused would,
within 15 minutes of its required operation,
misoperation, or non-operation, adversely impact
PO 00000
Frm 00029
Fmt 4700
Sfmt 4700
49883
it is no longer sufficient to focus
protection strategies exclusively on
post-acquisition activities at individual
entities. Instead, we believe that
attention should also be focused on
minimizing the attack surfaces of
information and communications
technology products procured to
support bulk electric system operations.
2. Objectives of a Supply Chain
Management Reliability Standard
NOPR
35. The NOPR stated that the
reliability goal of a supply chain risk
management Reliability Standard
should be a forward-looking, objectivedriven Reliability Standard that
encompasses activities in the system
development life cycle: from research
and development, design and
manufacturing stages (where
applicable), to acquisition, delivery,
integration, operations, retirement, and
eventual disposal of the responsible
entity’s information and
communications technology and
industrial control system supply chain
equipment and services. The NOPR
explained that the Reliability Standard
should support and ensure security,
integrity, quality, and resilience of the
supply chain and the future acquisition
of products and services.67
36. The NOPR recognized that, due to
the breadth of the topic and the
individualized nature of many aspects
of supply chain management, a
Reliability Standard pertaining to
supply chain management security
should:
• Respect FPA section 215
jurisdiction by only addressing the
obligations of responsible entities. A
Reliability Standard should not directly
impose obligations on suppliers,
vendors or other entities that provide
products or services to responsible
entities.
• Be forward-looking in the sense that
the Reliability Standard should not
dictate the abrogation or re-negotiation
of currently-effective contracts with
vendors, suppliers or other entities.
• Recognize the individualized nature
of many aspects of supply chain
management by setting goals (the
‘‘what’’), while allowing flexibility in
how a responsible entity subject to the
one or more Facilities, systems, or equipment,
which, if destroyed, degraded, or otherwise
rendered unavailable when needed, would affect
the reliable operation of the Bulk Electric System.
Redundancy of affected Facilities, systems, and
equipment shall not be considered when
determining adverse impact. Each BES Cyber Asset
is included in one or more BES Cyber Systems.’’ Id.
67 NOPR, 152 FERC ¶ 61,054 at P 64.
E:\FR\FM\29JYR1.SGM
29JYR1
49884
Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations
asabaliauskas on DSK3SPTVN1PROD with RULES
Reliability Standard achieves that goal
(the ‘‘how’’).
• Given the types of specialty
products involved and the diversity of
acquisition processes, the Reliability
Standard may need to allow exceptions
(e.g., to meet safety requirements and
fill operational gaps if no secure
products are available).
• Provide enough specificity so that
compliance obligations are clear and
enforceable. In particular, the
Commission anticipated that a
Reliability Standard that simply
requires a responsible entity to ‘‘have a
plan’’ addressing supply chain
management would not suffice. Rather,
to adequately address the concerns
identified in the NOPR, the Commission
stated a Reliability Standard should
identify specific controls.68
37. The NOPR recognized that,
because security controls for supply
chain management likely vary greatly
with each responsible entity due to
variations in individual business
practices, the right set of supply chain
management security controls should
accommodate, inter alia, an entity’s: (1)
Procurement process; (2) vendor
relations; (3) system requirements; (4)
information technology implementation;
and (5) privileged commercial or
financial information. As examples of
controls that may be instructional in the
development of any new Reliability
Standard, the NOPR identified the
following Supply Chain Risk
Management controls from NIST SP
800–161: (1) Access Control Policy and
Procedures; (2) Security Assessment
Authorization; (3) Configuration
Management; (4) Identification and
Authentication; (5) System Maintenance
Policy and Procedures; (6) Personnel
Security Policy and Procedures; (7)
System and Services Acquisition; (8)
Supply Chain Protection; and (9)
Component Authenticity.69
Comments
38. NERC states that a Commission
directive requiring the development of a
supply chain risk management
Reliability Standard: (1) Should provide
a minimum of two years for Reliability
Standard development activities; (2)
should clarify that any such Reliability
Standard build on existing protections
in the CIP Reliability Standards and the
practices of responsible entities, and
focus primarily on those procedural
controls that responsible entities can
reasonably be expected to implement
during the procurement of products and
68 Id.
P 66.
152 FERC ¶ 61,054 at P 65 (citing NIST
Special Publication 800–161 at 51).
69 NOPR,
VerDate Sep<11>2014
17:04 Jul 28, 2016
Jkt 238001
services associated with bulk electric
system operations to manage supply
chain risks; and (3) must be flexible to
account for differences in the needs and
characteristics of responsible entities,
the diversity of bulk electric system
environments, technologies, risks, and
issues related to the limited
applicability of mandatory NERC
Reliability Standards.70
39. While sharing the Commission’s
concern that supply chain risks pose a
threat to bulk electric system reliability,
some commenters suggest that the
Commission address certain threshold
issues before moving forward with the
NOPR proposal. IRC notes its concern
that the NOPR proposal is overly broad,
which IRC states could hamper
industry’s ability to address the
Commission’s concerns.71 Idaho Power
expresses a concern ‘‘that tightening
purchasing controls too tightly could
also pose a risk because there are
limited vendors’’ available to
industry.72 Idaho Power states that any
supply chain Reliability Standard
‘‘should be laid out in terms of
requirements built around controls that
are developed by the regulated entity
rather than prescriptive requirements
like many other CIP standards.’’ 73 ISO–
NE supports the development of
procedural controls ‘‘such as
requirements that Registered Entities
must transact with organizations that
meet certain criteria, use specified
procurement language in contracts, and
review and validate vendors’ security
practices.’’ 74 Peak notes that ‘‘the
number of vendors for certain hardware,
software and services may be limited’’
and, therefore, a supply chain-related
Reliability Standard should grant
responsible entities the flexibility ‘‘to
show preference for, but not the
obligation to use, vendors who
demonstrate sound supply chain
security practices.’’ 75
40. NERC, the Trade Associations,
Southern, Gridwise, and other
commenters request that, should the
Commission find it reasonable to direct
NERC to develop a new or modified
Reliability Standard for supply chain
management, the Commission adopt
certain principles for NERC to follow in
the standards development process. As
an initial matter, NERC and other
commenters state that the Commission
should identify the risks that it intends
NOPR Comments at 8–9.
NOPR Comments at 2.
72 Idaho Power NOPR Comments at 3.
73 Id. at 3–4.
74 ISO–NE NOPR Comments at 2 (citing NERC
NOPR Comments at 17–18).
75 Peak NOPR Comments at 4.
PO 00000
70 NERC
71 IRC
Frm 00030
Fmt 4700
Sfmt 4700
NERC to address.76 In addition, NERC,
SPP RE, and AEP state that the
Commission should ensure that any
new or modified supply chain-related
Reliability Standard carefully considers
the risk being addressed against the cost
of mitigating that risk.77
41. NERC states that the focus of any
supply chain risk management
Reliability Standard ‘‘should be a set of
requirements outlining those procedural
controls that entities should take, as
purchasers of products and services, to
design more secure products and
modify the security practices of
suppliers, vendors, and other parties
throughout the supply chain.’’ 78
Similarly, SPP RE notes that, while one
responsible entity alone may not have
adequate leverage to make a vendor or
supplier adopt adequate security
practices, ‘‘the collective application of
the procurement language across a
broad collection of Responsible Entities
may achieve the intended improvement
in security safeguards.’’ 79 Isologic and
Resilient Societies recommends limiting
the Reliability Standard requirements to
a few that are immediately necessary,
such as: (1) Preventing the installation
of cyber related system or grid
components which have been reported
by ICS–CERT to be provably vulnerable
to a supply chain attack, unless the
vulnerability has been corrected; (2)
removing from operation any system or
component reported by ICS–CERT as
containing an exploitable vulnerability;
and (3) subjecting hardware and
software to penetration testing prior to
installation on the grid.80
42. In post-technical conference
comments, while still opposing the
NOPR proposal, APPA suggests certain
parameters that should govern the
development of any supply chainrelated Reliability Standard.81
Specifically, APPA states that a supply
chain-related Reliability Standard
should be risk-based and ‘‘must embody
an approach that enables utilities to
perform a risk assessment of the
hardware and systems that create
potential vulnerabilities,’’ similar to the
approach taken in Reliability Standard
CIP–014–2, Requirement R1 (Physical
76 NERC NOPR Comments at 9–11; Trade
Associations NOPR Comments at 26; Gridwise
NOPR Comments at 5; AEP NOPR Comments at 8;
SPP RE NOPR Comments at 11; EnergySec NOPR
Comments at 4.
77 NERC NOPR Comments at 11–12; SPP RE
NOPR Comments at 11; AEP NOPR Comments at 9.
78 NERC NOPR Comments at 17.
79 SPP RE NOPR Comments at 12.
80 Isologic and Resilient Societies Joint NOPR
Comments at 11.
81 APPA’s post-technical conference comments
were submitted jointly with LPPC and TAPS.
E:\FR\FM\29JYR1.SGM
29JYR1
Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations
Security).82 In addition, APPA states
that a supply chain-related Reliability
Standard should not require responsible
entities to actively manage third-party
vendors or their processes since that
would risk involving utilities in areas
that are outside of their core expertise.
APPA also argues that ‘‘it would be
unreasonable for any standard that
FERC directs to hold utilities liable for
the actions of third-party vendors or
suppliers.’’ 83 Finally, APPA states that
responsible entities should be able to
rely on a credible attestation by a
vendor or supplier that it complied with
identified supply chain security
process. APPA contends that this would
be the most efficient way to ‘‘establish
a standard of care on the suppliers’
part.’’ 84
asabaliauskas on DSK3SPTVN1PROD with RULES
Discussion
43. We direct that NERC, pursuant to
section 215(d)(5) of the FPA, develop a
forward-looking, objective-driven new
or modified Reliability Standard to
require each affected entity to develop
and implement a plan that includes
security controls for supply chain
management for industrial control
system hardware, software, and services
associated with bulk electric system
operations. Our directive is consistent
with the NOPR comments advocating
flexibility as to what form the
Commission’s directive should take.
44. We agree with NERC and other
commenters that a supply chain risk
management Reliability Standard
should be flexible and fall within the
scope of what is possible using
Reliability Standards under FPA section
215. The directive discussed below, we
believe, is consistent with both points.
In particular, the flexibility inherent in
our directive should account for, among
other things, differences in the needs
and characteristics of responsible
entities and the diversity of BES Cyber
System environments, technologies and
risks. For example, the new or modified
Reliability Standard may allow a
responsible entity to meet the security
objectives discussed below by having a
plan to apply different controls based on
the criticality of different assets. And by
directing NERC to develop a new or
modified Reliability Standard, the
Commission affords NERC the option of
modifying existing Reliability Standards
to satisfy our directive. Finally, we
direct NERC to submit the new or
modified Reliability Standard within
82 APPA
Post-Technical Conference Comments at
3–4.
83 Id.
84 Id.
at 4–5.
at 5.
VerDate Sep<11>2014
17:04 Jul 28, 2016
Jkt 238001
one year of the effective date of this
Final Rule.85
45. The plan required by the new or
modified Reliability Standard
developed by NERC should address, at
a minimum, the following four specific
security objectives in the context of
addressing supply chain management
risks: (1) Software integrity and
authenticity; (2) vendor remote access;
(3) information system planning; and (4)
vendor risk management and
procurement controls. Responsible
entities should be required to achieve
these four objectives but have the
flexibility as to how to reach the
objective (i.e., the Reliability Standard
should set goals (the ‘‘what’’), while
allowing flexibility in how a responsible
entity subject to the Reliability Standard
achieves that goal (the ‘‘how’’)).86
Alternatively, NERC can propose an
equally effective and efficient approach
to address the issues raised in the
objectives identified below. In addition,
while in the discussion below we
identify four objectives, NERC may
address additional supply chain
management objectives in the standards
development process, as it deems
appropriate.
46. The new or modified Reliability
Standard should also require a periodic
reassessment of the utility’s selected
controls. Consistent with or similar to
the requirement in Reliability Standard
CIP–003–6, Requirement R1, the
Reliability Standard should require the
responsible entity’s CIP Senior Manager
to review and approve the controls
adopted to meet the specific security
objectives identified in the Reliability
Standard at least every 15 months. This
periodic assessment should better
ensure that the required plan remains
up-to-date, addressing current and
emerging supply chain-related concerns
and vulnerabilities.
47. Also, consistent with this reliance
on an objectives-based approach, and as
part of this periodic review and
approval, the responsible entity’s CIP
Senior Manager should consider any
guidance issued by NERC, the U.S.
Department of Homeland Security
(DHS) or other relevant authorities for
the planning, procurement, and
operation of industrial control systems
and supporting information systems
85 We note that the Trade Associations request
that the Commission allow ‘‘at least one year for
discussion, development, and approval by the
NERC Board of Trustees.’’ See Trade Associations
Post-Technical Conference Comments at 22. NERC
should submit an informational filing within ninety
days of the effective date of this Final Rule with a
plan to address the Commission’s directive.
86 See Order No. 672, FERC Stats. & Regs. ¶
31,204 at P 260.
PO 00000
Frm 00031
Fmt 4700
Sfmt 4700
49885
equipment since the prior approval, and
identify any changes made to address
the recent guidance. This periodic
reconsideration will help ensure an
ongoing, affirmative process for
reviewing and, when appropriate,
incorporating such guidance.
First Objective: Software Integrity and
Authenticity
48. The new or modified Reliability
Standard must address verification of:
(1) The identity of the software
publisher for all software and patches
that are intended for use on BES Cyber
Systems; and (2) the integrity of the
software and patches before they are
installed in the BES Cyber System
environment.
49. This objective is intended to
reduce the likelihood that an attacker
could exploit legitimate vendor patch
management processes to deliver
compromised software updates or
patches to a BES Cyber System. One of
the two focused malware campaigns
identified by ICS–CERT in 2014 utilized
similar tactics, executing what is
commonly referred to as a ‘‘Watering
Hole’’ attack 87 to exploit affected
information systems. Similar tactics
appear to have been used in a recently
disclosed attack targeting electric sector
infrastructure in Japan.88 These types of
attacks might have been prevented had
the affected entities applied adequate
integrity and authenticity controls to
their patch management processes.
50. As NERC recognizes in its NOPR
comments, NIST SP–800–161
‘‘establish[es] instructional reference
points for NERC and its stakeholders to
leverage in evaluating the appropriate
framework for and security controls to
include in any mandatory supply chain
management Reliability Standard.’’ 89
NIST SP–800–161 includes a number of
security controls which, when taken
together, reduce the probability of a
successful Watering Hole or similar
cyberattack in the industrial control
system environment and thus could
assist in addressing this objective. For
example, in the System and Information
87 ‘‘Watering Hole’’ attacks exploit poor vendor/
client patching and updating processes. Attackers
generally compromise a vendor of the intended
victim and then use the vendor’s information
system as a jumping off point for their attack.
Attackers will often inject malware or replace
legitimate files with corrupted files (usually a patch
or update) on the vendor’s Web site as part of the
attack. The victim then downloads the files without
verifying each file’s legitimacy believing that it is
included in a legitimate patch or update.
88 See Cylance, Operation DustStorm, https://
www.cylance.com/hubfs/2015_cylance_website/
assets/operation-dust-storm/Op_Dust_Storm_
Report.pdf.
89 NERC NOPR Comments at 16–17; see also
Resilient Societies NOPR Comments at 11.
E:\FR\FM\29JYR1.SGM
29JYR1
49886
Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations
Integrity (SI) control family, control SI–
7 suggests that the integrity of
information systems and components
should be tested and verified using
controls such as digital signatures and
obtaining software directly from the
developer. In the Configuration
Management (CM) control family,
control CM–5(3) requires that the
information system prevent the
installation of firmware or software
without verification that the component
has been digitally signed to ensure that
hardware and software components are
genuine and valid. NIST SP–800–161,
while not meant to be definitive,
provides examples of controls for
addressing the Commission’s directive
regarding this first objective. Other
security controls also could meet this
objective.
asabaliauskas on DSK3SPTVN1PROD with RULES
Second Objective: Vendor Remote
Access to BES Cyber Systems
51. The new or modified Reliability
Standard must address responsible
entities’ logging and controlling all
third-party (i.e., vendor) initiated
remote access sessions. This objective
covers both user-initiated and machineto-machine vendor remote access.
52. This objective addresses the threat
that vendor credentials could be stolen
and used to access a BES Cyber System
without the responsible entity’s
knowledge, as well as the threat that a
compromise at a trusted vendor could
traverse over an unmonitored
connection into a responsible entity’s
BES Cyber System. The theft of
legitimate user credentials appears to
have been a critical aspect to the
successful execution of the 2015
cyberattack on Ukraine’s power grid.90
In addition, controls adopted under this
objective should give responsible
entities the ability to rapidly disable
remote access sessions in the event of a
system breach.
53. DHS noted the importance of
controlling vendor remote access in its
alert on the Ukrainian cyberattack:
‘‘Remote persistent vendor connections
should not be allowed into the control
network. Remote access should be
operator controlled, time limited, and
procedurally similar to ‘‘lock out, tag
out.’’ The same remote access paths for
vendor and employee connections can
be used; however, double standards
should not be allowed.’’ 91
90 See E–ISAC, Analysis of the Cyber Attack on
the Ukrainian Power Grid at 3 (Mar. 18, 2016),
https://www.nerc.com/pa/CI/ESISAC/Documents/EISAC_SANS_Ukraine_DUC_18Mar2016.pdf.
91 See ICS–CERT Alert, Cyber-Attack Against
Ukrainian Critical Infrastructure, https://ics-cert.uscert.gov/alerts/IR-ALERT-H-16-056-01.
VerDate Sep<11>2014
17:04 Jul 28, 2016
Jkt 238001
54. NIST SP–800–53 and NIST SP–
800–161 provide several security
controls which, when taken together,
reduce the probability that an attacker
could use legitimate third-party access
to compromise responsible entity
information systems. In the Systems and
Communications (SC) control family, for
example, control SC–7 addressing
boundary protection requires that an
entity implement appropriate
monitoring and control mechanisms and
processes at the boundary between the
entity and its suppliers, and that
provisions for boundary protections
should be incorporated into agreements
with suppliers. These protections are
applied regardless of whether the
remote access session is user-initiated or
interactive in nature.
55. In the Access Control (AC) control
family, control AC–17 requires usage
restrictions, configuration/connection
requirements, and monitoring and
control for remote access sessions,
including the entity’s ability to
expeditiously disconnect or disable
remote access. In the Identification and
Authentication (IA) control family,
control IA–5 requires changing default
‘‘authenticators’’ (e.g., passwords) prior
to information system installation. In
the System and Information Integrity
(SI) control family, control SI–4
addresses monitoring of vulnerabilities
resulting from past information and
communication technology supply
chain compromises, such as malicious
code implanted during software
development and set to activate after
deployment. These sources, while not
meant to be definitive, provide
examples of controls for addressing the
Commission’s directive regarding
objective two. Other security controls
also could meet this objective.
Third Objective: Information System
Planning and Procurement
56. The new or modified Reliability
Standard must address how a
responsible entity will include security
considerations as part of its information
system planning and system
development lifecycle processes. As
part of this objective, the new or
modified Reliability Standard must
address a responsible entity’s CIP Senior
Manager’s (or delegate’s) identification
and documentation of the risks of
proposed information system planning
and system development actions. This
objective is intended to ensure adequate
consideration of these risks, as well as
the available options for hardening the
responsible entity’s information system
and minimizing the attack surface.
57. This third objective addresses the
risk that responsible entities could
PO 00000
Frm 00032
Fmt 4700
Sfmt 4700
unintentionally plan to procure and
install unsecure equipment or software
within their information systems, or
could unintentionally fail to anticipate
security issues that may arise due to
their network architecture or during
technology and vendor transitions. For
example, the BlackEnergy malware
campaign identified by ICS–CERT and
referenced in the NOPR resulted from
the remote exploitation of previously
unidentified vulnerabilities, which
allowed attackers to remotely execute
malicious code on remotely accessible
devices.92 According to ICS–CERT, this
attack might have been mitigated if
affected entities had taken steps during
system development and planning to:
(1) Minimize network exposure for all
control system devices/subsystems; (2)
ensure that devices were not accessible
from the internet; (3) place devices
behind firewalls; and (4) utilize secure
remote access techniques.93 The third
objective also supports, where
appropriate, the need for strategic
technology refreshes as recommended
by ICS–CERT in response to the 2015
Ukraine cybersecurity incident.94
58. NIST SP 800–53 and SP 800–161
provide several controls which, when
taken together, reduce the likelihood
that an information system will be
deployed and/or remain in service with
potential vulnerabilities that have not
been identified or adequately
considered. For example, in the NIST
SP 800–53 Systems Acquisition (SA)
control family, control SA–3 provides
that organizations should: (1) Manage
information systems using an
organizationally-defined system
development life cycle that incorporates
information security considerations; and
(2) integrate the organizational
information security risk management
process into system development life
cycle activities.95 Similarly, control SA–
8 recommends using secure engineering
principles during the planning and
acquisition phases of future projects
such as: (1) Developing layered
protections; (2) establishing sound
security policy, architecture, and
controls as the foundation for design; (3)
incorporating security requirements into
the system development life cycle; and
(4) reducing risk to acceptable levels,
thus enabling informed risk
92 See ICS–CERT Alert, Ongoing Sophisticated
Malware Campaign Compromising ICS (Update E).
93 See ICS–CERT Advisory, GE Proficy
Vulnerabilities, https://ics-cert.us-cert.gov/
advisories/ICSA–14–023–01.
