81 FR 49641 - Cyber Systems in Control Centers
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission Federal Register Volume 81, Issue 145 (July 28, 2016)
Federal Energy Regulatory Commission
Federal Register Volume 81, Issue 145 (July 28, 2016)
| Page Range | 49641-49644 | |
| FR Document | 2016-17854 |
[Federal Register Volume 81, Number 145 (Thursday, July 28, 2016)] [Notices] [Pages 49641-49644] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2016-17854] ----------------------------------------------------------------------- DEPARTMENT OF ENERGY Federal Energy Regulatory Commission [Docket No. RM16-18-000] Cyber Systems in Control Centers AGENCY: Federal Energy Regulatory Commission, Department of Energy. ACTION: Notice of Inquiry. ----------------------------------------------------------------------- SUMMARY: In this Notice of Inquiry, the Federal Energy Regulatory Commission seeks comment on possible modifications to the Critical Infrastructure Protection Reliability Standards regarding the cybersecurity of Control Centers used to monitor and control the bulk electric system in real time. DATES: Comments are due September 26, 2016. ADDRESSES: You may submit comments, identified by docket number and in accordance with the requirements posted on the Commission's Web site, http://www.ferc.gov. Comments may be submitted by any of the following methods:Agency Web site: Documents created electronically using word processing software should be filed in native applications or print-to-PDF format and not in a scanned format, at http://www.ferc.gov/docs-filing/efiling.asp. Mail/Hand Delivery: Those unable to file electronically must mail or hand deliver comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE., Washington, DC 20426. Instructions: For detailed instructions on submitting comments and additional information on the rulemaking process, see the Comment Procedures Section of this document. FOR FURTHER INFORMATION CONTACT: David DeFalaise (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, (202) 502-8180, [email protected] Robert T. Stroh (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, (202) 502-8473, [email protected] SUPPLEMENTARY INFORMATION: 1. In this Notice of Inquiry, pursuant to section 215 of the Federal Power Act (FPA),\1\ the Commission seeks comment on the need for, and possible effects of, modifications to the Critical Infrastructure Protection (CIP) Reliability Standards regarding the cybersecurity of Control Centers used to monitor and control the bulk electric system in real time.\2\ Cyber systems are used extensively for the operation and maintenance of interconnected transmission networks.\3\ A 2015 [[Page 49642]] cyberattack on the electric grid in Ukraine is an example of how cyber systems used to operate and maintain interconnected networks, unless adequately protected, may be vulnerable to cyberattack. While certain controls in the CIP Reliability Standards may reduce the risk of such attacks,\4\ the Commission seeks comment on whether additional controls should be required. --------------------------------------------------------------------------- \1\ 16 U.S.C. 824o. Section 215(a)(3) of the FPA defines ``Reliability Standard'' to include ``. . . requirements for the operation of existing bulk-power system facilities, including cybersecurity protection . . .'' \2\ NERC defines ``Control Center'' as ``[o]ne or more facilities hosting operating personnel that monitor and control the Bulk Electric System (BES) in realtime to perform the reliability tasks, including their associated data centers . . . .'' NERC Glossary of Terms Used in Reliability Standards (May 17, 2016) at 33 (NERC Glossary). \3\ Cyber systems are referred to as ``BES Cyber Systems'' in the CIP Reliability Standards. The NERC Glossary defines BES Cyber Systems as ``One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.'' NERC Glossary at 15. The NERC Glossary defines ``BES Cyber Asset'' as ``A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems.'' Id. \4\ See, e.g., Reliability Standard CIP-005-5 (Electronic Security Perimeter(s)), Requirement R2, which protects against unauthorized interactive remote access; Reliability Standard CIP- 006-6 (Physical Security of BES Cyber Systems), Requirement R2, which protects against unauthorized physical access and Reliability Standard CIP-007-6 (System Security Management), Requirement R3, which protects against malware. --------------------------------------------------------------------------- 2. Specifically, as discussed below, the Commission seeks comment on possible modifications to the CIP Reliability Standards--and any potential impacts on the operation of the Bulk-Power System resulting from such modifications--to address the following matters: (1) Separation between the Internet and BES Cyber Systems in Control Centers performing transmission operator functions; and (2) computer administration practices that prevent unauthorized programs from running, referred to as ``application whitelisting,'' for cyber systems in Control Centers. I. Background 3. On January 28, 2008, the Commission approved an initial set of eight CIP Reliability Standards pertaining to cybersecurity.\5\ In addition, the Commission directed NERC to develop certain modifications to the CIP Reliability Standards. Since 2008, the CIP Reliability Standards have undergone multiple revisions to address Commission directives and respond to emerging cybersecurity issues. --------------------------------------------------------------------------- \5\ Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 122 FERC ] 61,040, denying reh'g and granting clarification, Order No. 706-A, 123 FERC ] 61,174 (2008), order on clarification, Order No. 706-B, 126 FERC ] 61,229 (2009), order denying clarification, Order No. 706-C, 127 FERC ] 61,273 (2009). --------------------------------------------------------------------------- 4. On December 23, 2015, three regional electric power distribution companies in Ukraine experienced a cyberattack resulting in power outages that affected at least 225,000 customers. An analysis conducted by a team from the Electricity Information Sharing and Analysis Center (E-ISAC) and SANS Industrial Control Systems (SANS ICS) observed that ``the cyber attacks in Ukraine are the first publicly acknowledged incidents to result in power outages.'' \6\ --------------------------------------------------------------------------- \6\ E-ISAC, Analysis of the Cyber Attack on the Ukrainian Power Grid (March 18, 2016) at 3, http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf. --------------------------------------------------------------------------- 5. On February 25, 2016, the U.S. Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team issued an ``Alert'' in response to the Ukraine incident.