Petition of North American Electric Reliability Corporation (NERC) for Approval of Proposed Reliability Standard CIP-008-6-Cyber Security-Incident Reporting and Response Planning, 30105-30108 [2019-13587]
Federal Register / Vol. 84, No. 123 / Wednesday, June 26, 2019 / Notices
Filed Date: 6/20/19.
Accession Number: 20190620–5021.
Comments Due: 5 p.m. ET 7/11/19.
Docket Numbers: ER19–2208–000.
Applicants: Pacific Gas and Electric
Company.
Description: § 205(d) Rate Filing: First
Amendment to Llagas Energy Storage
SGIA (SA 387) to be effective 8/18/2019.
Filed Date: 6/19/19.
Accession Number: 20190619–5135.
Comments Due: 5 p.m. ET 7/10/19.
Docket Numbers: ER19–2209–000.
Applicants: Midcontinent
Independent System Operator, Inc.,
MidAmerican Energy Company.
Description: § 205(d) Rate Filing:
2019–06–20_SA 3322 ATXI–MEC–ITC
T–T (MVP 7) to be effective 6/20/2019.
Filed Date: 6/20/19.
Accession Number: 20190620–5018.
Comments Due: 5 p.m. ET 7/11/19.
Docket Numbers: ER19–2210–000.
Applicants: Midcontinent
Independent System Operator, Inc.
Description: § 205(d) Rate Filing:
2019–06–20_SA 3323 Prairie State
Solar-Ameren Illinois GIA (J808) to be
effective 6/6/2019.
Filed Date: 6/20/19.
Accession Number: 20190620–5033.
Comments Due: 5 p.m. ET 7/11/19.
Docket Numbers: ER19–2211–000.
Applicants: Southwestern Public
Service Company.
Description: § 205(d) Rate Filing: SPSMulti Pty-Kiowa IA–SPS 711–0.0.0 to be
effective 6/21/2019.
Filed Date: 6/20/19.
Accession Number: 20190620–5055.
Comments Due: 5 p.m. ET 7/11/19.
Docket Numbers: ER19–2212–000.
Applicants: CFE International LLC.
Description: § 205(d) Rate Filing:
normal filing 2019 to be effective 6/21/
2019.
Filed Date: 6/20/19.
Accession Number: 20190620–5068.
Comments Due: 5 p.m. ET 7/11/19.
Docket Numbers: ER19–2213–000.
Applicants: Florida Power & Light
Company.
Description: § 205(d) Rate Filing: FPL
and Seminole Rate Schedule No. 327
Revisions to Exhibit A to be effective
6/21/2019.
Filed Date: 6/20/19.
Accession Number: 20190620–5075.
Comments Due: 5 p.m. ET 7/11/19.
Docket Numbers: ER19–2214–000.
Applicants: Milford Wind Corridor
Phase I, LLC.
Description: Compliance filing:
Request for Cat. 1 Seller Status in the
SW Region & Revised MBR Tariff to be
effective 6/21/2019.
Filed Date: 6/20/19.
Accession Number: 20190620–5093.
Comments Due: 5 p.m. ET 7/11/19.
Docket Numbers: ER19–2215–000.
Applicants: Milford Wind Corridor
Phase II, LLC.
Description: § 205(d) Rate Filing:
Request for Cat. 1 Seller Status in the
SW Region & Revised MBR Tariff to be
effective 6/21/2019.
Filed Date: 6/20/19.
Accession Number: 20190620–5097.
Comments Due: 5 p.m. ET 7/11/19.
Docket Numbers: ER19–2216–000.
Applicants: Agua Caliente Solar, LLC.
Description: § 205(d) Rate Filing:
Revisions to Market-Based Rate Tariff
and Requests for Waivers to be effective
6/21/2019.
Filed Date: 6/20/19.
Accession Number: 20190620–5107.
Comments Due: 5 p.m. ET 7/11/19.
Take notice that the Commission
received the following electric securities
filings:
Docket Numbers: ES19–30–000.
Applicants: GridLiance West LLC.
Description: Amendment to May 17,
2019 Application [Revised Exhibit D]
under Section 204 of the Federal Power
Act for Authorization to Issue Securities
of GridLiance West LLC.
Filed Date: 6/20/19.
Accession Number: 20190620–5036.
Comments Due: 5 p.m. ET 7/1/19.
Docket Numbers: ES19–35–000.
Applicants: Michigan Electric
Transmission Company, LLC.
Description: Application under
Section 204 of the Federal Power Act for
Authorization to Issue Securities of
Michigan Electric Transmission
Company, LLC.
Filed Date: 6/19/19.
Accession Number: 20190619–5173.
Comments Due: 5 p.m. ET 7/10/19.
The filings are accessible in the
Commission’s eLibrary system by
clicking on the links or querying the
docket number.
Any person desiring to intervene or
protest in any of the above proceedings
must file in accordance with Rules 211
and 214 of the Commission’s
Regulations (18 CFR 385.211 and
385.214) on or before 5:00 p.m. Eastern
time on the specified comment date.
Protests may be considered, but
intervention is necessary to become a
party to the proceeding.
eFiling is encouraged. More detailed
information relating to filing
requirements, interventions, protests,
service, and qualifying facilities filings
can be found at: https://www.ferc.gov/
docs-filing/efiling/filing-req.pdf. For
other information, call (866) 208–3676
(toll free). For TTY, call (202) 502–8659.
Dated: June 20, 2019.
Nathaniel J. Davis, Sr.,
Deputy Secretary.
[FR Doc. 2019–13585 Filed 6–25–19; 8:45 am]
BILLING CODE 6717–01–P
DEPARTMENT OF ENERGY
Federal Energy Regulatory
Commission
[Docket No. RD19–3–000]
Petition of North American Electric
Reliability Corporation (NERC) for
Approval of Proposed Reliability
Standard CIP–008–6—Cyber Security—
Incident Reporting and Response
Planning
In Reply Refer to: North American
Electric Reliability Corporation, Docket
No. RD19–3–000.