94 See ICS–CERT Alert, Cyber-Attack Against
Ukrainian Critical Infrastructure.
95 NIST Special Publication 800–53, Appendix F
(Security Control Catalog) at 157.
E:\FR\FM\29JYR1.SGM
29JYR1
Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations
asabaliauskas on DSK3SPTVN1PROD with RULES
management decisions.96 Finally,
control SA–22 provides controls to
address unsupported system
components, recommending the
replacement of information and
communication technology components
when support is no longer available, or
the justification and approval of an
unsupported system component to meet
specific business needs. These sources,
while not meant to be definitive,
provide examples of controls for
addressing the Commission’s directive
regarding objective three. Other security
controls also could meet this objective.
Fourth Objective: Vendor Risk
Management and Procurement Controls
59. The new or modified Reliability
Standard must address the provision
and verification of relevant security
concepts in future contracts for
industrial control system hardware,
software, and computing and
networking services associated with
bulk electric system operations.
Specifically, NERC must address
controls for the following topics: (1)
Vendor security event notification
processes; (2) vendor personnel
termination notification for employees
with access to remote and onsite
systems; (3) product/services
vulnerability disclosures, such as
accounts that are able to bypass
authentication or the presence of
hardcoded passwords; (4) coordinated
incident response activities; and (5)
other related aspects of procurement.
NERC should also consider provisions
to help responsible entities obtain
necessary information from their
vendors to minimize potential
disruptions from vendor-related security
events.
60. This fourth objective addresses the
risk that responsible entities could enter
into contracts with vendors who pose
significant risks to their information
systems, as well as the risk that
products procured by a responsible
entity fail to meet minimum security
criteria. In addition, this objective
addresses the risk that a compromised
vendor would not provide adequate
notice and related incident response to
responsible entities with whom that
vendor is connected.
61. The Department of Energy (DOE)
Cybersecurity Procurement Language for
Energy Delivery Systems document
outlines security principles and controls
for entities to consider when designing
and procuring control system products
and services (e.g., software, systems,
maintenance, and networks), and
provides example language that could
96 Id.
at 162.
VerDate Sep<11>2014
17:04 Jul 28, 2016
Jkt 238001
be incorporated into procurement
specifications. The procurement
language encourages buyers to
incorporate baseline procurement
language that ensures the supplier
establishes, documents and implements
risk management practices for supply
chain delivery of hardware, software,
and firmware.97 In addition, NIST SP
800–161 encourages buyers to use the
Information and Communications
Technology supply chain risk
management (ICT SCRM) plans for their
respective systems and missions
throughout their acquisition activities.98
The controls in the ICT SCRM plans can
be applied in different life cycle
processes.
62. NIST SP 800–161 also provides
specific recommendations in control
SA–4 pertaining to systems acquisition
processes, which are relevant for
consideration during the standards
development process, including but not
limited to: (1) Defining requirements
that cover regulatory requirements (i.e.,
telecommunications or IT), technical
requirements, chain of custody,
transparency and visibility, sharing
information on supply chain security
incidents throughout the supply chain,
rules for disposal or retention of
elements such as components, data, or
intellectual property, and other relevant
requirements; (2) defining requirements
for critical elements in the supply chain
to demonstrate a capability to remediate
emerging vulnerabilities based on open
source information and other sources;
and (3) defining requirements for the
expected life span of the system and
ensuring that suppliers can provide
insights into their plans for the end-oflife of components. Other relevant
provisions can be found in the System
and Communications Protection (SC)
control family under control SC–18
addressing SCRM guidance for mobile
code, which recommends that
organizations employ rigorous supply
chain protection techniques in the
acquisition, development, and use of
mobile code to be deployed in
information systems.99 These sources,
97 See Energy Sector Control Systems Working
Group, Cybersecurity Procurement Language—
Energy Delivery Systems at 27, https://
www.energy.gov/sites/prod/files/2014/04/f15/
CybersecProcurementLanguageEnergyDeliverySystems_040714_fin.pdf.
98 See NIST Special Publication 800–161 at 51.
99 Mobile code is a software program or parts of
a program obtained from remote information
systems, transmitted across a network, and
executed on a local information system without
explicit installation or execution by the recipient.
NIST Special Publication 800–53, Appendix B
(Glossary) at 14. Mobile code technologies include,
for example, Java, JavaScript, ActiveX, Postscript,
PDF, Shockwave movies, Flash animations, and
VBScript. Id.
PO 00000
Frm 00033
Fmt 4700
Sfmt 4700
49887
while not meant to be definitive,
provide examples of controls for
addressing the Commission’s directive
regarding objective four. Other security
controls also could meet this objective.
3. Existing CIP Reliability Standards
Comments
63. NERC comments that although the
CIP Reliability Standards do not
explicitly address supply chain
procurement practices, existing
requirements mitigate the supply chain
risks identified in the NOPR. In
particular, NERC states that
requirements in Reliability Standards
CIP–004–6, CIP–005–5, CIP–006–6, CIP–
007–6, CIP–008–5, CIP–009–6, CIP–
010–2, and CIP–011–2 ‘‘include controls
that correspond to controls in NIST SP
800–161.’’ 100
64. For example, NERC explains that
responsible entity compliance with
Reliability Standard CIP–004–6,
addressing the implementation of
cybersecurity awareness programs, may
include reinforcement of cybersecurity
practices to mitigate supply chain risks.
NERC also states that requirements in
Reliability Standard CIP–004–6
(addressing personnel risk assessment)
and requirements in Reliability
Standards CIP–004–6, CIP–005–5, CIP–
006–6, CIP–007–6, and CIP–010–2
(addressing electronic and physical
access) apply to any outside vendors or
contractors.
65. The Trade Associations, Arkansas,
G&T Cooperatives, NIPSCO, Luminant,
Southern, NextEra, and SCE contend
that the existing CIP Reliability
Standards, at least partly, address
supply chain risks that are within a
responsible entity’s control.
66. The Trade Associations state that,
while the existing CIP Reliability
Standards do not contain explicit
provisions addressing supply chain
management, ‘‘transmission owners and
operators already have significant
responsibilities to perform under
various Commission-approved CIP
standards that already address supply
chain issues.’’ 101 Specifically, the Trade
Associations, NIPSCO, and others state
that Reliability Standard CIP–010–2
establishes requirements for cyber asset
change management that mandate
extensive baseline configuration testing
and change monitoring, as well as
vulnerability assessments, prior to
connecting a new cyber asset to a High
Impact BES Cyber Asset.102
100 NERC
NOPR Comments at 15–16.
Associations NOPR Comments at 19–20.
102 Trade Associations NOPR Comments at 20;
NIPSCO NOPR Comments at 5; Southern NOPR
101 Trade
E:\FR\FM\29JYR1.SGM
Continued
29JYR1
asabaliauskas on DSK3SPTVN1PROD with RULES
49888
Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations
67. The Trade Associations also
contend that the CIP Reliability
Standards provide adequate vendor
remote access protections by mandating:
(1) Controls that restrict personnel
access (physical and electronic) to
protected information systems; (2)
controls that prevent direct access to
applicable systems for interactive
remote access sessions using routable
protocols; (3) the use of encryption for
connections extending outside of an
electronic security perimeter; (4) the use
of two factor authentication when
accessing medium and high impact
systems; and (5) integration controls
which require changing known default
accounts and passwords.103
68. NIPSCO, Luminant, and G&T
Cooperatives point to Reliability
Standard CIP–007–6 as an existing
Reliability Standard that addresses
supply chain risks. Reliability Standard
CIP–007–6 requires responsible entities
to have processes under which only
necessary ports and services should be
enabled; security patches should be
tracked, evaluated, and installed on
applicable BES Cyber Systems; and antivirus software or other prevention tools
should be used to prevent the
introduction and propagation of
malicious software on all Cyber Assets
within an Electronic Security
Perimeter.104
69. Commenters also identify existing
voluntary guidelines that, they contend,
augment the existing CIP Reliability
Standards to further address any
potential risks posed by the supply
chain. Southern points to voluntary
cybersecurity procurement guidance
materials developed by the DHS and the
DOE as examples of procurement
language that could be used in the
course of vendor negotiations. Southern
states that the DHS and DOE guidelines
recognize the need for flexibility and
allow for multiple contractual
approaches.105
70. Commenters suggest that the
Commission direct NERC to develop
cybersecurity procurement guidance
documents as opposed to a mandatory
Reliability Standard. AEP, NextEra, and
Southern state that the Commission
could direct NERC to develop guidance
documents addressing supply chain risk
management based, in part, on the DHS
and DOE voluntary cybersecurity
Comments at 12; Luminant NOPR Comments at 4–
5; SCE NOPR Comments at 6.
103 Trade Associations Post-Technical Conference
Comments at 6.
104 NIPSCO NOPR Comments at 5; Luminant
NOPR Comments at 4; G&T Cooperatives NOPR
Comments at 8–9.
105 Southern NOPR Comments at 13.
VerDate Sep<11>2014
17:04 Jul 28, 2016
Jkt 238001
procurement guidance materials.106
Luminant asserts that NERC-developed
guidance ‘‘would effectively
communicate key issues while
permitting industry the flexibility to
effectively protect their BES Cyber
Systems in a way most effective for that
entity and at the lowest cost.’’ 107
Discussion
71. While we recognize that existing
CIP Reliability Standards include
requirements that address aspects of
supply chain management, we
determine that existing Reliability
Standards do not adequately protect
against supply chain risks that are
within a responsible entity’s control.
Specifically, we find that existing CIP
Reliability Standards do not provide
adequate protection for the four aspects
of supply chain risk management that
underlie the four objectives for a new or
modified Reliability Standard discussed
above.108 Moreover, a fundamental
premise of cyber security is ‘‘defense in
depth,’’ and addressing issues in the
supply chain (to the extent a utility
reasonably can) is an important
component of a strong, multi-layered
defense.
Software Integrity and Authenticity
72. With regard to software integrity
and authenticity, we agree with
commenters who state that the existing
CIP Reliability Standards contain
requirements for responsible entities to
implement a patch management process
for tracking, evaluating, and installing
cybersecurity patches and to implement
processes to detect, prevent, and
mitigate the threat of malicious code.
These provisions, however, do not
require responsible entities to verify the
identity of the software publisher for all
software and patches that are intended
for use on their BES Cyber Systems or
to verify the integrity of the software
and patches before they are installed in
the BES Cyber System environment.109
As discussed above, the CIP Reliability
Standards should address compromised
software or patches that a responsible
entity receives from a vendor, in order
106 AEP NOPR Comments at 7–8; NextEra NOPR
Comments at 4–5; Southern NOPR Comments at
12–13.
107 Luminant NOPR Comments at 5.
108 Since the directive to NERC to develop a new
or modified Reliability Standard is limited to the
four objectives discussed above, we limit our
analysis of the existing CIP Reliability Standards to
requirements that relate to those objectives.
109 See Trade Associations NOPR Comments at 38
(indicating that integrity checking mechanisms
used to verify software, firmware, and information
integrity found in the NIST SP–800–161 System
and Information Integrity (SI) control family are not
addressed in the CIP version 5 Reliability
Standards).
PO 00000
Frm 00034
Fmt 4700
Sfmt 4700
to protect the bulk electric system from
Watering-Hole or similar cyberattacks.
These concerns are not addressed by
existing CIP Reliability Standards.
73. Mandatory controls in the existing
CIP Reliability Standards referenced by
commenters do not provide sufficient
protection against attacks that
compromise software and software
patch integrity and authenticity. For
example, while Reliability Standard
CIP–007–6, Requirement R2 requires
responsible entities to enforce a patch
management process for tracking,
evaluating, and installing cyber security
patches for applicable systems,
including evaluating security patches
for applicability, the requirement does
not address mechanisms to acquire the
patch file from a vendor in a secure
manner and methods to validate the
integrity of a patch file before
installation.
74. With respect to mandatory
configuration controls, Reliability
Standard CIP–010–2, Requirement R1
requires responsible entities to
authorize and document all changes to
baseline configurations and, where
technically feasible, test patches in a
test environment before installing.
However, NERC’s technical guidance
document for CIP–010–2, Requirement
R1, Part 1.2 does not require the
authorizer to first verify the authenticity
of a patch. Similarly, the testing of
patches in a test environment under
Requirement R1.5 would likely provide
insufficient protection as many malware
variants are programmed to execute
only after the system is rebooted several
times. Regarding patch source
monitoring, the guidelines and technical
basis section for Reliability Standard
CIP–007–6 suggests that responsible
entities should obtain security patches
from original sources, where possible,
and indicates that patches should be
approved or certified by another source
before being assessed and applied.110
The Reliability Standard, however, does
not require the use of these techniques.
Implementing controls that verify
integrity and authenticity of software
and its publishers may help mitigate
security gaps listed above.
75. In sum, the current CIP Reliability
Standards do contain certain controls
addressing the risks posed by malware,
as stated by commenters. Verifying
software integrity and authenticity,
however, is a reasonable and
appropriate complement to these
controls, is not required by the current
Standards, and is supported by the
110 Reliability Standard CIP–007–6 (Cyber
Security—Systems Security Management),
Guidelines and Technical Basis at 42–43.
E:\FR\FM\29JYR1.SGM
29JYR1
Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations
principle of defense-in-depth. In fact,
this verification can be viewed as the
first line of defense against malwareinfected software.
asabaliauskas on DSK3SPTVN1PROD with RULES
Vendor Remote Access to BES Cyber
Systems
76. On the subject of vendor remote
access, which includes vendor userinitiated Interactive Remote Access and
vendor machine-to-machine remote
access, existing CIP Reliability
Standards contain system access
requirements, including a requirement
for security event monitoring. However,
the CIP Reliability Standards do not
require remote access session logging for
machine-to-machine remote access, nor
do they address the ability to monitor or
close unsafe remote connections for
both vendor Interactive Remote Access
and vendor machine-to-machine remote
access.111 The CIP Reliability Standards
should address enhanced session
logging requirements for vendor remote
access in order to improve visibility of
activity on BES Cyber Systems and give
responsible entities the ability to rapidly
disable remote access sessions in the
event of a system breach.
77. The existing requirements
referenced by NERC, the Trade
Associations, and other commenters do
not adequately address access
restrictions for vendors. For example,
while Reliability Standard CIP–004–6,
Requirements R4 and R5 provide
controls that must be applied to vendors
such as restricting access to individuals
‘‘based on need,’’ these Requirements do
not include post-authorization logging
or control of remote access. The existing
CIP Reliability Standards do not require
a responsible entity to monitor data
traffic that traverses remote
communication to their BES Cyber
Systems. The absence of postauthorization monitoring and logging
presents an opportunity for
unmonitored malicious or otherwise
inappropriate remote communication to
or from a BES Cyber System. The
inability of a responsible entity to
rapidly terminate a connection may
allow malicious or otherwise
inappropriate communication to
propagate, contributing to a degradation
of a BES Cyber Asset’s function.
Enhanced visibility into remote
communications and the ability to
rapidly terminate a remote
111 See Trade Association NOPR Comments at 43
(indicating that mechanisms for monitoring for
unauthorized personnel, connections, devices, and
software found in the NIST SP–800–161 System
and Information Integrity (SI) control family are not
addressed in the CIP version 5 Reliability
Standards).
VerDate Sep<11>2014
17:04 Jul 28, 2016
Jkt 238001
communication could mitigate such a
vulnerability.
78. Reliability Standard CIP–005–5,
Requirement R1 provides controls for
vendor machine-to-machine and vendor
user-initiated Interactive Remote Access
sessions by restricting all inbound and
outbound communications through an
identified Electronic Access Point for bidirectional routable protocol
connections. Reliability Standard CIP–
005–5, Requirement R2 provides
controls for vendor interactive remote
access sessions by requiring the use of
encryption and requiring multi-factor
authentication. However, the provisions
of Reliability Standard CIP–005–5,
Requirement R2 addressing interactive
remote access management do not apply
to vendor machine-to-machine remote
access. The Reliability Standard CIP–
005–5, Requirement R2 controls
addressing interactive remote access
management only apply to remote
connections that are user-initiated (i.e.,
initiated by a person). Machine-tomachine connections are not userinitiated and, therefore, are not subject
to the requirements of Reliability
Standard CIP–005–5, Requirement R2.
When the interactive remote access
management controls of Reliability
Standard CIP–005–5, Requirement R2
do not apply, a machine-to-machine
remote communication may access a
BES Cyber System without any access
credentials, over an unencrypted
channel, and without going through an
Intermediate System.
79. For both Interactive Remote
Access and machine-to-machine remote
access, Reliability Standard CIP–007–6,
Requirement R3 requires monitoring for
malicious code and Requirement R4
requires logging of successful and
unsuccessful login attempts, as well as
logging detected malicious code.
However, Reliability Standard CIP–007–
6 does not address the risks posed by
inappropriate activity that could occur
during a remote communication. The
lack of a requirement addressing the
detection of inappropriate activity
represents a risk because the responsible
entity may not be aware if an authorized
user is performing inappropriate activity
on a BES Cyber Asset via a remote
connection. This risk is higher for
machine-to-machine communication
due to the lack of authentication and
encryption requirements in the existing
CIP Reliability Standards, lowering the
threshold for a malicious actor to
execute a man-in-the-middle attack to
gain access to a BES Cyber System and
conduct inappropriate activity such as
reconnaissance or code modification.
80. Therefore, we recognize that the
current CIP Reliability Standards do
PO 00000
Frm 00035
Fmt 4700
Sfmt 4700
49889
contain certain controls addressing the
risks posed by vendor remote access, as
noted by commenters. However, the
current CIP Reliability Standards do not
require monitoring remote access
sessions or closing unsafe remote
connections for either vendor
Interactive Remote Access and vendor
machine-to-machine remote access.
Accordingly, we determine that vendor
remote access is not adequately
addressed in the approved CIP
Reliability Standards and, therefore, is
an objective that must be addressed in
the supply chain management plans
directed in this final rule.
Information System Planning and
Procurement
81. The existing CIP Reliability
Standards do not address information
system planning. Recent cybersecurity
incidents 112 have made it apparent that
overall system planning is as important
to overall BES Cyber System security
and reliability as any other component
of security architecture. In general, the
CIP Reliability Standards do not provide
a framework for maintaining ongoing
awareness of information security,
vulnerabilities, and threats to support
organization risk management
decisions; 113 nor do they address the
concept of integrating continuous
improvement of organizational security
posture with supply chain risk
management as recommended by NIST
SP 800–161.114 Based on the threats
evidenced by recent cybersecurity
incidents, the absence of security
considerations in system lifecycle
processes constitutes a gap in the CIP
Reliability Standards that could
contribute to pervasive and systemic
vulnerabilities that threaten bulk
electric system reliability.
82. The existing CIP Reliability
Standards also do not provide for
procurement controls for industrial
control system hardware, software, and
computing and networking services. As
discussed above, procurement controls
are intended to address the threat that
responsible entities could enter into
contracts with vendors who pose
significant risks to their information
systems or procure products that fail to
112 See E–ISAC, Analysis of the Cyber Attack on
the Ukrainian Power Grid at 3 (March 18, 2016); see
also Dell, Dell Security Annual Threat Report
(2015) at 7, https://software.dell.com/docs/2015dell-security-annual-threat-report-white-paper15657.pdf; Olcott Technical Conference Comments
at 2.
113 See NIST Special Publication 800–137,
Information Security Continuous Monitoring (ISCM)
for Federal Information Systems and Organizations
at vi, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/
nistspecialpublication800-137.pdf.
114 NIST Special Publication 800–161 at 46.
E:\FR\FM\29JYR1.SGM
29JYR1
49890
Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations
meet minimum security criteria, as well
as the risk that a compromised vendor
would not provide adequate notice and
related incident response to responsible
entities with whom that vendor is
connected.
83. With regard to commenters’
suggestion that the Commission direct
NERC to develop cybersecurity
procurement guidance documents as
opposed to a mandatory Reliability
Standard, we agree that the voluntary
efforts identified by commenters could
provide guidance or otherwise inform
NERC’s standard development process.
We conclude, however, that relying on
voluntary guidelines to address the
supply chain risks described above is
not sufficient to fulfill the Commission’s
responsibilities under FPA section 215.
asabaliauskas on DSK3SPTVN1PROD with RULES
4. Vendor Risk Management and
Procurement Controls
Comments
84. NERC, G&T Cooperatives,
Arkansas and others state that
responsible entities have limited
influence over vendors and contractors,
and, therefore, a limited ability to affect
the supply chain for industrial control
system hardware, software, and
computing and networking services
associated with bulk electric system
operations.115 NERC contends that any
supply chain management Reliability
Standard ‘‘must balance the reliability
need to implement supply chain
management security controls with
entities’ business need to obtain
products and services at a reasonable
cost.’’ 116 NERC maintains that
responsible entities lack bargaining
power to persuade vendors or suppliers
to implement cybersecurity controls
without significantly increasing the cost
of their products or services. NERC
points to NIST SP 800–161 to highlight
that implementing supply chain
security management controls ‘‘will
require financial and human resources,
not just from the [acquirer] directly but
also potentially from their system
integrators, suppliers, and external
service providers that would also result
in increased cost to the acquirer.’’ 117
85. G&T Cooperatives contend that
they ‘‘have minimal control over their
suppliers and are not able to identify all
potential vulnerabilities associated with
each and every supplier and their
products/parts.’’ 118 G&T Cooperatives
115 NERC NOPR Comments at 11–12; G&T
Cooperatives NOPR Comments at 9; Arkansas
NOPR Comments at 5.