\7\ The Alert stated that the cyberattack was sophisticated and well planned. The Alert reported that the cyberattacks at each company occurred within 30 minutes of each other and affected multiple central and regional facilities. The Alert also explained that during the cyberattacks: --------------------------------------------------------------------------- \7\ See Department of Homeland Security, Alert (IR-ALERT-H-16- 056-01) Cyber-Attack Against Ukrainian Critical Infrastructure (February 25, 2016) (Alert), https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01. malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections. The companies believe that the actors acquired legitimate credentials --------------------------------------------------------------------------- prior to the cyber-attack to facilitate remote access. In addition, the Alert reported that the affected companies indicated that the attackers wiped some systems at the conclusion of the cyberattack, which erased selected files, rendering systems inoperable. 6. In response to the Ukraine incident, the Alert recommended the following key examples of best practice mitigation strategies: procurement and licensing of trusted hardware and software systems; knowing who and what is on your network through hardware and software asset management automation; on time patching of systems; and strategic technology refresh.\8\ --------------------------------------------------------------------------- \8\ Id. at Mitigation Section. By ``strategic technology refresh,'' the Alert referred to the benefit of replacing legacy cyber systems that no longer receive security patches and, as a result, might not be secure. --------------------------------------------------------------------------- II. Request for Comments 7. The Commission seeks comment on whether to modify the CIP Reliability Standards to better secure Control Centers from cyberattacks. The Commission also seeks comment on the potential consequences or complications arising from implementing such modifications. In response to lessons learned from the Alert and analyses of the Ukraine incident, the Commission seeks comment on whether to modify the CIP Reliability Standards to require: (1) Separation between the Internet and BES Cyber Systems in Control Centers performing transmission operator functions; and (2) ``application whitelisting'' for BES Cyber Systems in Control Centers. A. Isolation of Transmission Operator Control Centers From the Internet 8. In response to the Ukraine incident, the Alert recommended that: [o]rganizations should isolate [industrial control system] networks from any untrusted networks, especially the Internet. All unused ports should be locked down and all unused services turned off. If a defined business requirement or control function exists, only allow real-time connectivity to external networks. If one-way communication can accomplish a task, use optical separation (`data diode'). If bidirectional communication is necessary, then use a single open port over a restricted network path. 9. Commission-approved Reliability Standard CIP-007-6, Requirement R1 (Ports and Services), Part 1.1 requires, where technically feasible, unused logical ports to be disabled.\9\ In addition, Reliability Standard CIP-007-6, Requirement R1, Part 1.2 requires protection of physical ports against unnecessary use.\10\ These requirements therefore address the Alert's recommendation that ``[a]ll unused ports should be locked down and all unused services turned off.'' --------------------------------------------------------------------------- \9\ Logical ports are connection points where two applications communicate to identify different applications or processes running on a cyber asset. \10\ A physical port serves as an interface or connection between a cyber asset and another cyber asset, or peripheral device, using a physical medium such as a cable. --------------------------------------------------------------------------- 10. The current CIP Reliability Standards do not require isolation between the Internet and BES Cyber Systems in Control Centers performing transmission operator functions through use of physical (hardware) or logical (software) means. Although BES Cyber Systems are protected by electronic security perimeters and the disabling of unused logical ports, BES Cyber Systems are permitted, within the scope of the current CIP Reliability Standards, to route, or connect, to the Internet.\11\ Requiring physical separation between the Internet and cyber systems in Control Centers performing transmission operator functions would require data connections to Control Centers or other facilities owned by transmission operators over dedicated data lines owned or leased by the transmission operator, rather than allowing communications over the [[Page 49643]] Internet.\12\ Logical separation, in some contexts, can achieve a similar objective through different means. --------------------------------------------------------------------------- \11\ NERC defines an electronic security perimeter as ``the logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.'' NERC Glossary at 39. \12\ See Alert at Mitigation Section; see also Department of Homeland Security, Seven Steps to Effectively Defend Industrial Control Systems at 3. --------------------------------------------------------------------------- 11. The Commission seeks comment on whether the CIP Reliability Standards should be modified to require isolation between the Internet and BES Cyber Systems in Control Centers performing the functions of a transmission operator. In addition, the Commission seeks comment on the operational impact to the Bulk-Power System if BES Cyber Systems were isolated from the Internet in all Control Centers performing transmission operator functions. Specifically, the Commission seeks comment on what, if any, reliability issues might arise from such a requirement. For example, would requiring isolation prevent an activity required by another Reliability Standard? If isolation is required, is logical isolation preferable to physical isolation (or vice versa) and, if so, why? The Commission also seeks comment on whether and how such a requirement might affect a transmission operator's communications with its reliability coordinator or other applicable entities required under the Reliability Standard. Finally, if isolation is not required, are there communications with these Control Centers for which the use of one-way data diodes would be reliable and appropriate? B. Application Whitelisting for BES Cyber Systems in Control Centers 12. Application whitelisting is a computer administration practice used to prevent unauthorized programs from running.\13\ The purpose is primarily to protect computers and networks from harmful applications, and, to a lesser extent, to prevent unnecessary demand for computer resources. The ``whitelist'' is a list of applications granted permission to run by the user or an administrator. Whitelisting works best when applied to static cyber systems.