83 FR 36727 - Cyber Security Incident Reporting Reliability Standards

DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission

Federal Register Volume 83, Issue 147 (July 31, 2018)

Page Range: 36727-36741
FR Document: 2018-16242

Federal Register, Volume 83 Issue 147 (Tuesday, July 31, 2018)
[Federal Register Volume 83, Number 147 (Tuesday, July 31, 2018)]
[Rules and Regulations]
[Pages 36727-36741]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2018-16242]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM18-2-000; Order No. 848]


Cyber Security Incident Reporting Reliability Standards

AGENCY: Federal Energy Regulatory Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Energy Regulatory Commission (Commission) directs 
the North American Electric Reliability Corporation (NERC) to develop 
and submit modifications to the NERC Reliability Standards to augment 
the mandatory reporting of Cyber Security Incidents, including 
incidents that might facilitate subsequent efforts to harm the reliable 
operation of the bulk electric system (BES).

DATES: This rule will become effective October 1, 2018.

FOR FURTHER INFORMATION CONTACT: 
    Margaret Steiner (Technical Information), Office of Electric 
Reliability, Federal Energy Regulatory Commission, 888 First Street NE, 
Washington, DC 20426, (202) 502-6704, Margaret.Steiner@ferc.gov.
    Kevin Ryan (Legal Information), Office of the General Counsel, 
Federal Energy Regulatory Commission, 888 First Street NE, Washington, 
DC 20426, (202) 502-6840, Kevin.Ryan@ferc.gov.

SUPPLEMENTARY INFORMATION:

Order No. 848--Final Rule (Issued July 19, 2018)

    1. Pursuant to section 215(d)(5) of the Federal Power Act (FPA), 
the Commission directs the North American Electric Reliability 
Corporation (NERC) to develop and submit modifications to

[[Page 36728]]

the NERC Reliability Standards to augment the mandatory reporting of 
Cyber Security Incidents, including incidents that might facilitate 
subsequent efforts to harm the reliable operation of the BES.\1\ The 
Commission directs NERC to develop and submit modifications to the 
Reliability Standards to require the reporting of Cyber Security 
Incidents that compromise, or attempt to compromise, a responsible 
entity's Electronic Security Perimeter (ESP) or associated Electronic 
Access Control or Monitoring Systems (EACMS).\2\
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o(d)(5). The NERC Glossary of Terms Used in 
NERC Reliability Standards (June 12, 2018) (NERC Glossary) defines a 
Cyber Security Incident as ``A malicious act or suspicious event 
that: Compromises, or was an attempt to compromise, the Electronic 
Security Perimeter or Physical Security Perimeter or, Disrupts, or 
was an attempt to disrupt, the operation of a BES Cyber System.''
    \2\ The NERC Glossary defines ``ESP'' as ``[t]he logical border 
surrounding a network to which BES Cyber Systems are connected using 
a routable protocol.'' The NERC Glossary defines ``EACMS'' as 
``Cyber Assets that perform electronic access control or electronic 
access monitoring of the Electronic Security Perimeter(s) or BES 
Cyber Systems. This includes Intermediate Systems.''
---------------------------------------------------------------------------

    2. In the NOPR, the Commission observed that Cyber Security 
Incidents are presently reported by responsible entities in accordance 
with Reliability Standard CIP-008-5 (Cyber Security--Incident Reporting 
and Response Planning).\3\ However, under the definition of Reportable 
Cyber Security Incident in Reliability Standard CIP-008-5, responsible 
entities must only report Cyber Security Incidents if they have 
``compromised or disrupted one or more reliability tasks.'' The 
Commission explained that the current reporting threshold may 
understate the true scope of cyber-related threats facing the Bulk-
Power System, particularly given the lack of any reportable incidents 
in 2015 and 2016. To improve awareness of existing and future cyber 
security threats and potential vulnerabilities, the Commission proposed 
to direct that NERC develop and submit modifications to the existing 
Reliability Standards to augment the reporting of Cyber Security 
Incidents, including incidents that might facilitate subsequent efforts 
to harm the reliable operation of the BES.
---------------------------------------------------------------------------

    \3\ Cyber Security Incident Reporting Reliability Standards, 
Notice of Proposed Rulemaking, 82 FR 61499 (Dec. 28, 2017), 161 FERC 
¶ 61,291, P 1 (2017) (NOPR).
---------------------------------------------------------------------------

    3. As discussed in detail below, the Commission adopts the NOPR 
proposal. The Commission's directive in this Final Rule consists of 
four elements intended to augment the current Cyber Security Incident 
reporting requirement: (1) Responsible entities must report Cyber 
Security Incidents that compromise, or attempt to compromise, a 
responsible entity's ESP or associated EACMS; (2) required information 
in Cyber Security Incident reports should include certain minimum 
information to improve the quality of reporting and allow for ease of 
comparison by ensuring that each report includes specified fields of 
information; (3) filing deadlines for Cyber Security Incident reports 
should be established once a compromise or disruption to reliable BES 
operation, or an attempted compromise or disruption, is identified by a 
responsible entity; and (4) Cyber Security Incident reports should 
continue to be sent to the Electricity Information Sharing and Analysis 
Center (E-ISAC), rather than the Commission, but the reports should 
also be sent to the Department of Homeland Security (DHS) Industrial 
Control Systems Cyber Emergency Response Team (ICS-CERT). Further, NERC 
must file an annual, public, and anonymized summary of the reports with 
the Commission.
    4. As discussed below, after considering the comments submitted in 
response to the NOPR, we conclude that the proposed directive to 
augment the current reporting requirement for Cyber Security Incidents 
is appropriate to carry out FPA section 215. As NERC recognizes in its 
NOPR comments, ``[b]roadening the mandatory reporting of Cyber Security 
Incidents would help enhance awareness of cyber security risks facing 
entities[,] . . . would create a more extensive baseline understanding 
of the nature of cyber security threats and vulnerabilities[,] . . . 
[and] is consistent with recommendations in NERC's 2017 State of 
Reliability Report.'' \4\ Our directive is intended to result in a 
measured broadening of the existing reporting requirement in 
Reliability Standard CIP-008-5, consistent with NERC's recommendation, 
rather than a wholesale change in cyber incident reporting that 
supplants or otherwise chills voluntary reporting, as some commenters 
maintain. Indeed, as NERC contends, we believe that the new ``baseline 
understanding, coupled with the additional context from voluntary 
reports received by the E-ISAC, [will] allow NERC and the E-ISAC to 
share that information broadly through the electric industry to better 
prepare entities to protect their critical infrastructure.'' \5\
---------------------------------------------------------------------------

    \4\ NERC Comments at 4.
    \5\ Id.
---------------------------------------------------------------------------

    5. We address in the discussion below concerns raised by commenters 
regarding elements of the Commission's directive and the burdens the 
directive might impose if NERC develops requirements that are overly 
broad. At the outset, we agree with NERC that ``because certain 
requirements in the CIP Reliability Standards already require entities 
to track data on compromises or attempts to compromise the ESP or 
EACMS, the additional burden to report that data appears reasonable.'' 
\6\ And we do not believe that complying with the augmented reporting 
requirements that we direct here would be any more burdensome to 
industry than the alternative, responding to a perpetual data or 
information request to collect the same information pursuant to Section 
1600 of the NERC Rules of Procedure. To ensure that the burden is 
reasonable with respect to including EACMS in the augmented reporting 
requirement, NERC should develop requirements based on the function of 
the EACMS and the nature of the attempted compromise or successful 
intrusion. Similarly, as discussed below, NERC should develop reporting 
timelines for Cyber Security Incidents that are commensurate with the 
adverse or attempted adverse impact to the BES that loss, compromise, 
or misuse of those BES Cyber Systems could have on the reliable 
operation of the BES.\7\ Prioritizing incident reporting will allow 
responsible entities to devote resources to reporting the most 
significant Cyber Security Incidents faster than less significant 
events. With this guidance, we believe that the standard drafting team, 
in the first instance, is in the best position to develop the specific 
elements of the directed Reliability Standard requirements.
---------------------------------------------------------------------------

    \6\ Id. at 8 (citing Reliability Standard CIP-005-5 (Cyber 
Security--Electronic Security Perimeter(s)) and Reliability Standard 
CIP-007-6 (Cyber Security--System Security Management)).
    \7\ The NERC Glossary defines BES Cyber System as ``[o]ne or 
more BES Cyber Assets logically grouped by a responsible entity to 
perform one or more reliability tasks for a functional entity.'' 
Glossary of Terms Used in NERC Reliability Standards (NERC 
Glossary). Reliability Standard CIP-002-5.1a (Cyber Security System 
Categorization) provides a ``tiered'' approach to cybersecurity 
requirements, based on classifications of high, medium and low 
impact BES Cyber Systems.
---------------------------------------------------------------------------

    6. We have considered comments submitted by NERC and others 
recommending that broadened Cyber Security Incident reporting should be 
implemented through a request for information or data pursuant to 
Section 1600 of the NERC Rules of Procedure instead of through 
Reliability Standard requirements. However, on balance, we

[[Page 36729]]

believe that broadened mandatory reporting pursuant to Reliability 
Standard requirements as opposed to a standing data request is more 
aligned with the seriousness and magnitude of the current threat 
environment, and more likely to improve awareness of existing and 
future cyber security threats and potential vulnerabilities. Four main 
reasons inform our decision. First, a new or modified Reliability 
Standard will ensure that the desired goals of our directive are met 
because the Commission will have the ability to review and ultimately 
approve the standard, as opposed to the opportunity for informal review 
that the Commission would have of a data request under ROP Section 
1600. Second, the Commission has well-defined authority and processes 
under section 215(e) of the FPA to audit and enforce compliance with a 
Reliability Standard. Third, we do not anticipate that there will be a 
need to change the parameters of the Cyber Security Incident report for 
EACMS because the parameters that we direct below are based on five 
static functions of EACMS and are not technology specific, so the 
potential flexibility provided by a Section 1600 data request may not 
be significantly beneficial. Finally, collecting data through a 
Reliability Standard is consistent with existing practices; responsible 
entities are currently required to maintain the types of information 
that would lead to a reportable Cyber Security Incident pursuant to 
Reliability Standard CIP-007-6, Requirement R4.1. Nonetheless, should 
future events require an expedited change in data collection or should 
NERC desire to collect data outside the scope of the proposed 
Reliability Standard, NERC could then use the Section 1600 process to 
supplement information reported under a mandatory Reliability Standard.
    7. Accordingly, pursuant to section 215(d)(5) of the FPA, we adopt 
the NOPR proposal and direct NERC to develop modifications to the 
Reliability Standards to include the mandatory reporting of Cyber 
Security Incidents that compromise, or attempt to compromise, a 
responsible entity's ESP or associated EACMS, as well as modifications 
to specify the required information in Cyber Security Incident reports, 
their dissemination, and deadlines for filing reports. We direct NERC 
to submit the directed modifications within six months of the effective 
date of this Final Rule.

I. Background

A. Section 215 and Mandatory Reliability Standards

    8. Section 215 of the FPA requires a Commission-certified Electric 
Reliability Organization (ERO) to develop mandatory and enforceable 
Reliability Standards, subject to Commission review and approval. 
Reliability Standards may be enforced by the ERO, subject to Commission 
oversight, or by the Commission independently.\8\ Pursuant to section 
215 of the FPA, the Commission established a process to select and 
certify an ERO,\9\ and subsequently certified NERC.\10\
---------------------------------------------------------------------------

    \8\ Id.
    \9\ Rules Concerning Certification of the Electric Reliability 
Organization; and Procedures for the Establishment, Approval, and 
Enforcement of Electric Reliability Standards, Order No. 672, FERC 
Stats. & Regs. ¶ 31,204, order on reh'g, Order No. 672-A, FERC 
Stats. & Regs. ¶ 31,212 (2006).
    \10\ North American Electric Reliability Corp., 116 FERC ¶ 
61,062, order on reh'g and compliance, 117 FERC ¶ 61,126 (2006), 
aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
---------------------------------------------------------------------------

B. Notice of Proposed Rulemaking

    9. On December 21, 2017, the Commission issued a NOPR proposing to 
direct that NERC develop enhanced Cyber Security Incident reporting 
requirements. Specifically, pursuant to section 215(d)(5) of the FPA, 
the NOPR proposed to direct NERC to develop modifications to the 
Reliability Standards to require the reporting of Cyber Security 
Incidents that compromise, or attempt to compromise, a responsible 
entity's ESP or associated EACMS. The proposed directive was based in 
part on a lack of Reportable Cyber Security Incidents in 2015 and 2016, 
and NERC's assessment in the 2017 State of Reliability Report that 
``[w]hile there were no reportable cyber security incidents during 2016 
and therefore none that caused a loss of load, this does not 
necessarily suggest that the risk of a cyber security incident is 
low.'' \11\ In addition, the NOPR stated that it agreed with the 
recommendation by NERC in the 2017 State of Reliability Report to 
``redefine reportable incidents to be more granular and include zero-
consequence incidents that might be precursors to something more 
serious.'' \12\
---------------------------------------------------------------------------

    \11\ NOPR, 161 FERC ¶ 61,291 at P 28 (citing 2017 NERC State of 
Reliability Report at 4).
    \12\ Id. P 29 (citing 2017 NERC State of Reliability Report at 
4).
---------------------------------------------------------------------------

    10. In justifying the proposed inclusion of ESPs and associated 
EACMS within the scope of the enhanced Cyber Security Incident 
requirement, the NOPR stated that the purpose of an ESP is to manage 
electronic access to BES Cyber Systems to support the protection of the 
BES Cyber Systems against compromise that could lead to misoperation or 
instability in the BES.\13\ In addition, the NOPR explained that EACMS, 
which include, for example, firewalls, authentication servers, security 
event monitoring systems, intrusion detection systems and alerting 
systems, control electronic access into the ESP and play a significant 
role in the protection of high and medium impact BES Cyber Systems.\14\ 
The NOPR indicated further that, once an EACMS is compromised, an 
attacker could more easily enter the ESP and effectively control the 
BES Cyber System or Protected Cyber Asset.
---------------------------------------------------------------------------

    \13\ See id. P 33 (citing Reliability Standard CIP-005-5 (Cyber 
Security--Electronic Security Perimeter(s)).
    \14\ See id. (citing Reliability Standard CIP-002-5.1 (Cyber 
Security--BES Cyber System Categorization), Background at 6; 
Reliability Standard CIP-007-6 (Cyber Security--System Security 
Management), Background at 4).
---------------------------------------------------------------------------

    11. The NOPR discussed the scope of the present Cyber Security 
Incident reporting requirement. The NOPR observed that Reliability 
Standard CIP-008-5, Requirement R1.2 currently requires that each 
responsible entity shall document one or more Cyber Security Incident 
Plan(s) with one or more processes to determine if an identified Cyber 
Security Incident is a Reportable Cyber Security Incident. And where a 
Cyber Security Incident is determined to qualify as a Reportable Cyber 
Security Incident, the NOPR explained that responsible entities are 
required to notify the E-ISAC with initial notification within one hour 
from the determination of a Reportable Cyber Security Incident. The 
NOPR stated, however, that the NERC Glossary defines a Reportable Cyber 
Security Incident as ``[a] Cyber Security Incident that has compromised 
or disrupted one or more reliability tasks of a functional entity.'' 
The NOPR indicated that the definition of Reportable Cyber Security 
Incident, insofar as it excludes unsuccessful attempts to compromise or 
disrupt a responsible entity's core activities, is thus narrower 
than the definition of ``cybersecurity incident'' in FPA section 
215(a)(8), which encompasses ``a malicious act or suspicious event that 
disrupts, or was an attempt to disrupt, the operation of those 
programmable electronic devices and communication networks including 
hardware, software and data that are essential to the reliable 
operation of the bulk power system.'' \15\
---------------------------------------------------------------------------

    \15\ 16 U.S.C. 824o(a)(8).
---------------------------------------------------------------------------

    12. The NOPR stated that altering the Cyber Security Incident 
reporting

[[Page 36730]]

threshold to require reporting of attempts to compromise, instead of 
only successful compromises, is consistent with information already 
logged by registered entities pursuant to current monitoring 
requirements in the Reliability Standards. The NOPR explained that 
Reliability Standard CIP-007-6, Requirement R4.1, mandates logging of 
detected successful login attempts, detected failed access attempts, 
and failed login attempts, and the Guidelines and Technical Basis for 
Requirement R4.1 states that events should be logged even if access 
attempts were blocked or otherwise unsuccessful.\16\
---------------------------------------------------------------------------

    \16\ See Reliability Standard CIP-007-6 (Cyber Security--Systems 
Security Management), Requirement R4.1.
---------------------------------------------------------------------------

    13. In addition to modifying the reporting threshold, the NOPR 
proposed to direct NERC to modify the Reliability Standards to specify 
the required information in Cyber Security Incident reports to improve 
the quality of reporting and allow for ease of comparison by ensuring 
that each report includes specified fields of information, as well as 
the deadlines for submitting a report. Specifically, the NOPR proposed 
that the minimum set of attributes to be reported should include: (1) 
The functional impact, where possible, that the Cyber Security Incident 
achieved or attempted to achieve; (2) the attack vector used to achieve 
or attempt to achieve the Cyber Security Incident; and (3) the level of 
intrusion achieved or attempted by the Cyber Security Incident. The 
NOPR explained that knowledge of these attributes regarding a specific 
Cyber Security Incident will improve awareness of cyber threats to BES 
reliability. The NOPR also noted that the proposed attributes are the 
same as attributes already used by DHS for its multi-sector reporting 
and summarized by DHS in an annual report.\17\
---------------------------------------------------------------------------

    \17\ NOPR, 161 FERC ¶ 61,291 at P 38 (citing 2016 ICS-CERT Year 
in Review, https://ics-cert.us-cert.gov/Year-Review-2016).
---------------------------------------------------------------------------

    14. The NOPR also proposed to continue to require that Cyber 
Security Incident reports be sent to the E-ISAC instead of the 
Commission, but the NOPR proposed to require that such reports also be 
sent to ICS-CERT and that NERC file with the Commission an annual, 
public, and anonymized summary of such reports.
    15. Finally, the NOPR sought comment on potential alternatives to 
modifying the mandatory reporting requirements in the NERC Reliability 
Standards. Specifically, the NOPR sought comment on whether a request 
for data or information pursuant to Section 1600 of the NERC Rules of 
Procedure would effectively address the reporting gap and current lack 
of awareness of cyber-related incidents among NERC, responsible 
entities and the Commission, and satisfy the goals of the proposed 
directive.

II. Discussion

    16. Pursuant to section 215(d)(5) of the FPA, we adopt the NOPR 
proposal and direct NERC to develop and submit modifications to the 
NERC Reliability Standards to augment current mandatory reporting of 
Cyber Security Incidents, including incidents that might facilitate 
subsequent efforts to harm the reliable operation of the BES. We direct 
NERC, subject to the discussion below, to develop and submit 
Reliability Standard requirements that: (1) Require responsible 
entities to report Cyber Security Incidents that compromise, or attempt 
to compromise, a responsible entity's ESP or associated EACMS; (2) 
specify the required information in Cyber Security Incident reports; 
(3) establish deadlines for filing Cyber Security Incident reports that 
are commensurate with incident severity; and (4) require that Cyber 
Security Incident reports be sent to ICS-CERT, in addition to E-ISAC, 
and that NERC file with the Commission an annual, public, and 
anonymized summary of such reports.
    17. Below, we discuss the following matters: (A) The need for 
broadened mandatory Cyber Security Incident reporting; (B) the 
threshold for a reportable Cyber Security Incident; (C) the appropriate 
procedural approach to augment Cyber Security Incident reporting, i.e., 
new or modified Reliability Standards versus a NERC data request to 
applicable entities; (D) the content and timing of Cyber Security 
Incident reports; and (E) other issues.

A. Need for Broadened Mandatory Cyber Security Incident Reporting

1. NOPR
    18. In the NOPR, the Commission indicated that cyber-related event 
reporting is currently addressed in Reliability Standard CIP-008-5, 
Requirement R1.2, which requires that each responsible entity shall 
document one or more Cyber Security Incident Plan(s) with one or more 
processes to determine if an identified Cyber Security Incident is a 
Reportable Cyber Security Incident. The NOPR noted that a Cyber 
Security Incident is defined in the NERC Glossary as: ``A malicious act 
or suspicious event that: (1) compromises, or was an attempt to 
compromise, the Electronic Security Perimeter or Physical Security 
Perimeter or (2) disrupts, or was an attempt to disrupt, the operation 
of a BES Cyber System.''
    19. The Commission further explained that where a cyber-related 
event is determined to qualify as a Reportable Cyber Security Incident, 
responsible entities are required to notify the E-ISAC with initial 
notification to be made within one hour from the determination of a 
Reportable Cyber Security Incident.\18\ However, the NOPR observed that 
a Reportable Cyber Security Incident is defined more narrowly in the 
NERC Glossary than a Cyber Security Incident because the former 
requires that the incident result in the compromise or disruption of 
one or more reliability tasks of a functional entity. As the Commission 
explained, in order for a cyber-related event to be considered 
reportable under the existing CIP Reliability Standards, it must 
compromise or disrupt a core activity (e.g., reliability task) of a 
responsible entity that is intended to maintain BES reliability.\19\ 
Therefore, under these definitions, unsuccessful attempts to compromise 
or disrupt a responsible entity's core activities are not subject to 
the current reporting requirements in Reliability Standard CIP-008-5 or 
elsewhere in the CIP Reliability Standards.
---------------------------------------------------------------------------

    \18\ See Reliability Standard CIP-008-5 (Cyber Security--
Incident Reporting and Response Planning), Requirement R1, Part 1.2. 
This requirement pertains to high impact BES Cyber Systems and 
medium impact BES Cyber Systems.
    \19\ The NERC Functional Model ``describes a set of Functions 
that are performed to ensure the reliability of the Bulk Electric 
System. Each Function consists of a set of related reliability 
Tasks. The Model assigns each Function to a functional entity, that 
is, the entity that performs the function. The Model also describes 
the interrelationships between that functional entity and other 
functional entities (that perform other Functions).'' NERC, 
Reliability Functional Model: Function Definitions and Functional 
Entities, Version 5 at 7 (November 2009), http://www.nerc.com/pa/Stand/Functional%20Model%20Archive%201/Functional_Model_V5_Final_2009Dec1.pdf.
---------------------------------------------------------------------------

    20. The NOPR explained that recent NERC State of Reliability 
Reports indicate that there were no Reportable Cyber Security Incidents 
in 2015 and 2016. The NOPR also highlighted NERC's conclusion that 
``[w]hile there were no reportable cyber security incidents during 2016 
and therefore none that caused a loss of load, this does not 
necessarily suggest that the risk of a cyber security incident is 
low.'' \20\ The NOPR contrasted the results reported in the NERC 
reports with the 2016 annual summary of the Department of Energy's 
(DOE) Electric

[[Page 36731]]

Disturbance Reporting Form OE-417, which contained four cybersecurity 
incidents reported in 2016: two suspected cyber attacks and two actual 
cyber attacks.\21\ Moreover, the NOPR noted that ICS-CERT responded to 
fifty-nine cybersecurity incidents within the Energy Sector in 
2016.\22\
---------------------------------------------------------------------------

    \20\ 2017 NERC State of Reliability Report at 4.
    \21\ 2016 DOE Electric Disturbance Events (OE-417) Annual 
Summary Archives, https://www.oe.netl.doe.gov/OE417_annual_summary.aspx.
    \22\ ICS-CERT cybersecurity incident statistics for the Energy 
Sector combine statistics from the electric subsector and the oil 
and natural gas subsector. ICS-CERT does not break out the 
cybersecurity incidents that only impact the electric subsector. 
2016 ICS-CERT Year in Review, https://ics-cert.us-cert.gov/Year-Review-2016.
---------------------------------------------------------------------------

    21. Based on the comparison of information reported by NERC, DOE, 
and ICS-CERT, the NOPR concluded that the current reporting threshold 
in Reliability Standard CIP-008-5 may not reflect the true scope and 
scale of cyber-related threats facing responsible entities. In 
particular, the NOPR raised a concern that the disparity in the 
reporting of cyber-related incidents under existing reporting 
requirements, in particular the lack of any incidents reported to NERC 
in 2015 and 2016, suggests a gap in the current reporting requirements. 
The NOPR highlighted the fact that this concern is echoed in the 2017 
NERC State of Reliability Report, which includes a recommendation that 
NERC and industry should ``redefine reportable incidents to be more 
granular and include zero-consequence incidents that might be 
precursors to something more serious.'' \23\ Agreeing with NERC's 
recommendation in the 2017 State of Reliability report, the NOPR 
proposed to direct NERC to address the apparent gap in cyber incident 
reporting.
---------------------------------------------------------------------------

    \23\ 2017 NERC State of Reliability Report at 4.
---------------------------------------------------------------------------

2. Comments
    22. NERC supports improving the reporting of Cyber Security 
Incidents, stating that ``[b]roadening the mandatory reporting of Cyber 
Security Incidents would help enhance awareness of cyber security risks 
facing entities.'' \24\ NERC maintains that enhanced reporting ``would 
create a more extensive baseline understanding of the nature of cyber 
security threats and vulnerabilities.'' \25\ NERC notes that broadening 
the scope of Cyber Security Incident reporting ``is consistent with 
recommendations in NERC's 2017 State of Reliability Report.'' \26\ 
While NERC recognizes the need for enhanced Cyber Security Incident 
reporting, as discussed in the following sections, NERC does not 
support all aspects of the NOPR, including requiring enhanced cyber 
incident reporting through a modified Reliability Standard.
---------------------------------------------------------------------------

    \24\ NERC Comments at 4.
    \25\ Id. at 4.
    \26\ Id. at 4.
---------------------------------------------------------------------------

    23. BPA, ITC, IRC, NYPSC, and NRG also support the NOPR proposal to 
direct NERC to address the gap in reporting Cyber Security Incidents. 
As noted by BPA, the current definition of Reportable Cyber Security 
Incident only addresses successful attempts to compromise or disrupt 
operations and, therefore, ``a broader definition of a Reportable Cyber 
Security incident is warranted'' because ``information about certain 
attempts to compromise will likely better assist the industry in 
preventing successful cyber attacks.'' \27\ BPA, ITC, and IRC raise 
concerns, however, regarding the risk of over-reporting. IRC states 
that the proposed requirement to report all attempts to compromise an 
ESP or associated EACMS ``needs further clarification.'' \28\ BPA 
states that any new reporting requirement ``must ensure that the 
information reported is useful and does not result in under and over 
reporting of information.'' \29\ NRG recommends that the term 
``attempt'' should be clarified (i.e., as a more serious risk than a 
port scan) and ``should be provided in technical guidance or glossary 
definition relating to the context of [the] existing NERC glossary 
term: Cyber Security Incident.'' \30\
---------------------------------------------------------------------------

    \27\ BPA Comments at 3.
    \28\ IRC Comments at 1.
    \29\ BPA Comments at 3.
    \30\ NRG Comments at 3.
---------------------------------------------------------------------------

    24. EEI/NRECA, Trade Associations, APS, Chamber, EnergySec, 
Eversource, Idaho Power, and LPPC do not support the NOPR proposal to 
direct NERC to address the gap in reporting Cyber Security Incidents. 
EEI/NRECA, Trade Associations, and Chamber suggest that the Commission 
support existing voluntary reporting practices as opposed to mandating 
the reporting of Cyber Security Incidents through the CIP Reliability 
Standards. EEI/NRECA state that ``[s]ignificant resources from 
responsible entities and government are engaged in [. . .] 
partnerships'' to share threat and vulnerability information.\31\ EEI/
NRECA argue that ``[m]andating such sharing will overlap with these 
voluntary efforts and may harm the partnerships and ability of the 
programs to enhance cybersecurity for the electric grid.'' \32\ In 
addition, EEI/NRECA state that mandating Cyber Security Incident 
reporting ``may weaken the ability of electric companies to participate 
in these [voluntary reporting] programs by shifting their focus to 
compliance activity.'' \33\ Eversource states that the NOPR proposal 
would ``introduce new technical and administrative challenges that will 
likely impact responsible entities' ability to participate in existing 
voluntary threat information sharing programs.'' \34\ LPPC states that 
whatever action the Commission takes on Cyber Security Incident 
reporting, it ``must be done with an eye towards causing as little 
disruption to existing information sharing programs as possible.'' \35\
---------------------------------------------------------------------------

    \31\ EEI/NRECA Comments at 12.
    \32\ Id. at 12.
    \33\ Id. at 14-15.
    \34\ Eversource Comments at 5.
    \35\ LPPC Comments at 4.
---------------------------------------------------------------------------

    25. Trade Associations state that while improving Cyber Security 
Incident reporting is an appropriate objective, ``directing new or 
revised mandatory reliability standards is not the only tool that NERC 
and the Commission have for achieving that reliability objective.'' 
\36\ Trade Associations contend that, in light of the constantly 
evolving state of cyber security, ``the Commission should consider and 
utilize the most flexible tools to achieve its reliability goals 
without imposing undue burden on registered entities.'' \37\
---------------------------------------------------------------------------

    \36\ APPA, et al. Comments at 3-4.
    \37\ Id. at 4.
---------------------------------------------------------------------------

    26. APS states that while it ``supports the Commission's objectives 
expressed in the NOPR,'' it does not agree that modifying the CIP 
Reliability Standards is the appropriate solution.\38\ APS asserts that 
``the reporting requirements that already exist under Form OE-417 meet 
the same objectives as the Commission is attempting to satisfy by 
requiring additional reporting under the CIP Standards as proposed in 
the NOPR.'' \39\ APS instead suggests that ``the Commission . . . 
direct NERC to modify the CIP Standards to include a requirement for 
Responsible Entities to submit copies of its Form OE-417 to the E-ISAC 
and ICS-CERT.'' \40\
---------------------------------------------------------------------------

    \38\ APS Comments at 5.
    \39\ Id. at 7.
    \40\ Id. at 5.
---------------------------------------------------------------------------

    27. EnergySec states that it is ``generally in agreement with the 
Commission's goal of increasing the frequency and detail of incident 
reporting,'' but raises concerns with the specifics of the NOPR 
proposal.\41\ EnergySec maintains that ```compromise' as used in the 
definition of Reportable Cybersecurity Incident does not necessarily 
imply harm.'' \42\ Therefore, EnergySec argues that ``an incident 
should be considered a `compromise' if an attacker has obtained

[[Page 36732]]

the ability to disrupt, even if no disruption occurs.'' \43\ EnergySec 
states further that it believes ``that a clarified understanding of the 
current definition of Reportable Cybersecurity Incident can 
sufficiently address the Commission's concerns'' since it ``can be 
construed to include certain non-impactful incidents, as well as 
incidents affecting [ESPs] and [EACMS].'' \44\
---------------------------------------------------------------------------

    \41\ EnergySec Comments at 2.
    \42\ Id. at 2.
    \43\ Id. at 2.
    \44\ Id. at 3.
---------------------------------------------------------------------------

    28. EnergySec also raises a concern that the NOPR proposal is too 
broad. EnergySec argues that determining incidents that might 
facilitate future cyber incidents ``would be highly subjective and 
could easily be construed to include systems and networks that are 
outside the scope of the Commission's authority.'' \45\ EnergySec notes 
that most failed login or access attempts are benign in nature and 
``the volume of such events is orders of magnitude larger than what 
would be an appropriate volume for mandatory reporting.'' \46\ 
EnergySec states further that while it agrees that successful attacks 
against ESPs and EACMS should be reported, it does not support 
including attempted compromise in the reporting requirements since the 
``[d]etermination of attempted compromise is highly subjective and it 
would therefore be difficult at best to clearly define within the 
standards a basis for such determinations.'' \47\
---------------------------------------------------------------------------

    \45\ Id. at 3.
    \46\ Id. at 3.
    \47\ Id. at 3-4.
---------------------------------------------------------------------------

    29. Eversource and Idaho Power do not support the NOPR proposal due 
to the anticipated increased burden that could result from increased 
mandatory reporting. Eversource states that ``expanding the amount of 
required information to be reported and increasing the number of 
recipients of the reports will create undue administrative burdens.'' 
\48\ In addition, Eversource contends that ``the meaning of an 
attempted compromise is currently undefined and may impose significant 
burdens on responsible entities to identify such attempts.'' \49\ Idaho 
Power states that even though ``additional reporting can provide some 
visibility into the types of threats that entities face, additional 
administrative burdens such as reporting requirements reduce the finite 
resources that entities have to monitor and defend their critical 
infrastructure.'' \50\
---------------------------------------------------------------------------

    \48\ Eversource Comments at 1.
    \49\ Id. at 6.
    \50\ Idaho Power Comments at 2.
---------------------------------------------------------------------------

    30. LPPC asserts that the NOPR proposal ``may yield a substantial 
quantity of unhelpful information and confusing analysis, while 
needlessly burdening Registered Entities.'' \51\ LPPC states that it 
supports NERC's request for flexibility in addressing enhanced Cyber 
Security Incident reporting and concludes that ``a technical conference 
may productively explore the nature and scope of the various programs 
that currently exist for information sharing regarding threats and the 
incremental value of any new requirements.'' \52\ Resilient Societies 
states that ``the modifications proposed to improve the reporting of 
cybersecurity incidents are unlikely to have any significant positive 
effect.'' \53\ Specifically, Resilient Societies states that the 
proposed reporting parameters are not broad enough because ``reporting 
of malware infection is not necessarily within thresholds set on other 
criteria, such as `compromise,' `breach,' `impact,' or `disruption.' '' 
\54\ Resilient Societies also suggests that the Commission convene a 
public technical conference.
---------------------------------------------------------------------------

    \51\ LPPC Comments at 1.
    \52\ Id. at 5-6.
    \53\ Resilient Societies Comments at 12.
    \54\ Id. at 10.
---------------------------------------------------------------------------

3. Commission Determination
    31. We adopt the NOPR proposal and, pursuant to section 215(d)(5) 
of the FPA, direct NERC to develop and submit modifications to the 
Reliability Standards to augment the mandatory reporting of Cyber 
Security Incidents, including incidents that might facilitate 
subsequent efforts to harm the reliable operation of the BES. Comments 
submitted by NERC and others support our determination that enhanced 
reporting of Cyber Security Incidents will address an existing gap in 
Cyber Security Incident reporting and will provide useful information 
on existing and future cyber security risks, as well as provide 
entities with better visibility into malicious activity prior to an 
event occurring. As noted in NERC's comments, ``[b]roadening the 
mandatory reporting of Cyber Security Incidents would help enhance 
awareness of cyber security risks facing entities.'' \55\ Similarly, 
BPA agrees with the directive to include attempted compromises in an 
enhanced reporting regime, stating that ``information about certain 
attempts to compromise will likely better assist the industry in 
preventing successful cyber attacks.'' \56\ Moreover, while the record 
reflects differing views on whether broadened Cyber Security Incident 
reporting should be mandatory or voluntary, there is general agreement 
that improved reporting is an appropriate objective.\57\
---------------------------------------------------------------------------

    \55\ NERC Comments at 4.
    \56\ BPA Comments at 3.
    \57\ See NERC Comments at 4, Trade Associations Comments at 3, 
APS Comments at 1, BPA Comments at 3, EnergySec Comments at 1, Idaho 
Power Comments at 2, ITC Comments at 5, IRC Comments at 1, NRG 
Comments at 2-3.
---------------------------------------------------------------------------

    32. Some commenters contend that the directive to require mandatory 
reporting of Cyber Security Incidents that compromise, or attempt to 
compromise, a responsible entity's ESP or associated EACMS is vague and 
requires clarification. Recognizing this concern, NERC states that 
``[t]he challenge is to scope any additional mandatory reporting 
requirements in a manner that collects meaningful data about security 
risks without creating an unduly burdensome reporting requirement.'' 
\58\ While we address the threshold issue for a broadened reporting 
requirement in the next section, as a general matter, we agree 
with NERC that the scope of any new reporting requirement should be 
tailored to provide better information on cyber security threats and 
vulnerabilities without imposing an undue burden on responsible 
entities. Indeed, the NOPR proposal was not intended to be prescriptive 
or overly broad, but rather to support NERC's efforts to enhance the 
reporting of Cyber Security Incidents as outlined in NERC's 2017 State 
of Reliability Report through the standards development process.
---------------------------------------------------------------------------

    \58\ NERC Comments at 3.
---------------------------------------------------------------------------

    33. Some commenters assert that a broadened reporting requirement 
will overlap, duplicate or otherwise chill voluntary reporting 
programs, potentially diverting resources away from such programs. 
Other commenters, however, assert that voluntary reporting does not 
adequately address the gap identified in the NOPR because voluntary 
reporting and mandatory reporting under currently-effective Reliability 
Standard CIP-008-5 have not resulted in adequate reporting of 
cybersecurity threats to the BES.\59\ As Appelbaum notes, ``[w]ithout 
mandatory reporting scheme a degraded threat image will result.'' \60\
---------------------------------------------------------------------------

    \59\ See id. at 4-5.
    \60\ Appelbaum Comments at 7.
---------------------------------------------------------------------------

    34. Based on the record, we are not persuaded that our directive to 
augment current mandatory reporting requirements will adversely impact 
existing voluntary information sharing efforts. Instead, we agree with 
NERC's comment that the new ``baseline understanding [resulting from 
broadened mandatory reporting], coupled with the additional context 
from voluntary reports received by the E-ISAC, [will] allow NERC and 
the E-

[[Page 36733]]

ISAC to share that information broadly through the electric industry to 
better prepare entities to protect their critical infrastructure.'' 
\61\ Moreover, we do not anticipate that the incremental burden of the 
directed modifications will divert significant resources from other 
information sharing programs since responsible entities are already 
required to monitor and log successful login attempts, detected failed 
access attempts, and failed login attempts under Reliability Standard 
CIP-007-6, Requirement R4.1. Nor do we anticipate that the incremental 
burden of complying with the directed Reliability Standards 
modifications would be significantly more than the burden of responding 
to a standing data or information request under Section 1600. We also 
do not believe that broadened mandatory reporting is at cross-purposes 
with voluntary cybersecurity-related programs offered by DHS and other 
government agencies. We believe that voluntary programs that focus on 
cyber response and sharing of cyber threat information across industry 
are important initiatives that should be supported. However, the 
comments do not provide a compelling explanation why the broadening of 
mandatory reporting will supplant or inhibit voluntary programs.
---------------------------------------------------------------------------

    \61\ NERC Comments at 4.
---------------------------------------------------------------------------

    35. While we agree with EnergySec that revisions to the current 
definition of Reportable Cyber Security Incident could address some 
aspects of our directive, a modified definition alone would not address 
the need to specify the required information in Cyber Security Incident 
reports to improve the quality of reporting and allow for ease of 
comparison, or establish deadlines for submitting a report to 
facilitate timely information sharing. Therefore, while we believe that 
a modified definition of Reportable Cyber Security Incident could 
address part of the Commission's concerns, additional modifications 
would be necessary to meet the full scope of our directive.
    36. In addition, we do not agree with Resilient Societies that the 
detection of malware infecting a responsible entity's ESP or associated 
EACMS would fall outside the new reporting requirement. While Resilient 
Societies asserts that a malware infection would not meet the threshold 
of a compromise, breach, impact, or disruption, we believe that it 
would fall within the parameters of an attempted compromise. As 
discussed in the next section, however, we believe that it is 
appropriate for NERC to address the reporting threshold through the 
standards development process in order to weigh the diverse technical 
opinions on how to identify the appropriate assets and the level of 
attempted compromise that warrants reporting. Accordingly, we are not 
persuaded to convene a technical conference. Rather, persons interested 
in the development of appropriate detailed parameters of the augmented 
reporting requirements should participate in the NERC standards 
development process.
    37. In sum, we conclude that the record supports our determination 
that directing NERC to develop and submit modifications to the 
Reliability Standards to require the reporting of Cyber Security 
Incidents that compromise, or attempt to compromise, a responsible 
entity's ESP, as well as associated EACMS, is appropriate to carry out 
FPA section 215. Therefore, pursuant to FPA section 215(d)(5), we 
direct NERC to develop and submit modifications to the Reliability 
Standards to include the mandatory reporting of Cyber Security 
Incidents that compromise, or attempt to compromise, a responsible 
entity's ESP or associated EACMS. As noted above, we direct NERC to 
submit the directed modifications within six months of the effective 
date of this Final Rule.

B. Threshold for a Reportable Cyber Security Incident

1. NOPR
    38. The NOPR proposed to direct NERC to modify the Reliability 
Standards to include the mandatory reporting of Cyber Security 
Incidents that compromise, or attempt to compromise, a responsible 
entity's ESP or associated EACMS. The NOPR explained that reporting 
attempts to compromise, instead of only successful compromises, is 
consistent with current monitoring requirements in Reliability Standard 
CIP-007-6, Requirement R4.1, which mandates logging of detected 
successful login attempts, detected failed access attempts and failed 
login attempts.\62\ In addition, the NOPR identified other reporting 
regimes that include attempts within the general definition of a 
``cyber incident.'' Specifically, DHS defines a ``cyber incident'' as 
``attempts (either failed or successful) to gain unauthorized access to 
a system or its data. . . .'' \63\ The E-ISAC defines a ``cyber 
incident'' as including unauthorized access through the electronic 
perimeter as well as ``a detected effort . . . without obvious 
success.'' \64\ And ICS-CERT defines a ``cyber incident'' as an 
``occurrence that actually or potentially results in adverse 
consequences. . . .'' \65\
---------------------------------------------------------------------------

    \62\ See Reliability Standard CIP-007-6 (Cyber Security--Systems 
Security Management), Requirement R4.1.
    \63\ See United States Computer Emergency Readiness Team (US-
CERT) Incident Definition: https://www.us-cert.gov/government-users/compliance-and-reporting/incident-definition.
    \64\ See E-ISAC Incident Reporting Fact Sheet document: http://www.nerc.com/files/Incident-Reporting.pdf.
    \65\ See ICS-CERT Published ``Common Cyber Security Language'' 
document: https://ics-cert.us-cert.gov/sites/default/files/documents/Common%20Cyber%20Language_S508C.pdf.
---------------------------------------------------------------------------

    39. As noted above, an ESP is defined in the NERC Glossary as the 
``logical border surrounding a network to which BES Cyber Systems are 
connected using a routable protocol.'' The purpose of an ESP is to 
manage electronic access to BES Cyber Systems to support the protection 
of the BES Cyber Systems against compromise that could lead to 
misoperation or instability in the BES. The NOPR explained that since 
an ESP is intended to protect BES Cyber Systems, it is reasonable to 
establish the compromise of, or attempt to compromise, an ESP as the 
minimum reporting threshold.
    40. In addition, the NOPR identified an ESP's associated EACMS as 
another threshold for a Reportable Cyber Security Incident. As 
explained in the NOPR, EACMS are defined in the NERC Glossary as 
``Cyber Assets that perform electronic access control or electronic 
access monitoring of the Electronic Security Perimeter(s) or BES Cyber 
Systems. This includes Intermediate Systems.'' More specifically, EACMS 
include, for example, firewalls, authentication servers, security event 
monitoring systems, intrusion detection systems and alerting systems.
    41. While the Commission proposed to include EACMS within the scope 
of the proposed directive, the Commission also sought comment on the 
possibility of excluding EACMS from the scope of the proposed 
directive.
2. Comments
    42. NERC supports the NOPR proposal to limit the scope of Cyber 
Security Incident reporting to incidents that compromise or attempt to 
compromise a responsible entity's ESP or associated EACMS. NERC 
explains that any new reporting requirements ``need to be scoped in a 
manner that provides for meaningful reporting of cyber security risks 
but does not unduly burden entities.'' \66\ Specifically, NERC states:
---------------------------------------------------------------------------

    \66\ NERC Comments at 6.
---------------------------------------------------------------------------

    Because the ESP protects some of the most important Cyber Assets 
and the EACMS control or monitor access to those Cyber

[[Page 36734]]

Assets, NERC agrees that reporting on attempts to compromise these 
security measures would provide valuable data while also imposing a 
reasonable burden on entities given the limited traffic they should 
experience.\67\
---------------------------------------------------------------------------

    \67\ Id. at 7.
---------------------------------------------------------------------------

    NERC notes that some EACMS devices ``may provide important early 
indicators of future compromise'' and, therefore, NERC states that it 
``supports including EACMS in the reporting threshold in addition to 
the ESP and notes that logging attempts to compromise the ESP and some 
EACMS devices does not impose an unreasonable burden on entities.'' 
\68\
---------------------------------------------------------------------------

    \68\ Id. at 8.
---------------------------------------------------------------------------

    43. While NERC supports adopting the compromise or attempt to 
compromise a responsible entity's ESP or an EACMS associated with an 
ESP as a threshold for Cyber Security Incident reporting, NERC explains 
that ``there is still a need to refine the scope of the proposed 
directive to ensure that it would provide meaningful data without 
overburdening entities.'' \69\ Specifically, NERC states that there is 
a need to ``outline the parameters of an `attempt to compromise' in 
order to issue a precise data request.'' \70\ In particular, NERC 
states that it ``would consider the common understanding of adverse 
activities that are early indicators of compromise, such as campaigns 
against industrial control systems, to help refine the parameters.'' 
\71\ In addition, NERC notes that EACMS, as defined in the NERC 
Glossary, include a wide variety of devices that perform control and 
monitoring functions. NERC states further that it ``needs to consider 
whether to define the reporting threshold to differentiate between the 
various types of EACMS for reporting purposes.'' \72\ Therefore, NERC 
requests that the Commission provide flexibility in refining the 
threshold for Cyber Security Incident reporting.
---------------------------------------------------------------------------

    \69\ Id. at 9.
    \70\ Id. at 9.
    \71\ Id. at 9.
    \72\ Id. at 9.
---------------------------------------------------------------------------

    44. Trade Associations, APS, BPA, EnergySec, Resilient Societies, 
IRC, ITC, and NYPSC generally support the reporting threshold proposed 
in the NOPR, but caution that any new or modified requirements should 
be properly scoped. Trade Associations state that the NOPR proposal 
``is potentially overbroad and could result in unduly burdensome 
reporting requirements that reduce awareness of significant cyber 
threats.'' \73\ Trade Associations also contend that a new or revised 
Reliability Standard ``should not include the proposed generic 
threshold of reporting any incidents that compromise or attempt to 
compromise an ESP or EACMS.'' \74\ Instead, Trade Associations 
recommend that the Commission ``give NERC sufficient flexibility to 
define appropriate reporting thresholds for attempted compromises of an 
ESP or EACMS.'' \75\
---------------------------------------------------------------------------

    \73\ APPA, et al. Comments at 5 (emphasis in original).
    \74\ Id. (emphasis in original).
    \75\ Id. at 5.
---------------------------------------------------------------------------

    45. APS asserts that, given the differences among EACMS, it does 
not support the inclusion of all EACMS or the exclusion of all EACMS 
from an enhanced reporting requirement. APS states that while it 
``concurs that the incidents impacting the ESP should certainly be in 
scope of reporting, it is concerned that the exclusion of EACMS (which 
includes [Electronic Access Points (EAP)]) results in a likely 
compromise scenario going unreported.'' \76\ Specifically, APS notes 
that ``a user's credentials to an Intermediate System, which includes/
can be classified as an EAP(s) and/or EACMS, could be compromised.'' 
\77\ APS contends that such a compromise would not implicate the ESP, 
but could impact or attempt to impact a BES Cyber Asset or System. APS 
states, however, that ``there are numerous EACMS for which a compromise 
scenario would not be critical or allow potential access to an ESP.'' 
\78\ Therefore, APS maintains that an evaluation of the functions of 
various EACMS is needed before they can be included in any reporting 
requirement.
---------------------------------------------------------------------------

    \76\ APS Comments at 9.
    \77\ Id.
    \78\ Id.
---------------------------------------------------------------------------

    46. BPA states that a broader definition of a Reportable Cyber 
Security Incident is necessary since the current definition only 
addresses actual compromises. BPA avers that ``information about 
certain attempts to compromise will likely better assist the industry 
in preventing successful cyber attacks.'' \79\ BPA states that the 
current definition of a Cyber Security Incident is a good starting 
point for a revision since it includes attempts to compromise or 
disrupt. BPA cautions, however, that the current definition of Cyber 
Security Incident ``may be too broad and result in overreporting of 
information.'' \80\
---------------------------------------------------------------------------

    \79\ BPA Comments at 3.
    \80\ Id. at 3.
---------------------------------------------------------------------------

    47. EnergySec states that it ``generally agree[s] that successful 
attacks against ESPs and EACMS should be within the scope of reporting; 
[but] disagree[s] with the proposal to include attempted compromise in 
the reporting requirements.'' \81\ In addition, EnergySec suggests that 
monitoring-only systems be excluded from any reporting requirement, 
stating that ``[a]lthough compromise of monitoring systems could assist 
an attack, such a compromise would not directly permit access.'' \82\ 
Resilient Societies states that ``[e]xcluding [EACMS] from the 
Commission directive could exempt reporting of attempted compromises.'' 
\83\ IRC states that ``adding EACMS to the requirement for mandatory 
reporting would be beneficial, not only because of their role as a 
boundary point, but also because EACMS perform other roles that support 
the BES Cyber Systems.'' \84\ IRC cautions, however, that ``[w]ithout 
providing further definitions or criteria, the NOPR's proposal to 
require reporting of all `attempts to compromise' the ESP or EACMS is 
unclear and potentially unachievable.'' \85\
---------------------------------------------------------------------------

    \81\ EnergySec Comments at 3-4.
    \82\ Id. at 4.
    \83\ Resilient Societies Comments at 14.
    \84\ IRC Comments at 5.
    \85\ Id. at 3-4.
---------------------------------------------------------------------------

    48. While ITC generally supports the NOPR proposal, ITC ``requests 
that the Commission refrain from including unsuccessful attempts to 
compromise an ESP-associated EACMS in the revised definition of a Cyber 
Security Incident.'' \86\ ITC notes that responsible entity systems 
with publicly-visible IP addresses ``sustain a regular stream of denial 
of service attempts, phishing emails, attempted firewall breaches, 
untargeted and targeted malware, and other common cybersecurity threats 
for which countermeasures are well-established and which pose a 
miniscule chance of success.'' \87\ ITC states that including 
``attempted compromises of ESP-associated EACMS would appear to require 
reporting for a sizeable number of these common events.'' \88\ 
Therefore, ITC states that while it ``supports expanding the definition 
of Reportable Cyber Incidents to include incidents that compromise, or 
attempt to compromise, a responsible entity's ESP, ITC would urge the 
Commission to direct NERC to include only actual breaches of a 
responsible entity's ESP-associated EACMS, and not attempted-but-
unsuccessful compromises.'' \89\ NYPSC notes that ``[f]ailed cyber 
attacks occur on a continuous basis, all the time. . .'' and, 
therefore, ``[a] reporting requirement of every attempted security

[[Page 36735]]

attack may be overly burdensome for reporting entities.'' \90\ NYPSC 
``suggests FERC consider developing clear criteria of the required 
reporting based on its review of the comments and recommendations from 
reporting entities.'' \91\
---------------------------------------------------------------------------

    \86\ ITC Comments at 5.
    \87\ Id. at 5.
    \88\ Id. at 5.
    \89\ Id. at 5.
    \90\ NYPSC Comments at 5-6.
    \91\ Id. at 6.
---------------------------------------------------------------------------
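    The scoping concern raised in paragraphs 28, 34, 38 and 48 (entities 
already log successful logins, failed access attempts and failed login 
attempts under CIP-007-6, Requirement R4.1, yet most failed attempts are 
benign and their volume is far larger than anything sensible to report) 
can be illustrated with a small triage routine. The following Python is 
an added example written for this page; it is not code from the 
Commission, NERC, or any commenter. The log format, the asset inventory 
(which assets form the ESP or are EACMS associated with it), the 
ten-minute window and the failure counts that separate routine noise from 
a candidate ``attempt to compromise'' are all constructed assumptions; the 
Final Rule leaves the actual threshold to the NERC standards development 
process.

```python
"""
Triage of CIP-007-6 R4.1 style access logs into report candidates.

Added illustration for this page, not code from the Final Rule, NERC or
any commenter.  The log format, asset inventory, window length and the
failure-count thresholds are constructed assumptions; the rule leaves the
real "attempt to compromise" threshold to NERC's standards process.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed asset inventory.  Only the ESP and EACMS associated with an
# ESP are in scope under the directive; a corporate asset is not.
ASSET_SCOPE = {
    "esp-fw01": "ESP",        # firewall forming the ESP boundary
    "eacms-auth01": "EACMS",  # authentication server controlling ESP access
    "corp-mail01": "OUT",     # corporate asset, outside CIP scope
}

# Assumed triage parameters (not taken from the rule or any standard).
WINDOW = timedelta(minutes=10)   # sliding window for counting failures
FAIL_THRESHOLD = 5               # failures in window -> attempted compromise
SUCCESS_AFTER_FAILS = 2          # failures then success -> needs review

# Severity order used when one source triggers more than one condition.
RANK = {"noise": 0,
        "attempted_compromise_candidate": 1,
        "review_success_after_failures": 2}

# Constructed sample log lines in a key=value style (one malformed line
# included to show that bad input is skipped rather than crashing triage).
SAMPLE_LOG = """\
2018-07-31T10:00:01Z asset=eacms-auth01 src=10.0.0.5 user=operator result=FAIL
2018-07-31T10:00:09Z asset=eacms-auth01 src=10.0.0.5 user=operator result=SUCCESS
2018-07-31T10:01:00Z asset=esp-fw01 src=198.51.100.7 user=admin result=FAIL
2018-07-31T10:01:05Z asset=esp-fw01 src=198.51.100.7 user=admin result=FAIL
2018-07-31T10:01:10Z asset=esp-fw01 src=198.51.100.7 user=root result=FAIL
2018-07-31T10:01:15Z asset=esp-fw01 src=198.51.100.7 user=root result=FAIL
2018-07-31T10:01:20Z asset=esp-fw01 src=198.51.100.7 user=admin result=FAIL
2018-07-31T10:02:00Z asset=eacms-auth01 src=203.0.113.9 user=svc result=FAIL
2018-07-31T10:02:30Z asset=eacms-auth01 src=203.0.113.9 user=svc result=FAIL
2018-07-31T10:03:00Z asset=eacms-auth01 src=203.0.113.9 user=svc result=SUCCESS
2018-07-31T10:05:00Z asset=corp-mail01 src=203.0.113.9 user=svc result=FAIL
this line is not a valid log record
2018-07-31T10:10:00Z asset=esp-fw01 src=192.0.2.4 user=ops result=FAIL
2018-07-31T10:25:00Z asset=esp-fw01 src=192.0.2.4 user=ops result=FAIL
2018-07-31T10:40:00Z asset=esp-fw01 src=192.0.2.4 user=ops result=FAIL
2018-07-31T10:55:00Z asset=esp-fw01 src=192.0.2.4 user=ops result=FAIL
2018-07-31T11:10:00Z asset=esp-fw01 src=192.0.2.4 user=ops result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) asset=(?P<asset>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_line(line):
    """Parse one constructed log line; return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts.replace(tzinfo=timezone.utc), "asset": m["asset"],
            "src": m["src"], "user": m["user"], "result": m["result"]}


def triage(log_text, window=WINDOW, fail_threshold=FAIL_THRESHOLD,
           success_after=SUCCESS_AFTER_FAILS):
    """Return {(asset, src): verdict} for events on in-scope assets only."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    groups = defaultdict(list)
    for e in events:
        if ASSET_SCOPE.get(e["asset"], "OUT") == "OUT":
            continue  # not an ESP or ESP-associated EACMS: never a candidate
        groups[(e["asset"], e["src"])].append(e)

    verdicts = {}
    for key, evs in groups.items():
        recent_fails = deque()
        verdict = "noise"
        for e in evs:
            # Forget failures that fell out of the sliding window.
            while recent_fails and e["ts"] - recent_fails[0] > window:
                recent_fails.popleft()
            if e["result"] == "FAIL":
                recent_fails.append(e["ts"])
                if len(recent_fails) >= fail_threshold:
                    new = "attempted_compromise_candidate"
                else:
                    new = "noise"
            elif len(recent_fails) >= success_after:
                new = "review_success_after_failures"  # possible real compromise
            else:
                new = "noise"                           # e.g. one typo then login
            if RANK[new] > RANK[verdict]:
                verdict = new
        verdicts[key] = verdict
    return verdicts


def report_candidates(log_text):
    """Only the (asset, src) pairs an analyst would look at for reporting."""
    return {k: v for k, v in triage(log_text).items() if v != "noise"}


if __name__ == "__main__":
    for (asset, src), verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{asset:14} {src:14} {verdict}")
```

    With the constructed input, the single operator typo followed by a 
successful login and the five failures spread over an hour both stay 
``noise'', the burst of five failures against the ESP firewall in twenty 
seconds becomes an attempted-compromise candidate, two failures followed 
by a success on the authentication server is flagged for review as a 
possible actual compromise, and the corporate mail server is dropped 
because it is outside the ESP/EACMS scope. Changing the assumed window or 
counts moves events between those buckets, which is precisely the 
threshold decision the Commission leaves to the standards process.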

    49. Idaho Power states that ``additional reporting requirements do 
not increase cyber security.'' \92\ Idaho Power contends that 
``additional administrative burdens such as reporting requirements 
reduce the finite resources that entities have to monitor and defend 
their critical infrastructure.'' \93\ In addition, Idaho Power states 
that EACMS ``should be excluded from any additional requirements and 
only BES Cyber Systems and associated devices should be included in any 
further reporting requirements.'' \94\
---------------------------------------------------------------------------

    \92\ Idaho Power Comments at 2.
    \93\ Id.
    \94\ Id.
---------------------------------------------------------------------------

    50. Other commenters support expanding the enhanced reporting 
requirement beyond what was proposed in the NOPR. NRG supports the NOPR 
proposal to direct NERC to develop modifications to the CIP Reliability 
Standards to improve the reporting of Cyber Security Incidents. NRG 
also supports including EACMS as a threshold for reporting. In 
addition, NRG ``recommends that the scope of the NOPR avoid limiting 
the requirement to High and Medium Impact BES Cyber Systems.'' \95\ 
Specifically, NRG notes that the NOPR proposal ``would limit the 
requirement to High and Medium Impact BES Cyber Systems as ESPs and 
EACMS are not required establishments at Low Impact BES Cyber 
Systems.'' \96\ Therefore, NRG states that ``any modification to the 
referenced CIP Reliability Standards should be applicable to all BES 
Cyber Systems with External Routable Communications.'' \97\
---------------------------------------------------------------------------

    \95\ NRG Comments at 5.
    \96\ Id. at 2.
    \97\ Id.
---------------------------------------------------------------------------

    51. Appelbaum supports the NOPR proposal to include the attempted 
or actual compromise of an ESP or EACMS in the mandatory reporting 
requirement. However, Appelbaum ``propose[s] the Commission consider 
adding Physical Security Perimeters and Physical Access Control Systems 
(PACS) as well.'' \98\ Simon supports the NOPR proposal, but encourages 
the Commission to broaden the directive to include low impact BES Cyber 
Systems. Specifically, Simon states that ``[o]mission of mandatory 
reporting for the disruption, or an attempt to disrupt, the operation 
of electronic access controls for BES assets with low impact BES Cyber 
Systems leaves a large blind spot in the Commission's effort to learn 
of efforts to harm the reliable operation of the bulk electric 
system.'' \99\ Isologic does not support limiting Cyber Security 
Incident reporting to situations involving an entity's ESP or 
associated EACMS. Isologic states that ``there are few CIP standards 
for `secure perimeters' and for the mass of BES Low Impact Facilities, 
(substations), security is at the fence line, not in ESPs.'' \100\
---------------------------------------------------------------------------

    \98\ Appelbaum Comments at 7.
    \99\ Simon Comments at 4.
    \100\ Isologic Comments at 7.
---------------------------------------------------------------------------

3. Commission Determination
    52. The record in this proceeding supports establishing the 
compromise or attempted compromise of an ESP as the appropriate 
threshold for a Reportable Cyber Security Incident. In addition, with 
exceptions, the comments support including EACMS associated with an ESP 
as part of the reporting threshold. As NERC notes, an ``ESP protects 
some of the most important Cyber Assets and the EACMS control or 
monitor access to those Cyber Assets.'' \101\ While we believe that 
ESPs and EACMS should be within the scope of a broadened reporting 
requirement, the comments, correctly in our view, point to the need to 
establish an appropriate scope for reporting. As NERC states, ``there 
is still a need to refine the scope of the proposed directive to ensure 
that it would provide meaningful data without overburdening entities.'' 
\102\ This concern is reflected in a number of comments, pointing to 
the need to identify the appropriate assets to monitor (for example, 
only EACMS associated with an ESP) and to clearly define an ``attempt 
to compromise.'' \103\
---------------------------------------------------------------------------

    \101\ NERC Comments at 7.
    \102\ Id. at 9.
    \103\ See NERC Comments at 9, APPA, et al. Comments at 5, APS 
Comments at 9, BPA Comments at 3, EnergySec Comments at 3, IRC 
Comments at 3-4, ITC Comments at 5, NYPSC Comments at 6.
---------------------------------------------------------------------------

    53. The comments generally support the view that NERC should have 
the flexibility to establish an appropriate reporting threshold. We 
recognize the need for a certain level of flexibility and believe that 
it is appropriate for NERC to address the specific reporting threshold 
through the standards development process. However, as discussed 
further below, we provide guidance on certain aspects of how NERC 
should identify EACMS for reporting purposes and what types of 
attempted compromise must be reported.
    54. With regard to identifying EACMS for reporting purposes, NERC's 
reporting threshold should encompass the functions that various 
electronic access control and monitoring technologies provide. Those 
functions must include, at a minimum: (1) Authentication; (2) 
monitoring and logging; (3) access control; (4) interactive remote 
access; and (5) alerting.\104\ Reporting a malicious act or suspicious 
event that has compromised, or attempted to compromise, a responsible 
entity's EACMS that perform any of these five functions would meet the 
intended scope of the directive by improving awareness of existing and 
future cyber security threats and potential vulnerabilities. Since 
responsible entities are already required to monitor and log system 
activity under Reliability Standard CIP-007-6, the incremental burden 
of reporting of the compromise or attempted compromise of an EACMS that 
performs the identified functions should be limited, especially when 
compared to the benefit of the enhanced situational awareness that such 
reporting will provide.
---------------------------------------------------------------------------

    \104\ See NERC Glossary of Terms definition of EACMS. See also 
Reliability Standard CIP-006-6, Requirement R1.5 (Physical Security 
Plan) at 10 (``[i]ssue an alarm or alert in response to detected 
unauthorized access'' to certain High and Medium Impact BES Cyber 
Systems and associated EACMS); Reliability Standard CIP-007-6, 
Requirement R4.2 (Security Event Monitoring) at 16; and Reliability 
Standard CIP-007-6, Requirement R5.7 (System Access Control) at 25.
---------------------------------------------------------------------------

    55. With regard to the definition of ``attempted compromise'' for 
reporting purposes, we consider attempted compromise to include an 
unauthorized access attempt or other confirmed suspicious activity. ITC 
raises a concern that including unsuccessful attempts to compromise an 
EACMS associated with an ESP would require reporting a significant 
number of events. We note, however, that limiting the reporting 
threshold to only EACMS that are associated with an ESP should limit 
the reporting burden since these assets should be located apart from 
the responsible entity's broader business IT networks. Moreover, as 
discussed in the next section, we also believe that a flexible 
reporting timeline that reflects the severity of a Cyber Security 
Incident could also help address the potential burden of reporting 
attempted compromises.
    56. With regard to BPA's suggestion that a revised definition of 
Reportable Cyber Security Incident is necessary, as discussed above, 
revisions to the current definition of Reportable Cyber Security

[[Page 36736]]

Incident could address certain aspects of the NOPR proposal, although a 
modified definition alone would not address the need to specify the 
required information in cyber security incident reports to improve the 
quality of reporting and allow for ease of comparison, or establish 
deadlines for submitting a report to facilitate timely information 
sharing. Therefore, although we believe that a modified definition of 
Reportable Cyber Security Incident could address part of the 
Commission's concerns, additional modifications to the Reliability 
Standards would be necessary to meet the security objective of the 
directives discussed herein.
    57. A number of commenters request that we expand the directive to 
include a broader scope of assets, including low impact BES Cyber 
Systems. However, we decline to expand the scope of Cyber Security 
Incident reporting beyond the ESP and associated EACMS at this time. 
The focus on ESPs and associated EACMS is intended to provide threat 
information on BES Cyber Systems that have the greatest impact on BES 
reliability while imposing a reasonable reporting burden on responsible 
entities. Nevertheless, the Commission could revisit this issue if 
there is demonstrated need for expanded Cyber Security Incident 
reporting.
    58. Therefore, we adopt the NOPR proposal and conclude that the 
compromise, or attempt to compromise, a responsible entity's ESP or 
associated EACMS is a reasonable threshold for augmented Cyber Security 
Incident reporting.

C. Appropriate Procedural Approach To Augment Cyber Security Incident 
Reporting

1. NOPR
    59. The NOPR proposed to direct NERC to modify the CIP Reliability 
Standards to augment the mandatory reporting of Cyber Security 
Incidents, while also seeking comment on whether a request for data or 
information pursuant to Section 1600 of the NERC Rules of Procedure 
would effectively address the reporting gap.
2. Comments
    60. While NERC supports broadened mandatory Cyber Security Incident 
reporting, NERC does not support the NOPR proposal to direct a 
modification to the Reliability Standards. Instead, NERC requests 
flexibility to determine the appropriate reporting procedure. 
Specifically, NERC proposes to ``use the [Rules of Procedure] Section 
1600 process for gathering data used for system performance.'' \105\ 
NERC maintains that it has ``successfully shifted to using Section 1600 
for other data collection efforts, such as the collection of reports on 
Protection System Misoperation.'' \106\ NERC explains further that the 
Section 1600 process would be used to ``supplement the existing 
voluntary reporting of cyber security threats to E-ISAC.'' \107\
---------------------------------------------------------------------------

    \105\ NERC Comments at 10.
    \106\ Id.
    \107\ Id.
---------------------------------------------------------------------------

    61. NERC states that the Section 1600 process ``provides many of 
the same benefits as Reliability Standards,'' such as stakeholder and 
Commission staff input.\108\ NERC also states that, similar to 
Reliability Standards, compliance with Section 1600 is mandatory. NERC 
explains that if a responsible entity does not respond to a Section 
1600 data request, ``NERC has the authority under the [Rules of 
Procedure] to take such action as NERC deems appropriate to address a 
situation where a Rule of Procedure cannot practically be complied with 
or has been violated.'' \109\ NERC explains that the Section 1600 data 
request process provides the flexibility to revise or update the data 
request, if necessary, as well as ``the flexibility to determine the 
appropriate timeline for submitting the data.'' \110\ NERC states that 
while it may continue to use the Reliability Standards for data 
collection for evidence of compliance or to facilitate sharing of 
information between entities for BES operations, it ``has found the 
[Rules of Procedure] Section 1600 process to be effective for data 
collection to assess system performance.'' \111\ NERC cites a standing 
Section 1600 data request for entities to submit quarterly data on 
Protection System Misoperations as an example.
---------------------------------------------------------------------------

    \108\ Id.
    \109\ Id. at 11.
    \110\ Id. at 12-13.
    \111\ Id. at 12.
---------------------------------------------------------------------------

    62. LPPC supports the use of the Section 1600 process to facilitate 
enhanced Cyber Security Incident reporting. LPPC states that it 
``supports a more flexible approach to collection of actionable 
information through the data request process outlined in NERC ROP 
Section 1600.'' \112\ LPPC asserts that the data request approach 
offers flexibility that the standards development process does not. 
Specifically, LPPC states that ``compliance with a NERC data request is 
mandatory for applicable entities, while the data request procedures 
specified under [Rules of Procedure] Section 1600 also provide a more 
efficient process to update or revise a data request as needed to 
respond to rapidly-changing security threats.'' \113\ Finally, LPPC 
opines that ``it seems appropriate to remove the data collection 
process from the enforcement process associated with mandatory 
Reliability Standards.'' \114\
---------------------------------------------------------------------------

    \112\ LPPC Comments at 6-7.
    \113\ Id. at 7.
    \114\ Id.
---------------------------------------------------------------------------

    63. APS, BPA, Resilient Societies, IRC, and NRG oppose the use of 
the Section 1600 process to facilitate enhanced Cyber Security Incident 
reporting. APS asserts that a request for data pursuant to Section 1600 
would not effectively address the reporting gap and current lack of 
awareness of cyber-related incidents. Specifically, APS argues that a 
data request would create an independent, redundant reporting 
obligation to NERC or a regional entity and would subject the 
provisions of reported information to the confidentiality and data 
sharing processes set forth in Rules of Procedure Section 1500, 
unnecessarily delaying sharing and distribution of information.\115\ 
APS states further that the Section 1600 process ``adds significant 
additional administrative burden for all involved entities, which is 
inefficient and unnecessary and presents a potential obstacle to the 
very sharing and distribution that is a critical part of the 
Commission's objectives set forth in the NOPR.'' \116\
---------------------------------------------------------------------------

    \115\ APS Comments at 16.
    \116\ Id. at 16-17.
---------------------------------------------------------------------------

    64. BPA comments that a data request is not an effective means of 
obtaining information about cyber security incidents. BPA explains that 
Section 1600 data requests ``are one time requests for existing data, 
and [. . .] not the appropriate vehicle for ensuring ongoing reporting 
necessary to make data about Cyber Security Incidents effective.'' 
\117\ Resilient Societies states that ``[e]xamination of NERC Rules of 
Procedure Section 1600 shows the intent of [the] rule is to facilitate 
one-time requests for data.'' \118\ Therefore, Resilient Societies 
asserts that the Section 1600 reporting procedures ``would be a poor 
fit for a standing order for data on cybersecurity incidents that occur 
continually.'' \119\ NRG opposes the use of the Section 1600 data 
request process asserting that a request for data or information would 
neither address the current lack of awareness of cyber-related 
incidents, nor satisfy the goals of the proposed directive.
---------------------------------------------------------------------------

    \117\ BPA Comments at 4.
    \118\ Resilient Societies Comments at 15.
    \119\ Id.
---------------------------------------------------------------------------

    65. APS, as discussed above, suggests adopting the DOE Electric 
Disturbance

[[Page 36737]]

Events, Form OE-417 as the primary reporting tool for Cyber Security 
Events. EnergySec, for its part, suggests that the Commission could 
direct NERC to require entities to develop and implement an information 
sharing plan.\120\ According to EnergySec, such an approach should 
provide broad discretion to entities and ensure that compliance 
oversight efforts cannot result in second-guessing of decisions 
regarding which information to share, when, or with whom. IRC suggests, 
alternatively, that the Commission allow entities to comply with the 
reporting requirements by participating in the Cyber Risk Information 
Sharing program. IRC explains that the program allows entities to 
automatically report information to E-ISAC for analysis against 
classified information. IRC states that responsible entities that 
``automatically report indicators of compromise through these systems 
will share information at machine speed, and this should be considered 
superior to manual reporting, which requires much slower decision-
making.'' \121\
---------------------------------------------------------------------------

    \120\ EnergySec Comments at 6.
    \121\ IRC Comments at 7.
---------------------------------------------------------------------------

3. Commission Determination
    66. As discussed above, we adopt the NOPR proposal and direct NERC 
to develop modifications to the NERC Reliability Standards to improve 
mandatory reporting of Cyber Security Incidents, including incidents 
that might facilitate subsequent efforts to harm the reliable operation 
of the BES. We have considered the arguments raised in the comments for 
using Reliability Standards, Section 1600 information and data 
requests, and other vehicles to implement augmented Cyber Security 
Incident reporting. On balance, we conclude that broadened mandatory 
reporting pursuant to Reliability Standard requirements is more aligned 
with the seriousness and magnitude of the current threat environment 
and the more effective approach to improve awareness of existing and 
future cyber security threats and potential vulnerabilities.
    67. First, the development of a Reliability Standard provides the 
Commission with an opportunity to review and ultimately approve a new 
or modified Reliability Standard, ensuring that the desired goals of 
the directive are met. Moreover, the Reliability Standards development 
process allows for the collaboration of industry experts in developing 
a draft standard and also gives interested entities broader opportunity 
to participate and comment on any proposal that is developed. In 
contrast, NERC's process for developing a Section 1600 data request 
provides for less stakeholder input and only informal review of a draft 
data request by Commission staff. Thus, in this circumstance, the 
standards development process is preferable for the development of 
augmented cyber incident reporting requirements that satisfy the scope 
of the Commission's directive.
    68. Second, the development of a Reliability Standard provides 
better assurance of accurate, complete, and verifiable reporting of 
cyber security incidents. The Commission has well-defined authority and 
processes under section 215(e) of the FPA to audit and enforce 
compliance with a Reliability Standard. While NERC notes that a 
responsible entity must respond to a NERC Section 1600 data request, 
NERC cannot impose sanctions on registered entities who fail to respond 
to such data requests. Rather, a failure to comply would be a violation 
of the Commission's regulations,\122\ requiring a referral to the 
Commission for action. Such a process would be a departure from the 
clearly defined processes used to enforce compliance with the 
Reliability Standards. Moreover, it is unclear how NERC would even 
learn of such a failure since, unlike mandatory Reliability Standards, 
compliance with Section 1600 data requests is not subject to regular 
audit. Accordingly, given the importance of accurate, complete, and 
verifiable cyber security incident reporting, we find that the more 
robust and well-established compliance and enforcement processes 
associated with mandatory Reliability Standards are desirable in this 
instance.
---------------------------------------------------------------------------

    \122\ 18 CFR 39.2(b) (2017) (``All entities subject to the 
Commission's reliability jurisdiction . . . shall comply with 
applicable Reliability Standards, the Commission's regulations, and 
applicable Electric Reliability Organization and Regional Entity 
Rules made effective under this part.'').
---------------------------------------------------------------------------

    69. Third, we are not persuaded by NERC's assertion that a Section 
1600 data request is preferable in this instance because it allows for 
flexibility and faster modification should a need arise for future 
revisions to the collection of cyber incident reporting data. We do not 
anticipate that there would be a need to change the parameters of the 
event report, given that the anticipated reporting requirements should 
not be technology-specific, but rather, broad enough to capture basic 
data even as the nature of cyber security incidents evolves. 
Specifically, the NOPR proposed that the minimum set of attributes to 
be reported should include: (1) The functional impact, where possible 
to determine, that the Cyber Security Incident achieved or attempted to 
achieve; (2) the attack vector that was used to achieve or attempt to 
achieve the Cyber Security Incident; and (3) the level of intrusion 
that was achieved or attempted as a result of the Cyber Security 
Incident. Since these attributes are general in nature and not 
technology specific, they would not need to be refined as the 
underlying cyber threats evolve, nor would they need to be refined 
quickly.
    70. In a similar vein, the assets (i.e., EACMS) subject to the 
enhanced reporting requirements should be identified based on function, 
as opposed to a specific technology that could require a modification 
in the reporting requirements should the underlying technology change. 
As discussed above, those functions must include, at a minimum: (1) 
Authentication; (2) monitoring and logging; (3) access control; (4) 
interactive remote access; and (5) alerting. Finally, since the level 
of attempted compromise that warrants reporting should reflect 
unauthorized access attempts and other confirmed suspicious activity, 
we do not anticipate that a modification would be required in the 
future. Nevertheless, should the situation demand a more timely change 
in data collection or should NERC desire to collect additional 
information that is outside the scope of the proposed Reliability 
Standard, NERC could use the Section 1600 data request process to 
supplement information reported under a mandatory Reliability Standard.
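    Paragraphs 54, 55, 69 and 70 together describe a reporting rule that 
can be stated mechanically: an event is reportable when it is a 
compromise or attempted compromise (an unauthorized access attempt or 
other confirmed suspicious activity) of an ESP, or of an EACMS 
associated with an ESP that performs at least one of the five named 
functions, and each report carries the three minimum attributes, with 
functional impact recorded only where it can be determined. The Python 
below is an added illustration of that rule, not text of the Order or 
of any NERC Reliability Standard; the asset records, disposition labels 
and attribute values are constructed for the example, and the 
anonymized aggregate at the end follows the shape of the annual summary 
discussed in paragraph 77.

```python
"""Added illustration of the Order No. 848 reporting threshold and minimum
report content. Nothing here is from the Order or a NERC Standard; assets,
events and attribute values are constructed for the example."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List

# The five EACMS functions the Order names (paragraphs 54 and 70).
EACMS_FUNCTIONS: FrozenSet[str] = frozenset({
    "authentication",
    "monitoring_and_logging",
    "access_control",
    "interactive_remote_access",
    "alerting",
})


class Disposition(Enum):
    """How the responsible entity's own triage classified the event.
    The two middle values are the kinds of attempted compromise in
    paragraph 55; BENIGN is noise ruled out by triage."""
    COMPROMISE = "compromise"
    UNAUTHORIZED_ACCESS_ATTEMPT = "unauthorized_access_attempt"
    CONFIRMED_SUSPICIOUS = "confirmed_suspicious_activity"
    BENIGN = "benign"


@dataclass(frozen=True)
class Asset:
    asset_id: str                    # hypothetical internal identifier
    is_esp: bool = False             # the asset is an Electronic Security Perimeter
    associated_with_esp: bool = False  # EACMS protecting an ESP, not business IT
    functions: FrozenSet[str] = frozenset()  # EACMS functions the asset performs


@dataclass(frozen=True)
class Event:
    asset: Asset
    disposition: Disposition
    attack_vector: str          # attribute (2)
    level_of_intrusion: str     # attribute (3)
    functional_impact: str = ""  # attribute (1); may be undetermined at report time


def in_reporting_scope(asset: Asset) -> bool:
    """An ESP, or an ESP-associated EACMS performing one of the five functions."""
    if asset.is_esp:
        return True
    return asset.associated_with_esp and bool(asset.functions & EACMS_FUNCTIONS)


def is_reportable(event: Event) -> bool:
    """Compromise or attempted compromise of an in-scope asset."""
    return in_reporting_scope(event.asset) and event.disposition is not Disposition.BENIGN


def build_report(event: Event) -> Dict[str, str]:
    """Minimum report content. Attack vector and level of intrusion are
    required; functional impact is recorded 'where possible to determine'.
    The asset identifier is deliberately left out so the aggregate stays
    anonymized."""
    if not event.attack_vector or not event.level_of_intrusion:
        raise ValueError("attack vector and level of intrusion are required")
    return {
        "functional_impact": event.functional_impact or "undetermined",
        "attack_vector": event.attack_vector,
        "level_of_intrusion": event.level_of_intrusion,
        "disposition": event.disposition.value,
    }


def triage(events: Iterable[Event]) -> List[Dict[str, str]]:
    """Apply the threshold and produce a report for every reportable event."""
    return [build_report(e) for e in events if is_reportable(e)]


def aggregate(reports: Iterable[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Anonymized counts per attribute value, the shape of an annual summary."""
    reports = list(reports)
    return {
        name: dict(Counter(r[name] for r in reports))
        for name in ("functional_impact", "attack_vector", "level_of_intrusion")
    }


# Constructed sample assets and events (hypothetical, not from the Order).
ESP_FIREWALL = Asset("esp-fw-01", is_esp=True)
JUMP_HOST = Asset("jump-01", associated_with_esp=True,
                  functions=frozenset({"interactive_remote_access", "authentication"}))
SIEM = Asset("siem-01", associated_with_esp=True,
             functions=frozenset({"monitoring_and_logging", "alerting"}))
CORP_AD = Asset("corp-ad-01", functions=frozenset({"authentication"}))  # business IT, no ESP

SAMPLE_EVENTS = [
    Event(ESP_FIREWALL, Disposition.COMPROMISE, "stolen_credentials", "perimeter_breached", "loss_of_view"),
    Event(JUMP_HOST, Disposition.UNAUTHORIZED_ACCESS_ATTEMPT, "password_guessing", "attempted_access"),
    Event(SIEM, Disposition.BENIGN, "none", "none"),
    Event(CORP_AD, Disposition.UNAUTHORIZED_ACCESS_ATTEMPT, "password_guessing", "attempted_access"),
]

if __name__ == "__main__":
    reports = triage(SAMPLE_EVENTS)
    print(f"{len(reports)} of {len(SAMPLE_EVENTS)} constructed events meet the threshold")
    print(aggregate(reports))
```

    Of the four constructed events, only the ESP compromise and the 
attempted unauthorized access to the ESP-associated jump host meet the 
threshold; the benign SIEM event and the attempt against a business IT 
directory outside the ESP do not, which is the burden-limiting effect 
paragraph 55 describes.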
    71. Finally, requiring a data collection in a Reliability Standard 
is consistent with existing practices since responsible entities are 
currently required to maintain the types of information that would lead 
to a reportable Cyber Security Incident pursuant to Reliability 
Standard CIP-007-6, Requirement R4.1.
    72. While we recognize that NERC could likely develop a Section 
1600 data request more quickly than a mandatory Reliability Standard, 
given the potential complexity of considering reporting requirements 
for the various EACMS, we believe that the technical depth of a 
standard development process is more appropriate for this case. 
Although NERC states that it has successfully used ROP Section 1600 to 
collect data on system performance, in this circumstance the 
information being reported relates to threats and potential compromises 
that may require immediate or near-term action as opposed to 
retrospective reporting on Misoperations, as Section 1600 has been 
used.
    73. We also do not support adopting the DOE Form OE-417 as the 
primary

[[Page 36738]]

reporting tool for reporting Cyber Security Incidents, as suggested by 
some commenters. The reporting criteria in our directive are 
distinguishable and more aligned with a risk management approach than 
the information requested in the DOE Form OE-417. Specifically, the DOE 
Form OE-417 has twelve generic criteria for filing a report to the DOE, 
of which only two reflect the criteria outlined in the NOPR proposal, 
which are discussed in the following section. The DOE Form OE-417 does 
not address factors such as attack vector, functional impact and level 
of intrusion. In addition, the definition of a ``Cyber Event'' in the 
DOE Form OE-417 filing instructions does not align with the definition 
of Cyber Security Incident in the NERC Glossary of Terms, let alone a 
Reportable Cyber Security Incident.\123\ Nor does the DOE Form OE-417 
require reporting to E-ISAC or ICS-CERT as our directive requires.
---------------------------------------------------------------------------

    \123\ See Department of Energy Electric Emergency Incident and 
Disturbance Report--Form OE 417. Form OE-417 defines a Cyber Event 
as a disruption on the electrical system and/or communication 
system(s) caused by unauthorized access to computer software and 
communications systems or networks including hardware, software, and 
data. https://www.oe.netl.doe.gov/oe417.aspx.
---------------------------------------------------------------------------

    74. In sum, we conclude that modifications to the NERC Reliability 
Standards to improve mandatory reporting of Cyber Security Incidents, 
including incidents that might facilitate subsequent efforts to harm 
the reliable operation of the BES, are the appropriate approach to 
improve Cyber Security Incident reporting.

D. Content and Timing of a Cyber Security Incident Report

1. NOPR
    75. The NOPR proposed to direct that NERC modify the CIP 
Reliability Standards to specify the required content in a Cyber 
Security Incident report. Specifically, the NOPR proposed that the 
minimum set of attributes to be reported should include: (1) The 
functional impact, where possible, that the Cyber Security Incident 
achieved or attempted to achieve; (2) the attack vector that was used 
to achieve or attempt to achieve the Cyber Security Incident; and (3) 
the level of intrusion that was achieved or attempted as a result of 
the Cyber Security Incident. The NOPR noted that the proposed 
attributes are the same as attributes already used by DHS for its 
multi-sector reporting and summarized by DHS in an annual report. The 
NOPR stated that specifying the required content should improve the 
quality of reporting by ensuring that basic information is provided; 
and allowing for ease of comparison across reports by ensuring that 
each report includes specified fields of information. The NOPR sought 
comment on the proposed attributes and, more generally, the appropriate 
content for Cyber Security Incident reporting to improve awareness of 
existing and future cyber security threats and potential 
vulnerabilities.
    76. In addition, the NOPR proposed to direct NERC to establish 
requirements outlining deadlines for filing a report once a compromise 
or disruption to reliable BES operation, or an attempted compromise or 
disruption, is identified by a responsible entity. The NOPR stated that 
the reporting timeline should reflect the actual or potential threat to 
reliability, with more serious incidents reported in a more timely 
fashion. The NOPR explained that a reporting timeline that takes into 
consideration the severity of a Cyber Security Incident should minimize 
potential burdens on responsible entities.
    77. The NOPR also proposed that the reports submitted under the 
enhanced mandatory reporting requirements would be provided to E-ISAC, 
similar to the current reporting scheme under Reliability Standard CIP-
008-5, as well as ICS-CERT or any successor organization. While the 
NOPR stated that the detailed incident report would not be submitted to 
the Commission, the NOPR proposed to direct NERC to file publicly an 
annual report reflecting the Cyber Security Incidents reported to NERC 
during the previous year. Specifically, the NOPR proposed to direct 
NERC to file annually an anonymized report providing an aggregated 
summary of the reported information, similar to the ICS-CERT annual 
report.\124\
---------------------------------------------------------------------------

    \124\ NOPR, 161 FERC ¶ 61,291 at 42.
---------------------------------------------------------------------------

2. Comments
    78. NERC supports the minimum set of reporting attributes proposed 
in the NOPR, stating that ``this level of detail regarding each 
reported Cyber Security Incident will not only help NERC understand the 
specific threat but also help NERC understand trends in threats over 
time.'' \125\ NERC also does not oppose either filing an annual, 
anonymized summary of the reports with the Commission, or submitting 
the reports of U.S.-based entities to the ICS-CERT in addition to E-
ISAC. Finally, while NERC supports the concept of imposing a deadline 
for entities to submit full reports of Cyber Security Incidents, NERC 
requests flexibility to determine the appropriate timeframe. 
Specifically, NERC states that it ``will determine an appropriate 
deadline for reports so that NERC can use the data for awareness and 
early indicators of potential compromise but also consider whether 
reporting for historical analysis can provide insight to the trends and 
effectiveness of industry's security controls.'' \126\
---------------------------------------------------------------------------

    \125\ NERC Comments at 14.
    \126\ Id.
---------------------------------------------------------------------------

    79. ITC, IRC, and NRG support the minimum set of reporting 
attributes proposed in the NOPR. ITC states that the NOPR proposal 
reflects ``a reasonable set of baseline requirements for reporting.'' 
\127\ While ITC raises a concern that the collective information in a 
report could potentially lead to the identification of the reporting 
entity, ITC states that it ``will work within the NERC stakeholder and 
standards development process to ensure that the Standards submitted in 
response to the Commission's final rule are structured to preserve 
anonymity to the maximum extent practicable.'' \128\ IRC asserts that 
``it will be beneficial for responsible entities to report indicators 
of compromise that are detected in potential cyberattacks against their 
systems in standard form.'' \129\ NRG recommends that mandatory 
reporting include: ``content Date, Time, Duration of Incident, 
Origination of the attack, threat vector, targeted system (or OS), 
vulnerability exploited, [and] method used to stop/prevent the 
attack.'' \130\
---------------------------------------------------------------------------

    \127\ ITC Comments at 6.
    \128\ Id.
    \129\ IRC Comments at 7.
    \130\ NRG Comments at 5.
---------------------------------------------------------------------------

    80. Appelbaum, APS, EnergySec, Resilient Societies, and Idaho Power 
raise concerns with the minimum set of reporting attributes proposed in 
the NOPR. According to Appelbaum, a count by category of asset, attack 
vector, and impact is sufficient for the mandatory reporting. APS 
contends that ``because each entity's network topology, architecture, 
applications, and other characteristics are different, any requirement 
to provide the functional impact and level of intrusion as part of 
reporting is of very low value and should not be included as mandatory 
attributes of reporting.'' \131\
---------------------------------------------------------------------------

    \131\ APS Comments at 11-12.
---------------------------------------------------------------------------

    81. APS, however, ``agrees that information regarding attack 
vectors could be more relevant, actionable information to be shared.'' 
\132\ EnergySec expresses concern that including the proposed set of 
reporting attributes as a requirement could be construed to require 
significant forensic and analysis efforts. Resilient Societies suggests 
that

[[Page 36739]]

the Commission leverage prior work done by the federal government as 
opposed to establishing new report content. Specifically, Resilient 
Societies suggests that the Commission adopt the US-CERT ``Federal 
Incident Notification Guidelines.'' Idaho Power states that a 
``description of the event and the system(s) affected along with a fact 
pattern describing the situation and known information at the time the 
report is submitted should be sufficient.'' \133\
---------------------------------------------------------------------------

    \132\ Id. at 12.
    \133\ Idaho Power Comments at 3.
---------------------------------------------------------------------------

    82. With regard to the timing of reports, ITC questions whether an 
initial report of a Cyber Security Incident would have to be submitted 
to ICS-CERT as well as E-ISAC. ITC opines that ``the existing one-hour 
reporting requirement poses a significant compliance challenge, and 
that requiring that the initial report also be provided to ICS-CERT 
would be unworkable under that timeframe.'' \134\ IRC states that 
``[t]he timeframe for completing a full report depends on the scale and 
scope of the investigation [and] FERC should consider requiring that 
reports be updated at a certain frequency until the full report is 
complete.'' \135\ IRC recommends a 90-day update requirement until a 
report is finalized. NRG recommends that Cyber Security Incident 
reports should be submitted after existing industry processes have been 
followed relating to Incident Reporting and Response Plans. In 
addition, NRG recommends that the Commission consider directing NERC to 
file a quarterly report in addition to the annual report.
---------------------------------------------------------------------------

    \134\ ITC Comments at 7.
    \135\ IRC Comments at 8.
---------------------------------------------------------------------------

    83. APS recommends aligning the timing of any mandatory reporting 
obligations with the timing dictated in Form OE-417. APS contends that 
reporting events that ``could, but didn't, cause harm to the BES and/or 
facilitate subsequent efforts to harm . . . should be far enough 
removed from the incident to not divert resources from incident 
response and to ensure that enough details are known about the incident 
to provide an accurate, thorough report.'' \136\
---------------------------------------------------------------------------

    \136\ APS Comments at 13.
---------------------------------------------------------------------------

    84. EnergySec agrees that clear timelines should be included in any 
new mandatory Cyber Security Incident requirements. EnergySec further 
comments that the timelines should factor in the severity of the 
incident and the level of effort required to complete an investigation. 
Resilient Societies offers that ``[i]n an ideal world, reporting of 
cybersecurity incidents would take place at machine speed'' and 
suggests that the Commission ``allow and preferably require automated 
reporting, at least for an initial report.'' \137\ Idaho Power states 
that, should the Commission require timelines for reporting, it should 
ensure that an entity has adequate time to analyze each event before 
the reporting deadline.
---------------------------------------------------------------------------

    \137\ Resilient Societies Comments at 15.
---------------------------------------------------------------------------

    85. Lasky supports entities being required to report Cyber Security 
Incidents to both E-ISAC and ICS-CERT, and states that ``it would be 
prudent to report all incidents to the United States Cyber Emergency 
Response Team (US-CERT)'' as well.\138\
---------------------------------------------------------------------------

    \138\ Lasky Comments at 1.
---------------------------------------------------------------------------

3. Commission Determination
    86. As discussed below, we adopt the NOPR proposal on minimum 
reporting attributes and timing but, in response to the commenters' 
concerns, we leave discretion to NERC to develop the reporting 
timelines in the standards development process by considering several 
factors, so that the timelines provide for notice based upon the 
severity of the event and the risk to BES reliability, with updates to 
follow initial reports.
    87. The comments generally support the proposed minimum set of 
reporting attributes. For example, NERC supports the proposed content 
for a Cyber Security Incident report, while requesting flexibility to 
determine the appropriate reporting timeframe. As noted by ITC, the 
NOPR proposal reflects ``a reasonable set of baseline requirements for 
reporting.'' \139\ Certain comments do raise concerns with the proposed 
reporting attributes, especially in the case of attempts versus actual 
compromises.
---------------------------------------------------------------------------

    \139\ ITC Comments at 6.
---------------------------------------------------------------------------

    88. In our view, a new or revised Cyber Security Incident report 
should include, at a minimum, the information outlined in the NOPR 
proposal, where available. Specifically, the minimum set of attributes 
to be reported should include: (1) The functional impact, where 
possible, that the Cyber Security Incident achieved or attempted to 
achieve; (2) the attack vector that was used to achieve or attempted to 
achieve the Cyber Security Incident; and (3) the level of intrusion 
that was achieved or attempted as a result of the Cyber Security 
Incident. In addition, we agree that any reporting requirement should 
not take away from efforts to mitigate a potential compromise.
    89. With regard to timing, we conclude that NERC should establish 
reporting timelines for when the responsible entity must submit Cyber 
Security Incident reports to the E-ISAC and ICS-CERT based on a risk 
impact assessment and incident prioritization approach to incident 
reporting.\140\ This approach would establish reporting timelines that 
commensurate with the adverse impact that loss, compromise, or misuse 
of the affected BES Cyber Systems could have on the reliable operation 
of the BES. Higher risk incidents, such as detecting 
malware within the ESP and associated EACMS or an incident that 
disrupted one or more reliability tasks, could trigger the report to be 
submitted to the E-ISAC and ICS-CERT within a more urgent timeframe, 
such as within one hour, similar to the current reporting deadline in 
Reliability Standard CIP-008-5.\141\ For lower risk incidents, such as 
the detection of attempts at unauthorized access to the responsible 
entity's ESP or associated EACMS, an initial reporting timeframe 
between eight and twenty-four hours would provide an early indication 
of potential cyber attacks.\142\ For situations where a responsible 
entity identifies other suspicious activity associated with an ESP or 
associated EACMS, a monthly report could, as NERC states, assist in the 
analysis of trends in activity over time.\143\
---------------------------------------------------------------------------

    \140\ Similar to the Cyber Incident Severity Schema in DHS's 
National Cyber Incident Response Plan, Annex D (Reporting Incidents 
to the Federal Government) at 41 (2016), https://www.us-cert.gov/sites/default/files/ncirp/National_Cyber_Incident_Response_Plan.pdf.
    \141\ An example of incident categories is the Chairman of the 
Joint Chiefs of Staff Manual, Cyber Incident Handling Program, 
Enclosure B, Appendix A to Enclosure B (Cyber Incident and 
Reportable Cyber Event Categorization) (2012), http://www.jcs.mil/Portals/36/Documents/Library/Manuals/m651001.pdf?ver=2016-02-05-175710-897.
    \142\ See Department of Energy Electric Emergency Incident and 
Disturbance Report, Form OE-417 (six-hour reporting deadline for 
cyber events that could potentially impact electric power system 
reliability) found at: https://www.oe.netl.doe.gov/docs/OE417_Form_05312021.pdf; Nuclear Regulatory Commission Regulatory 
Guide 5.71 (four-hour reporting deadline for cyber events that could 
have caused an adverse impact) found at: https://www.nrc.gov/docs/ML0903/ML090340159.pdf; see also Reliability Standard EOP-004-3 
(Event Reporting), Requirement R2 (requiring a report within twenty-
four hours for events that impact or may impact BES reliability).
    \143\ See NERC Comments at 14.
---------------------------------------------------------------------------

    90. With regard to the appropriate recipients for Cyber Security 
Incident reports, we determine that the reports should be provided to 
E-ISAC, similar to the current reporting scheme under Reliability 
Standard CIP-008-5, as well as ICS-CERT or its successor.\144\

[[Page 36740]]

Reporting directly to E-ISAC and ICS-CERT will result in cyber threat 
information being provided to the organizations best suited to analyze 
and, to the extent necessary, timely inform responsible entities of 
cyber threats. In addition, reporting directly to E-ISAC and ICS-CERT 
addresses the concerns discussed above regarding the confidentiality of 
reported Cyber Security Incident information. We also find that it is 
reasonable for NERC to file annually an anonymized report providing an 
aggregated summary of the reported information, similar to the ICS-CERT 
annual report. The annual report will provide the Commission, NERC, and 
the public a better understanding of any Cyber Security Incidents that 
occurred during the prior year without releasing information on 
specific responsible entities or Cyber Security Events.
---------------------------------------------------------------------------

    \144\ The DHS ICS-CERT is undergoing a reorganization and 
rebranding effort. In the event that ICS-CERT no longer exists, its 
successor will assume the role as incident report recipient.
---------------------------------------------------------------------------

    91. Therefore, we conclude that the minimum set of attributes to be 
reported should include: (1) The functional impact, where possible, 
that the Cyber Security Incident achieved or attempted to achieve; (2) 
the attack vector that was used to achieve or attempted to achieve the 
Cyber Security Incident; and (3) the level of intrusion that was 
achieved or attempted as a result of the Cyber Security Incident. 
NERC may augment the list should it determine that additional 
information would benefit situational awareness of cyber threats. As 
discussed above, we also conclude that NERC should establish a 
reporting timeline that provides for notice based upon the severity of 
the event and the risk to BES reliability, with updates to follow 
initial reports. We also support the adoption of an online reporting 
tool to streamline reporting and reduce burdens on responsible entities 
to the extent the option is available.\145\
---------------------------------------------------------------------------

    \145\ An online reporting tool will streamline the effort and 
allow for direct input into a database for a faster turnaround to 
those that may need to know about the information. For example, see 
https://www.us-cert.gov/forms/report.
---------------------------------------------------------------------------

E. Other Issues

1. Comments
    92. NYPSC supports the NOPR proposal, but notes that if the 
Commission adopts the NOPR proposal, ``the only additional information 
that state entities would gain is an annual compilation of incidents 
reported to federal entities.'' \146\ NYPSC claims that an annual 
report would not provide states with sufficient information on a timely 
basis so that they can ensure that corrective actions can be taken. 
Therefore, NYPSC argues that appropriate state entities should also be 
provided with the cyber reporting information when it is filed with the 
``federal authorities.''
---------------------------------------------------------------------------

    \146\ NYPSC Comments at 4-5.
---------------------------------------------------------------------------

    93. Microsoft raises a concern that the NOPR proposal is not clear 
as to whether the modified CIP Reliability Standards would apply to 
responsible entities that use a commercial cloud service to operate 
cloud-based BES Cyber Systems. Specifically, Microsoft requests that 
the Commission ``confirm that cloud service providers that provide 
services to Registered Entities are not required to register with NERC 
based on their provision of [cloud-based] services, and . . . are not 
responsible for compliance with the CIP Reliability Standards.'' \147\ 
Microsoft asserts that clarifying the status of cloud service providers 
is important to foster technical innovation.
---------------------------------------------------------------------------

    \147\ Microsoft Comments at 1.
---------------------------------------------------------------------------

2. Commission Determination
    94. While we appreciate NYPSC's interest in receiving Cyber 
Security Incident reports when reported to E-ISAC and ICS-CERT, state 
entities will have access to the same information that is reported to 
the Commission (i.e., the annual, anonymized summary). Should a state 
entity determine that it requires additional information from a 
responsible entity under its jurisdiction, the state entity can work 
within its own jurisdiction to procure additional information. Our 
directive is intended to enhance the quality of information received by 
E-ISAC and ICS-CERT, and directing additional sharing with state 
entities is outside the scope of this proceeding.
    95. We decline to grant Microsoft's requested clarification 
regarding the potential registration status of cloud service providers 
because it is outside the scope of this proceeding. Specifically, 
Microsoft's requested clarification addresses a question regarding 
registration of cloud service providers under the NERC functional 
model, as opposed to the specifics of enhanced Cyber Security Incident 
reporting. The purpose of this proceeding is not to make a 
determination regarding the registration status of cloud service 
providers and we have not received input from other interested 
entities.

III. Information Collection Statement

    96. The FERC-725 information collection requirements contained in 
this Final Rule are subject to review by the Office of Management and 
Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 
1995.\148\ OMB's regulations require approval of certain information 
collection requirements imposed by agency rules.\149\ Upon approval of 
a collection of information, OMB will assign an OMB control number and 
expiration date. Respondents subject to the filing requirements of this 
rule will not be penalized for failing to respond to these collections 
of information unless the collections of information display a valid 
OMB control number. The Commission solicits comments on the 
Commission's need for this information, whether the information will 
have practical utility, the accuracy of the burden estimates, ways to 
enhance the quality, utility, and clarity of the information to be 
collected or retained, and any suggested methods for minimizing 
respondents' burden, including the use of automated information 
techniques.
---------------------------------------------------------------------------

    \148\ 44 U.S.C. 3507(d) (2012).
    \149\ 5 CFR 1320.11 (2017).
---------------------------------------------------------------------------

    97. The Commission will submit these proposed reporting 
requirements to OMB for its review and approval under section 3507(d) 
of the PRA because the Final Rule results in nonsubstantive/non-
material changes in paperwork burden. The Final Rule directs NERC to 
make Cyber Security reporting changes across all applicable Reliability 
Standards. These proposed changes will be covered by the FERC-725 
information collection (Certification of Electric Reliability 
Organization; Procedures for Electric Reliability Standards) [OMB 
Control No. 1902-0225]. FERC-725 includes the ERO's overall 
responsibility for developing Reliability Standards to include any 
Reliability Standards that relate to Cyber Security Incident reporting. 
There will be no change to the Public Reporting Burden as it affects 
the FERC-725 information collection.
    98. Comments are solicited on the Commission's need for the 
information proposed to be reported, whether the information will have 
practical utility, ways to enhance the quality, utility, and clarity of 
the information to be collected, and any suggested methods for 
minimizing the respondent's burden, including the use of automated 
information techniques.
    99. Internal review: The Commission has reviewed the approved 
changes and has determined that the changes are necessary to ensure the 
reliability and integrity of the Nation's Bulk-Power System.
    100. Interested persons may obtain information on the reporting 
requirements by contacting the

[[Page 36741]]

following: Federal Energy Regulatory Commission, 888 First Street NE, 
Washington, DC 20426 [Attention: Ellen Brown, Office of the Executive 
Director, email: DataClearance@ferc.gov, phone: (202) 502-8663, fax: 
(202) 273-0873].
    101. For submitting comments concerning the collection(s) of 
information and the associated burden estimate(s), please send your 
comments to the Commission, and to the Office of Management and Budget, 
Office of Information and Regulatory Affairs, 725 17th Street NW, 
Washington, DC 20503 [Attention: Desk Officer for the Federal Energy 
Regulatory Commission, phone: (202) 395-8528, fax: (202) 395-7285]. For 
security reasons, comments to OMB should be submitted by email to: 
oira_submission@omb.eop.gov. Comments submitted to OMB should include 
Docket Number RM18-2-000 and OMB Control Number 1902-0225.

IV. Regulatory Flexibility Act Analysis

    102. The Regulatory Flexibility Act of 1980 (RFA) \150\ generally 
requires a description and analysis of final rules that will have 
significant economic impact on a substantial number of small entities.
---------------------------------------------------------------------------

    \150\ 5 U.S.C. 601-612.
---------------------------------------------------------------------------

    103. By only proposing to direct NERC, the Commission-certified 
ERO, to develop modified Reliability Standards for Cyber Security 
Incident reporting, this Final Rule will not have a significant or 
substantial impact on entities other than NERC. Therefore, the 
Commission certifies that this Final Rule will not have a significant 
economic impact on a substantial number of small entities.
    104. Any Reliability Standards proposed by NERC in compliance with 
this rulemaking will be considered by the Commission in future 
proceedings. As part of any future proceedings, the Commission will 
make determinations pertaining to the Regulatory Flexibility Act based 
on the content of the Reliability Standards proposed by NERC.

V. Environmental Analysis

    105. The Commission is required to prepare an Environmental 
Assessment or an Environmental Impact Statement for any action that may 
have a significant adverse effect on the human environment.\151\ The 
Commission has categorically excluded certain actions from this 
requirement as not having a significant effect on the human 
environment. Included in the exclusion are rules that are clarifying, 
corrective, or procedural or that do not substantially change the 
effect of the regulations being amended.\152\ The actions proposed 
herein to augment current reporting requirements fall within this 
categorical exclusion in the Commission's regulations.
---------------------------------------------------------------------------

    \151\ Regulations Implementing the National Environmental Policy 
Act of 1969, Order No. 486, FERC Stats. & Regs. ¶ 30,783 (1987).
    \152\ 18 CFR 380.4(a)(2)(ii) (2017).
---------------------------------------------------------------------------

VI. Document Availability

    106. In addition to publishing the full text of this document in 
the Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
internet through the Commission's Home Page (http://www.ferc.gov) and 
in the Commission's Public Reference Room during normal business hours 
(8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE, Room 2A, 
Washington, DC 20426.
    107. From the Commission's Home Page on the internet, this 
information is available on eLibrary. The full text of this document is 
available on eLibrary in PDF and Microsoft Word format for viewing, 
printing, and/or downloading. To access this document in eLibrary, type 
the docket number of this document, excluding the last three digits, in 
the docket number field. User assistance is available for eLibrary and 
the Commission's website during normal business hours from the 
Commission's Online Support at (202) 502-6652 (toll free at 1-866-208-
3676) or email at ferconlinesupport@ferc.gov, or the Public Reference 
Room at (202) 502-8371, TTY (202) 502-8659. Email the Public Reference 
Room at public.referenceroom@ferc.gov.

VII. Effective Date and Congressional Notification

    108. The Final Rule is effective October 1, 2018. The Commission 
has determined that this Final Rule imposes no substantial effect upon 
either NERC or NERC registered entities \153\ and, with the concurrence 
of the Administrator of the Office of Information and Regulatory 
Affairs of OMB, that this rule is not a ``major rule'' as defined in 
section 351 of the Small Business Regulatory Enforcement Fairness Act 
of 1996. This Final Rule is being submitted to the Senate, House, and 
Government Accountability Office.
---------------------------------------------------------------------------

    \153\ 5 U.S.C. 804(3)(C).
---------------------------------------------------------------------------

    By the Commission.

    Issued: July 19, 2018.
Nathaniel J. Davis, Sr.,
Deputy Secretary.

    Note: The following appendix will not appear in the Code of 
Federal Regulations.

Appendix Commenters

Jonathan Appelbaum (Appelbaum)
American Public Power Association, Electricity Consumers Resource 
Council, and Transmission Access Policy Study Group (Trade 
Associations)
Applied Control Solutions (ACS)
Arizona Public Service Company (APS)
Bonneville Power Administration (BPA)
Edison Electric Institute and National Rural Electric Cooperative 
Association (EEI/NRECA)
Douglas E. Ellsworth (Ellsworth)
Energy Sector Security Consortium (EnergySec)
Eversource Energy Service Company (Eversource)
Foundation for Resilient Societies (Resilient Societies)
Frank Gaffney (Gaffney)
Idaho Power Company (Idaho Power)
International Transmission Company (ITC)
ISO/RTO Council (IRC)
Isologic LLC (Isologic)
Jerry Ladd (Ladd)
Large Public Power Council (LPPC)
Mary D. Lasky (Lasky)
Michael Mabee (Mabee)
Garland T. McCoy (McCoy)
Microsoft Corporation (Microsoft)
New York Public Service Commission (NYPSC)
North American Electric Reliability Corporation (NERC)
NRG Energy (NRG)
Fred Reitman (Reitman)
Preston L. Schleinkofer (Schleinkofer)
Mark S. Simon (Simon)
Karen Testerman (Testerman)
U.S. Chamber of Commerce (Chamber)

[FR Doc. 2018-16242 Filed 7-30-18; 8:45 am]
 BILLING CODE 6717-01-P



                                                                 Federal Register / Vol. 83, No. 147 / Tuesday, July 31, 2018 / Rules and Regulations                                        36727




                                               (3) Remove from service HPT cases listed               (k) Material Incorporated by Reference                DEPARTMENT OF ENERGY
                                             in Planning Information, Table 3, of GE SBs                 (1) The Director of the Federal Register
                                             GEnx–2B S/B 72–0360, Revision 03, dated                                                                        Federal Energy Regulatory
                                                                                                      approved the incorporation by reference
                                             June 29, 2018 or GEnx–1B S/B 72–0424,                                                                          Commission
                                                                                                      (IBR) of the service information listed in this
                                             Revision 03, dated June 29, 2018, prior to
                                                                                                      paragraph under 5 U.S.C. 552(a) and 1 CFR
                                             exceeding 10 cycles after the effective date of                                                                18 CFR Part 40
                                             this AD or exceeding the CSN limits listed in            part 51.
                                             Table 3, whichever comes later. Replace the                 (2) You must use this service information          [Docket No. RM18–2–000; Order No. 848]
                                             removed HPT case with a part eligible for                as applicable to do the actions required by
                                             installation.                                            this AD, unless the AD specifies otherwise.           Cyber Security Incident Reporting
                                                                                                         (i) General Electric Company (GE) Service          Reliability Standards
                                             (h) Installation Prohibition                             Bulletin (SB) GEnx–2B S/B 72–0360,
                                               (1) After the effective date of this AD, do            Revision 03, dated June 29, 2018.                     AGENCY:  Federal Energy Regulatory
                                             not install any affected HPT case onto any                  (ii) GE SB GEnx–1B S/B 72–0424, Revision           Commission.
                                             engine.                                                  03, dated June 29, 2018.                              ACTION: Final rule.
                                               (2) After the effective date of this AD, HPT              (3) For GE service information identified in
                                             cases listed in Planning Information, Table 3,           this AD, contact General Electric Company,
                                                                                                                                                            SUMMARY:   The Federal Energy
                                             in GE SB GEnx–2B S/B 72–0360, Revision 03,               GE Aviation, Room 285, 1 Neumann Way,
                                                                                                                                                            Regulatory Commission (Commission)
                                             dated June 29, 2018 or GEnx–1B S/B 72–                   Cincinnati, OH 45215; phone: 513–552–3272;
                                                                                                                                                            directs the North American Electric
                                             0424, Revision 03, dated June 29, 2018, and
                                                                                                      email: aviation.fleetsupport@ge.com.                  Reliability Corporation (NERC) to
                                             any higher level assemblies with these parts                                                                   develop and submit modifications to the
                                                                                                         (4) You may view this service information
                                             installed, may not be removed from a GEnx–                                                                     NERC Reliability Standards to augment
                                                                                                      at FAA, Engine and Propeller Standards
                                             2B engine and installed on a GEnx–1B engine                                                                    the mandatory reporting of Cyber
                                             or removed from a GEnx–1B engine and                     Branch, 1200 District Avenue, Burlington,
                                                                                                      MA. For information on the availability of            Security Incidents, including incidents
                                             installed on a GEnx–2B engine.                                                                                 that might facilitate subsequent efforts
                                                                                                      this material at the FAA, call 781–238–7759.
                                             (i) Alternative Methods of Compliance                       (5) You may view this service information          to harm the reliable operation of the
                                             (AMOCs)                                                  that is incorporated by reference at the              bulk electric system (BES).
                                                (1) The Manager, ECO Branch, FAA, has                 National Archives and Records                         DATES: This rule will become effective
                                             the authority to approve AMOCs for this AD,              Administration (NARA). For information on             October 1, 2018.
                                             if requested using the procedures found in 14            the availability of this material at NARA, call       FOR FURTHER INFORMATION CONTACT:
                                             CFR 39.19. In accordance with 14 CFR 39.19,              202–741–6030, or go to: http://                         Margaret Steiner (Technical
                                             send your request to your principal inspector            www.archives.gov/federal-register/cfr/ibr-            Information), Office of Electric
                                             or local Flight Standards District Office, as            locations.html.                                       Reliability, Federal Energy Regulatory
                                             appropriate. If sending information directly
                                             to the manager of the certification office,                Issued in Burlington, Massachusetts, on             Commission, 888 First Street NE,
                                             send it to the attention of the person                   July 25, 2018.                                        Washington, DC 20426, (202) 502–6704,
                                             identified in paragraph (j) of this AD. You                                                                    Margaret.Steiner@ferc.gov.
                                                                                                      Karen M. Grant,
Kevin Ryan (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6840, Kevin.Ryan@ferc.gov.

SUPPLEMENTARY INFORMATION:

Order No. 848—Final Rule (Issued July 19, 2018)

    1. Pursuant to section 215(d)(5) of the Federal Power Act (FPA), the Commission directs the North American Electric Reliability Corporation (NERC) to develop and submit modifications to

36728 Federal Register / Vol. 83, No. 147 / Tuesday, July 31, 2018 / Rules and Regulations

the NERC Reliability Standards to augment the mandatory reporting of Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the BES.\1\ The Commission directs NERC to develop and submit modifications to the Reliability Standards to require the reporting of Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity's Electronic Security Perimeter (ESP) or associated Electronic Access Control or Monitoring Systems (EACMS).\2\

    2. In the NOPR, the Commission observed that Cyber Security Incidents are presently reported by responsible entities in accordance with Reliability Standard CIP-008-5 (Cyber Security—Incident Reporting and Response Planning).\3\ However, under the definition of Reportable Cyber Security Incident in Reliability Standard CIP-008-5, responsible entities must only report Cyber Security Incidents if they have "compromised or disrupted one or more reliability tasks." The Commission explained that the current reporting threshold may understate the true scope of cyber-related threats facing the Bulk-Power System, particularly given the lack of any reportable incidents in 2015 and 2016. To improve awareness of existing and future cyber security threats and potential vulnerabilities, the Commission proposed to direct that NERC develop and submit modifications to the existing Reliability Standards to augment the reporting of Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the BES.

    3. As discussed in detail below, the Commission adopts the NOPR proposal. The Commission's directive in this Final Rule consists of four elements intended to augment the current Cyber Security Incident reporting requirement: (1) Responsible entities must report Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity's ESP or associated EACMS; (2) required information in Cyber Security Incident reports should include certain minimum information to improve the quality of reporting and allow for ease of comparison by ensuring that each report includes specified fields of information; (3) filing deadlines for Cyber Security Incident reports should be established once a compromise or disruption to reliable BES operation, or an attempted compromise or disruption, is identified by a responsible entity; and (4) Cyber Security Incident reports should continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC), rather than the Commission, but the reports should also be sent to the Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Further, NERC must file an annual, public, and anonymized summary of the reports with the Commission.

    4. As discussed below, after considering the comments submitted in response to the NOPR, we conclude that the proposed directive to augment the current reporting requirement for Cyber Security Incidents is appropriate to carry out FPA section 215. As NERC recognizes in its NOPR comments, "[b]roadening the mandatory reporting of Cyber Security Incidents would help enhance awareness of cyber security risks facing entities[,] . . . would create a more extensive baseline understanding of the nature of cyber security threats and vulnerabilities[,] . . . [and] is consistent with recommendations in NERC's 2017 State of Reliability Report."\4\ Our directive is intended to result in a measured broadening of the existing reporting requirement in Reliability Standard CIP-008-5, consistent with NERC's recommendation, rather than a wholesale change in cyber incident reporting that supplants or otherwise chills voluntary reporting, as some commenters maintain. Indeed, as NERC contends, we believe that the new "baseline understanding, coupled with the additional context from voluntary reports received by the E-ISAC, [will] allow NERC and the E-ISAC to share that information broadly through the electric industry to better prepare entities to protect their critical infrastructure."\5\

    5. We address in the discussion below concerns raised by commenters regarding elements of the Commission's directive and the burdens the directive might impose if NERC develops requirements that are overly broad. At the outset, we agree with NERC that "because certain requirements in the CIP Reliability Standards already require entities to track data on compromises or attempts to compromise the ESP or EACMS, the additional burden to report that data appears reasonable."\6\ And we do not believe that complying with the augmented reporting requirements that we direct here would be any more burdensome to industry than the alternative, responding to a perpetual data or information request to collect the same information pursuant to Section 1600 of the NERC Rules of Procedure. To ensure that the burden is reasonable with respect to including EACMS in the augmented reporting requirement, NERC should develop requirements based on the function of the EACMS and the nature of the attempted compromise or successful intrusion. Similarly, as discussed below, NERC should develop reporting timelines for Cyber Security Incidents that are commensurate with the adverse or attempted adverse impact to the BES that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES.\7\ Prioritizing incident reporting will allow responsible entities to devote resources to reporting the most significant Cyber Security Incidents faster than less significant events. With this guidance, we believe that the standard drafting team, in the first instance, is in the best position to develop the specific elements of the directed Reliability Standard requirements.

    6. We have considered comments submitted by NERC and others recommending that broadened Cyber Security Incident reporting should be implemented through a request for information or data pursuant to Section 1600 of the NERC Rules of Procedure instead of through Reliability Standard requirements. However, on balance, we

---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o(d)(5). The NERC Glossary of Terms Used in NERC Reliability Standards (June 12, 2018) (NERC Glossary) defines a Cyber Security Incident as "A malicious act or suspicious event that: Compromises, or was an attempt to compromise, the Electronic Security Perimeter or Physical Security Perimeter or, Disrupts, or was an attempt to disrupt, the operation of a BES Cyber System."
    \2\ The NERC Glossary defines "ESP" as "[t]he logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol." The NERC Glossary defines "EACMS" as "Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems."
    \3\ Cyber Security Incident Reporting Reliability Standards, Notice of Proposed Rulemaking, 82 FR 61499 (Dec. 28, 2017), 161 FERC ¶ 61,291, P 1 (2017) (NOPR).
    \4\ NERC Comments at 4.
    \5\ Id.
    \6\ Id. at 8 (citing Reliability Standard CIP-005-5 (Cyber Security—Electronic Security Perimeter(s)) and Reliability Standard CIP-007-6 (Cyber Security—System Security Management)).
    \7\ The NERC Glossary defines BES Cyber System as "[o]ne or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity." Glossary of Terms Used in NERC Reliability Standards (NERC Glossary). Reliability Standard CIP-002-5.1a (Cyber Security System Categorization) provides a "tiered" approach to cybersecurity requirements, based on classifications of high, medium and low impact BES Cyber Systems.

---------------------------------------------------------------------------

[[Page 36729]]

believe that broadened mandatory reporting pursuant to Reliability Standard requirements as opposed to a standing data request is more aligned with the seriousness and magnitude of the current threat environment, and more likely to improve awareness of existing and future cyber security threats and potential vulnerabilities. Four main reasons inform our decision. First, a new or modified Reliability Standard will ensure that the desired goals of our directive are met because the Commission will have the ability to review and ultimately approve the standard, as opposed to the opportunity for informal review that the Commission would have of a data request under ROP Section 1600. Second, the Commission has well-defined authority and processes under section 215(e) of the FPA to audit and enforce compliance with a Reliability Standard. Third, we do not anticipate that there will be a need to change the parameters of the Cyber Security Incident report for EACMS because the parameters that we direct below are based on five static functions of EACMS and are not technology specific, so the potential flexibility provided by a Section 1600 data request may not be significantly beneficial. Finally, collecting data through a Reliability Standard is consistent with existing practices; responsible entities are currently required to maintain the types of information that would lead to a reportable Cyber Security Incident pursuant to Reliability Standard CIP-007-6, Requirement R4.1. Nonetheless, should future events require an expedited change in data collection or should NERC desire to collect data outside the scope of the proposed Reliability Standard, NERC could then use the Section 1600 process to supplement information reported under a mandatory Reliability Standard.

    7. Accordingly, pursuant to section 215(d)(5) of the FPA, we adopt the NOPR proposal and direct NERC to develop modifications to the Reliability Standards to include the mandatory reporting of Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity's ESP or associated EACMS, as well as modifications to specify the required information in Cyber Security Incident reports, their dissemination, and deadlines for filing reports. We direct NERC to submit the directed modifications within six months of the effective date of this Final Rule.

I. Background

A. Section 215 and Mandatory Reliability Standards

    8. Section 215 of the FPA requires a Commission-certified Electric Reliability Organization (ERO) to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.\8\ Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,\9\ and subsequently certified NERC.\10\

B. Notice of Proposed Rulemaking

    9. On December 21, 2017, the Commission issued a NOPR proposing to direct that NERC develop enhanced Cyber Security Incident reporting requirements. Specifically, pursuant to section 215(d)(5) of the FPA, the NOPR proposed to direct NERC to develop modifications to the Reliability Standards to require the reporting of Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity's ESP or associated EACMS. The proposed directive was based in part on a lack of Reportable Cyber Security Incidents in 2015 and 2016, and NERC's assessment in the 2017 State of Reliability Report that "[w]hile there were no reportable cyber security incidents during 2016 and therefore none that caused a loss of load, this does not necessarily suggest that the risk of a cyber security incident is low."\11\ In addition, the NOPR stated that it agreed with the recommendation by NERC in the 2017 State of Reliability Report to "redefine reportable incidents to be more granular and include zero-consequence incidents that might be precursors to something more serious."\12\

    10. In justifying the proposed inclusion of ESPs and associated EACMS within the scope of the enhanced Cyber Security Incident requirement, the NOPR stated that the purpose of an ESP is to manage electronic access to BES Cyber Systems to support the protection of the BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.\13\ In addition, the NOPR explained that EACMS, which include, for example, firewalls, authentication servers, security event monitoring systems, intrusion detection systems and alerting systems, control electronic access into the ESP and play a significant role in the protection of high and medium impact BES Cyber Systems.\14\ The NOPR indicated further that, once an EACMS is compromised, an attacker could more easily enter the ESP and effectively control the BES Cyber System or Protected Cyber Asset.

    11. The NOPR discussed the scope of the present Cyber Security Incident reporting requirement. The NOPR observed that Reliability Standard CIP-008-5, Requirement R1.2 currently requires that each responsible entity shall document one or more Cyber Security Incident Plan(s) with one or more processes to determine if an identified Cyber Security Incident is a Reportable Cyber Security Incident. And where a Cyber Security Incident is determined to qualify as a Reportable Cyber Security Incident, the NOPR explained that responsible entities are required to notify the E-ISAC with initial notification within one hour from the determination of a Reportable Cyber Security Incident. The NOPR stated, however, that the NERC Glossary defines a Reportable Cyber Security Incident as "[a] Cyber Security Incident that has compromised or disrupted one or more reliability tasks of a functional entity." The NOPR indicated that the definition of Reportable Cyber Security Incident, insofar as it excludes unsuccessful attempts to compromise or disrupt a responsible entity's core activities, is thus more narrow than the definition of "cybersecurity incident" in FPA section 215(a)(8), which encompasses "a malicious act or suspicious event that disrupts, or was an attempt to disrupt, the operation of those programmable electronic devices and communication networks including hardware, software and data that are essential to the reliable operation of the bulk power system."\15\

    12. The NOPR stated that altering the Cyber Security Incident reporting

---------------------------------------------------------------------------

    \8\ Id.
    \9\ Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, FERC Stats. & Regs. ¶ 31,204, order on reh'g, Order No. 672-A, FERC Stats. & Regs. ¶ 31,212 (2006).
    \10\ North American Electric Reliability Corp., 116 FERC ¶ 61,062, order on reh'g and compliance, 117 FERC ¶ 61,126 (2006), aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
    \11\ NOPR, 161 FERC ¶ 61,291 at P 28 (citing 2017 NERC State of Reliability Report at 4).
    \12\ Id. P 29 (citing 2017 NERC State of Reliability Report at 4).
    \13\ See id. P 33 (citing Reliability Standard CIP-005-5 (Cyber Security—Electronic Security Perimeter(s))).
    \14\ See id. (citing Reliability Standard CIP-002-5.1 (Cyber Security—BES Cyber System Categorization), Background at 6; Reliability Standard CIP-007-6 (Cyber Security—System Security Management), Background at 4).
    \15\ 16 U.S.C. 824o(a)(8).

---------------------------------------------------------------------------

[[Page 36730]]

                                             threshold to require reporting of                        Section 1600 of the NERC Rules of                     compromise, the Electronic Security
                                             attempts to compromise, instead of only                  Procedure would effectively address the               Perimeter or Physical Security Perimeter
                                             successful compromises, is consistent                    reporting gap and current lack of                     or (2) disrupts, or was an attempt to
                                             with information already logged by                       awareness of cyber-related incidents                  disrupt, the operation of a BES Cyber
                                             registered entities pursuant to current                  among NERC, responsible entities and                  System.’’
                                             monitoring requirements in the                           the Commission, and satisfy the goals of                 19. The Commission further
                                             Reliability Standards. The NOPR                          the proposed directive.                               explained that where a cyber-related
                                             explained that Reliability Standard CIP–                                                                       event is determined to qualify as a
                                             007–6, Requirement R4.1, mandates                        II. Discussion                                        Reportable Cyber Security Incident,
                                             logging of detected successful login                        16. Pursuant to section 215(d)(5) of               responsible entities are required to
                                             attempts, detected failed access                         the FPA, we adopt the NOPR proposal                   notify the E–ISAC with initial
                                             attempts, and failed login attempts, and                 and direct NERC to develop and submit                 notification to be made within one hour
                                             the Guidelines and Technical Basis for                   modifications to the NERC Reliability                 from the determination of a Reportable
                                             Requirement R4.1 states that events                      Standards to augment current                          Cyber Security Incident.18 However, the
                                             should be logged even if access attempts                 mandatory reporting of Cyber Security                 NOPR observed that a Reportable Cyber
                                             were blocked or otherwise                                Incidents, including incidents that                   Security Incident is defined more
                                             unsuccessful.16                                          might facilitate subsequent efforts to                narrowly in the NERC Glossary than a
                                                13. In addition to modifying the                      harm the reliable operation of the BES.               Cyber Security Incident because the
                                             reporting threshold, the NOPR proposed                   We direct NERC, subject to the                        former requires that the incident result
                                             to direct NERC to modify the Reliability                 discussion below, to develop and                      in the compromise or disruption of one
                                             Standards to specify the required                        submit Reliability Standard                           or more reliability tasks of a functional
                                             information in Cyber Security Incident                   requirements that: (1) Require                        entity. As the Commission explained, in
                                             reports to improve the quality of                        responsible entities to report Cyber                  order for a cyber-related event to be
                                             reporting and allow for ease of                          Security Incidents that compromise, or                considered reportable under the existing
                                             comparison by ensuring that each report                  attempt to compromise, a responsible                  CIP Reliability Standards, it must
                                             includes specified fields of information,                entity’s ESP or associated EACMS; (2)                 compromise or disrupt a core activity
                                             as well as the deadlines for submitting                  specify the required information in                   (e.g., reliability task) of a responsible
                                             a report. Specifically, the NOPR                         Cyber Security Incident reports; (3)                  entity that is intended to maintain BES
                                             proposed that the minimum set of                         establish deadlines for filing Cyber                  reliability.19 Therefore, under these
                                             attributes to be reported should include:                Security Incident reports that are                    definitions, unsuccessful attempts to
                                             (1) The functional impact, where                         commensurate with incident severity;                  compromise or disrupt a responsible
                                             possible, that the Cyber Security                        and (4) require that Cyber Security                   entity’s core activities are not subject to
                                             Incident achieved or attempted to                        Incident reports be sent to ICS–CERT, in              the current reporting requirements in
                                             achieve; (2) the attack vector used to                   addition to E–ISAC, and that NERC file                Reliability Standard CIP–008–5 or
                                             achieve or attempt to achieve the Cyber                  with the Commission an annual, public,                elsewhere in the CIP Reliability
                                             Security Incident; and (3) the level of                  and anonymized summary of such                        Standards.
                                             intrusion achieved or attempted by the                   reports.                                                 20. The NOPR explained that recent
                                             Cyber Security Incident. The NOPR                           17. Below, we discuss the following                NERC State of Reliability Reports
                                             explained that knowledge of these                        matters: (A) The need for broadened                   indicate that there were no Reportable
                                             attributes regarding a specific Cyber                    mandatory Cyber Security Incident                     Cyber Security Incidents in 2015 and
                                             Security Incident will improve                           reporting; (B) the threshold for a                    2016. The NOPR also highlighted
                                             awareness of cyber threats to BES                        reportable Cyber Security Incident; (C)               NERC’s conclusion that ‘‘[w]hile there
                                             reliability. The NOPR also noted that                    the appropriate procedural approach to                were no reportable cyber security
                                             the proposed attributes are the same as                  augment Cyber Security Incident                       incidents during 2016 and therefore
                                             attributes already used by DHS for its                   reporting, i.e., new or modified                      none that caused a loss of load, this
                                             multi-sector reporting and summarized                    Reliability Standards versus a NERC                   does not necessarily suggest that the risk
                                             by DHS in an annual report.17                            data request to applicable entities; (D)              of a cyber security incident is low.’’ 20
                                                14. The NOPR also proposed to                         the content and timing of Cyber Security              The NOPR contrasted the results
                                             continue to require that Cyber Security                  Incident reports; and (E) other issues.               reported in the NERC reports with the
                                             Incident reports be sent to the E–ISAC                                                                         2016 annual summary of the
                                             instead of the Commission, but the                       A. Need for Broadened Mandatory                       Department of Energy’s (DOE) Electric
                                             NOPR proposed to require that such                       Cyber Security Incident Reporting
                                             reports also be sent to ICS–CERT and                                                                             18 See Reliability Standard CIP–008–5 (Cyber
                                                                                                      1. NOPR                                               Security—Incident Reporting and Response
                                             that NERC file with the Commission an
                                                                                                        18. In the NOPR, the Commission                     Planning), Requirement R1, Part 1.2. This
                                             annual, public, and anonymized                                                                                 requirement pertains to high impact BES Cyber
                                             summary of such reports.                                 indicated that cyber-related event                    Systems and medium impact BES Cyber Systems.
                                                15. Finally, the NOPR sought                          reporting is currently addressed in                     19 The NERC Functional Model ‘‘describes a set

                                             comment on potential alternatives to                     Reliability Standard CIP–008–5,                       of Functions that are performed to ensure the
                                             modifying the mandatory reporting                        Requirement R1.2, which requires that                 reliability of the Bulk Electric System. Each
                                                                                                                                                            Function consists of a set of related reliability
                                             requirements in the NERC Reliability                     each responsible entity shall document                Tasks. The Model assigns each Function to a
                                             Standards. Specifically, the NOPR                        one or more Cyber Security Incident                   functional entity, that is, the entity that performs
                                             sought comment on whether a request                      Plan(s) with one or more processes to                 the function. The Model also describes the
                                                                                                                                                            interrelationships between that functional entity
                                             for data or information pursuant to                      determine if an identified Cyber
daltland on DSKBBV9HB2PROD with RULES




                                                                                                                                                            and other functional entities (that perform other
                                                                                                      Security Incident is a Reportable Cyber               Functions).’’ NERC, Reliability Functional Model:
                                               16 See Reliability Standard CIP–007–6 (Cyber
                                                                                                      Security Incident. The NOPR noted that                Function Definitions and Functional Entities,
                                             Security—Systems Security Management),                   a Cyber Security Incident is defined in               Version 5 at 7 (November 2009), http://
                                             Requirement R4.1.                                                                                              www.nerc.com/pa/Stand/Functional%20Model
                                               17 NOPR, 161 FERC ¶ 61,291 at P 38 (citing 2016        the NERC Glossary as: ‘‘A malicious act               %20Archive%201/Functional_Model_V5_Final_
                                             ICS–CERT Year in Review, https://ics-cert.us-            or suspicious event that: (1)                         2009Dec1.pdf.
                                             cert.gov/Year-Review-2016).                              compromises, or was an attempt to                       20 2017 NERC State of Reliability Report at 4.




                                        VerDate Sep<11>2014   16:21 Jul 30, 2018   Jkt 244001   PO 00000   Frm 00008   Fmt 4700   Sfmt 4700   E:\FR\FM\31JYR1.SGM   31JYR1


Disturbance Reporting Form OE-417, which contained four cybersecurity incidents reported in 2016; two suspected cyber attacks and two actual cyber attacks.\21\ Moreover, the NOPR noted that ICS-CERT responded to fifty-nine cybersecurity incidents within the Energy Sector in 2016.\22\

\21\ 2016 DOE Electric Disturbance Events (OE-417) Annual Summary Archives, https://www.oe.netl.doe.gov/OE417_annual_summary.aspx.
\22\ ICS-CERT cybersecurity incident statistics for the Energy Sector combine statistics from the electric subsector and the oil and natural gas subsector. ICS-CERT does not break out the cybersecurity incidents that only impact the electric subsector. 2016 ICS-CERT Year in Review, https://ics-cert.us-cert.gov/Year-Review-2016.

21. Based on the comparison of information reported by NERC, DOE, and ICS-CERT, the NOPR concluded that the current reporting threshold in Reliability Standard CIP-008-5 may not reflect the true scope and scale of cyber-related threats facing responsible entities. In particular, the NOPR raised a concern that the disparity in the reporting of cyber-related incidents under existing reporting requirements, in particular the lack of any incidents reported to NERC in 2015 and 2016, suggests a gap in the current reporting requirements. The NOPR highlighted the fact that this concern is echoed in the 2017 NERC State of Reliability Report, which includes a recommendation that NERC and industry should "redefine reportable incidents to be more granular and include zero-consequence incidents that might be precursors to something more serious."\23\ Agreeing with NERC's recommendation in the 2017 State of Reliability report, the NOPR proposed to direct NERC to address the apparent gap in cyber incident reporting.

\23\ 2017 NERC State of Reliability Report at 4.

2. Comments

22. NERC supports improving the reporting of Cyber Security Incidents, stating that "[b]roadening the mandatory reporting of Cyber Security Incidents would help enhance awareness of cyber security risks facing entities."\24\ NERC maintains that enhanced reporting "would create a more extensive baseline understanding of the nature of cyber security threats and vulnerabilities."\25\ NERC notes that broadening the scope of Cyber Security Incident reporting "is consistent with recommendations in NERC's 2017 State of Reliability Report."\26\ While NERC recognizes the need for enhanced Cyber Security Incident reporting, as discussed in the following sections, NERC does not support all aspects of the NOPR, including requiring enhanced cyber incident reporting through a modified Reliability Standard.

\24\ NERC Comments at 4.
\25\ Id. at 4.
\26\ Id. at 4.

23. BPA, ITC, IRC, NYPSC, and NRG also support the NOPR proposal to direct NERC to address the gap in reporting Cyber Security Incidents. As noted by BPA, the current definition of Reportable Cyber Security Incident only addresses successful attempts to compromise or disrupt operations and, therefore, "a broader definition of a Reportable Cyber Security incident is warranted" because "information about certain attempts to compromise will likely better assist the industry in preventing successful cyber attacks."\27\ BPA, ITC, and IRC raise concerns, however, regarding the risk of over-reporting. IRC states that the proposed requirement to report all attempts to compromise an ESP or associated EACMS "needs further clarification."\28\ BPA states that any new reporting requirement "must ensure that the information reported is useful and does not result in under and over reporting of information."\29\ NRG recommends that the term "attempt" should be clarified (i.e., as a more serious risk than a port scan) and "should be provided in technical guidance or glossary definition relating to the context of [the] existing NERC glossary term: Cyber Security Incident."\30\

\27\ BPA Comments at 3.
\28\ IRC Comments at 1.
\29\ BPA Comments at 3.
\30\ NRG Comments at 3.

24. EEI/NRECA, Trade Associations, APS, Chamber, EnergySec, Eversource, Idaho Power, and LPPC do not support the NOPR proposal to direct NERC to address the gap in reporting Cyber Security Incidents. EEI/NRECA, Trade Associations, and Chamber suggest that the Commission support existing voluntary reporting practices as opposed to mandating the reporting of Cyber Security Incidents through the CIP Reliability Standards. EEI/NRECA state that "[s]ignificant resources from responsible entities and government are engaged in [. . .] partnerships" to share threat and vulnerability information.\31\ EEI/NRECA argue that "[m]andating such sharing will overlap with these voluntary efforts and may harm the partnerships and ability of the programs to enhance cybersecurity for the electric grid."\32\ In addition, EEI/NRECA state that mandating Cyber Security Incident reporting "may weaken the ability of electric companies to participate in these [voluntary reporting] programs by shifting their focus to compliance activity."\33\ Eversource states that the NOPR proposal would "introduce new technical and administrative challenges that will likely impact responsible entities' ability to participate in existing voluntary threat information sharing programs."\34\ LPPC states that whatever action the Commission takes on Cyber Security Incident reporting, it "must be done with an eye towards causing as little disruption to existing information sharing programs as possible."\35\

\31\ EEI/NRECA Comments at 12.
\32\ Id. at 12.
\33\ Id. at 14-15.
\34\ Eversource Comments at 5.
\35\ LPPC Comments at 4.

25. Trade Associations state that while improving Cyber Security Incident reporting is an appropriate objective, "directing new or revised mandatory reliability standards is not the only tool that NERC and the Commission have for achieving that reliability objective."\36\ Trade Associations contend that, in light of the constantly evolving state of cyber security, "the Commission should consider and utilize the most flexible tools to achieve its reliability goals without imposing undue burden on registered entities."\37\

\36\ APPA, et al. Comments at 3-4.
\37\ Id. at 4.

26. APS states that while it "supports the Commission's objectives expressed in the NOPR," it does not agree that modifying the CIP Reliability Standards is the appropriate solution.\38\ APS asserts that "the reporting requirements that already exist under Form OE-417 meet the same objectives as the Commission is attempting to satisfy by requiring additional reporting under the CIP Standards as proposed in the NOPR."\39\ APS instead suggests that "the Commission . . . direct NERC to modify the CIP Standards to include a requirement for Responsible Entities to submit copies of its Form OE-417 to the E-ISAC and ICS-CERT."\40\

\38\ APS Comments at 5.
\39\ Id. at 7.
\40\ Id. at 5.
\41\ EnergySec Comments at 2.
\42\ Id. at 2.

27. EnergySec states that it is "generally in agreement with the Commission's goal of increasing the frequency and detail of incident reporting," but raises concerns with the specifics of the NOPR proposal.\41\ EnergySec maintains that "'compromise' as used in the definition of Reportable Cybersecurity Incident does not necessarily imply harm."\42\ Therefore, EnergySec argues that "an incident should be considered a 'compromise' if an attacker has obtained

36732 Federal Register / Vol. 83, No. 147 / Tuesday, July 31, 2018 / Rules and Regulations

the ability to disrupt, even if no disruption occurs.’’ 43 EnergySec states further that it believes ‘‘that a clarified understanding of the current definition of Reportable Cybersecurity Incident can sufficiently address the Commission’s concerns’’ since it ‘‘can be construed to include certain non-impactful incidents, as well as incidents affecting [ESPs] and [EACMS].’’ 44

28. EnergySec also raises a concern that the NOPR proposal is too broad. EnergySec argues that determining incidents that might facilitate future cyber incidents ‘‘would be highly subjective and could easily be construed to include systems and networks that are outside the scope of the Commission’s authority.’’ 45 EnergySec notes that most failed login or access attempts are benign in nature and ‘‘the volume of such events is orders of magnitude larger than what would be an appropriate volume for mandatory reporting.’’ 46 EnergySec states further that while it agrees that successful attacks against ESPs and EACMS should be reported, it does not support including attempted compromise in the reporting requirements since the ‘‘[d]etermination of attempted compromise is highly subjective and it would therefore be difficult at best to clearly define within the standards a basis for such determinations.’’ 47

29. Eversource and Idaho Power do not support the NOPR proposal due to the anticipated increased burden that could result from increased mandatory reporting. Eversource states that ‘‘expanding the amount of required information to be reported and increasing the number of recipients of the reports will create undue administrative burdens.’’ 48 In addition, Eversource contends that ‘‘the meaning of an attempted compromise is currently undefined and may impose significant burdens on responsible entities to identify such attempts.’’ 49 Idaho Power states that even though ‘‘additional reporting can provide some visibility into the types of threats that entities face, additional administrative burdens such as reporting requirements reduce the finite resources that entities have to monitor and defend their critical infrastructure.’’ 50

30. LPPC asserts that the NOPR proposal ‘‘may yield a substantial quantity of unhelpful information and confusing analysis, while needlessly burdening Registered Entities.’’ 51 LPPC states that it supports NERC’s request for flexibility in addressing enhanced Cyber Security Incident reporting and concludes that ‘‘a technical conference may productively explore the nature and scope of the various programs that currently exist for information sharing regarding threats and the incremental value of any new requirements.’’ 52 Resilient Societies states that ‘‘the modifications proposed to improve the reporting of cybersecurity incidents are unlikely to have any significant positive effect.’’ 53 Specifically, Resilient Societies states that the proposed reporting parameters are not broad enough because ‘‘reporting of malware infection is not necessarily within thresholds set on other criteria, such as ‘compromise,’ ‘breach,’ ‘impact,’ or ‘disruption.’ ’’ 54 Resilient Societies also suggests that the Commission convene a public technical conference.

3. Commission Determination

31. We adopt the NOPR proposal and, pursuant to section 215(d)(5) of the FPA, direct NERC to develop and submit modifications to the Reliability Standards to augment the mandatory reporting of Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the BES. Comments submitted by NERC and others support our determination that enhanced reporting of Cyber Security Incidents will address an existing gap in Cyber Security Incident reporting and will provide useful information on existing and future cyber security risks, as well as provide entities with better visibility into malicious activity prior to an event occurring. As noted in NERC’s comments, ‘‘[b]roadening the mandatory reporting of Cyber Security Incidents would help enhance awareness of cyber security risks facing entities.’’ 55 Similarly, BPA agrees with the directive to include attempted compromises in an enhanced reporting regime, stating that ‘‘information about certain attempts to compromise will likely better assist the industry in preventing successful cyber attacks.’’ 56 Moreover, while the record reflects differing views on whether broadened Cyber Security Incident reporting should be mandatory or voluntary, there is general agreement that improved reporting is an appropriate objective.57

32. Some commenters contend that the directive to require mandatory reporting of Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity’s ESP or associated EACMS is vague and requires clarification. Recognizing this concern, NERC states that ‘‘[t]he challenge is to scope any additional mandatory reporting requirements in a manner that collects meaningful data about security risks without creating an unduly burdensome reporting requirement.’’ 58 While we address the threshold for a broadened reporting requirement issue in the next section, as a general matter, we agree with NERC that the scope of any new reporting requirement should be tailored to provide better information on cyber security threats and vulnerabilities without imposing an undue burden on responsible entities. Indeed, the NOPR proposal was not intended to be prescriptive or overly broad, but rather support NERC’s efforts to enhance the reporting of Cyber Security Incidents as outlined in NERC’s 2017 State of Reliability Report through the standards development process.

33. Some commenters assert that a broadened reporting requirement will overlap, duplicate or otherwise chill voluntary reporting programs, potentially diverting resources away from such programs. Other commenters, however, assert that voluntary reporting does not adequately address the gap identified in the NOPR because voluntary reporting and mandatory reporting under currently-effective Reliability Standard CIP–008–5 have not resulted in adequate reporting of cybersecurity threats to the BES.59 As Appelbaum notes, ‘‘[w]ithout mandatory reporting scheme a degraded threat image will result.’’ 60

34. Based on the record, we are not persuaded that our directive to augment current mandatory reporting requirements will adversely impact existing voluntary information sharing efforts. Instead, we agree with NERC’s comment that the new ‘‘baseline understanding [resulting from broadened mandatory reporting], coupled with the additional context from voluntary reports received by the E–ISAC, [will] allow NERC and the E–ISAC to share that information broadly through the electric industry to better prepare entities to protect their critical infrastructure.’’ 61 Moreover, we do not anticipate that the incremental burden of the directed modifications will divert significant resources from other information sharing programs since responsible entities are already required to monitor and log successful login attempts, detected failed access attempts, and failed login attempts under Reliability Standard CIP–007–6, Requirement R4.1. Nor do we anticipate that the incremental burden of complying with the directed Reliability Standards modifications would be significantly more than the burden of responding to a standing data or information request under Section 1600. We also do not believe that broadened mandatory reporting is at cross-purposes with voluntary cybersecurity-related programs offered by DHS and other government agencies. We believe that voluntary programs that focus on cyber response and sharing of cyber threat information across industry are important initiatives that should be supported. However, the comments do not provide a compelling explanation why the broadening of mandatory reporting will supplant or inhibit voluntary programs.

35. While we agree with EnergySec that revisions to the current definition of Reportable Cyber Security Incident could address some aspects of our directive, a modified definition alone would not address the need to specify the required information in Cyber Security Incident reports to improve the quality of reporting and allow for ease of comparison, or establish deadlines for submitting a report to facilitate timely information sharing. Therefore, while we believe that a modified definition of Reportable Cyber Security Incident could address part of the Commission’s concerns, additional modifications would be necessary to meet the full scope of our directive.

36. In addition, we do not agree with Resilient Societies that the detection of malware infecting a responsible entity’s ESP or associated EACMS would fall outside the new reporting requirement. While Resilient Societies asserts that a malware infection would not meet the threshold of a compromise, breach, impact, or disruption, we believe that it would fall within the parameters of an attempted compromise. As discussed in the next section, however, we believe that it is appropriate for NERC to address the reporting threshold through the standards development process in order to weigh the diverse technical opinions on how to identify the appropriate assets and the level of attempted compromise that warrants reporting. Accordingly, we are not persuaded to convene a technical conference. Rather, persons interested in the development of appropriate detailed parameters of the augmented reporting requirements should participate in the NERC standards development process.

37. In sum, we conclude that the record supports our determination that directing NERC to develop and submit modifications to the Reliability Standards to require the reporting of Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity’s ESP, as well as associated EACMS, is appropriate to carry out FPA section 215. Therefore, pursuant to FPA section 215(d)(5), we direct NERC to develop and submit modifications to the Reliability Standards to include the mandatory reporting of Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity’s ESP or associated EACMS. As noted above, we direct NERC to submit the directed modifications within six-months of the effective date of this Final Rule.

B. Threshold for a Reportable Cyber Security Incident

1. NOPR

38. The NOPR proposed to direct NERC to modify the Reliability Standards to include the mandatory reporting of Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity’s ESP or associated EACMS. The NOPR explained that reporting attempts to compromise, instead of only successful compromises, is consistent with current monitoring requirements in Reliability Standard CIP–007–6, Requirement R4.1, which mandates logging of detected successful login attempts, detected failed access attempts and failed login attempts.62 In addition, the NOPR identified other reporting regimes that include attempts within the general definition of a ‘‘cyber incident.’’ Specifically, DHS defines a ‘‘cyber incident’’ as ‘‘attempts (either failed or successful) to gain unauthorized access to a system or its data. . . .’’ 63 The E–ISAC defines a ‘‘cyber incident’’ as including unauthorized access through the electronic perimeter as well as ‘‘a detected effort . . . without obvious success.’’ 64 And ICS–CERT defines a ‘‘cyber incident’’ as an ‘‘occurrence that actually or potentially results in adverse consequences. . . .’’ 65

39. As noted above, an ESP is defined in the NERC Glossary as the ‘‘logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.’’ The purpose of an ESP is to manage electronic access to BES Cyber Systems to support the protection of the BES Cyber Systems against compromise that could lead to misoperation or instability in the BES. The NOPR explained that since an ESP is intended to protect BES Cyber Systems, it is reasonable to establish the compromise of, or attempt to compromise, an ESP as the minimum reporting threshold.

40. In addition, the NOPR identified an ESP’s associated EACMS as another threshold for a Reportable Cyber Security Incident. As explained in the NOPR, EACMS are defined in the NERC Glossary as ‘‘Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems.’’ More specifically, EACMS include, for example, firewalls, authentication servers, security event monitoring systems, intrusion detection systems and alerting systems.

41. While the Commission proposed to include EACMS within the scope of the proposed directive, the Commission also sought comment on the possibility of excluding EACMS from the scope of the proposed directive.

2. Comments

42. NERC supports the NOPR proposal to limit the scope of Cyber Security Incident reporting to incidents that compromise or attempt to compromise a responsible entity’s ESP or associated EACMS. NERC explains that any new reporting requirements ‘‘need to be scoped in a manner that provides for meaningful reporting of cyber security risks but does not unduly burden entities.’’ 66 Specifically, NERC states:

    Because the ESP protects some of the most important Cyber Assets and the EACMS control or monitor access to those Cyber

43 Id. at 2.
44 Id. at 3.
45 Id. at 3.
46 Id. at 3.
47 Id. at 3–4.
48 Eversource Comments at 1.
49 Id. at 6.
50 Idaho Power Comments at 2.
51 LPPC Comments at 1.
52 Id. at 5–6.
53 Resilient Societies Comments at 12.
54 Id. at 10.
55 NERC Comments at 4.
56 BPA Comments at 3.
57 See NERC Comments at 4, Trade Associations Comments at 3, APS Comments at 1, BPA Comments at 3, EnergySec Comments at 1, Idaho Power Comments at 2, ITC Comments at 5, IRC Comments at 1, NRG Comments at 2–3.
58 NERC Comments at 3.
59 See id. at 4–5.
60 Appelbaum Comments at 7.
61 NERC Comments at 4.
62 See Reliability Standard CIP–007–6 (Cyber Security—Systems Security Management), Requirement R4.1.
63 See United States Computer Emergency Readiness Team (US–CERT) Incident Definition: https://www.us-cert.gov/government-users/compliance-and-reporting/incident-definition.
64 See E–ISAC Incident Reporting Fact Sheet document: http://www.nerc.com/files/Incident-Reporting.pdf.
65 See ICS–CERT Published ‘‘Common Cyber Security Language’’ document: https://ics-cert.us-cert.gov/sites/default/files/documents/Common%20Cyber%20Language_S508C.pdf.
66 NERC Comments at 6.




    Assets, NERC agrees that reporting on attempts to compromise these security measures would provide valuable data while also imposing a reasonable burden on entities given the limited traffic they should experience.67

NERC notes that some EACMS devices ‘‘may provide important early indicators of future compromise’’ and, therefore, NERC states that it ‘‘supports including EACMS in the reporting threshold in addition to the ESP and notes that logging attempts to compromise the ESP and some EACMS devices does not impose an unreasonable burden on entities.’’ 68

43. While NERC supports adopting the compromise or attempt to compromise a responsible entity’s ESP or an EACMS associated with an ESP as a threshold for Cyber Security Incident reporting, NERC explains that ‘‘there is

revised Reliability Standard ‘‘should not include the proposed generic threshold of reporting any incidents that compromise or attempt to compromise an ESP or EACMS.’’ 74 Instead, Trade Associations recommend that the Commission ‘‘give NERC sufficient flexibility to define appropriate reporting thresholds for attempted compromises of an ESP or EACMS.’’ 75

45. APS asserts that, given the differences among EACMS, it does not support the inclusion of all EACMS or the exclusion of all EACMS from an enhanced reporting requirement. APS states that while it ‘‘concurs that the incidents impacting the ESP should certainly be in scope of reporting, it is concerned that the exclusion of EACMS (which includes [Electronic Access Points (EAP)]) results in a likely

compromise in the reporting requirements.’’ 81 In addition, EnergySec suggests that monitoring-only systems be excluded from any reporting requirement, stating that ‘‘[a]lthough compromise of monitoring systems could assist an attack, such a compromise would not directly permit access.’’ 82 Resilient Societies states that ‘‘[e]xcluding [EACMS] from the Commission directive could exempt reporting of attempted compromises.’’ 83 IRC states that ‘‘adding EACMS to the requirement for mandatory reporting would be beneficial, not only because of their role as a boundary point, but also because EACMS perform other roles that support the BES Cyber Systems.’’ 84 IRC cautions, however, that ‘‘[w]ithout providing further definitions or criteria, the NOPR’s proposal to require
                                             still a need to refine the scope of the                  compromise scenario going                                reporting of all ‘attempts to
                                             proposed directive to ensure that it                     unreported.’’ 76 Specifically, APS notes                 compromise’ the ESP or EACMS is
                                             would provide meaningful data without                    that ‘‘a user’s credentials to an                        unclear and potentially
                                             overburdening entities.’’ 69 Specifically,               Intermediate System, which includes/                     unachievable.’’ 85
                                             NERC states that there is a need to                      can be classified as an EAP(s) and/or                       48. While ITC generally supports the
                                             ‘‘outline the parameters of an ‘attempt to               EACMS, could be compromised.’’ 77                        NOPR proposal, ITC ‘‘requests that the
                                             compromise’ in order to issue a precise                  APS contends that such a compromise                      Commission refrain from including
                                             data request.’’ 70 In particular, NERC                   would not implicate the ESP, but could                   unsuccessful attempts to compromise an
                                             states that it ‘‘would consider the                      impact or attempt to impact a BES Cyber                  ESP-associated EACMS in the revised
                                             common understanding of adverse                          Asset or System. APS states, however,                    definition of a Cyber Security
                                             activities that are early indicators of                  that ‘‘there are numerous EACMS for                      Incident.’’ 86 ITC notes that responsible
                                             compromise, such as campaigns against                    which a compromise scenario would                        entity systems with publicly-visible IP
                                             industrial control systems, to help refine               not be critical or allow potential access                addresses ‘‘sustain a regular stream of
                                             the parameters.’’ 71 In addition, NERC                   to an ESP.’’ 78 Therefore, APS maintains                 denial of service attempts, phishing
                                             notes that EACMS, as defined in the                      that an evaluation of the functions of                   emails, attempted firewall breaches,
                                             NERC Glossary, include a wide variety                    various EACMS is needed before they                      untargeted and targeted malware, and
                                             of devices that perform control and                      can be included in any reporting                         other common cybersecurity threats for
                                             monitoring functions. NERC states                        requirement.                                             which countermeasures are well-
                                             further that it ‘‘needs to consider                         46. BPA states that a broader                         established and which pose a miniscule
                                             whether to define the reporting                          definition of a Reportable Cyber                         chance of success.’’ 87 ITC states that
                                             threshold to differentiate between the                   Security Incident is necessary since the                 including ‘‘attempted compromises of
                                             various types of EACMS for reporting                     current definition only addresses actual                 ESP-associated EACMS would appear to
                                             purposes.’’ 72 Therefore, NERC requests                  compromises. BPA avers that                              require reporting for a sizeable number
                                             that the Commission provide flexibility                  ‘‘information about certain attempts to                  of these common events.’’ 88 Therefore,
                                             in refining the threshold for Cyber                      compromise will likely better assist the                 ITC states that while it ‘‘supports
                                             Security Incident reporting.                             industry in preventing successful cyber                  expanding the definition of Reportable
                                                44. Trade Associations, APS, BPA,                     attacks.’’ 79 BPA states that the current                Cyber Incidents to include incidents
                                             EnergySec, Resilient Societies, IRC, ITC,                definition of a Cyber Security Incident                  that compromise, or attempt to
                                             and NYPSC generally support the                          is a good starting point for a revision                  compromise, a responsible entity’s ESP,
                                             reporting threshold proposed in the                      since it includes attempts to                            ITC would urge the Commission to
                                             NOPR, but caution that any new or                        compromise or disrupt. BPA cautions,                     direct NERC to include only actual
                                             modified requirements should be                          however, that the current definition of                  breaches of a responsible entity’s ESP-
                                             properly scoped. Trade Associations                      Cyber Security Incident ‘‘may be too                     associated EACMS, and not attempted-
                                             state that the NOPR proposal ‘‘is                        broad and result in overreporting of                     but-unsuccessful compromises.’’ 89
                                             potentially overbroad and could result                   information.’’ 80                                        NYPSC notes that ‘‘[f]ailed cyber attacks
                                             in unduly burdensome reporting                              47. EnergySec states that it ‘‘generally              occur on a continuous basis, all the
                                             requirements that reduce awareness of                    agree[s] that successful attacks against                 time. . .’’ and, therefore, ‘‘[a] reporting
                                             significant cyber threats.’’ 73 Trade                    ESPs and EACMS should be within the                      requirement of every attempted security
                                             Associations also contend that a new or                  scope of reporting; [but] disagree[s] with
                                                                                                      the proposal to include attempted                          81 EnergySec   Comments at 3–4.
                                               67 Id.                                                                                                            82 Id. at 4.
                                                      at 7.
daltland on DSKBBV9HB2PROD with RULES




                                               68 Id. at 8.                                                74 Id. (emphasis in original).                        83 Resilient Societies Comments at 14.

                                               69 Id. at 9.                                                75 Id. at 5.                                          84 IRC Comments at 5.

                                               70 Id. at 9.                                                76 APS Comments at 9.                                 85 Id. at 3–4.

                                               71 Id. at 9.                                                77 Id.                                                86 ITC Comments at 5.

                                               72 Id. at 9.                                                78 Id.                                                87 Id. at 5.

                                               73 APPA, et al. Comments at 5 (emphasis in                  79 BPA Comments at 3.                                 88 Id. at 5.

                                             original).                                                    80 Id. at 3.                                          89 Id. at 5.





[[Page 36735]]

attack may be overly burdensome for reporting entities.''\90\ NYPSC ``suggests FERC consider developing clear criteria of the required reporting based on its review of the comments and recommendations from reporting entities.''\91\
    49. Idaho Power states that ``additional reporting requirements do not increase cyber security.''\92\ Idaho Power contends that ``additional administrative burdens such as reporting requirements reduce the finite resources that entities have to monitor and defend their critical infrastructure.''\93\ In addition, Idaho Power states that EACMS ``should be excluded from any additional requirements and only BES Cyber Systems and associated devices should be included in any further reporting requirements.''\94\
    50. Other commenters support expanding the enhanced reporting requirement beyond what was proposed in the NOPR. NRG supports the NOPR proposal to direct NERC to develop modifications to the CIP Reliability Standards to improve the reporting of Cyber Security Incidents. NRG also supports including EACMS as a threshold for reporting. In addition, NRG ``recommends that the scope of the NOPR avoid limiting the requirement to High and Medium Impact BES Cyber Systems.''\95\ Specifically, NRG notes that the NOPR proposal ``would limit the requirement to High and Medium Impact BES Cyber Systems as ESPs and EACMS are not required establishments at Low Impact BES Cyber Systems.''\96\ Therefore, NRG states that ``any modification to the referenced CIP Reliability Standards should be applicable to all BES Cyber Systems with External Routable Communications.''\97\
    51. Appelbaum supports the NOPR proposal to include the attempted or actual compromise of an ESP or EACMS in the mandatory reporting requirement. However, Appelbaum ``propose[s] the Commission consider adding Physical Security Perimeters and Physical Access Control Systems (PACS) as well.''\98\ Simon supports the NOPR proposal, but encourages the Commission to broaden the directive to include low impact BES Cyber Systems. Specifically, Simon states that ``[o]mission of mandatory reporting for the disruption, or an attempt to disrupt, the operation of electronic access controls for BES assets with low impact BES Cyber Systems leaves a large blind spot in the Commission's effort to learn of efforts to harm the reliable operation of the bulk electric system.''\99\ Isologic does not support limiting Cyber Security Incident reporting to situations involving an entity's ESP or associated EACMS. Isologic states that ``there are few CIP standards for `secure perimeters' and for the mass of BES Low Impact Facilities, (substations), security is at the fence line, not in ESPs.''\100\

3. Commission Determination

    52. The record in this proceeding supports establishing the compromise or attempted compromise of an ESP as the appropriate threshold for a Reportable Cyber Security incident. In addition, with exceptions, the comments support including EACMS associated with an ESP as part of the reporting threshold. As NERC notes, an ``ESP protects some of the most important Cyber Assets and the EACMS control or monitor access to those Cyber Assets.''\101\ While we believe that ESPs and EACMS should be within the scope of a broadened reporting requirement, the comments, correctly in our view, point to the need to establish an appropriate scope for reporting. As NERC states, ``there is still a need to refine the scope of the proposed directive to ensure that it would provide meaningful data without overburdening entities.''\102\ This concern is reflected in a number of comments, pointing to the need to identify the appropriate assets to monitor (for example, only EACMS associated with an ESP) and to clearly define an ``attempt to compromise.''\103\
    53. The comments generally support the view that NERC should have the flexibility to establish an appropriate reporting threshold. We recognize the need for a certain level of flexibility and believe that it is appropriate for NERC to address the specific reporting threshold through the standards development process. However, as discussed further below, we provide guidance on certain aspects of how NERC should identify EACMS for reporting purposes and what types of attempted compromise must be reported.
    54. With regard to identifying EACMS for reporting purposes, NERC's reporting threshold should encompass the functions that various electronic access control and monitoring technologies provide. Those functions must include, at a minimum: (1) Authentication; (2) monitoring and logging; (3) access control; (4) interactive remote access; and (5) alerting.\104\ Reporting a malicious act or suspicious event that has compromised, or attempted to compromise, a responsible entity's EACMS that perform any of these five functions would meet the intended scope of the directive by improving awareness of existing and future cyber security threats and potential vulnerabilities. Since responsible entities are already required to monitor and log system activity under Reliability Standard CIP-007-6, the incremental burden of reporting of the compromise or attempted compromise of an EACMS that performs the identified functions should be limited, especially when compared to the benefit of the enhanced situational awareness that such reporting will provide.
    55. With regard to the definition of ``attempted compromise'' for reporting purposes, we consider attempted compromise to include an unauthorized access attempt or other confirmed suspicious activity. ITC raises a concern that including unsuccessful attempts to compromise an EACMS associated with an ESP would require reporting a significant number of events. We note, however, that limiting the reporting threshold to only EACMS that are associated with an ESP should limit the reporting burden since these assets should be located apart from the responsible entity's broader business IT networks. Moreover, as discussed in the next section, we also believe that a flexible reporting timeline that reflects the severity of a Cyber Security Incident could also help address the potential burden of reporting attempted compromises.
    56. With regard to BPA's suggestion that a revised definition of Reportable Cyber Security Incident is necessary, as discussed above, revisions to the current definition of Reportable Cyber Security
---------------------------------------------------------------------------

    \90\ NYPSC Comments at 5-6.
    \91\ Id. at 6.
    \92\ Idaho Power Comments at 2.
    \93\ Id.
    \94\ Id.
    \95\ NRG Comments at 5.
    \96\ Id. at 2.
    \97\ Id.
    \98\ Appelbaum Comments at 7.
    \99\ Simon Comments at 4.
    \100\ Isologic Comments at 7.
    \101\ NERC Comments at 7.
    \102\ Id. at 9.
    \103\ See NERC Comments at 9, APPA, et al. Comments at 5, APS Comments at 9, BPA Comments at 3, EnergySec Comments at 3, IRC Comments at 3-4, ITC Comments at 5, NYPSC Comments at 6.
    \104\ See NERC Glossary of Terms definition of EACMS. See also Reliability Standard CIP-006-6, Requirement R1.5 (Physical Security Plan) at 10 (``[i]ssue an alarm or alert in response to detected unauthorized access'' to certain High and Medium Impact BES Cyber Systems and associated EACMS); Reliability Standard CIP-007-6, Requirement R4.2 (Security Event Monitoring) at 16; and Reliability Standard CIP-007-6, Requirement R5.7 (System Access Control) at 25.
---------------------------------------------------------------------------

[[Page 36736]]

Incident could address certain aspects of the NOPR proposal, although a modified definition alone would not address the need to specify the required information in cyber security incident reports to improve the quality of reporting and allow for ease of comparison, or establish deadlines for submitting a report to facilitate timely information sharing. Therefore, although we believe that a modified definition of Reportable Cyber Security Incident could address part of the Commission's concerns, additional modifications to the Reliability Standards would be necessary to meet the security objective of the directives discussed herein.
    57. A number of commenters request that we expand the directive to include a broader scope of assets, including low impact BES Cyber Systems. However, we decline to expand the scope of Cyber Security Incident reporting beyond the ESP and associated EACMS at this time. The focus on ESPs and associated EACMS is intended to provide threat information on BES Cyber Systems that have the greatest impact on BES reliability while imposing a reasonable reporting burden on responsible

system performance.''\105\ NERC maintains that it has ``successfully shifted to using Section 1600 for other data collection efforts, such as the collection of reports on Protection System Misoperation.''\106\ NERC explains further that the Section 1600 process would be used to ``supplement the existing voluntary reporting of cyber security threats to E-ISAC.''\107\
    61. NERC states that the Section 1600 process ``provides many of the same benefits as Reliability Standards,'' such as stakeholder and Commission staff input.\108\ NERC also states that, similar to Reliability Standards, compliance with Section 1600 is mandatory. NERC explains that if a responsible entity does not respond to a Section 1600 data request, ``NERC has the authority under the [Rules of Procedure] to take such action as NERC deems appropriate to address a situation where a Rule of Procedure cannot practically be complied with or has been violated.''\109\ NERC explains that the Section 1600 data request process provides the flexibility to revise or update the data request, if necessary, as well as ``the flexibility to determine the appropriate timeline for submitting the data.''\110\

data request as needed to respond to rapidly-changing security threats.''\113\ Finally, LPPC opines that ``it seems appropriate to remove the data collection process from the enforcement process associated with mandatory Reliability Standards.''\114\
    63. APS, BPA, Resilient Societies, IRC, and NRG oppose the use of the Section 1600 process to facilitate enhanced Cyber Security Incident reporting. APS asserts that a request for data pursuant to Section 1600 would not effectively address the reporting gap and current lack of awareness of cyber-related incidents. Specifically, APS argues that a data request would create an independent, redundant reporting obligation to NERC or a regional entity and would subject the provisions of reported information to the confidentiality and data sharing processes set forth in Rules of Procedure Section 1500, unnecessarily delaying sharing and distribution of information.\115\ APS states further that the Section 1600 process ``adds significant additional administrative burden for all involved entities, which is inefficient and unnecessary and presents a potential obstacle to the very
                                             entities. Nevertheless, the Commission                   NERC states that while it may continue                  sharing and distribution that is a critical
                                             could revisit this issue if there is                     to use the Reliability Standards for data               part of the Commission’s objectives set
                                             demonstrated need for expanded Cyber                     collection for evidence of compliance or                forth in the NOPR.’’ 116
                                             Security Incident reporting.                             to facilitate sharing of information                       64. BPA comments that a data request
                                                58. Therefore, we adopt the NOPR                      between entities for BES operations, it                 is not an effective means of obtaining
                                             proposal and conclude that the                           ‘‘has found the [Rules of Procedure]                    information about cyber security
                                             compromise, or attempt to compromise,                    Section 1600 process to be effective for                incidents. BPA explains that Section
                                             a responsible entity’s ESP or associated                 data collection to assess system                        1600 data requests ‘‘are one time
                                             EACMS is a reasonable threshold for                      performance.’’ 111 NERC cites a standing                requests for existing data, and [. . .] not
                                             augmented Cyber Security Incident                        Section 1600 data request for entities to               the appropriate vehicle for ensuring
                                             reporting.                                               submit quarterly data on Protection                     ongoing reporting necessary to make
                                                                                                      System Misoperations as an example.                     data about Cyber Security Incidents
                                             C. Appropriate Procedural Approach To
                                                                                                         62. LPPC supports the use of the                     effective.’’ 117 Resilient Societies states
                                             Augment Cyber Security Incident
                                                                                                      Section 1600 process to facilitate                      that ‘‘[e]xamination of NERC Rules of
                                             Reporting
                                                                                                      enhanced Cyber Security Incident                        Procedure Section 1600 shows the
                                             1. NOPR                                                  reporting. LPPC states that it ‘‘supports               intent of [the] rule is to facilitate one-
                                                59. The NOPR proposed to direct                       a more flexible approach to collection of               time requests for data.’’ 118 Therefore,
                                             NERC to modify the CIP Reliability                       actionable information through the data                 Resilient Societies asserts that the
                                             Standards to augment the mandatory                       request process outlined in NERC ROP                    Section 1600 reporting procedures
                                             reporting of Cyber Security Incidents,                   Section 1600.’’ 112 LPPC asserts that the               ‘‘would be a poor fit for a standing order
                                             while also seeking comment on whether                    data request approach offers flexibility                for data on cybersecurity incidents that
                                             a request for data or information                        that the standards development process                  occur continually.’’ 119 NRG opposes the
                                             pursuant to Section 1600 of the NERC                     does not. Specifically, LPPC states that                use of the Section 1600 data request
                                             Rules of Procedure would effectively                     ‘‘compliance with a NERC data request                   process asserting that a request for data
                                             address the reporting gap.                               is mandatory for applicable entities,                   or information would neither address
                                                                                                      while the data request procedures                       the current lack of awareness of cyber-
                                             2. Comments                                              specified under [Rules of Procedure]                    related incidents, nor satisfy the goals of
                                               60. While NERC supports broadened                      Section 1600 also provide a more                        the proposed directive.
                                             mandatory Cyber Security Incident                        efficient process to update or revise a                    65. APS, as discussed above, suggests
                                             reporting, NERC does not support the                                                                             adopting the DOE Electric Disturbance
                                                                                                           105 NERC   Comments at 10.
                                             NOPR proposal to direct a modification
daltland on DSKBBV9HB2PROD with RULES




                                                                                                           106 Id.                                              113 Id.   at 7.
                                             to the Reliability Standards. Instead,                        107 Id.                                              114 Id.
                                             NERC requests flexibility to determine                        108 Id.                                              115 APS   Comments at 16.
                                             the appropriate reporting procedure.                          109 Id. at 11.                                       116 Id. at 16–17.
                                             Specifically, NERC proposes to ‘‘use the                      110 Id. at 12–13.                                    117 BPA Comments at 4.

                                             [Rules of Procedure] Section 1600                             111 Id. at 12.                                       118 Resilient Societies Comments at 15.

                                             process for gathering data used for                           112 LPPC Comments at 6–7.                            119 Id.




                                        VerDate Sep<11>2014   16:21 Jul 30, 2018   Jkt 244001   PO 00000     Frm 00014   Fmt 4700   Sfmt 4700   E:\FR\FM\31JYR1.SGM   31JYR1


                                                                  Federal Register / Vol. 83, No. 147 / Tuesday, July 31, 2018 / Rules and Regulations                                             36737

Events, Form OE-417 as the primary reporting tool for Cyber Security Events. EnergySec, for its part, suggests that the Commission could direct NERC to require entities to develop and implement an information sharing plan.120 According to EnergySec, such an approach should provide broad discretion to entities and ensure that compliance oversight efforts cannot result in second-guessing of decisions regarding which information to share, when, or with whom. IRC suggests, alternatively, that the Commission allow entities to comply with the reporting requirements by participating in the Cyber Risk Information Sharing program. IRC explains that the program allows entities to automatically report information to E-ISAC for analysis against classified information. IRC states that responsible entities that "automatically report indicators of compromise through these systems will share information at machine speed, and this should be considered superior to manual reporting, which requires much slower decision-making." 121

3. Commission Determination

    66. As discussed above, we adopt the NOPR proposal and direct NERC to develop modifications to the NERC Reliability Standards to improve mandatory reporting of Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the BES. We have considered the arguments raised in the comments for using Reliability Standards, Section 1600 information and data requests, and other vehicles to implement augmented Cyber Security Incident reporting. On balance, we conclude that broadened mandatory reporting pursuant to Reliability Standard requirements is more aligned with the seriousness and magnitude of the current threat environment and the more effective approach to improve awareness of existing and future cyber security threats and potential vulnerabilities.

    67. First, the development of a Reliability Standard provides the Commission with an opportunity to review and ultimately approve a new or modified Reliability Standard, ensuring that the desired goals of the directive are met. Moreover, the Reliability Standards development process allows for the collaboration of industry experts in developing a draft standard and also gives interested entities broader opportunity to participate and comment on any proposal that is developed. In contrast, NERC’s process for developing a Section 1600 data request provides for less stakeholder input and only informal review of a draft data request by Commission staff. Thus, in this circumstance, the standards development process is preferable for the development of augmented cyber incident reporting requirements that satisfy the scope of the Commission’s directive.

    68. Second, the development of a Reliability Standard provides better assurance of accurate, complete, and verifiable reporting of cyber security incidents. The Commission has well-defined authority and processes under section 215(e) of the FPA to audit and enforce compliance with a Reliability Standard. While NERC notes that a responsible entity must respond to a NERC Section 1600 data request, NERC cannot impose sanctions on registered entities who fail to respond to such data requests. Rather, a failure to comply would be a violation of the Commission’s regulations,122 requiring a referral to the Commission for action. Such a process would be a departure from the clearly defined processes used to enforce compliance with the Reliability Standards. Moreover, it is unclear how NERC would even learn of such a failure since, unlike mandatory Reliability Standards, compliance with Section 1600 data requests is not subject to regular audit. Accordingly, given the importance of accurate, complete, and verifiable cyber security incident reporting, we find that the more robust and well-established compliance and enforcement processes associated with mandatory Reliability Standards are desirable in this instance.

    69. Third, we are not persuaded by NERC’s assertion that a Section 1600 data request is preferable in this instance because it allows for flexibility and faster modification should a need arise for future revisions to the collection of cyber incident reporting data. We do not anticipate that there would be a need to change the parameters of the event report, given that the anticipated reporting requirements should not be technology-specific, but rather, broad enough to capture basic data even as the nature of cyber security incidents evolves. Specifically, the NOPR proposed that the minimum set of attributes to be reported should include: (1) The functional impact, where possible to determine, that the Cyber Security Incident achieved or attempted to achieve; (2) the attack vector that was used to achieve or attempted to achieve the Cyber Security Incident; and (3) the level of intrusion that was achieved or attempted as a result of the Cyber Security Incident. Since these attributes are general in nature and not technology specific, they would not need to be refined as the underlying cyber threats evolve, nor would they need to be refined quickly.

    70. In a similar vein, the assets (i.e., EACMS) subject to the enhanced reporting requirements should be identified based on function, as opposed to a specific technology that could require a modification in the reporting requirements should the underlying technology change. As discussed above, those functions must include, at a minimum: (1) Authentication; (2) monitoring and logging; (3) access control; (4) interactive remote access; and (5) alerting. Finally, since the level of attempted compromise that warrants reporting should reflect unauthorized access attempts and other confirmed suspicious activity, we do not anticipate that a modification would be required in the future. Nevertheless, should the situation demand a more timely change in data collection or should NERC desire to collect additional information that is outside the scope of the proposed Reliability Standard, NERC could use the Section 1600 data request process to supplement information reported under a mandatory Reliability Standard.

    71. Finally, requiring a data collection in a Reliability Standard is consistent with existing practices since responsible entities are currently required to maintain the types of information that would lead to a reportable Cyber Security Incident pursuant to Reliability Standard CIP-007-6, Requirement R4.1.

    72. While we recognize that NERC could likely develop a Section 1600 data request more quickly than a mandatory Reliability Standard, given the potential complexity of considering reporting requirements for the various EACMS, we believe that the technical depth of a standard development process is more appropriate for this case. Although NERC states that it has successfully used ROP Section 1600 to collect data on system performance, in this circumstance the information being reported relates to threats and potential compromises that may require immediate or near-term action as opposed to retrospective reporting on Misoperations, as Section 1600 has been used.

    73. We also do not support adopting the DOE Form OE-417 as the primary

    120 EnergySec Comments at 6.
    121 IRC Comments at 7.
    122 18 CFR 39.2(b) (2017) ("All entities subject to the Commission’s reliability jurisdiction . . . shall comply with applicable Reliability Standards, the Commission’s regulations, and applicable Electric Reliability Organization and Regional Entity Rules made effective under this part.").

36738    Federal Register / Vol. 83, No. 147 / Tuesday, July 31, 2018 / Rules and Regulations

reporting tool for reporting Cyber Security Incidents, as suggested by some commenters. The reporting criteria in our directive are distinguishable and more aligned with a risk management approach than the information requested in the DOE Form OE-417. Specifically, the DOE Form OE-417 has twelve generic criteria for filing a report to the DOE, of which only two reflect the criteria outlined in the NOPR proposal, which are discussed in the following section. The DOE Form OE-417 does not address factors such as attack vector, functional impact and level of intrusion. In addition, the definition of a "Cyber Event" in the DOE Form OE-417 filing instructions does not align with the definition of Cyber Security Incident in the NERC Glossary of Terms, let alone a Reportable Cyber Security Incident.123 Nor does the DOE Form OE-417 require reporting to E-ISAC or ICS-CERT as our directive requires.

    74. In sum, we conclude that modifications to the NERC Reliability Standards to improve mandatory reporting of Cyber Security Incidents, including incidents that might facilitate subsequent efforts to harm the reliable operation of the BES, is the appropriate approach to improve Cyber Security Incident reporting.

D. Content and Timing of a Cyber Security Incident Report

1. NOPR

    75. The NOPR proposed to direct that NERC modify the CIP Reliability Standards to specify the required content in a Cyber Security Incident report. Specifically, the NOPR proposed that the minimum set of attributes to be reported should include: (1) The functional impact, where possible, that the Cyber Security Incident achieved or attempted to achieve; (2) the attack vector that was used to achieve or

provided; and allowing for ease of comparison across reports by ensuring that each report includes specified fields of information. The NOPR sought comment on the proposed attributes and, more generally, the appropriate content for Cyber Security Incident reporting to improve awareness of existing and future cyber security threats and potential vulnerabilities.

    76. In addition, the NOPR proposed to direct NERC to establish requirements outlining deadlines for filing a report once a compromise or disruption to reliable BES operation, or an attempted compromise or disruption, is identified by a responsible entity. The NOPR stated that the reporting timeline should reflect the actual or potential threat to reliability, with more serious incidents reported in a more timely fashion. The NOPR explained that a reporting timeline that takes into consideration the severity of a Cyber Security Incident should minimize potential burdens on responsible entities.

    77. The NOPR also proposed that the reports submitted under the enhanced mandatory reporting requirements would be provided to E-ISAC, similar to the current reporting scheme under Reliability Standard CIP-008-5, as well as ICS-CERT or any successor organization. While the NOPR stated that the detailed incident report would not be submitted to the Commission, the NOPR proposed to direct NERC to file publicly an annual report reflecting the Cyber Security Incidents reported to NERC during the previous year. Specifically, the NOPR proposed to direct NERC to file annually an anonymized report providing an aggregated summary of the reported information, similar to the ICS-CERT annual report.124

2. Comments

    78. NERC supports the minimum set

Specifically, NERC states that it "will determine an appropriate deadline for reports so that NERC can use the data for awareness and early indicators of potential compromise but also consider whether reporting for historical analysis can provide insight to the trends and effectiveness of industry’s security controls." 126

    79. ITC, IRC, and NRG support the minimum set of reporting attributes proposed in the NOPR. ITC states that the NOPR proposal reflects "a reasonable set of baseline requirements for reporting." 127 While ITC raises a concern that the collective information in a report could potentially lead to the identification of the reporting entity, ITC states that it "will work within the NERC stakeholder and standards development process to ensure that the Standards submitted in response to the Commission’s final rule are structured to preserve anonymity to the maximum extent practicable." 128 IRC asserts that "it will be beneficial for responsible entities to report indicators of compromise that are detected in potential cyberattacks against their systems in standard form." 129 NRG recommends that mandatory reporting include: "content Date, Time, Duration of Incident, Origination of the attack, threat vector, targeted system (or OS), vulnerability exploited, [and] method used to stop/prevent the attack." 130

    80. Appelbaum, APS, EnergySec, Resilient Societies, and Idaho Power raise concerns with the minimum set of reporting attributes proposed in the NOPR. According to Appelbaum, a count by category of asset, attack vector, and impact is sufficient for the mandatory reporting. APS contends that "because each entity’s network topology, architecture, applications, and other characteristics are different, any requirement to provide the functional
                                                                                                                                                                impact and level of intrusion as part of
                                             attempt to achieve the Cyber Security                    of reporting attributes proposed in the
                                                                                                                                                                reporting is of very low value and
                                             Incident; and (3) the level of intrusion                 NOPR, stating that ‘‘this level of detail
                                                                                                                                                                should not be included as mandatory
                                             that was achieved or attempted as a                      regarding each reported Cyber Security
                                                                                                                                                                attributes of reporting.’’ 131
                                             result of the Cyber Security Incident.                   Incident will not only help NERC
                                                                                                                                                                   81. APS, however, ‘‘agrees that
                                             The NOPR noted that the proposed                         understand the specific threat but also
                                                                                                                                                                information regarding attack vectors
                                             attributes are the same as attributes                    help NERC understand trends in threats
                                                                                                                                                                could be more relevant, actionable
                                             already used by DHS for its multi-sector                 over time.’’ 125 NERC also does not
                                                                                                                                                                information to be shared.’’ 132 EnergySec
                                             reporting and summarized by DHS in an                    oppose either filing an annual,
                                                                                                                                                                expresses concern that including the
                                             annual report. The NOPR stated that                      anonymized summary of the reports
                                                                                                                                                                proposed set of reporting attributes as a
                                             specifying the required content should                   with the Commission, or submitting the
                                                                                                                                                                requirement could be construed to
                                             improve the quality of reporting by                      reports of U.S.-based entities to the ICS–
                                                                                                                                                                require significant forensic and analysis
                                             ensuring that basic information is                       CERT in addition to E–ISAC. Finally,
                                                                                                                                                                efforts. Resilient Societies suggests that
                                                                                                      while NERC supports the concept of
daltland on DSKBBV9HB2PROD with RULES




                                               123 See Department of Energy Electric Emergency        imposing a deadline for entities to                         126 Id.
                                             Incident and Disturbance Report—Form OE 417.             submit full reports of Cyber Security                       127 ITC   Comments at 6.
                                             Form OE–417 defines a Cyber Event as a disruption        Incidents, NERC requests flexibility to                     128 Id.
                                             on the electrical system and/or communication
                                             system(s) caused by unauthorized access to
                                                                                                      determine the appropriate timeframe.                        129 IRC  Comments at 7.
                                                                                                                                                                  130 NRG   Comments at 5.
                                             computer software and communications systems or
                                                                                                           124 NOPR,   161 FERC ¶ 61,291 at 42.                   131 APS Comments at 11–12.
                                             networks including hardware, software, and data.
                                             https://www.oe.netl.doe.gov/oe417.aspx.                       125 NERC   Comments at 14.                             132 Id. at 12.




                                        VerDate Sep<11>2014   16:21 Jul 30, 2018   Jkt 244001   PO 00000    Frm 00016     Fmt 4700   Sfmt 4700    E:\FR\FM\31JYR1.SGM   31JYR1


[[Page 36739]]

the Commission leverage prior work done by the federal government as opposed to establishing new report content. Specifically, Resilient Societies suggests that the Commission adopt the US–CERT "Federal Incident Notification Guidelines." Idaho Power states that a "description of the event and the system(s) affected along with a fact pattern describing the situation and known information at the time the report is submitted should be sufficient."[133]

82. With regard to the timing of reports, ITC questions whether an initial report of a Cyber Security Incident would have to be submitted to ICS–CERT as well as E–ISAC. ITC opines that "the existing one-hour reporting requirement poses a significant compliance challenge, and that requiring that the initial report also be provided to ICS–CERT would be unworkable under that timeframe."[134] IRC states that "[t]he timeframe for completing a full report depends on the scale and scope of the investigation [and] FERC should consider requiring that reports be updated at a certain frequency until the full report is complete."[135] IRC recommends a 90-day update requirement until a report is finalized. NRG recommends that Cyber Security Incident reports should be submitted after existing industry processes have been followed relating to Incident Reporting and Response Plans. In addition, NRG recommends that the Commission consider directing NERC to file a quarterly report in addition to the annual report.

83. APS recommends aligning the timing of any mandatory reporting obligations with the timing dictated in Form OE–417. APS contends that reporting events that "could, but didn't, cause harm to the BES and/or facilitate subsequent efforts to harm . . . should be far enough removed from the incident to not divert resources from incident response and to ensure that enough details are known about the incident to provide an accurate, thorough report."[136]

84. EnergySec agrees that clear timelines should be included in any new mandatory Cyber Security Incident requirements. EnergySec further comments that the timelines should factor in the severity of the incident and the level of effort required to complete an investigation. Resilient Societies offers that "[i]n an ideal world, reporting of cybersecurity incidents would take place at machine speed" and suggests that the Commission "allow and preferably require automated reporting, at least for an initial report."[137] Idaho Power states that, should the Commission require timelines for reporting, it should ensure that an entity has adequate time to analyze each event before the reporting deadline.

85. Lasky supports entities being required to report Cyber Security Incidents to both E–ISAC and ICS–CERT, and states that "it would be prudent to report all incidents to the United States Cyber Emergency Response Team (US–CERT)" as well.[138]

3. Commission Determination

86. As discussed below, we adopt the NOPR proposal on minimum reporting attributes and timing, in response to the commenters' concerns, but we also leave discretion to NERC to develop the reporting timelines in the standards development process by considering several factors so that the timelines provide for notice based upon the severity of the event and the risk to BES reliability, with updates to follow initial reports.

87. The comments generally support the proposed minimum set of reporting attributes. For example, NERC supports the proposed content for a Cyber Security Incident report, while requesting flexibility to determine the appropriate reporting timeframe. As noted by ITC, the NOPR proposal reflects "a reasonable set of baseline requirements for reporting."[139] Certain comments do raise concerns with the proposed reporting attributes, especially in the case of attempts versus actual compromises.

88. In our view, a new or revised Cyber Security Incident report should include, at a minimum, the information outlined in the NOPR proposal, where available. Specifically, the minimum set of attributes to be reported should include: (1) The functional impact, where possible, that the Cyber Security Incident achieved or attempted to achieve; (2) the attack vector that was used to achieve or attempted to achieve the Cyber Security Incident; and (3) the level of intrusion that was achieved or attempted or as a result of the Cyber Security Incident. In addition, we agree that any reporting requirement should not take away from efforts to mitigate a potential compromise.

89. With regard to timing, we conclude that NERC should establish reporting timelines for when the responsible entity must submit Cyber Security Incident reports to the E–ISAC and ICS–CERT based on a risk impact assessment and incident prioritization approach to incident reporting.[140] This approach would establish reporting timelines that are commensurate with the adverse impact to the BES that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES. Higher risk incidents, such as detecting malware within the ESP and associated EACMS or an incident that disrupted one or more reliability tasks, could trigger the report to be submitted to the E–ISAC and ICS–CERT within a more urgent timeframe, such as within one hour, similar to the current reporting deadline in Reliability Standard CIP–008–5.[141] For lower risk incidents, such as the detection of attempts at unauthorized access to the responsible entity's ESP or associated EACMS, an initial reporting timeframe between eight and twenty-four hours would provide an early indication of potential cyber attacks.[142] For situations where a responsible entity identifies other suspicious activity associated with an ESP or associated EACMS, a monthly report could, as NERC states, assist in the analysis of trends in activity over time.[143]

90. With regard to the appropriate recipients for Cyber Security Incident reports, we determine that the reports should be provided to E–ISAC, similar to the current reporting scheme under Reliability Standard CIP–008–5, as well as ICS–CERT or its successor.[144]

[133] Idaho Power Comments at 3.
[134] ITC Comments at 7.
[135] IRC Comments at 8.
[136] APS Comments at 13.
[137] Resilient Societies Comments at 15.
[138] Lasky Comments at 1.
[139] ITC Comments at 6.
[140] Similar to the Cyber Incident Severity Schema in DHS's National Cyber Incident Response Plan, Annex D (Reporting Incidents to the Federal Government) at 41 (2016), https://www.us-cert.gov/sites/default/files/ncirp/National_Cyber_Incident_Response_Plan.pdf.
[141] An example of incident categories is the Chairman of the Joint Chiefs of Staff Manual, Cyber Incident Handling Program, Enclosure B, Appendix A to Enclosure B (Cyber Incident and Reportable Cyber Event Categorization) (2012), http://www.jcs.mil/Portals/36/Documents/Library/Manuals/m651001.pdf?ver=2016-02-05-175710-897.
[142] See Department of Energy Electric Emergency Incident and Disturbance Report, Form OE–417 (six-hour reporting deadline for cyber events that could potentially impact electric power system reliability) found at: https://www.oe.netl.doe.gov/docs/OE417_Form_05312021.pdf; Nuclear Regulatory Commission Regulatory Guide 5.71 (four-hour reporting deadline for cyber events that could have caused an adverse impact) found at: https://www.nrc.gov/docs/ML0903/ML090340159.pdf; see also Reliability Standard EOP–004–3 (Event Reporting), Requirement R2 (requiring a report within twenty-four hours for events that impact or may impact BES reliability).
[143] See NERC Comments at 14.
[144] The DHS ICS–CERT is undergoing a reorganization and rebranding effort. In the event
[[Page 36740]]

Reporting directly to E–ISAC and ICS–CERT will result in cyber threat information being provided to the organizations best suited to analyze and, to the extent necessary, timely inform responsible entities of cyber threats. In addition, reporting directly to E–ISAC and ICS–CERT addresses the concerns discussed above regarding the confidentiality of reported Cyber Security Incident information. We also find that it is reasonable for NERC to file annually an anonymized report providing an aggregated summary of the reported information, similar to the ICS–CERT annual report. The annual report will provide the Commission, NERC, and the public a better understanding of any Cyber Security Incidents that occurred during the prior year without releasing information on specific responsible entities or Cyber Security Events.

91. Therefore, we conclude that the minimum set of attributes to be reported should include: (1) The functional impact, where possible, that the Cyber Security Incident achieved or attempted to achieve; (2) the attack vector that was used to achieve or attempted to achieve the Cyber Security Incident; and (3) the level of intrusion that was achieved or attempted or as a result of the Cyber Security Incident. NERC may augment the list should it determine that additional information would benefit situational awareness of cyber threats. As discussed above, we also conclude that NERC should establish a reporting timeline that provides for notice based upon the severity of the event and the risk to BES reliability, with updates to follow initial reports. We also support the adoption of an online reporting tool to streamline reporting and reduce burdens on responsible entities to the extent the option is available.[145]

E. Other Issues

1. Comments

92. NYPSC supports the NOPR

Therefore, NYPSC argues that appropriate state entities should also be provided with the cyber reporting information when it is filed with the "federal authorities."

93. Microsoft raises a concern that the NOPR proposal is not clear as to whether the modified CIP Reliability Standards would apply to responsible entities that use a commercial cloud service to operate cloud-based BES Cyber Systems. Specifically, Microsoft requests that the Commission "confirm that cloud service providers that provide services to Registered Entities are not required to register with NERC based on their provision of [cloud-based] services, and . . . are not responsible for compliance with the CIP Reliability Standards."[147] Microsoft asserts that clarifying the status of cloud service providers is important to foster technical innovation.

2. Commission Determination

94. While we appreciate NYPSC's interest in receiving Cyber Security Incident reports when reported to E–ISAC and ICS–CERT, state entities will have access to the same information that is reported to the Commission (i.e., the annual, anonymized summary). Should a state entity determine that it requires additional information from a responsible entity under its jurisdiction, the state entity can work within its own jurisdiction to procure additional information. Our directive is intended to enhance the quality of information received by E–ISAC and ICS–CERT, and directing additional sharing with state entities is outside the scope of this proceeding.

95. We decline to grant Microsoft's requested clarification regarding the potential registration status of cloud service providers because it is outside the scope of this proceeding. Specifically, Microsoft's requested clarification addresses a question regarding registration of cloud service

Paperwork Reduction Act of 1995.[148] OMB's regulations require approval of certain information collection requirements imposed by agency rules.[149] Upon approval of a collection of information, OMB will assign an OMB control number and expiration date. Respondents subject to the filing requirements of this rule will not be penalized for failing to respond to these collections of information unless the collections of information display a valid OMB control number. The Commission solicits comments on the Commission's need for this information, whether the information will have practical utility, the accuracy of the burden estimates, ways to enhance the quality, utility, and clarity of the information to be collected or retained, and any suggested methods for minimizing respondents' burden, including the use of automated information techniques.

97. The Commission will submit these proposed reporting requirements to OMB for its review and approval under section 3507(d) of the PRA because the Final Rule results in nonsubstantive/non-material changes in paperwork burden. The Final Rule directs NERC to make Cyber Security reporting changes across all applicable Reliability Standards. These proposed changes will be covered by the FERC–725 information collection (Certification of Electric Reliability Organization; Procedures for Electric Reliability Standards) [OMB Control No. 1902–0225]. FERC–725 includes the ERO's overall responsibility for developing Reliability Standards to include any Reliability Standards that relate to Cyber Security Incident reporting. There will be no change to the Public Reporting Burden as it affects the FERC–725 information collection.

98. Comments are solicited on the Commission's need for the information proposed to be reported, whether the information will have practical utility,
                                             proposal, but notes that if the                          providers under the NERC functional                       ways to enhance the quality, utility, and
                                             Commission adopts the NOPR proposal,                     model, as opposed to the specifics of                     clarity of the information to be
                                             ‘‘the only additional information that                   enhanced Cyber Security Incident                          collected, and any suggested methods
                                             state entities would gain is an annual                   reporting. The purpose of this                            for minimizing the respondent’s burden,
                                             compilation of incidents reported to                     proceeding is not to make a                               including the use of automated
                                             federal entities.’’ 146 NYPSC claims that                determination regarding the registration                  information techniques.
                                             an annual report would not provide                       status of cloud service providers and we                    99. Internal review: The Commission
                                             states with sufficient information on a                  have not received input from other                        has reviewed the approved changes and
                                             timely basis so that they can ensure that                interested entities.                                      has determined that the changes are
                                             corrective actions can be taken.                                                                                   necessary to ensure the reliability and
                                                                                                      III. Information Collection Statement
                                                                                                                                                                integrity of the Nation’s Bulk-Power
daltland on DSKBBV9HB2PROD with RULES




                                             that ICS–CERT no longer exists, its successor will          96. The FERC–725 information                           System.
                                             assume the role as incident report recipient.            collection requirements contained in                        100. Interested persons may obtain
                                                145 An online reporting tool will streamline the
                                                                                                      this Final Rule are subject to review by                  information on the reporting
                                             effort and allow for direct input into a database for    the Office of Management and Budget
                                             a faster turnaround to those that may need to know
                                                                                                                                                                requirements by contacting the
                                             about the information. For example, see https://         (OMB) under section 3507(d) of the
                                             www.us-cert.gov/forms/report.                                                                                        148 44   U.S.C. 3507(d) (2012).
                                                146 NYPSC Comments at 4–5.                                 147 Microsoft   Comments at 1.                         149 5   CFR 1320.11 (2017).



                                        VerDate Sep<11>2014   16:21 Jul 30, 2018   Jkt 244001   PO 00000     Frm 00018     Fmt 4700   Sfmt 4700   E:\FR\FM\31JYR1.SGM     31JYR1


                                                                 Federal Register / Vol. 83, No. 147 / Tuesday, July 31, 2018 / Rules and Regulations                                                    36741

                                             following: Federal Energy Regulatory                     are rules that are clarifying, corrective,                 Appendix Commenters
                                             Commission, 888 First Street NE,                         or procedural or that do not                               Jonathan Appelbaum (Appelbaum)
                                             Washington, DC 20426 [Attention: Ellen                   substantially change the effect of the                     American Public Power Association,
                                             Brown, Office of the Executive Director,                 regulations being amended.152 The                            Electricity Consumers Resource Council,
                                             email: DataClearance@ferc.gov, phone:                    actions proposed herein to augment                           and Transmission Access Policy Study
                                             (202) 502–8663, fax: (202) 273–0873].                    current reporting requirements fall                          Group (Trade Associations)
                                               101. For submitting comments                           within this categorical exclusion in the                   Applied Control Solutions (ACS)
                                             concerning the collection(s) of                          Commission’s regulations.                                  Arizona Public Service Company (APS)
                                                                                                                                                                 Bonneville Power Administration (BPA)
                                             information and the associated burden                    VI. Document Availability                                  Edison Electric Institute and National Rural
                                             estimate(s), please send your comments                                                                                Electric Cooperative Association (EEI/
                                             to the Commission, and to the Office of                    106. In addition to publishing the full                    NRECA)
                                             Management and Budget, Office of                         text of this document in the Federal                       Douglas E. Ellsworth (Ellsworth)
                                             Information and Regulatory Affairs, 725                  Register, the Commission provides all                      Energy Sector Security Consortium
                                             17th Street NW, Washington, DC 20503                     interested persons an opportunity to                         (EnergySec)
                                             [Attention: Desk Officer for the Federal                 view and/or print the contents of this                     Eversource Energy Service Company
                                                                                                      document via the internet through the                        (Eversource)
                                             Energy Regulatory Commission, phone:
                                                                                                      Commission’s Home Page (http://                            Foundation for Resilient Societies (Resilient
                                             (202) 395–8528, fax: (202) 395–7285].                                                                                 Societies)
                                             For security reasons, comments to OMB                    www.ferc.gov) and in the Commission’s
                                                                                                                                                                 Frank Gaffney (Gaffney)
                                             should be submitted by email to: oira_                   Public Reference Room during normal                        Idaho Power Company (Idaho Power)
                                             submission@omb.eop.gov. Comments                         business hours (8:30 a.m. to 5:00 p.m.                     International Transmission Company (ITC)
                                             submitted to OMB should include                          Eastern time) at 888 First Street NE,                      ISO/RTO Council (IRC)
                                             Docket Number RM18–2–000 and OMB                         Room 2A, Washington, DC 20426.                             Isologic LLC (Isologic)
                                             Control Number 1902–0225.                                  107. From the Commission’s Home                          Jerry Ladd (Ladd)
                                                                                                      Page on the internet, this information is                  Large Public Power Council (LPPC)
                                             IV. Regulatory Flexibility Act Analysis                  available on eLibrary. The full text of                    Mary D. Lasky (Lasky)
                                                                                                      this document is available on eLibrary                     Michael Mabee (Mabee)
                                               102. The Regulatory Flexibility Act of                                                                            Garland T. McCoy (McCoy)
                                             1980 (RFA) 150 generally requires a                      in PDF and Microsoft Word format for
                                                                                                                                                                 Microsoft Corporation (Microsoft)
                                             description and analysis of final rules                  viewing, printing, and/or downloading.                     New York Public Service Commission
                                             that will have significant economic                      To access this document in eLibrary,                         (NYPSC)
                                             impact on a substantial number of small                  type the docket number of this                             North American Electric Reliability
                                             entities.                                                document, excluding the last three                           Corporation (NERC)
                                               103. By only proposing to direct                       digits, in the docket number field. User                   NRG Energy (NRG)
                                                                                                      assistance is available for eLibrary and                   Fred Reitman (Reitman)
                                             NERC, the Commission-certified ERO, to
                                                                                                      the Commission’s website during                            Preston L. Schleinkofer (Schleinkofer)
                                             develop modified Reliability Standards                                                                              Mark S. Simon (Simon)
                                             for Cyber Security Incident reporting,                   normal business hours from the
                                                                                                                                                                 Karen Testerman (Testerman)
                                             this Final Rule will not have a                          Commission’s Online Support at (202)                       U.S. Chamber of Commerce (Chamber)
                                             significant or substantial impact on                     502–6652 (toll free at 1–866–208–3676)
                                                                                                                                                                 [FR Doc. 2018–16242 Filed 7–30–18; 8:45 am]
                                             entities other than NERC. Therefore, the                 or email at ferconlinesupport@ferc.gov,
                                                                                                                                                                 BILLING CODE 6717–01–P
                                             Commission certifies that this Final                     or the Public Reference Room at (202)
                                             Rule will not have a significant                         502–8371, TTY (202) 502–8659. Email
                                             economic impact on a substantial                         the Public Reference Room at
                                                                                                      public.referenceroom@ferc.gov.                             POSTAL REGULATORY COMMISSION
                                             number of small entities.
                                               104. Any Reliability Standards                         VII. Effective Date and Congressional                      39 CFR Part 3020
                                             proposed by NERC in compliance with                      Notification
                                             this rulemaking will be considered by                                                                               [Docket Nos. MC2010–21 and CP2010–36]
                                             the Commission in future proceedings.                       108. The Final Rule is effective
                                                                                                      October 1, 2018. The Commission has                        Update to Product Lists
                                             As part of any future proceedings, the
                                             Commission will make determinations                      determined that this Final Rule imposes
                                                                                                                                                                 AGENCY:    Postal Regulatory Commission.
                                             pertaining to the Regulatory Flexibility                 no substantial effect upon either NERC
                                                                                                      or NERC registered entities 153 and, with                  ACTION:   Final rule.
                                             Act based on the content of the
                                             Reliability Standards proposed by                        the concurrence of the Administrator of                    SUMMARY:   The Commission is updating
                                             NERC.                                                    the Office of Information and Regulatory                   the product lists. This action reflects a
                                                                                                      Affairs of OMB, that this rule is not a                    publication policy adopted by
                                             V. Environmental Analysis                                ‘‘major rule’’ as defined in section 351                   Commission order. The referenced
                                                105. The Commission is required to                    of the Small Business Regulatory                           policy assumes periodic updates. The
                                             prepare an Environmental Assessment                      Enforcement Fairness Act of 1996. This                     updates are identified in the body of
                                             or an Environmental Impact Statement                     Final Rule is being submitted to the                       this document. The product lists, which
                                             for any action that may have a                           Senate, House, and Government                              are re-published in its entirety, include
                                             significant adverse effect on the human                  Accountability Office.                                     these updates.
                                             environment.151 The Commission has                         By the Commission.                                       DATES: Effective Date: July 31, 2018. For
                                             categorically excluded certain actions                     Issued: July 19, 2018.                                   applicability dates, see SUPPLEMENTARY
                                             from this requirement as not having a                    Nathaniel J. Davis, Sr.,                                   INFORMATION.
daltland on DSKBBV9HB2PROD with RULES




                                             significant effect on the human                          Deputy Secretary.                                          FOR FURTHER INFORMATION CONTACT:
                                             environment. Included in the exclusion                                                                              David A. Trissell, General Counsel, at
                                                                                                        Note: The following appendix will not
                                               150 5                                                  appear in the Code of Federal Regulations.                 202–789–6800.
                                                    U.S.C. 601–612.
                                               151 Regulations Implementing the National                                                                         SUPPLEMENTARY INFORMATION:
                                             Environmental Policy Act of 1969, Order No. 486,              152 18   CFR 380.4(a)(2)(ii) (2017).                    Applicability Dates: April 2, 2018,
                                             FERC Stats. & Regs. ¶ 30,783 (1987).                          153 5   U.S.C 804(3)c.                                First-Class Package Service Contract 92


                                        VerDate Sep<11>2014   16:21 Jul 30, 2018   Jkt 244001   PO 00000     Frm 00019      Fmt 4700   Sfmt 4700   E:\FR\FM\31JYR1.SGM   31JYR1