North American Electric Reliability
Corporation, 1325 G Street NW, Suite
600, Washington, DC 20005.
Attention: Lauren Perotti, Marisa Hecht
Dear Ms. Perotti and Ms. Hecht:
1. On March 7, 2019, the North
American Electric Reliability
Corporation (NERC) filed a petition
requesting approval of proposed
Reliability Standard CIP–008–6 (Cyber
Security—Incident Reporting and
Response Planning). NERC also
requested approval of: (1) The
associated implementation plan,
violation risk factors and violation
severity levels; (2) the inclusion of
proposed revised definitions of ‘‘Cyber
Security Incident’’ and ‘‘Reportable
Cyber Security Incident’’ into the NERC
Glossary; 1 and (3) the retirement of
currently-effective Reliability Standard
CIP–008–5. For the reasons discussed
below, we grant the requested
approvals.
2. In Order No. 848, the Commission
directed NERC to enhance the
mandatory reporting of Cyber Security
Incidents.2 The Commission explained
that the currently-effective reporting
threshold, which only requires reporting
in cases where a Cyber Security Incident
has ‘‘compromised or disrupted one or
more reliability tasks,’’ may understate
the true scope of cyber-related threats to
the Bulk-Power System.3 To address
this reliability gap, pursuant to section
215(d)(5) of the Federal Power Act
(FPA), the Commission directed NERC
to develop and submit modifications to
1 Glossary of Terms Used in NERC Reliability
Standards (NERC Glossary).
2 Cyber Security Incident Reporting Reliability
Standards, Order No. 848, 164 FERC ¶ 61,033
(2018).
3 Id. PP 2–3.
the Reliability Standard to require the
reporting of Cyber Security Incidents
that compromise, or attempt to
compromise, a responsible entity’s
Electronic Security Perimeter (ESP) or
associated Electronic Access Control or
Monitoring Systems (EACMS).4 With
respect to EACMS, the Commission
directed that enhanced reporting should
apply, at a minimum, to EACMS that
perform the following functions: (1)
Authentication; (2) monitoring and
logging; (3) access control; (4)
Interactive Remote Access; and (5)
alerting.
3. The Commission also directed that
information in Cyber Security Incident
reports should include certain
minimum information to improve the
quality of reporting and allow for ease
of comparison by ensuring that each
report includes specified fields of
information.5 The Commission further
directed that filing deadlines for Cyber
Security Incident reports should be
established and that Cyber Security
Incident reports should be sent to the
Electricity Information Sharing and
Analysis Center (E–ISAC) and the
Department of Homeland Security
Industrial Control Systems Cyber
Emergency Response Team (ICS–CERT)
or any successor organization.
4. In its petition, NERC states that
proposed Reliability Standard CIP–008–
6 broadens the mandatory reporting of
Cyber Security Incidents and thus
addresses the concern that currently-effective Reliability Standard CIP–008–
5 may not encompass the full scope of
cyber-related threats to the Bulk-Power
System.6 As a predicate to the
augmented reporting requirements in
proposed Reliability Standard CIP–008–
6, NERC proposes revised NERC
Glossary definitions of Cyber Security
Incident and Reportable Cyber Security
Incident. NERC explains that, by
applying the revised definitions, Cyber
Security Incidents (i.e., attempts to
compromise) and Reportable Cyber
Security Incidents (i.e., actual
compromises) will be reported under
proposed Reliability Standard CIP–008–
6.
5. As proposed by NERC, the revised
Cyber Security Incident definition
includes events involving
4 16 U.S.C. 824o(d)(5) (2012).
5 The Commission identified the following
minimum fields of information to be reported: ‘‘(1)
the functional impact, where possible, that the
Cyber Security Incident achieved or attempted to
achieve; (2) the attack vector that was used to
achieve or attempted to achieve the Cyber Security
Incident; and (3) the level of intrusion that was
achieved or attempted or as a result of the Cyber
Security Incident.’’ Order No. 848, 164 FERC
¶ 61,033 at P 91.
6 NERC Petition at 3.
‘‘compromises or attempts to
compromise’’ ESPs, EACMS, and
Physical Security Perimeters (PSPs)
associated with high and medium
impact BES Cyber Systems and
‘‘disrupt[ion] or attempts to disrupt the
operation of a BES Cyber System.’’ 7
NERC contends that the proposed
definition of Cyber Security Incident
addresses the directives in Order No.
848 because, as discussed below, once
a responsible entity determines that an
event is a Cyber Security Incident, it
must comply with the requirements of
proposed Reliability Standard CIP–008–
6, including initiating its response plan
and reporting the incident to the E–
ISAC and, if subject to the jurisdiction
of the United States, the National
Cybersecurity and Communications
Integration Center (NCCIC), which is the
successor to ICS–CERT.
6. NERC’s proposed revisions to the
Reportable Cyber Security Incident
definition broaden the scope of
reportable events to include
compromises or disruptions of BES
Cyber Systems that perform one or more
reliability tasks as well as compromises
or disruptions to EACMS and ESPs
associated with high and medium
impact BES Cyber Systems. NERC
explains that responsible entities will be
required to report on a compromise of
a BES Cyber System even if it has not
affected performance of that BES Cyber
System’s tasks.8 For example, NERC
states that the revised definition would
require responsible entities to report on
malware installed on a BES Cyber Asset
component of a BES Cyber System that
performs one or more reliability tasks
regardless of whether the BES Cyber
System still operates. NERC indicates
that while the revised Reportable Cyber
Security Incident definition does not
encompass attempts to compromise,
under proposed Reliability Standard
CIP–008–6, attempts to compromise are
reported using the Cyber Security
Incident definition.