\14\ --------------------------------------------------------------------------- \13\ See Alert at Mitigation Section. \14\ Id. --------------------------------------------------------------------------- 13. In response to the Ukraine incident, the Alert recommended that: asset owners take defensive measures by leveraging best practices to minimize the risk from similar malicious cyber activity. Application Whitelisting (AWL) can detect and prevent attempted execution of malware uploaded by malicious actors. The static nature of some systems, such as database servers and HMI computers, make these ideal candidates to run AWL. Operators are encouraged to work with their vendors to baseline and calibrate AWL deployments. Similarly, a December 2015 document by DHS identifies application whitelisting as the first of seven strategies to defend industrial control systems and states that this strategy would have ``potentially mitigated'' 38 percent of ICS-CERT Fiscal Year 2014 and 2015 incidents, more than any of the other strategies.\15\ While the NERC Guidelines and Technical Basis document associated with Reliability Standard CIP- 007-6, Requirement R3 identifies application whitelisting as an option for mitigating malicious cyber activity, its use is not mandatory.\16\ The Guidelines and Technical Basis discussion in Reliability Standard CIP-007-6 explains: --------------------------------------------------------------------------- \15\ Seven Steps to Effectively Defend Industrial Control Systems at 1. \16\ Reliability Standard CIP-007-6, Requirement R3 provides that ``[e]ach Responsible Entity shall implement one or more documented process(es) that collectively include each of the applicable requirement parts in CIP-007-6 Table R3--Malicious Code Prevention'' and lists application whitelisting as an option. In addition, the CIP Reliability Standards require a combination of ensuring that an individual's privileges are the minimum necessary to perform their work function (i.e., ``least privilege'') and anti- malware (i.e., ``blacklisting''). See, e.g., Reliability Standard CIP-004-6, Requirement R4 and Guidelines and Technical Basis; Reliability Standard CIP-007-6, Requirement R3. Due to the wide range of equipment comprising the BES Cyber Systems and the wide variety of vulnerability and capability of that equipment to malware as well as the constantly evolving threat and resultant tools and controls, it is not practical within the standard to prescribe how malware is to be addressed on each Cyber Asset. Rather, the Responsible Entity determines on a BES Cyber System basis, which Cyber Assets have susceptibility to malware intrusions and documents their plans and processes for addressing those risks and provides evidence that they follow those plans and processes. There are numerous options available including traditional antivirus solutions for common operating systems, white- listing solutions, network isolation techniques, Intrusion Detection/Prevention (IDS/IPS) solutions, etc.\17\ --------------------------------------------------------------------------- \17\ Reliability Standard CIP-007-6, Guidelines and Technical Basis, at 4. 14. While application whitelisting is identified above as one available option, the Ukraine incident and the subsequent Alert raise the question of whether application whitelisting should be required. Application whitelisting could be a more effective mitigation tool than other mitigation measures because whitelisting allows only software applications and processes that are reviewed and tested before use in the system network. By knowing all installed applications, the security professional can set the application whitelisting program to know the application is approved; all unapproved applications will trigger an alert. 15. The Commission seeks comment on whether the CIP Reliability Standards should be modified to require application whitelisting for all BES Cyber Systems in Control Centers. Is application whitelisting appropriate for all such systems? If not, are there certain devices or components on such systems for which it is appropriate? In addition, the Commission seeks comment on the operational impact, including potential reliability concerns, for each approach. III. Comment Procedures 16. The Commission invites interested persons to submit comments, and other information on the matters, issues and specific questions identified in this notice. Comments are due September 26, 2016. Comments must refer to Docket No. RM16-18-000, and must include the commenter's name, the organization they represent, if applicable, and their address in their comments. 17. The Commission encourages comments to be filed electronically via the eFiling link on the Commission's Web site at http://www.ferc.gov. The Commission accepts most standard word processing formats. Documents created electronically using word processing software should be filed in native applications or print-to-PDF format and not in a scanned format. Commenters filing electronically do not need to make a paper filing. 18. Commenters that are not able to file comments electronically must send an original of their comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE., Washington, DC 20426. 19. All comments will be placed in the Commission's public files and may be viewed, printed, or downloaded remotely as described in the Document Availability section below. Commenters on this proposal are not required to serve copies of their comments on other commenters. IV. Document Availability 20. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the Internet through FERC's Home Page (http://www.ferc.gov) and in FERC's Public Reference Room during normal business hours (8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE., Room 2A, Washington, DC 20426. 21. From FERC's Home Page on the Internet, this information is available on [[Page 49644]] eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number excluding the last three digits of this document in the docket number field. 22. User assistance is available for eLibrary and the FERC's Web site during normal business hours from FERC Online Support at 202-502- 6652 (toll free at 1-866-208-3676) or email at [email protected], or the Public Reference Room at (202) 502- 8371, TTY (202) 502-8659. Email the Public Reference Room at [email protected]. By direction of the Commission. Issued: July 21, 2016. Kimberly D. Bose, Secretary. [FR Doc. 2016-17854 Filed 7-27-16; 8:45 am] BILLING CODE 6717-01-P
![Federal Register / Vol. 81, No. 145 / Thursday, July 28, 2016 / Notices 49641
Energy Regulatory Commission, 888 who file a motion to intervene in processing software should be filed in
First Street NE., Washington, DC 20426. accordance with the Commission’s native applications or print-to-PDF
The first page of any filing should Rules may become a party to the format and not in a scanned format, at
include docket number P–2426–049. proceeding. Any comments, protests, or http://www.ferc.gov/docs-filing/
The Commission’s Rules of Practice motions to intervene must be received efiling.asp.
