
82 FR 49541 - Revised Critical Infrastructure Protection Reliability Standard CIP-003-7-Cyber Security-Security Management Controls

DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission

Federal Register Volume 82, Issue 206 (October 26, 2017)

Page Range: 49541-49549
FR Document: 2017-23287


[Federal Register Volume 82, Number 206 (Thursday, October 26, 2017)]
[Proposed Rules]
[Pages 49541-49549]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2017-23287]


========================================================================
Proposed Rules
                                                Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains notices to the public of 
the proposed issuance of rules and regulations. The purpose of these 
notices is to give interested persons an opportunity to participate in 
the rule making prior to the adoption of the final rules.

========================================================================


Federal Register / Vol. 82, No. 206 / Thursday, October 26, 2017 / 
Proposed Rules

[[Page 49541]]



DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM17-11-000]


Revised Critical Infrastructure Protection Reliability Standard 
CIP-003-7--Cyber Security--Security Management Controls

AGENCY: Federal Energy Regulatory Commission, DOE.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Federal Energy Regulatory Commission (Commission) proposes 
to approve Critical Infrastructure Protection (CIP) Reliability 
Standard CIP-003-7 (Cyber Security--Security Management Controls), 
submitted by the North American Electric Reliability Corporation 
(NERC). Proposed Reliability Standard CIP-003-7 improves upon the 
current Commission-approved CIP Reliability Standards by clarifying the 
obligations pertaining to electronic access control for low impact BES 
Cyber Systems; adopting mandatory security controls for transient 
electronic devices (e.g., thumb drives, laptop computers, and other 
portable devices frequently connected to and disconnected from systems) 
used at low impact BES Cyber Systems; and requiring responsible 
entities to have a policy for declaring and responding to CIP 
Exceptional Circumstances related to low impact BES Cyber Systems. In 
addition, the Commission proposes to direct NERC to develop certain 
modifications to the NERC Reliability Standards to provide clear, 
objective criteria for electronic access controls for low impact BES 
Cyber Systems; and address the need to mitigate the risk of malicious 
code that could result from third-party transient electronic devices.

DATES: Comments are due December 26, 2017.

ADDRESSES: Comments, identified by docket number, may be filed in the 
following ways:
     Electronic Filing through http://www.ferc.gov. Documents 
created electronically using word processing software should be filed 
in native applications or print-to-PDF format and not in a scanned 
format.
     Mail/Hand Delivery: Those unable to file electronically 
may mail or hand-deliver comments to: Federal Energy Regulatory 
Commission, Secretary of the Commission, 888 First Street NE., 
Washington, DC 20426.
    Instructions: For detailed instructions on submitting comments and 
additional information on the rulemaking process, see the Comment 
Procedures section of this document.

FOR FURTHER INFORMATION CONTACT: Matthew Dale (Technical Information), 
Office of Electric Reliability, Federal Energy Regulatory Commission, 
888 First Street NE., Washington, DC 20426, (202) 502-6826, 
[email protected], Kevin Ryan (Legal Information), Office of the 
General Counsel, Federal Energy Regulatory Commission, 888 First Street 
NE., Washington, DC 20426, (202) 502-6840, [email protected].

SUPPLEMENTARY INFORMATION: 
    1. Pursuant to section 215 of the Federal Power Act (FPA),\1\ the 
Commission proposes to approve Critical Infrastructure Protection (CIP) 
Reliability Standard CIP-003-7 (Cyber Security--Security Management 
Controls). The North American Electric Reliability Corporation (NERC), 
the Commission-certified Electric Reliability Organization (ERO), 
submitted proposed Reliability Standard CIP-003-7 in response to 
directives in Order No. 822.\2\ The Commission also proposes to approve 
the associated violation risk factors and violation severity levels, 
implementation plan and effective dates proposed by NERC. In addition, 
the Commission proposes to approve the modified definitions of 
Transient Cyber Asset and Removable Media as well as the retirement of 
the definitions for Low Impact External Routable Connectivity (LERC) 
and Low Impact Electronic Access Point (LEAP) in the NERC Glossary of 
Terms Used in NERC Reliability Standards (NERC Glossary). Further, the 
Commission proposes to approve the retirement of Reliability Standard 
CIP-003-6.
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o (2012).
    \2\ Revised Critical Infrastructure Protection Reliability 
Standards, Order No. 822, 154 FERC ¶ 61,037, reh'g denied, Order No. 
822-A, 156 FERC ¶ 61,052 (2016).
---------------------------------------------------------------------------

    2. Proposed Reliability Standard CIP-003-7 is designed to mitigate 
the cybersecurity risks to bulk electric system facilities, systems, 
and equipment, which, if destroyed, degraded, or otherwise rendered 
unavailable as a result of a cybersecurity incident, would affect the 
reliable operation of the bulk electric system.\3\ As discussed below, 
the Commission proposes to determine that proposed Reliability Standard 
CIP-003-7 is just, reasonable, not unduly discriminatory or 
preferential, and in the public interest and addresses the directives 
in Order No. 822 by: 1. Clarifying the obligations pertaining to 
electronic access control for low impact BES Cyber Systems; \4\ and 2. 
adopting mandatory security controls for transient electronic devices 
(e.g., thumb drives, laptop computers, and other portable devices 
frequently connected to and disconnected from systems) used at low 
impact BES Cyber Systems. In addition, by requiring responsible 
entities to have a policy for declaring and responding to CIP 
Exceptional Circumstances for low impact BES Cyber Systems, the 
proposed Reliability Standard aligns the treatment of low impact BES 
Cyber Systems with that of high and medium impact BES Cyber Systems, 
which currently include a requirement for declaring and responding to 
CIP Exceptional Circumstances. Accordingly, we propose to approve 
proposed Reliability Standard CIP-003-7 because the proposed 
modifications improve the base-line cybersecurity posture of 
responsible entities compared to the current Commission-approved CIP 
Reliability Standards.
---------------------------------------------------------------------------

    \3\ See NERC Petition at 2.
    \4\ NERC defines ``BES Cyber System'' as one or more BES Cyber 
Assets logically grouped by a responsible entity to perform one or 
more reliability tasks for a functional entity.
---------------------------------------------------------------------------

    3. In addition, pursuant to FPA section 215(d)(5), the Commission 
proposes to direct NERC to develop certain modifications to the CIP 
Reliability Standards. As discussed below, while proposed Reliability 
Standard CIP-003-7 improves electronic access control for low impact 
BES Cyber Systems and enhances security controls for transient 
electronic

[[Page 49542]]

devices used at low impact BES Cyber Systems, we propose to direct that 
NERC modify Reliability Standard CIP-003-7 to: 1. Provide clear, 
objective criteria for electronic access controls for low impact BES 
Cyber Systems; and 2. address the need to mitigate the risk of 
malicious code that could result from third-party transient electronic 
devices. We believe that modifications addressing these two concerns 
will address potential gaps and improve the cyber security posture of 
responsible entities that must comply with the CIP standards.

I. Background

A. Section 215 and Mandatory Reliability Standards

    4. Section 215 of the FPA requires a Commission-certified ERO to 
develop mandatory and enforceable Reliability Standards, subject to 
Commission review and approval. Reliability Standards may be enforced 
by the ERO, subject to Commission oversight, or by the Commission 
independently.\5\ Pursuant to section 215 of the FPA, the Commission 
established a process to select and certify an ERO,\6\ and subsequently 
certified NERC.\7\
---------------------------------------------------------------------------

    \5\ 16 U.S.C. 824o(e) (2012).
    \6\ Rules Concerning Certification of the Electric Reliability 
Organization; and Procedures for the Establishment, Approval, and 
Enforcement of Electric Reliability Standards, Order No. 672, FERC 
Stats. & Regs. ¶ 31,204, order on reh'g, Order No. 672-A, FERC 
Stats. & Regs. ¶ 31,212 (2006).
    \7\ North American Electric Reliability Corp., 116 FERC ¶ 
61,062, order on reh'g and compliance, 117 FERC ¶ 61,126 (2006), 
aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
---------------------------------------------------------------------------

B. Order No. 822

    5. The Commission approved the ``Version 1'' CIP standards in 
January 2008, and subsequently acted on revised versions of the CIP 
standards.\8\ On January 21, 2016, in Order No. 822, the Commission 
approved seven CIP Reliability Standards: CIP-003-6 (Security 
Management Controls), CIP-004-6 (Personnel and Training), CIP-006-6 
(Physical Security of BES Cyber Systems), CIP-007-6 (Systems Security 
Management), CIP-009-6 (Recovery Plans for BES Cyber Systems), CIP-010-
2 (Configuration Change Management and Vulnerability Assessments), and 
CIP-011-2 (Information Protection). The Commission determined that the 
Reliability Standards under consideration at that time were an 
improvement over the prior iteration of the CIP Reliability Standards 
and addressed the directives in Order No. 791 by, among other things, 
addressing in an equally effective and efficient manner the need for a 
NERC Glossary definition for the term ``communication networks'' and 
providing controls to address the risks posed by transient electronic 
devices (e.g., thumb drives and laptop computers) used at high and 
medium impact BES Cyber Systems.\9\
---------------------------------------------------------------------------

    \8\ Mandatory Reliability Standards for Critical Infrastructure 
Protection, Order No. 706, 122 FERC ¶ 61,040, order on reh'g, Order 
No. 706-A, 123 FERC ¶ 61,174 (2008), order on clarification, Order 
No. 706-B, 126 FERC ¶ 61,229 (2009), order on clarification, Order 
No. 706-C, 127 FERC ¶ 61,273 (2009).
    \9\ Order No. 822, 154 FERC ¶ 61,037 at P 17; see also Version 5 
Critical Infrastructure Protection Reliability Standards, Order No. 
791, 78 FR 72755 (Dec. 3, 2013), 145 FERC ¶ 61,160 (2013), order on 
clarification and reh'g, Order No. 791-A, 146 FERC ¶ 61,188 (2014).
---------------------------------------------------------------------------

    6. In addition, in Order No. 822, pursuant to section 215(d)(5) of 
the FPA, the Commission directed NERC, inter alia, to: 1. Develop 
modifications to the LERC definition to eliminate ambiguity surrounding 
the term ``direct'' as it is used in the LERC definition; and 2. 
develop modifications to the CIP Reliability Standards to provide 
mandatory protection for transient electronic devices used at low 
impact BES Cyber Systems.\10\
---------------------------------------------------------------------------

    \10\ Order No. 822, 154 FERC ¶ 61,037 at P 18.
---------------------------------------------------------------------------

C. NERC Petition

    7. On March 3, 2017, NERC submitted a petition seeking approval of 
Reliability Standard CIP-003-7 and the associated violation risk 
factors and violation severity levels, implementation plan and 
effective dates. NERC states that proposed Reliability Standard CIP-
003-7 satisfies the criteria set forth in Order No. 672 that the 
Commission applies when reviewing a proposed Reliability Standard.\11\ 
NERC also sought approval of revisions to NERC Glossary definitions for 
the terms Removable Media and Transient Cyber Asset, as well as the 
retirement of the NERC Glossary definitions of LERC and LEAP. In 
addition, NERC proposed the retirement of Commission-approved 
Reliability Standard CIP-003-6.
---------------------------------------------------------------------------

    \11\ See NERC Petition at 2 (citing Order No. 672, FERC Stats. & 
Regs. ¶ 31,204 at PP 262, 321-337); id. at Exhibit D (Order No. 672 
Criteria).
---------------------------------------------------------------------------

    8. NERC states that proposed Reliability Standard CIP-003-7 
improves upon the existing protections that apply to low impact BES 
Cyber Systems. NERC avers that the proposed modifications address the 
Commission's directives from Order No. 822 by: 1. Clarifying electronic 
access control requirements applicable to low impact BES Cyber Systems; 
and 2. adding requirements for the protection of transient electronic 
devices used for low impact BES Cyber Systems. In addition, while not 
required by Order No. 822, NERC proposes a CIP Exceptional 
Circumstances policy for low impact BES Cyber Systems.
    9. In response to the Commission's directive to develop 
modifications to eliminate ambiguity surrounding the term ``direct'' as 
it is used in the LERC definition, NERC proposes to: 1. Retire the 
terms LERC and LEAP from the NERC Glossary; and 2. modify Section 3 of 
Attachment 1 to proposed Reliability Standard CIP-003-7 ``to more 
clearly delineate the circumstances under which Responsible Entities 
must establish access controls for low impact BES Cyber Systems.'' \12\ 
NERC states that the proposed revisions are designed to simplify the 
electronic access control requirements associated with low impact BES 
Cyber Systems in order to avoid ambiguities associated with the term 
``direct.'' NERC explains that it recognized the ``added layer of 
unnecessary complexity'' introduced by distinguishing between 
``direct'' and ``indirect'' access within the LERC definition and 
asserts that the proposed revisions will ``help ensure that Responsible 
Entities implement the required security controls effectively.'' \13\
---------------------------------------------------------------------------

    \12\ Id. at 16.
    \13\ Id. at 16.
---------------------------------------------------------------------------

    10. With regard to the Commission's directive to develop 
modifications to the CIP Reliability Standards to provide mandatory 
protection for transient electronic devices used at low impact BES 
Cyber Systems, NERC proposes to add a new section to Attachment 1 to 
proposed Reliability Standard CIP-003-7 to require responsible entities 
to include controls in their cyber security plans to mitigate the risk 
of the introduction of malicious code to low impact BES Cyber Systems 
that could result from the use of ``Transient Cyber Assets or Removable 
Media.'' Specifically, proposed Section 5 of Attachment 1 lists 
controls to be applied to Transient Cyber Assets and Removable Media 
that NERC contends ``will provide enhanced protections against the 
propagation of malware from transient devices.'' \14\
---------------------------------------------------------------------------

    \14\ Id. at 26-27.
---------------------------------------------------------------------------

    11. NERC also proposes a modification that was not directed by the 
Commission in Order No. 822. Namely, NERC proposes revisions in 
Requirement R1 of proposed Reliability Standard CIP-003-7 to require 
responsible entities to have a policy for declaring and responding to 
CIP Exceptional Circumstances related to low impact BES Cyber 
Systems.\15\ NERC

[[Page 49543]]

states that a number of requirements in the existing CIP Reliability 
Standards specify that responsible entities do not have to implement or 
continue implementing these requirements during a CIP Exceptional 
Circumstance in order to avoid hindering the entities' ability to 
timely and effectively respond to the CIP Exceptional Circumstance. 
NERC explains that since the proposed requirements relating to 
transient electronic devices used at low impact BES Cyber Systems 
include an exception for CIP Exceptional Circumstances, NERC is 
proposing to add a requirement for responsible entities to have a CIP 
Exceptional Circumstances policy that applies to low impact BES Cyber 
Systems, as it already requires for high and medium impact BES Cyber 
Systems.\16\
---------------------------------------------------------------------------

    \15\ A CIP Exceptional Circumstance is defined in the NERC 
Glossary as a situation that involves or threatens to involve one or 
more of the following, or similar, conditions that impact safety or 
bulk electric system reliability: A risk of injury or death; a 
natural disaster; civil unrest; an imminent or existing hardware, 
software, or equipment failure; a Cyber Security Incident requiring 
emergency assistance; a response by emergency services; the 
enactment of a mutual assistance agreement; or an impediment of 
large scale workforce availability. Glossary of Terms Used in NERC 
Reliability Standards (August 1, 2017), http://www.nerc.com/files/glossary_of_terms.pdf.
    \16\ NERC Petition at 31-32.
---------------------------------------------------------------------------

    12. NERC requests that proposed Reliability Standard CIP-003-7 and 
the revised definitions of Transient Cyber Asset and Removable Media 
become effective the first day of the first calendar quarter that is 
eighteen months after the effective date of the Commission's order 
approving the proposed Reliability Standard.

II. Discussion

    13. Pursuant to section 215(d)(2) of the FPA, we propose to approve 
Reliability Standard CIP-003-7 as just, reasonable, not unduly 
discriminatory or preferential, and in the public interest. Proposed 
Reliability Standard CIP-003-7 largely addresses the Commission's 
directives in Order No. 822 and is an improvement over the current 
Commission-approved CIP Reliability Standards. Specifically, the 
modifications to Section 3 of Attachment 1 to Reliability Standard CIP-
003-7 clarify the obligations pertaining to electronic access control 
for low impact BES Cyber Systems. In addition, the modifications to 
Attachment 1 to Reliability Standard CIP-003-7 require mandatory 
security controls for transient electronic devices used at low impact 
BES Cyber Systems. We also propose to approve the new provision in 
Reliability Standard CIP-003-7, Requirement R1 requiring responsible 
entities to have a policy for declaring and responding to CIP 
Exceptional Circumstances related to low impact BES Cyber Systems. 
While Order No. 822 did not direct NERC to expand the scope of the CIP 
Exceptional Circumstances policy, the revision aligns the treatment of 
low impact BES Cyber Systems with that of high and medium impact BES 
Cyber Systems if and when a CIP Exceptional Circumstance occurs.
    14. We also propose to approve the revisions to the NERC Glossary 
definitions of Transient Cyber Asset and Removable Media, as well as 
the retirement of the NERC Glossary definitions for LERC and LEAP since 
the proposed modifications to Reliability Standard CIP-003-7 obviate 
the need for the two terms. We further propose to approve the violation 
risk factor and violation severity level assignments associated with 
proposed Reliability Standard CIP-003-7 as well as NERC's proposed 
implementation plan and effective dates.
    15. In addition, as discussed below, pursuant to section 215(d)(5) 
of the FPA, the Commission proposes to direct NERC to develop certain 
modifications to the CIP Reliability Standards. While proposed 
Reliability Standard CIP-003-7 improves electronic access control for 
low impact BES Cyber Systems and enhances security controls for 
transient electronic devices used at low impact BES Cyber Systems, we 
propose to direct that NERC modify Reliability Standard CIP-003-7 to: 
1. Provide clear, objective criteria for electronic access controls for 
low impact BES Cyber Systems; and 2. address the need to mitigate the 
risk of malicious code that could result from third-party transient 
electronic devices.
    16. Below, we discuss the following issues: A. Electronic access 
controls for low impact BES Cyber Systems; B. protection of transient 
electronic devices; C. proposed retirement and modification of 
definitions; D. NERC's proposed implementation plan and effective 
dates; and E. proposed violation severity level and violation risk 
factor assignments.

A. Electronic Access Controls for Low Impact BES Cyber Systems

Order No. 822

    17. In Order No. 822, the Commission directed NERC to modify the 
LERC definition to eliminate ambiguity surrounding the term ``direct'' 
as it is used in the LERC definition.\17\ The Commission explained that 
the directive was intended to codify the clarification provided in 
NERC's NOPR comments, in which NERC referenced a statement in the 
Guidelines and Technical Basis section of Reliability Standard CIP-003-
6 that electronic access controls must be applied to low impact BES 
Cyber Systems unless responsible entities implement a ``complete 
security break'' between the external host (cyber asset) and any cyber 
asset(s) that may be used to pass communications to the low impact BES 
Cyber System.\18\ The Commission observed that ``a suitable means to 
address our concern is to modify the [LERC] definition consistent with 
the commentary in the Guidelines and Technical Basis section of CIP-
003-6.'' \19\
---------------------------------------------------------------------------

    \17\ Order No. 822, 154 FERC ¶ 61,037 at P 73.
    \18\ Id. (citing NERC NOPR Comments at 31).
    \19\ Id.
---------------------------------------------------------------------------

    18. In addition, the Commission explained that the directive was 
also intended to eliminate a loophole that would have allowed 
transitive connections to out-of-scope cyber assets (e.g., serial 
devices) to go unprotected under the LERC definition.\20\
---------------------------------------------------------------------------

    \20\ Id. (``NERC's clarification on this issue resolves many of 
the concerns raised by EnergySec, APS, and SPP RE regarding the 
proposed definition, as a complete security break would not appear 
to permit transitive connections through one or more out of scope 
cyber assets to go unprotected under the definition, and would 
appear to require the assets to maintain `separate conversations' as 
suggested by SPP RE.'').
---------------------------------------------------------------------------

NERC Petition

    19. In its Petition, NERC proposes to: 1. Retire the terms LERC and 
LEAP from the NERC Glossary; and 2. modify Section 3 of Attachment 1 to 
Reliability Standard CIP-003-7 ``to more clearly delineate the 
circumstances under which Responsible Entities must establish access 
controls for low impact BES Cyber Systems.'' \21\ NERC states that the 
proposed revisions are designed to simplify the electronic access 
control requirements associated with low impact BES Cyber Systems in 
order to avoid ambiguities associated with the term ``direct.'' NERC 
states further that it recognized the ``added layer of unnecessary 
complexity'' introduced by distinguishing between ``direct'' and 
``indirect'' access within the LERC definition and asserts that the 
proposed revisions will ``help ensure that Responsible Entities 
implement the required security controls effectively.'' \22\
---------------------------------------------------------------------------

    \21\ NERC Petition at 16.
    \22\ Id.
---------------------------------------------------------------------------

    20. NERC states that proposed Reliability Standard CIP-003-7 would 
require responsible entities to implement electronic access controls 
for any communication, direct or indirect (i.e., communications through 
an intermediary device where no direct connection is present), between 
a low

[[Page 49544]]

impact BES Cyber System and an outside Cyber Asset that uses a routable 
protocol when entering or leaving the asset containing the low impact 
BES Cyber System. NERC asserts that the proposed revisions to Section 3 
of Attachment 1 to proposed Reliability Standard CIP-003-7 improve the 
clarity of the electronic access requirements and focus responsible 
entities ``on the security objective of controlling electronic access 
to permit only necessary inbound and outbound electronic access to low 
impact BES Cyber Systems.'' \23\
---------------------------------------------------------------------------

    \23\ Id. at 17.
---------------------------------------------------------------------------

    21. NERC explains that Section 3.1 of Attachment 1 to proposed 
Reliability Standard CIP-003-7 is composed of three basic elements: 1. 
Identifying routable protocol communications from outside the asset 
containing the low impact BES Cyber System; 2. determining necessary 
inbound and outbound electronic access; and 3. implementing electronic 
access controls to permit only necessary inbound and outbound 
electronic access to the low impact BES Cyber System.
    22. With regard to the first element, NERC states that Section 3.1 
of Attachment 1 defines the circumstances where communications require 
electronic access controls. The three characteristics are:

    1. The communication is between the low impact BES Cyber System 
and a Cyber Asset outside the asset containing low impact BES Cyber 
System(s);
    2. the communication uses a routable protocol when entering or 
leaving the asset containing the low impact BES Cyber System(s); and
    3. the communication is not used for time-sensitive protection 
or control functions between intelligent electronic devices.

    NERC states further that each of the three characteristics were 
included in the original LERC definition.\24\
---------------------------------------------------------------------------

    \24\ Id. at 18.
---------------------------------------------------------------------------

    23. NERC asserts that the first characteristic helps to properly 
focus the electronic access controls in light of ``the wide array of 
low impact BES Cyber Systems and the risk-based approach to protecting 
different types of BES Cyber Systems.'' \25\ NERC explains that, 
whether a ``Responsible Entity uses a logical border as a demarcation 
point or some other understanding of what is inside or outside the 
asset, [the responsible entity] would have to provide a reasonable 
justification for its determination.'' \26\ On the second 
characteristic, NERC states that routable communications present 
increased risks to the security of BES Cyber Systems and require 
additional protections. Therefore, communications with a low impact BES 
Cyber System involving routable connections require protections to 
address the risk of uncontrolled communications. With regard to the 
third characteristic, NERC explains that the exclusion of 
communications for time-sensitive protection and control functions is 
intended to avoid precluding the functionality of time-sensitive 
reliability enhancing functions. NERC states, however, that an entity 
invoking this exclusion may have to demonstrate that applying 
electronic access controls would introduce latency that would 
negatively impact functionality.\27\
---------------------------------------------------------------------------

    \25\ Id. at 19.
    \26\ Id.
    \27\ Id. at 20.
---------------------------------------------------------------------------

    24. According to NERC, the second characteristic of Section 3.1 of 
Attachment 1 provides that responsible entities may permit only 
necessary inbound and outbound electronic access to low impact BES 
Cyber Systems as determined by the responsible entity. NERC explains 
that Section 3.1 does not specify a bright line as to what constitutes 
``necessary inbound and outbound access'' due to ``the wide array of 
assets containing low impact BES Cyber Systems and the myriad of 
reasons a Responsible Entity may need to allow electronic access to and 
from a low impact BES Cyber Systems.'' \28\ NERC maintains that 
responsible entities ``have the flexibility to identify the necessary 
electronic access to meet their business and operational needs.'' \29\
---------------------------------------------------------------------------

    \28\ Id. at 21-22.
    \29\ Id. at 22.
---------------------------------------------------------------------------

    25. NERC explains that ``a Responsible Entity must document the 
necessity of its inbound and outbound electronic access permissions and 
provide justification of the need for such access'' in order to 
demonstrate compliance with Section 3.1 of Attachment 1.\30\ NERC 
states that absent a documented, reasonable justification, the ERO may 
find that the responsible entity was not in compliance with Section 
3.1. NERC asserts that the purpose of the phrase ``as determined by the 
Responsible Entity'' in Section 3.1 is to indicate that the 
determination whether electronic access is necessary is to be made in 
the first instance by the responsible entity based on the facts and 
circumstances of each case. NERC states further that the phrase 
``as determined by the Responsible Entity'' does not limit the ERO's 
ability to engage in effective compliance oversight. Specifically, NERC 
contends that the ERO has the authority to review the documented 
justification for permitting electronic access and to determine whether 
it represents a reasonable exercise of discretion in light of the 
overall reliability objective.\31\
---------------------------------------------------------------------------

    \30\ Id.
    \31\ Id. at 22-23.
---------------------------------------------------------------------------
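To make the Section 3.1 decision rule concrete, the following Python is an added example, not text from this notice or from any NERC document. It encodes the three characteristics listed in paragraph 22 as a predicate over constructed communication flows, treats direct and intermediary-routed communications alike (paragraph 20), and flags any permitted flow that lacks the documented justification paragraph 25 describes. The Flow fields, the sample flows, and the status strings are my assumptions; they are not taken from the standard or its RSAW.

```python
"""Added example (not part of the FERC notice or any NERC artifact).

Encodes the three Section 3.1 characteristics from CIP-003-7 Attachment 1
as a scoping predicate, then checks that every in-scope flow an entity
permits carries a documented justification. All field names, sample flows
and status strings are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Flow:
    """One communication path to or from a low impact BES Cyber System.

    Attributes are assumed for this example; they mirror the three
    characteristics in paragraph 22 plus the entity's access decision.
    """
    name: str
    peer_inside_asset: bool          # other Cyber Asset sits inside the asset (characteristic 1)
    routable_at_boundary: bool       # routable protocol when entering/leaving the asset (characteristic 2)
    time_sensitive_protection: bool  # time-sensitive protection/control between IEDs (characteristic 3)
    via_intermediary: bool           # "indirect" path through another device (paragraph 20)
    permitted: bool                  # entity's inbound/outbound access decision
    justification: Optional[str] = None  # documented business need (paragraph 25)


def requires_access_control(flow: Flow) -> bool:
    """Section 3.1 scoping: all three characteristics must hold.

    Note that via_intermediary is deliberately ignored: the revised
    standard covers direct and indirect communications alike.
    """
    return (not flow.peer_inside_asset
            and flow.routable_at_boundary
            and not flow.time_sensitive_protection)


def classify(flow: Flow) -> str:
    """Map one flow to a review status (status strings are assumptions)."""
    if not requires_access_control(flow):
        return "out of scope"
    if not flow.permitted:
        return "denied"
    if flow.justification and flow.justification.strip():
        return "permitted, justified"
    return "permitted without documented justification"


def evaluate(flows: List[Flow]) -> Dict[str, str]:
    """Classify every flow, keyed by name."""
    return {f.name: classify(f) for f in flows}


def unjustified_permits(flows: List[Flow]) -> List[str]:
    """Names of in-scope, permitted flows with no documented justification.

    These are the cases paragraph 25 says the ERO may treat as
    non-compliance absent a reasonable, documented justification.
    """
    return [f.name for f in flows
            if classify(f) == "permitted without documented justification"]


# Constructed sample flows (not real network data).
SAMPLE_FLOWS = [
    Flow("ems-poll", False, True, False, False, True,
         "Control center EMS polls substation RTU for telemetry"),
    Flow("vendor-remote", False, True, False, True, True, None),
    Flow("teleprotection", False, True, True, False, True, None),
    Flow("local-hmi", True, True, False, False, True, None),
    Flow("outbound-web", False, True, False, False, False, None),
]


if __name__ == "__main__":
    for name, status in evaluate(SAMPLE_FLOWS).items():
        print(f"{name:15s} {status}")
    print("needs justification:", unjustified_permits(SAMPLE_FLOWS))
```

The `vendor-remote` flow shows the point of retiring the direct/indirect distinction: it reaches the low impact BES Cyber System through an intermediary device, yet it is still in scope and, because it is permitted without a written justification, is exactly the kind of entry an auditor would ask about. The `teleprotection` flow is out of scope only because of the time-sensitive exclusion, which paragraph 23 notes the entity may have to substantiate with latency evidence.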

    26. In support of its position, NERC cites the draft Reliability 
Standard Audit Worksheet (RSAW) for proposed Reliability Standard CIP-
003-7, which provides the following language in the Note to Auditor 
section for Requirement R2:

    The entity must document its determination as to what is 
necessary inbound and outbound electronic access and provide 
justification of the business need for such access. Once this 
determination has been made and documented, the audit team's 
professional judgment cannot override the determination made by the 
Responsible Entity.\32\
---------------------------------------------------------------------------

    \32\ Id. at 22, n.42.

    NERC also provides a list of Commission-approved CIP Reliability 
Standards where the phrase ``as determined by the Responsible Entity'' 
or similar language is used. NERC states that in all circumstances 
where the phrase ``as determined by the Responsible Entity'' or similar 
language is used, ``the ERO has the authority to evaluate the 
reasonableness of the Responsible Entity's determination when assessing 
compliance to ensure it is consistent with the reliability objective of 
the requirement. To interpret this language otherwise would be 
inconsistent with NERC's statutory obligation to engage in meaningful 
compliance oversight . . .'' \33\
---------------------------------------------------------------------------

    \33\ Id. at 23-24. NERC also indicates, id. at n.42, that 
Footnote 1 of the draft RSAW states that ``[w]hile the information 
included in this RSAW provides some of the methodology that NERC has 
elected to use to assess compliance with the requirements of the 
Reliability Standard, this document should not be treated as a 
substitute for the Reliability Standard or viewed as additional 
Reliability Standard requirements. In all cases, the Regional Entity 
should rely on the language contained in the Reliability Standard 
itself, and not on the language contained in the RSAW, to determine 
compliance with the Reliability Standard.'' Draft RSAW, http://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20DL/RSAW_CIP-003-7(i)_v2_Clean_01202017.pdf.
---------------------------------------------------------------------------

Commission Proposal
    27. The Commission proposes to approve Reliability Standard CIP-
003-7 because, as discussed above, the proposed Reliability Standard 
largely addresses the directives in Order No. 822 and is an improvement 
over the current Commission-approved CIP Reliability Standards. 
However, NERC's proposed revisions to Reliability Standard CIP-003-7 
regarding the LERC

[[Page 49545]]

directive and electronic access controls for low impact BES Cyber 
Systems raise certain issues. In Order No. 822, the Commission directed 
NERC to develop modifications to the LERC definition to eliminate 
ambiguity surrounding the term ``direct'' as it is used in the 
definition. The directive was based on the concern that responsible 
entities could avoid adopting adequate electronic access protections 
for low impact BES Cyber Systems by simply installing a device, such as 
a laptop or protocol converter, in front of the BES Cyber System to 
``break'' the direct routable connection. As the Commission noted in 
Order No. 822, the desired clarification could have been made by 
including the security concepts from the Guidelines and Technical Basis 
section of Reliability Standard CIP-003-6 in the definition.\34\ 
Instead, NERC's proposal comprehensively revises a responsible entity's 
obligations under Requirement R2 through the revisions to Attachment 1 
by deleting the term LERC and giving responsible entities significantly 
more deference in determining how they construct the electronic access 
protections for low impact BES Cyber Systems.
---------------------------------------------------------------------------

    \34\ See Order No. 822, 154 FERC ¶ 61,037 at P 73.
---------------------------------------------------------------------------

    28. We are concerned that the proposed revisions may not provide 
adequate electronic access controls for low impact BES Cyber Systems. 
Specifically, proposed Reliability Standard CIP-003-7 does not provide 
clear, objective criteria or measures to assess compliance by 
independently confirming that the access control strategy adopted by a 
responsible entity would reasonably meet the security objective of 
permitting only ``necessary inbound and outbound electronic access'' to 
its low impact BES Cyber Systems.
    29. Section 3.1 of Attachment 1 to proposed Reliability Standard 
CIP-003-7 does not appear to contain clear criteria or objective 
measures to determine whether the electronic access control strategy 
chosen by the responsible entity would be effective for a given low 
impact BES Cyber System to permit only necessary inbound and outbound 
connections. In order to ensure an objective and consistently-applied 
requirement, the electronic access control plan required in Attachment 
1 should require the responsible entity to articulate its access 
control strategy for a particular set of low impact BES Cyber Systems 
and provide a technical rationale rooted in security principles 
explaining how that strategy will reasonably restrict electronic 
access. Attachment 1 should also outline basic security principles in 
order to provide clear, objective criteria or measures to assist in 
assessing compliance. Without such a requirement, auditors will not 
necessarily have adequate information to assess the reasonableness of 
the responsible entity's decision with respect to how the responsible 
entity identified necessary communications or restricted electronic 
access to specific low impact BES Cyber Systems. And absent such 
information, it is possible that an auditor could assess a violation 
where an entity adequately protected its low impact BES Cyber Systems 
or fail to recognize a situation where additional protections are 
necessary to meet the security objective of the standard.
    30. As the Commission stated in Order No. 672, there ``should be a 
clear criterion or measure of whether an entity is in compliance with a 
proposed Reliability Standard. It should contain or be accompanied by 
an objective measure of compliance so that it can be enforced and so 
that enforcement can be applied in a consistent and non-preferential 
manner.'' \35\ The Commission reiterated this point in Order No. 791, 
stating that ``the absence of objective criteria to evaluate the 
controls chosen by responsible entities for Low Impact assets 
introduces an unacceptable level of ambiguity and potential 
inconsistency into the compliance process, and creates an unnecessary 
gap in reliability.'' \36\ The Commission also observed that 
``ambiguity will make it difficult for registered entities to develop, 
and NERC and the regions to objectively evaluate, the effectiveness of 
procedures developed to implement'' the Reliability Standard.\37\
---------------------------------------------------------------------------

    \35\ Rules Concerning Certification of the Electric Reliability 
Organization and Procedures for the Establishment, Approval, and 
Enforcement of Electric Reliability Standards, Order No. 672, FERC 
Stats. & Regs. ¶ 31,204, at P 327 (2006).
    \36\ Order No. 791, 145 FERC ¶ 61,160 at P 108.
    \37\ Id.
---------------------------------------------------------------------------

    31. As a possible model, the electronic access control requirements 
that are applied to medium and high impact BES Cyber systems provide a 
number of criteria that can be used to assess the sufficiency of a 
responsible entity's electronic access control strategy. For medium and 
high impact BES Cyber Systems, auditors use the following criteria to 
review whether the access control strategy is reasonable: 1. Whether 
the electronic access was granted through an authorized and monitored 
electronic access point (Reliability Standard CIP-005-5, Requirement 
R1); 2. whether the electronic access granted to individuals/devices 
was evaluated based on need (Reliability Standard CIP-005-5, 
Requirement R1.3); 3. whether the entity has mechanisms to enforce 
authentication of users with electronic access (Reliability Standard 
CIP-007-6, Requirement R5); and 4. whether the responsible entity 
routinely uses strong passwords and manages password changes 
(Reliability Standard CIP-007-6, Requirement R5). Absent similar 
criteria in the low impact electronic access control plan that are 
appropriately tailored to the risks posed by low impact BES Cyber 
Systems, responsible entities may adopt electronic access controls that 
do not meet the overarching security objective of restricting inbound 
and outbound electronic access.
    32. Therefore, pursuant to section 215(d)(5) of the FPA, we propose 
to direct NERC to develop modifications to Reliability Standard CIP-
003-7 to provide clear, objective criteria for electronic access 
controls for low impact BES Cyber Systems consistent with the above 
discussion. The Commission seeks comment on this proposal.

B. Protection of Transient Electronic Devices

Order No. 822
    33. In Order No. 822, the Commission directed NERC to develop 
modifications to provide mandatory protection for transient electronic 
devices used at low impact BES Cyber Systems based on the risk posed to 
bulk electric system reliability. The Commission stated that such 
modifications ``will provide an important enhancement to the security 
posture of the bulk electric system by reinforcing the defense-in-depth 
nature of the CIP Reliability Standards at all impact levels.'' \38\ 
The Commission also stated that the proposed modifications should be 
designed to effectively address the risks posed by transient electronic 
devices used at low impact BES Cyber Systems ``in a manner that is 
consistent with the risk-based approach reflected in the CIP version 5 
Standards.'' \39\
---------------------------------------------------------------------------

    \38\ Order No. 822, 154 FERC ¶ 61,037 at P 32 (emphasis in 
original).
    \39\ Id.
---------------------------------------------------------------------------

NERC Petition
    34. In its Petition, NERC proposes to add a new section to 
Attachment 1 to proposed Reliability Standard CIP-003-7 to require 
responsible entities to include controls in their cyber security plans 
to mitigate the risk of the introduction of malicious code to low 
impact BES Cyber Systems through the

[[Page 49546]]

use of ``Transient Cyber Assets or Removable Media.'' Specifically, 
proposed Section 5 of Attachment 1 lists controls to be applied to 
Transient Cyber Assets and Removable Media that NERC states ``will 
provide enhanced protections against the propagation of malware from 
transient devices.'' \40\
---------------------------------------------------------------------------

    \40\ Id. at 26-27.
---------------------------------------------------------------------------

    35. NERC states that the language in proposed Section 5 to 
Attachment 1 parallels the language in Attachment 1 to Reliability 
Standard CIP-010-2, which addresses mitigation of the risks of the 
introduction of malicious code to high and medium impact BES Cyber 
Systems through the use of Transient Cyber Assets or Removable Media. 
NERC states further that, as in Reliability Standard CIP-010-2, 
proposed Section 5 distinguishes between Transient Cyber Assets managed 
by a responsible entity and those managed by a third-party; the 
distinction arising because of a responsible entity's lack of control 
over Transient Cyber Assets managed by a third-party. NERC explains 
that the proposed controls for Removable Media do not distinguish 
between the responsible entity-managed assets and third-party managed 
assets due to the functionality of Removable Media. NERC provides the 
example of a thumb drive that can be scanned prior to use regardless of 
which party manages the asset.\41\
---------------------------------------------------------------------------

    \41\ Id. at 28.
---------------------------------------------------------------------------

    36. NERC explains that proposed Section 5 of Attachment 1 requires 
responsible entities to meet the security objectives ``by implementing 
the controls that the Responsible Entity determines necessary to meet 
its affirmative obligation to mitigate the risks of the introduction of 
malicious code.'' \42\ NERC states that the approach reflected in 
Section 5 provides the flexibility to implement the controls that best 
suit the needs and characteristics of a responsible entity's 
organization. NERC explains further that ``the Responsible Entity must 
demonstrate that its selected controls were designed to meet the 
security objective to mitigate the risk of the introduction of 
malicious code.'' \43\
---------------------------------------------------------------------------

    \42\ Id.
    \43\ Id. at 29.
---------------------------------------------------------------------------

    37. NERC outlines certain distinctions between proposed Section 5 
of Attachment 1 to proposed Reliability Standard CIP-003-7 and 
Attachment 1 to Reliability Standard CIP-010-2. Specifically, NERC 
states that proposed Section 5 does not include requirements relating 
to authorization or software vulnerabilities, as are contained in 
Attachment 1 to Reliability Standard CIP-010-2. NERC explains that this 
difference is consistent with the risk-based approach of the CIP 
Reliability Standards and ``the underlying principle of concentrating 
limited industry resources on protecting those BES Cyber Systems with 
greater risk to the BES.'' NERC states that Section 5 focuses on the 
risk associated with the introduction of malicious code.\44\
---------------------------------------------------------------------------

    \44\ NERC Petition at 29.
---------------------------------------------------------------------------

    38. In addition, NERC states that proposed Section 5 to Attachment 
1 does not include language requiring a responsible entity to determine 
whether additional mitigation actions are necessary where a third party 
manages a Transient Cyber Asset, nor does it include language requiring 
a responsible entity to implement additional mitigation actions in such 
situations. NERC states that it nonetheless expects ``that if another 
party's processes and practices for protecting its Transient Cyber 
Assets do not provide reasonable assurance that they are designed to 
effectively meet the security objective of mitigating the introduction 
of malicious code, the Responsible Entity must take additional steps to 
meet the stated objective.'' \45\ NERC explains that if a third party's 
practices and policies do not provide reasonable assurance that the 
Transient Cyber Assets would be protected from malicious code, ``simply 
reviewing those policies and procedures without taking other steps to 
mitigate the risks of introduction of malicious code may not constitute 
compliance.'' \46\
---------------------------------------------------------------------------

    \45\ Id. at 29-30.
    \46\ Id. at 30.
---------------------------------------------------------------------------

Commission Proposal
    39. NERC's proposed modifications in Reliability Standard CIP-003-
7, Requirement R2, Attachment 1, Section 5 that include malware 
detection and prevention controls for responsible entity-managed 
Transient Cyber Assets and Removable Media should improve the 
cybersecurity posture of responsible entities compared to currently-
effective Reliability Standard CIP-003-6. The revisions in Section 5.2, 
however, do not address one aspect of the reliability gap identified in 
Order No. 822 regarding low impact BES Cyber Systems. Specifically, as 
noted above, proposed Reliability Standard CIP-003-7 does not 
explicitly require mitigation of the introduction of malicious code 
from third-party managed Transient Cyber Assets, even if the 
responsible entity determines that the third-party's policies and 
procedures are inadequate.\47\ While the proposed Reliability Standard 
does not explicitly require mitigation of the introduction of malicious 
code from third-party managed Transient Cyber Assets, NERC states that 
the failure to mitigate this risk ``may not constitute compliance.'' 
\48\ NERC's statement suggests that, with regard to low impact BES 
Cyber Systems, the proposed requirement lacks an obligation for a 
responsible entity to correct any deficiencies that are discovered 
during a review of third-party Transient Cyber Asset management 
practices. Indeed, the parallel provision for high and medium impact 
BES Cyber Systems specifies that ``Responsible Entities shall determine 
whether any additional mitigation actions are necessary and implement 
such actions prior to connecting the Transient Cyber Asset.'' \49\ Yet, 
such language obligating mitigation action is not proposed for low 
impact BES Cyber Assets.
---------------------------------------------------------------------------

    \47\ See NERC Petition at 29-30.
    \48\ Id. at 30.
    \49\ Reliability Standard CIP-010-2 (Cyber Security--
Configuration Change Management and Vulnerability Assessments), 
Requirement R4, Attachment 1, Section 2.3. In contrast, the 
obligations to ``review'' methods used by third-parties to detect 
and prevent malware are similar for lower, medium and high impact 
BES Cyber Assets. Cf. CIP-010-2, Attachment 1, Sections 2.1 and 2.2; 
and proposed CIP-010-3, Attachment 1, Section 3.2.
---------------------------------------------------------------------------

    40. The proposed Reliability Standard may, therefore, contain a 
reliability gap where a responsible entity contracts with a third-party 
but fails to mitigate potential deficiencies discovered in the third-
party's malicious code detection and prevention practices prior to a 
Transient Cyber Asset being connected to a low impact BES Cyber System. 
That is because the proposed Reliability Standard does not contain: 1. 
A requirement for the responsible entity to mitigate any malicious code 
found during the third-party review(s); or 2. a requirement that the 
responsible entity take reasonable steps to mitigate the risks of third 
party malicious code on their systems, if an arrangement cannot be made 
for the third-party to do so. Without these obligations, we are 
concerned that responsible entities could, without compliance 
consequences, simply accept the risk of deficient third-party transient 
electronic device management practices.\50\ Moreover, the requirement 
to ``review'' methods used by third-parties to detect and prevent 
malware may fail to convey the necessary next steps that a responsible 
entity should take.\51\
---------------------------------------------------------------------------

    \50\ See Order No. 706, 122 FERC ¶ 61,040 at P 150 (rejecting 
the concept of acceptance of risk in the CIP Reliability Standards).
    \51\ See Order No. 791, 145 FERC ¶ 61,160 at P 108.
---------------------------------------------------------------------------

[[Page 49547]]

    41. Therefore, pursuant to section 215(d)(5) of the FPA, we propose 
to direct that NERC develop modifications to proposed Reliability 
Standard CIP-003-7 to address the need to mitigate the risk of 
malicious code that could result from third-party Transient Cyber 
Assets consistent with the above discussion. The Commission seeks 
comment on this proposal.

C. Proposed NERC Glossary Definitions

    42. Proposed Reliability Standard CIP-003-7 includes two revised 
definitions for inclusion in the NERC Glossary. Specifically, NERC 
proposes to revise the definitions of Transient Cyber Asset and 
Removable Media in order to accommodate the use of the terms at all 
impact levels. NERC explains that the original definitions include 
references to concepts or requirements associated only with high and 
medium impact BES Cyber Systems and the definitions were modified to 
avoid confusion because protections for Transient Electronic Devices 
will now be extended to low impact BES Cyber Systems.\52\
---------------------------------------------------------------------------

    \52\ NERC Petition at 30.
---------------------------------------------------------------------------

    43. In addition, NERC proposes to retire the definitions of LERC 
and LEAP. NERC states that the proposed retirement of the NERC Glossary 
terms LERC and LEAP accords with the proposed modifications to Section 
3 of Attachment 1 to proposed Reliability Standard CIP-003-7 and is 
intended to simplify the electronic access control requirements for low 
impact BES Cyber Systems by avoiding the ambiguities associated with 
the term ``direct.'' NERC explains further that it ``recognized that 
distinguishing between `direct' and `indirect' electronic access within 
the LERC definition added a layer of unnecessary complexity.'' \53\
---------------------------------------------------------------------------

    \53\ Id. at 16.
---------------------------------------------------------------------------

    44. We propose to approve the revised definitions of Transient 
Cyber Asset and Removable Media, as well as the retirement of the 
definitions of LERC and LEAP.

D. Implementation Plan and Effective Dates

    45. NERC requests an effective date for proposed Reliability 
Standard CIP-003-7 and the revised definitions of Transient Cyber Asset 
and Removable Media on the first day of the first calendar quarter that 
is eighteen months after the effective date of the Commission's order 
approving the proposed Reliability Standard. NERC explains that the 
proposed implementation plan does not alter the previously-approved 
compliance dates for Reliability Standard CIP-003-6 other than the 
compliance date for Reliability Standard CIP-003-6, Requirement R2, 
Attachment 1, Sections 2 and 3, which would be replaced with the 
effective date for proposed Reliability Standard CIP-003-7. NERC also 
proposes that the retirement of Reliability Standard CIP-003-6 and the 
associated definitions become effective on the effective date of 
proposed Reliability Standard CIP-003-7.\54\
---------------------------------------------------------------------------

    \54\ Id., Exhibit C (Implementation Plan).
---------------------------------------------------------------------------

    46. We propose to approve NERC's implementation plan for proposed 
Reliability Standard CIP-003-7, as described above.

E. Violation Risk Factor/Violation Severity Level Assignments

    47. NERC requests approval of two violation risk factors and 
violation severity levels assigned to proposed Reliability Standard 
CIP-003-7. Specifically, NERC requests approval of violation risk 
factor and violation severity level assignments associated with 
Requirements R1 and R2 of Reliability Standard CIP-003-7.\55\ We 
propose to accept these violation risk factors and violation severity 
levels.
---------------------------------------------------------------------------

    \55\ Id., Exhibit F (Analysis of Violation Risk Factors and 
Violation Severity Levels).
---------------------------------------------------------------------------

III. Information Collection Statement

    48. The FERC-725B information collection requirements contained in 
this proposed rule are subject to review by the Office of Management 
and Budget (OMB) under section 3507(d) of the Paperwork Reduction Act 
of 1995.\56\ OMB's regulations require approval of certain information 
collection requirements imposed by agency rules.\57\ Upon approval of a 
collection of information, OMB will assign an OMB control number and 
expiration date. Respondents subject to the filing requirements of this 
rule will not be penalized for failing to respond to these collections 
of information unless the collections of information display a valid 
OMB control number. The Commission solicits comments on the 
Commission's need for this information, whether the information will 
have practical utility, the accuracy of the burden estimates, ways to 
enhance the quality, utility, and clarity of the information to be 
collected or retained, and any suggested methods for minimizing 
respondents' burden, including the use of automated information 
techniques.
---------------------------------------------------------------------------

    \56\ 44 U.S.C. 3507(d) (2012).
    \57\ 5 CFR 1320.11 (2017).
---------------------------------------------------------------------------

    49. The Commission bases its paperwork burden estimates on the 
changes in paperwork burden presented by the proposed revision to CIP 
Reliability Standard CIP-003-7 as compared to the current Commission-
approved Reliability Standard CIP-003-6. The Commission has already 
addressed the burden of implementing Reliability Standard CIP-003-
6.\58\ As discussed above, the immediate rulemaking addresses three 
areas of modification to the CIP Reliability Standards: 1. Clarifying 
the obligations pertaining to electronic access control for low impact 
BES Cyber Systems; 2. adopting mandatory security controls for 
transient electronic devices (e.g., thumb drives, laptop computers, and 
other portable devices frequently connected to and disconnected from 
systems) used at low impact BES Cyber Systems; and 3. requiring 
responsible entities to have a policy for declaring and responding to 
CIP Exceptional Circumstances related to low impact BES Cyber Systems.
---------------------------------------------------------------------------

    \58\ See Order No. 822, 154 FERC ¶ 61,037 at PP 84-88.
---------------------------------------------------------------------------

    50. The NERC Compliance Registry, as of September 2017, identifies 
approximately 1,320 U.S. entities that are subject to mandatory 
compliance with Reliability Standards. Of this total, we estimate that 
1,100 entities will face an increased paperwork burden under proposed 
Reliability Standard CIP-003-7, estimating that a majority of these 
entities will have one or more low impact BES Cyber Systems. Based on 
these assumptions, we estimate the following reporting burden:

[[Page 49548]]



                                                                    RM17-11-000 NOPR
                             [Mandatory Reliability Standards for Critical Infrastructure Protection Reliability Standards]
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                           Annual
                                                         number of      Total                                                                  Cost per
                                            Number of    responses    number of     Average burden & cost per   Total annual burden hours &   respondent
                                           respondents      per       responses         response \59\ (4)       total annual cost (3) * (4)   ($) (5) /
                                               (1)       respondent  (1) * (2) =                                           = (5)                 (1)
                                                            (2)          (3)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Create low impact TCA assets plan (one-          1,100            1        1,100  20 hrs.; $1,680.............  6,875 hrs.; $1,848,000.....       $1,680
 time) \60\.
Updates and reviews of low impact TCA            1,100     \62\ 300      330,000  1.5 hrs. \63\; $126.........  495,000 hrs.; $41,580,000..       37,800
 assets (ongoing) \61\.
Update/modify documentation to remove            1,100            1        1,100  20 hrs.; $1,680.............  6,875 hrs.; $1,848,000.....        1,680
 LERC and LEAP (one-time) \60\.
Update paperwork for access control              1,100            1        1,100  20 hrs.; $1,680.............  6,875 hrs.; $1,848,000.....        1,680
 implementation in Section 2 \64\ and
 Section 3 \65\ (ongoing) \61\.
                                          --------------------------------------------------------------------------------------------------------------
    Total (one-time) \60\................  ...........  ...........        2,200  ............................  13,750 hrs.; $3,696,000      ...........
                                          --------------------------------------------------------------------------------------------------------------
    Total (ongoing) \61\.................  ...........  ...........      331,100  ............................  501,875 hrs.; $43,428,000..  ...........
--------------------------------------------------------------------------------------------------------------------------------------------------------

    51. The following shows the annual cost burden for each group, 
based on the burden hours in the table above:
---------------------------------------------------------------------------

    \59\ The loaded hourly wage figure (includes benefits) is based 
on the average of three occupational categories for 2016 found on 
the Bureau of Labor Statistics Web site (http://www.bls.gov/oes/current/naics2_22.htm):
    Legal (Occupation Code: 23-0000): $143.68.
    Electrical Engineer (Occupation Code: 17-2071): $68.12.
    Office and Administrative Support (Occupation Code: 43-0000): 
$40.89.
    ($143.68 + $68.12 + $40.89) / 3 = $84.23. The figure is 
rounded to $84.00 for use in calculating wage figures in this NOPR.
    \60\ This one-time burden applies in Year One only.
    \61\ This ongoing burden applies in Year 2 and beyond.
    \62\ We estimate that each entity will perform 25 updates per 
month. 25 updates *12 months = 300 updates (i.e. responses) per 
year.
    \63\ The 1.5 hours of burden per response is comprised of three 
sub-categories:
    Updates to managed low TCA assets: 15 minutes (0.25 hours) per 
response.
    Updates to unmanaged low TCA assets: 60 minutes (1 hour) per 
response.
    Reviews of low TCA applicable controls: 15 minutes (0.25 hours) 
per response.
    \64\ Physical Security Controls.
    \65\ Electronic Access Controls.

     Year 1: $3,696,000.
     Years 2 and 3: $43,428,000.
     The paperwork burden estimate includes costs associated 
with the initial development of a policy to address requirements 
relating to: 1. Clarifying the obligations pertaining to electronic 
access control for low impact BES Cyber Systems; 2. adopting mandatory 
security controls for transient electronic devices (e.g., thumb drives, 
laptop computers, and other portable devices frequently connected to 
and disconnected from systems) used at low impact BES Cyber Systems; 
and 3. requiring responsible entities to have a policy for declaring 
and responding to CIP Exceptional Circumstances related to low impact 
BES Cyber Systems. Further, the estimate reflects the assumption that 
costs incurred in year 1 will pertain to policy development, while 
costs in years 2 and 3 will reflect the burden associated with 
maintaining logs and other records to demonstrate ongoing compliance.
    52. Title: Mandatory Reliability Standards, Revised Critical 
Infrastructure Protection Reliability Standards
    Action: Proposed Collection FERC-725B.
    OMB Control No.: 1902-0248.
    Respondents: Businesses or other for-profit institutions; not-for-
profit institutions.
    Frequency of Responses: On Occasion.
    Necessity of the Information: This proposed rule proposes to 
approve the requested modifications to Reliability Standards pertaining 
to critical infrastructure protection. As discussed above, the 
Commission proposes to approve NERC's proposed revised CIP Reliability 
Standard CIP-003-7 pursuant to section 215(d)(2) of the FPA because it 
improves upon the currently-effective suite of cyber security CIP 
Reliability Standards.
    Internal Review: The Commission has reviewed the proposed 
Reliability Standards and made a determination that its action is 
necessary to implement section 215 of the FPA.
    53. Interested persons may obtain information on the reporting 
requirements by contacting the following: Federal Energy Regulatory 
Commission, 888 First Street NE., Washington, DC 20426 [Attention: 
Ellen Brown, Office of the Executive Director, email: 
[email protected], phone: (202) 502-8663, fax: (202) 273-0873].
    54. For submitting comments concerning the collection(s) of 
information and the associated burden estimate(s), please send your 
comments to the Commission, and to the Office of Management and Budget, 
Office of Information and Regulatory Affairs, Washington, DC 20503 
[Attention: Desk Officer for the Federal Energy Regulatory Commission, 
phone: (202) 395-4638, fax: (202) 395-7285]. For security reasons, 
comments to OMB should be submitted by email to: 
[email protected]. Comments submitted to OMB should include 
Docket Number RM17-11-000 and OMB Control Number 1902-0248.

IV. Regulatory Flexibility Act Analysis

    55. The Regulatory Flexibility Act of 1980 (RFA) generally requires 
a description and analysis of proposed rules that will have significant 
economic impact on a substantial number of small entities.\66\ The 
Small Business Administration's (SBA) Office of Size Standards develops 
the numerical definition of a small business.\67\ The SBA revised its 
size standard for electric utilities (effective January 22, 2014) to a 
standard based on the number of employees, including affiliates (from 
the prior standard based on megawatt hour sales).\68\ Proposed 
Reliability Standard CIP-003-7 is expected to impose an additional 
burden on 1,100 entities \69\ (reliability coordinators, generator 
operators, generator owners, interchange coordinators or authorities, 
transmission operators, balancing authorities,

[[Page 49549]]

transmission owners, and certain distribution providers).
---------------------------------------------------------------------------

    \66\ 5 U.S.C. 601-12 (2012).
    \67\ 13 CFR 121.101 (2017).
    \68\ SBA Final Rule on ``Small Business Size Standards: 
Utilities,'' 78 FR 77343 (Dec. 23, 2013).
    \69\ Public utilities may fall under one of several different 
categories, each with a size threshold based on the company's number 
of employees, including affiliates, the parent company, and 
subsidiaries. For the analysis in this NOPR, we are using a 500 
employee threshold due to each affected entity falling within the 
role of Electric Bulk Power Transmission and Control (NAICS Code: 
221121).
---------------------------------------------------------------------------

    56. Of the 1,100 affected entities discussed above, we estimate 
that approximately 857 or 78 percent \70\ of the affected entities are 
small. As discussed above, proposed Reliability Standard CIP-003-7 
enhances reliability by providing criteria against which NERC and the 
Commission can evaluate the sufficiency of an entity's electronic 
access controls for low impact BES Cyber Systems, as well as improved 
security controls for transient electronic devices (e.g., thumb drives, 
laptop computers, and other portable devices frequently connected to 
and disconnected from systems). We estimate that each of the 857 small 
entities to which the proposed modifications to Reliability Standard 
CIP-003-7 apply will incur one-time costs of approximately $3,360 per 
entity to implement this standard, as well as the ongoing paperwork 
burden reflected in the Information Collection Statement (approximately 
$39,480 per year per entity). We do not consider the estimated costs 
for these 857 small entities to be a significant economic impact.
---------------------------------------------------------------------------

    \70\ 77.95 percent.
---------------------------------------------------------------------------

    57. Based on the above analysis, we propose to certify that the 
proposed Reliability Standard will not have a significant economic 
impact on a substantial number of small entities.

V. Environmental Analysis

    58. The Commission is required to prepare an Environmental 
Assessment or an Environmental Impact Statement for any action that may 
have a significant adverse effect on the human environment.\71\ The 
Commission has categorically excluded certain actions from this 
requirement as not having a significant effect on the human 
environment. Included in the exclusion are rules that are clarifying, 
corrective, or procedural or that do not substantially change the 
effect of the regulations being amended.\72\ The actions proposed 
herein fall within this categorical exclusion in the Commission's 
regulations.
---------------------------------------------------------------------------

    \71\ Regulations Implementing the National Environmental Policy 
Act of 1969, Order No. 486, FERC Stats. & Regs. ¶ 30,783 (1987).
    \72\ 18 CFR 380.4(a)(2)(ii) (2017).
---------------------------------------------------------------------------

VI. Comment Procedures

    59. The Commission invites interested persons to submit comments on 
the matters and issues proposed in this notice to be adopted, including 
any related matters or alternative proposals that commenters may wish 
to discuss. Comments are due December 26, 2017. Comments must refer to 
Docket No. RM17-11-000, and must include the commenter's name, the 
organization they represent, if applicable, and address.
    60. The Commission encourages comments to be filed electronically 
via the eFiling link on the Commission's Web site at 
http://www.ferc.gov. The Commission accepts most standard word 
processing formats. Documents created electronically using word 
processing software should be filed in native applications or 
print-to-PDF format and not in a scanned format. Commenters filing 
electronically do not need to make a paper filing.
    61. Commenters that are not able to file comments electronically 
must send an original of their comments to: Federal Energy Regulatory 
Commission, Secretary of the Commission, 888 First Street NE., 
Washington, DC 20426.
    62. All comments will be placed in the Commission's public files 
and may be viewed, printed, or downloaded remotely as described in the 
Document Availability section below. Commenters on this proposal are 
not required to serve copies of their comments on other commenters.

VII. Document Availability

    63. In addition to publishing the full text of this document in the 
Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
Internet through the Commission's Home Page (http://www.ferc.gov) and 
in the Commission's Public Reference Room during normal business hours 
(8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE., Room 2A, 
Washington, DC 20426.
    64. From the Commission's Home Page on the Internet, this 
information is available on eLibrary. The full text of this document is 
available on eLibrary in PDF and Microsoft Word format for viewing, 
printing, and/or downloading. To access this document in eLibrary, type 
the docket number of this document, excluding the last three digits, in 
the docket number field.
    65. User assistance is available for eLibrary and the Commission's 
Web site during normal business hours from the Commission's Online 
Support at 202-502-6652 (toll free at 1-866-208-3676) or email at 
[email protected], or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at 
[email protected].


    By direction of the Commission.

    Issued October 19, 2017.
Nathaniel J. Davis, Sr.,
Deputy Secretary.
[FR Doc. 2017-23287 Filed 10-25-17; 8:45 am]
 BILLING CODE 6717-01-P

                                                 FERC ¶ 61,126 (2006), aff’d sub nom. Alcoa, Inc.        also Version 5 Critical Infrastructure Protection
                                                                                                         Reliability Standards, Order No. 791, 78 FR 72755
                                                                                                                                                               low impact BES Cyber Systems.15 NERC
                                                 v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
                                                    8 Mandatory Reliability Standards for Critical       (Dec. 3, 2013), 145 FERC ¶ 61,160 (2013), order on
                                                                                                                                                                 12 Id. at 16.
                                                 Infrastructure Protection, Order No. 706, 122 FERC      clarification and reh’g, Order No. 791–A, 146 FERC
                                                 ¶ 61,040, order on reh’g, Order No. 706–A, 123          ¶ 61,188 (2014).                                        13 Id. at 16.
                                                                                                           10 Order No. 822, 154 FERC ¶ 61,037 at P 18.          14 Id. at 26–27.
                                                 FERC ¶ 61,174 (2008), order on clarification, Order
                                                 No. 706–B, 126 FERC ¶ 61,229 (2009), order on             11 See NERC Petition at 2 (citing Order No. 672,      15 A CIP Exceptional Circumstance is defined in

                                                 clarification, Order No. 706–C, 127 FERC ¶ 61,273       FERC Stats. & Regs. ¶ 31,204 at PP 262, 321–337);     the NERC Glossary as a situation that involves or
                                                 (2009).                                                 id. at Exhibit D (Order No. 672 Criteria).            threatens to involve one or more of the following,



                                            VerDate Sep<11>2014   16:45 Oct 25, 2017   Jkt 244001   PO 00000   Frm 00002   Fmt 4702   Sfmt 4702   E:\FR\FM\26OCP1.SGM     26OCP1


                                                                        Federal Register / Vol. 82, No. 206 / Thursday, October 26, 2017 / Proposed Rules                                                    49543

                                                 states that a number of requirements in                   Exceptional Circumstances related to                 in the Guidelines and Technical Basis
                                                 the existing CIP Reliability Standards                    low impact BES Cyber Systems. While                  section of Reliability Standard CIP–003–
                                                 specify that responsible entities do not                  Order No. 822 did not direct NERC to                 6 that electronic access controls must be
                                                 have to implement or continue                             expand the scope of the CIP Exceptional              applied to low impact BES Cyber
                                                 implementing these requirements                           Circumstances policy, the revision                   Systems unless responsible entities
                                                 during a CIP Exceptional Circumstance                     aligns the treatment of low impact BES               implement a ‘‘complete security break’’
                                                 in order to avoid hindering the entities’                 Cyber Systems with that of high and                  between the external host (cyber asset)
                                                 ability to timely and effectively respond                 medium impact BES Cyber Systems if                   and any cyber asset(s) that may be used
                                                 to the CIP Exceptional Circumstance.                      and when a CIP Exceptional                           to pass communications to the low
                                                 NERC explains that since the proposed                     Circumstance occurs.                                 impact BES Cyber System.18 The
                                                 requirements relating to transient                           14. We also propose to approve the                Commission observed that ‘‘a suitable
                                                 electronic devices used at low impact                     revisions to the NERC Glossary                       means to address our concern is to
                                                 BES Cyber Systems include an                              definitions of Transient Cyber Asset and             modify the [LERC] definition consistent
                                                 exception for CIP Exceptional                             Removable Media, as well as the                      with the commentary in the Guidelines
                                                 Circumstances, NERC is proposing to                       retirement of the NERC Glossary                      and Technical Basis section of CIP–003–
                                                 add a requirement for responsible                         definitions for LERC and LEAP since the              6.’’ 19
                                                 entities to have a CIP Exceptional                        proposed modifications to Reliability                   18. In addition, the Commission
                                                 Circumstances policy that applies to                      Standard CIP–003–7 obviate the need                  explained that the directive was also
                                                 low impact BES Cyber Systems, as it                       for the two terms. We further propose to             intended to eliminate a loophole that
                                                 already requires for high and medium                      approve the violation risk factor and                would have allowed transitive
                                                 impact BES Cyber Systems.16                               violation severity level assignments                 connections to out-of-scope cyber assets
                                                    12. NERC requests that proposed                        associated with proposed Reliability                 (e.g., serial devices) to go unprotected
                                                 Reliability Standard CIP–003–7 and the                    Standard CIP–003–7 as well as NERC’s                 under the LERC definition.20
                                                 revised definitions of Transient Cyber                    proposed implementation plan and
                                                                                                                                                                NERC Petition
                                                 Asset and Removable Media become                          effective dates.
                                                 effective the first day of the first                         15. In addition, as discussed below,                 19. In its Petition, NERC proposes to:
                                                 calendar quarter that is eighteen months                  pursuant to section 215(d)(5) of the                 1. Retire the terms LERC and LEAP from
                                                 after the effective date of the                           FPA, the Commission proposes to direct               the NERC Glossary; and 2. modify
                                                 Commission’s order approving the                          NERC to develop certain modifications                Section 3 of Attachment 1 to Reliability
                                                 proposed Reliability Standard.                            to the CIP Reliability Standards. While              Standard CIP–003–7 ‘‘to more clearly
                                                                                                           proposed Reliability Standard CIP–003–               delineate the circumstances under
                                                 II. Discussion                                            7 improves electronic access control for             which Responsible Entities must
                                                    13. Pursuant to section 215(d)(2) of                   low impact BES Cyber Systems and                     establish access controls for low impact
                                                 the FPA, we propose to approve                            enhances security controls for transient             BES Cyber Systems.’’ 21 NERC states that
                                                 Reliability Standard CIP–003–7 as just,                   electronic devices used at low impact                the proposed revisions are designed to
                                                 reasonable, not unduly discriminatory                     BES Cyber Systems, we propose to                     simplify the electronic access control
                                                 or preferential, and in the public                        direct that NERC modify Reliability                  requirements associated with low
                                                 interest. Proposed Reliability Standard                   Standard CIP–003–7 to: 1. Provide clear,             impact BES Cyber Systems in order to
                                                 CIP–003–7 largely addresses the                           objective criteria for electronic access             avoid ambiguities associated with the
                                                 Commission’s directives in Order No.                      controls for low impact BES Cyber                    term ‘‘direct.’’ NERC states further that
                                                 822 and is an improvement over the                        Systems; and 2. address the need to                  it recognized the ‘‘added layer of
                                                 current Commission-approved CIP                           mitigate the risk of malicious code that             unnecessary complexity’’ introduced by
                                                 Reliability Standards. Specifically, the                  could result from third-party transient              distinguishing between ‘‘direct’’ and
                                                 modifications to Section 3 of                             electronic devices.                                  ‘‘indirect’’ access within the LERC
                                                 Attachment 1 to Reliability Standard                         16. Below, we discuss the following               definition and asserts that the proposed
                                                 CIP–003–7 clarify the obligations                         issues: A. Electronic access controls for            revisions will ‘‘help ensure that
                                                 pertaining to electronic access control                   low impact BES Cyber Systems; B.                     Responsible Entities implement the
                                                 for low impact BES Cyber Systems. In                      protection of transient electronic                   required security controls
                                                 addition, the modifications to                            devices; C. proposed retirement and                  effectively.’’ 22
                                                 Attachment 1 to Reliability Standard                      modification of definitions; D. NERC’s                  20. NERC states that proposed
                                                 CIP–003–7 require mandatory security                      proposed implementation plan and                     Reliability Standard CIP–003–7 would
                                                 controls for transient electronic devices                 effective dates; and E. proposed                     require responsible entities to
                                                 used at low impact BES Cyber Systems.                     violation severity level and violation               implement electronic access controls for
                                                 We also propose to approve the new                        risk factor assignments.                             any communication, direct or indirect
                                                 provision in Reliability Standard CIP–                                                                         (i.e., communications through an
                                                 003–7, Requirement R1 requiring                           A. Electronic Access Controls for Low                intermediary device where no direct
                                                 responsible entities to have a policy for                 Impact BES Cyber Systems Order No.                   connection is present), between a low
                                                 declaring and responding to CIP                           822
                                                                                                             17. In Order No. 822, the Commission                 18 Id.   (citing NERC NOPR Comments at 31).
                                                                                                                                                                  19 Id.
                                                 or similar, conditions that impact safety or bulk         directed NERC to modify the LERC
                                                                                                                                                                  20 Id. (‘‘NERC’s clarification on this issue resolves
                                                 electric system reliability: A risk of injury or death;   definition to eliminate ambiguity
ethrower on DSK3G9T082PROD with PROPOSALS




                                                 a natural disaster; civil unrest; an imminent or                                                               many of the concerns raised by EnergySec, APS,
                                                 existing hardware, software, or equipment failure;
                                                                                                           surrounding the term ‘‘direct’’ as it is             and SPP RE regarding the proposed definition, as
                                                 a Cyber Security Incident requiring emergency             used in the LERC definition.17 The                   a complete security break would not appear to
                                                 assistance; a response by emergency services; the         Commission explained that the directive              permit transitive connections through one or more
                                                 enactment of a mutual assistance agreement; or an         was intended to codify the clarification             out of scope cyber assets to go unprotected under
                                                 impediment of large scale workforce availability.                                                              the definition, and would appear to require the
                                                 Glossary of Terms Used in NERC Reliability
                                                                                                           provided in NERC’s NOPR comments,                    assets to maintain ‘separate conversations’ as
                                                 Standards (August 1, 2017), http://www.nerc.com/          in which NERC referenced a statement                 suggested by SPP RE.’’).
                                                 files/glossary_of_terms.pdf.                                                                                     21 NERC Petition at 16.
                                                    16 NERC Petition at 31–32.                              17 Order   No. 822, 154 FERC ¶ 61,037 at P 73.        22 Id.




                                            VerDate Sep<11>2014    16:45 Oct 25, 2017   Jkt 244001   PO 00000   Frm 00003   Fmt 4702   Sfmt 4702   E:\FR\FM\26OCP1.SGM     26OCP1


                                                 49544                  Federal Register / Vol. 82, No. 206 / Thursday, October 26, 2017 / Proposed Rules

                                                 impact BES Cyber System and an                           to the security of BES Cyber Systems                     that the ERO has the authority to review
                                                 outside Cyber Asset that uses a routable                 and require additional protections.                      the documented justification for
                                                 protocol when entering or leaving the                    Therefore, communications with a low                     permitting electronic access and to
                                                 asset containing the low impact BES                      impact BES Cyber System involving                        determine whether it represents a
                                                 Cyber System. NERC asserts that the                      routable connections require protections                 reasonable exercise of discretion in light
                                                 proposed revisions to Section 3 of                       to address the risk of uncontrolled                      of the overall reliability objective.31
                                                 Attachment 1 to proposed Reliability                     communications. With regard to the                          26. In support of its position, NERC
                                                 Standard CIP–003–7 improve the clarity                   third characteristic, NERC explains that                 cites the draft Reliability Standard
                                                 of the electronic access requirements                    the exclusion of communications for                      Audit Worksheet (RSAW) for proposed
                                                 and focus responsible entities ‘‘on the                  time-sensitive protection and control                    Reliability Standard CIP–003–7, which
                                                 security objective of controlling                        functions is intended to avoid                           provides the following language in the
                                                 electronic access to permit only                         precluding the functionality of time-                    Note to Auditor section for Requirement
                                                 necessary inbound and outbound                           sensitive reliability enhancing                          R2:
                                                 electronic access to low impact BES                      functions. NERC states, however, that an                   The entity must document its
                                                 Cyber Systems.’’ 23                                      entity invoking this exclusion may have                  determination as to what is necessary
                                                   21. NERC explains that Section 3.1 of                  to demonstrate that applying electronic                  inbound and outbound electronic access and
                                                 Attachment 1 to proposed Reliability                     access controls would introduce latency                  provide justification of the business need for
                                                 Standard CIP–003–7 is composed of                        that would negatively impact                             such access. Once this determination has
                                                 three basic elements: 1. Identifying                     functionality.27                                         been made and documented, the audit team’s
                                                 routable protocol communications from                      24. According to NERC, the second                      professional judgment cannot override the
                                                                                                          characteristic of Section 3.1 of                         determination made by the Responsible
                                                 outside the asset containing the low
                                                                                                          Attachment 1 provides that responsible                   Entity.32
                                                 impact BES Cyber System; 2.
                                                 determining necessary inbound and                        entities may permit only necessary                          NERC also provides a list of
                                                 outbound electronic access; and 3.                       inbound and outbound electronic access                   Commission-approved CIP Reliability
                                                 implementing electronic access controls                  to low impact BES Cyber Systems as                       Standards where the phrase ‘‘as
                                                 to permit only necessary inbound and                     determined by the responsible entity.                    determined by the Responsible Entity’’
                                                 outbound electronic access to the low                    NERC explains that Section 3.1 does not                  or similar language is used. NERC states
                                                 impact BES Cyber System.                                 specify a bright line as to what                         that in all circumstances where the
                                                   22. With regard to the first element,                  constitutes ‘‘necessary inbound and                      phrase ‘‘as determined by the
                                                 NERC states that Section 3.1 of                          outbound access’’ due to ‘‘the wide                      Responsible Entity’’ or similar language
                                                 Attachment 1 defines the circumstances                   array of assets containing low impact                    is used, ‘‘the ERO has the authority to
                                                 where communications require                             BES Cyber Systems and the myriad of                      evaluate the reasonableness of the
                                                 electronic access controls. The three                    reasons a Responsible Entity may need                    Responsible Entity’s determination
                                                 characteristics are:                                     to allow electronic access to and from a                 when assessing compliance to ensure it
                                                                                                          low impact BES Cyber Systems.’’ 28                       is consistent with the reliability
                                                   1. The communication is between the low
                                                                                                          NERC maintains that responsible                          objective of the requirement. To
                                                 impact BES Cyber System and a Cyber Asset
                                                 outside the asset containing low impact BES              entities ‘‘have the flexibility to identify              interpret this language otherwise would
                                                 Cyber System(s);                                         the necessary electronic access to meet                  be inconsistent with NERC’s statutory
                                                   2. the communication uses a routable                   their business and operational                           obligation to engage in meaningful
                                                 protocol when entering or leaving the asset              needs.’’ 29                                              compliance oversight . . .’’ 33
                                                 containing the low impact BES Cyber                        25. NERC explains that ‘‘a
                                                 System(s); and                                           Responsible Entity must document the                     Commission Proposal
                                                   3. the communication is not used for time-             necessity of its inbound and outbound                      27. The Commission proposes to
                                                 sensitive protection or control functions                electronic access permissions and                        approve Reliability Standard CIP–003–7
                                                 between intelligent electronic devices.                  provide justification of the need for                    because, as discussed above, the
                                                    NERC states further that each of the                  such access’’ in order to demonstrate                    proposed Reliability Standard largely
                                                 three characteristics were included in                   compliance with Section 3.1 of                           addresses the directives in Order No.
                                                 the original LERC definition.24                          Attachment 1.30 NERC states that absent                  822 and is an improvement over the
                                                    23. NERC asserts that the first                       a documented, reasonable justification,                  current Commission-approved CIP
                                                 characteristic helps to properly focus                   the ERO may find that the responsible                    Reliability Standards. However, NERC’s
                                                 the electronic access controls in light of               entity was not in compliance with                        proposed revisions to Reliability
“the wide array of low impact BES Cyber Systems and the risk-based approach to protecting different types of BES Cyber Systems.”25 NERC explains that, whether a “Responsible Entity uses a logical border as a demarcation point or some other understanding of what is inside or outside the asset, [the responsible entity] would have to provide a reasonable justification for its determination.”26 On the second characteristic, NERC states that routable communications present increased risks

Section 3.1. NERC asserts that the purpose of the phrase “as determined by the Responsible Entity” in Section 3.1 is to indicate that the determination whether electronic access is necessary is to be made in the first instance by the responsible entity based on the facts and circumstances of each case. NERC states further that the phrase “as determined by the Responsible Entity” does not limit the ERO’s ability to engage in effective compliance oversight. Specifically, NERC contends

Standard CIP–003–7 regarding the LERC

23 Id. at 17.
24 Id. at 18.
25 Id. at 19.
26 Id.
27 Id. at 20.
28 Id. at 21–22.
29 Id. at 22.
30 Id.
31 Id. at 22–23.
32 Id. at 22, n.42.
33 Id. at 23–24. NERC also indicates, id. at n.42, that Footnote 1 of the draft RSAW states that “[w]hile the information included in this RSAW provides some of the methodology that NERC has elected to use to assess compliance with the requirements of the Reliability Standard, this document should not be treated as a substitute for the Reliability Standard or viewed as additional Reliability Standard requirements. In all cases, the Regional Entity should rely on the language contained in the Reliability Standard itself, and not on the language contained in the RSAW, to determine compliance with the Reliability Standard.” Draft RSAW, http://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20DL/RSAW_CIP-003-7(i)_v2_Clean_01202017.pdf.
directive and electronic access controls for low impact BES Cyber Systems raise certain issues. In Order No. 822, the Commission directed NERC to develop modifications to the LERC definition to eliminate ambiguity surrounding the term “direct” as it is used in the definition. The directive was based on the concern that responsible entities could avoid adopting adequate electronic access protections for low impact BES Cyber Systems by simply installing a device, such as a laptop or protocol converter, in front of the BES Cyber System to “break” the direct routable connection. As the Commission noted in Order No. 822, the desired clarification could have been made by including the security concepts from the Guidelines and Technical Basis section of Reliability Standard CIP–003–6 in the definition.34 Instead, NERC’s proposal comprehensively revises a responsible entity’s obligations under Requirement R2 through the revisions to Attachment 1 by deleting the term LERC and giving responsible entities significantly more deference in determining how they construct the electronic access protections for low impact BES Cyber Systems.

28. We are concerned that the proposed revisions may not provide adequate electronic access controls for low impact BES Cyber Systems. Specifically, proposed Reliability Standard CIP–003–7 does not provide clear, objective criteria or measures to assess compliance by independently confirming that the access control strategy adopted by a responsible entity would reasonably meet the security objective of permitting only “necessary inbound and outbound electronic access” to its low impact BES Cyber Systems.

29. Section 3.1 of Attachment 1 to proposed Reliability Standard CIP–003–7 does not appear to contain clear criteria or objective measures to determine whether the electronic access control strategy chosen by the responsible entity would be effective for a given low impact BES Cyber System to permit only necessary inbound and outbound connections. In order to ensure an objective and consistently applied requirement, the electronic access control plan required in Attachment 1 should require the responsible entity to articulate its access control strategy for a particular set of low impact BES Cyber Systems and provide a technical rationale rooted in security principles explaining how that strategy will reasonably restrict electronic access. Attachment 1 should also outline basic security principles in order to provide clear, objective criteria or measures to assist in assessing compliance. Without such a requirement, auditors will not necessarily have adequate information to assess the reasonableness of the responsible entity’s decision with respect to how the responsible entity identified necessary communications or restricted electronic access to specific low impact BES Cyber Systems. And absent such information, it is possible that an auditor could assess a violation where an entity adequately protected its low impact BES Cyber Systems or fail to recognize a situation where additional protections are necessary to meet the security objective of the standard.

30. As the Commission stated in Order No. 672, there “should be a clear criterion or measure of whether an entity is in compliance with a proposed Reliability Standard. It should contain or be accompanied by an objective measure of compliance so that it can be enforced and so that enforcement can be applied in a consistent and non-preferential manner.”35 The Commission reiterated this point in Order No. 791, stating that “the absence of objective criteria to evaluate the controls chosen by responsible entities for Low Impact assets introduces an unacceptable level of ambiguity and potential inconsistency into the compliance process, and creates an unnecessary gap in reliability.”36 The Commission also observed that “ambiguity will make it difficult for registered entities to develop, and NERC and the regions to objectively evaluate, the effectiveness of procedures developed to implement” the Reliability Standard.37

31. As a possible model, the electronic access control requirements that are applied to medium and high impact BES Cyber Systems provide a number of criteria that can be used to assess the sufficiency of a responsible entity’s electronic access control strategy. For medium and high impact BES Cyber Systems, auditors use the following criteria to review whether the access control strategy is reasonable: 1. Whether the electronic access was granted through an authorized and monitored electronic access point (Reliability Standard CIP–005–5, Requirement R1); 2. whether the electronic access granted to individuals/devices was evaluated based on need (Reliability Standard CIP–005–5, Requirement R1.3); 3. whether the entity has mechanisms to enforce authentication of users with electronic access (Reliability Standard CIP–007–6, Requirement R5); and 4. whether the responsible entity routinely uses strong passwords and manages password changes (Reliability Standard CIP–007–6, Requirement R5). Absent similar criteria in the low impact electronic access control plan that are appropriately tailored to the risks posed by low impact BES Cyber Systems, responsible entities may adopt electronic access controls that do not meet the overarching security objective of restricting inbound and outbound electronic access.

32. Therefore, pursuant to section 215(d)(5) of the FPA, we propose to direct NERC to develop modifications to Reliability Standard CIP–003–7 to provide clear, objective criteria for electronic access controls for low impact BES Cyber Systems consistent with the above discussion. The Commission seeks comment on this proposal.

B. Protection of Transient Electronic Devices

Order No. 822

33. In Order No. 822, the Commission directed NERC to develop modifications to provide mandatory protection for transient electronic devices used at low impact BES Cyber Systems based on the risk posed to bulk electric system reliability. The Commission stated that such modifications “will provide an important enhancement to the security posture of the bulk electric system by reinforcing the defense-in-depth nature of the CIP Reliability Standards at all impact levels.”38 The Commission also stated that the proposed modifications should be designed to effectively address the risks posed by transient electronic devices used at low impact BES Cyber Systems “in a manner that is consistent with the risk-based approach reflected in the CIP version 5 Standards.”39

NERC Petition

34. In its Petition, NERC proposes to add a new section to Attachment 1 to proposed Reliability Standard CIP–003–7 to require responsible entities to include controls in their cyber security plans to mitigate the risk of the introduction of malicious code to low impact BES Cyber Systems through the

34 See Order No. 822, 154 FERC ¶ 61,037 at P 73.
35 Rules Concerning Certification of the Electric Reliability Organization and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, FERC Stats. & Regs. ¶ 31,204, at P 327 (2006).
36 Order No. 791, 145 FERC ¶ 61,160 at P 108.
37 Id.
38 Order No. 822, 154 FERC ¶ 61,037 at P 32 (emphasis in original).
39 Id.
use of “Transient Cyber Assets or Removable Media.” Specifically, proposed Section 5 of Attachment 1 lists controls to be applied to Transient Cyber Assets and Removable Media that NERC states “will provide enhanced protections against the propagation of malware from transient devices.”40

35. NERC states that the language in proposed Section 5 to Attachment 1 parallels the language in Attachment 1 to Reliability Standard CIP–010–2, which addresses mitigation of the risks of the introduction of malicious code to high and medium impact BES Cyber Systems through the use of Transient Cyber Assets or Removable Media. NERC states further that, as in Reliability Standard CIP–010–2, proposed Section 5 distinguishes between Transient Cyber Assets managed by a responsible entity and those managed by a third-party; the distinction arising because of a responsible entity’s lack of control over Transient Cyber Assets managed by a third-party. NERC explains that the proposed controls for Removable Media do not distinguish between the responsible entity-managed assets and third-party managed assets due to the functionality of Removable Media. NERC provides the example of a thumb drive that can be scanned prior to use regardless of which party manages the asset.41

36. NERC explains that proposed Section 5 of Attachment 1 requires responsible entities to meet the security objectives “by implementing the controls that the Responsible Entity determines necessary to meet its affirmative obligation to mitigate the risks of the introduction of malicious code.”42 NERC states that the approach reflected in Section 5 provides the flexibility to implement the controls that best suit the needs and characteristics of a responsible entity’s organization. NERC explains further that “the Responsible Entity must demonstrate that its selected controls were designed to meet the security objective to mitigate the risk of the introduction of malicious code.”43

37. NERC outlines certain distinctions between proposed Section 5 of Attachment 1 to proposed Reliability Standard CIP–003–7 and Attachment 1 to Reliability Standard CIP–010–2. Specifically, NERC states that proposed Section 5 does not include requirements relating to authorization or software vulnerabilities, as are contained in Attachment 1 to Reliability Standard CIP–010–2. NERC explains that this difference is consistent with the risk-based approach of the CIP Reliability Standards and “the underlying principle of concentrating limited industry resources on protecting those BES Cyber Systems with greater risk to the BES.” NERC states that Section 5 focuses on the risk associated with the introduction of malicious code.44

38. In addition, NERC states that proposed Section 5 to Attachment 1 does not include language requiring a responsible entity to determine whether additional mitigation actions are necessary where a third party manages a Transient Cyber Asset, nor does it include language requiring a responsible entity to implement additional mitigation actions in such situations. NERC states that it nonetheless expects “that if another party’s processes and practices for protecting its Transient Cyber Assets do not provide reasonable assurance that they are designed to effectively meet the security objective of mitigating the introduction of malicious code, the Responsible Entity must take additional steps to meet the stated objective.”45 NERC explains that if a third party’s practices and policies do not provide reasonable assurance that the Transient Cyber Assets would be protected from malicious code, “simply reviewing those policies and procedures without taking other steps to mitigate the risks of introduction of malicious code may not constitute compliance.”46

Commission Proposal

39. NERC’s proposed modifications in Reliability Standard CIP–003–7, Requirement R2, Attachment 1, Section 5 that include malware detection and prevention controls for responsible entity-managed Transient Cyber Assets and Removable Media should improve the cybersecurity posture of responsible entities compared to currently-effective Reliability Standard CIP–003–6. The revisions in Section 5.2, however, do not address one aspect of the reliability gap identified in Order No. 822 regarding low impact BES Cyber Systems. Specifically, as noted above, proposed Reliability Standard CIP–003–7 does not explicitly require mitigation of the introduction of malicious code from third-party managed Transient Cyber Assets, even if the responsible entity determines that the third-party’s policies and procedures are inadequate.47 While the proposed Reliability Standard does not explicitly require mitigation of the introduction of malicious code from third-party managed Transient Cyber Assets, NERC states that the failure to mitigate this risk “may not constitute compliance.”48 NERC’s statement suggests that, with regard to low impact BES Cyber Systems, the proposed requirement lacks an obligation for a responsible entity to correct any deficiencies that are discovered during a review of third-party Transient Cyber Asset management practices. Indeed, the parallel provision for high and medium impact BES Cyber Systems specifies that “Responsible Entities shall determine whether any additional mitigation actions are necessary and implement such actions prior to connecting the Transient Cyber Asset.”49 Yet, such language obligating mitigation action is not proposed for low impact BES Cyber Assets.

40. The proposed Reliability Standard may, therefore, contain a reliability gap where a responsible entity contracts with a third-party but fails to mitigate potential deficiencies discovered in the third-party’s malicious code detection and prevention practices prior to a Transient Cyber Asset being connected to a low impact BES Cyber System. That is because the proposed Reliability Standard does not contain: 1. A requirement for the responsible entity to mitigate any malicious code found during the third-party review(s); or 2. a requirement that the responsible entity take reasonable steps to mitigate the risks of third party malicious code on their systems, if an arrangement cannot be made for the third-party to do so. Without these obligations, we are concerned that responsible entities could, without compliance consequences, simply accept the risk of deficient third-party transient electronic device management practices.50 Moreover, the requirement to “review” methods used by third-parties to detect and prevent malware may fail to convey the necessary next steps that a responsible entity should take.51

40 Id. at 26–27.
41 Id. at 28.
42 Id.
43 Id. at 29.
44 NERC Petition at 29.
45 Id. at 29–30.
46 Id. at 30.
47 See NERC Petition at 29–30.
48 Id. at 30.
49 Reliability Standard CIP–010–2 (Cyber Security—Configuration Change Management and Vulnerability Assessments), Requirement R4, Attachment 1, Section 2.3. In contrast, the obligations to “review” methods used by third-parties to detect and prevent malware are similar for lower, medium and high impact BES Cyber Assets. Cf. CIP–010–2, Attachment 1, Sections 2.1 and 2.2; and proposed CIP–010–3, Attachment 1, Section 3.2.
50 See Order No. 706, 122 FERC ¶ 61,040 at P 150 (rejecting the concept of acceptance of risk in the CIP Reliability Standards).
51 See Order No. 791, 145 FERC ¶ 61,160 at P 108.




                                            VerDate Sep<11>2014         16:45 Oct 25, 2017   Jkt 244001   PO 00000   Frm 00006   Fmt 4702   Sfmt 4702   E:\FR\FM\26OCP1.SGM     26OCP1


Federal Register / Vol. 82, No. 206 / Thursday, October 26, 2017 / Proposed Rules [Page 49547]

41. Therefore, pursuant to section 215(d)(5) of the FPA, we propose to direct that NERC develop modifications to proposed Reliability Standard CIP–003–7 to address the need to mitigate the risk of malicious code that could result from third-party Transient Cyber Assets consistent with the above discussion. The Commission seeks comment on this proposal.

C. Proposed NERC Glossary Definitions

42. Proposed Reliability Standard CIP–003–7 includes two revised definitions for inclusion in the NERC Glossary. Specifically, NERC proposes to revise the definitions of Transient Cyber Asset and Removable Media in order to accommodate the use of the terms at all impact levels. NERC explains that the original definitions include references to concepts or requirements associated only with high and medium impact BES Cyber Systems and the definitions were modified to avoid confusion because protections for Transient Electronic Devices will now be extended to low impact BES Cyber Systems.[52]

43. In addition, NERC proposes to retire the definitions of LERC and LEAP. NERC states that the proposed retirement of the NERC Glossary terms LERC and LEAP accords with the proposed modifications to Section 3 of Attachment 1 to proposed Reliability Standard CIP–003–7 and is intended to simplify the electronic access control requirements for low impact BES Cyber Systems by avoiding the ambiguities associated with the term "direct." NERC explains further that it "recognized that distinguishing between 'direct' and 'indirect' electronic access within the LERC definition added a layer of unnecessary complexity."[53]

44. We propose to approve the revised definitions of Transient Cyber Asset and Removable Media, as well as the retirement of the definitions of LERC and LEAP.

D. Implementation Plan and Effective Dates

45. NERC requests an effective date for proposed Reliability Standard CIP–003–7 and the revised definitions of Transient Cyber Asset and Removable Media on the first day of the first calendar quarter that is eighteen months after the effective date of the Commission's order approving the proposed Reliability Standard. NERC explains that the proposed implementation plan does not alter the previously-approved compliance dates for Reliability Standard CIP–003–6 other than the compliance date for Reliability Standard CIP–003–6, Requirement R2, Attachment 1, Sections 2 and 3, which would be replaced with the effective date for proposed Reliability Standard CIP–003–7. NERC also proposes that the retirement of Reliability Standard CIP–003–6 and the associated definitions become effective on the effective date of proposed Reliability Standard CIP–003–7.[54]

46. We propose to approve NERC's implementation plan for proposed Reliability Standard CIP–003–7, as described above.

E. Violation Risk Factor/Violation Severity Level Assignments

47. NERC requests approval of two violation risk factors and violation severity levels assigned to proposed Reliability Standard CIP–003–7. Specifically, NERC requests approval of violation risk factor and violation severity level assignments associated with Requirements R1 and R2 of Reliability Standard CIP–003–7.[55] We propose to accept these violation risk factors and violation severity levels.

III. Information Collection Statement

48. The FERC–725B information collection requirements contained in this proposed rule are subject to review by the Office of Management and Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 1995.[56] OMB's regulations require approval of certain information collection requirements imposed by agency rules.[57] Upon approval of a collection of information, OMB will assign an OMB control number and expiration date. Respondents subject to the filing requirements of this rule will not be penalized for failing to respond to these collections of information unless the collections of information display a valid OMB control number. The Commission solicits comments on the Commission's need for this information, whether the information will have practical utility, the accuracy of the burden estimates, ways to enhance the quality, utility, and clarity of the information to be collected or retained, and any suggested methods for minimizing respondents' burden, including the use of automated information techniques.

49. The Commission bases its paperwork burden estimates on the changes in paperwork burden presented by the proposed revision to CIP Reliability Standard CIP–003–7 as compared to the current Commission-approved Reliability Standard CIP–003–6. The Commission has already addressed the burden of implementing Reliability Standard CIP–003–6.[58] As discussed above, the immediate rulemaking addresses three areas of modification to the CIP Reliability Standards: 1. Clarifying the obligations pertaining to electronic access control for low impact BES Cyber Systems; 2. adopting mandatory security controls for transient electronic devices (e.g., thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems) used at low impact BES Cyber Systems; and 3. requiring responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems.

50. The NERC Compliance Registry, as of September 2017, identifies approximately 1,320 U.S. entities that are subject to mandatory compliance with Reliability Standards. Of this total, we estimate that 1,100 entities will face an increased paperwork burden under proposed Reliability Standard CIP–003–7, estimating that a majority of these entities will have one or more low impact BES Cyber Systems. Based on these assumptions, we estimate the following reporting burden:

[52] NERC Petition at 30.
[53] Id. at 16.
[54] Id., Exhibit C (Implementation Plan).
[55] Id., Exhibit F (Analysis of Violation Risk Factors and Violation Severity Levels).
[56] 44 U.S.C. 3507(d) (2012).
[57] 5 CFR 1320.11 (2017).
[58] See Order No. 822, 154 FERC ¶ 61,037 at PP 84–88.

[Page 49548]

RM17–11–000 NOPR
[Mandatory Reliability Standards for Critical Infrastructure Protection Reliability Standards]

Column key: (1) Number of respondents; (2) Annual number of responses per respondent; (3) Total number of responses = (1) * (2); (4) Average burden & cost per response [59]; (5) Total annual burden hours & total annual cost = (3) * (4); (6) Cost per respondent ($) = (5) ÷ (1).

Activity | (1) | (2) | (3) | (4) | (5) | (6)
Create low impact TCA assets plan (one-time) [60] | 1,100 | 1 | 1,100 | 20 hrs.; $1,680 | 6,875 hrs.; $1,848,000 | $1,680
Updates and reviews of low impact TCA assets (ongoing) [61] | 1,100 | 300 [62] | 330,000 | 1.5 hrs. [63]; $126 | 495,000 hrs.; $41,580,000 | $37,800
Update/modify documentation to remove LERC and LEAP (one-time) [60] | 1,100 | 1 | 1,100 | 20 hrs.; $1,680 | 6,875 hrs.; $1,848,000 | $1,680
Update paperwork for access control implementation in Section 2 [64] and Section 3 [65] (ongoing) [61] | 1,100 | 1 | 1,100 | 20 hrs.; $1,680 | 6,875 hrs.; $1,848,000 | $1,680
Total (one-time) [60] | | | 2,200 | | 13,750 hrs.; $3,696,000 |
Total (ongoing) [61] | | | 331,100 | | 501,875 hrs.; $43,428,000 |



51. The following shows the annual cost burden for each group, based on the burden hours in the table above:
• Year 1: $3,696,000.
• Years 2 and 3: $43,428,000.
• The paperwork burden estimate includes costs associated with the initial development of a policy to address requirements relating to: 1. Clarifying the obligations pertaining to electronic access control for low impact BES Cyber Systems; 2. adopting mandatory security controls for transient electronic devices (e.g., thumb drives, laptop computers, and other portable devices frequently connected to and disconnected from systems) used at low impact BES Cyber Systems; and 3. requiring responsible entities to have a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems. Further, the estimate reflects the assumption that costs incurred in year 1 will pertain to policy development, while costs in years 2 and 3 will reflect the burden associated with maintaining logs and other records to demonstrate ongoing compliance.

52. Title: Mandatory Reliability Standards, Revised Critical Infrastructure Protection Reliability Standards
Action: Proposed Collection FERC–725B.
OMB Control No.: 1902–0248.
Respondents: Businesses or other for-profit institutions; not-for-profit institutions.
Frequency of Responses: On Occasion.
Necessity of the Information: This proposed rule proposes to approve the requested modifications to Reliability Standards pertaining to critical infrastructure protection. As discussed above, the Commission proposes to approve NERC's proposed revised CIP Reliability Standard CIP–003–7 pursuant to section 215(d)(2) of the FPA because it improves upon the currently-effective suite of cyber security CIP Reliability Standards.
Internal Review: The Commission has reviewed the proposed Reliability Standards and made a determination that its action is necessary to implement section 215 of the FPA.

53. Interested persons may obtain information on the reporting requirements by contacting the following: Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426 [Attention: Ellen Brown, Office of the Executive Director, email: DataClearance@ferc.gov, phone: (202) 502–8663, fax: (202) 273–0873].

54. For submitting comments concerning the collection(s) of information and the associated burden estimate(s), please send your comments to the Commission, and to the Office of Management and Budget, Office of Information and Regulatory Affairs, Washington, DC 20503 [Attention: Desk Officer for the Federal Energy Regulatory Commission, phone: (202) 395–4638, fax: (202) 395–7285]. For security reasons, comments to OMB should be submitted by email to: oira_submission@omb.eop.gov. Comments submitted to OMB should include Docket Number RM17–11–000 and OMB Control Number 1902–0248.

IV. Regulatory Flexibility Act Analysis

55. The Regulatory Flexibility Act of 1980 (RFA) generally requires a description and analysis of proposed rules that will have significant economic impact on a substantial number of small entities.[66] The Small Business Administration's (SBA) Office of Size Standards develops the numerical definition of a small business.[67] The SBA revised its size standard for electric utilities (effective January 22, 2014) to a standard based on the number of employees, including affiliates (from the prior standard based on megawatt hour sales).[68] Proposed Reliability Standard CIP–003–7 is expected to impose an additional burden on 1,100 entities[69] (reliability coordinators, generator operators, generator owners, interchange coordinators or authorities, transmission operators, balancing authorities,

[59] The loaded hourly wage figure (includes benefits) is based on the average of three occupational categories for 2016 found on the Bureau of Labor Statistics Web site (http://www.bls.gov/oes/current/naics2_22.htm): Legal (Occupation Code: 23–0000): $143.68. Electrical Engineer (Occupation Code: 17–2071): $68.12. Office and Administrative Support (Occupation Code: 43–0000): $40.89. ($143.68 + $68.12 + $40.89) ÷ 3 = $84.23. The figure is rounded to $84.00 for use in calculating wage figures in this NOPR.
[60] This one-time burden applies in Year One only.
[61] This ongoing burden applies in Year 2 and beyond.
[62] We estimate that each entity will perform 25 updates per month. 25 updates * 12 months = 300 updates (i.e., responses) per year.
[63] The 1.5 hours of burden per response is comprised of three sub-categories: Updates to managed low TCA assets: 15 minutes (0.25 hours) per response. Updates to unmanaged low TCA assets: 60 minutes (1 hour) per response. Reviews of low TCA applicable controls: 15 minutes (0.25 hours) per response.
[64] Physical Security Controls.
[65] Electronic Access Controls.
[66] 5 U.S.C. 601–12 (2012).
[67] 13 CFR 121.101 (2017).
[68] SBA Final Rule on "Small Business Size Standards: Utilities," 78 FR 77343 (Dec. 23, 2013).
[69] Public utilities may fall under one of several different categories, each with a size threshold based on the company's number of employees, including affiliates, the parent company, and subsidiaries. For the analysis in this NOPR, we are using a 500 employee threshold due to each affected entity falling within the role of Electric Bulk Power Transmission and Control (NAICS Code: 221121).


                                                                         Federal Register / Vol. 82, No. 206 / Thursday, October 26, 2017 / Proposed Rules                                              49549

                                                 transmission owners, and certain                          Comments must refer to Docket No.                       Issued October 19, 2017.
                                                 distribution providers).                                  RM17–11–000, and must include the                     Nathaniel J. Davis, Sr.,
                                                    56. Of the 1,100 affected entities                     commenter’s name, the organization                    Deputy Secretary.
                                                 discussed above, we estimate that                         they represent, if applicable, and                    [FR Doc. 2017–23287 Filed 10–25–17; 8:45 am]
                                                 approximately 857 or 78 percent 70 of                     address.                                              BILLING CODE 6717–01–P
                                                 the affected entities are small. As                          60. The Commission encourages
                                                 discussed above, proposed Reliability                     comments to be filed electronically via
                                                 Standard CIP–003–7 enhances                               the eFiling link on the Commission’s
                                                 reliability by providing criteria against                                                                       DEPARTMENT OF THE TREASURY
                                                                                                           Web site at http://www.ferc.gov. The
                                                 which NERC and the Commission can
                                                                                                           Commission accepts most standard                      Internal Revenue Service
                                                 evaluate the sufficiency of an entity’s
                                                                                                           word processing formats. Documents
                                                 electronic access controls for low
                                                                                                           created electronically using word                     26 CFR Part 1
                                                 impact BES Cyber systems, as well as
                                                                                                           processing software should be filed in
                                                 improved security controls for transient                                                                        [REG–134247–16]
                                                                                                           native applications or print-to-PDF
                                                 electronic devices (e.g., thumb drives,
                                                                                                           format and not in a scanned format.                   RIN 1545–BN73
                                                 laptop computers, and other portable
                                                                                                           Commenters filing electronically do not
                                                 devices frequently connected to and
                                                                                                           need to make a paper filing.                          Revision of Regulations Under Chapter
                                                 disconnected from systems). We
                                                 estimate that each of the 857 small                          61. Commenters that are not able to                3 Regarding Withholding of Tax on
                                                 entities to whom the proposed                             file comments electronically must send                Certain U.S. Source Income Paid to
                                                 modifications to Reliability Standard                     an original of their comments to:                     Foreign Persons; Correction
                                                 CIP–003–7 applies will incur one-time                     Federal Energy Regulatory Commission,                 AGENCY:  Internal Revenue Service (IRS),
                                                 costs of approximately $3,360 per entity                  Secretary of the Commission, 888 First                Treasury.
                                                 to implement this standard, as well as                    Street NE., Washington, DC 20426.
                                                                                                                                                                 ACTION: Notice of proposed rulemaking;
                                                 the ongoing paperwork burden reflected                       62. All comments will be placed in                 correction.
                                                 in the Information Collection Statement                   the Commission’s public files and may
                                                 (approximately $39,480 per year per                       be viewed, printed, or downloaded                     SUMMARY:   This document corrects a
                                                 entity). We do not consider the                           remotely as described in the Document                 correction to a notice of proposed
                                                 estimated costs for these 857 small                       Availability section below. Commenters                rulemaking (REG–134247–16) that was
                                                 entities to be a significant economic                     on this proposal are not required to                  published in the Federal Register on
                                                 impact.                                                   serve copies of their comments on other               Friday, September 15, 2017. The notice
                                                    57. Based on the above analysis, we                    commenters.                                           of proposed rulemaking, published on
                                                 propose to certify that the proposed                                                                            January 6, 2017, under section 1441 of
                                                 Reliability Standard will not have a                      VII. Document Availability
                                                                                                                                                                 the Internal Revenue Code of 1986
                                                 significant economic impact on a                                                                                (Code), relates to withholding of tax on
                                                 substantial number of small entities.                       63. In addition to publishing the full
                                                                                                           text of this document in the Federal                  certain U.S. source income paid to
                                                 V. Environmental Analysis                                 Register, the Commission provides all                 foreign persons and requirements for
                                                    58. The Commission is required to                      interested persons an opportunity to                  certain claims for refund or credit of
                                                 prepare an Environmental Assessment                       view and/or print the contents of this                income tax made by foreign persons.
                                                 or an Environmental Impact Statement                      document via the Internet through the                 DATES: The correction published on
                                                 for any action that may have a                            Commission’s Home Page (http://                       September 15, 2017 (82 FR 43314), is
                                                 significant adverse effect on the human                   www.ferc.gov) and in the Commission’s                 corrected as of October 26, 2017 and is
                                                 environment.71 The Commission has                         Public Reference Room during normal                   applicable beginning January 6, 2017.
                                                 categorically excluded certain actions                    business hours (8:30 a.m. to 5:00 p.m.                FOR FURTHER INFORMATION CONTACT:
                                                 from this requirement as not having a                     Eastern time) at 888 First Street NE.,                Kamela Nelan at (202) 317- 6942 (not a
                                                 significant effect on the human                           Room 2A, Washington, DC 20426.                        toll-free number).
                                                 environment. Included in the exclusion                      64. From the Commission’s Home                      SUPPLEMENTARY INFORMATION:
                                                 are rules that are clarifying, corrective,                Page on the Internet, this information is
                                                 or procedural or that do not                              available on eLibrary. The full text of               Background
                                                 substantially change the effect of the                    this document is available on eLibrary                  The notice of proposed rulemaking
                                                 regulations being amended.72 The                          in PDF and Microsoft Word format for                  (REG–134247–16) that is the subject of
                                                 actions proposed herein fall within this                  viewing, printing, and/or downloading.                this correction is under section 1441 of
                                                 categorical exclusion in the                              To access this document in eLibrary,                  the Code.
                                                 Commission’s regulations.                                 type the docket number of this
                                                                                                                                                                 Need for Correction
                                                 VI. Comment Procedures                                    document, excluding the last three
                                                                                                           digits, in the docket number field.                     As published, the notice of proposed
                                                   59. The Commission invites interested                                                                         rulemaking (REG–134247–16) contains
                                                 persons to submit comments on the                           65. User assistance is available for
                                                                                                           eLibrary and the Commission’s Web site                an error which may prove to be
                                                 matters and issues proposed in this                                                                             misleading and needs to be corrected.
                                                 notice to be adopted, including any                       during normal business hours from the
                                                                                                           Commission’s Online Support at 202–
ethrower on DSK3G9T082PROD with PROPOSALS




                                                 related matters or alternative proposals                                                                        Correction of Publication
                                                 that commenters may wish to discuss.                      502–6652 (toll free at 1–866–208–3676)
                                                                                                                                                                   Accordingly, the notice of proposed
                                                 Comments are due December 26, 2017.                       or email at ferconlinesupport@ferc.gov,
                                                                                                                                                                 rulemaking published at 82 FR 43314,
                                                                                                           or the Public Reference Room at (202)
                                                                                                                                                                 September 15, 2017, is corrected as
                                                   70 77.95percent.                                        502–8371, TTY (202) 502–8659. Email
                                                                                                                                                                 follows:
                                                   71 RegulationsImplementing the National                 the Public Reference Room at
                                                 Environmental Policy Act of 1969, Order No. 486,                                                                  On page 43314, in the third column,
                                                                                                           public.referenceroom@ferc.gov.
                                                 FERC Stats. & Regs. ¶ 30,783 (1987).                                                                            under the heading ‘‘Correction of
                                                   72 18 CFR 380.4(a)(2)(ii) (2017).                         By direction of the Commission.                     Publication’’, in the fourth line, the


                                            VerDate Sep<11>2014     16:45 Oct 25, 2017   Jkt 244001   PO 00000   Frm 00009   Fmt 4702   Sfmt 4702   E:\FR\FM\26OCP1.SGM   26OCP1



Document Created: 2018-10-25 10:15:38
Document Modified: 2018-10-25 10:15:38
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Proposed Rules
Action: Notice of proposed rulemaking.
Dates: Comments are due December 26, 2017.
Contact: Matthew Dale (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, (202) 502-6826, [email protected]; Kevin Ryan (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, (202) 502-6840, [email protected]
FR Citation: 82 FR 49541