7. NERC states that proposed
Reliability Standard CIP–008–6,
Requirement R1, Parts 1.2.1 and 1.2.2
address the Order No. 848 directive to
broaden reporting on Cyber Security
Incidents to include those that ‘‘attempt
to compromise’’ an ESP or EACMS.9 In
proposed Requirement R1, Part 1.2.1,
each responsible entity must develop a
7 NERC indicates that the standard drafting team
included all EACMS within the proposed Cyber
Security Incident and Reportable Cyber Security
incident definitions because nearly all EACMS
associated with high and medium impact BES
Cyber Systems perform one of the functions
identified in Order No. 848. Id. at 13–14.
8 Id. at 15.
9 Id. at 18.
process that includes criteria to evaluate
and define attempts to compromise
applicable systems. Proposed
Requirement R1, Part 1.2.2 requires that
each responsible entity develop a
process that identifies whether a Cyber
Security Incident is an ‘‘attempt to
compromise’’ pursuant to the criteria
required by Part 1.2.1. NERC explains
that Parts 1.2.1 and 1.2.2 work together
to help ensure each responsible entity
first develops criteria for identifying an
attempt to compromise and then applies
the criteria during its Cyber Security
Incident identification process.10 NERC
maintains that proposed Parts 1.2.1 and
1.2.2 acknowledge the differences in
system architecture among responsible
entities and provide each responsible
entity with the flexibility to develop
criteria that reflect what it considers
‘‘suspicious.’’ NERC contends that the
benefit of such an approach, compared
to a one-size-fits-all approach, is that it
enables responsible entities to better
capture real attempts to compromise.11
8. Similar to the proposed revisions in
Requirement R1, NERC states that the
proposed revisions to Reliability
Standard CIP–008–6, Requirement R2
address the Commission’s directive in
Order No. 848 regarding attempts to
compromise.12 The proposed revisions
to Part 2.2 do so by requiring that
responsible entities use their Cyber
Security Incident response plans when
responding to a Cyber Security Incident
determined to be an attempt to
compromise applicable systems.
NERC contends that proposed
Reliability Standard CIP–008–6,
Requirement R4 addresses the
Commission’s directive to require that
responsible entities must send each
report and update to the E–ISAC and
ICS–CERT.13 Under proposed
Reliability Standard CIP–008–6,
Requirement R4, Part 4.1, responsible
entities are required to submit incident
reports for both Reportable Cyber
Security Incidents and Cyber Security
Incidents. In addition, proposed
Reliability Standard CIP–008–6
specifies that the report must contain:
(1) The functional impact; (2) the attack
vector used; and (3) the achieved or
attempted level of intrusion. Proposed
Reliability Standard CIP–008–6,
Requirement R4, Parts 4.2 and 4.3
include timelines for initial reports as
well as follow up reports to the E–ISAC
and NCCIC. NERC states that initial
reports for Reportable Cyber Security
Incidents must occur within one hour of
10 Id.
11 Id.
at 19.
at 20.
13 Id. at 22.
12 Id.
its determination. By contrast, NERC
indicates that once a responsible entity
has determined that a Cyber Security
Incident meets its criteria for an attempt
to compromise an applicable system, it
must report the Cyber Security Incident
by the end of the next calendar day.
NERC justifies the difference by
explaining that the ‘‘proposed
notification timelines appropriately
reflect the severity of the risk of the
respective incidents.’’ 14 Finally, if a
responsible entity does not include one
or more of the attributes in its initial
report because it was unknown at the
time of the initial reporting, it must
report the attributes within seven days
of determining the attribute.
9. Notice of NERC’s March 7, 2019
filing was published in the Federal
Register, 84 FR 10,061 (2019), with
interventions and protests due on or
before April 11, 2019. Pursuant to Rule
214 of the Commission’s Rules of
Practice and Procedure, 18 CFR 385.214
(2018), the timely, unopposed motions
to intervene serve to make the entities
that filed them parties to this
proceeding.15
10. Pursuant to section 215(d)(2) of
the FPA, we approve Reliability
Standard CIP–008–6, its associated
implementation plan, violation risk
factors and violation severity levels, and
the revised definitions of Cyber Security
Incident and Reportable Cyber Security
Incident.16 We determine that the
proposed Reliability Standard and
revised definitions satisfy the directive
in Order No. 848 to broaden mandatory
reporting to include Cyber Security
Incidents that compromise, or attempt
to compromise, a responsible entity’s
ESP or associated EACMS, as well as
modifications to specify the required
information in Cyber Security Incident
reports, their dissemination, and
deadlines for filing reports.
Information Collection Statement
11. In compliance with the
requirements of the Paperwork
Reduction Act of 1995, 44 U.S.C.
3506(c)(2)(A), the Commission is
soliciting public comment on revisions
to the information collection FERC–
725B (Mandatory Reliability Standards
for Critical Infrastructure Protection
(CIP) Reliability Standards), which will
be submitted to the Office of
Management and Budget (OMB) for a
review of the information collection
requirements. Comments on the
collection of information are due within
60 days of the date this order is
published in the Federal Register.
Respondents subject to the filing
requirements of this order will not be
penalized for failing to respond to these
collections of information unless the
collections of information display a
valid OMB control number.
12. Proposed Reliability Standard
CIP–008–6 requires Responsible
Entities 17 to broaden the mandatory
reporting of Cyber Security Incidents to
include compromises or attempts to
compromise BES Cyber Systems or their
associated ESPs or EACMS. The revised
Reliability Standard will not
significantly increase the reporting
burden on entities because it builds off
the currently-effective reporting
threshold by expanding it to address
reliability gaps, pursuant to section
215(d)(5) of the FPA.