and Procedure require all intervenors on or before the specified comment date • Mail/Hand Delivery: Those unable
filing documents with the Commission for the particular application. to file electronically must mail or hand
to serve a copy of that document on o. Filing and Service of Documents: deliver comments to: Federal Energy
each person whose name appears on the Any filing must (1) bear in all capital Regulatory Commission, Secretary of the
official service list for the project. letters the title ‘‘COMMENTS’’, Commission, 888 First Street NE.,
Further, if an intervenor files comments ‘‘PROTEST’’, or ‘‘MOTION TO Washington, DC 20426.
or documents with the Commission INTERVENE’’ as applicable; (2) set forth Instructions: For detailed instructions
relating to the merits of an issue that in the heading the name of the applicant on submitting comments and additional
may affect the responsibilities of a and the project number of the information on the rulemaking process,
particular resource agency, they must application to which the filing see the Comment Procedures Section of
also serve a copy of the document on responds; (3) furnish the name, address, this document.
that resource agency. and telephone number of the person FOR FURTHER INFORMATION CONTACT:
k. Description of Request: California commenting, protesting or intervening; David DeFalaise (Technical
Department of Water Resources requests and (4) otherwise comply with the Information), Office of Electric
Commission approval of a proposed requirements of 18 CFR 385.2001 Reliability, Federal Energy Regulatory
recreation plan for the project. The through 385.2005. All comments, Commission, 888 First Street NE.,
recreation plan provides a detailed motions to intervene, or protests must Washington, DC 20426, (202) 502–
description of all existing recreation set forth their evidentiary basis. Any 8180, David.DeFalaise@ferc.gov
amenities and facilities in the filing made by an intervenor must be Robert T. Stroh (Legal Information),
immediate vicinity of Pyramid Lake, accompanied by proof of service on all Office of the General Counsel, Federal
Silverwood Lake, and Quail Lake, persons listed in the service list Energy Regulatory Commission, 888
which are components of the project. prepared by the Commission in this First Street NE., Washington, DC
The recreation plan also includes proceeding, in accordance with 18 CFR 20426, (202) 502–8473, Robert.Stroh@
visitation data, concessionaire reports, 385.2010. ferc.gov
and site plan drawings. SUPPLEMENTARY INFORMATION:
l. Locations of the Application: A Dated: July 22, 2016.
1. In this Notice of Inquiry, pursuant
copy of the application is available for Kimberly D. Bose,
to section 215 of the Federal Power Act
inspection and reproduction at the Secretary.
(FPA),1 the Commission seeks comment
Commission’s Public Reference Room, [FR Doc. 2016–17859 Filed 7–27–16; 8:45 am] on the need for, and possible effects of,
located at 888 First Street NE., Room BILLING CODE 6717–01–P modifications to the Critical
2A, Washington, DC 20426, or by calling
Infrastructure Protection (CIP)
(202) 502–8371. This filing may also be
Reliability Standards regarding the
viewed on the Commission’s Web site at DEPARTMENT OF ENERGY cybersecurity of Control Centers used to
http://www.ferc.gov using the
Federal Energy Regulatory monitor and control the bulk electric
‘‘eLibrary’’ link. Enter the docket
Commission system in real time.2 Cyber systems are
number excluding the last three digits in
used extensively for the operation and
the docket number field to access the [Docket No. RM16–18–000] maintenance of interconnected
document. You may also register online
transmission networks.3 A 2015
at http://www.ferc.gov/docs-filing/ Cyber Systems in Control Centers
esubscription.asp to be notified via 1 16 U.S.C. 824o. Section 215(a)(3) of the FPA
email of new filings and issuances AGENCY: Federal Energy Regulatory
defines ‘‘Reliability Standard’’ to include ‘‘. . .
related to this or other pending projects. Commission, Department of Energy. requirements for the operation of existing bulk-
For assistance, call 1–866–208–3676 or ACTION: Notice of Inquiry. power system facilities, including cybersecurity
protection . . .’’
email FERCOnlineSupport@ferc.gov, for
TTY, call (202) 502–8659. A copy is also SUMMARY: In this Notice of Inquiry, the 2 NERC defines ‘‘Control Center’’ as ‘‘[o]ne or
Federal Energy Regulatory Commission more facilities hosting operating personnel that
available for inspection and monitor and control the Bulk Electric System (BES)
reproduction at the address in item (h) seeks comment on possible in realtime to perform the reliability tasks,
above. Agencies may obtain copies of modifications to the Critical including their associated data centers . . . .’’ NERC
the application directly from the Infrastructure Protection Reliability Glossary of Terms Used in Reliability Standards
Standards regarding the cybersecurity of (May 17, 2016) at 33 (NERC Glossary).
applicant. 3 Cyber systems are referred to as ‘‘BES Cyber
m. Individuals desiring to be included Control Centers used to monitor and
Systems’’ in the CIP Reliability Standards. The
on the Commission’s mailing list should control the bulk electric system in real NERC Glossary defines BES Cyber Systems as ‘‘One
so indicate by writing to the Secretary time. or more BES Cyber Assets logically grouped by a
DATES: Comments are due September responsible entity to perform one or more reliability
of the Commission. tasks for a functional entity.’’ NERC Glossary at 15.