116 NERC NOPR Comments at 11–12.
117 Id. (citing NIST Special Publication 800–161
at 3).
118 G&T Cooperatives NOPR Comments at 9.
VerDate Sep<11>2014
17:04 Jul 28, 2016
Jkt 238001
and Arkansas maintain that responsible
entities do not have the ability to force
a vendor to address all potential
vulnerabilities. G&T Cooperatives assert
that even if a contract between a
responsible entity and a supplier ‘‘could
include’’ language requiring the
supplier to implement security controls,
‘‘it is not feasible for contractual terms
. . . to address all potential
vulnerabilities related to supply chain
management.’’ 119
86. NERC, Trade Associations, G&T
Cooperatives and Arkansas also raise a
concern that the Commission’s proposal
could place compliance risk on
responsible entities for actions beyond
their control and, ultimately, incent
responsible entities to avoid upgrades
that could trigger such compliance
risk.120 NERC states that any supply
chain management Reliability Standard
should be drafted so that it ‘‘creates
affirmative obligations to implement
supply chain management security
controls without holding entities strictly
liable for any failure of those controls to
eliminate all supply chain threats and
vulnerabilities.’’ 121 NERC explains that
if a supply chain management
Reliability Standard is not reasonably
scoped to avoid unreasonable
compliance risk, it could create a
disincentive for responsible entities to
purchase and install new technologies
and equipment.
87. G&T Cooperatives state that
‘‘placing the compliance risk of vendor
and supplier security vulnerability on
Responsible Entities could incent
Responsible Entities to avoid upgrades
to their industrial control system
hardware, software, and other services.’’
G&T Cooperatives explain that there are
three primary incentives for a
responsible entity to avoid upgrades if
faced with compliance risks: (1) New
regulations would result in additional
costs for vendors and suppliers that
would be passed on to the end-user; (2)
since security patches are not issued by
vendors for unsupported hardware and
software, there is less security patch
management responsibility for the
responsible entity; and (3) avoiding new
hardware and software reduces the risk
of introducing undetected security
threats.122
Discussion
88. Our directive to NERC to develop
a new or modified Reliability Standard
at 9.
NOPR Comments at 13; Trade
Associations NOPR Comments at 24–25; G&T
Cooperatives NOPR Comments at 9–10; Arkansas
NOPR Comments at 6.
121 NERC NOPR Comments at 13.
122 G&T Cooperatives NOPR Comments at 9.
PO 00000
119 Id.
120 NERC
Frm 00036
Fmt 4700
Sfmt 4700
that addresses the objectives outlined
above balances the supply chain risks
facing the bulk electric system against
any potential challenges raised by
vendor relationships. We believe that
the concerns raised in comments with
respect to responsible entities’
relationships with vendors in relation to
supply chain risks are valid. Our
directive is informed by this concern
and reflects a reasonable balance
between the risks facing bulk electric
system reliability from the supply chain
and concerns over vendor relationships.
The directive strikes this balance by
addressing supply chain risks that are
within responsible entities’ control, and
we do not expect a new or modified
supply chain Reliability Standard to
impose obligations directly on vendors.
Moreover, entities will not be
responsible for vendor errors beyond the
scope of the controls implemented to
comply with the Reliability Standards.
89. With respect to concerns that the
Commission’s proposal could place
compliance risk on responsible entities
for actions beyond their control, which
some commenters argue would prompt
responsible entities to avoid upgrades
that could trigger such compliance risk,
we reiterate that the intent of the
directive is to address supply chain
risks that are within the responsible
entities’ control. As part of NERC’s
standard development process, we
expect NERC to establish provisions
addressing compliance obligations in a
manner that avoids shifting liability
from a vendor for its mistakes to a
responsible entity. Finally, we view the
argument that a new or modified
Reliability Standard will result in a
substantial increase in costs to be
speculative because, beyond requiring
NERC to address the four objectives
discussed above, or some equally
effective and efficient alternatives, our
directive does not require NERC to
develop a Reliability Standard that
mandates any particular controls or
actions.
III. Information Collection Statement
90. The Paperwork Reduction Act
(PRA) 123 requires each federal agency to
seek and obtain Office of Management
and Budget (OMB) approval before
undertaking a collection of information
directed to ten or more persons or
contained in a rule of general
applicability. OMB regulations 124
require approval of certain information
collection requirements imposed by
agency rules. Upon approval of a
collection of information, OMB will
123 44
124 5
E:\FR\FM\29JYR1.SGM
U.S.C. 3507(d).
CFR 1320.
29JYR1
Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations
assign an OMB control number and an
expiration date. Respondents subject to
the filing requirements of an agency rule
will not be penalized for failing to
respond to the collection of information
unless the collection of information
displays a valid OMB control number.
91. The Commission will submit the
information collection requirements to
OMB for its review and approval. The
Commission solicits public comments
on its need for this information, whether
the information will have practical
utility, the accuracy of burden and cost
estimates, ways to enhance the quality,
utility, and clarity of the information to
be collected or retained, and any
suggested methods for minimizing
respondents’ burden, including the use
of automated information techniques.
92. The information collection
requirements in this Final Rule in
Docket No. RM15–14–002 for NERC to
develop a new or to modify a Reliability
Standard for supply chain risk
management, should be part of FERC–
725 (Certification of Electric Reliability
Organization; Procedures for Electric
Reliability Standards (OMB Control No.
1902–0225)). However, there is an
unrelated item which is currently
pending OMB review under FERC–725,
and only one item per OMB Control No.
can be pending OMB review at a time.
Therefore, the requirements in this Final
Rule in RM15–14–002 are being
submitted under a new temporary or
interim collection number FERC–
725(1A) to ensure timely submittal to
OMB. In the long-term, Commission
staff plans to administratively move the
requirements and associated burden of
FERC–725(1A) to FERC–725.
93. Burden Estimate and Information
Collection Costs: The requirements for
the ERO to develop Reliability
Standards and to provide data to the
Commission are included in the existing
FERC–725. FERC–725 includes
information used by the Commission to
implement the statutory provisions of
section 215 of the FPA. FERC–725
includes the burden, reporting and
recordkeeping requirements associated
with: (a) Self-Assessment and ERO
Application, (b) Reliability
Assessments, (c) Reliability Standards
Development, (d) Reliability
Compliance, (e) Stakeholder Survey,
and (f) Other Reporting. In addition, the
Final Rule will not result in a
substantive increase in burden because
this requirement to develop standards is
covered under FERC–725. However
because FERC is using the temporary
information collection number, FERC–
725(1A), FERC will use ‘‘placeholder’’
estimates of 1 response and 1 burden
hour for the burden calculation.
IV. Regulatory Flexibility Act Analysis
94. The Regulatory Flexibility Act of
1980 (RFA) 125 generally requires a
description and analysis of final rules
that will have significant economic
impact on a substantial number of small
entities. The Small Business
Administration (SBA) revised its size
standard (effective January 22, 2014) for
electric utilities from a standard based
on megawatt hours to a standard based
on the number of employees, including
affiliates.126 The entities subject to the
Reliability Standards developed by the
North American Electric Reliability
Corporation (NERC) include users,
owners, and operators of the BulkPower System, which serves more than
334 million people. In addition, NERC’s
current responsibilities include the
development of Reliability Standards.
Accordingly, the Commission certifies
that the requirements in this Final Rule
will not have a significant economic
impact on a substantial number of small
entities, and no regulatory flexibility
analysis is required.
V. Environmental Analysis
95. The Commission is required to
prepare an Environmental Assessment
or an Environmental Impact Statement
for any action that may have a
significant adverse effect on the human
environment.127 The Commission has
categorically excluded certain actions
from this requirement as not having a
significant effect on the human
environment. Included in the exclusion
are rules that are clarifying, corrective,
or procedural or that do not
substantially change the effect of the
regulations being amended.128 The
actions proposed herein fall within this
categorical exclusion in the
Commission’s regulations.
VI. Effective Date and Congressional
Notification
96. This Final Rule is effective
September 27, 2016. The Commission
has determined, with the concurrence of
the Administrator of the Office of
Information and Regulatory Affairs of
OMB, that this rule is not a ‘‘major rule’’
as defined in section 351 of the Small
Business Regulatory Enforcement
Fairness Act of 1996. This Final Rule is
being submitted to the Senate, House,
and Government Accountability Office.
VII. Document Availability
97. In addition to publishing the full
text of this document in the Federal
Register, the Commission provides all
interested persons an opportunity to
view and/or print the contents of this
document via the Internet through the
Commission’s Home Page (https://
www.ferc.gov) and in the Commission’s
Public Reference Room during normal
business hours (8:30 a.m. to 5:00 p.m.
Eastern time) at 888 First Street NE.,
Room 2A, Washington, DC 20426.
98. From the Commission’s Home
Page on the Internet, this information is
available on eLibrary. The full text of
this document is available on eLibrary
in PDF and Microsoft Word format for
viewing, printing, and/or downloading.
To access this document in eLibrary,
type the docket number of this
document, excluding the last three
digits, in the docket number field.
User assistance is available for
eLibrary and the Commission’s Web site
during normal business hours from the
Commission’s Online Support at (202)
502–6652 (toll free at 1–866–208–3676)
or email at ferconlinesupport@ferc.gov,
or the Public Reference Room at (202)
502–8371, TTY (202) 502–8659. Email
the Public Reference Room at
public.referenceroom@ferc.gov.
By the Commission.
Issued: July 21, 2016.
Nathaniel J. Davis, Sr.,
Deputy Secretary.
Note: The following Appendix will not
appear in the Code of Federal Regulations.
asabaliauskas on DSK3SPTVN1PROD with RULES
APPENDIX—COMMENTERS
Abbreviation
Commenter
AEP ........................................................................
ACS ........................................................................
APS ........................................................................
125 5
U.S.C. 601–612.
Final Rule on ‘‘Small Business Size
Standards: Utilities,’’ 78 FR 77,343 (Dec. 23, 2013).
126 SBA
VerDate Sep<11>2014
17:04 Jul 28, 2016
Jkt 238001
American Electric Power Service Corporation.
Applied Control Solutions, LLC.
Arizona Public Service Company.
127 Regulations Implementing the National
Environmental Policy Act of 1969, Order No. 486,
FERC Stats. & Regs. ¶ 30,783 (1987).
PO 00000
Frm 00037
Fmt 4700
Sfmt 4700
49891
128 18
E:\FR\FM\29JYR1.SGM
CFR 380.4(a)(2)(ii).
29JYR1
49892
Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations
APPENDIX—COMMENTERS—Continued
Abbreviation
Commenter
Arkansas ................................................................
BPA ........................................................................
CEA ........................................................................
Consumers Energy ................................................
CyberArk ................................................................
EnergySec ..............................................................
Ericsson .................................................................
Resilient Societies ..................................................
G&T Cooperatives .................................................
Arkansas Electric Cooperative.
Bonneville Power Administration.
Canadian Electricity Association.
Consumers Energy Company.
CyberArk.
Energy Sector Security Consortium, Inc.
Ericsson.
Foundation for Resilient Societies.
Associated Electric Cooperative, Inc., Basin Electric Power Cooperative, and Tri-State Generation and Transmission Association, Inc.
Gridwise Alliance.
Idaho Power Company.
Indegy.
Independent Electricity System Operator.
ISO/RTO Council.
ISO New England Inc.
ITC Companies.
Isologic, LLC.
Kansas City Power & Light Company and KCP&L Greater Missouri Operations Company.
Luminant Generation Company, LLC.
National Electrical Manufacturers Association.
North American Electric Reliability Corporation.
NextEra Energy, Inc.
Northern Indiana Public Service Co.
Northwest Public Power Association.
Peak Reliability.
PNM Resources.
Department of Interior Bureau of Reclamation.
Security Industry Association.
Southern California Edison Company.
Southern Company Services.
Southwest Power Pool Regional Entity.
California Department of Water Resources State Water Project.
Tennessee Valley Authority.
Edison Electric Institute, American Public Power Association, National Rural Electric Cooperative Association, Electric Power Supply Association, Transmission Access Policy Study
Group, and Large Public Power Council.
Utilities Telecom Council.
Waterfall Security Solutions, Ltd.
Wisconsin Electric Power Company.
Gridwise .................................................................
Idaho Power ...........................................................
Indegy ....................................................................
IESO .......................................................................
IRC .........................................................................
ISO New England ..................................................
ITC .........................................................................
Isologic ...................................................................
KCP&L ...................................................................
Luminant ................................................................
NEMA .....................................................................
NERC .....................................................................
NextEra ..................................................................
NIPSCO .................................................................
NWPPA ..................................................................
Peak .......................................................................
PNM .......................................................................
Reclamation ...........................................................
SIA .........................................................................
SCE ........................................................................
Southern .................................................................
SPP RE ..................................................................
SWP .......................................................................
TVA ........................................................................
Trade Associations ................................................
UTC ........................................................................
Waterfall .................................................................
Wisconsin ...............................................................
UNITED STATES OF AMERICA
asabaliauskas on DSK3SPTVN1PROD with RULES
FEDERAL ENERGY REGULATORY
COMMISSION
Revised Critical Infrastructure Protection,
Reliability Standards Docket No. RM15–
14–002
(Issued July 21, 2016)
LaFLEUR, Commissioner dissenting:
In today’s order, the Commission elects to
proceed directly to a Final Rule and require
the development of a new reliability standard
on supply chain risk management for
industrial control system hardware, software,
and computing and networking services
associated with bulk electric system
operations. I fully support the Commission’s
continued attention to the threat of
inadequate supply chain risk management
procedures, which pose a very real threat to
grid reliability.
However, in my view, the importance and
complexity of this issue should guide the
Commission to proceed cautiously and
thoughtfully in directing the development of
a reliability standard to address these threats.
I am concerned that the Commission has not
adequately considered or vetted the Final
VerDate Sep<11>2014
17:04 Jul 28, 2016
Jkt 238001
Rule, which could hamper the development
and implementation of an effective,
auditable, and enforceable standard. I believe
that the more prudent course of action would
be to issue today’s Final Rule as a
Supplemental Notice of Proposed
Rulemaking (Supplemental NOPR), which
would provide NERC, industry, and
stakeholders the opportunity to comment on
the Commission’s proposed directives.
Accordingly, and as discussed below, I
dissent from today’s order.1
I. The Commission’s Decision To Proceed
Directly to Final Rule Is Flawed and Could
Delay Protection of the Grid Against Supply
Chain Risks
Last July, as part of its NOPR addressing
revisions to its cybersecurity critical
infrastructure protection (CIP) standards, the
Commission raised for the first time the
prospect of directing the development of a
standard to address risks posed by lack of
1 I do agree with one holding in the order: That
the Commission has authority under section 215 of
the Federal Power Act to promulgate a standard on
this issue.
PO 00000
Frm 00038
Fmt 4700
Sfmt 4700
controls for supply chain management.2 The
Commission indicated that new threats might
warrant directing NERC to develop a
standard to address those risks. While the
Commission noted a variety of considerations
that might shape the standard, including,
among others, jurisdictional limits and the
individualized nature of companies’ supply
chain management procedures, the
Commission notably did not propose a
specific standard for comment. Instead, the
Commission sought comment on (1) the
general proposal to require a standard, (2) the
anticipated features of, and requirements that
should be included in, such a standard, and
(3) a reasonable timeframe for development
of a standard.3
The record developed in comments
responding to the Supply Chain NOPR and
through the January 28, 2016 technical
conference reflects a wide diversity of views
2 Revised Critical Infrastructure Protection
Reliability Standards, Notice of Proposed
Rulemaking, 80 FR 43,354 (July 22, 2015), 152
FERC ¶ 61,054 (2015). I will refer to the section of
that order addressing supply chain issues as the
‘‘Supply Chain NOPR,’’ and the remainder of the
order as the ‘‘CIP NOPR.’’
3 Id. P 66.
E:\FR\FM\29JYR1.SGM
29JYR1
Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations
asabaliauskas on DSK3SPTVN1PROD with RULES
regarding the need for, and possible content
of, a reliability standard addressing supply
chain management. Notwithstanding these
diverse views, there was broad consensus on
one point: That effectively addressing
cybersecurity threats in supply chain
management is tremendously complicated,
due to a host of jurisdictional, technical,
economic, and business relationship issues.
Indeed, in the Supply Chain NOPR, the
Commission recognized ‘‘that developing a
supply chain management standard would
likely be a significant undertaking and
require extensive engagement with
stakeholders to define the scope, content, and
timing of the standard.’’ 4
Yet, the Commission is proceeding straight
to a Final Rule without in my view engaging
in sufficient outreach regarding, or
adequately vetting, the contents of the Final
Rule. As to those contents, it is worth noting
that the four objectives that will define the
scope and content of the standard were not
identified in the Supply Chain NOPR.
Therefore, even though the Final Rule
reflects feedback received on the Supply
Chain NOPR, and is not obviously
inconsistent with the Supply Chain NOPR,
no party has yet had an opportunity to
comment on those objectives or consider how
they could be translated into an effective and
enforceable standard.5 This is a consequence
of: (1) The lack of outreach on supply chain
threats prior to issuing the Supply Chain
NOPR; (2) the lack of detail in the Supply
Chain NOPR regarding what a standard might
look like; and (3) the decision today to
proceed straight to a Final Rule rather than
provide additional opportunities for public
feedback.
A. The Commission and the Public’s
Consideration of Supply Chain Risks Would
Benefit From Additional Stakeholder
Engagement
First, I believe that meaningful stakeholder
input on the content of any proposed rule is
essential to the Commission’s deliberative
process. This is especially important in our
reliability work, as any standard developed
by NERC must be approved by stakeholder
consensus before it may be filed at the
Commission. I do not believe that the record
developed to date establishes that the Final
Rule will lead to an appropriate solution to
address supply chain risks. I note that much
of the feedback we received in response to
the Supply Chain NOPR was not focused on
the merits of particular approaches to address
supply chain threats. Yet, in this order, the
Commission directs the development of a
standard based on objectives not reflected in
the Supply Chain NOPR, depriving the
public of the ability to comment, and the
Commission of the benefit of that public
comment.
In retrospect, given both the preliminary
nature of the consideration of the issue and
the lack of a concrete idea regarding what a
proposed standard would look like, I believe
4 Id.
5 To be clear, I am less concerned about whether
the Final Rule satisfies minimal notice
requirements than whether the Final Rule
represents reasoned decision making by the
Commission.
VerDate Sep<11>2014
17:04 Jul 28, 2016
Jkt 238001
that the Supply Chain NOPR was, in
substance, a de facto Notice of Inquiry and
should have been issued as such, rather than
as a subsection of the broader CIP NOPR on
changes to the CIP standards. For example,
it is instructive to compare the Supply Chain
NOPR with two other documents: (1) The
Notice of Inquiry being issued today on
cybersecurity issues arising from the recent
incident in Ukraine,6 and (2) the NOPR
concerning the proposed development of a
reliability standard to address geomagnetic
disturbances.7 The level of detail and
consideration of the issues presented in the
Supply Chain NOPR are much more
consistent with that in a Notice of Inquiry
than a traditional NOPR. As a result, I am
concerned that the Commission, by styling its
prior action as a NOPR, has skipped a critical
step in the rulemaking process: The
opportunity for public comment on its
directive to develop a standard and the
objectives that will frame the design and
development of that standard. As explained
below, I believe this procedural decision
actually makes it less likely that an effective,
auditable, and enforceable standard will be
implemented on a reasonable schedule,
particularly given the acknowledged
complexity of this issue.8
B. The Lack of Adequate Stakeholder
Engagement Will Have Negative
Consequences for the Standards
Development Process
I am also concerned about the
consequences for the standards development
process of the Commission’s decision to
proceed straight to a Final Rule. In particular,
I am concerned that the combination of
insufficient process and discussion to
develop the record and inadequate time for
standards development (since the
Commission substantially truncated NERC’s
suggested timeline) 9 will handicap NERC’s
6 Cyber Systems in Control Centers, Notice of
Inquiry, Docket No. RM16–18–000.
7 Reliability Standards for Geomagnetic
Disturbances, Notice of Proposed Rulemaking, 77
FR 64,935 (Oct. 24, 2012), 141 FERC 61,045 (2012).
8 I believe that Reliability Standards for Physical
Security Measures, 146 FERC ¶ 61,166 (2014)
(Physical Security Directive Order), which is cited
in the Final Rule as support for today’s action, is
primarily relevant to demonstrate a different point
than the order indicates. The Physical Security
Directive Order followed focused outreach with
NERC and other stakeholders to discuss how a
physical security standard could be designed and
implemented within the parameters of section 215
of the Federal Power Act. As a result of that
outreach, the directives in the Physical Security
Directive Order were clear, targeted, and reflected
shared priorities between the Commission and
NERC. Physical Security Directive Order, 146 FERC
¶ 61,166 at PP 6–9. Consequently, NERC was able
to develop and file a physical security standard
with the Commission in less than three months, and
the Commission ultimately approved that standard
in November 2014, only roughly eight months after
directing its development. Physical Security
Reliability Standard, 149 FERC ¶ 61,140 (2014). In
my view, this example demonstrates how essential
outreach is to the timely and effective development
of NERC standards.
