82 FR 61499 - Cyber Security Incident Reporting Reliability Standards

DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission

Federal Register Volume 82, Issue 248 (December 28, 2017)

Page Range: 61499-61505
FR Document: 2017-28083

[Federal Register Volume 82, Number 248 (Thursday, December 28, 2017)]
[Proposed Rules]
[Pages 61499-61505]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2017-28083]


========================================================================
Proposed Rules
                                                Federal Register
________________________________________________________________________

This section of the FEDERAL REGISTER contains notices to the public of 
the proposed issuance of rules and regulations. The purpose of these 
notices is to give interested persons an opportunity to participate in 
the rule making prior to the adoption of the final rules.

========================================================================


Federal Register / Vol. 82, No. 248 / Thursday, December 28, 2017 / 
Proposed Rules

[[Page 61499]]



DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket Nos. RM18-2-000 and AD17-9-000]


Cyber Security Incident Reporting Reliability Standards

AGENCY: Federal Energy Regulatory Commission, DOE.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Federal Energy Regulatory Commission (Commission) proposes 
to direct the North American Electric Reliability Corporation (NERC), 
the Commission-certified Electric Reliability Organization, to develop 
and submit modifications to the NERC Reliability Standards to improve 
mandatory reporting of Cyber Security Incidents, including incidents 
that might facilitate subsequent efforts to harm the reliable operation 
of the bulk electric system.

DATES: Comments are due February 26, 2018.

ADDRESSES: Comments, identified by docket number, may be filed in the 
following ways:
     Electronic Filing through http://www.ferc.gov. Documents 
created electronically using word processing software should be filed 
in native applications or print-to-PDF format and not in a scanned 
format.
     Mail/Hand Delivery: Those unable to file electronically 
may mail or hand-deliver comments to: Federal Energy Regulatory 
Commission, Secretary of the Commission, 888 First Street NE, 
Washington, DC 20426.
    Instructions: For detailed instructions on submitting comments and 
additional information on the rulemaking process, see the Comment 
Procedures Section of this document.

FOR FURTHER INFORMATION CONTACT: 
Margaret Scott (Technical Information), Office of Electric Reliability, 
Federal Energy Regulatory Commission, 888 First Street NE, Washington, 
DC 20426, (202) 502-6704, [email protected].
Kevin Ryan (Legal Information), Office of the General Counsel, Federal 
Energy Regulatory Commission, 888 First Street NE, Washington, DC 
20426, (202) 502-6840, [email protected].

SUPPLEMENTARY INFORMATION: 
    1. The Foundation for Resilient Societies filed a petition asking 
the Commission to require additional measures for malware detection, 
mitigation, removal and reporting. We decline to propose additional 
Reliability Standard measures at this time for malware detection, 
mitigation and removal, based on the scope of existing Reliability 
Standards, Commission-directed improvements already being developed and 
other ongoing efforts. However, we propose to direct broader reporting 
requirements. Currently, incidents must be reported only if they have 
``compromised or disrupted one or more reliability tasks,'' and we 
propose to require reporting of certain incidents even before they have 
caused such harm or if they did not themselves cause any harm.
    2. Specifically, pursuant to section 215(d)(5) of the Federal Power 
Act (FPA),\1\ the Commission proposes to direct the North American 
Electric Reliability Corporation (NERC), the Commission-certified 
Electric Reliability Organization (ERO), to develop and submit 
modifications to the Critical Infrastructure Protection (CIP) 
Reliability Standards to improve the reporting of Cyber Security 
Incidents, including incidents that might facilitate subsequent efforts 
to harm the reliable operation of the bulk electric system. The 
proposed development of modified mandatory reporting requirements is 
intended to improve awareness of existing and future cyber security 
threats and potential vulnerabilities. We propose to continue having 
the reports go to the Electricity Information Sharing and Analysis 
Center (E-ISAC) instead of the Commission, but we propose to require 
that reports also be sent to the Industrial Control Systems Cyber 
Emergency Response Team (ICS-CERT) and that NERC file an annual, 
public, and anonymized summary of the reports.
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o(d)(5).
---------------------------------------------------------------------------

    3. The current reporting threshold for Cyber Security Incidents, as 
set forth in Reliability Standard CIP-008-5 (Cyber Security--Incident 
Reporting and Response Planning) together with the definition of 
Reportable Cyber Security Incident, may understate the true scope of 
cyber-related threats facing the Bulk-Power System. The reporting of 
cyber-related incidents, in particular the lack of any reported 
incidents in 2015 and 2016, suggests a gap in the current mandatory 
reporting requirements. This reporting gap may result in a lack of 
timely awareness for responsible entities subject to compliance with 
the CIP Reliability Standards, NERC, and the Commission. As discussed 
below, NERC's 2017 State of Reliability report echoed this concern in 
stating that the ``mandatory reporting process does not create an 
accurate picture of cyber security risk . . .'' \2\
---------------------------------------------------------------------------

    \2\ NERC, 2017 State of Reliability Report at 4 (June 2017), 
http://www.nerc.com/pa/RAPA/PA/Performance%20Analysis%20DL/SOR_2017_MASTER_20170613.pdf.
---------------------------------------------------------------------------

    4. To address this gap, pursuant to section 215(d)(5) of the FPA, 
the Commission proposes to direct NERC to develop modifications to the 
CIP Reliability Standards to include the mandatory reporting of Cyber 
Security Incidents that compromise, or attempt to compromise, a 
responsible entity's Electronic Security Perimeter (ESP) or associated 
Electronic Access Control or Monitoring Systems (EACMS).\3\ Such 
modifications will enhance awareness for NERC, industry, the 
Commission, other federal and state entities, and interested 
stakeholders regarding existing or developing cyber security threats. 
In addition, we propose to direct NERC to modify the CIP Reliability 
Standards to specify the required information in Cyber Security 
Incident reports to improve the quality of reporting and allow for ease 
of comparison by ensuring that each report includes specified fields of 
information. Finally, we propose to direct NERC to

[[Page 61500]]

modify the CIP Reliability Standards to establish a deadline for filing 
a report once a compromise or disruption to reliable bulk electric 
system operation, or an attempted compromise or disruption, is 
identified by a responsible entity.
---------------------------------------------------------------------------

    \3\ The NERC Glossary of Terms Used in NERC Reliability 
Standards (October 6, 2017) (NERC Glossary) defines ``ESP'' as 
``[t]he logical border surrounding a network to which BES Cyber 
Systems are connected using a routable protocol.'' The NERC Glossary 
defines ``EACMS'' as ``Cyber Assets that perform electronic access 
control or electronic access monitoring of the Electronic Security 
Perimeter(s) or BES Cyber Systems. This includes Intermediate 
Systems.''
---------------------------------------------------------------------------

I. Background

A. Section 215 and Mandatory Reliability Standards

    5. Section 215 of the FPA requires a Commission-certified ERO to 
develop mandatory and enforceable Reliability Standards, subject to 
Commission review and approval. Reliability Standards may be enforced 
by the ERO, subject to Commission oversight, or by the Commission 
independently.\4\ Pursuant to section 215 of the FPA, the Commission 
established a process to select and certify an ERO,\5\ and subsequently 
certified NERC.\6\
---------------------------------------------------------------------------

    \4\ 16 U.S.C. 824o(e).
    \5\ Rules Concerning Certification of the Electric Reliability 
Organization; and Procedures for the Establishment, Approval, and 
Enforcement of Electric Reliability Standards, Order No. 672, FERC 
Stats. & Regs. ¶ 31,204 (cross-referenced at 114 FERC ¶ 61,104), 
order on reh'g, Order No. 672-A, FERC Stats. & Regs. ¶ 31,212 
(cross-referenced at 114 FERC ¶ 61,328) (2006).
    \6\ North American Electric Reliability Corp., 116 FERC ¶ 
61,062, order on reh'g and compliance, 117 FERC ¶ 61,126 (2006), 
aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (DC Cir. 2009).
---------------------------------------------------------------------------

B. Foundation for Resilient Societies' Petition

    6. On January 13, 2017, the Foundation for Resilient Societies 
(Resilient Societies) filed a petition requesting that the Commission 
initiate a rulemaking to require an enhanced Reliability Standard for 
malware detection, reporting, mitigation and removal from the Bulk-
Power System.\7\ Resilient Societies stated that the Bulk-Power System 
is increasingly at risk from malware. Resilient Societies also 
maintained that current mandatory and voluntary reporting methods 
underreport the actual annual rate of occurrence of cybersecurity 
incidents in the U.S. electric grid.
---------------------------------------------------------------------------

    \7\ Resilient Societies' filings and responsive comments are 
available on the Commission's eLibrary document retrieval system in 
Docket No. AD17-9-000.
---------------------------------------------------------------------------

    7. In support of its petition, Resilient Societies asserted that 
evidence in the public domain shows that electric grids in the U.S. and 
critical infrastructure that depends upon reliable power are 
increasingly at risk from malware, resulting in a threat of widespread, 
long-term blackouts. Resilient Societies asserted that Bulk-Power 
System assets are interconnected with the public internet, which could 
allow foreign adversaries to implant malware in electric utility 
computer systems. Resilient Societies stated that malware can infect 
high, medium, and low impact BES Cyber Systems,\8\ and, once inserted, 
can be a pathway for cyber-attackers.\9\ Resilient Societies further 
stated that an infected low impact BES Cyber System can serve as an 
entry point from where an adversary can attack medium and high impact 
BES Cyber Systems. Resilient Societies asserted that a ``simultaneous 
cyberattack on many low impact assets may cause greater impact than an 
attack on a single high impact asset.'' \10\
---------------------------------------------------------------------------

    \8\ Reliability Standard CIP-002-5.1a (Cyber Security System 
Categorization) provides a ``tiered'' approach to cybersecurity 
requirements, based on classifications of high, medium and low 
impact BES Cyber Systems.
    \9\ BES Cyber System is defined by NERC as ``[o]ne or more BES 
Cyber Assets logically grouped by a responsible entity to perform 
one or more reliability tasks for a functional entity.'' NERC 
Glossary. The acronym BES refers to the bulk electric system.
    \10\ Resilient Societies Petition at 2-3.
---------------------------------------------------------------------------

    8. Resilient Societies alleged that it has found gaps relating to 
malware protection requirements in the current Commission-approved CIP 
Reliability Standards. In particular, Resilient Societies maintained 
that the ESP concept, used in the CIP Reliability Standards, suffers 
from several fundamental flaws. Specifically, Resilient Societies 
asserted that: (1) Cyber attacks on systems outside the ESP can take 
down systems within it; (2) passwords and other user credentials 
associated with BES Cyber Systems may be stored on systems outside the 
ESP; and (3) Electronic Access Points that control access to systems 
within the ESP may be breached. Resilient Societies also raised a 
concern that there is currently no required reporting of malware 
infections, both inside and outside the ESP.\11\
---------------------------------------------------------------------------

    \11\ Id. at 10-12.
---------------------------------------------------------------------------

    9. Based on its analysis, Resilient Societies offered several 
suggestions for the essential components of an enhanced malware 
Reliability Standard and what the technical elements of an enhanced 
malware standard might include. The essentials identified by Resilient 
Societies include: (1) Malware detection; (2) malware reporting 
(regardless of whether reliability tasks of a functional entity have 
been compromised or disrupted); (3) malware mitigation; and (4) 
mandatory malware removal. Resilient Societies also provided a list of 
possible technical elements for an enhanced malware Reliability 
Standard.\12\
---------------------------------------------------------------------------

    \12\ Id. at 14-15.
---------------------------------------------------------------------------

    10. In support of its request for an enhanced Reliability Standard 
for malware reporting, Resilient Societies asserted that current 
mandatory and voluntary cybersecurity incident reporting methodologies 
are not representative of the actual annual rate of occurrence of 
cybersecurity incidents in the U.S. electric grid. Resilient Societies 
cited NERC's State of Reliability Reports for 2014 and 2015, noting 
that NERC identified only three Reportable Cyber Security Incidents in 
2014 and zero Reportable Cyber Security Incidents in 2015. In addition, 
Resilient Societies observed that according to Department of Energy 
(DOE) Disturbance Reports (OE-417), there were three reported 
cybersecurity incidents in 2014, zero in 2015, and two in 2016. 
Finally, Resilient Societies stated that in contrast to the number of 
cybersecurity incidents reported through NERC and DOE Form OE-417, ICS-
CERT responded to 79 cybersecurity incidents in 2014 and 46 
cybersecurity incidents in 2015.\13\
---------------------------------------------------------------------------

    \13\ Id. at 8-9.
---------------------------------------------------------------------------

    11. On February 17, 2017, Resilient Societies filed supplemental 
comments that included an appendix containing a February 10, 2017 
Department of Homeland Security (DHS) Report, ``Enhanced Analysis of 
GRIZZLY STEPPE Activity,'' which, Resilient Societies alleged, 
``provides independent validation of the need for a mandatory standard 
to detect, report, mitigate, and remove identified malware from the 
Bulk Power System.'' \14\
---------------------------------------------------------------------------

    \14\ Resilient Societies Supplemental Comments at 4.
---------------------------------------------------------------------------

Comments on Petition
    12. The Commission received five sets of comments in response to 
Resilient Societies' petition. Among the commenters, NERC, Trade 
Associations \15\ and International Transmission Company (ITC) stated 
that the Commission should not act on Resilient Societies' petition, 
claiming that the issues raised therein are adequately addressed in the 
currently-effective CIP Reliability Standards or are, in response to 
outstanding Commission directives, the subject of ongoing standards 
projects. The other two commenters, Kaspersky Lab, and David Bardin, 
supported Resilient Societies' petition to better address the 
detection, reporting and mitigation of malware.
---------------------------------------------------------------------------

    \15\ American Public Power Association, Edison Electric 
Institute, Electricity Consumers Resource Council, Electric Power 
Supply Association, Large Public Power Council, National Rural 
Electric Cooperative Association, and Transmission Access Policy 
Study Group.
---------------------------------------------------------------------------

    13. NERC opposed Resilient Societies' petition because, NERC 
asserted,

[[Page 61501]]

existing CIP Reliability Standards, current standard development 
activity and other cyber security efforts adequately address the 
threats, vulnerabilities and risks associated with malware detailed in 
the Resilient Societies' petition. Accordingly, NERC concluded that a 
new Reliability Standard to address malware detection, reporting, 
mitigation and removal is not necessary at this time.\16\ With regard 
to the Commission-approved CIP Reliability Standards, NERC stated that 
several existing requirements require responsible entities to implement 
protections to address the threat of malware.\17\ NERC identified seven 
currently-effective CIP requirements that it alleged address the risks 
associated with malware.\18\
---------------------------------------------------------------------------

    \16\ NERC Comments at 1-2.
    \17\ Id. at 2.
    \18\ Id. at 5-6.
---------------------------------------------------------------------------

    14. With regard to current standard development activity, NERC 
observed that modifications to the CIP Reliability Standards being 
developed in response to Commission Order Nos. 822 and 829 will further 
mitigate the risks posed by malware.\19\ Specifically, NERC stated that 
the modifications under development in response to Order No. 822 
address malware protections for assets containing low impact BES Cyber 
Systems and protections for communication links and sensitive data 
communicated between bulk electric system control centers. In 
particular, NERC identified proposed Reliability Standard CIP-003-7 and 
stated that the proposed Reliability Standard clarifies electronic 
access controls and mitigates the introduction of malicious code from 
transient devices for assets containing low impact BES Cyber 
Systems.\20\
---------------------------------------------------------------------------

    \19\ Revised Critical Infrastructure Protection Reliability 
Standards, Order No. 822, 154 FERC ¶ 61,037, reh'g denied, Order No. 
822-A, 156 FERC ¶ 61,052 (2016); Revised Critical Infrastructure 
Protection Reliability Standards, Order No. 829, 156 FERC ¶ 61,050 
(2016).
    \20\ NERC Comments at 8. On October 19, 2017, the Commission 
issued a notice of proposed rulemaking proposing to approve proposed 
Reliability Standard CIP-003-7. See Revised Critical Infrastructure 
Protection Reliability Standard CIP-003-7--Cyber Security--Security 
Management Controls, Notice of Proposed Rulemaking, 82 FR 49,541 
(October 26, 2017), 161 FERC ¶ 61,047 (2017).
---------------------------------------------------------------------------

    15. NERC stated that proposed Reliability Standard CIP-013-1 (Cyber 
Security--Supply Chain Risk Management), developed in response to Order 
No. 829, requires responsible entities to, among other things, 
implement at least one process to verify the integrity and authenticity 
of certain software and firmware and implement at least one process to 
control vendor remote access to high and medium impact BES Cyber 
Systems.\21\ For low impact BES Cyber Systems, NERC explained that the 
proposed Reliability Standard requires responsible entities to have at 
least one cyber security policy that addresses integrity and 
authenticity of software and hardware and to adopt controls for vendor-
initiated remote access. NERC stated that this proposed Reliability 
Standard shows NERC and industry ``are taking significant steps in 
addressing the risks posed by malware campaigns targeting supply chain 
vendors.'' \22\
---------------------------------------------------------------------------

    \21\ On September 26, 2017, NERC submitted proposed Reliability 
Standards CIP-013-1, CIP-005-6 and CIP-010-3 for Commission 
approval. NERC's filing is available on the Commission's eLibrary 
document retrieval system in Docket No. RM17-13-000 and on the NERC 
website, www.nerc.com.
    \22\ NERC Comments at 9.
---------------------------------------------------------------------------

    16. With regard to other ongoing cyber security efforts, NERC noted 
the activities of the E-ISAC. Specifically, NERC stated that, through 
the E-ISAC, NERC has ``fostered an information sharing culture that 
promotes a proactive approach towards identification of malware, 
pooling of resources to combat malware, and sharing of best practices 
based on lessons learned, among other things.'' \23\ In addition, NERC 
maintained that it facilitates industry information sharing in two 
other ways: NERC Alerts and the activities of the Critical 
Infrastructure Protection Committee (CIPC). NERC concluded that these 
activities promote necessary information sharing of cyber security 
threats and help foster the type of incident reporting requested in 
Resilient Societies' petition.\24\
---------------------------------------------------------------------------

    \23\ Id.
    \24\ Id. at 12-13.
---------------------------------------------------------------------------

    17. While acknowledging the validity of concerns regarding the 
threat malware poses to the bulk electric system, ITC asserted that 
Resilient Societies' conclusion that existing CIP Reliability Standards 
contain gaps with respect to malware defense is inaccurate. ITC stated 
that, contrary to Resilient Societies' conclusions, the lack of 
specific malware-related controls in the CIP Reliability Standards 
``reflects a critically important objectives-based approach which the 
Commission has intentionally adopted.'' \25\ ITC explained that the 
existing CIP Reliability Standards ``collectively mandate robust and 
effective malware security measures, through both direct security 
measures that thwart malware attacks, and through complementary 
measures, such as personnel training against social engineering 
attacks.'' \26\ ITC concluded that the specific controls in Resilient 
Societies' requests that the Commission mandate are duplicative, 
unnecessary and/or overly and unreasonably burdensome, and would make 
the bulk electric system less reliable and more vulnerable compared to 
the existing protections.\27\
---------------------------------------------------------------------------

    \25\ ITC Comments at 2-3.
    \26\ Id. at 3.
    \27\ Id. at 2-3.
---------------------------------------------------------------------------

    18. Trade Associations stated that the risks raised in Resilient 
Societies' petition are addressed under the current CIP Reliability 
Standards and in ongoing Commission dockets and standards development 
efforts. Trade Associations observed that Reliability Standard CIP-007-
6, Requirement R3 is the primary existing Reliability Standard 
addressing the risks posed by malware. Trade Associations explained 
that the Reliability Standard requires responsible entities to deter, 
detect, or prevent malicious code; mitigate the threat of detected 
malicious code; and have a process to update signatures or patterns 
associated with malicious code. Trade Associations asserted that other 
relevant requirements are spread throughout the currently-effective CIP 
Reliability Standards, including Reliability Standards CIP-005-5, 
Requirement R1 (Electronic Security Perimeter); CIP-005-5, Requirement 
R2 (Protections for Interactive Remote Access); CIP-007-6, Requirement 
R1 (limiting and protecting accessible ports); and CIP-007-6, 
Requirement R2 (patch management required to detect software 
vulnerabilities).\28\
---------------------------------------------------------------------------

    \28\ Trade Associations Comments at 5-6.
---------------------------------------------------------------------------

    19. In addition, Trade Associations noted recently-approved new CIP 
Reliability Standards addressing transient devices associated with high 
and medium impact BES Cyber Systems, as well as the Commission's 
directive in Order No. 822 for the development of similar protections 
for low impact BES Cyber Systems. Trade Associations also identified 
the Commission's directives in Order No. 829 relating to cybersecurity 
risks posed by vendors as open initiatives that will help protect 
against the introduction of malware into BES Cyber Systems.\29\
---------------------------------------------------------------------------

    \29\ Id. at 7.
---------------------------------------------------------------------------

    20. Kaspersky Lab supported the development of an enhanced 
Reliability Standard for malware detection, reporting, mitigation and 
removal. Kaspersky Lab stated that the current CIP Reliability 
Standards ``do not sufficiently address malware protection as a 
critical component in securing BES Cyber Assets and Systems.'' \30\ 
Kaspersky Lab offered a list of reasons why it believes that electric 
utilities face

[[Page 61502]]

an increased risk of being infiltrated by malware, highlighting, among 
other issues, that information concerning exploitable vulnerabilities 
is increasingly becoming public. Kaspersky Lab noted that it recognizes 
that the CIP Reliability Standards ``strive to address the complex 
cyber and physical security needs of the [bulk electric system]'' and 
that cybersecurity standards ``must be flexible and not overly 
prescriptive to address threats as they evolve,'' but it stated that 
the current CIP Reliability Standards only address malware protection 
``in a cursory fashion.'' \31\
---------------------------------------------------------------------------

    \30\ Kaspersky Lab Comments at 1.
    \31\ Id. at 2.
---------------------------------------------------------------------------

    21. David Bardin supported the goals in Resilient Societies' 
petition and suggested that the Commission initiate one or more 
proceedings to facilitate a conversation on malware protections. In 
support of his position, Bardin presented a list of questions that 
could be raised in such discussions.\32\
---------------------------------------------------------------------------

    \32\ Bardin Comments at 1.
---------------------------------------------------------------------------

C. NERC 2017 State of Reliability Report

    22. In June 2017, NERC published the 2017 NERC State of Reliability 
Report which, among other things, indicates that there were no 
Reportable Cyber Security Incidents in 2016. The report also lists 
``key findings'' regarding reliability performance observed over the 
previous year and recommendations for improvements. Key Finding 4 of 
the report addresses the reporting of Cyber Security Incidents. In 
particular, NERC states that the current ``mandatory reporting process 
does not create an accurate picture of cyber security risk since most 
of the cyber threats detected by the electricity industry manifest 
themselves in . . . email, websites, smart phone applications . . . 
rather than the control system environment where impacts could cause 
loss of load and result in a mandatory report.'' \33\ Based on that 
finding, the report includes a recommendation that NERC and industry 
should ``redefine reportable incidents to be more granular and include 
zero-consequence incidents that might be precursors to something more 
serious.'' \34\
---------------------------------------------------------------------------

    \33\ 2017 NERC State of Reliability Report at 4.
    \34\ Id.
---------------------------------------------------------------------------

II. Discussion

    23. Pursuant to section 215(d)(5) of the FPA, the Commission 
proposes to direct NERC to develop modifications to the CIP Reliability 
Standards to address the Commission's concerns regarding mandatory 
reporting requirements. Based on our review of the comments received in 
response to Resilient Societies' petition, however, we conclude that 
the current Commission-approved CIP Reliability Standards, ongoing NERC 
efforts to address open Commission directives, and other industry 
efforts have addressed or will address the malware detection and 
mitigation issues raised by Resilient Societies. For example, 
provisions of currently effective Reliability Standards, including CIP-
005-5 and CIP-007-6, address malware detection and mitigation. Ongoing 
efforts described by NERC and other commenters, such as the development 
of a supply chain risk management standard, should also address malware 
concerns. Thus, the Commission declines to act on this aspect of the 
petition.\35\
---------------------------------------------------------------------------

    \35\ While the Commission proposes that NERC develop 
modifications to the NERC Reliability Standards under section 
215(d)(5) of the FPA in Docket No. RM18-2-000, we exercise our 
discretion to terminate the proceeding in Docket No. AD17-9-000.
---------------------------------------------------------------------------

    24. We believe that the current reporting threshold for Cyber 
Security Incidents, as set forth in the current definition of 
Reportable Cyber Security Incident, may not reflect the true scope of 
cyber-related threats facing the Bulk-Power System, consistent with 
NERC's view. Accordingly, pursuant to section 215(d)(5) of the FPA, the 
Commission proposes to direct that NERC develop modifications to the 
CIP Reliability Standards to improve the mandatory reporting of Cyber 
Security Incidents, including incidents that might facilitate 
subsequent efforts to harm the reliable operation of the bulk electric 
system, to improve awareness of existing and future cyber security 
threats and potential vulnerabilities.
    25. Below, we discuss the following elements of the proposed 
directive: (A) Cyber Security Incident reporting threshold; (B) 
information in Cyber Security Incident reports; and (C) timing of Cyber 
Security Incident reports.

A. Cyber Security Incident Reporting Threshold

    26. Cyber-related event reporting is currently addressed in 
Reliability Standard CIP-008-5, Requirement R1, Part 1.2, which 
requires that each responsible entity shall document one or more Cyber 
Security Incident Plan(s) with one or more processes to determine if an 
identified Cyber Security Incident is a Reportable Cyber Security 
Incident. Where a cyber-related event is determined to qualify as a 
Reportable Cyber Security Incident, responsible entities are required 
to notify the E-ISAC with initial notification to be made within one 
hour from the determination of a Reportable Cyber Security 
Incident.\36\
---------------------------------------------------------------------------

    \36\ See Reliability Standard CIP-008-5 (Cyber Security--
Incident Reporting and Response Planning), Requirement R1, Part 1.2. 
This requirement pertains to high impact BES Cyber Systems and 
medium impact BES Cyber Systems.
---------------------------------------------------------------------------

    27. A Cyber Security Incident is defined in the NERC Glossary as:

    A malicious act or suspicious event that:
    • Compromises, or was an attempt to compromise, the 
Electronic Security Perimeter or Physical Security Perimeter or,
    • Disrupts, or was an attempt to disrupt, the operation of a 
BES Cyber System.

This is similar, but not identical, to the definition of a 
cybersecurity incident in FPA section 215, which is ``a malicious act 
or suspicious event that disrupts, or was an attempt to disrupt, the 
operation of those programmable electronic devices and communication 
networks including hardware, software and data that are essential to 
the reliable operation of the bulk power system.'' \37\ A Reportable 
Cyber Security Incident, however, is defined more narrowly in the NERC 
Glossary as ``[a] Cyber Security Incident that has compromised or 
disrupted one or more reliability tasks of a functional entity.'' 
Therefore, in order for a cyber-related event to be considered 
reportable under the existing CIP Reliability Standards, it must 
compromise or disrupt a core activity (e.g., a reliability task) of a 
responsible entity that is intended to maintain bulk electric system 
reliability.\38\ Under these definitions, unsuccessful attempts to 
compromise or disrupt a responsible entity's core activities are not 
subject to the current reporting requirements in Reliability Standard 
CIP-008-5.
---------------------------------------------------------------------------

    \37\ 16 U.S.C. 824o(a)(8).
    \38\ The NERC Functional Model ``describes a set of Functions 
that are performed to ensure the reliability of the Bulk Electric 
System. Each Function consists of a set of related reliability 
Tasks. The Model assigns each Function to a functional entity, that 
is, the entity that performs the function. The Model also describes 
the interrelationships between that functional entity and other 
functional entities (that perform other Functions).'' NERC, 
Reliability Functional Model: Function Definitions and Functional 
Entities, Version 5 at 7 (November 2009), http://www.nerc.com/pa/Stand/Functional%20Model%20Archive%201/Functional_Model_V5_Final_2009Dec1.pdf.
---------------------------------------------------------------------------

    28. As discussed above, recent NERC State of Reliability Reports 
indicate that there were no Reportable Cyber Security Incidents in 2015 
and 2016. As noted by NERC, ``[w]hile there were no reportable cyber 
security incidents during 2016 and therefore none that caused a loss of 
load, this does not necessarily suggest that the risk of a cyber 
security incident

[[Page 61503]]

is low.'' \39\ In contrast, the 2016 annual summary of DOE's Electric 
Disturbance Reporting Form OE-417 contained four cybersecurity 
incidents reported in 2016: Two suspected cyber attacks and two actual 
cyber attacks.\40\ Moreover, ICS-CERT responded to fifty-nine 
cybersecurity incidents within the Energy Sector in 2016.\41\
---------------------------------------------------------------------------

    \39\ 2017 NERC State of Reliability Report at 4.
    \40\ 2016 DOE Electric Disturbance Events (OE-417) Annual 
Summary Archives, https://www.oe.netl.doe.gov/OE417_annual_summary.aspx.
    \41\ ICS-CERT cybersecurity incident statistics for the Energy 
Sector combine statistics from the electric subsector and the oil 
and natural gas subsector. ICS-CERT does not break out the 
cybersecurity incidents that only impact the electric subsector. 
2016 ICS-CERT Year in Review, https://ics-cert.us-cert.gov/Year-Review-2016.
---------------------------------------------------------------------------

    29. Based on this comparison, the current reporting threshold in 
Reliability Standard CIP-008-5 may not reflect the true scope and scale 
of cyber-related threats facing responsible entities. The disparity in 
the reporting of cyber-related incidents under existing reporting 
requirements, in particular the lack of any incidents reported to NERC 
in 2015 and 2016, suggests a gap in the current reporting requirements. 
We are concerned that this apparent reporting gap results in a lack of 
awareness for NERC, responsible entities, and the Commission. This 
concern is echoed in the 2017 NERC State of Reliability Report, which 
includes a recommendation that NERC and industry should ``redefine 
reportable incidents to be more granular and include zero-consequence 
incidents that might be precursors to something more serious.'' \42\ We 
agree with NERC's recommendation. The disparity highlights the need to 
improve the reporting obligation under the CIP Reliability Standards.
---------------------------------------------------------------------------

    \42\ 2017 NERC State of Reliability Report at 4.
---------------------------------------------------------------------------

    30. The Commission proposes to direct NERC to address the gap in 
cyber-related incident reporting. Specifically, we propose to direct 
NERC to modify the CIP Reliability Standards to include the mandatory 
reporting of Cyber Security Incidents that compromise, or attempt to 
compromise, a responsible entity's ESP or associated EACMS. Enhanced 
mandatory reporting of cyber-related incidents will provide better 
awareness to NERC, industry and the Commission regarding existing or 
developing cyber security threats.
    31. Reporting of attempts to compromise, instead of only successful 
compromises, is consistent with current monitoring requirements. For 
example, Reliability Standard CIP-007-6, Requirement R4.1, mandates 
logging of detected successful login attempts, detected failed access 
attempts, and failed login attempts. Also, the Guidelines and Technical 
Basis for this requirement state that events should be logged even if 
access attempts were blocked or otherwise unsuccessful.\43\
---------------------------------------------------------------------------

    \43\ See Reliability Standard CIP-007-6 (Cyber Security--Systems 
Security Management), Requirement R4, Part 1.
---------------------------------------------------------------------------

    32. Similarly, DHS defines a ``cyber incident'' as ``attempts 
(either failed or successful) to gain unauthorized access to a system 
or its data . . . .'' \44\ The E-ISAC defines a ``cyber incident'' as 
including unauthorized access through the electronic perimeter as well 
as ``a detected effort . . . without obvious success.'' \45\ Also, ICS-
CERT defines a ``cyber incident'' as an ``occurrence that actually or 
potentially results in adverse consequences . . . .'' \46\
---------------------------------------------------------------------------

    \44\ See United States Computer Emergency Readiness Team (US-
CERT) Incident Definition: https://www.us-cert.gov/government-users/compliance-and-reporting/incident-definition.
    \45\ See E-ISAC Incident Reporting Fact Sheet document: http://www.nerc.com/files/Incident-Reporting.pdf.
    \46\ See ICS-CERT Published ``Common Cyber Security Language'' 
document: https://ics-cert.us-cert.gov/About-Industrial-Control-Systems-Cyber-Emergency-Response-Team.
---------------------------------------------------------------------------

    33. We propose to establish a compromise of, or an attempt to 
compromise, a responsible entity's ESP or its associated EACMS (given 
their close association with ESPs) as the boundary point for a 
reportable Cyber Security Incident. An ESP is defined in the NERC Glossary as the 
``logical border surrounding a network to which BES Cyber Systems are 
connected using a routable protocol.'' The purpose of an ESP is to 
manage electronic access to BES Cyber Systems to support the protection 
of the BES Cyber Systems against compromise that could lead to 
misoperation or instability in the bulk electric system.\47\ EACMS are 
defined in the NERC Glossary as ``Cyber Assets that perform electronic 
access control or electronic access monitoring of the Electronic 
Security Perimeter(s) or BES Cyber Systems. This includes Intermediate 
Systems.'' More specifically, EACMS include, for example, firewalls, 
authentication servers, security event monitoring systems, intrusion 
detection systems and alerting systems.\48\ Therefore, EACMS control 
electronic access into the ESP and play a significant role in the 
protection of high and medium impact BES Cyber Systems.\49\ Once an 
EACMS is compromised, an attacker could more easily enter the ESP and 
effectively control the BES Cyber System or Protected Cyber Asset.
---------------------------------------------------------------------------

    \47\ See Reliability Standard CIP-005-5 (Cyber Security--
Electronic Security Perimeter(s)).
    \48\ See Reliability Standard CIP-002-5.1 (Cyber Security--BES 
Cyber System Categorization), Background at 6; Reliability Standard 
CIP-007-6 (Cyber Security--System Security Management), Background 
at 4.
    \49\ See Reliability Standard CIP-002-5.1a (Cyber Security--BES 
Cyber System Categorization), Background at 5-6 (``BES Cyber Systems 
have associated Cyber Assets, which, if compromised, pose a threat 
to the BES Cyber System by virtue of: (a) Their location within the 
Electronic Security Perimeter (Protected Cyber Assets), or (b) the 
security control function they perform (Electronic Access Control or 
Monitoring Systems and Physical Access Control Systems'').
---------------------------------------------------------------------------

    34. Since an ESP is intended to protect BES Cyber Systems and EACMS 
are intended to control electronic access into an ESP, we believe it is 
reasonable to establish the compromise of, or attempt to compromise, an 
ESP or its associated EACMS as the minimum reporting threshold.
    35. In sum, pursuant to section 215(d)(5) of the FPA, we propose to 
direct NERC to develop modifications to the CIP Reliability Standards 
described above to improve the reporting of Cyber Security Incidents, 
including incidents that did not cause any harm but could facilitate 
subsequent efforts to harm the reliable operation of the bulk electric 
system. The Commission seeks comment on this proposal.
    36. In addition, the Commission seeks comment on whether to exclude 
EACMS from any Commission directive and, instead, establish the 
compromise, or attempt to compromise, an ESP as the minimum reporting 
threshold. The Commission also seeks comment on potential alternatives 
to modifying the mandatory reporting requirements in the NERC 
Reliability Standards. Specifically, we seek comment on whether a 
request for data or information pursuant to Section 1600 of the NERC 
Rules of Procedure would effectively address the reporting gap and 
current lack of awareness of cyber-related incidents, discussed above, 
among NERC, responsible entities and the Commission, and satisfy the 
goals of the proposed directive.

B. Content of Cyber Security Incident Reports

    37. Currently-effective Reliability Standard CIP-008-5, Requirement 
R1, Part 1.2 requires that a responsible entity provide an initial 
notification of a Reportable Cyber Security Incident to the E-ISAC 
within one hour of the determination that a Cyber Security Incident is 
reportable, unless prohibited by law. The initial notification may be 
made by phone call, email, or through

[[Page 61504]]

a Web-based notice.\50\ Reliability Standard CIP-008-5 does not specify 
the content of a report.
---------------------------------------------------------------------------

    \50\ See Reliability Standard CIP-008-5 (Cyber Security--
Incident Reporting and Response Planning), Guidelines and Technical 
Basis at 19.
---------------------------------------------------------------------------

    38. The Commission proposes to direct that NERC modify the CIP 
Reliability Standards to specify the required content in a Cyber 
Security Incident report. We propose that the minimum set of attributes 
to be reported should include: (1) The functional impact, when 
identifiable, that the Cyber Security Incident achieved or attempted to 
achieve; (2) the attack vector that was used to achieve or attempted to 
achieve the Cyber Security Incident; and (3) the level of intrusion 
that was achieved or attempted as a result of the Cyber Security 
Incident. Knowledge of these attributes regarding a specific Cyber 
Security Incident will improve awareness of cyber threats to bulk 
electric system reliability. These attributes are the same as 
attributes already used by DHS for its multi-sector reporting and 
summarized by DHS in an annual report.\51\ Specifying the required 
content should improve the quality of reporting by ensuring that basic 
information is provided and allows for ease of comparison across 
reports by ensuring that each report includes specified fields of 
information.
---------------------------------------------------------------------------

    \51\ 2016 ICS-CERT Year in Review, https://ics-cert.us-cert.gov/Year-Review-2016.
---------------------------------------------------------------------------

    39. Functional impact is a measure of the actual, ongoing impact to 
the organization, the affected BES Cyber System(s), and the responsible 
entity's ability to protect and/or operate the affected BES Cyber 
System(s) to ensure reliable bulk electric system operations. In many 
cases, such as scans and probes by attackers or a successfully defended 
attack, there is little or no impact on the responsible entity as a 
result of the incident. The attack vector is the method used by the 
attacker to exploit a vulnerability, such as a phishing attack for user 
credentials or a virus designed to exploit a known vulnerability. The 
level of intrusion reflects the extent of the penetration into a 
responsible entity's ESP, EACMS as applicable, or BES Cyber Systems 
within the ESP, that was achieved as a result of the Cyber Security 
Incident.
    40. The Commission seeks comment on this proposal and, more 
generally, the appropriate content for Cyber Security Incident 
reporting to improve awareness of existing and future cyber security 
threats and potential vulnerabilities.

C. Timing of Cyber Security Incident Reports

    41. In addition to addressing the specific content for Cyber 
Security Incident reports, the Commission proposes that NERC establish 
requirements outlining deadlines for filing a report once a compromise 
or disruption to reliable bulk electric system operation, or an 
attempted compromise or disruption, is identified by a responsible 
entity. While currently-effective Reliability Standard CIP-008-5, 
Requirement R1, Part 1.2 requires that a responsible entity provide an 
initial notification of a Reportable Cyber Security Incident to the E-
ISAC within one hour of the determination that a Cyber Security 
Incident is reportable, unless prohibited by law, the Reliability 
Standard ``does not require a specific timeframe for completing the 
full report.'' \52\ The reporting timeline should reflect the actual or 
potential threat to reliability, with more serious incidents reported 
in a more timely fashion. A reporting timeline that takes into 
consideration the severity of a Cyber Security Incident should minimize 
potential burdens on responsible entities. The intent of this directive 
is to provide NERC with the information necessary to maintain awareness 
regarding cyber threats to bulk electric system reliability. We propose 
that the reports submitted under the enhanced mandatory reporting 
requirements would be provided to E-ISAC, similar to the current 
reporting scheme, as well as ICS-CERT. The detailed incident reporting 
would not be submitted to the Commission.
---------------------------------------------------------------------------

    \52\ See Reliability Standard CIP-008-5 (Cyber Security--
Incident Reporting and Response Planning), Guidelines and Technical 
Basis at 19.
---------------------------------------------------------------------------

    42. The Commission and others will also benefit from enhanced Cyber 
Security Incident reporting as we continue to evaluate the 
effectiveness of the CIP Reliability Standards. Currently, NERC 
identifies the number of Reportable Cyber Security Incidents in its 
annual State of Reliability report. In that regard, however, we propose 
to direct NERC to file publicly an annual report reflecting the Cyber 
Security Incidents reported to NERC during the previous year. 
Specifically, we propose to direct NERC to file annually an anonymized 
report providing an aggregated summary of the reported information. We 
believe that the ICS-CERT annual report, which includes pie charts 
reflecting the energy sector's cybersecurity incidents by level of 
intrusion, threat vector and functional impact, would be a reasonable 
model for what NERC reports to the Commission.\53\
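The report attributes proposed in paragraphs 38 and 39 (functional impact, attack vector, level of intrusion), the current versus proposed reporting threshold of paragraphs 27 through 34, and the anonymized annual summary proposed in paragraph 42 can be made concrete in a small data model. The following is an added illustration, not code from the Commission, NERC or ICS-CERT; the field names, the category values for level of intrusion and functional impact, and the sample records are all constructed assumptions for the example.

```python
"""Added example: a minimal Cyber Security Incident record, the current and
proposed reportability tests, and an anonymized annual summary.
All field names, category values and sample records are assumptions
constructed for illustration; they are not NERC or ICS-CERT definitions."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Assumed category sets; a real standard would fix these values.
LEVELS_OF_INTRUSION = {"none", "eacms", "esp", "bes_cyber_system"}
FUNCTIONAL_IMPACTS = {"none", "minimal", "reliability_task_disrupted"}


@dataclass
class IncidentReport:
    entity_id: str              # identifies the reporter; dropped from the public summary
    attempt_only: bool          # True if the attempt was blocked or otherwise failed
    target: str                 # "esp", "eacms", "bes_cyber_system", or another asset class
    functional_impact: str      # one of FUNCTIONAL_IMPACTS
    attack_vector: str          # free text, e.g. "phishing", "scan"
    level_of_intrusion: str     # one of LEVELS_OF_INTRUSION
    reliability_task_disrupted: bool = False


def validate_report(r: IncidentReport) -> List[str]:
    """Return the problems found; an empty list means the record carries the
    three minimum attributes in a usable form."""
    problems = []
    if not r.attack_vector.strip():
        problems.append("attack_vector missing")
    if r.functional_impact not in FUNCTIONAL_IMPACTS:
        problems.append(f"functional_impact {r.functional_impact!r} not recognised")
    if r.level_of_intrusion not in LEVELS_OF_INTRUSION:
        problems.append(f"level_of_intrusion {r.level_of_intrusion!r} not recognised")
    if r.reliability_task_disrupted and r.functional_impact != "reliability_task_disrupted":
        problems.append("reliability task disruption must be reflected in functional_impact")
    return problems


def reportable_under_current_definition(r: IncidentReport) -> bool:
    """Existing Glossary test: reportable only if a reliability task was
    compromised or disrupted, so blocked attempts never qualify."""
    return r.reliability_task_disrupted


def reportable_under_proposed_threshold(r: IncidentReport) -> bool:
    """Proposed test: any compromise of, or attempt to compromise, an ESP or
    its associated EACMS, successful or not, plus everything reportable today."""
    return r.target in {"esp", "eacms"} or reportable_under_current_definition(r)


def anonymized_annual_summary(reports: List[IncidentReport]) -> Dict[str, Dict[str, int]]:
    """Count the reportable, well-formed incidents by the three attributes and
    drop the entity identifier, mirroring the pie-chart style summary."""
    kept = [r for r in reports
            if reportable_under_proposed_threshold(r) and not validate_report(r)]
    return {
        "total": {"incidents": len(kept)},
        "level_of_intrusion": dict(Counter(r.level_of_intrusion for r in kept)),
        "attack_vector": dict(Counter(r.attack_vector for r in kept)),
        "functional_impact": dict(Counter(r.functional_impact for r in kept)),
    }


# Constructed sample records (not real incidents).
SAMPLE_REPORTS = [
    # Port scan against an EACMS firewall, blocked: attempt only, no impact.
    IncidentReport("entity-A", True, "eacms", "none", "scan", "none"),
    # Repeated failed logins at an EACMS authentication server.
    IncidentReport("entity-B", True, "eacms", "none", "credential_guessing", "none"),
    # Phishing yielded credentials; a BES Cyber System inside the ESP was
    # reached and a reliability task disrupted.
    IncidentReport("entity-C", False, "bes_cyber_system", "reliability_task_disrupted",
                   "phishing", "bes_cyber_system", reliability_task_disrupted=True),
    # Malware on a corporate workstation that never touched the ESP.
    IncidentReport("entity-A", False, "corporate_network", "minimal", "malware", "none"),
]

if __name__ == "__main__":
    print("reportable today:", sum(map(reportable_under_current_definition, SAMPLE_REPORTS)))
    print("reportable proposed:", sum(map(reportable_under_proposed_threshold, SAMPLE_REPORTS)))
    print(anonymized_annual_summary(SAMPLE_REPORTS))
```

On the four constructed records only one incident is reportable under the existing definition, while three are reportable under the proposed ESP/EACMS threshold; the summary keeps only attribute counts, so the entity identifiers never reach the aggregated output.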
---------------------------------------------------------------------------

    \53\ ICS-CERT, https://ics-cert.us-cert.gov/sites/default/files/FactSheets/ICS-CERT_FactSheet_IR_Pie_Chart_FY2016_S508C.pdf.
---------------------------------------------------------------------------

    43. The Commission seeks comment on the appropriate timing for 
Cyber Security Incident reporting to better ensure timely sharing of 
information and thereby enhance situational awareness. In addition, the 
Commission seeks comment on the proposal to direct NERC to file an 
annual report with the Commission.

III. Information Collection Statement

    44. The Paperwork Reduction Act (PRA) requires each federal agency 
to seek and obtain approval from the Office of Management and Budget 
(OMB) before undertaking a collection of information directed to ten or 
more persons, or contained in a rule of general applicability. OMB's 
implementing regulations require approval of certain information 
collection requirements imposed by agency rules.\54\ Upon approval of a 
collection(s) of information, OMB will assign an OMB control number and 
an expiration date. Respondents subject to the filing requirements of 
an agency rule will not be penalized for failing to respond to these 
collections of information unless the collections of information 
display a valid OMB control number.
---------------------------------------------------------------------------

    \54\ See 5 CFR 1320.
---------------------------------------------------------------------------

    45. The Commission is submitting these proposed reporting 
requirements to OMB for its review and approval under section 3507(d) 
of the PRA. Comments are solicited on the Commission's need for the 
information proposed to be reported, whether the information will have 
practical utility, ways to enhance the quality, utility, and clarity of 
the information to be collected, and any suggested methods for 
minimizing the respondent's burden, including the use of automated 
information techniques.
    46. The Public Reporting Burden and cost related to the proposed 
rule in Docket No. RM18-2-000 are covered by, and already included in, 
the existing FERC-725, Certification of Electric Reliability 
Organization; Procedures for Electric Reliability Standards (OMB 
Control No. 1902-0225). FERC-725 includes the ERO's overall 
responsibility for developing Reliability Standards, such as any 
Reliability Standards that relate to Cyber Security Incident reporting.
    47. Internal review: The Commission has reviewed the proposed 
changes and has determined that the changes are

[[Page 61505]]

necessary to ensure the reliability and integrity of the Nation's Bulk-
Power System.
    48. Interested persons may obtain information on the reporting 
requirements by contacting: Federal Energy Regulatory Commission, 888 
First Street NE, Washington, DC 20426 [Attention: Ellen Brown, Office 
of the Executive Director, email: [email protected], Phone: (202) 
502-8663, fax: (202) 273-0873]. Comments on the requirements of this 
rule may also be sent to the Office of Information and Regulatory 
Affairs, Office of Management and Budget, Washington, DC 20503 
[Attention: Desk Officer for the Federal Energy Regulatory Commission]. 
For security reasons, comments should be sent by email to OMB at 
[email protected]. Please refer to OMB Control No. 1902-0225 
and FERC-725 in your submission.

IV. Environmental Analysis

    49. The Commission is required to prepare an Environmental 
Assessment or an Environmental Impact Statement for any action that may 
have a significant adverse effect on the human environment.\55\ The 
Commission has categorically excluded certain actions from this 
requirement as not having a significant effect on the human 
environment. Included in the exclusion are rules that are clarifying, 
corrective, or procedural or that do not substantially change the 
effect of the regulations being amended.\56\ The actions proposed 
herein fall within this categorical exclusion in the Commission's 
regulations.
---------------------------------------------------------------------------

    \55\ Regulations Implementing the National Environmental Policy 
Act of 1969, Order No. 486, FERC Stats. & Regs. ¶ 30,783 (1987) 
(cross-referenced at 41 FERC ¶ 61,284).
    \56\ 18 CFR 380.4(a)(2)(ii).
---------------------------------------------------------------------------

V. Regulatory Flexibility Act Analysis

    50. The Regulatory Flexibility Act of 1980 (RFA) \57\ generally 
requires a description and analysis of proposed rules that will have 
significant economic impact on a substantial number of small entities.
---------------------------------------------------------------------------

    \57\ 5 U.S.C. 601-612.
---------------------------------------------------------------------------

    51. By only proposing to direct NERC, the Commission-certified ERO, 
to develop modified Reliability Standards for Cyber Security Incident 
reporting, this Notice of Proposed Rulemaking will not have a 
significant or substantial impact on entities other than NERC. 
Therefore, the Commission certifies that this Notice of Proposed 
Rulemaking will not have a significant economic impact on a substantial 
number of small entities.
    52. Any Reliability Standards proposed by NERC in compliance with 
this rulemaking will be considered by the Commission in future 
proceedings. As part of any future proceedings, the Commission will 
make determinations pertaining to the Regulatory Flexibility Act based 
on the content of the Reliability Standards proposed by NERC.

VI. Comment Procedures

    53. The Commission invites interested persons to submit comments on 
the matters and issues proposed in this notice to be adopted, including 
any related matters or alternative proposals that commenters may wish 
to discuss. Comments are due February 26, 2018. Comments must refer to 
Docket No. RM18-2-000, and must include the commenter's name, the 
organization they represent, if applicable, and address.
    54. The Commission encourages comments to be filed electronically 
via the eFiling link on the Commission's website at http://www.ferc.gov. 
The Commission accepts most standard word processing formats. Documents 
created electronically using word processing software should be filed 
in native applications or print-to-PDF format and not in a scanned 
format. Commenters filing electronically do not need to make a paper 
filing.
    55. Commenters that are not able to file comments electronically 
must send an original of their comments to: Federal Energy Regulatory 
Commission, Secretary of the Commission, 888 First Street NE, 
Washington, DC 20426.
    56. All comments will be placed in the Commission's public files 
and may be viewed, printed, or downloaded remotely as described in the 
Document Availability section below. Commenters on this proposal are 
not required to serve copies of their comments on other commenters.

VII. Document Availability

    57. In addition to publishing the full text of this document in the 
Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
internet through the Commission's Home Page (http://www.ferc.gov) and 
in the Commission's Public Reference Room during normal business hours 
(8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE, Room 2A, 
Washington, DC 20426.
    58. From the Commission's Home Page on the internet, this 
information is available on eLibrary. The full text of this document is 
available on eLibrary in PDF and Microsoft Word format for viewing, 
printing, and/or downloading. To access this document in eLibrary, type 
the docket number of this document, excluding the last three digits, in 
the docket number field.
    59. User assistance is available for eLibrary and the Commission's 
website during normal business hours from the Commission's Online 
Support at 202-502-6652 (toll free at 1-866-208-3676) or email at 
[email protected], or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at 
[email protected].

    By direction of the Commission.

    Issued: December 21, 2017.
Nathaniel J. Davis, Sr.,
Deputy Secretary.
[FR Doc. 2017-28083 Filed 12-27-17; 8:45 am]
 BILLING CODE 6717-01-P



                                                  electric system.                                        (FPA),1 the Commission proposes to                     Monitoring Systems (EACMS).3 Such
                                                  DATES: Comments are due February 26,                    direct the North American Electric                     modifications will enhance awareness
                                                  2018.                                                   Reliability Corporation (NERC), the                    for NERC, industry, the Commission,
                                                  ADDRESSES: Comments, identified by                      Commission-certified Electric                          other federal and state entities, and
                                                  docket number, may be filed in the                      Reliability Organization (ERO), to                     interested stakeholders regarding
                                                  following ways:                                         develop and submit modifications to the                existing or developing cyber security
                                                    • Electronic Filing through http://                   Critical Infrastructure Protection (CIP)               threats. In addition, we propose to
                                                  www.ferc.gov. Documents created                         Reliability Standards to improve the                   direct NERC to modify the CIP
                                                  electronically using word processing                    reporting of Cyber Security Incidents,                 Reliability Standards to specify the
                                                  software should be filed in native                      including incidents that might facilitate              required information in Cyber Security
                                                  applications or print-to-PDF format and                 subsequent efforts to harm the reliable                Incident reports to improve the quality
                                                  not in a scanned format.                                operation of the bulk electric system.                 of reporting and allow for ease of
                                                    • Mail/Hand Delivery: Those unable                    The proposed development of modified                   comparison by ensuring that each report
                                                  to file electronically may mail or hand-                mandatory reporting requirements is                    includes specified fields of information.
                                                  deliver comments to: Federal Energy                     intended to improve awareness of                       Finally, we propose to direct NERC to
                                                  Regulatory Commission, Secretary of the                 existing and future cyber security                       2 NERC, 2017 State of Reliability Report at 4 (June
                                                  Commission, 888 First Street NE,                        threats and potential vulnerabilities. We              2017), http://www.nerc.com/pa/RAPA/PA/
                                                  Washington, DC 20426.                                   propose to continue having the reports                 Performance%20Analysis%20DL/SOR_2017_
                                                    Instructions: For detailed instructions               go to the Electricity Information Sharing              MASTER_20170613.pdf.
sradovich on DSK3GMQ082PROD with PROPOSALS




                                                  on submitting comments and additional                   and Analysis Center (E–ISAC) instead of                  3 The NERC Glossary of Terms Used in NERC

                                                  information on the rulemaking process,                  the Commission, but we propose to                      Reliability Standards (October 6, 2017) (NERC
                                                                                                                                                                 Glossary) defines ‘‘ESP’’ as ‘‘[t]he logical border
                                                  see the Comment Procedures Section of                   require that reports also be sent to the               surrounding a network to which BES Cyber Systems
                                                  this document.                                          Industrial Control Systems Cyber                       are connected using a routable protocol.’’ The NERC
                                                  FOR FURTHER INFORMATION CONTACT:                        Emergency Response Team (ICS–CERT)                     Glossary defines ‘‘EACMS’’ as ‘‘Cyber Assets that
                                                                                                          and that NERC file an annual, public,                  perform electronic access control or electronic
                                                  Margaret Scott (Technical Information),                                                                        access monitoring of the Electronic Security
                                                    Office of Electric Reliability, Federal                                                                      Perimeter(s) or BES Cyber Systems. This includes
                                                    Energy Regulatory Commission, 888                       1 16   U.S.C. 824o(d)(5).                            Intermediate Systems.’’



                                             VerDate Sep<11>2014   17:11 Dec 27, 2017   Jkt 244001   PO 00000   Frm 00001    Fmt 4702   Sfmt 4702   E:\FR\FM\28DEP1.SGM   28DEP1


                                                  61500               Federal Register / Vol. 82, No. 248 / Thursday, December 28, 2017 / Proposed Rules

modify the CIP Reliability Standards to establish a deadline for filing a report once a compromise or disruption to reliable bulk electric system operation, or an attempted compromise or disruption, is identified by a responsible entity.

I. Background

A. Section 215 and Mandatory Reliability Standards

5. Section 215 of the FPA requires a Commission-certified ERO to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.\4\ Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,\5\ and subsequently certified NERC.\6\

B. Foundation for Resilient Societies’ Petition

6. On January 13, 2017, the Foundation for Resilient Societies (Resilient Societies) filed a petition requesting that the Commission initiate a rulemaking to require an enhanced Reliability Standard for malware detection, reporting, mitigation and removal from the Bulk-Power System.\7\ Resilient Societies stated that the Bulk-Power System is increasingly at risk from malware. Resilient Societies also maintained that current mandatory and voluntary reporting methods underreport the actual annual rate of occurrence of cybersecurity incidents in the U.S. electric grid.

7. In support of its petition, Resilient Societies asserted that evidence in the public domain shows that electric grids in the U.S. and critical infrastructure that depends upon reliable power are increasingly at risk from malware, resulting in a threat of widespread, long-term blackouts. Resilient Societies asserted that Bulk-Power System assets are interconnected with the public internet, which could allow foreign adversaries to implant malware in electric utility computer systems. Resilient Societies stated that malware can infect high, medium, and low impact BES Cyber Systems,\8\ and, once inserted, can be a pathway for cyber-attackers.\9\ Resilient Societies further stated that an infected low impact BES Cyber System can serve as an entry point from where an adversary can attack medium and high impact BES Cyber Systems. Resilient Societies asserted that a “simultaneous cyberattack on many low impact assets may cause greater impact than an attack on a single high impact asset.” \10\

8. Resilient Societies alleged that it has found gaps relating to malware protection requirements in the current Commission-approved CIP Reliability Standards. In particular, Resilient Societies maintained that the ESP concept, used in the CIP Reliability Standards, suffers from several fundamental flaws. Specifically, Resilient Societies asserted that: (1) Cyber attacks on systems outside the ESP can take down systems within it; (2) passwords and other user credentials associated with BES Cyber Systems may be stored on systems outside the ESP; and (3) Electronic Access Points that control access to systems within the ESP may be breached. Resilient Societies also raised a concern that there is currently no required reporting of malware infections, both inside and outside the ESP.\11\

9. Based on its analysis, Resilient Societies offered several suggestions for the essential components of an enhanced malware Reliability Standard and what the technical elements of an enhanced malware standard might include. The essentials identified by Resilient Societies include: (1) Malware detection; (2) malware reporting (regardless of whether reliability tasks of a functional entity have been compromised or disrupted); (3) malware mitigation; and (4) mandatory malware removal. Resilient Societies also provided a list of possible technical elements for an enhanced malware Reliability Standard.\12\

10. In support of its request for an enhanced Reliability Standard for malware reporting, Resilient Societies asserted that current mandatory and voluntary cybersecurity incident reporting methodologies are not representative of the actual annual rate of occurrence of cybersecurity incidents in the U.S. electric grid. Resilient Societies cited NERC’s State of Reliability Reports for 2014 and 2015, noting that NERC identified only three Reportable Cyber Security Incidents in 2014 and zero Reportable Cyber Security Incidents in 2015. In addition, Resilient Societies observed that according to Department of Energy (DOE) Disturbance Reports (OE-417), there were three reported cybersecurity incidents in 2014, zero in 2015, and two in 2016. Finally, Resilient Societies stated that in contrast to the number of cybersecurity incidents reported through NERC and DOE Form OE-417, ICS-CERT responded to 79 cybersecurity incidents in 2014 and 46 cybersecurity incidents in 2015.\13\

11. On February 17, 2017, Resilient Societies filed supplemental comments that included an appendix containing a February 10, 2017 Department of Homeland Security (DHS) Report, “Enhanced Analysis of GRIZZLY STEPPE Activity,” which, Resilient Societies alleged, “provides independent validation of the need for a mandatory standard to detect, report, mitigate, and remove identified malware from the Bulk Power System.” \14\

Comments on Petition

12. The Commission received five sets of comments in response to Resilient Societies’ petition. Among the commenters, NERC, Trade Associations \15\ and International Transmission Company (ITC) stated that the Commission should not act on Resilient Societies’ petition, claiming that the issues raised therein are adequately addressed in the currently-effective CIP Reliability Standards or are, in response to outstanding Commission directives, the subject of ongoing standards projects. The other two commenters, Kaspersky Lab, and David Bardin, supported Resilient Societies’ petition to better address the detection, reporting and mitigation of malware.

13. NERC opposed Resilient Societies’ petition because, NERC asserted,

---------------------------------------------------------------------------

\4\ 16 U.S.C. 824o(e).

\5\ Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, FERC Stats. & Regs. ¶ 31,204 (cross-referenced at 114 FERC ¶ 61,104), order on reh’g, Order No. 672-A, FERC Stats. & Regs. ¶ 31,212 (cross-referenced at 114 FERC ¶ 61,328) (2006).

\6\ North American Electric Reliability Corp., 116 FERC ¶ 61,062, order on reh’g and compliance, 117 FERC ¶ 61,126 (2006), aff’d sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (DC Cir. 2009).

\7\ Resilient Societies’ filings and responsive comments are available on the Commission’s eLibrary document retrieval system in Docket No. AD17-9-000.

\8\ Reliability Standard CIP-002-5.1a (Cyber Security System Categorization) provides a “tiered” approach to cybersecurity requirements, based on classifications of high, medium and low impact BES Cyber Systems.

\9\ BES Cyber System is defined by NERC as “[o]ne or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.” NERC Glossary. The acronym BES refers to the bulk electric system.

\10\ Resilient Societies Petition at 2-3.

\11\ Id. at 10-12.

\12\ Id. at 14-15.

\13\ Id. at 8-9.

\14\ Resilient Societies Supplemental Comments at 4.

\15\ American Public Power Association, Edison Electric Institute, Electricity Consumers Resource Council, Electric Power Supply Association, Large Public Power Council, National Rural Electric Cooperative Association, and Transmission Access Policy Study Group.

---------------------------------------------------------------------------

[[Page 61501]]
existing CIP Reliability Standards, current standard development activity and other cyber security efforts adequately address the threats, vulnerabilities and risks associated with malware detailed in the Resilient Societies’ petition. Accordingly, NERC concluded that a new Reliability Standard to address malware detection, reporting, mitigation and removal is not necessary at this time.\16\ With regard to the Commission-approved CIP Reliability Standards, NERC stated that several existing requirements require responsible entities to implement protections to address the threat of malware.\17\ NERC identified seven currently-effective CIP requirements that it alleged address the risks associated with malware.\18\

14. With regard to current standard development activity, NERC observed that modifications to the CIP Reliability Standards being developed in response to Commission Order Nos. 822 and 829 will further mitigate the risks posed by malware.\19\ Specifically, NERC stated that the modifications under development in response to Order No. 822 address malware protections for assets containing low impact BES Cyber Systems and protections for communication links and sensitive data communicated between bulk electric system control centers. In particular, NERC identified proposed Reliability Standard CIP-003-7 and stated that the proposed Reliability Standard clarifies electronic access controls and mitigates the introduction of malicious code from

impact BES Cyber Systems.\21\ For low impact BES Cyber Systems, NERC explained that the proposed Reliability Standard requires responsible entities to have at least one cyber security policy that addresses integrity and authenticity of software and hardware and to adopt controls for vendor-initiated remote access. NERC states that this proposed Reliability Standard shows NERC and industry “are taking significant steps in addressing the risks posed by malware campaigns targeting supply chain vendors.” \22\

16. With regard to other ongoing cyber security efforts, NERC noted the activities of the E-ISAC. Specifically, NERC stated that, through the E-ISAC, NERC has “fostered an information sharing culture that promotes a proactive approach towards identification of malware, pooling of resources to combat malware, and sharing of best practices based on lessons learned, among other things.” \23\ In addition, NERC maintained that it facilitates industry information sharing in two other ways: NERC Alerts and the activities of the Critical Infrastructure Protection Committee (CIPC). NERC concluded that these activities promote necessary information sharing of cyber security threats and help foster the type of incident reporting requested in Resilient Societies’ petition.\24\

17. While acknowledging the validity of concerns regarding the threat malware poses to the bulk electric system, ITC asserted that Resilient Societies’ conclusion that existing CIP

that the specific controls in Resilient Societies’ requests that the Commission mandate are duplicative, unnecessary and/or overly and unreasonably burdensome, and would make the bulk electric system less reliable and more vulnerable compared to the existing protections.\27\

18. Trade Associations stated that the risks raised in Resilient Societies’ petition are addressed under the current CIP Reliability Standards and in ongoing Commission dockets and standards development efforts. Trade Associations observed that Reliability Standard CIP-007-6, Requirement R3 is the primary existing Reliability Standard addressing the risks posed by malware. Trade Associations explained that the Reliability Standard requires responsible entities to deter, detect, or prevent malicious code; mitigate the threat of detected malicious code; and have a process to update signatures or patterns associated with malicious code. Trade Associations asserted that other relevant requirements are spread throughout the currently-effective CIP Reliability Standards, including Reliability Standards CIP-005-5, Requirement R1 (Electronic Security Perimeter); CIP-005-5, Requirement R2 (Protections for Interactive Remote Access); CIP-007-6, Requirement R1 (limiting and protecting accessible ports); and CIP-007-6, Requirement R2 (patch management required to detect software vulnerabilities).\28\

19. In addition, Trade Associations noted recently-approved new CIP
                                                  transient devices for assets containing                                                                       Reliability Standards addressing
                                                                                                          Reliability Standards contain gaps with
                                                  low impact BES Cyber Systems.20                                                                               transient devices associated with high
                                                     15. NERC stated that proposed                        respect to malware defense is
                                                                                                          inaccurate. ITC stated that, contrary to              and medium impact BES Cyber
                                                  Reliability Standard CIP–013–1 (Cyber                                                                         Systems, as well as the Commission’s
                                                  Security—Supply Chain Risk                              Resilient Societies’ conclusions, the lack
                                                                                                          of specific malware-related controls in               directive in Order No. 822 for the
                                                  Management), developed in response to                                                                         development of similar protections for
                                                  Order No. 829, requires responsible                     the CIP Reliability Standards ‘‘reflects a
                                                                                                          critically important objectives-based                 low impact BES Cyber Systems. Trade
                                                  entities to, among other things,                                                                              Associations also identified the
                                                  implement at least one process to verify                approach which the Commission has
                                                                                                          intentionally adopted.’’ 25 ITC explained             Commission’s directives in Order No.
                                                  the integrity and authenticity of certain                                                                     829 relating to cybersecurity risks posed
                                                  software and firmware and implement                     that the existing CIP Reliability
                                                                                                          Standards ‘‘collectively mandate robust               by vendors as open initiatives that will
                                                  at least one process to control vendor                                                                        help protect against the introduction of
                                                  remote access to high and medium                        and effective malware security
                                                                                                          measures, through both direct security                malware into BES Cyber Systems.29
                                                                                                          measures that thwart malware attacks,                    20. Kaspersky Lab supported the
                                                    16 NERC    Comments at 1–2.
                                                    17 Id.                                                and through complementary measures,                   development of an enhanced Reliability
                                                           at 2.
                                                    18 Id. at 5–6.                                        such as personnel training against social             Standard for malware detection,
                                                    19 Revised Critical Infrastructure Protection
                                                                                                          engineering attacks.’’ 26 ITC concluded               reporting, mitigation and removal.
                                                  Reliability Standards, Order No. 822, 154 FERC ¶                                                              Kaspersky Lab stated that the current
                                                  61,037, reh’g denied, Order No. 822–A, 156 FERC           21 On September 26, 2017, NERC submitted            CIP Reliability Standards ‘‘do not
                                                  ¶ 61,052 (2016); Revised Critical Infrastructure                                                              sufficiently address malware protection
                                                                                                          proposed Reliability Standards CIP–013–1, CIP–
                                                  Protection Reliability Standards, Order No. 829, 156
sradovich on DSK3GMQ082PROD with PROPOSALS




                                                  FERC ¶ 61,050 (2016).
                                                                                                          005–6 and CIP–010–3 for Commission approval.          as a critical component in securing BES
                                                    20 NERC Comments at 8. On October 19, 2017, the
                                                                                                          NERC’s filing is available on the Commission’s        Cyber Assets and Systems.’’ 30
                                                                                                          eLibrary document retrieval system in Docket No.
                                                  Commission issued a notice of proposed                  RM17–13–000 and on the NERC website,                  Kaspersky Lab offered a list of reasons
                                                  rulemaking proposing to approve proposed                www.nerc.com.                                         why it believes that electric utilities face
                                                  Reliability Standard CIP–003–7. See Revised               22 NERC Comments at 9.
                                                  Critical Infrastructure Protection Reliability            23 Id.                                                27 Id.
                                                  Standard CIP–003–7—Cyber Security—Security                                                                             at 2–3.
                                                                                                            24 Id. at 12–13.                                      28 Trade   Associations Comments at 5–6.
                                                  Management Controls, Notice of Proposed
                                                                                                            25 ITC Comments at 2–3.                               29 Id. at 7.
                                                  Rulemaking, 82 FR 49,541 (October 26, 2017), 161
                                                  FERC ¶ 61,047 (2017).                                     26 Id. at 3.                                          30 Kaspersky Lab Comments at 1.





[[Page 61502]]

an increased risk of being infiltrated by malware, highlighting, among other issues, that information concerning exploitable vulnerabilities is increasingly becoming public. Kaspersky Lab noted that it recognizes that the CIP Reliability Standards ''strive to address the complex cyber and physical security needs of the [bulk electric system]'' and that cybersecurity standards ''must be flexible and not overly prescriptive to address threats as they evolve,'' but it states that the current CIP Reliability Standards only address malware protection ''in a cursory fashion.''\31\

    21. David Bardin supported the goals in Resilient Societies' petition and suggested that the Commission initiate one or more proceedings to facilitate a conversation on malware protections. In support of his position, Bardin presented a list of questions that could be raised in such discussions.\32\

C. NERC 2017 State of Reliability Report

    22. In June 2017, NERC published the 2017 NERC State of Reliability Report which, among other things, indicates that there were no Reportable Cyber Security Incidents in 2016. The report also lists ''key findings'' regarding reliability performance observed over the previous year and recommendations for improvements. Key Finding 4 of the report addresses the reporting of Cyber Security Incidents. In particular, NERC states that the current ''mandatory reporting process does not create an accurate picture of cyber security risk since most of the cyber threats detected by the electricity industry manifest themselves in . . . email, websites, smart phone applications . . . rather than the control system environment where impacts could cause loss of load and result in a mandatory report.''\33\ Based on that finding, the report includes a recommendation that NERC and industry should ''redefine reportable incidents to be more granular and include zero-consequence incidents that might be precursors to something more serious.''\34\

II. Discussion

    23. Pursuant to section 215(d)(5) of the FPA, the Commission proposes to direct NERC to develop modifications to the CIP Reliability Standards to address the Commission's concerns regarding mandatory reporting requirements. Based on our review of the comments received in response to Resilient Societies' petition, however, we conclude that the current Commission-approved CIP Reliability Standards, ongoing NERC efforts to address open Commission directives, and other industry efforts have addressed or will address the malware detection and mitigation issues raised by Resilient Societies. For example, provisions of currently effective Reliability Standards, including CIP–005–5 and CIP–007–6, address malware detection and mitigation. Ongoing efforts described by NERC and other commenters, such as the development of a supply chain risk management standard, should also address malware concerns. Thus, the Commission declines to act on this aspect of the petition.\35\

    24. We believe that the current reporting threshold for Cyber Security Incidents, as set forth in the current definition of Reportable Cyber Security Incident, may not reflect the true scope of cyber-related threats facing the Bulk-Power System, consistent with NERC's view. Accordingly, pursuant to section 215(d)(5) of the FPA, the Commission proposes to direct that NERC develop modifications to the CIP Reliability Standards to improve the mandatory reporting of Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the bulk electric system, to improve awareness of existing and future cyber security threats and potential vulnerabilities.

    25. Below, we discuss the following elements of the proposed directive: (A) Cyber Security Incident reporting threshold; (B) information in Cyber Security Incident reports; and (C) timing of Cyber Security Incident reports.

A. Cyber Security Incident Reporting Threshold

    26. Cyber-related event reporting is currently addressed in Reliability Standard CIP–008–5, Requirement R1, Part 1.2, which requires that each responsible entity shall document one or more Cyber Security Incident Plan(s) with one or more processes to determine if an identified Cyber Security Incident is a Reportable Cyber Security Incident. Where a cyber-related event is determined to qualify as a Reportable Cyber Security Incident, responsible entities are required to notify the E–ISAC with initial notification to be made within one hour from the determination of a Reportable Cyber Security Incident.\36\

    27. A Cyber Security Incident is defined in the NERC Glossary as:

    A malicious act or suspicious event that:
    • Compromises, or was an attempt to compromise, the Electronic Security Perimeter or Physical Security Perimeter or,
    • Disrupts, or was an attempt to disrupt, the operation of a BES Cyber System.

This is similar, but not identical, to the definition of a cybersecurity incident in FPA section 215, which is ''a malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of those programmable electronic devices and communication networks including hardware, software and data that are essential to the reliable operation of the bulk power system.''\37\ A Reportable Cyber Security Incident, however, is defined more narrowly in the NERC Glossary as ''[a] Cyber Security Incident that has compromised or disrupted one or more reliability tasks of a functional entity.'' Therefore, in order for a cyber-related event to be considered reportable under the existing CIP Reliability Standards, it must compromise or disrupt a core activity (e.g., a reliability task) of a responsible entity that is intended to maintain bulk electric system reliability.\38\ Under these definitions, unsuccessful attempts to compromise or disrupt a responsible entity's core activities are not subject to the current reporting requirements in Reliability Standard CIP–008–5.

    28. As discussed above, recent NERC State of Reliability Reports indicate that there were no Reportable Cyber Security Incidents in 2015 and 2016. As noted by NERC, ''[w]hile there were no reportable cyber security incidents during 2016 and therefore none that caused a loss of load, this does not necessarily suggest that the risk of a cyber security incident
---------------------------------------------------------------------------

    \31\ Id. at 2.
    \32\ Bardin Comments at 1.
    \33\ 2017 NERC State of Reliability Report at 4.
    \34\ Id.
    \35\ While the Commission proposes that NERC develop modifications to the NERC Reliability Standards under section 215(d)(5) of the FPA in Docket No. RM18–2–000, we exercise our discretion to terminate the proceeding in Docket No. AD17–9–000.
    \36\ See Reliability Standard CIP–008–5 (Cyber Security—Incident Reporting and Response Planning), Requirement R1, Part 1.2. This requirement pertains to high impact BES Cyber Systems and medium impact BES Cyber Systems.
    \37\ 16 U.S.C. 824o(a)(8).
    \38\ The NERC Functional Model ''describes a set of Functions that are performed to ensure the reliability of the Bulk Electric System. Each Function consists of a set of related reliability Tasks. The Model assigns each Function to a functional entity, that is, the entity that performs the function. The Model also describes the interrelationships between that functional entity and other functional entities (that perform other Functions).'' NERC, Reliability Functional Model: Function Definitions and Functional Entities, Version 5 at 7 (November 2009), http://www.nerc.com/pa/Stand/Functional%20Model%20Archive%201/Functional_Model_V5_Final_2009Dec1.pdf.
---------------------------------------------------------------------------

[[Page 61503]]

is low.''\39\ In contrast, the 2016 annual summary of DOE's Electric Disturbance Reporting Form OE–417 contained four cybersecurity incidents reported in 2016: Two suspected cyber attacks and two actual cyber attacks.\40\ Moreover, ICS–CERT responded to fifty-nine cybersecurity incidents within the Energy Sector in 2016.\41\

    29. Based on this comparison, the current reporting threshold in Reliability Standard CIP–008–5 may not reflect the true scope and scale of cyber-related threats facing responsible entities. The disparity in the reporting of cyber-related incidents under existing reporting requirements, in particular the lack of any incidents reported to NERC in 2015 and 2016, suggests a gap in the current reporting requirements. We are concerned that this apparent reporting gap results in a lack of awareness for NERC, responsible entities, and the Commission. This concern is echoed in the 2017 NERC State of Reliability Report, which includes a recommendation that NERC and industry should ''redefine reportable incidents to be more granular and include zero-consequence incidents that might be precursors to something more serious.''\42\ We agree with NERC's recommendation. The disparity highlights the need to improve the reporting obligation under the CIP Reliability Standards.

    30. The Commission proposes to direct NERC to address the gap in cyber-

detected failed access attempts, and failed login attempts. Also, the Guidelines and Technical Basis for this requirement state that events should be logged even if access attempts were blocked or otherwise unsuccessful.\43\

    32. Similarly, DHS defines a ''cyber incident'' as ''attempts (either failed or successful) to gain unauthorized access to a system or its data . . . .''\44\ The E–ISAC defines a ''cyber incident'' as including unauthorized access through the electronic perimeter as well as ''a detected effort . . . without obvious success.''\45\ Also, ICS–CERT defines a ''cyber incident'' as an ''occurrence that actually or potentially results in adverse consequences . . . .''\46\

    33. We propose to establish a compromise or an attempt to compromise a responsible entity's ESP or associated EACMS, due to their close association with ESPs, as the boundary point for a reportable Cyber Security Incident. An ESP is defined in the NERC Glossary as the ''logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.'' The purpose of an ESP is to manage electronic access to BES Cyber Systems to support the protection of the BES Cyber Systems against compromise that could lead to misoperation or instability in the bulk electric system.\47\ EACMS are defined in the NERC Glossary as ''Cyber Assets that perform electronic access control or

impact BES Cyber Systems.\49\ Once an EACMS is compromised, an attacker could more easily enter the ESP and effectively control the BES Cyber System or Protected Cyber Asset.

    34. Since an ESP is intended to protect BES Cyber Systems and EACMS are intended to control electronic access into an ESP, we believe it is reasonable to establish the compromise of, or attempt to compromise, an ESP or its associated EACMS as the minimum reporting threshold.

    35. In sum, pursuant to section 215(d)(5) of the FPA, we propose to direct NERC to develop modifications to the CIP Reliability Standards described above to improve the reporting of Cyber Security Incidents, including incidents that did not cause any harm but could facilitate subsequent efforts to harm the reliable operation of the bulk electric system. The Commission seeks comment on this proposal.

    36. In addition, the Commission seeks comment on whether to exclude EACMS from any Commission directive and, instead, establish the compromise, or attempt to compromise, an ESP as the minimum reporting threshold. The Commission also seeks comment on potential alternatives to modifying the mandatory reporting requirements in the NERC Reliability Standards. Specifically, we seek comment on whether a request for data or
                                                  related incident reporting. Specifically,               electronic access monitoring of the                   information pursuant to Section 1600 of
                                                  we propose to direct NERC to modify                     Electronic Security Perimeter(s) or BES               the NERC Rules of Procedure would
                                                  the CIP Reliability Standards to include                Cyber Systems. This includes                          effectively address the reporting gap and
                                                  the mandatory reporting of Cyber                        Intermediate Systems.’’ More                          current lack of awareness of cyber-
                                                  Security Incidents that compromise, or                  specifically, EACMS include, for                      related incidents, discussed above,
                                                  attempt to compromise, a responsible                    example, firewalls, authentication                    among NERC, responsible entities and
                                                  entity’s ESP or associated EACMS.                       servers, security event monitoring                    the Commission, and satisfy the goals of
                                                  Enhanced mandatory reporting of cyber-                  systems, intrusion detection systems                  the proposed directive.
                                                  related incidents will provide better                   and alerting systems.48 Therefore,
                                                  awareness to NERC, industry and the                                                                           B. Content of Cyber Security Incident
                                                                                                          EACMS control electronic access into
                                                  Commission regarding existing or                                                                              Reports
                                                                                                          the ESP and play a significant role in
                                                  developing cyber security threats.                      the protection of high and medium                       37. Currently-effective Reliability
                                                     31. Reporting of attempts to
                                                                                                                                                                Standard CIP–008–5, Requirement R1,
                                                  compromise, instead of only successful                    43 See Reliability Standard CIP–007–6 (Cyber
                                                                                                                                                                Part 1.2 requires that a responsible
                                                  compromises, is consistent with current                 Security—Systems Security Management),                entity provide an initial notification of
                                                  monitoring requirements. For example,                   Requirement R4, Part 1.
                                                                                                            44 See United States Computer Emergency             a Reportable Cyber Security Incident to
                                                  Reliability Standard CIP–007–6,
                                                                                                          Readiness Team (US–CERT) Incident Definition:         the E–ISAC within one hour of the
                                                  Requirement R4.1, mandates logging of                   https://www.us-cert.gov/government-users/             determination that a Cyber Security
                                                  detected successful login attempts,                     compliance-and-reporting/incident-definition.
                                                                                                            45 See E–ISAC Incident Reporting Fact Sheet
                                                                                                                                                                Incident is reportable, unless prohibited
                                                    39 2017  NERC State of Reliability Report at 4.       document: http://www.nerc.com/files/Incident-
                                                                                                                                                                by law. The initial notification may be
                                                    40 2016  DOE Electric Disturbance Events (OE–         Reporting.pdf.                                        made by phone call, email, or through
                                                  417) Annual Summary Archives, https://                    46 See ICS–CERT Published ‘‘Common Cyber
sradovich on DSK3GMQ082PROD with PROPOSALS




                                                  www.oe.netl.doe.gov/OE417_annual_                       Security Language’’ document: https://ics-cert.us-       49 See Reliability Standard CIP–002–5.1a (Cyber
                                                  summary.aspx.                                           cert.gov/About-Industrial-Control-Systems-Cyber-      Security—BES Cyber System Categorization),
                                                    41 ICS–CERT cybersecurity incident statistics for     Emergency-Response-Team.                              Background at 5–6 (‘‘BES Cyber Systems have
                                                  the Energy Sector combine statistics from the             47 See Reliability Standard CIP–005–5 (Cyber
                                                                                                                                                                associated Cyber Assets, which, if compromised,
                                                  electric subsector and the oil and natural gas          Security—Electronic Security Perimeter(s)).           pose a threat to the BES Cyber System by virtue of:
                                                  subsector. ICS–CERT does not break out the                48 See Reliability Standard CIP–002–5.1 (Cyber      (a) Their location within the Electronic Security
                                                  cybersecurity incidents that only impact the electric   Security—BES Cyber System Categorization),            Perimeter (Protected Cyber Assets), or (b) the
                                                  subsector. 2016 ICS–CERT Year in Review, https://       Background at 6; Reliability Standard CIP–007–6       security control function they perform (Electronic
                                                  ics-cert.us-cert.gov/Year-Review-2016.                  (Cyber Security—System Security Management),          Access Control or Monitoring Systems and Physical
                                                    42 2017 NERC State of Reliability Report at 4.        Background at 4.                                      Access Control Systems’’).



[[Page 61504]]

a Web-based notice.\50\ Reliability Standard CIP–008–5 does not specify the content of a report.

38. The Commission proposes to direct that NERC modify the CIP Reliability Standards to specify the required content in a Cyber Security Incident report. We propose that the minimum set of attributes to be reported should include: (1) The functional impact, when identifiable, that the Cyber Security Incident achieved or attempted to achieve; (2) the attack vector that was used to achieve or attempted to achieve the Cyber Security Incident; and (3) the level of intrusion that was achieved or attempted as a result of the Cyber Security Incident. Knowledge of these attributes regarding a specific Cyber Security Incident will improve awareness of cyber threats to bulk electric system reliability. These attributes are the same as attributes already used by DHS for its multi-sector reporting and summarized by DHS in an annual report.\51\ Specifying the required content should improve the quality of reporting by ensuring that basic information is provided and allows for ease of comparison across reports by ensuring that each report includes specified fields of information.

39. Functional impact is a measure of the actual, ongoing impact to the organization, the affected BES Cyber System(s), and the responsible entity's ability to protect and/or operate the affected BES Cyber System(s) to ensure reliable bulk electric system operations. In many cases, such as scans and probes by attackers or a successfully defended attack, there is little or no impact on the responsible entity as a result of the incident. The attack vector is the method used by the attacker to exploit a vulnerability, such as a phishing attack for user credentials or a virus designed to exploit a known vulnerability. The level of intrusion reflects the extent of the penetration into a responsible entity's ESP, EACMS as applicable, or BES Cyber Systems within the ESP, that was achieved as a result of the Cyber Security Incident.

40. The Commission seeks comment on this proposal and, more generally, the appropriate content for Cyber Security Incident reporting to improve awareness of existing and future cyber security threats and potential vulnerabilities.

C. Timing of Cyber Security Incident Reports

41. In addition to addressing the specific content for Cyber Security Incident reports, the Commission proposes that NERC establish requirements outlining deadlines for filing a report once a compromise or disruption to reliable bulk electric system operation, or an attempted compromise or disruption, is identified by a responsible entity. While currently-effective Reliability Standard CIP–008–5, Requirement R1, Part 1.2 requires that a responsible entity provide an initial notification of a Reportable Cyber Security Incident to the E–ISAC within one hour of the determination that a Cyber Security Incident is reportable, unless prohibited by law, the Reliability Standard "does not require a specific timeframe for completing the full report."\52\ The reporting timeline should reflect the actual or potential threat to reliability, with more serious incidents reported in a more timely fashion. A reporting timeline that takes into consideration the severity of a Cyber Security Incident should minimize potential burdens on responsible entities. The intent of this directive is to provide NERC with the information necessary to maintain awareness regarding cyber threats to bulk electric system reliability. We propose that the reports submitted under the enhanced mandatory reporting requirements would be provided to E–ISAC, similar to the current reporting scheme, as well as ICS–CERT. The detailed incident reporting would not be submitted to the Commission.

42. The Commission and others will also benefit from enhanced Cyber Security Incident reporting as we continue to evaluate the effectiveness of the CIP Reliability Standards. Currently, NERC identifies the number of Reportable Cyber Security Incidents in its annual State of Reliability report. In that regard, however, we propose to direct NERC to file publicly an annual report reflecting the Cyber Security Incidents reported to NERC during the previous year. Specifically, we propose to direct NERC to file annually an anonymized report providing an aggregated summary of the reported information. We believe that the ICS–CERT annual report, which includes pie charts reflecting the energy sector's cybersecurity incidents by level of intrusion, threat vector and functional impact, would be a reasonable model for what NERC reports to the Commission.\53\

43. The Commission seeks comment on the appropriate timing for Cyber Security Incident reporting to better ensure timely sharing of information and thereby enhance situational awareness. In addition, the Commission seeks comment on the proposal to direct NERC to file an annual report with the Commission.

III. Information Collection Statement

44. The Paperwork Reduction Act (PRA) requires each federal agency to seek and obtain approval from the Office of Management and Budget (OMB) before undertaking a collection of information directed to ten or more persons, or contained in a rule of general applicability. OMB's implementing regulations require approval of certain information collection requirements imposed by agency rules.\54\ Upon approval of a collection(s) of information, OMB will assign an OMB control number and an expiration date. Respondents subject to the filing requirements of an agency rule will not be penalized for failing to respond to these collections of information unless the collections of information display a valid OMB control number.

45. The Commission is submitting these proposed reporting requirements to OMB for its review and approval under section 3507(d) of the PRA. Comments are solicited on the Commission's need for the information proposed to be reported, whether the information will have practical utility, ways to enhance the quality, utility, and clarity of the information to be collected, and any suggested methods for minimizing the respondent's burden, including the use of automated information techniques.

46. The Public Reporting Burden and cost related to the proposed rule in Docket No. RM18–2–000 are covered by, and already included in, the existing FERC–725, Certification of Electric Reliability Organization; Procedures for Electric Reliability Standards (OMB Control No. 1902–0225). FERC–725 includes the ERO's overall responsibility for developing Reliability Standards, such as any Reliability Standards that relate to Cyber Security Incident reporting.

47. Internal review: The Commission has reviewed the proposed changes and has determined that the changes are

    \50\ See Reliability Standard CIP–008–5 (Cyber Security—Incident Reporting and Response Planning), Guidelines and Technical Basis at 19.
    \51\ 2016 ICS–CERT Year in Review, https://ics-cert.us-cert.gov/Year-Review-2016.
    \52\ See Reliability Standard CIP–008–5 (Cyber Security—Incident Reporting and Response Planning), Guidelines and Technical Basis at 19.
    \53\ ICS–CERT, https://ics-cert.us-cert.gov/sites/default/files/FactSheets/ICS-CERT_FactSheet_IR_Pie_Chart_FY2016_S508C.pdf.
    \54\ See 5 CFR 1320.


                                             VerDate Sep<11>2014   17:11 Dec 27, 2017   Jkt 244001   PO 00000   Frm 00006   Fmt 4702   Sfmt 4702   E:\FR\FM\28DEP1.SGM   28DEP1


                                                                      Federal Register / Vol. 82, No. 248 / Thursday, December 28, 2017 / Proposed Rules                                               61505

necessary to ensure the reliability and integrity of the Nation's Bulk-Power System.

48. Interested persons may obtain information on the reporting requirements by contacting: Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426 [Attention: Ellen Brown, Office of the Executive Director, email: DataClearance@ferc.gov, Phone: (202) 502–8663, fax: (202) 273–0873]. Comments on the requirements of this rule may also be sent to the Office of Information and Regulatory Affairs, Office of Management and Budget, Washington, DC 20503 [Attention: Desk Officer for the Federal Energy Regulatory Commission]. For security reasons, comments should be sent by email to OMB at oira_submission@omb.eop.gov. Please refer to OMB Control No. 1902–0225 and FERC–725 in your submission.

IV. Environmental Analysis

49. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment.\55\ The Commission has categorically excluded certain actions from this requirement as not having a significant effect on the human environment. Included in the exclusion are rules that are clarifying, corrective, or procedural or that do not substantially change the effect of the regulations being amended.\56\ The actions proposed herein fall within this categorical exclusion in the

52. Any Reliability Standards proposed by NERC in compliance with this rulemaking will be considered by the Commission in future proceedings. As part of any future proceedings, the Commission will make determinations pertaining to the Regulatory Flexibility Act based on the content of the Reliability Standards proposed by NERC.

VI. Comment Procedures

53. The Commission invites interested persons to submit comments on the matters and issues proposed in this notice to be adopted, including any related matters or alternative proposals that commenters may wish to discuss. Comments are due February 26, 2018. Comments must refer to Docket No. RM18–2–000, and must include the commenter's name, the organization they represent, if applicable, and address.

54. The Commission encourages comments to be filed electronically via the eFiling link on the Commission's website at http://www.ferc.gov. The Commission accepts most standard word processing formats. Documents created electronically using word processing software should be filed in native applications or print-to-PDF format and not in a scanned format. Commenters filing electronically do not need to make a paper filing.

55. Commenters that are not able to file comments electronically must send an original of their comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE, Washington, DC 20426.

viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number of this document, excluding the last three digits, in the docket number field.

59. User assistance is available for eLibrary and the Commission's website during normal business hours from the Commission's Online Support at 202–502–6652 (toll free at 1–866–208–3676) or email at ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502–8371, TTY (202) 502–8659. Email the Public Reference Room at public.referenceroom@ferc.gov.

By direction of the Commission.

Issued: December 21, 2017.
Nathaniel J. Davis, Sr.,
Deputy Secretary.
[FR Doc. 2017–28083 Filed 12–27–17; 8:45 am]
BILLING CODE 6717–01–P


DEPARTMENT OF THE TREASURY

31 CFR Part 148

RIN 1505–AC57

Qualified Financial Contracts Recordkeeping Related to Orderly Liquidation Authority

AGENCY: Department of the Treasury.

ACTION: Proposed rule.

SUMMARY: The Secretary of the Treasury (the "Secretary"), as Chairperson of the Financial Stability Oversight Council, is proposing, in consultation with the Federal Deposit Insurance Corporation (the "FDIC"), an amendment to the
                                                  Commission’s regulations.                                  56. All comments will be placed in                 regulation implementing the qualified
                                                  V. Regulatory Flexibility Act Analysis                  the Commission’s public files and may                 financial contract (‘‘QFC’’)
                                                                                                          be viewed, printed, or downloaded                     recordkeeping requirements of the
                                                    50. The Regulatory Flexibility Act of                 remotely as described in the Document                 Dodd-Frank Wall Street Reform and
                                                  1980 (RFA) 57 generally requires a                      Availability section below. Commenters                Consumer Protection Act (the ‘‘Dodd-
                                                  description and analysis of proposed                    on this proposal are not required to                  Frank Act’’ or the ‘‘Act’’) that would
                                                  rules that will have significant                        serve copies of their comments on other               extend the compliance dates of the
                                                  economic impact on a substantial                        commenters.                                           regulation.
                                                  number of small entities.
                                                    51. By only proposing to direct NERC,                 VII. Document Availability                            DATES:  Written comments must be
                                                  the Commission-certified ERO, to                          57. In addition to publishing the full              received by January 29, 2018.
                                                  develop modified Reliability Standards                  text of this document in the Federal                  ADDRESSES: Submit comments
                                                  for Cyber Security Incident reporting,                  Register, the Commission provides all                 electronically through the Federal
                                                  this Notice of Proposed Rulemaking will                 interested persons an opportunity to                  eRulemaking Portal: http://
                                                  not have a significant or substantial                   view and/or print the contents of this                www.regulations.gov, or by mail (if hard
                                                  impact on entities other than NERC.                     document via the internet through the                 copy, preferably an original and two
                                                  Therefore, the Commission certifies that                Commission’s Home Page (http://                       copies) to: The Treasury Department,
                                                  this Notice of Proposed Rulemaking will                 www.ferc.gov) and in the Commission’s                 Attn: Qualified Financial Contracts
                                                  not have a significant economic impact                  Public Reference Room during normal                   Recordkeeping Comments, 1500
sradovich on DSK3GMQ082PROD with PROPOSALS




                                                  on a substantial number of small                        business hours (8:30 a.m. to 5:00 p.m.                Pennsylvania Avenue NW, Washington,
                                                  entities.                                               Eastern time) at 888 First Street NE,                 DC 20220. Because paper mail in the
                                                                                                          Room 2A, Washington, DC 20426.                        Washington, DC area may be subject to
                                                    55 Regulations Implementing the National
                                                                                                            58. From the Commission’s Home                      delay, it is recommended that comments
                                                  Environmental Policy Act of 1969, Order No. 486,
                                                  FERC Stats. & Regs. ¶ 30,783 (1987) (cross-
                                                                                                          Page on the internet, this information is             be submitted electronically. Please
                                                  referenced at 41 FERC ¶ 61,284).                        available on eLibrary. The full text of               include your name, affiliation, address,
                                                    56 18 CFR 380.4(a)(2)(ii).                            this document is available on eLibrary                email address, and telephone number in
                                                    57 5 U.S.C. 601–612.                                  in PDF and Microsoft Word format for                  your comment. Comments will be


                                             VerDate Sep<11>2014   17:11 Dec 27, 2017   Jkt 244001   PO 00000   Frm 00007   Fmt 4702   Sfmt 4702   E:\FR\FM\28DEP1.SGM   28DEP1



Document Created: 2017-12-28 00:43:42
Document Modified: 2017-12-28 00:43:42
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Proposed Rules
Action: Notice of proposed rulemaking.
Dates: Comments are due February 26, 2018.
Contact: Margaret Scott (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6704, [email protected]; Kevin Ryan (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6840, [email protected]
FR Citation: 82 FR 61499