n. Comments, Protests, or Motions to 26, 2016. The NERC Glossary defines ‘‘BES Cyber Asset’’ as
Intervene: Anyone may submit ADDRESSES: You may submit comments, ‘‘A Cyber Asset that if rendered unavailable,
comments, a protest, or a motion to identified by docket number and in degraded, or misused would, within 15 minutes of
its required operation, misoperation, or non-
Lhorne on DSK30JT082PROD with NOTICES
intervene in accordance with the accordance with the requirements operation, adversely impact one or more Facilities,
requirements of Rules of Practice and posted on the Commission’s Web site, systems, or equipment, which, if destroyed,
Procedure, 18 CFR 385.210, .211, .214, http://www.ferc.gov. Comments may be degraded, or otherwise rendered unavailable when
respectively. In determining the submitted by any of the following needed, would affect the reliable operation of the
Bulk Electric System. Redundancy of affected
appropriate action to take, the methods: Facilities, systems, and equipment shall not be
Commission will consider all protests or • Agency Web site: Documents considered when determining adverse impact. Each
other comments filed, but only those created electronically using word Continued
VerDate Sep<11>2014 14:44 Jul 27, 2016 Jkt 238001 PO 00000 Frm 00024 Fmt 4703 Sfmt 4703 E:\FR\FM\28JYN1.SGM 28JYN1](https://thefederalregister.org/doc/81_FR_49786/page/1.svg)
![49642 Federal Register / Vol. 81, No. 145 / Thursday, July 28, 2016 / Notices
cyberattack on the electric grid in acknowledged incidents to result in performing transmission operator
Ukraine is an example of how cyber power outages.’’ 6 functions; and (2) ‘‘application
systems used to operate and maintain 5. On February 25, 2016, the U.S. whitelisting’’ for BES Cyber Systems in
interconnected networks, unless Department of Homeland Security Control Centers.
adequately protected, may be vulnerable (DHS) Industrial Control Systems Cyber
Emergency Response Team issued an A. Isolation of Transmission Operator
to cyberattack. While certain controls in Control Centers From the Internet
the CIP Reliability Standards may ‘‘Alert’’ in response to the Ukraine
reduce the risk of such attacks,4 the incident.7 The Alert stated that the 8. In response to the Ukraine incident,
Commission seeks comment on whether cyberattack was sophisticated and well the Alert recommended that:
additional controls should be required. planned. The Alert reported that the
cyberattacks at each company occurred [o]rganizations should isolate [industrial
2. Specifically, as discussed below, within 30 minutes of each other and control system] networks from any untrusted
the Commission seeks comment on affected multiple central and regional networks, especially the Internet. All unused
possible modifications to the CIP facilities. The Alert also explained that ports should be locked down and all unused
Reliability Standards—and any services turned off. If a defined business
during the cyberattacks:
potential impacts on the operation of requirement or control function exists, only
malicious remote operation of the breakers allow real-time connectivity to external
the Bulk-Power System resulting from was conducted by multiple external humans networks. If one-way communication can
such modifications—to address the using either existing remote administration accomplish a task, use optical separation
following matters: (1) Separation tools at the operating system level or remote (‘data diode’). If bidirectional communication
between the Internet and BES Cyber industrial control system (ICS) client is necessary, then use a single open port over
Systems in Control Centers performing software via virtual private network (VPN) a restricted network path.
transmission operator functions; and (2) connections. The companies believe that the
actors acquired legitimate credentials prior to 9. Commission-approved Reliability
computer administration practices that
the cyber-attack to facilitate remote access.
prevent unauthorized programs from Standard CIP–007–6, Requirement R1
running, referred to as ‘‘application In addition, the Alert reported that the (Ports and Services), Part 1.1 requires,
whitelisting,’’ for cyber systems in affected companies indicated that the where technically feasible, unused
Control Centers. attackers wiped some systems at the logical ports to be disabled.9 In
conclusion of the cyberattack, which addition, Reliability Standard CIP–007–
I. Background erased selected files, rendering systems 6, Requirement R1, Part 1.2 requires
inoperable. protection of physical ports against
3. On January 28, 2008, the 6. In response to the Ukraine incident,
Commission approved an initial set of unnecessary use.10 These requirements
the Alert recommended the following therefore address the Alert’s
eight CIP Reliability Standards key examples of best practice mitigation
pertaining to cybersecurity.5 In recommendation that ‘‘[a]ll unused
strategies: ports should be locked down and all
addition, the Commission directed
procurement and licensing of trusted unused services turned off.’’
NERC to develop certain modifications hardware and software systems; knowing
to the CIP Reliability Standards. Since who and what is on your network through
10. The current CIP Reliability
2008, the CIP Reliability Standards have hardware and software asset management Standards do not require isolation
undergone multiple revisions to address automation; on time patching of systems; and between the Internet and BES Cyber
Commission directives and respond to strategic technology refresh.8 Systems in Control Centers performing
emerging cybersecurity issues. transmission operator functions through
II. Request for Comments
use of physical (hardware) or logical
4. On December 23, 2015, three 7. The Commission seeks comment on (software) means. Although BES Cyber
regional electric power distribution whether to modify the CIP Reliability Systems are protected by electronic
companies in Ukraine experienced a Standards to better secure Control security perimeters and the disabling of
cyberattack resulting in power outages Centers from cyberattacks. The unused logical ports, BES Cyber
that affected at least 225,000 customers. Commission also seeks comment on the Systems are permitted, within the scope
An analysis conducted by a team from potential consequences or of the current CIP Reliability Standards,
the Electricity Information Sharing and complications arising from to route, or connect, to the Internet.11
Analysis Center (E–ISAC) and SANS implementing such modifications. In Requiring physical separation between
Industrial Control Systems (SANS ICS) response to lessons learned from the the Internet and cyber systems in
observed that ‘‘the cyber attacks in Alert and analyses of the Ukraine Control Centers performing
Ukraine are the first publicly incident, the Commission seeks transmission operator functions would
comment on whether to modify the CIP require data connections to Control
BES Cyber Asset is included in one or more BES Reliability Standards to require: (1) Centers or other facilities owned by
Cyber Systems.’’ Id. Separation between the Internet and
4 See, e.g., Reliability Standard CIP–005–5 transmission operators over dedicated
(Electronic Security Perimeter(s)), Requirement R2,
BES Cyber Systems in Control Centers data lines owned or leased by the
which protects against unauthorized interactive transmission operator, rather than
6 E–ISAC, Analysis of the Cyber Attack on the
remote access; Reliability Standard CIP–006–6 allowing communications over the
(Physical Security of BES Cyber Systems), Ukrainian Power Grid (March 18, 2016) at 3, http://
Requirement R2, which protects against www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_
unauthorized physical access and Reliability SANS_Ukraine_DUC_18Mar2016.pdf. 9 Logical ports are connection points where two
Standard CIP–007–6 (System Security 7 See Department of Homeland Security, Alert applications communicate to identify different
Management), Requirement R3, which protects (IR–ALERT–H–16–056–01) Cyber-Attack Against applications or processes running on a cyber asset.