13. Burden 18 Estimate: The
Commission estimates the changes in
the annual public reporting burden and
cost as indicated below.19
RD19–3–000—COMMISSION LETTER ORDER
[Mandatory Reliability Standards for Critical Infrastructure Protection Reliability Standards]

|  | Number of respondents & type of entity 20 (1) | Annual number of responses per respondent (2) | Total number of responses (1) * (2) = (3) | Average burden & cost per response 21 (4) | Total annual burden hours & total annual cost (3) * (4) = (5) | Cost per respondent ($) (5) ÷ (1) |
| --- | --- | --- | --- | --- | --- | --- |
| Update internal procedures to comply with augmented reporting requirements (one-time) 22 (CIP–008–6 R1–R4) | 288 | 1 | 288 | 50 hrs.; $4,050 | 14,400 hrs.; $1,166,400 | $4,050 |
| Annual cyber security incident plan review (ongoing) 23 (CIP–008–6 R2.1) | 288 | 1 | 288 | 10 hrs.; $810 | 2880 hrs.; $233,280 | 810 |
| Update cyber security incident plan per review findings (ongoing) (CIP–008–6 R3) | 288 | 1 | 288 | 10 hrs.; $810 | 2880 hrs.; $233,280 | 810 |
| Incident reporting burden (ongoing) (CIP–008–6 R4) | 288 | 12 | 3,456 | 12 hrs.; $972 | 3456 hrs.; $279,936 | 972 |
| Total (one-time) |  |  | 288 |  | 14,400 hrs.; $1,166,400 |  |
| Total (ongoing) |  |  | 4,032 |  | 9,216 hrs.; $746,496 |  |
14 Id. at 23.
15 On April 11, 2019, Public Citizen submitted
comments requesting that the Commission direct
NERC to require the mandatory public disclosure of
entity names in Notices of Penalty for violations of
Critical Infrastructure Protection Reliability
Standards. Public Citizen’s comments do not
address proposed Reliability Standard CIP–006–8 or
any other proposal contained in NERC’s petition,
and they are therefore outside the scope of this
proceeding.
16 16 U.S.C. 824o(d)(2).
17 ‘‘Responsible Entities’’ refers to Balancing
Authority (BA), Distribution Provider (DP),
Generator Operator (GOP), Generator Owner (GO),
Reliability Coordinator (RC), Transmission Operator
(TOP), and Transmission Owner (TO).
18 Burden is defined as the total time, effort, or
financial resources expended by persons to
generate, maintain, retain, or disclose or provide
information to or for a Federal agency. For further
explanation of what is included in the information
collection burden, refer to 5 CFR 1320.3.
19 For the Reliability Standard being retired in
Docket No. RD19–3–000, the baseline numbers for
respondents, burden, and cost are the same figures
as those in Order No. 848. The requirements and
burdens (from the Reliability Standard being
retired) are continuing in Reliability Standard CIP–
008–6, plus the additional requirements and
burdens as indicated in the table.
20 There are 1,414 unique registered entities in the
NERC compliance registry as of May 24, 2019. Of
this total, we estimate that 288 entities will face an
increased paperwork burden.
21 The loaded hourly wage figure (includes
benefits) is based on the average of the occupational
categories for 2017 found on the Bureau of Labor
Statistics website: https://www.bls.gov/oes/2017/
may/oessrci.htm.
Legal (Occupation Code: 23–0000): $143.68
Information Security Analysts (Occupation Code
15–1122): $61.55
Computer and Information Systems Managers
(Occupation Code: 11–3021): $96.51
Management (Occupation Code: 11–0000): $94.28
Electrical Engineer (Occupation Code: 17–2071):
$66.90
Management Analyst (Code: 43–0000): $63.32
These various occupational categories are
weighted as follows: [($94.28)(.10) + ($61.55)(.315)
+ ($66.90)(.02) + ($143.68)(.15) + ($96.51)(.10) +
($63.32)(.315)] = $81.30. The figure is rounded to
$81.00 for use in calculating wage figures in this
order.
22 One-time burdens apply in Year 1 only.
23 Ongoing burdens apply in Year 2 and beyond.
Title: FERC–725B, Mandatory
Reliability Standards for Critical
Infrastructure Protection (CIP)
Reliability Standards.
Action: Proposed revision to FERC–
725B information collection.
OMB Control No: 1902–0248.
Respondents: Responsible Entities.
Frequency of Responses: On occasion.
14. Necessity of the Information: This
order approves the requested
modifications to Reliability Standards
pertaining to critical infrastructure
protection. As discussed above, the
Commission approves Reliability
Standard CIP–008–6 pursuant to section
215(d)(2) of the FPA because it
improves upon the currently-effective
suite of CIP Reliability Standards.
15. Interested persons may obtain
information on the reporting
requirements by contacting the
following: Federal Energy Regulatory
Commission, 888 First Street NE,
Washington, DC 20426 [Attention: Ellen
Brown, Office of the Executive Director],
email: DataClearance@ferc.gov, Phone:
(202) 502–8663, fax: (202) 273–0873.
16. Comments (identified by Docket
No. RD19–3–000) concerning the
collection of information and the
associated burden estimate(s) may also
be sent by either of the following
methods: eFiling at Commission’s
website: https://www.ferc.gov/docs-filing/efiling.asp or Mail/Hand Delivery/
Courier: Federal Energy Regulatory
Commission, Secretary of the
Commission, 888 First Street NE,
Washington, DC 20426. Please refer to
FERC–725B, OMB Control No. 1902–
0248 in your submission.
17. All submissions must be formatted
and filed in accordance with submission
guidelines at: https://www.ferc.gov/help/
submission-guide.asp. For user
assistance, contact FERC Online
Support by email at ferconlinesupport@
ferc.gov, or by phone at: (866) 208–3676
(toll-free), or (202) 502–8659 for TTY.
By direction of the Commission.
Dated: June 20, 2019.
Nathaniel J. Davis, Sr.,
Deputy Secretary.