9 In its comments responding to the Supply Chain
NOPR, NERC requested that, if the Commission
decides to direct the development of a standard, the
PO 00000
Frm 00039
Fmt 4700
Sfmt 4700
49893
ability to develop an effective and
enforceable proposed standard for the
Commission to consider. As noted above,
NERC, industry, and other stakeholders will
have no meaningful opportunity before
initiating their work to provide feedback on
the contents of the rule, to seek clarification
from the Commission, or to propose revisions
to the rule. Yet, this type of feedback is a
critical component of the rulemaking
process, to ensure that the entities tasked
with implementing the Commission’s
directive have been heard and understand
what they are supposed to do. I believe that
the Commission is essentially giving the
standards development team a homework
assignment without adequately explaining
what it expects them to hand in.
I do not believe that the Final Rule’s
flexibility is a justification for proceeding
straight to a Final Rule. Indeed, given the
inadequate process to date, I fear that the
flexibility is in fact a lack of guidance and
will therefore be a double-edged sword. The
Commission is issuing a general directive in
the Final Rule, in the hope that the standards
team will do what the Commission clearly
could not do: translate general supply chain
concerns into a clear, auditable, and
enforceable standard within the framework of
section 215 of the Federal Power Act. While
the Commission need not be prescriptive in
its standards directives, the Commission’s
order assumes that the standards
development team will be able to take the
‘‘objectives’’ of the Final Rule and translate
them into a standard that the Commission
will ultimately find acceptable. I believe that
issuing a Supplemental NOPR would benefit
the standards development process by
enabling additional discussion and feedback
regarding the design of a workable standard.
C. By Failing To Engage in Adequate
Stakeholder Outreach Before Directing
Development of a Standard, the Commission
Increases the Likelihood That
Implementation of a Standard Will Be
Delayed
A compressed and possibly compromised
standards development process also has real
consequences for the Commission’s
consideration of that proposed standard,
whenever it is filed for our review. Unlike
our authority under section 206 of the FPA,
the Commission lacks authority under
section 215 to directly modify a flawed
reliability standard. Instead, to correct any
flaws, the statute requires that we remand the
standard to NERC and the standards
development process.10 Thus,
notwithstanding the majority’s desire to
quickly proceed to Final Rule, the statutory
Commission provide a minimum of two years for
the standards development process. However, the
Commission disregards that request and directs
NERC to develop a standard in just one year,
apparently based solely on the Trade Associations’
request that the Commission allow at least one year
for the standards development process. I believe
this timeline is inconsistent with the Commission’s
own recognition of the complexity of this issue,
and, as discussed herein, likely to delay rather than
expedite the implementation of an effective,
auditable, and enforceable standard.
10 18 U.S.C. 824o(d)(4).
E:\FR\FM\29JYR1.SGM
29JYR1
49894
Federal Register / Vol. 81, No. 146 / Friday, July 29, 2016 / Rules and Regulations
construct constrains our ability to timely
address a flawed standard, which could
actually delay implementation of the
protections the Commission seeks to put in
place.
Given the realities of the standards
development and approval process, we are
likely years away from a supply chain
standard being implemented, even under the
aggressive schedule contemplated in the
order. I believe that the Commission should
endeavor to provide as much advance
guidance as possible before mandating the
development of a standard, to increase the
likelihood that NERC develops a standard
that will be satisfactory to the Commission
and reduce the need for a remand. I worry
that the limited process that preceded the
Final Rule and the expedited timetable will
make it extremely difficult for NERC to file
a standard that the Commission can cleanly
approve. Had the Commission committed
itself to conducting adequate outreach, I
believe we could have mitigated the
likelihood of that outcome, and more
effectively and promptly addressed the
supply chain threat in the long term.
‘‘Delaying’’ action for a few months thus
would, in the long run, lead to prompter and
stronger protection for the grid.
II. Conclusion
The choice the Commission faces today on
supply chain risk management is not
between action and inaction. Rather, given
the importance of this issue, I believe that
more considered action and a more
developed Commission order, even if
delayed by a few months, is better than a
quick decision to ‘‘do something.’’
Ultimately, an effective, auditable, and
enforceable standard on supply chain
management will require thoughtful
consideration of the complex challenges of
addressing cybersecurity threats posed
through the supply chain within the
structure of the FERC/NERC reliability
process. In my view, the Commission gains
very little and does not meaningfully
advance the security of the grid by
proceeding straight to a Final Rule, rather
than taking the time to build a record to
support a workable standard.
Accordingly, I respectfully dissent.
21 CFR Part 80
Final rule; technical
amendment.
ACTION:
The Food and Drug
Administration (FDA or we) is
amending our regulations to reflect a
change in the address for the Center for
Food Safety and Applied Nutrition
(CFSAN). This action is editorial in
nature and is intended to improve the
accuracy of our regulations.
DATES: This rule is effective July 29,
2016.
SUMMARY:
FOR FURTHER INFORMATION CONTACT:
John
Reilly, Center for Food Safety and
Applied Nutrition (HFS–024), Food and
Drug Administration, 5001 Campus Dr.,
College Park, MD 20740.
SUPPLEMENTARY INFORMATION: We are
amending our regulations in 21 CFR
parts 1, 5, 70, 71, 73, 80, 100, 101, 102,
106, 107, 108, 109, 110, 112, 117, 118,
130, 161, 170, 171, 172, 173, 175, 176,
177, 178, 180, 181, 184, 189, 190, 211,
507, 701, 710, 720, and 1250 to reflect
a change in the address for CFSAN. The
street address listed currently in our
regulations for CFSAN is 5100 Paint
Branch Pkwy., College Park, MD 20740.
The street has been renamed and the
street number has been changed; the
new street address is 5001 Campus Dr.,
College Park, MD 20740. Consequently,
we are amending our regulations to
reflect the new street address.
Publication of this document
constitutes final action on these changes
under the Administrative Procedure Act
(5 U.S.C. 553). Notice and public
procedure are unnecessary because we
are merely updating the street address
for CFSAN.
List of Subjects
21 CFR Part 1
Cosmetics, Drugs, Exports, Food
labeling, Imports, Labeling, Reporting
and recordkeeping requirements.
21 CFR Part 5
Cheryl A. LaFleur,
Commissioner.
BILLING CODE 6717–01–P
21 CFR Part 70
Color additives, Cosmetics, Drugs,
Labeling, Packaging and containers.
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
21 CFR Part 71
asabaliauskas on DSK3SPTVN1PROD with RULES
Food and Drug Administration
Change of Address; Technical
Amendment
Food and Drug Administration,
VerDate Sep<11>2014
17:04 Jul 28, 2016
Jkt 238001
21 CFR Part 101
Food labeling, Nutrition, Reporting
and recordkeeping requirements.
21 CFR Part 102
Beverages, Food grades and standards,
Food labeling, Frozen foods, Oils and
fats, Onions, Potatoes, Seafood.
21 CFR Part 106
Food grades and standards, Infants
and children, Nutrition, Reporting and
recordkeeping requirements.
21 CFR Part 107
Food labeling, Infants and children,
Nutrition, Reporting and recordkeeping
requirements, Signs and symbols.
21 CFR Part 108
Administrative practice and
procedure, Foods, Reporting and
recordkeeping requirements.
21 CFR Part 109
Food packaging, Foods,
Polychlorinated biphenyls (PCB’s).
21 CFR Part 110
Food packaging, Foods.
21 CFR Part 112
Foods, Fruits and vegetables,
Incorporation by reference, Packaging
and containers, Recordkeeping
requirements, Safety.
21 CFR Part 117
21 CFR Part 118
Eggs and egg products, Incorporation
by reference, Recordkeeping
requirements, Safety.
21 CFR Part 130
Food additives, Food grades and
standards.
21 CFR Part 161
21 CFR Part 73
21 CFR Chapter I
HHS.
Administrative practice and
procedure, Food labeling, Food
packaging, Foods, Intergovernmental
relations.
Administrative practice and
procedure, Color additives, Confidential
business information, Cosmetics, Drugs,
Reporting and recordkeeping
requirements.
[Docket No. FDA–2016–N–0011]
AGENCY:
21 CFR Part 100
Food packaging, Foods.
Authority delegations (Government
agencies), Imports, Organization and
functions (Government agencies).
[FR Doc. 2016–17842 Filed 7–28–16; 8:45 am]
Color additives, Cosmetics, Drugs,
Reporting and recordkeeping
requirements.
Administrative practice and
procedure, Food additives, Reporting
and recordkeeping requirements.
Color additives, Cosmetics, Drugs,
Medical devices.
PO 00000
Frm 00040
Fmt 4700
Sfmt 4700
Food grades and standards, Frozen
foods, Seafood.
21 CFR Part 170
E:\FR\FM\29JYR1.SGM
29JYR1
]]>Agencies
[Federal Register Volume 81, Number 146 (Friday, July 29, 2016)]
[Rules and Regulations]
[Pages 49878-49894]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-17842]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
18 CFR Part 40
[Docket No. RM15-14-002; Order No. 829]
Revised Critical Infrastructure Protection Reliability Standards
AGENCY: Federal Energy Regulatory Commission.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Federal Energy Regulatory Commission (Commission) directs
the North American Electric Reliability Corporation to develop a new or
modified Reliability Standard that addresses supply chain risk
management for industrial control system hardware, software, and
computing and networking services
[[Page 49879]]
associated with bulk electric system operations. The new or modified
Reliability Standard is intended to mitigate the risk of a
cybersecurity incident affecting the reliable operation of the Bulk-
Power System.
DATES: This rule is effective September 27, 2016.
FOR FURTHER INFORMATION CONTACT: Daniel Phillips (Technical
Information), Office of Electric Reliability, Federal Energy Regulatory
Commission, 888 First Street NE., Washington, DC 20426, (202) 502-6387,
daniel.phillips@ferc.gov.
Simon Slobodnik (Technical Information), Office of Electric
Reliability, Federal Energy Regulatory Commission, 888 First Street
NE., Washington, DC 20426, (202) 502-6707, simon.slobodnik@ferc.gov.
Kevin Ryan (Legal Information), Office of the General Counsel,
Federal Energy Regulatory Commission, 888 First Street NE., Washington,
DC 20426, (202) 502-6840, kevin.ryan@ferc.gov.
SUPPLEMENTARY INFORMATION:
Order No. 829
Final Rule
1. Pursuant to section 215(d)(5) of the Federal Power Act (FPA),\1\
the Commission directs the North American Electric Reliability
Corporation (NERC) to develop a new or modified Reliability Standard
that addresses supply chain risk management for industrial control
system hardware, software, and computing and networking services
associated with bulk electric system operations. The new or modified
Reliability Standard is intended to mitigate the risk of a
cybersecurity incident affecting the reliable operation of the Bulk-
Power System.
---------------------------------------------------------------------------
\1\ 16 U.S.C. 824o(d)(5).
---------------------------------------------------------------------------
2. The record developed in this proceeding supports our
determination under FPA section 215(d)(5) that it is appropriate to
direct the creation of mandatory requirements that protect aspects of
the supply chain that are within the control of responsible entities
and that fall within the scope of our authority under FPA section 215.
Specifically, we direct NERC to develop a forward-looking, objective-
based Reliability Standard to require each affected entity to develop
and implement a plan that includes security controls for supply chain
management for industrial control system hardware, software, and
services associated with bulk electric system operations.\2\ The new or
modified Reliability Standard should address the following security
objectives, discussed in detail below: (1) Software integrity and
authenticity; (2) vendor remote access; (3) information system
planning; and (4) vendor risk management and procurement controls. In
making this directive, the Commission does not require NERC to impose
any specific controls, nor does the Commission require NERC to propose
``one-size-fits-all'' requirements. The new or modified Reliability
Standard should instead require responsible entities to develop a plan
to meet the four objectives, or some equally efficient and effective
means to meet these objectives, while providing flexibility to
responsible entities as to how to meet those objectives.
---------------------------------------------------------------------------
\2\ Revised Critical Infrastructure Protection Reliability
Standards, Notice of Proposed Rulemaking, 80 FR 43,354 (Jul. 22,
2015), 152 FERC ] 61,054, at P 66 (2015) (NOPR).
---------------------------------------------------------------------------
I. Background
A. Section 215 and Mandatory Reliability Standards
3. Section 215 of the FPA requires a Commission-certified Electric
Reliability Organization (ERO) to develop mandatory and enforceable
Reliability Standards, subject to Commission review and approval.
Reliability Standards may be enforced by the ERO, subject to Commission
oversight, or by the Commission independently.\3\ Pursuant to section
215 of the FPA, the Commission established a process to select and
certify an ERO,\4\ and subsequently certified NERC.\5\
---------------------------------------------------------------------------
\3\ 16 U.S.C. 824o(e).
\4\ Rules Concerning Certification of the Electric Reliability
Organization; and Procedures for the Establishment, Approval, and
Enforcement of Electric Reliability Standards, Order No. 672, FERC
Stats. & Regs. ] 31,204, order on reh'g, Order No. 672-A, FERC
Stats. & Regs. ] 31,212 (2006).
\5\ North American Electric Reliability Corp., 116 FERC ]
61,062, order on reh'g and compliance, 117 FERC ] 61,126 (2006),
aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
---------------------------------------------------------------------------
B. Notice of Proposed Rulemaking
4. The NOPR, inter alia, identified as a reliability concern the
potential risks to bulk electric system reliability posed by the
``supply chain'' (i.e., the sequence of processes involved in the
production and distribution of, inter alia, industrial control system
hardware, software, and services). The NOPR explained that changes in
the bulk electric system cyber threat landscape, exemplified by recent
malware campaigns targeting supply chain vendors, have highlighted a
gap in the Critical Infrastructure Protection (CIP) Reliability
Standards.\6\ To address this gap, the NOPR proposed to direct that
NERC develop a forward-looking, objective-driven Reliability Standard
that provides security controls for supply chain management for
industrial control system hardware, software, and services associated
with bulk electric system operations.\7\
---------------------------------------------------------------------------
\6\ NOPR, 152 FERC ] 61,054 at P 63.
\7\ Id. P 66.
---------------------------------------------------------------------------
5. Recognizing that developing supply chain management requirements
would likely be a significant undertaking and require extensive
engagement with stakeholders to define the scope, content, and timing
of the Reliability Standard, the Commission sought comment on: (1) the
general proposal to direct that NERC develop a Reliability Standard to
address supply chain management; (2) the anticipated features of, and
requirements that should be included in, such a standard; and (3) a
reasonable timeframe for development of a Reliability Standard.\8\
---------------------------------------------------------------------------
\8\ Id.
---------------------------------------------------------------------------
6. In response to the NOPR, thirty-four entities submitted comments
on the NOPR proposal regarding supply chain risk management. A list of
these commenters appears in Appendix A.
C. January 28, 2016 Technical Conference
7. On January 28, 2016, Commission staff led a Technical Conference
to facilitate a dialogue on supply chain risk management issues that
were identified by the Commission in the NOPR. The January 28 Technical
Conference addressed: (1) The need for a new or modified Reliability
Standard; (2) the scope and implementation of a new or modified
Reliability Standard; and (3) current supply chain risk management
practices and collaborative efforts.
8. Twenty-four entities representing industry, government, vendors,
and academia participated in the January 28 Technical Conference
through written comments and/or presentations.\9\
---------------------------------------------------------------------------
\9\ Written presentations at the January 28, 2016 Technical
Conference and the Technical Conference transcript referenced in
this Final Rule are accessible through the Commission's eLibrary
document retrieval system in Docket No. RM15-14-000.
---------------------------------------------------------------------------
9. We address below the comments submitted in response to the NOPR
and comments made as part of the January 28 Technical Conference.
II. Discussion
10. Pursuant to section 215(d)(5) of the FPA, the Commission
determines that it is appropriate to direct NERC to develop a new or
modified Reliability Standard(s) that address supply chain risk
management for industrial control system hardware, software, and
computing and networking services associated with bulk electric system
[[Page 49880]]
operations.\10\ Based on the comments received in response to the NOPR
and at the technical conference, we determine that the record in this
proceeding supports the development of mandatory requirements for the
protection of aspects of the supply chain that are within the control
of responsible entities and that fall within the scope of our authority
under FPA section 215.
---------------------------------------------------------------------------
\10\ 16 U.S.C. 824o(d)(5) (``The Commission . . . may order the
[ERO] to submit to the Commission a proposed reliability standard or
a modification to a reliability standard that addresses as specific
matter if the Commission considers such a new or modified
reliability standard appropriate to carry out this section.'').
---------------------------------------------------------------------------
11. In its NOPR comments, NERC acknowledges that ``supply chains
for information and communications technology and industrial control
systems present significant risks to [Bulk-Power System] security,
providing various opportunities for adversaries to initiate
cyberattacks.'' \11\ Several other commenters also recognized the risks
posed to the bulk electric system by supply chain security issues and
generally support, or at least do not oppose, Commission action to
address the reliability gap.\12\ For example, in prepared remarks
submitted for the January 28 Technical Conference, one panelist noted
that attacks targeting the supply chain are on the rise, particularly
attacks involving third party service providers.\13\ In addition, it
was noted that, while many responsible entities are already
independently assessing supply chain risks and asking vendors to
address the risks, these individual efforts are likely to be less
effective than a mandatory Reliability Standard.\14\
---------------------------------------------------------------------------
\11\ NERC NOPR Comments at 8.
\12\ See Peak NOPR Comments at 3-6; ITC NOPR Comments at 13-15;
CyberArk NOPR Comments at 4; Ericsson NOPR Comments at 2; Isologic
and Resilient Societies Joint NOPR Comments at 9-12; ACS NOPR
Comments at 4; ISO NE NOPR Comments at 2-3; NEMA NOPR Comments at 1-
2.
\13\ Olcott Technical Conference Comments at 1-2.
\14\ Galloway Technical Conference Comments at 1 (``. . . ISO-NE
supports the Commission's proposal to direct NERC to develop
requirements relating to supply chain risk management. We believe
that the risks to the reliability of the Bulk Electric System that
result from compromised third-party software are real, significant
and largely unaddressed by existing reliability standards. While
many public utilities are already assessing these risks and asking
vendors to address them, these one-off efforts are far less likely
to be effective than an industry-wide reliability standard.'').
---------------------------------------------------------------------------
12. We recognize, however, that most commenters oppose development
of Reliability Standards addressing supply chain management for various
reasons. These commenters contend that Commission action on supply
chain risk management would, among other things, address or influence
activities beyond the scope of the Commission's FPA section 215
jurisdiction.\15\ Commenters also assert that the existing CIP
Reliability Standards adequately address potential risks to the bulk
electric system from supply chain issues.\16\ In addition, commenters
claim that responsible entities have minimal control over their
suppliers and are not able to identify all potential vulnerabilities
associated with each of their products or parts; therefore, even if a
responsible entity identifies a vulnerability created by a supplier,
the responsible entity does not necessarily have any authority,
influence or means to require the supplier to apply mitigation.\17\
Other commenters argue that the Commission's proposal may
unintentionally inhibit innovation.\18\ A number of commenters assert
that voluntary guidelines would be more effective at addressing the
Commission's concerns.\19\ Finally, commenters are concerned that the
contractual flexibility necessary to effectively address supply chain
concerns does not fit well with a mandatory Reliability Standard.\20\
---------------------------------------------------------------------------
\15\ See Trade Associations NOPR Comments at 24; Southern NOPR
Comments at 14-16; CEA NOPR Comments at 4-5; NIPSCO NOPR Comments at
7.
\16\ See Trade Associations NOPR Comments at 20-25; Gridwise
NOPR Comments at 3; Arkansas NOPR Comments at 6; G&T Cooperatives
NOPR Comments at 8-9; NEI NOPR Comments at 3-5; NIPSCO NOPR Comments
at 5-6; Luminant NOPR Comments at 4-5; SCE NOPR Comments at 4.
\17\ See Arkansas NOPR Comments at 5-6; G&T Cooperatives NOPR
Comments at 9; Trade Associations NOPR Comments at 25.
\18\ See Arkansas NOPR Comments at 6; G&T Cooperatives NOPR
Comments at 9; NERC NOPR Comments at 13.
\19\ See Trade Associations NOPR Comments at 23; Southern NOPR
Comments at 13; AEP NOPR Comments at 5; NextEra NOPR Comments at 4-
5; Luminant NOPR Comments at 5.
\20\ See Arkansas NOPR Comments at 6; Southern NOPR Comments at
13.
---------------------------------------------------------------------------
13. As discussed below, we conclude that our directive falls within
the Commission's authority under FPA section 215. We also determine
that, notwithstanding the concerns raised by commenters opposed to the
NOPR proposal, it is appropriate to direct the development of mandatory
requirements to protect industrial control system hardware, software,
and computing and networking services associated with bulk electric
system operations. Many of the commenters' concerns are addressed by
the flexibility inherent in our directive to develop a forward-looking,
objective-based Reliability Standard that includes specific security
objectives that a responsible entity must achieve, but affords
flexibility in how to meet these objectives. The Commission does not
require NERC to impose any specific controls nor does the Commission
require NERC to propose ``one-size-fits-all'' requirements. The new or
modified Reliability Standard should instead require responsible
entities to develop a plan to meet the four objectives, or some equally
efficient and effective means to meet these objectives, while providing
flexibility to responsible entities as to how to meet those objectives.
Moreover, our directive comports well with the NOPR comments submitted
by NERC, in which NERC explained what it believes would be the features
of a workable supply chain management Reliability Standard.\21\
---------------------------------------------------------------------------
\21\ NERC NOPR Comments at 8-9. The record evidence on which the
directive in this Final Rule is based is either comparable or
superior to past instances in which the Commission has directed,
pursuant to FPA section 215(d)(5), that NERC propose a Reliability
Standard to address a gap in existing Reliability Standards. See,
e.g., Reliability Standards for Physical Security Measures, 146 FERC
] 61,166 (2014) (directing, without seeking comment, that NERC
develop proposed Reliability Standards to protect against physical
security risks related to the Bulk-Power System).
---------------------------------------------------------------------------
14. We address below the following issues raised in the NOPR, NOPR
comments, and January 28 Technical Conference comments: (1) the
Commission's authority to direct the ERO to develop supply chain
management Reliability Standards under FPA section 215(d)(5); and (2)
the need for supply chain management Reliability Standards, including
the risks posed by the supply chain, objectives of a supply chain
management Reliability Standard, existing CIP Reliability Standards,
and responsible entities' ability to affect the supply chain.
A. Commission Authority To Direct the ERO To Develop Supply Chain
Management Reliability Standards Under FPA Section 215(d)(5)
NOPR
15. In the NOPR, the Commission stated that it anticipates that a
Reliability Standard addressing supply chain management security would,
inter alia, respect FPA Section 215 jurisdiction by only addressing the
obligations of responsible entities and not directly imposing
obligations on suppliers, vendors, or other entities that provide
products or services to responsible entities.\22\
---------------------------------------------------------------------------
\22\ NOPR, 152 FERC ] 61,054 at P 66.
---------------------------------------------------------------------------
Comments
16. Commenters contend that the Commission's proposal to direct
NERC to develop mandatory Reliability Standards to address supply chain
risks could exceed the Commission's
[[Page 49881]]
jurisdiction under FPA section 215. The Trade Associations state that
the NOPR discussion ``appears to suggest a new mandate, over and above
Section 215 for energy security, integrity, quality, and supply chain
resilience, and the future acquisition of products and services.'' \23\
The Trade Associations assert that the Commission's NOPR proposal does
not provide any reasoning that connects energy security and integrity
with reliable operations for Bulk-Power System reliability. The Trade
Associations seek clarification that the Commission does not intend to
define energy security as a new policy mandate.\24\
---------------------------------------------------------------------------
\23\ Trade Associations NOPR Comments at 24.
\24\ Id.
---------------------------------------------------------------------------
17. Southern states that it agrees with the Trade Associations that
expanding the focus of the NERC Reliability Standards ``to include
concepts such as security, integrity, and supply chain resilience is
beyond the statutory authority granted in Section 215.'' \25\ Southern
contends that while these areas ``have an impact on the reliable
operation of the bulk power system, [. . .] they are areas that are
beyond the scope of [the Commission's] jurisdiction under Section
215.'' \26\ NIPSCO raises a similar argument, stating that the existing
CIP Reliability Standards should address the Commission's concerns
``without involving processes and industries outside of the
Commission's jurisdiction under section 215 of the Federal Power Act.''
\27\
---------------------------------------------------------------------------
\25\ Southern NOPR Comments at 16.
\26\ Southern NOPR Comments at 16; see also Trade Association
NOPR Comments at 24.
\27\ NIPSCO NOPR Comments at 7.
---------------------------------------------------------------------------
18. Southern questions how a mandatory Reliability Standard that
achieves all of the objectives specified in the NOPR ``could
effectively address [the Commission's] concerns and still stay within
the bounds of [the Commission's] scope and mission under Section 215.''
\28\ Southern asserts that ``a reading of Section 215 indicates that
[the Commission's] mission and authority under Section 215 is focused
on the operation of the bulk power system elements, not on the
acquisition of those elements and associated procurement practices.''
\29\ In support of its assertion, Southern points to the definition in
FPA section 215 of ``reliability standard,'' noting the use and meaning
of the terms ``reliable operation'' and ``operation.'' Southern
contends that ``Section 215 standards should ensure that a given BES
Cyber System asset is protected from vulnerabilities once connected to
the BES, and should not be concerned about how the Responsible Entity
works with its vendors and suppliers to ensure such reliability (such
as higher financial incentives or greater contractual penalties).''
\30\
---------------------------------------------------------------------------
\28\ Southern NOPR Comments at 14-15.
\29\ Id. at 15 (emphasis in original).
\30\ Id. at 16.
---------------------------------------------------------------------------
19. The Trade Associations and Southern also observe that, while
the NOPR indicates that the Commission has no direct oversight
authority over third-party suppliers or vendors and cannot indirectly
assert authority over them through jurisdictional entities, the NOPR
proposal appears to assert that authority.\31\ The Trade Associations
maintain that such an extension of the Commission's authority would be
unlawful and, therefore, seek clarification that ``the Commission will
avoid seeking to extend its authority since such an extension would set
a troubling precedent.'' \32\ CEA raises a concern that the NOPR
proposal ``appears to lend itself to the interpretation that authority
is indirectly being asserted over non-jurisdictional entities.'' \33\
---------------------------------------------------------------------------
\31\ Trade Associations NOPR Comments at 24-25; Southern NOPR
Comments at 17; see also Trade Associations Post-Technical
Conference Comments at 20-21.
\32\ Trade Associations NOPR Comments at 24-25.
\33\ CEA NOPR Comments at 5.
---------------------------------------------------------------------------
20. The Trade Associations also maintain that the Commission's use
of the term ``industrial control system'' in the scope of its proposal
suggests that the Commission is seeking to address issues beyond CIP
and cybersecurity-related issues. The Trade Associations seek
clarification that the Commission does not intend for NERC broadly to
address industrial control systems, such as fuel procurement and
delivery systems or system protection devices, but intends for its
proposal to be limited to CIP and cybersecurity-related issues.\34\
---------------------------------------------------------------------------
\34\ Trade Associations NOPR Comments at 25.
---------------------------------------------------------------------------
Discussion
21. We are satisfied that FPA section 215 provides the Commission
with the authority to direct NERC to address the reliability gap
concerning supply chain management risks identified in the NOPR. We
reject the contention that our directive could be read to address
issues outside of the Commission's FPA section 215 jurisdiction.
However, to be clear, we reiterate the statement in the NOPR that any
action taken by NERC in response to the Commission's directive to
address the supply chain-related reliability gap should respect
``section 215 jurisdiction by only addressing the obligations of
responsible entities'' and ``not directly impose obligations on
suppliers, vendors or other entities that provide products or services
to responsible entities.'' \35\ The Commission expects that NERC will
adhere to this instruction as it works with stakeholders to develop a
new or modified Reliability Standard to address the Commission's
directive. As discussed below, we reject the remaining comments
regarding the Commission's authority to direct the development of
supply chain management Reliability Standards under FPA section
215(d)(5).
---------------------------------------------------------------------------
\35\ NOPR, 152 FERC ] 61,054 at P 66.
---------------------------------------------------------------------------
22. Our directive does not suggest, as the Trade Associations
contend, a new mandate above and beyond FPA section 215. The
Commission's directive to NERC to address supply chain risk management
for industrial control system hardware, software, and computing and
networking services associated with bulk electric system operations is
not intended to ``define `energy security' as a new policy mandate''
under the CIP Reliability Standards.\36\ Instead, our directive is
meant to enhance bulk electric system cybersecurity by addressing the
gap in the CIP Reliability Standards identified in the NOPR relating to
supply chain risk management for industrial control system hardware,
software, and computing and networking services associated with bulk
electric system operations. This directive is squarely within the
statutory definition of a ``reliability standard,'' which includes
requirements for ``cybersecurity protection.'' \37\
---------------------------------------------------------------------------
\36\ See Trade Associations NOPR Comments at 24.
\37\ See 16 U.S.C. 824o(a)(3) (defining ``reliability standard''
to mean ``a requirement, approved by the Commission under [section
215 of the FPA] to provide for the reliable operation of the bulk-
power system. The term includes requirements for the operation of
existing bulk-power system facilities, including cybersecurity
protection, and the design of planned additions or modifications to
such facilities to the extent necessary to provide for reliable
operation . . .'') (emphasis added).
---------------------------------------------------------------------------
23. We reject Southern's argument that FPA section 215 limits the
scope of the NERC Reliability Standards to ``ensur[ing] that a given
BES Cyber System asset is protected from vulnerabilities once
connected'' to the bulk electric system.\38\ While Southern's comment
implies that the Commission should only be concerned with real-time
operations based on the definition of the term ``reliable operation,''
the definition of ``reliability standard'' in FPA section 215 also
includes requirements for ``the design of planned additions or
modifications'' to bulk electric system facilities ``necessary to
provide for reliable operation of the bulk-power
[[Page 49882]]
system.'' \39\ Moreover, as noted, FPA section 215 is clear that
maintaining reliable operation also includes protecting the bulk
electric system from cybersecurity incidents.\40\ Indeed, our findings
and directives in the Final Rule are intended to better protect the
Bulk-Power System from potential cybersecurity incidents that could
adversely affect reliable operation of the Bulk-Power System.
Accordingly, we would not be carrying out our obligations under FPA
section 215 if the Commission determined that cybersecurity incidents
resulting from gaps in supply chain risk management were outside the
scope of FPA section 215.
---------------------------------------------------------------------------
\38\ See Southern NOPR Comments at 16.
\39\ See 16 U.S.C. 824o(a)(4) (defining ``reliable operation'');
see also 16 U.S.C. 824o(a)(3).
\40\ See 16 U.S.C. 824o(a)(4).
---------------------------------------------------------------------------
24. With regard to concerns that the NOPR's use of the term
``industrial control system'' signals the Commission's intent to
address issues beyond the CIP Reliability Standards or cybersecurity
controls, we clarify that our directive is only intended to address the
protection of hardware, software, and computing and networking services
associated with bulk electric system operations from supply chain-
related cybersecurity threats and vulnerabilities.
B. Need for a New or Modified Reliability Standard
1. Cyber Risks Posed by the Supply Chain
NOPR
25. In the NOPR, the Commission observed that the global supply
chain, while providing an opportunity for significant benefits to
customers, enables opportunities for adversaries to directly or
indirectly affect the operations of companies that may result in risks
to the end user. The NOPR identified supply chain risks including the
insertion of counterfeits, unauthorized production, tampering, theft,
or insertion of malicious software, as well as poor manufacturing and
development practices. The NOPR pointed to changes in the bulk electric
system cyber threat landscape, evidenced by recent malware campaigns
targeting supply chain vendors, which highlighted a gap in the
protections under the current CIP Reliability Standards.\41\
---------------------------------------------------------------------------
\41\ NOPR, 152 FERC ] 61,054 at PP 61-62.
---------------------------------------------------------------------------
26. Specifically, the NOPR identified two focused malware campaigns
identified by the Department of Homeland Security's Industry Control
System--Computer Emergency Readiness Team (ICS-CERT) in 2014.\42\ The
NOPR stated that this new type of malware campaign is based on the
injection of malware while a product or service remains in the control
of the hardware or software vendor, prior to delivery to the
customer.\43\
---------------------------------------------------------------------------
\42\ Id. P 63 (citing ICS-CERT, Alert: ICS Focused Malware
(Update A), https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-176-02A; ICS-CERT, Alert Ongoing Sophisticated Malware Campaign
Compromising ICS (Update E), https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B). ICS-CERT is a division of the Department of
Homeland Security that works to reduce risks within and across all
critical infrastructure sectors by partnering with law enforcement
agencies and the intelligence community.
\43\ NOPR, 152 FERC ] 61,054 at P 63.
---------------------------------------------------------------------------
Comments
27. NERC acknowledges the NOPR's concerns regarding the threats
posed by supply chain management risks to the Bulk-Power System. NERC
states that ``the supply chains for information and communications
technology and industrial control systems present significant risks to
[Bulk-Power System] security, providing various opportunities for
adversaries to initiate cyberattacks.'' \44\ NERC further explains that
``supply chains risks are . . . complex, multidimensional, and
constantly evolving, and may include, as the Commission states,
insertion of counterfeits, unauthorized production, tampering, theft,
insertion of malicious software and hardware, as well as poor
manufacturing and development practices.'' \45\ NERC states, however,
that as to these supply chains, there are ``significant challenges to
developing a mandatory Reliability Standard consistent with [FPA]
Section 215 . . . .'' \46\
---------------------------------------------------------------------------
\44\ NERC NOPR Comments at 8.
\45\ Id. at 10.
\46\ Id. at 2.
---------------------------------------------------------------------------
28. IRC, Peak, Idaho Power, CyberArk, NEMA, Resilient Societies and
other commenters share the NOPR's concern that supply chain risks pose
a threat to bulk electric system reliability. IRC states that it
supports the Commission's efforts to address the risks associated with
supply chain management.\47\ Peak explains that ``the security risk of
supply chain management is a real threat, and . . . a CIP standard for
supply chain management may be necessary.'' \48\ Peak notes, for
example, that it is possible for a malware campaign to infect
industrial control software with malicious code while the product or
service is in the control of the hardware and software vendor, and
states that, ``[w]ithout proper controls, the vendor may deliver this
infected product or service, unknowingly passing the risk onto the
utility industry customer.'' \49\ Isologic and Resilient Societies
comments that supply chain vulnerabilities are one of the most
difficult areas of cybersecurity because, among other concerns,
entities ``are seldom aware of the risks [supply chain vulnerabilities]
pose.'' \50\
---------------------------------------------------------------------------
\47\ IRC NOPR Comments at 1-2.
\48\ Peak NOPR Comments at 3.
\49\ Id. at 3.
\50\ Isologic and Resilient Societies Joint NOPR Comments at 9.
---------------------------------------------------------------------------
29. Idaho Power agrees ``that the supply chain could pose an attack
vector for certain risks to the bulk electric system.'' \51\ CyberArk
states that ``infection of vendor Web sites is just one of the
potential ways a supply chain management attack could be executed'' and
notes that network communications links between a vendor and its
customer could be used as well.\52\ NEMA agrees with the NOPR that
``keeping the electric sector supply chain free from malware and other
cybersecurity risks is essential.'' \53\ NEMA highlights a number of
principles it represents as vendor best practices, and encourages the
Commission and NERC to reference those principles as the effort to
address supply chain risks progresses.\54\
---------------------------------------------------------------------------
\51\ Idaho Power NOPR Comments at 3.
\52\ CyberArk NOPR Comments at 4.
\53\ NEMA NOPR Comments at 1.
\54\ Id. at 2.
---------------------------------------------------------------------------
30. Other commenters do not agree that the risks identified in the
NOPR support the Commission's NOPR proposal. The Trade Associations,
Southern, and NIPSCO contend that the two malware campaigns identified
by ICS-CERT and cited in the NOPR do not actually represent a changed
threat landscape that defines a reliability gap. Specifically, the
Trade Associations state that the two identified malware campaigns
``seek to inject malware, while a product is in the control of and in
use by the customer and not, as the NOPR suggests, the vendor.'' \55\
In support of this position, the Trade Associations note that the ICS-
CERT mitigation measures for the two alerts ``focused on the customer
and do not address security controls, while the products are under
control of the vendors.'' \56\
---------------------------------------------------------------------------
\55\ Trade Associations NOPR Comments at 20-21.
\56\ Trade Associations NOPR Comments at 21; see also NIPSCO
NOPR Comments at 6.
---------------------------------------------------------------------------
31. The Trade Associations and Southern also contend that there is
no information from various NERC programs and activities that leads to
a reasonable conclusion that supply chain management issues have caused
events or disturbances on the bulk electric
[[Page 49883]]
system.\57\ Luminant states that it ``does not perceive the same
reliability gap that is expressed in the NOPR concerning risks
associated with supply chain management'' and contends that it is
important to understand the potential risks and cost impacts related to
any potential mitigation efforts before developing any additional
security controls.\58\ KCP&L states that it does not share the
Commission's view of the supply chain-related reliability gap described
in the NOPR and, therefore, does not support the Commission's
proposal.\59\
---------------------------------------------------------------------------
\57\ Trade Associations NOPR Comments at 21; Southern Comments
at 11.
\58\ Luminant NOPR Comments at 4.
\59\ KCP&L NOPR Comments at 7.
---------------------------------------------------------------------------
Discussion
32. We find ample support in the record to conclude that supply
chain management risks pose a threat to bulk electric system
reliability. As NERC commented, ``the supply chains for information and
communications technology and industrial control systems present
significant risks to [Bulk-Power System] security, providing various
opportunities for adversaries to initiate cyberattacks.'' \60\ The
malware campaigns analyzed by ICS-CERT and identified in the NOPR are
only examples of such risks (i.e., supply chain attacks targeting
supply chain vendors). Commenters identified additional supply chain-
related threats,\61\ including events targeting electric utility
vendors.\62\
---------------------------------------------------------------------------
\60\ NERC NOPR Comments at 8.
\61\ Commenters reference tools and information security
frameworks, such as ES-C2M2, NIST-SP-800-161 and NIST-SP-800-53,
which describe the scope of supply chain risk that could impact bulk
electric system operations. See Department of Energy, Electricity
Subsector Cybersecurity Capability Maturity Model (February 2014),
https://energy.gov/sites/prod/files/2014/02/f7/ES-C2M2-v1-1-Feb2014.pdf; NIST Special Publication 800-161, Supply Chain Risk
Management Practices for Federal Information Systems and
Organizations at 51, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf; NIST Special Publication
800-53, Security and Privacy Controls for Federal Information
Systems and Organizations, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf. These risks include the
insertion of counterfeits, unauthorized production and modification
of products, tampering, theft, intentional insertion of tracking
software, as well as poor manufacturing and development practices.
One technical conference participant noted that supply chain attacks
can target either (1) the hardware/software components of a system
(thereby creating vulnerabilities that can be exploited by a remote
attacker) or (2) a third party service provider who has access to
sensitive IT infrastructure or holds/maintains sensitive data. See
Olcott Technical Conference Comments at 1.
\62\ Olcott discusses two events targeting electric utility
vendors and service providers. Olcott Technical Conference Comments
at 2. Specific recent examples of attacks on third party vendors
include: (1) unauthorized code found in Juniper Firewalls in 2015;
(2) the 2013 Target incident involving stolen vendor credentials;
(3) the 2015 Office of Personnel Management incident also involving
stolen vendor credentials; and (4) two events targeting electric
utility vendors. See id. at 1-4.
---------------------------------------------------------------------------
33. Even among the comments opposed to the NOPR, there is
acknowledgment that supply chain reliability risks exist. The Trade
Associations state that their ``respective members have identified
security issues associated with potential supply chain disruption or
compromise as being a significant threat.'' \63\ Recognizing that such
risks exist, we reject the assertion by the Trade Associations and
Southern that there is an inadequate basis for the Commission to take
action because ``[t]he Trade Associations can find nothing within
various NERC programs and activities that lead to a reasonable
conclusion that supply chain management issues have caused events or
disturbances on the bulk power system.'' \64\
---------------------------------------------------------------------------
\63\ Trade Associations NOPR Comments at 17.
\64\ See Trade Associations NOPR Comments at 21.
---------------------------------------------------------------------------
34. We disagree with the Trade Associations' arguments suggesting
that the two malware campaigns identified in the NOPR do not represent
a change in the threat landscape to the bulk electric system. First,
while the Trade Associations are correct that the ICS-CERT alerts
referenced in the NOPR describe remediation steps for customers to take
in the event of a breach, the vulnerabilities exploited by those
campaigns were the direct result of vendor decisions about: (1) How to
deliver software patches to their customers and (2) the necessary
degree of remote access functionality for their information and
communications technology products.\65\ Second, the malware campaigns
also demonstrate that attackers have expanded their efforts to include
the execution of broad access campaigns targeting vendors and software
applications, rather than just individual entities. The targeting of
vendors and software applications with potentially broad access to BES
Cyber Systems \66\ marks a turning point in that it is no longer
sufficient to focus protection strategies exclusively on post-
acquisition activities at individual entities. Instead, we believe that
attention should also be focused on minimizing the attack surfaces of
information and communications technology products procured to support
bulk electric system operations.
---------------------------------------------------------------------------
\65\ The ICS-CERT alert regarding ICS Focused Malware indicated
that ``the software installers for . . . vendors were infected with
malware known as the Havex Trojan.''
\66\ Cyber systems are referred to as ``BES Cyber Systems'' in
the CIP Reliability Standards. The NERC Glossary defines BES Cyber
Systems as ``One or more BES Cyber Assets logically grouped by a
responsible entity to perform one or more reliability tasks for a
functional entity.'' NERC Glossary of Terms Used in Reliability
Standards (May 17, 2016) at 15 (NERC Glossary). The NERC Glossary
defines ``BES Cyber Asset'' as ``A Cyber Asset that if rendered
unavailable, degraded, or misused would, within 15 minutes of its
required operation, misoperation, or non-operation, adversely impact
one or more Facilities, systems, or equipment, which, if destroyed,
degraded, or otherwise rendered unavailable when needed, would
affect the reliable operation of the Bulk Electric System.
Redundancy of affected Facilities, systems, and equipment shall not
be considered when determining adverse impact. Each BES Cyber Asset
is included in one or more BES Cyber Systems.'' Id.
---------------------------------------------------------------------------
2. Objectives of a Supply Chain Management Reliability Standard
NOPR
35. The NOPR stated that the reliability goal of a supply chain
risk management Reliability Standard should be a forward-looking,
objective-driven Reliability Standard that encompasses activities in
the system development life cycle: from research and development,
design and manufacturing stages (where applicable), to acquisition,
delivery, integration, operations, retirement, and eventual disposal of
the responsible entity's information and communications technology and
industrial control system supply chain equipment and services. The NOPR
explained that the Reliability Standard should support and ensure
security, integrity, quality, and resilience of the supply chain and
the future acquisition of products and services.\67\
---------------------------------------------------------------------------
\67\ NOPR, 152 FERC ] 61,054 at P 64.
---------------------------------------------------------------------------
36. The NOPR recognized that, due to the breadth of the topic and
the individualized nature of many aspects of supply chain management, a
Reliability Standard pertaining to supply chain management security
should:
Respect FPA section 215 jurisdiction by only addressing
the obligations of responsible entities. A Reliability Standard should
not directly impose obligations on suppliers, vendors or other entities
that provide products or services to responsible entities.
Be forward-looking in the sense that the Reliability
Standard should not dictate the abrogation or re-negotiation of
currently-effective contracts with vendors, suppliers or other
entities.
Recognize the individualized nature of many aspects of
supply chain management by setting goals (the ``what''), while allowing
flexibility in how a responsible entity subject to the
[[Page 49884]]
Reliability Standard achieves that goal (the ``how'').
Given the types of specialty products involved and the
diversity of acquisition processes, the Reliability Standard may need
to allow exceptions (e.g., to meet safety requirements and fill
operational gaps if no secure products are available).
Provide enough specificity so that compliance obligations
are clear and enforceable. In particular, the Commission anticipated
that a Reliability Standard that simply requires a responsible entity
to ``have a plan'' addressing supply chain management would not
suffice. Rather, to adequately address the concerns identified in the
NOPR, the Commission stated a Reliability Standard should identify
specific controls.\68\
---------------------------------------------------------------------------
\68\ Id. P 66.
---------------------------------------------------------------------------
37. The NOPR recognized that, because security controls for supply
chain management likely vary greatly with each responsible entity due
to variations in individual business practices, the right set of supply
chain management security controls should accommodate, inter alia, an
entity's: (1) Procurement process; (2) vendor relations; (3) system
requirements; (4) information technology implementation; and (5)
privileged commercial or financial information. As examples of controls
that may be instructional in the development of any new Reliability
Standard, the NOPR identified the following Supply Chain Risk
Management controls from NIST SP 800-161: (1) Access Control Policy and
Procedures; (2) Security Assessment Authorization; (3) Configuration
Management; (4) Identification and Authentication; (5) System
Maintenance Policy and Procedures; (6) Personnel Security Policy and
Procedures; (7) System and Services Acquisition; (8) Supply Chain
Protection; and (9) Component Authenticity.\69\
---------------------------------------------------------------------------
\69\ NOPR, 152 FERC ] 61,054 at P 65 (citing NIST Special
Publication 800-161 at 51).
---------------------------------------------------------------------------
Comments
38. NERC states that a Commission directive requiring the
development of a supply chain risk management Reliability Standard: (1)
Should provide a minimum of two years for Reliability Standard
development activities; (2) should clarify that any such Reliability
Standard build on existing protections in the CIP Reliability Standards
and the practices of responsible entities, and focus primarily on those
procedural controls that responsible entities can reasonably be
expected to implement during the procurement of products and services
associated with bulk electric system operations to manage supply chain
risks; and (3) must be flexible to account for differences in the needs
and characteristics of responsible entities, the diversity of bulk
electric system environments, technologies, risks, and issues related
to the limited applicability of mandatory NERC Reliability
Standards.\70\
---------------------------------------------------------------------------
\70\ NERC NOPR Comments at 8-9.
---------------------------------------------------------------------------
39. While sharing the Commission's concern that supply chain risks
pose a threat to bulk electric system reliability, some commenters
suggest that the Commission address certain threshold issues before
moving forward with the NOPR proposal. IRC notes its concern that the
NOPR proposal is overly broad, which IRC states could hamper industry's
ability to address the Commission's concerns.\71\ Idaho Power expresses
a concern ``that tightening purchasing controls too tightly could also
pose a risk because there are limited vendors'' available to
industry.\72\ Idaho Power states that any supply chain Reliability
Standard ``should be laid out in terms of requirements built around
controls that are developed by the regulated entity rather than
prescriptive requirements like many other CIP standards.'' \73\ ISO-NE
supports the development of procedural controls ``such as requirements
that Registered Entities must transact with organizations that meet
certain criteria, use specified procurement language in contracts, and
review and validate vendors' security practices.'' \74\ Peak notes that
``the number of vendors for certain hardware, software and services may
be limited'' and, therefore, a supply chain-related Reliability
Standard should grant responsible entities the flexibility ``to show
preference for, but not the obligation to use, vendors who demonstrate
sound supply chain security practices.'' \75\
---------------------------------------------------------------------------
\71\ IRC NOPR Comments at 2.
\72\ Idaho Power NOPR Comments at 3.
\73\ Id. at 3-4.
\74\ ISO-NE NOPR Comments at 2 (citing NERC NOPR Comments at 17-
18).
\75\ Peak NOPR Comments at 4.
---------------------------------------------------------------------------
40. NERC, the Trade Associations, Southern, Gridwise, and other
commenters request that, should the Commission find it reasonable to
direct NERC to develop a new or modified Reliability Standard for
supply chain management, the Commission adopt certain principles for
NERC to follow in the standards development process. As an initial
matter, NERC and other commenters state that the Commission should
identify the risks that it intends NERC to address.\76\ In addition,
NERC, SPP RE, and AEP state that the Commission should ensure that any
new or modified supply chain-related Reliability Standard carefully
considers the risk being addressed against the cost of mitigating that
risk.\77\
---------------------------------------------------------------------------
\76\ NERC NOPR Comments at 9-11; Trade Associations NOPR
Comments at 26; Gridwise NOPR Comments at 5; AEP NOPR Comments at 8;
SPP RE NOPR Comments at 11; EnergySec NOPR Comments at 4.
\77\ NERC NOPR Comments at 11-12; SPP RE NOPR Comments at 11;
AEP NOPR Comments at 9.
---------------------------------------------------------------------------
41. NERC states that the focus of any supply chain risk management
Reliability Standard ``should be a set of requirements outlining those
procedural controls that entities should take, as purchasers of
products and services, to design more secure products and modify the
security practices of suppliers, vendors, and other parties throughout
the supply chain.'' \78\ Similarly, SPP RE notes that, while one
responsible entity alone may not have adequate leverage to make a
vendor or supplier adopt adequate security practices, ``the collective
application of the procurement language across a broad collection of
Responsible Entities may achieve the intended improvement in security
safeguards.'' \79\ Isologic and Resilient Societies recommends limiting
the Reliability Standard requirements to a few that are immediately
necessary, such as: (1) Preventing the installation of cyber related
system or grid components which have been reported by ICS-CERT to be
provably vulnerable to a supply chain attack, unless the vulnerability
has been corrected; (2) removing from operation any system or component
reported by ICS-CERT as containing an exploitable vulnerability; and
(3) subjecting hardware and software to penetration testing prior to
installation on the grid.\80\
---------------------------------------------------------------------------
\78\ NERC NOPR Comments at 17.
\79\ SPP RE NOPR Comments at 12.
\80\ Isologic and Resilient Societies Joint NOPR Comments at 11.
---------------------------------------------------------------------------
42. In post-technical conference comments, while still opposing the
NOPR proposal, APPA suggests certain parameters that should govern the
development of any supply chain-related Reliability Standard.\81\
Specifically, APPA states that a supply chain-related Reliability
Standard should be risk-based and ``must embody an approach that
enables utilities to perform a risk assessment of the hardware and
systems that create potential vulnerabilities,'' similar to the
approach taken in Reliability Standard CIP-014-2, Requirement R1
(Physical
[[Page 49885]]
Security).\82\ In addition, APPA states that a supply chain-related
Reliability Standard should not require responsible entities to
actively manage third-party vendors or their processes since that would
risk involving utilities in areas that are outside of their core
expertise. APPA also argues that ``it would be unreasonable for any
standard that FERC directs to hold utilities liable for the actions of
third-party vendors or suppliers.'' \83\ Finally, APPA states that
responsible entities should be able to rely on a credible attestation
by a vendor or supplier that it complied with identified supply chain
security process. APPA contends that this would be the most efficient
way to ``establish a standard of care on the suppliers' part.'' \84\
---------------------------------------------------------------------------
\81\ APPA's post-technical conference comments were submitted
jointly with LPPC and TAPS.
\82\ APPA Post-Technical Conference Comments at 3-4.
\83\ Id. at 4-5.
\84\ Id. at 5.
---------------------------------------------------------------------------
Discussion
43. We direct that NERC, pursuant to section 215(d)(5) of the FPA,
develop a forward-looking, objective-driven new or modified Reliability
Standard to require each affected entity to develop and implement a
plan that includes security controls for supply chain management for
industrial control system hardware, software, and services associated
with bulk electric system operations. Our directive is consistent with
the NOPR comments advocating flexibility as to what form the
Commission's directive should take.
44. We agree with NERC and other commenters that a supply chain
risk management Reliability Standard should be flexible and fall within
the scope of what is possible using Reliability Standards under FPA
section 215. The directive discussed below, we believe, is consistent
with both points. In particular, the flexibility inherent in our
directive should account for, among other things, differences in the
needs and characteristics of responsible entities and the diversity of
BES Cyber System environments, technologies and risks. For example, the
new or modified Reliability Standard may allow a responsible entity to
meet the security objectives discussed below by having a plan to apply
different controls based on the criticality of different assets. And by
directing NERC to develop a new or modified Reliability Standard, the
Commission affords NERC the option of modifying existing Reliability
Standards to satisfy our directive. Finally, we direct NERC to submit
the new or modified Reliability Standard within one year of the
effective date of this Final Rule.\85\
---------------------------------------------------------------------------
\85\ We note that the Trade Associations request that the
Commission allow ``at least one year for discussion, development,
and approval by the NERC Board of Trustees.'' See Trade Associations
Post-Technical Conference Comments at 22. NERC should submit an
informational filing within ninety days of the effective date of
this Final Rule with a plan to address the Commission's directive.
---------------------------------------------------------------------------
45. The plan required by the new or modified Reliability Standard
developed by NERC should address, at a minimum, the following four
specific security objectives in the context of addressing supply chain
management risks: (1) Software integrity and authenticity; (2) vendor
remote access; (3) information system planning; and (4) vendor risk
management and procurement controls. Responsible entities should be
required to achieve these four objectives but have the flexibility as
to how to reach the objective (i.e., the Reliability Standard should
set goals (the ``what''), while allowing flexibility in how a
responsible entity subject to the Reliability Standard achieves that
goal (the ``how'')).\86\ Alternatively, NERC can propose an equally
effective and efficient approach to address the issues raised in the
objectives identified below. In addition, while in the discussion below
we identify four objectives, NERC may address additional supply chain
management objectives in the standards development process, as it deems
appropriate.
---------------------------------------------------------------------------
\86\ See Order No. 672, FERC Stats. & Regs. ] 31,204 at P 260.
---------------------------------------------------------------------------
46. The new or modified Reliability Standard should also require a
periodic reassessment of the utility's selected controls. Consistent
with or similar to the requirement in Reliability Standard CIP-003-6,
Requirement R1, the Reliability Standard should require the responsible
entity's CIP Senior Manager to review and approve the controls adopted
to meet the specific security objectives identified in the Reliability
Standard at least every 15 months. This periodic assessment should
better ensure that the required plan remains up-to-date, addressing
current and emerging supply chain-related concerns and vulnerabilities.
47. Also, consistent with this reliance on an objectives-based
approach, and as part of this periodic review and approval, the
responsible entity's CIP Senior Manager should consider any guidance
issued by NERC, the U.S. Department of Homeland Security (DHS) or other
relevant authorities for the planning, procurement, and operation of
industrial control systems and supporting information systems equipment
since the prior approval, and identify any changes made to address the
recent guidance. This periodic reconsideration will help ensure an
ongoing, affirmative process for reviewing and, when appropriate,
incorporating such guidance.
First Objective: Software Integrity and Authenticity
48. The new or modified Reliability Standard must address
verification of: (1) The identity of the software publisher for all
software and patches that are intended for use on BES Cyber Systems;
and (2) the integrity of the software and patches before they are
installed in the BES Cyber System environment.
49. This objective is intended to reduce the likelihood that an
attacker could exploit legitimate vendor patch management processes to
deliver compromised software updates or patches to a BES Cyber System.
One of the two focused malware campaigns identified by ICS-CERT in 2014
utilized similar tactics, executing what is commonly referred to as a
``Watering Hole'' attack \87\ to exploit affected information systems.
Similar tactics appear to have been used in a recently disclosed attack
targeting electric sector infrastructure in Japan.\88\ These types of
attacks might have been prevented had the affected entities applied
adequate integrity and authenticity controls to their patch management
processes.
---------------------------------------------------------------------------
\87\ ``Watering Hole'' attacks exploit poor vendor/client
patching and updating processes. Attackers generally compromise a
vendor of the intended victim and then use the vendor's information
system as a jumping off point for their attack. Attackers will often
inject malware or replace legitimate files with corrupted files
(usually a patch or update) on the vendor's Web site as part of the
attack. The victim then downloads the files without verifying each
file's legitimacy believing that it is included in a legitimate
patch or update.
\88\ See Cylance, Operation DustStorm, https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf.
---------------------------------------------------------------------------
50. As NERC recognizes in its NOPR comments, NIST SP-800-161
``establish[es] instructional reference points for NERC and its
stakeholders to leverage in evaluating the appropriate framework for
and security controls to include in any mandatory supply chain
management Reliability Standard.'' \89\ NIST SP-800-161 includes a
number of security controls which, when taken together, reduce the
probability of a successful Watering Hole or similar cyberattack in the
industrial control system environment and thus could assist in
addressing this objective. For example, in the System and Information
[[Page 49886]]
Integrity (SI) control family, control SI-7 suggests that the integrity
of information systems and components should be tested and verified
using controls such as digital signatures and obtaining software
directly from the developer. In the Configuration Management (CM)
control family, control CM-5(3) requires that the information system
prevent the installation of firmware or software without verification
that the component has been digitally signed to ensure that hardware
and software components are genuine and valid. NIST SP-800-161, while
not meant to be definitive, provides examples of controls for
addressing the Commission's directive regarding this first objective.
Other security controls also could meet this objective.
---------------------------------------------------------------------------
\89\ NERC NOPR Comments at 16-17; see also Resilient Societies
NOPR Comments at 11.
---------------------------------------------------------------------------
Second Objective: Vendor Remote Access to BES Cyber Systems
51. The new or modified Reliability Standard must address
responsible entities' logging and controlling all third-party (i.e.,
vendor) initiated remote access sessions. This objective covers both
user-initiated and machine-to-machine vendor remote access.
52. This objective addresses the threat that vendor credentials
could be stolen and used to access a BES Cyber System without the
responsible entity's knowledge, as well as the threat that a compromise
at a trusted vendor could traverse over an unmonitored connection into
a responsible entity's BES Cyber System. The theft of legitimate user
credentials appears to have been a critical aspect to the successful
execution of the 2015 cyberattack on Ukraine's power grid.\90\ In
addition, controls adopted under this objective should give responsible
entities the ability to rapidly disable remote access sessions in the
event of a system breach.
---------------------------------------------------------------------------
\90\ See E-ISAC, Analysis of the Cyber Attack on the Ukrainian
Power Grid at 3 (Mar. 18, 2016), https://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf.
---------------------------------------------------------------------------
53. DHS noted the importance of controlling vendor remote access in
its alert on the Ukrainian cyberattack: ``Remote persistent vendor
connections should not be allowed into the control network. Remote
access should be operator controlled, time limited, and procedurally
similar to ``lock out, tag out.'' The same remote access paths for
vendor and employee connections can be used; however, double standards
should not be allowed.'' \91\
---------------------------------------------------------------------------
\91\ See ICS-CERT Alert, Cyber-Attack Against Ukrainian Critical
Infrastructure, https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01.
---------------------------------------------------------------------------
54. NIST SP-800-53 and NIST SP-800-161 provide several security
controls which, when taken together, reduce the probability that an
attacker could use legitimate third-party access to compromise
responsible entity information systems. In the Systems and
Communications (SC) control family, for example, control SC-7
addressing boundary protection requires that an entity implement
appropriate monitoring and control mechanisms and processes at the
boundary between the entity and its suppliers, and that provisions for
boundary protections should be incorporated into agreements with
suppliers. These protections are applied regardless of whether the
remote access session is user-initiated or interactive in nature.
55. In the Access Control (AC) control family, control AC-17
requires usage restrictions, configuration/connection requirements, and
monitoring and control for remote access sessions, including the
entity's ability to expeditiously disconnect or disable remote access.
In the Identification and Authentication (IA) control family, control
IA-5 requires changing default ``authenticators'' (e.g., passwords)
prior to information system installation. In the System and Information
Integrity (SI) control family, control SI-4 addresses monitoring of
vulnerabilities resulting from past information and communication
technology supply chain compromises, such as malicious code implanted
during software development and set to activate after deployment. These
sources, while not meant to be definitive, provide examples of controls
for addressing the Commission's directive regarding objective two.
Other security controls also could meet this objective.
Third Objective: Information System Planning and Procurement
56. The new or modified Reliability Standard must address how a
responsible entity will include security considerations as part of its
information system planning and system development lifecycle processes.
As part of this objective, the new or modified Reliability Standard
must address a responsible entity's CIP Senior Manager's (or
delegate's) identification and documentation of the risks of proposed
information system planning and system development actions. This
objective is intended to ensure adequate consideration of these risks,
as well as the available options for hardening the responsible entity's
information system and minimizing the attack surface.
57. This third objective addresses the risk that responsible
entities could unintentionally plan to procure and install unsecure
equipment or software within their information systems, or could
unintentionally fail to anticipate security issues that may arise due
to their network architecture or during technology and vendor
transitions. For example, the BlackEnergy malware campaign identified
by ICS-CERT and referenced in the NOPR resulted from the remote
exploitation of previously unidentified vulnerabilities, which allowed
attackers to remotely execute malicious code on remotely accessible
devices.\92\ According to ICS-CERT, this attack might have been
mitigated if affected entities had taken steps during system
development and planning to: (1) Minimize network exposure for all
control system devices/subsystems; (2) ensure that devices were not
accessible from the internet; (3) place devices behind firewalls; and
(4) utilize secure remote access techniques.\93\ The third objective
also supports, where appropriate, the need for strategic technology
refreshes as recommended by ICS-CERT in response to the 2015 Ukraine
cybersecurity incident.\94\
---------------------------------------------------------------------------
\92\ See ICS-CERT Alert, Ongoing Sophisticated Malware Campaign
Compromising ICS (Update E).
\93\ See ICS-CERT Advisory, GE Proficy Vulnerabilities, https://ics-cert.us-cert.gov/advisories/ICSA-14-023-01.
\94\ See ICS-CERT Alert, Cyber-Attack Against Ukrainian Critical
Infrastructure.
---------------------------------------------------------------------------
58. NIST SP 800-53 and SP 800-161 provide several controls which,
when taken together, reduce the likelihood that an information system
will be deployed and/or remain in service with potential
vulnerabilities that have not been identified or adequately considered.
For example, in the NIST SP 800-53 Systems Acquisition (SA) control
family, control SA-3 provides that organizations should: (1) Manage
information systems using an organizationally-defined system
development life cycle that incorporates information security
considerations; and (2) integrate the organizational information
security risk management process into system development life cycle
activities.\95\ Similarly, control SA-8 recommends using secure
engineering principles during the planning and acquisition phases of
future projects such as: (1) Developing layered protections; (2)
establishing sound security policy, architecture, and controls as the
foundation for design; (3) incorporating security requirements into the
system development life cycle; and (4) reducing risk to acceptable
levels, thus enabling informed risk
[[Page 49887]]
management decisions.\96\ Finally, control SA-22 provides controls to
address unsupported system components, recommending the replacement of
information and communication technology components when support is no
longer available, or the justification and approval of an unsupported
system component to meet specific business needs. These sources, while
not meant to be definitive, provide examples of controls for addressing
the Commission's directive regarding objective three. Other security
controls also could meet this objective.
---------------------------------------------------------------------------
\95\ NIST Special Publication 800-53, Appendix F (Security
Control Catalog) at 157.
\96\ Id. at 162.
---------------------------------------------------------------------------
Fourth Objective: Vendor Risk Management and Procurement Controls
59. The new or modified Reliability Standard must address the
provision and verification of relevant security concepts in future
contracts for industrial control system hardware, software, and
computing and networking services associated with bulk electric system
operations. Specifically, NERC must address controls for the following
topics: (1) Vendor security event notification processes; (2) vendor
personnel termination notification for employees with access to remote
and onsite systems; (3) product/services vulnerability disclosures,
such as accounts that are able to bypass authentication or the presence
of hardcoded passwords; (4) coordinated incident response activities;
and (5) other related aspects of procurement. NERC should also consider
provisions to help responsible entities obtain necessary information
from their vendors to minimize potential disruptions from vendor-
related security events.
60. This fourth objective addresses the risk that responsible
entities could enter into contracts with vendors who pose significant
risks to their information systems, as well as the risk that products
procured by a responsible entity fail to meet minimum security
criteria. In addition, this objective addresses the risk that a
compromised vendor would not provide adequate notice and related
incident response to responsible entities with whom that vendor is
connected.
61. The Department of Energy (DOE) Cybersecurity Procurement
Language for Energy Delivery Systems document outlines security
principles and controls for entities to consider when designing and
procuring control system products and services (e.g., software,
systems, maintenance, and networks), and provides example language that
could be incorporated into procurement specifications. The procurement
language encourages buyers to incorporate baseline procurement language
that ensures the supplier establishes, documents and implements risk
management practices for supply chain delivery of hardware, software,
and firmware.\97\ In addition, NIST SP 800-161 encourages buyers to use
the Information and Communications Technology supply chain risk
management (ICT SCRM) plans for their respective systems and missions
throughout their acquisition activities.\98\ The controls in the ICT
SCRM plans can be applied in different life cycle processes.
---------------------------------------------------------------------------
\97\ See Energy Sector Control Systems Working Group,
Cybersecurity Procurement Language--Energy Delivery Systems at 27,
https://www.energy.gov/sites/prod/files/2014/04/f15/CybersecProcurementLanguage-EnergyDeliverySystems_040714_fin.pdf.
\98\ See NIST Special Publication 800-161 at 51.
---------------------------------------------------------------------------
62. NIST SP 800-161 also provides specific recommendations in
control SA-4 pertaining to systems acquisition processes, which are
relevant for consideration during the standards development process,
including but not limited to: (1) Defining requirements that cover
regulatory requirements (i.e., telecommunications or IT), technical
requirements, chain of custody, transparency and visibility, sharing
information on supply chain security incidents throughout the supply
chain, rules for disposal or retention of elements such as components,
data, or intellectual property, and other relevant requirements; (2)
defining requirements for critical elements in the supply chain to
demonstrate a capability to remediate emerging vulnerabilities based on
open source information and other sources; and (3) defining
requirements for the expected life span of the system and ensuring that
suppliers can provide insights into their plans for the end-of-life of
components. Other relevant provisions can be found in the System and
Communications Protection (SC) control family under control SC-18
addressing SCRM guidance for mobile code, which recommends that
organizations employ rigorous supply chain protection techniques in the
acquisition, development, and use of mobile code to be deployed in
information systems.\99\ These sources, while not meant to be
definitive, provide examples of controls for addressing the
Commission's directive regarding objective four. Other security
controls also could meet this objective.
---------------------------------------------------------------------------
\99\ Mobile code is a software program or parts of a program
obtained from remote information systems, transmitted across a
network, and executed on a local information system without explicit
installation or execution by the recipient. NIST Special Publication
800-53, Appendix B (Glossary) at 14. Mobile code technologies
include, for example, Java, JavaScript, ActiveX, Postscript, PDF,
Shockwave movies, Flash animations, and VBScript. Id.
---------------------------------------------------------------------------
3. Existing CIP Reliability Standards
Comments
63. NERC comments that although the CIP Reliability Standards do
not explicitly address supply chain procurement practices, existing
requirements mitigate the supply chain risks identified in the NOPR. In
particular, NERC states that requirements in Reliability Standards CIP-
004-6, CIP-005-5, CIP-006-6, CIP-007-6, CIP-008-5, CIP-009-6, CIP-010-
2, and CIP-011-2 ``include controls that correspond to controls in NIST
SP 800-161.'' \100\
---------------------------------------------------------------------------
\100\ NERC NOPR Comments at 15-16.
---------------------------------------------------------------------------
64. For example, NERC explains that responsible entity compliance
with Reliability Standard CIP-004-6, addressing the implementation of
cybersecurity awareness programs, may include reinforcement of
cybersecurity practices to mitigate supply chain risks. NERC also
states that requirements in Reliability Standard CIP-004-6 (addressing
personnel risk assessment) and requirements in Reliability Standards
CIP-004-6, CIP-005-5, CIP-006-6, CIP-007-6, and CIP-010-2 (addressing
electronic and physical access) apply to any outside vendors or
contractors.
65. The Trade Associations, Arkansas, G&T Cooperatives, NIPSCO,
Luminant, Southern, NextEra, and SCE contend that the existing CIP
Reliability Standards, at least partly, address supply chain risks that
are within a responsible entity's control.
66. The Trade Associations state that, while the existing CIP
Reliability Standards do not contain explicit provisions addressing
supply chain management, ``transmission owners and operators already
have significant responsibilities to perform under various Commission-
approved CIP standards that already address supply chain issues.''
\101\ Specifically, the Trade Associations, NIPSCO, and others state
that Reliability Standard CIP-010-2 establishes requirements for cyber
asset change management that mandate extensive baseline configuration
testing and change monitoring, as well as vulnerability assessments,
prior to connecting a new cyber asset to a High Impact BES Cyber
Asset.\102\
---------------------------------------------------------------------------
\101\ Trade Associations NOPR Comments at 19-20.
\102\ Trade Associations NOPR Comments at 20; NIPSCO NOPR
Comments at 5; Southern NOPR Comments at 12; Luminant NOPR Comments
at 4-5; SCE NOPR Comments at 6.
---------------------------------------------------------------------------
[[Page 49888]]
67. The Trade Associations also contend that the CIP Reliability
Standards provide adequate vendor remote access protections by
mandating: (1) Controls that restrict personnel access (physical and
electronic) to protected information systems; (2) controls that prevent
direct access to applicable systems for interactive remote access
sessions using routable protocols; (3) the use of encryption for
connections extending outside of an electronic security perimeter; (4)
the use of two factor authentication when accessing medium and high
impact systems; and (5) integration controls which require changing
known default accounts and passwords.\103\
---------------------------------------------------------------------------
\103\ Trade Associations Post-Technical Conference Comments at
6.
---------------------------------------------------------------------------
68. NIPSCO, Luminant, and G&T Cooperatives point to Reliability
Standard CIP-007-6 as an existing Reliability Standard that addresses
supply chain risks. Reliability Standard CIP-007-6 requires responsible
entities to have processes under which only necessary ports and
services should be enabled; security patches should be tracked,
evaluated, and installed on applicable BES Cyber Systems; and anti-
virus software or other prevention tools should be used to prevent the
introduction and propagation of malicious software on all Cyber Assets
within an Electronic Security Perimeter.\104\
---------------------------------------------------------------------------
\104\ NIPSCO NOPR Comments at 5; Luminant NOPR Comments at 4;
G&T Cooperatives NOPR Comments at 8-9.
---------------------------------------------------------------------------
69. Commenters also identify existing voluntary guidelines that,
they contend, augment the existing CIP Reliability Standards to further
address any potential risks posed by the supply chain. Southern points
to voluntary cybersecurity procurement guidance materials developed by
the DHS and the DOE as examples of procurement language that could be
used in the course of vendor negotiations. Southern states that the DHS
and DOE guidelines recognize the need for flexibility and allow for
multiple contractual approaches.\105\
---------------------------------------------------------------------------
\105\ Southern NOPR Comments at 13.
---------------------------------------------------------------------------
70. Commenters suggest that the Commission direct NERC to develop
cybersecurity procurement guidance documents as opposed to a mandatory
Reliability Standard. AEP, NextEra, and Southern state that the
Commission could direct NERC to develop guidance documents addressing
supply chain risk management based, in part, on the DHS and DOE
voluntary cybersecurity procurement guidance materials.\106\ Luminant
asserts that NERC-developed guidance ``would effectively communicate
key issues while permitting industry the flexibility to effectively
protect their BES Cyber Systems in a way most effective for that entity
and at the lowest cost.'' \107\
---------------------------------------------------------------------------
\106\ AEP NOPR Comments at 7-8; NextEra NOPR Comments at 4-5;
Southern NOPR Comments at 12-13.
\107\ Luminant NOPR Comments at 5.
---------------------------------------------------------------------------
Discussion
71. While we recognize that existing CIP Reliability Standards
include requirements that address aspects of supply chain management,
we determine that existing Reliability Standards do not adequately
protect against supply chain risks that are within a responsible
entity's control. Specifically, we find that existing CIP Reliability
Standards do not provide adequate protection for the four aspects of
supply chain risk management that underlie the four objectives for a
new or modified Reliability Standard discussed above.\108\ Moreover, a
fundamental premise of cyber security is ``defense in depth,'' and
addressing issues in the supply chain (to the extent a utility
reasonably can) is an important component of a strong, multi-layered
defense.
---------------------------------------------------------------------------
\108\ Since the directive to NERC to develop a new or modified
Reliability Standard is limited to the four objectives discussed
above, we limit our analysis of the existing CIP Reliability
Standards to requirements that relate to those objectives.
---------------------------------------------------------------------------
Software Integrity and Authenticity
72. With regard to software integrity and authenticity, we agree
with commenters who state that the existing CIP Reliability Standards
contain requirements for responsible entities to implement a patch
management process for tracking, evaluating, and installing
cybersecurity patches and to implement processes to detect, prevent,
and mitigate the threat of malicious code. These provisions, however,
do not require responsible entities to verify the identity of the
software publisher for all software and patches that are intended for
use on their BES Cyber Systems or to verify the integrity of the
software and patches before they are installed in the BES Cyber System
environment.\109\ As discussed above, the CIP Reliability Standards
should address compromised software or patches that a responsible
entity receives from a vendor, in order to protect the bulk electric
system from Watering-Hole or similar cyberattacks. These concerns are
not addressed by existing CIP Reliability Standards.
---------------------------------------------------------------------------
\109\ See Trade Associations NOPR Comments at 38 (indicating
that integrity checking mechanisms used to verify software,
firmware, and information integrity found in the NIST SP-800-161
System and Information Integrity (SI) control family are not
addressed in the CIP version 5 Reliability Standards).
---------------------------------------------------------------------------
73. Mandatory controls in the existing CIP Reliability Standards
referenced by commenters do not provide sufficient protection against
attacks that compromise software and software patch integrity and
authenticity. For example, while Reliability Standard CIP-007-6,
Requirement R2 requires responsible entities to enforce a patch
management process for tracking, evaluating, and installing cyber
security patches for applicable systems, including evaluating security
patches for applicability, the requirement does not address mechanisms
to acquire the patch file from a vendor in a secure manner and methods
to validate the integrity of a patch file before installation.
74. With respect to mandatory configuration controls, Reliability
Standard CIP-010-2, Requirement R1 requires responsible entities to
authorize and document all changes to baseline configurations and,
where technically feasible, test patches in a test environment before
installing. However, NERC's technical guidance document for CIP-010-2,
Requirement R1, Part 1.2 does not require the authorizer to first
verify the authenticity of a patch. Similarly, the testing of patches
in a test environment under Requirement R1.5 would likely provide
insufficient protection as many malware variants are programmed to
execute only after the system is rebooted several times. Regarding
patch source monitoring, the guidelines and technical basis section for
Reliability Standard CIP-007-6 suggests that responsible entities
should obtain security patches from original sources, where possible,
and indicates that patches should be approved or certified by another
source before being assessed and applied.\110\ The Reliability
Standard, however, does not require the use of these techniques.
Implementing controls that verify integrity and authenticity of
software and its publishers may help mitigate security gaps listed
above.
---------------------------------------------------------------------------
\110\ Reliability Standard CIP-007-6 (Cyber Security--Systems
Security Management), Guidelines and Technical Basis at 42-43.
---------------------------------------------------------------------------
75. In sum, the current CIP Reliability Standards do contain
certain controls addressing the risks posed by malware, as stated by
commenters. Verifying software integrity and authenticity, however, is
a reasonable and appropriate complement to these controls, is not
required by the current Standards, and is supported by the
[[Page 49889]]
principle of defense-in-depth. In fact, this verification can be viewed
as the first line of defense against malware-infected software.
Vendor Remote Access to BES Cyber Systems
76. On the subject of vendor remote access, which includes vendor
user-initiated Interactive Remote Access and vendor machine-to-machine
remote access, existing CIP Reliability Standards contain system access
requirements, including a requirement for security event monitoring.
However, the CIP Reliability Standards do not require remote access
session logging for machine-to-machine remote access, nor do they
address the ability to monitor or close unsafe remote connections for
both vendor Interactive Remote Access and vendor machine-to-machine
remote access.\111\ The CIP Reliability Standards should address
enhanced session logging requirements for vendor remote access in order
to improve visibility of activity on BES Cyber Systems and give
responsible entities the ability to rapidly disable remote access
sessions in the event of a system breach.
---------------------------------------------------------------------------
\111\ See Trade Association NOPR Comments at 43 (indicating that
mechanisms for monitoring for unauthorized personnel, connections,
devices, and software found in the NIST SP-800-161 System and
Information Integrity (SI) control family are not addressed in the
CIP version 5 Reliability Standards).
---------------------------------------------------------------------------
77. The existing requirements referenced by NERC, the Trade
Associations, and other commenters do not adequately address access
restrictions for vendors. For example, while Reliability Standard CIP-
004-6, Requirements R4 and R5 provide controls that must be applied to
vendors such as restricting access to individuals ``based on need,''
these Requirements do not include post-authorization logging or control
of remote access. The existing CIP Reliability Standards do not require
a responsible entity to monitor data traffic that traverses remote
communication to their BES Cyber Systems. The absence of post-
authorization monitoring and logging presents an opportunity for
unmonitored malicious or otherwise inappropriate remote communication
to or from a BES Cyber System. The inability of a responsible entity to
rapidly terminate a connection may allow malicious or otherwise
inappropriate communication to propagate, contributing to a degradation
of a BES Cyber Asset's function. Enhanced visibility into remote
communications and the ability to rapidly terminate a remote
communication could mitigate such a vulnerability.
78. Reliability Standard CIP-005-5, Requirement R1 provides
controls for vendor machine-to-machine and vendor user-initiated
Interactive Remote Access sessions by restricting all inbound and
outbound communications through an identified Electronic Access Point
for bi-directional routable protocol connections. Reliability Standard
CIP-005-5, Requirement R2 provides controls for vendor interactive
remote access sessions by requiring the use of encryption and requiring
multi-factor authentication. However, the provisions of Reliability
Standard CIP-005-5, Requirement R2 addressing interactive remote access
management do not apply to vendor machine-to-machine remote access. The
Reliability Standard CIP-005-5, Requirement R2 controls addressing
interactive remote access management only apply to remote connections
that are user-initiated (i.e., initiated by a person). Machine-to-
machine connections are not user-initiated and, therefore, are not
subject to the requirements of Reliability Standard CIP-005-5,
Requirement R2. When the interactive remote access management controls
of Reliability Standard CIP-005-5, Requirement R2 do not apply, a
machine-to-machine remote communication may access a BES Cyber System
without any access credentials, over an unencrypted channel, and
without going through an Intermediate System.
79. For both Interactive Remote Access and machine-to-machine
remote access, Reliability Standard CIP-007-6, Requirement R3 requires
monitoring for malicious code and Requirement R4 requires logging of
successful and unsuccessful login attempts, as well as logging detected
malicious code. However, Reliability Standard CIP-007-6 does not
address the risks posed by inappropriate activity that could occur
during a remote communication. The lack of a requirement addressing the
detection of inappropriate activity represents a risk because the
responsible entity may not be aware if an authorized user is performing
inappropriate activity on a BES Cyber Asset via a remote connection.
This risk is higher for machine-to-machine communication due to the
lack of authentication and encryption requirements in the existing CIP
Reliability Standards, lowering the threshold for a malicious actor to
execute a man-in-the-middle attack to gain access to a BES Cyber System
and conduct inappropriate activity such as reconnaissance or code
modification.
80. Therefore, we recognize that the current CIP Reliability
Standards do contain certain controls addressing the risks posed by
vendor remote access, as noted by commenters. However, the current CIP
Reliability Standards do not require monitoring remote access sessions
or closing unsafe remote connections for either vendor Interactive
Remote Access and vendor machine-to-machine remote access. Accordingly,
we determine that vendor remote access is not adequately addressed in
the approved CIP Reliability Standards and, therefore, is an objective
that must be addressed in the supply chain management plans directed in
this final rule.
Information System Planning and Procurement
81. The existing CIP Reliability Standards do not address
information system planning. Recent cybersecurity incidents \112\ have
made it apparent that overall system planning is as important to
overall BES Cyber System security and reliability as any other
component of security architecture. In general, the CIP Reliability
Standards do not provide a framework for maintaining ongoing awareness
of information security, vulnerabilities, and threats to support
organization risk management decisions; \113\ nor do they address the
concept of integrating continuous improvement of organizational
security posture with supply chain risk management as recommended by
NIST SP 800-161.\114\ Based on the threats evidenced by recent
cybersecurity incidents, the absence of security considerations in
system lifecycle processes constitutes a gap in the CIP Reliability
Standards that could contribute to pervasive and systemic
vulnerabilities that threaten bulk electric system reliability.
---------------------------------------------------------------------------
\112\ See E-ISAC, Analysis of the Cyber Attack on the Ukrainian
Power Grid at 3 (March 18, 2016); see also Dell, Dell Security
Annual Threat Report (2015) at 7, https://software.dell.com/docs/2015-dell-security-annual-threat-report-white-paper-15657.pdf;
Olcott Technical Conference Comments at 2.
\113\ See NIST Special Publication 800-137, Information Security
Continuous Monitoring (ISCM) for Federal Information Systems and
Organizations at vi, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf.
\114\ NIST Special Publication 800-161 at 46.
---------------------------------------------------------------------------
82. The existing CIP Reliability Standards also do not provide for
procurement controls for industrial control system hardware, software,
and computing and networking services. As discussed above, procurement
controls are intended to address the threat that responsible entities
could enter into contracts with vendors who pose significant risks to
their information systems or procure products that fail to
[[Page 49890]]
meet minimum security criteria, as well as the risk that a compromised
vendor would not provide adequate notice and related incident response
to responsible entities with whom that vendor is connected.
83. With regard to commenters' suggestion that the Commission
direct NERC to develop cybersecurity procurement guidance documents as
opposed to a mandatory Reliability Standard, we agree that the
voluntary efforts identified by commenters could provide guidance or
otherwise inform NERC's standard development process. We conclude,
however, that relying on voluntary guidelines to address the supply
chain risks described above is not sufficient to fulfill the
Commission's responsibilities under FPA section 215.
4. Vendor Risk Management and Procurement Controls
Comments
84. NERC, G&T Cooperatives, Arkansas and others state that
responsible entities have limited influence over vendors and
contractors, and, therefore, a limited ability to affect the supply
chain for industrial control system hardware, software, and computing
and networking services associated with bulk electric system
operations.\115\ NERC contends that any supply chain management
Reliability Standard ``must balance the reliability need to implement
supply chain management security controls with entities' business need
to obtain products and services at a reasonable cost.'' \116\ NERC
maintains that responsible entities lack bargaining power to persuade
vendors or suppliers to implement cybersecurity controls without
significantly increasing the cost of their products or services. NERC
points to NIST SP 800-161 to highlight that implementing supply chain
security management controls ``will require financial and human
resources, not just from the [acquirer] directly but also potentially
from their system integrators, suppliers, and external service
providers that would also result in increased cost to the acquirer.''
\117\
---------------------------------------------------------------------------
\115\ NERC NOPR Comments at 11-12; G&T Cooperatives NOPR
Comments at 9; Arkansas NOPR Comments at 5.
\116\ NERC NOPR Comments at 11-12.
\117\ Id. (citing NIST Special Publication 800-161 at 3).
---------------------------------------------------------------------------
85. G&T Cooperatives contend that they ``have minimal control over
their suppliers and are not able to identify all potential
vulnerabilities associated with each and every supplier and their
products/parts.'' \118\ G&T Cooperatives and Arkansas maintain that
responsible entities do not have the ability to force a vendor to
address all potential vulnerabilities. G&T Cooperatives assert that
even if a contract between a responsible entity and a supplier ``could
include'' language requiring the supplier to implement security
controls, ``it is not feasible for contractual terms . . . to address
all potential vulnerabilities related to supply chain management.''
\119\
---------------------------------------------------------------------------
\118\ G&T Cooperatives NOPR Comments at 9.
\119\ Id. at 9.
---------------------------------------------------------------------------
86. NERC, Trade Associations, G&T Cooperatives and Arkansas also
raise a concern that the Commission's proposal could place compliance
risk on responsible entities for actions beyond their control and,
ultimately, incent responsible entities to avoid upgrades that could
trigger such compliance risk.\120\ NERC states that any supply chain
management Reliability Standard should be drafted so that it ``creates
affirmative obligations to implement supply chain management security
controls without holding entities strictly liable for any failure of
those controls to eliminate all supply chain threats and
vulnerabilities.'' \121\ NERC explains that if a supply chain
management Reliability Standard is not reasonably scoped to avoid
unreasonable compliance risk, it could create a disincentive for
responsible entities to purchase and install new technologies and
equipment.
---------------------------------------------------------------------------
\120\ NERC NOPR Comments at 13; Trade Associations NOPR Comments
at 24-25; G&T Cooperatives NOPR Comments at 9-10; Arkansas NOPR
Comments at 6.
\121\ NERC NOPR Comments at 13.
---------------------------------------------------------------------------
87. G&T Cooperatives state that ``placing the compliance risk of
vendor and supplier security vulnerability on Responsible Entities
could incent Responsible Entities to avoid upgrades to their industrial
control system hardware, software, and other services.'' G&T
Cooperatives explain that there are three primary incentives for a
responsible entity to avoid upgrades if faced with compliance risks:
(1) New regulations would result in additional costs for vendors and
suppliers that would be passed on to the end-user; (2) since security
patches are not issued by vendors for unsupported hardware and
software, there is less security patch management responsibility for
the responsible entity; and (3) avoiding new hardware and software
reduces the risk of introducing undetected security threats.\122\
---------------------------------------------------------------------------
\122\ G&T Cooperatives NOPR Comments at 9.
---------------------------------------------------------------------------
Discussion
88. Our directive to NERC to develop a new or modified Reliability
Standard that addresses the objectives outlined above balances the
supply chain risks facing the bulk electric system against any
potential challenges raised by vendor relationships. We believe that
the concerns raised in comments with respect to responsible entities'
relationships with vendors in relation to supply chain risks are valid.
Our directive is informed by this concern and reflects a reasonable
balance between the risks facing bulk electric system reliability from
the supply chain and concerns over vendor relationships. The directive
strikes this balance by addressing supply chain risks that are within
responsible entities' control, and we do not expect a new or modified
supply chain Reliability Standard to impose obligations directly on
vendors. Moreover, entities will not be responsible for vendor errors
beyond the scope of the controls implemented to comply with the
Reliability Standards.
89. With respect to concerns that the Commission's proposal could
place compliance risk on responsible entities for actions beyond their
control, which some commenters argue would prompt responsible entities
to avoid upgrades that could trigger such compliance risk, we reiterate
that the intent of the directive is to address supply chain risks that
are within the responsible entities' control. As part of NERC's
standard development process, we expect NERC to establish provisions
addressing compliance obligations in a manner that avoids shifting
liability from a vendor for its mistakes to a responsible entity.
Finally, we view the argument that a new or modified Reliability
Standard will result in a substantial increase in costs to be
speculative because, beyond requiring NERC to address the four
objectives discussed above, or some equally effective and efficient
alternatives, our directive does not require NERC to develop a
Reliability Standard that mandates any particular controls or actions.
III. Information Collection Statement
90. The Paperwork Reduction Act (PRA) \123\ requires each federal
agency to seek and obtain Office of Management and Budget (OMB)
approval before undertaking a collection of information directed to ten
or more persons or contained in a rule of general applicability. OMB
regulations \124\ require approval of certain information collection
requirements imposed by agency rules. Upon approval of a collection of
information, OMB will
[[Page 49891]]
assign an OMB control number and an expiration date. Respondents
subject to the filing requirements of an agency rule will not be
penalized for failing to respond to the collection of information
unless the collection of information displays a valid OMB control
number.
---------------------------------------------------------------------------
\123\ 44 U.S.C. 3507(d).
\124\ 5 CFR 1320.
---------------------------------------------------------------------------
91. The Commission will submit the information collection
requirements to OMB for its review and approval. The Commission
solicits public comments on its need for this information, whether the
information will have practical utility, the accuracy of burden and
cost estimates, ways to enhance the quality, utility, and clarity of
the information to be collected or retained, and any suggested methods
for minimizing respondents' burden, including the use of automated
information techniques.
92. The information collection requirements in this Final Rule in
Docket No. RM15-14-002 for NERC to develop a new or to modify a
Reliability Standard for supply chain risk management, should be part
of FERC-725 (Certification of Electric Reliability Organization;
Procedures for Electric Reliability Standards (OMB Control No. 1902-
0225)). However, there is an unrelated item which is currently pending
OMB review under FERC-725, and only one item per OMB Control No. can be
pending OMB review at a time. Therefore, the requirements in this Final
Rule in RM15-14-002 are being submitted under a new temporary or
interim collection number FERC-725(1A) to ensure timely submittal to
OMB. In the long-term, Commission staff plans to administratively move
the requirements and associated burden of FERC-725(1A) to FERC-725.
93. Burden Estimate and Information Collection Costs: The
requirements for the ERO to develop Reliability Standards and to
provide data to the Commission are included in the existing FERC-725.
FERC-725 includes information used by the Commission to implement the
statutory provisions of section 215 of the FPA. FERC-725 includes the
burden, reporting and recordkeeping requirements associated with: (a)
Self-Assessment and ERO Application, (b) Reliability Assessments, (c)
Reliability Standards Development, (d) Reliability Compliance, (e)
Stakeholder Survey, and (f) Other Reporting. In addition, the Final
Rule will not result in a substantive increase in burden because this
requirement to develop standards is covered under FERC-725. However
because FERC is using the temporary information collection number,
FERC-725(1A), FERC will use ``placeholder'' estimates of 1 response and
1 burden hour for the burden calculation.
IV. Regulatory Flexibility Act Analysis
94. The Regulatory Flexibility Act of 1980 (RFA) \125\ generally
requires a description and analysis of final rules that will have
significant economic impact on a substantial number of small entities.
The Small Business Administration (SBA) revised its size standard
(effective January 22, 2014) for electric utilities from a standard
based on megawatt hours to a standard based on the number of employees,
including affiliates.\126\ The entities subject to the Reliability
Standards developed by the North American Electric Reliability
Corporation (NERC) include users, owners, and operators of the Bulk-
Power System, which serves more than 334 million people. In addition,
NERC's current responsibilities include the development of Reliability
Standards. Accordingly, the Commission certifies that the requirements
in this Final Rule will not have a significant economic impact on a
substantial number of small entities, and no regulatory flexibility
analysis is required.
---------------------------------------------------------------------------
\125\ 5 U.S.C. 601-612.
\126\ SBA Final Rule on ``Small Business Size Standards:
Utilities,'' 78 FR 77,343 (Dec. 23, 2013).
---------------------------------------------------------------------------
V. Environmental Analysis
95. The Commission is required to prepare an Environmental
Assessment or an Environmental Impact Statement for any action that may
have a significant adverse effect on the human environment.\127\ The
Commission has categorically excluded certain actions from this
requirement as not having a significant effect on the human
environment. Included in the exclusion are rules that are clarifying,
corrective, or procedural or that do not substantially change the
effect of the regulations being amended.\128\ The actions proposed
herein fall within this categorical exclusion in the Commission's
regulations.
---------------------------------------------------------------------------
\127\ Regulations Implementing the National Environmental Policy
Act of 1969, Order No. 486, FERC Stats. & Regs. ] 30,783 (1987).
\128\ 18 CFR 380.4(a)(2)(ii).
---------------------------------------------------------------------------
VI. Effective Date and Congressional Notification
96. This Final Rule is effective September 27, 2016. The Commission
has determined, with the concurrence of the Administrator of the Office
of Information and Regulatory Affairs of OMB, that this rule is not a
``major rule'' as defined in section 351 of the Small Business
Regulatory Enforcement Fairness Act of 1996. This Final Rule is being
submitted to the Senate, House, and Government Accountability Office.
VII. Document Availability
97. In addition to publishing the full text of this document in the
Federal Register, the Commission provides all interested persons an
opportunity to view and/or print the contents of this document via the
Internet through the Commission's Home Page (https://www.ferc.gov) and
in the Commission's Public Reference Room during normal business hours
(8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE., Room 2A,
Washington, DC 20426.
98. From the Commission's Home Page on the Internet, this
information is available on eLibrary. The full text of this document is
available on eLibrary in PDF and Microsoft Word format for viewing,
printing, and/or downloading. To access this document in eLibrary, type
the docket number of this document, excluding the last three digits, in
the docket number field.
User assistance is available for eLibrary and the Commission's Web
site during normal business hours from the Commission's Online Support
at (202) 502-6652 (toll free at 1-866-208-3676) or email at
ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at
public.referenceroom@ferc.gov.
By the Commission.
Issued: July 21, 2016.
Nathaniel J. Davis, Sr.,
Deputy Secretary.
Note: The following Appendix will not appear in the Code of
Federal Regulations.
Appendix--Commenters
------------------------------------------------------------------------
Abbreviation Commenter
------------------------------------------------------------------------
AEP............................... American Electric Power Service
Corporation.
ACS............................... Applied Control Solutions, LLC.
APS............................... Arizona Public Service Company.
[[Page 49892]]
Arkansas.......................... Arkansas Electric Cooperative.
BPA............................... Bonneville Power Administration.
CEA............................... Canadian Electricity Association.
Consumers Energy.................. Consumers Energy Company.
CyberArk.......................... CyberArk.
EnergySec......................... Energy Sector Security Consortium,
Inc.
Ericsson.......................... Ericsson.
Resilient Societies............... Foundation for Resilient Societies.
G&T Cooperatives.................. Associated Electric Cooperative,
Inc., Basin Electric Power
Cooperative, and Tri-State
Generation and Transmission
Association, Inc.
Gridwise.......................... Gridwise Alliance.
Idaho Power....................... Idaho Power Company.
Indegy............................ Indegy.
IESO.............................. Independent Electricity System
Operator.
IRC............................... ISO/RTO Council.
ISO New England................... ISO New England Inc.
ITC............................... ITC Companies.
Isologic.......................... Isologic, LLC.
KCP&L............................. Kansas City Power & Light Company
and KCP&L Greater Missouri
Operations Company.
Luminant.......................... Luminant Generation Company, LLC.
NEMA.............................. National Electrical Manufacturers
Association.
NERC.............................. North American Electric Reliability
Corporation.
NextEra........................... NextEra Energy, Inc.
NIPSCO............................ Northern Indiana Public Service Co.
NWPPA............................. Northwest Public Power Association.
Peak.............................. Peak Reliability.
PNM............................... PNM Resources.
Reclamation....................... Department of Interior Bureau of
Reclamation.
SIA............................... Security Industry Association.
SCE............................... Southern California Edison Company.
Southern.......................... Southern Company Services.
SPP RE............................ Southwest Power Pool Regional
Entity.
SWP............................... California Department of Water
Resources State Water Project.
TVA............................... Tennessee Valley Authority.
Trade Associations................ Edison Electric Institute, American
Public Power Association, National
Rural Electric Cooperative
Association, Electric Power Supply
Association, Transmission Access
Policy Study Group, and Large
Public Power Council.
UTC............................... Utilities Telecom Council.
Waterfall......................... Waterfall Security Solutions, Ltd.
Wisconsin......................... Wisconsin Electric Power Company.
------------------------------------------------------------------------
UNITED STATES OF AMERICA
FEDERAL ENERGY REGULATORY COMMISSION
Revised Critical Infrastructure Protection, Reliability Standards
Docket No. RM15-14-002
(Issued July 21, 2016)
LaFLEUR, Commissioner dissenting:
In today's order, the Commission elects to proceed directly to a
Final Rule and require the development of a new reliability standard
on supply chain risk management for industrial control system
hardware, software, and computing and networking services associated
with bulk electric system operations. I fully support the
Commission's continued attention to the threat of inadequate supply
chain risk management procedures, which pose a very real threat to
grid reliability.
However, in my view, the importance and complexity of this issue
should guide the Commission to proceed cautiously and thoughtfully
in directing the development of a reliability standard to address
these threats. I am concerned that the Commission has not adequately
considered or vetted the Final Rule, which could hamper the
development and implementation of an effective, auditable, and
enforceable standard. I believe that the more prudent course of
action would be to issue today's Final Rule as a Supplemental Notice
of Proposed Rulemaking (Supplemental NOPR), which would provide
NERC, industry, and stakeholders the opportunity to comment on the
Commission's proposed directives. Accordingly, and as discussed
below, I dissent from today's order.\1\
---------------------------------------------------------------------------
\1\ I do agree with one holding in the order: That the
Commission has authority under section 215 of the Federal Power Act
to promulgate a standard on this issue.
---------------------------------------------------------------------------
I. The Commission's Decision To Proceed Directly to Final Rule Is
Flawed and Could Delay Protection of the Grid Against Supply Chain
Risks
Last July, as part of its NOPR addressing revisions to its
cybersecurity critical infrastructure protection (CIP) standards,
the Commission raised for the first time the prospect of directing
the development of a standard to address risks posed by lack of
controls for supply chain management.\2\ The Commission indicated
that new threats might warrant directing NERC to develop a standard
to address those risks. While the Commission noted a variety of
considerations that might shape the standard, including, among
others, jurisdictional limits and the individualized nature of
companies' supply chain management procedures, the Commission
notably did not propose a specific standard for comment. Instead,
the Commission sought comment on (1) the general proposal to require
a standard, (2) the anticipated features of, and requirements that
should be included in, such a standard, and (3) a reasonable
timeframe for development of a standard.\3\
---------------------------------------------------------------------------
\2\ Revised Critical Infrastructure Protection Reliability
Standards, Notice of Proposed Rulemaking, 80 FR 43,354 (July 22,
2015), 152 FERC ] 61,054 (2015). I will refer to the section of that
order addressing supply chain issues as the ``Supply Chain NOPR,''
and the remainder of the order as the ``CIP NOPR.''
\3\ Id. P 66.
---------------------------------------------------------------------------
The record developed in comments responding to the Supply Chain
NOPR and through the January 28, 2016 technical conference reflects
a wide diversity of views
[[Page 49893]]
regarding the need for, and possible content of, a reliability
standard addressing supply chain management. Notwithstanding these
diverse views, there was broad consensus on one point: That
effectively addressing cybersecurity threats in supply chain
management is tremendously complicated, due to a host of
jurisdictional, technical, economic, and business relationship
issues. Indeed, in the Supply Chain NOPR, the Commission recognized
``that developing a supply chain management standard would likely be
a significant undertaking and require extensive engagement with
stakeholders to define the scope, content, and timing of the
standard.'' \4\
---------------------------------------------------------------------------
\4\ Id.
---------------------------------------------------------------------------
Yet, the Commission is proceeding straight to a Final Rule
without in my view engaging in sufficient outreach regarding, or
adequately vetting, the contents of the Final Rule. As to those
contents, it is worth noting that the four objectives that will
define the scope and content of the standard were not identified in
the Supply Chain NOPR. Therefore, even though the Final Rule
reflects feedback received on the Supply Chain NOPR, and is not
obviously inconsistent with the Supply Chain NOPR, no party has yet
had an opportunity to comment on those objectives or consider how
they could be translated into an effective and enforceable
standard.\5\ This is a consequence of: (1) The lack of outreach on
supply chain threats prior to issuing the Supply Chain NOPR; (2) the
lack of detail in the Supply Chain NOPR regarding what a standard
might look like; and (3) the decision today to proceed straight to a
Final Rule rather than provide additional opportunities for public
feedback.
---------------------------------------------------------------------------
\5\ To be clear, I am less concerned about whether the Final
Rule satisfies minimal notice requirements than whether the Final
Rule represents reasoned decision making by the Commission.
---------------------------------------------------------------------------
A. The Commission and the Public's Consideration of Supply Chain Risks
Would Benefit From Additional Stakeholder Engagement
First, I believe that meaningful stakeholder input on the
content of any proposed rule is essential to the Commission's
deliberative process. This is especially important in our
reliability work, as any standard developed by NERC must be approved
by stakeholder consensus before it may be filed at the Commission. I
do not believe that the record developed to date establishes that
the Final Rule will lead to an appropriate solution to address
supply chain risks. I note that much of the feedback we received in
response to the Supply Chain NOPR was not focused on the merits of
particular approaches to address supply chain threats. Yet, in this
order, the Commission directs the development of a standard based on
objectives not reflected in the Supply Chain NOPR, depriving the
public of the ability to comment, and the Commission of the benefit
of that public comment.
In retrospect, given both the preliminary nature of the
consideration of the issue and the lack of a concrete idea regarding
what a proposed standard would look like, I believe that the Supply
Chain NOPR was, in substance, a de facto Notice of Inquiry and
should have been issued as such, rather than as a subsection of the
broader CIP NOPR on changes to the CIP standards. For example, it is
instructive to compare the Supply Chain NOPR with two other
documents: (1) The Notice of Inquiry being issued today on
cybersecurity issues arising from the recent incident in Ukraine,\6\
and (2) the NOPR concerning the proposed development of a
reliability standard to address geomagnetic disturbances.\7\ The
level of detail and consideration of the issues presented in the
Supply Chain NOPR are much more consistent with that in a Notice of
Inquiry than a traditional NOPR. As a result, I am concerned that
the Commission, by styling its prior action as a NOPR, has skipped a
critical step in the rulemaking process: The opportunity for public
comment on its directive to develop a standard and the objectives
that will frame the design and development of that standard. As
explained below, I believe this procedural decision actually makes
it less likely that an effective, auditable, and enforceable
standard will be implemented on a reasonable schedule, particularly
given the acknowledged complexity of this issue.\8\
---------------------------------------------------------------------------
\6\ Cyber Systems in Control Centers, Notice of Inquiry, Docket
No. RM16-18-000.
\7\ Reliability Standards for Geomagnetic Disturbances, Notice
of Proposed Rulemaking, 77 FR 64,935 (Oct. 24, 2012), 141 FERC
61,045 (2012).
\8\ I believe that Reliability Standards for Physical Security
Measures, 146 FERC ] 61,166 (2014) (Physical Security Directive
Order), which is cited in the Final Rule as support for today's
action, is primarily relevant to demonstrate a different point than
the order indicates. The Physical Security Directive Order followed
focused outreach with NERC and other stakeholders to discuss how a
physical security standard could be designed and implemented within
the parameters of section 215 of the Federal Power Act. As a result
of that outreach, the directives in the Physical Security Directive
Order were clear, targeted, and reflected shared priorities between
the Commission and NERC. Physical Security Directive Order, 146 FERC
] 61,166 at PP 6-9. Consequently, NERC was able to develop and file
a physical security standard with the Commission in less than three
months, and the Commission ultimately approved that standard in
November 2014, only roughly eight months after directing its
development. Physical Security Reliability Standard, 149 FERC ]
61,140 (2014). In my view, this example demonstrates how essential
outreach is to the timely and effective development of NERC
standards.
---------------------------------------------------------------------------
B. The Lack of Adequate Stakeholder Engagement Will Have Negative
Consequences for the Standards Development Process
I am also concerned about the consequences for the standards
development process of the Commission's decision to proceed straight
to a Final Rule. In particular, I am concerned that the combination
of insufficient process and discussion to develop the record and
inadequate time for standards development (since the Commission
substantially truncated NERC's suggested timeline) \9\ will handicap
NERC's ability to develop an effective and enforceable proposed
standard for the Commission to consider. As noted above, NERC,
industry, and other stakeholders will have no meaningful opportunity
before initiating their work to provide feedback on the contents of
the rule, to seek clarification from the Commission, or to propose
revisions to the rule. Yet, this type of feedback is a critical
component of the rulemaking process, to ensure that the entities
tasked with implementing the Commission's directive have been heard
and understand what they are supposed to do. I believe that the
Commission is essentially giving the standards development team a
homework assignment without adequately explaining what it expects
them to hand in.
---------------------------------------------------------------------------
\9\ In its comments responding to the Supply Chain NOPR, NERC
requested that, if the Commission decides to direct the development
of a standard, the Commission provide a minimum of two years for the
standards development process. However, the Commission disregards
that request and directs NERC to develop a standard in just one
year, apparently based solely on the Trade Associations' request
that the Commission allow at least one year for the standards
development process. I believe this timeline is inconsistent with
the Commission's own recognition of the complexity of this issue,
and, as discussed herein, likely to delay rather than expedite the
implementation of an effective, auditable, and enforceable standard.
---------------------------------------------------------------------------
I do not believe that the Final Rule's flexibility is a
justification for proceeding straight to a Final Rule. Indeed, given
the inadequate process to date, I fear that the flexibility is in
fact a lack of guidance and will therefore be a double-edged sword.
The Commission is issuing a general directive in the Final Rule, in
the hope that the standards team will do what the Commission clearly
could not do: translate general supply chain concerns into a clear,
auditable, and enforceable standard within the framework of section
215 of the Federal Power Act. While the Commission need not be
prescriptive in its standards directives, the Commission's order
assumes that the standards development team will be able to take the
``objectives'' of the Final Rule and translate them into a standard
that the Commission will ultimately find acceptable. I believe that
issuing a Supplemental NOPR would benefit the standards development
process by enabling additional discussion and feedback regarding the
design of a workable standard.
C. By Failing To Engage in Adequate Stakeholder Outreach Before
Directing Development of a Standard, the Commission Increases the
Likelihood That Implementation of a Standard Will Be Delayed
A compressed and possibly compromised standards development
process also has real consequences for the Commission's
consideration of that proposed standard, whenever it is filed for
our review. Unlike our authority under section 206 of the FPA, the
Commission lacks authority under section 215 to directly modify a
flawed reliability standard. Instead, to correct any flaws, the
statute requires that we remand the standard to NERC and the
standards development process.\10\ Thus, notwithstanding the
majority's desire to quickly proceed to Final Rule, the statutory
[[Page 49894]]
construct constrains our ability to timely address a flawed
standard, which could actually delay implementation of the
protections the Commission seeks to put in place.
---------------------------------------------------------------------------
\10\ 18 U.S.C. 824o(d)(4).
---------------------------------------------------------------------------
Given the realities of the standards development and approval
process, we are likely years away from a supply chain standard being
implemented, even under the aggressive schedule contemplated in the
order. I believe that the Commission should endeavor to provide as
much advance guidance as possible before mandating the development
of a standard, to increase the likelihood that NERC develops a
standard that will be satisfactory to the Commission and reduce the
need for a remand. I worry that the limited process that preceded
the Final Rule and the expedited timetable will make it extremely
difficult for NERC to file a standard that the Commission can
cleanly approve. Had the Commission committed itself to conducting
adequate outreach, I believe we could have mitigated the likelihood
of that outcome, and more effectively and promptly addressed the
supply chain threat in the long term. ``Delaying'' action for a few
months thus would, in the long run, lead to prompter and stronger
protection for the grid.
II. Conclusion
The choice the Commission faces today on supply chain risk
management is not between action and inaction. Rather, given the
importance of this issue, I believe that more considered action and
a more developed Commission order, even if delayed by a few months,
is better than a quick decision to ``do something.'' Ultimately, an
effective, auditable, and enforceable standard on supply chain
management will require thoughtful consideration of the complex
challenges of addressing cybersecurity threats posed through the
supply chain within the structure of the FERC/NERC reliability
process. In my view, the Commission gains very little and does not
meaningfully advance the security of the grid by proceeding straight
to a Final Rule, rather than taking the time to build a record to
support a workable standard.
Accordingly, I respectfully dissent.
Cheryl A. LaFleur,
Commissioner.
[FR Doc. 2016-17842 Filed 7-28-16; 8:45 am]
BILLING CODE 6717-01-P