Lhorne on DSK30JT082PROD with NOTICES
against malware. Ukrainian Critical Infrastructure (February 25, 10 A physical port serves as an interface or
5 Mandatory Reliability Standards for Critical 2016) (Alert), https://ics-cert.us-cert.gov/alerts/IR- connection between a cyber asset and another cyber
Infrastructure Protection, Order No. 706, 122 FERC ALERT-H-16-056-01. asset, or peripheral device, using a physical
¶ 61,040, denying reh’g and granting clarification, 8 Id. at Mitigation Section. By ‘‘strategic medium such as a cable.
Order No. 706–A, 123 FERC ¶ 61,174 (2008), order technology refresh,’’ the Alert referred to the benefit 11 NERC defines an electronic security perimeter
on clarification, Order No. 706–B, 126 FERC of replacing legacy cyber systems that no longer as ‘‘the logical border surrounding a network to
¶ 61,229 (2009), order denying clarification, Order receive security patches and, as a result, might not which BES Cyber Systems are connected using a
No. 706–C, 127 FERC ¶ 61,273 (2009). be secure. routable protocol.’’ NERC Glossary at 39.
VerDate Sep<11>2014 14:44 Jul 27, 2016 Jkt 238001 PO 00000 Frm 00025 Fmt 4703 Sfmt 4703 E:\FR\FM\28JYN1.SGM 28JYN1](https://thefederalregister.org/doc/81_FR_49786/page/2.svg)
![Federal Register / Vol. 81, No. 145 / Thursday, July 28, 2016 / Notices 49643
Internet.12 Logical separation, in some Similarly, a December 2015 document application is approved; all unapproved
contexts, can achieve a similar objective by DHS identifies application applications will trigger an alert.
through different means. whitelisting as the first of seven 15. The Commission seeks comment
11. The Commission seeks comment strategies to defend industrial control on whether the CIP Reliability
on whether the CIP Reliability systems and states that this strategy Standards should be modified to require
Standards should be modified to require would have ‘‘potentially mitigated’’ 38 application whitelisting for all BES
isolation between the Internet and BES percent of ICS–CERT Fiscal Year 2014 Cyber Systems in Control Centers. Is
Cyber Systems in Control Centers and 2015 incidents, more than any of application whitelisting appropriate for
performing the functions of a the other strategies.15 While the NERC all such systems? If not, are there certain
transmission operator. In addition, the Guidelines and Technical Basis devices or components on such systems
Commission seeks comment on the document associated with Reliability for which it is appropriate? In addition,
operational impact to the Bulk-Power Standard CIP–007–6, Requirement R3 the Commission seeks comment on the
System if BES Cyber Systems were identifies application whitelisting as an operational impact, including potential
isolated from the Internet in all Control option for mitigating malicious cyber reliability concerns, for each approach.
Centers performing transmission activity, its use is not mandatory.16 The III. Comment Procedures
operator functions. Specifically, the Guidelines and Technical Basis
discussion in Reliability Standard CIP– 16. The Commission invites interested
Commission seeks comment on what, if
007–6 explains: persons to submit comments, and other
any, reliability issues might arise from
information on the matters, issues and
such a requirement. For example, would Due to the wide range of equipment
specific questions identified in this
requiring isolation prevent an activity comprising the BES Cyber Systems and the
wide variety of vulnerability and capability notice. Comments are due September
required by another Reliability
of that equipment to malware as well as the 26, 2016. Comments must refer to
Standard? If isolation is required, is
constantly evolving threat and resultant tools Docket No. RM16–18–000, and must
logical isolation preferable to physical
and controls, it is not practical within the include the commenter’s name, the
isolation (or vice versa) and, if so, why?
standard to prescribe how malware is to be organization they represent, if
The Commission also seeks comment on addressed on each Cyber Asset. Rather, the applicable, and their address in their
whether and how such a requirement Responsible Entity determines on a BES comments.
might affect a transmission operator’s Cyber System basis, which Cyber Assets have 17. The Commission encourages
communications with its reliability susceptibility to malware intrusions and
comments to be filed electronically via
coordinator or other applicable entities documents their plans and processes for
addressing those risks and provides evidence the eFiling link on the Commission’s
required under the Reliability Standard.
that they follow those plans and processes. Web site at http://www.ferc.gov. The
Finally, if isolation is not required, are
There are numerous options available Commission accepts most standard
there communications with these
including traditional antivirus solutions for word processing formats. Documents
Control Centers for which the use of
common operating systems, white-listing created electronically using word
one-way data diodes would be reliable solutions, network isolation techniques, processing software should be filed in
and appropriate? Intrusion Detection/Prevention (IDS/IPS) native applications or print-to-PDF
B. Application Whitelisting for BES solutions, etc.17 format and not in a scanned format.
Cyber Systems in Control Centers 14. While application whitelisting is Commenters filing electronically do not
identified above as one available option, need to make a paper filing.