[FR Doc. 2019–13587 Filed 6–25–19; 8:45 am]
BILLING CODE 6717–01–P
DEPARTMENT OF ENERGY
Federal Energy Regulatory
Commission
Combined Notice of Filings
Take notice that the Commission has
received the following Natural Gas
Pipeline Rate and Refund Report filings:
Filings Instituting Proceedings
Docket Numbers: RP19–1322–000.
Applicants: NEXUS Gas
Transmission, LLC.
Description: § 4(d) Rate Filing: OBA
GTC Section 18 Cleanup Filing to be
effective 7/19/2019.
Filed Date: 6/19/19.
Accession Number: 20190619–5042.
Comments Due: 5 p.m. ET 7/1/19.
Docket Numbers: RP19–1323–000.
Applicants: BP Energy Company,
Petrohawk Energy Corporation.
Description: Joint Petition for
Temporary Waivers, et al. of BP Energy
Company, et al. under RP19–1323.
Filed Date: 6/19/19.
Accession Number: 20190619–5170.
Comments Due: 5 p.m. ET 6/26/19.
The filings are accessible in the
Commission’s eLibrary system by
clicking on the links or querying the
docket number.
Any person desiring to intervene or
protest in any of the above proceedings
must file in accordance with Rules 211
and 214 of the Commission’s
Regulations (18 CFR 385.211 and
385.214) on or before 5:00 p.m. Eastern
time on the specified comment date.
Protests may be considered, but
intervention is necessary to become a
party to the proceeding.
eFiling is encouraged. More detailed
information relating to filing
requirements, interventions, protests,
service, and qualifying facilities filings
can be found at: https://www.ferc.gov/
docs-filing/efiling/filing-req.pdf. For
other information, call (866) 208–3676
(toll free). For TTY, call (202) 502–8659.
Dated: June 20, 2019.
Nathaniel J. Davis, Sr.,
Deputy Secretary.
[FR Doc. 2019–13581 Filed 6–25–19; 8:45 am]
BILLING CODE 6717–01–P
ENVIRONMENTAL PROTECTION
AGENCY
[EPA–HQ–OECA–2012–0688; FRL–9995–
72–OMS]
Information Collection Request
Submitted to OMB for Review and
Approval; Comment Request; NESHAP
for Plastic Parts and Products Surface
Coating (Renewal)
AGENCY: Environmental Protection
Agency (EPA).
ACTION: Notice.
SUMMARY: The Environmental Protection
Agency (EPA) has submitted an
information collection request (ICR),
NESHAP for Plastic Parts and Products
Surface Coating (EPA ICR Number
2044.07, OMB Control Number 2060–
0537), to the Office of Management and
Budget (OMB) for review and approval
in accordance with the Paperwork
Reduction Act. This is a proposed
extension of the ICR, which is currently
approved through August 31, 2019.
Public comments were previously
requested, via the Federal Register, on
May 30, 2018 during a 60-day comment
period. This notice allows for an
additional 30 days for public comments.
A fuller description of the ICR is given
below, including its estimated burden
and cost to the public. An agency may
neither conduct nor sponsor, and a
person is not required to respond to, a
collection of information unless it
displays a currently valid OMB control
number.
DATES: Additional comments may be
submitted on or before July 26, 2019.
ADDRESSES: Submit your comments,
referencing Docket ID Number EPA–
HQ–OECA–2012–0688, to: (1) EPA
online using www.regulations.gov (our
preferred method), or by email to
docket.oeca@epa.gov, or by mail to: EPA
Docket Center, Environmental
Protection Agency, Mail Code 28221T,
1200 Pennsylvania Ave. NW,
Washington, DC 20460; and (2) OMB via
email to oira_submission@omb.eop.gov.
Address comments to OMB Desk Officer
for EPA.
EPA’s policy is that all comments
received will be included in the public
docket without change, including any
personal information provided, unless
the comment includes profanity, threats,
information claimed to be Confidential
Business Information (CBI), or other
information whose disclosure is
restricted by statute.
FOR FURTHER INFORMATION CONTACT:
Patrick Yellin, Monitoring, Assistance,
and Media Programs Division, Office of
Compliance, Mail Code 2227A,
Environmental Protection Agency, 1200
Pennsylvania Ave. NW, Washington, DC
20460; telephone number: (202) 564–
2970; fax number: (202) 564–0050;
email address: yellin.patrick@epa.gov.
SUPPLEMENTARY INFORMATION:
Supporting documents, which explain
in detail the information that the EPA
will be collecting, are available in the
public docket for this ICR. The docket
can be viewed online at
www.regulations.gov, or in person at the
EPA Docket Center, WJC West, Room
3334, 1301 Constitution Ave. NW,
Washington, DC. The telephone number
for the Docket Center is 202–566–1744.
For additional information about EPA’s
public docket, visit: https://
www.epa.gov/dockets.
[Federal Register Volume 84, Number 123 (Wednesday, June 26, 2019)]
[Notices]
[Pages 30105-30108]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-13587]
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
[Docket No. RD19-3-000]
Petition of North American Electric Reliability Corporation
(NERC) for Approval of Proposed Reliability Standard CIP-008-6--Cyber
Security--Incident Reporting and Response Planning
In Reply Refer to: North American Electric Reliability Corporation,
Docket No. RD19-3-000.
North American Electric Reliability Corporation, 1325 G Street NW,
Suite 600, Washington, DC 20005.
Attention: Lauren Perotti, Marisa Hecht
Dear Ms. Perotti and Ms. Hecht:
1. On March 7, 2019, the North American Electric Reliability
Corporation (NERC) filed a petition requesting approval of proposed
Reliability Standard CIP-008-6 (Cyber Security--Incident Reporting and
Response Planning). NERC also requested approval of: (1) The associated
implementation plan, violation risk factors and violation severity
levels; (2) the inclusion of proposed revised definitions of ``Cyber
Security Incident'' and ``Reportable Cyber Security Incident'' into the
NERC Glossary; \1\ and (3) the retirement of currently-effective
Reliability Standard CIP-008-5. For the reasons discussed below, we
grant the requested approvals.
---------------------------------------------------------------------------
\1\ Glossary of Terms Used in NERC Reliability Standards (NERC
Glossary).
---------------------------------------------------------------------------
2. In Order No. 848, the Commission directed NERC to enhance the
mandatory reporting of Cyber Security Incidents.\2\ The Commission
explained that the currently-effective reporting threshold, which only
requires reporting in cases where a Cyber Security Incident has
``compromised or disrupted one or more reliability tasks,'' may
understate the true scope of cyber-related threats to the Bulk-Power
System.\3\ To address this reliability gap, pursuant to section
215(d)(5) of the Federal Power Act (FPA), the Commission directed NERC
to develop and submit modifications to
[[Page 30106]]
the Reliability Standard to require the reporting of Cyber Security
Incidents that compromise, or attempt to compromise, a responsible
entity's Electronic Security Perimeter (ESP) or associated Electronic
Access Control or Monitoring Systems (EACMS).\4\ With respect to EACMS,
the Commission directed that enhanced reporting should apply, at a
minimum, to EACMS that perform the following functions: (1)
Authentication; (2) monitoring and logging; (3) access control; (4)
Interactive Remote Access; and (5) alerting.
---------------------------------------------------------------------------
\2\ Cyber Security Incident Reporting Reliability Standards,
Order No. 848, 164 FERC ¶ 61,033 (2018).
\3\ Id. PP 2-3.
\4\ 16 U.S.C. 824o(d)(5) (2012).
---------------------------------------------------------------------------
3. The Commission also directed that information in Cyber Security
Incident reports should include certain minimum information to improve
the quality of reporting and allow for ease of comparison by ensuring
that each report includes specified fields of information.\5\ The
Commission further directed that filing deadlines for Cyber Security
Incident reports should be established and that Cyber Security Incident
reports should be sent to the Electricity Information Sharing and
Analysis Center (E-ISAC) and the Department of Homeland Security
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) or
any successor organization.
---------------------------------------------------------------------------
\5\ The Commission identified the following minimum fields of
information to be reported: ``(1) the functional impact, where
possible, that the Cyber Security Incident achieved or attempted to
achieve; (2) the attack vector that was used to achieve or attempted
to achieve the Cyber Security Incident; and (3) the level of
intrusion that was achieved or attempted or as a result of the Cyber
Security Incident.'' Order No. 848, 164 FERC ¶ 61,033 at P 91.
---------------------------------------------------------------------------
4. In its petition, NERC states that proposed Reliability Standard
CIP-008-6 broadens the mandatory reporting of Cyber Security Incidents
and thus addresses the concern that currently-effective Reliability
Standard CIP-008-5 may not encompass the full scope of cyber-related
threats to the Bulk-Power System.\6\ As a predicate to the augmented
reporting requirements in proposed Reliability Standard CIP-008-6, NERC
proposes revised NERC Glossary definitions of Cyber Security Incident
and Reportable Cyber Security Incident. NERC explains that, by applying
the revised definitions, Cyber Security Incidents (i.e., attempts to
compromise) and Reportable Cyber Security Incidents (i.e., actual
compromises) will be reported under proposed Reliability Standard CIP-
008-6.
---------------------------------------------------------------------------
\6\ NERC Petition at 3.
---------------------------------------------------------------------------
5. As proposed by NERC, the revised Cyber Security Incident
definition includes events involving ``compromises or attempts to
compromise'' ESPs, EACMS, and Physical Security Perimeters (PSPs)
associated with high and medium impact BES Cyber Systems and
``disrupt[ion] or attempts to disrupt the operation of a BES Cyber
System.'' \7\ NERC contends that the proposed definition of Cyber
Security Incident addresses the directives in Order No. 848 because, as
discussed below, once a responsible entity determines that an event is
a Cyber Security Incident, it must comply with the requirements of
proposed Reliability Standard CIP-008-6, including initiating its
response plan and reporting the incident to the E-ISAC and, if subject
to the jurisdiction of the United States, the National Cybersecurity
and Communications Integration Center (NCCIC), which is the successor
to ICS-CERT.
---------------------------------------------------------------------------
\7\ NERC indicates that the standard drafting team included all
EACMS within the proposed Cyber Security Incident and Reportable
Cyber Security Incident definitions because nearly all EACMS
associated with high and medium impact BES Cyber Systems perform one
of the functions identified in Order No. 848. Id. at 13-14.
---------------------------------------------------------------------------
6. NERC's proposed revisions to the Reportable Cyber Security
Incident definition broaden the scope of reportable events to include
compromises or disruptions of BES Cyber Systems that perform one or
more reliability tasks as well as compromises or disruptions to EACMS
and ESPs associated with high and medium impact BES Cyber Systems. NERC
explains that responsible entities will be required to report on a
compromise of a BES Cyber System even if it has not affected
performance of that BES Cyber System's tasks.\8\ For example, NERC
states that the revised definition would require responsible entities
to report on malware installed on a BES Cyber Asset component of a BES
Cyber System that performs one or more reliability tasks regardless of
whether the BES Cyber System still operates. NERC indicates that while
the revised Reportable Cyber Security Incident definition does not
encompass attempts to compromise, under proposed Reliability Standard
CIP-008-6, attempts to compromise are reported using the Cyber Security
Incident definition.
---------------------------------------------------------------------------
\8\ Id. at 15.
---------------------------------------------------------------------------
7. NERC states that proposed Reliability Standard CIP-008-6,
Requirement R1, Parts 1.2.1 and 1.2.2 address the Order No. 848
directive to broaden reporting on Cyber Security Incidents to include
those that ``attempt to compromise'' an ESP or EACMS.\9\ In proposed
Requirement R1, Part 1.2.1, each responsible entity must develop a
process that includes criteria to evaluate and define attempts to
compromise applicable systems. Proposed Requirement R1, Part 1.2.2
requires that each responsible entity develop a process that identifies
whether a Cyber Security Incident is an ``attempt to compromise''
pursuant to the criteria required by Part 1.2.1. NERC explains that
Parts 1.2.1 and 1.2.2 work together to help ensure each responsible
entity first develops criteria for identifying an attempt to compromise
and then applies the criteria during its Cyber Security Incident
identification process.\10\ NERC maintains that proposed Parts 1.2.1
and 1.2.2 acknowledge the differences in system architecture among
responsible entities and provide each responsible entity with the
flexibility to develop criteria that reflect what it considers
``suspicious.'' NERC contends that the benefit of such an approach,
compared to a one-size-fits-all approach, is that it enables
responsible entities to better capture real attempts to compromise.\11\
---------------------------------------------------------------------------
\9\ Id. at 18.
\10\ Id.
\11\ Id. at 19.
---------------------------------------------------------------------------
8. Similar to the proposed revisions in Requirement R1, NERC states
that the proposed revisions to Reliability Standard CIP-008-6,
Requirement R2 address the Commission's directive in Order No. 848
regarding attempts to compromise.\12\ The proposed revisions to Part
2.2 do so by requiring that responsible entities use their Cyber
Security Incident response plans when responding to a Cyber Security
Incident determined to be an attempt to compromise applicable systems.
---------------------------------------------------------------------------
\12\ Id. at 20.
\13\ Id. at 22.
---------------------------------------------------------------------------
NERC contends that proposed Reliability Standard CIP-008-6,
Requirement R4 addresses the Commission's directive to require that
responsible entities must send each report and update to the E-ISAC and
ICS-CERT.\13\ Under proposed Reliability Standard CIP-008-6,
Requirement R4, Part 4.1, responsible entities are required to submit
incident reports for both Reportable Cyber Security Incidents and Cyber
Security Incidents. In addition, proposed Reliability Standard CIP-008-
6 specifies that the report must contain: (1) The functional impact;
(2) the attack vector used; and (3) the achieved or attempted level of
intrusion. Proposed Reliability Standard CIP-008-6, Requirement R4,
Parts 4.2 and 4.3 include timelines for initial reports as well as
follow-up reports to the E-ISAC and NCCIC. NERC states that initial
reports for Reportable Cyber Security Incidents must occur within one
hour of
its determination. By contrast, NERC indicates that once a responsible
entity has determined that a Cyber Security Incident meets its criteria
for an attempt to compromise an applicable system, it must report the
Cyber Security Incident by the end of the next calendar day. NERC
justifies the difference by explaining that the ``proposed notification
timelines appropriately reflect the severity of the risk of the
respective incidents.'' \14\ Finally, if a responsible entity does not
include one or more of the attributes in its initial report because it
was unknown at the time of the initial reporting, it must report the
attributes within seven days of determining the attribute.
---------------------------------------------------------------------------
\14\ Id. at 23.
---------------------------------------------------------------------------
9. Notice of NERC's March 7, 2019 filing was published in the
Federal Register, 84 FR 10,061 (2019), with interventions and protests
due on or before April 11, 2019. Pursuant to Rule 214 of the
Commission's Rules of Practice and Procedure, 18 CFR 385.214 (2018),
the timely, unopposed motions to intervene serve to make the entities
that filed them parties to this proceeding.\15\
---------------------------------------------------------------------------
\15\ On April 11, 2019, Public Citizen submitted comments
requesting that the Commission direct NERC to require the mandatory
public disclosure of entity names in Notices of Penalty for
violations of Critical Infrastructure Protection Reliability
Standards. Public Citizen's comments do not address proposed
Reliability Standard CIP-006-8 or any other proposal contained in
NERC's petition, and they are therefore outside the scope of this
proceeding.
---------------------------------------------------------------------------
10. Pursuant to section 215(d)(2) of the FPA, we approve
Reliability Standard CIP-008-6, its associated implementation plan,
violation risk factors and violation severity levels, and the revised
definitions of Cyber Security Incident and Reportable Cyber Security
Incident.\16\ We determine that the proposed Reliability Standard and
revised definitions satisfy the directive in Order No. 848 to broaden
mandatory reporting to include Cyber Security Incidents that
compromise, or attempt to compromise, a responsible entity's ESP or
associated EACMS, as well as modifications to specify the required
information in Cyber Security Incident reports, their dissemination,
and deadlines for filing reports.
---------------------------------------------------------------------------
\16\ 16 U.S.C. 824o(d)(2).
---------------------------------------------------------------------------
Information Collection Statement
11. In compliance with the requirements of the Paperwork Reduction
Act of 1995, 44 U.S.C. 3506(c)(2)(A), the Commission is soliciting
public comment on revisions to the information collection FERC-725B
(Mandatory Reliability Standards for Critical Infrastructure Protection
(CIP) Reliability Standards), which will be submitted to the Office of
Management and Budget (OMB) for a review of the information collection
requirements. Comments on the collection of information are due within
60 days of the date this order is published in the Federal Register.
Respondents subject to the filing requirements of this order will not
be penalized for failing to respond to these collections of information
unless the collections of information display a valid OMB control
number.
12. Proposed Reliability Standard CIP-008-6 requires Responsible
Entities \17\ to broaden the mandatory reporting of Cyber Security
Incidents to include compromises or attempts to compromise BES Cyber
Systems or their associated ESPs or EACMS. The revised Reliability
Standard will not significantly increase the reporting burden on
entities because it builds off the currently-effective reporting
threshold by expanding it to address reliability gaps, pursuant to
section 215(d)(5) of the FPA.
---------------------------------------------------------------------------
\17\ ``Responsible Entities'' refers to Balancing Authority
(BA), Distribution Provider (DP), Generator Operator (GOP),
Generator Owner (GO), Reliability Coordinator (RC), Transmission
Operator (TOP), and Transmission Owner (TO).
---------------------------------------------------------------------------
13. Burden \18\ Estimate: The Commission estimates the changes in
the annual public reporting burden and cost as indicated below.\19\
---------------------------------------------------------------------------
\18\ Burden is defined as the total time, effort, or financial
resources expended by persons to generate, maintain, retain, or
disclose or provide information to or for a Federal agency. For
further explanation of what is included in the information
collection burden, refer to 5 CFR 1320.3.
\19\ For the Reliability Standard being retired in Docket No.
RD19-3-000, the baseline numbers for respondents, burden, and cost
are the same figures as those in Order No. 848. The requirements and
burdens (from the Reliability Standard being retired) are continuing
in Reliability Standard CIP-008-6, plus the additional requirements
and burdens as indicated in the table.
\20\ There are 1,414 unique registered entities in the NERC
compliance registry as of May 24, 2019. Of this total, we estimate
that 288 entities will face an increased paperwork burden.
\21\ The loaded hourly wage figure (includes benefits) is based
on the average of the occupational categories for 2017 found on the
Bureau of Labor Statistics website: https://www.bls.gov/oes/2017/may/oessrci.htm.
Legal (Occupation Code: 23-0000): $143.68
Information Security Analysts (Occupation Code 15-1122): $61.55
Computer and Information Systems Managers (Occupation Code: 11-
3021): $96.51
Management (Occupation Code: 11-0000): $94.28
Electrical Engineer (Occupation Code: 17-2071): $66.90
Management Analyst (Code: 43-0000): $63.32
These various occupational categories are weighted as follows:
[($94.28)(.10) + ($61.55)(.315) + ($66.90)(.02) + ($143.68)(.15) +
($96.51)(.10) + ($63.32)(.315)] = $81.30. The figure is rounded to
$81.00 for use in calculating wage figures in this order.
\22\ One-time burdens apply in Year 1 only.
\23\ Ongoing burdens apply in Year 2 and beyond.
RD19-3-000--Commission Letter Order
[Mandatory Reliability Standards for Critical Infrastructure Protection Reliability Standards]
-------------------------------------------------------------------------------------------------------------------------------------------------
                                  Number of       Annual number   Total number     Average burden &    Total annual burden hours   Cost per
                                  respondents &   of responses    of responses     cost per response   & total annual cost         respondent ($)
                                  type of entity  per respondent                   \21\
                                  \20\
                                  (1)             (2)             (1) * (2) = (3)  (4)                 (3) * (4) = (5)             (5) / (1)
-------------------------------------------------------------------------------------------------------------------------------------------------
Update internal procedures to     288             1               288              50 hrs.; $4,050     14,400 hrs.; $1,166,400     $4,050
comply with augmented reporting
requirements (one-time) \22\
(CIP-008-6 R1-R4).
Annual cyber security incident    288             1               288              10 hrs.; $810       2880 hrs.; $233,280         810
plan review (ongoing) \23\
(CIP-008-6 R2.1).
Update cyber security incident    288             1               288              10 hrs.; $810       2880 hrs.; $233,280         810
plan per review findings
(ongoing) (CIP-008-6 R3).
Incident reporting burden         288             12              3,456            12 hrs.; $972       3456 hrs.; $279,936         972
(ongoing) (CIP-008-6 R4).
-------------------------------------------------------------------------------------------------------------------------------------------------
Total (one-time)                                                  288                                  14,400 hrs.; $1,166,400
-------------------------------------------------------------------------------------------------------------------------------------------------
Total (ongoing)                                                   4,032                                9,216 hrs.; $746,496
-------------------------------------------------------------------------------------------------------------------------------------------------
Title: FERC-725B, Mandatory Reliability Standards for Critical
Infrastructure Protection (CIP) Reliability Standards.
Action: Proposed revision to FERC-725B information collection.
OMB Control No: 1902-0248.
Respondents: Responsible Entities.
Frequency of Responses: On occasion.
14. Necessity of the Information: This order approves the requested
modifications to Reliability Standards pertaining to critical
infrastructure protection. As discussed above, the Commission approves
Reliability Standard CIP-008-6 pursuant to section 215(d)(2) of the FPA
because it improves upon the currently-effective suite of CIP
Reliability Standards.
15. Interested persons may obtain information on the reporting
requirements by contacting the following: Federal Energy Regulatory
Commission, 888 First Street NE, Washington, DC 20426 [Attention: Ellen
Brown, Office of the Executive Director], email:
[email protected], Phone: (202) 502-8663, fax: (202) 273-0873.
16. Comments (identified by Docket No. RD19-3-000) concerning the
collection of information and the associated burden estimate(s) may
also be sent by either of the following methods: eFiling at
Commission's website: https://www.ferc.gov/docs-filing/efiling.asp or
Mail/Hand Delivery/Courier: Federal Energy Regulatory Commission,
Secretary of the Commission, 888 First Street NE, Washington, DC 20426.
Please refer to FERC-725B, OMB Control No. 1902-0248 in your
submission.
17. All submissions must be formatted and filed in accordance with
submission guidelines at: https://www.ferc.gov/help/submission-guide.asp. For user assistance, contact FERC Online Support by email at
[email protected], or by phone at: (866) 208-3676 (toll-free),
or (202) 502-8659 for TTY.
By direction of the Commission.
Dated: June 20, 2019.
Nathaniel J. Davis, Sr.,
Deputy Secretary.
[FR Doc. 2019-13587 Filed 6-25-19; 8:45 am]