12. Application whitelisting is a the Ukraine incident and the subsequent 18. Commenters that are not able to
computer administration practice used Alert raise the question of whether file comments electronically must send
to prevent unauthorized programs from application whitelisting should be an original of their comments to:
running.13 The purpose is primarily to required. Application whitelisting could Federal Energy Regulatory Commission,
protect computers and networks from be a more effective mitigation tool than Secretary of the Commission, 888 First
harmful applications, and, to a lesser other mitigation measures because Street NE., Washington, DC 20426.
extent, to prevent unnecessary demand whitelisting allows only software 19. All comments will be placed in
for computer resources. The ‘‘whitelist’’ applications and processes that are the Commission’s public files and may
is a list of applications granted reviewed and tested before use in the be viewed, printed, or downloaded
permission to run by the user or an system network. By knowing all remotely as described in the Document
administrator. Whitelisting works best installed applications, the security Availability section below. Commenters
when applied to static cyber systems.14 professional can set the application on this proposal are not required to
13. In response to the Ukraine whitelisting program to know the serve copies of their comments on other
incident, the Alert recommended that: commenters.
15 Seven Steps to Effectively Defend Industrial
asset owners take defensive measures by IV. Document Availability
leveraging best practices to minimize the risk Control Systems at 1.
from similar malicious cyber activity. 16 Reliability Standard CIP–007–6, Requirement 20. In addition to publishing the full
Application Whitelisting (AWL) can detect R3 provides that ‘‘[e]ach Responsible Entity shall text of this document in the Federal
implement one or more documented process(es)
and prevent attempted execution of malware that collectively include each of the applicable
Register, the Commission provides all
uploaded by malicious actors. The static requirement parts in CIP–007–6 Table R3— interested persons an opportunity to
nature of some systems, such as database Malicious Code Prevention’’ and lists application view and/or print the contents of this
servers and HMI computers, make these ideal whitelisting as an option. In addition, the CIP document via the Internet through
candidates to run AWL. Operators are Reliability Standards require a combination of
FERC’s Home Page (http://
encouraged to work with their vendors to ensuring that an individual’s privileges are the
Lhorne on DSK30JT082PROD with NOTICES
baseline and calibrate AWL deployments. minimum necessary to perform their work function www.ferc.gov) and in FERC’s Public
(i.e., ‘‘least privilege’’) and anti-malware (i.e., Reference Room during normal business
‘‘blacklisting’’). See, e.g., Reliability Standard CIP– hours (8:30 a.m. to 5:00 p.m. Eastern
12 See Alert at Mitigation Section; see also
004–6, Requirement R4 and Guidelines and
Department of Homeland Security, Seven Steps to Technical Basis; Reliability Standard CIP–007–6,
time) at 888 First Street NE., Room 2A,
Effectively Defend Industrial Control Systems at 3. Requirement R3. Washington, DC 20426.
13 See Alert at Mitigation Section. 17 Reliability Standard CIP–007–6, Guidelines 21. From FERC’s Home Page on the
14 Id. and Technical Basis, at 4. Internet, this information is available on
VerDate Sep<11>2014 14:44 Jul 27, 2016 Jkt 238001 PO 00000 Frm 00026 Fmt 4703 Sfmt 4703 E:\FR\FM\28JYN1.SGM 28JYN1](https://thefederalregister.org/doc/81_FR_49786/page/3.svg)
![49644 Federal Register / Vol. 81, No. 145 / Thursday, July 28, 2016 / Notices
eLibrary. The full text of this document waiver of certain obligations imposed DEPARTMENT OF ENERGY
is available on eLibrary in PDF and on Tri-State and the Participating
Microsoft Word format for viewing, Members under Sections 292.303(a) and Federal Energy Regulatory
printing, and/or downloading. To access 292.303(b) of the Commission’s Commission
this document in eLibrary, type the regulations, all as more fully explained
docket number excluding the last three [Project No. 14680–002]
in the petition.
digits of this document in the docket
number field. Any person desiring to intervene or to Water Street Land, LLC; Notice of
22. User assistance is available for protest this filing must file in Application Tendered for Filing With
eLibrary and the FERC’s Web site during accordance with Rules 211 and 214 of the Commission and Soliciting
normal business hours from FERC the Commission’s Rules of Practice and Additional Study Requests
Online Support at 202–502–6652 (toll Procedure (18 CFR 385.211and
Take notice that the following
free at 1–866–208–3676) or email at 385.214). Protests will be considered by
hydroelectric application has been filed
ferconlinesupport@ferc.gov, or the the Commission in determining the with the Commission and is available
Public Reference Room at (202) 502– appropriate action to be taken, but will for public inspection.
8371, TTY (202) 502–8659. Email the not serve to make protestants parties to a. Type of Application: Exemption
Public Reference Room at the proceeding. Any person wishing to from Licensing.
public.referenceroom@ferc.gov. become a party must file a notice of b. Project No.: 14680–002.
By direction of the Commission. intervention or motion to intervene, as c. Date filed: July 13, 2016.
Issued: July 21, 2016. appropriate. Such notices, motions, or d. Applicant: Water Street Land, LLC.
Kimberly D. Bose, protests must be filed on or before the e. Name of Project: Natick Pond Dam
Secretary. comment date. Anyone filing a motion Hydroelectric Project.
[FR Doc. 2016–17854 Filed 7–27–16; 8:45 am] to intervene or protest must serve a copy f. Location: On the Pawtuxet River, in
BILLING CODE 6717–01–P
of that document on the Petitioner. the Towns of Warwick and West
The Commission encourages Warwick, in Kent County, Rhode Island.
electronic submission of protests and No federal lands would be occupied by
DEPARTMENT OF ENERGY interventions in lieu of paper using the project works or located within the
‘‘eFiling’’ link at http://www.ferc.gov. project boundary.
Federal Energy Regulatory g. Filed Pursuant to: Public Utility
Commission Persons unable to file electronically
Regulatory Policies Act of 1978, 16
should submit an original and 5 copies
[Docket Nos. EL16–101–000] U.S.C. 2705, 2708 (2012), amended by
of the protest or intervention to the
the Hydropower Regulatory Efficiency
Federal Energy Regulatory Commission, Act of 2013, Pub. L. 113–23, 127 Stat.
Tri-State Generation and Transmission
888 First Street NE., Washington, DC 493 (2013).
Association, Inc.; Notice of Petition for
Partial Waiver 20426. h. Applicant Contact: Mr. Rob Cioe,
This filing is accessible online at Water Street Land, LLC, P.O. Box 358,
July 20, 2016. http://www.ferc.gov, using the North Kingstown, Rhode Island 02852;
Take notice that on July 15, 2016, ‘‘eLibrary’’ link and is available for (480) 797–3077.
pursuant to section 292.402 of the review in the Commission’s Public i. FERC Contact: John Ramer, (202)
Federal Energy Regulatory 502–8969, john.ramer@ferc.gov.
Reference Room in Washington, DC.
Commission’s (Commission) Rules of j. Cooperating agencies: Federal, state,
Practice and Procedure,1 Tri-State There is an ‘‘eSubscription’’ link on the
Web site that enables subscribers to local, and tribal agencies with
Generation and Transmission jurisdiction and/or special expertise
Association, Inc. (Tri-State) on behalf of receive email notification when a
document is added to a subscribed with respect to environmental issues
itself and its electric distribution that wish to cooperate in the
cooperative member-owners docket(s). For assistance with any FERC
Online service, please email preparation of the environmental
(collectively, the Participating document should follow the
Members),2 filed a petition for partial FERCOnlineSupport@ferc.gov, or call
(866) 208–3676 (toll free). For TTY, call instructions for filing such requests
described in item l below. Cooperating
1 18 CFR 292.402. (202) 502–8659.
2 Tri-State’s member owners joining in this
agencies should note the Commission’s
petition are Big Horn Rural Electric Company,
Comment Date: 5:00 p.m. Eastern time policy that agencies that cooperate in
Carbon Power and Light, Inc., Central New Mexico on August 5, 2016. the preparation of the environmental
Electric Cooperative, Inc., Chimney Rock Public document cannot also intervene. See, 94
Power District, Continental Divide Electric
Dated: July 20, 2016.
Cooperative, Inc., Garland Light and Power Kimberly D. Bose,
FERC ¶ 61,076 (2001).
Company, High Plains Power, Inc., High West k. Pursuant to section 4.32(b)(7) of 18
Secretary.
Energy, Inc., Highline Electric Association, Jemez CFR of the Commission’s regulations, if
Mountains Electric Cooperative, Inc., K.C. Electric [FR Doc. 2016–17858 Filed 7–27–16; 8:45 am] any resource agency, Indian Tribe, or
Association, Inc., The Midwest Electric Cooperative
Corporation, Mora-San Miguel Electric Cooperative,
BILLING CODE 6717–01–P person believes that an additional
Inc., Morgan County Rural Electric Association, scientific study should be conducted in
Mountain Parks Electric, Inc., Mountain View order to form an adequate factual basis
Electric Association, Inc., Niobrara Electric for a complete analysis of the
Association, Inc., Northern Rio Arriba Electric
Lhorne on DSK30JT082PROD with NOTICES
Cooperative, Inc., Otero County Electric
application on its merit, the resource
Cooperative, Inc., Panhandle Rural Electric agency, Indian Tribe, or person must file
Membership Association, Roosevelt Public Power a request for a study with the
District, San Luis Valley Rural Electric Cooperative, Commission not later than 60 days from
Inc., Sierra Electric Cooperative, Inc., Socorm
Electric Cooperative, Inc., Southeast Colorado Inc., Wheatland Rural Electric Association, Inc., the date of filing of the application, and
Power Association, Southwestern Electric Wyrulec Company, and Y–W Electric Association, serve a copy of the request on the
Cooperative, Inc., Springer Electric Cooperative, Inc. applicant.
VerDate Sep<11>2014 14:44 Jul 27, 2016 Jkt 238001 PO 00000 Frm 00027 Fmt 4703 Sfmt 4703 E:\FR\FM\28JYN1.SGM 28JYN1](https://thefederalregister.org/doc/81_FR_49786/page/4.svg)
Document Created: 2016-07-28 01:47:50
Document Modified: 2016-07-28 01:47:50
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Notices | |
| Action | Notice of Inquiry. | |
| Dates | Comments are due September 26, 2016. | |
| Contact | David DeFalaise (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, (202) 502-8180, [email protected] | |
| FR Citation | 81 FR 49641 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR