83 FR 53992 - Supply Chain Risk Management Reliability Standards
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission Federal Register Volume 83, Issue 208 (October 26, 2018)
Federal Energy Regulatory Commission
Federal Register Volume 83, Issue 208 (October 26, 2018)
| Page Range | 53992-54005 | |
| FR Document | 2018-23201 |
[Federal Register Volume 83, Number 208 (Friday, October 26, 2018)] [Rules and Regulations] [Pages 53992-54005] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2018-23201] ======================================================================= ----------------------------------------------------------------------- DEPARTMENT OF ENERGY Federal Energy Regulatory Commission 18 CFR Part 40 [Docket No. RM17-13-000; Order No. 850] Supply Chain Risk Management Reliability Standards AGENCY: Federal Energy Regulatory Commission, DOE. ACTION: Final rule. ----------------------------------------------------------------------- SUMMARY: The Federal Energy Regulatory Commission (Commission) approves supply chain risk management Reliability Standards CIP-013-1 (Cyber Security--Supply Chain Risk Management), CIP-005-6 (Cyber Security-- Electronic Security Perimeter(s)) and CIP-010-3 (Cyber Security-- Configuration Change Management and Vulnerability Assessments) submitted by the North American Electric Reliability Corporation (NERC). In addition, the Commission directs NERC to develop and submit modifications to the supply chain risk management Reliability Standards so that the scope of the Reliability Standards include Electronic Access Control and Monitoring Systems. DATES: This rule is effective December 26, 2018. FOR FURTHER INFORMATION CONTACT: Simon Slobodnik (Technical Information) Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6707, [email protected]. Patricia Eke (Technical Information) Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-8388, [email protected]. Kevin Ryan (Legal Information) Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6840, [email protected]. SUPPLEMENTARY INFORMATION: Before Commissioners: Cheryl A. LaFleur, Neil Chatterjee, and Richard Glick. 1. Pursuant to section 215(d)(2) of the Federal Power Act (FPA), the Commission approves supply chain risk management Reliability Standards CIP-013-1 (Cyber Security--Supply Chain Risk Management), CIP-005-6 (Cyber Security--Electronic Security Perimeter(s)) and CIP- 010-3 (Cyber Security--Configuration Change Management and Vulnerability Assessments).\1\ The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), submitted the supply chain risk management Reliability Standards for approval in response to a Commission directive in Order No. 829.\2\ As discussed below, we approve the supply chain risk management Reliability Standards as they are responsive to Order No. 829 and improve the electric industry's cybersecurity posture by requiring that entities mitigate certain cybersecurity risks associated with the supply chain for BES Cyber Systems.\3\ --------------------------------------------------------------------------- \1\ 16 U.S.C. 824o(d)(2). \2\ Revised Critical Infrastructure Protection Reliability Standards, Order No. 829, 156 FERC ] 61,050, at P 43 (2016). \3\ BES Cyber System is defined as ``[o]ne or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.'' Glossary of Terms Used in NERC Reliability Standards (NERC Glossary), http://www.nerc.com/files/glossary_of_terms.pdf. The acronym BES refers to the bulk electric system. --------------------------------------------------------------------------- [[Page 53993]] 2. The Commission has previously explained that the global supply chain affords significant benefits to customers, including low cost, interoperability, rapid innovation, and a variety of product features and choice.\4\ Despite these benefits, the global supply chain creates opportunities for adversaries to directly or indirectly affect the management or operations of companies with potential risks to end users. Supply chain risks include insertion of counterfeits or malicious software, unauthorized production, tampering, or theft, as well as poor manufacturing and development practices. Based on the record in this proceeding, we conclude that the supply chain risk management Reliability Standards largely address these supply chain cybersecurity risks as set out within the scope of Order No. 829. Among other things, the supply chain risk management Reliability Standards are forward-looking and objective-based and require each affected entity to develop and implement a plan that includes security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations.\5\ Consistent with Order No. 829, the Reliability Standards focus on the following four security objectives: (1) Software integrity and authenticity; (2) vendor remote access protections; (3) information system planning; and (4) vendor risk management and procurement controls. --------------------------------------------------------------------------- \4\ Revised Critical Infrastructure Protection Reliability Standards, Notice of Proposed Rulemaking, 152 FERC ] 61,054, at PP 61-62 (2015). \5\ Order No. 829, 156 FERC ] 61,050 at P 2. --------------------------------------------------------------------------- 3. The Commission also approves the supply chain risk management Reliability Standards' associated violation risk factors and violation severity levels. Regarding the Reliability Standards' implementation plan and effective date, we approve NERC's proposed implementation period of 18 months following the effective date of a Commission order. The NOPR proposed to reduce the implementation period to 12 months.\6\ However, as discussed below, the NOPR comments provide sufficient justification for adopting the 18-month implementation period proposed by NERC. Specifically, the comments clarify that technical upgrades are likely necessary to meet the Reliability Standards' security objectives, which could involve longer time-horizon capital budgets and planning cycles. --------------------------------------------------------------------------- \6\ Supply Chain Risk Management Reliability Standards, Notice of Proposed Rulemaking, 83 FR 3433 (January 25, 2018), 162 FERC ] 61,044 (2018) (NOPR). --------------------------------------------------------------------------- 4. While the supply chain risk management Reliability Standards address the Commission's directive in Order No. 829, we determine that there remains a significant cybersecurity risk associated with the supply chain for BES Cyber Systems because the approved Reliability Standards do not address Electronic Access Control and Monitoring Systems (EACMS).\7\ As we observed in the NOPR, it is widely recognized that the types of access and monitoring functions that are included within NERC's definition of EACMS, such as firewalls, are integral to protecting industrial control systems.\8\ Moreover, as stated in Order No. 848, EACMS, which include, for example, firewalls, authentication servers, security event monitoring systems, intrusion detection systems and alerting systems, control electronic access into Electronic Security Perimeters (ESP), play a significant role in the protection of high and medium impact BES Cyber Systems.\9\ Once an EACMS is compromised, an attacker could more easily enter the ESP and effectively control the BES Cyber System or Protected Cyber Asset.\10\ For example, the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) identifies firewalls as ``the first line of defense within an ICS network environment'' that ``keep the intruder out while allowing the authorized passage of data necessary to run the organization.'' \11\ ICS-CERT further explains that firewalls ``act as sentinels, or gatekeepers, between zones . . . [and] [w]hen properly configured, they will only let essential traffic cross security boundaries[,] . . . [i]f they are not properly configured, they could easily pass unauthorized or malicious users or content.'' \12\ Accordingly, if EACMS are compromised, that could adversely affect the reliable operation of associated BES Cyber Systems.\13\ Given the significant role that EACMS play in the protection scheme for medium and high impact BES Cyber Systems, we determine that EACMS should be within the scope of the supply chain risk management Reliability Standards to provide minimum protection against supply chain attack vectors. --------------------------------------------------------------------------- \7\ EACMS are defined as ``Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems.'' NERC Glossary. Reliability Standard CIP-002- 5.1a (Cyber Security -- BES Cyber System Categorization) states that examples of EACMS include ``Electronic Access Points, Intermediate Systems, authentication servers (e.g., RADIUS servers, Active Directory servers, Certificate Authorities), security event monitoring systems, and intrusion detection systems.'' Reliability Standard CIP-002-5.1a (Cyber Security -- BES Cyber System Categorization) Section A.6 at 6. \8\ NOPR, 162 FERC ] 61,044 at P 37. \9\ Cyber Security Incident Reporting Reliability Standards, Order No. 848, 164 FERC ] 61,033, at P 10 (2018). ESP is defined as ``[t]he logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol.'' NERC Glossary. \10\ Order No. 848, 164 FERC ] 61,033 at P 10. \11\ ICS-CERT, Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies at 23, https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf. \12\ Id. \13\ NOPR, 162 FERC ] 61,044 at P 37. --------------------------------------------------------------------------- 5. To address this gap, pursuant to section 215(d)(5) of the FPA,\14\ the Commission directs NERC to develop modifications to include EACMS associated with medium and high impact BES Cyber Systems within the scope of the supply chain risk management Reliability Standards.\15\ We direct NERC to submit the directed modifications within 24 months of the effective date of this final rule. --------------------------------------------------------------------------- \14\ 16 U.S.C. 824o(d)(5). \15\ Reliability Standard CIP-002-5.1a (Cyber Security System Categorization) provides a ``tiered'' approach to cybersecurity requirements, based on classifications of high, medium and low impact BES Cyber Systems. --------------------------------------------------------------------------- 6. Further, the NERC proposal does not address Physical Access Control Systems (PACS) \16\ and Protected Cyber Assets (PCA),\17\ with the exception of the modifications in Reliability Standard CIP-005-6, which apply to PCAs. We remain concerned that the exclusion of these components may leave a gap in the supply chain risk management Reliability Standards. Nevertheless, in contrast to EACMS, we believe that more study is necessary to determine the impact of PACS and PCAs in the context of the supply chain risk management Reliability Standards. [[Page 53994]] We distinguish among EACMS and the other Cyber Assets because compromise of PACS and PCAs are less likely. For example, a compromise of a PACS, which would potentially grant an attacker physical access to a BES Cyber System or PCA, is less likely since physical access is also required. In addition, PCAs typically become vulnerable to remote compromise only once EACMS have been compromised. Thus, we accept NERC's commitment to evaluate the cybersecurity supply chain risks presented by PACS and PCAs in the study of cybersecurity supply chain risks directed by the NERC Board of Trustees (BOT) in its resolutions of August 10, 2017.\18\ The Commission further directs NERC to file the BOT-directed final report with the Commission upon its completion.\19\ --------------------------------------------------------------------------- \16\ PACS are defined as ``Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers.'' NERC Glossary. Reliability Standard CIP-002-5.1a states that examples include ``authentication servers, card systems, and badge control systems.''Id. \17\ PCAs are defined as ``[o]ne or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same [Electronic Security Perimeter].'' NERC Glossary. Reliability Standard CIP-002-5.1a states that examples include, to the extent they are within the Electronic Security Perimeter, ``file servers, ftp servers, time servers, LAN switches, networked printers, digital fault recorders, and emission monitoring systems.'' Id. \18\ NERC Board of Trustees, Proposed Additional Resolutions for Agenda Item 9.a: Cyber Security--Supply Chain Risk Management--CIP- 005-6, CIP-010-3, and CIP-013-1 (August 10, 2017). \19\ As discussed later in this final rule, the NOPR proposed to direct NERC to file the BOT-directed interim report, due 12 months from the date of the BOT resolutions, as well as the final report, which is due 18 months from the date of the BOT resolutions. On September 7, 2018, NERC filed the BOT-directed interim report in this docket. --------------------------------------------------------------------------- I. Background A. Section 215 and Mandatory Reliability Standards 7. Section 215 of the FPA requires a Commission-certified ERO to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.\20\ Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,\21\ and subsequently certified NERC.\22\ --------------------------------------------------------------------------- \20\ 16 U.S.C. 824o(e). \21\ Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, FERC Stats. & Regs. ] 31,204, order on reh'g, Order No. 672-A, FERC Stats. & Regs. ] 31,212 (2006). \22\ North American Electric Reliability Corp., 116 FERC ] 61,062, order on reh'g and compliance, 117 FERC ] 61,126 (2006), aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009). --------------------------------------------------------------------------- B. Order No. 829 8. In Order No. 829, the Commission directed NERC to develop a new or modified Reliability Standard that addresses supply chain risk management for industrial control system hardware, software and computing and networking services associated with bulk electric system operations.\23\ Specifically, the Commission directed NERC to develop a forward-looking, objective-based Reliability Standard that would require responsible entities to develop and implement a plan with supply chain management security controls focused on four security objectives: (1) Software integrity and authenticity; (2) vendor remote access; (3) information system planning; and (4) vendor risk management and procurement controls.\24\ --------------------------------------------------------------------------- \23\ Order No. 829, 156 FERC ] 61,050 at P 43. \24\ Id. P 45. --------------------------------------------------------------------------- 9. The Commission explained that verification of software integrity and authenticity is intended to reduce the likelihood that an attacker could exploit legitimate vendor patch management processes to deliver compromised software updates or patches to a BES Cyber System.\25\ For vendor remote access, the Commission stated that the objective is intended to address the threat that vendor credentials could be stolen and used to access a BES Cyber System without the responsible entity's knowledge, as well as the threat that a compromise at a trusted vendor could traverse over an unmonitored connection into a responsible entity's BES Cyber System.\26\ As to information system planning, Order No. 829 indicated that the objective is intended to address the risk that responsible entities could unintentionally plan to procure and install unsecure equipment or software within their information systems, or could unintentionally fail to anticipate security issues that may arise due to their network architecture or during technology and vendor transitions.\27\ For vendor risk management and procurement controls, the Commission explained that this objective is intended to address the risk that responsible entities could enter into contracts with vendors that pose significant risks to the responsible entities' information systems, as well as the risk that products procured by a responsible entity fail to meet minimum security criteria. This objective also addresses the risk that a compromised vendor would not provide adequate notice and related incident response to responsible entities with whom that vendor is connected.\28\ --------------------------------------------------------------------------- \25\ Id. P 49. \26\ Id. P 52. \27\ Id. P 57. \28\ Id. P 60. --------------------------------------------------------------------------- 10. Order No. 829 stated that while responsible entities should be required to develop and implement a plan, NERC need not impose any specific controls or ``one-size-fits-all'' requirements.\29\ In addition, the Commission stated that NERC's response to the Order No. 829 directive should respect the Commission's jurisdiction under FPA section 215 by only addressing the obligations of responsible entities and not by directly imposing any obligations on non-jurisdictional suppliers, vendors or other entities that provide products or services to responsible entities.\30\ --------------------------------------------------------------------------- \29\ Id. P 13. \30\ Id. P 21. --------------------------------------------------------------------------- C. NERC Petition and Proposed Reliability Standards 11. On September 26, 2017, NERC submitted for Commission approval proposed Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 and their associated violation risk factors and violation severity levels, implementation plan, and effective date.\31\ NERC states that the purpose of the Reliability Standards is to enhance the cybersecurity posture of the electric industry by requiring responsible entities to take additional actions to address cybersecurity risks associated with the supply chain for BES Cyber Systems. NERC explains that the Reliability Standards are designed to augment the existing controls required in the currently-effective CIP Reliability Standards that help mitigate supply chain risks, providing increased attention on minimizing the attack surfaces of information and communications technology products and services procured to support reliable bulk electric system operations, consistent with Order No. 829. --------------------------------------------------------------------------- \31\ Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 are not attached to this final rule. The Reliability Standards are available on the Commission's eLibrary document retrieval system in Docket No. RM17-13-000 and on the NERC website, www.nerc.com. --------------------------------------------------------------------------- 12. NERC states that the supply chain risk management Reliability Standards apply only to medium and high impact BES Cyber Systems. NERC explains that the goal of the CIP Reliability Standards is to ``focus[] industry resources on protecting those BES Cyber Systems with heightened risks to the [bulk electric system] . . . [and] that the requirements applicable to low impact BES Cyber Systems, given their lower risk profile, should not be overly burdensome to divert resources from the protection of medium and high impact BES Cyber Systems.'' \32\ NERC further maintains that the standard drafting team chose to limit the applicability of the Reliability Standards to medium and high impact BES Cyber Systems because the supply chain risk management Reliability Standards are ``consistent with the type of existing CIP cybersecurity requirements applicable [[Page 53995]] to high and medium impact BES Cyber Systems as opposed to those applicable to low impact BES Cyber Systems.'' \33\ --------------------------------------------------------------------------- \32\ NERC Petition at 16-17. \33\ Id. at 18. --------------------------------------------------------------------------- 13. NERC states that the standard drafting team also excluded EACMS, PACS, and PCAs from the scope of the supply chain risk management Reliability Standards, with the exception of the modifications in Reliability Standard CIP-005-6, which apply to PCAs. NERC explains that although certain requirements in the existing CIP Reliability Standards apply to EACMS, PACS, and PCAs due to their association with BES Cyber Systems (either by function or location), the standard drafting team determined that the supply chain risk management Reliability Standards should focus on high and medium impact BES Cyber Systems only. NERC states that this determination was based on the conclusion that applying the proposed Reliability Standards to EACMS, PACS, and PCAs ``would divert resources from protecting medium and high BES Cyber Systems.'' \34\ --------------------------------------------------------------------------- \34\ Id. at 20. --------------------------------------------------------------------------- 14. NERC asserts that with respect to low impact BES Cyber Systems and EACMS, PACS, and PCAs, while not mandatory, NERC expects that these assets will likely be subject to responsible entity supply chain risk management plans required by Reliability Standard CIP-013-1. Specifically, NERC explains that ``[r]esponsible [e]ntities may implement a single process for procuring products and services associated with their operational environments.'' \35\ NERC contends that ``by requiring that entities implement supply chain cybersecurity risk management plans for high and medium impact BES Cyber Systems, those plans would likely also cover their low impact BES Cyber Systems.'' \36\ NERC also claims that responsible entities ``may also use the same vendors for procuring PACS, EACMS, and PCAs as they do for their high and medium impact BES Cyber Systems such that the same security considerations may be addressed for those Cyber Assets.'' \37\ --------------------------------------------------------------------------- \35\ Id. \36\ Id. at 19. \37\ Id. at 20. --------------------------------------------------------------------------- Proposed Reliability Standard CIP-013-1 15. NERC states that the focus of proposed Reliability Standard CIP-013-1 is on the steps that responsible entities must take ``to consider and address cybersecurity risks from vendor products and services during BES Cyber System planning and procurement.'' \38\ NERC explains that proposed Reliability Standard CIP-013-1 does not require any specific controls or mandate ``one-size-fits-all'' requirements due to the differences in needs and characteristics of responsible entities and the diversity of bulk electric system environments, technologies, and risks. NERC states that the goal of the proposed Reliability Standard is ``to help ensure that responsible entities establish organizationally-defined processes that integrate a cybersecurity risk management framework into the system development lifecycle.'' \39\ NERC observes that, among other things, proposed Reliability Standard CIP- 013-1 addresses the risk associated with information system planning, as well as vendor risk management and procurement controls, the third and fourth objectives outlined in Order No. 829. --------------------------------------------------------------------------- \38\ Id. at 22. \39\ Id. at 23. --------------------------------------------------------------------------- 16. NERC maintains that, consistent with Order No. 829, responsible entities need not apply their supply chain risk management plans to the acquisition of vendor products or services under contracts executed prior to the effective date of Reliability Standard CIP-013-1, nor would such contracts need to be renegotiated or abrogated to comply with the Reliability Standard. In addition, NERC indicates that, consistent with the development of a forward looking Reliability Standard, it would not expect entities in the middle of procurement activities for an applicable product or service at the time of the effective date of Reliability Standard CIP-013-1 to begin those activities anew to implement their supply chain cybersecurity risk management plan. 17. With regard to assessing compliance with Reliability Standard CIP-013-1, NERC states that NERC and Regional Entities would focus on whether responsible entities: (1) Developed processes reasonably designed to (i) identify and assess risks associated with vendor products and services in accordance with Part 1.1 and (ii) ensure that the security items listed in Part 1.2 are an integrated part of procurement activities; and (2) implemented those processes in good faith. NERC explains that NERC and Regional Entities will evaluate the steps a responsible entity took to assess risks posed by a vendor and associated products or services and, based on that risk assessment, the steps the entity took to mitigate those risks, including the negotiation of security provisions in its agreements with the vendor. Proposed Modifications in Reliability Standard CIP-005-6 18. Proposed Reliability Standard CIP-005-6 includes two new parts, Parts 2.4 and 2.5, to address vendor remote access, which is the second objective discussed in Order No. 829. NERC explains that the new parts work in tandem with proposed Reliability Standard CIP-013-1, Requirement R1.2.6, which requires responsible entities to address Interactive Remote Access and system-to-system remote access when procuring industrial control system hardware, software, and computing and networking services associated with bulk electric system operations. NERC states that proposed Reliability Standard CIP-005-6, Requirement R2.4 requires one or more methods for determining active vendor remote access sessions, including Interactive Remote Access and system[hyphen]to[hyphen]system remote access. NERC explains that the security objective of Requirement R2.4 is to provide awareness of all active vendor remote access sessions, both Interactive Remote Access and system[hyphen]to[hyphen]system remote access, that are taking place on a responsible entity's system. Proposed Modifications in Reliability Standard CIP-010-3 19. Proposed Reliability Standard CIP-010-3 includes a new part, Part 1.6, to address software integrity and authenticity, the first objective addressed in Order No. 829, by requiring that the publisher is identified and the integrity of all software and patches are confirmed. NERC explains that proposed Reliability Standard CIP-010-3, Requirement R1.6 requires responsible entities to verify software integrity and authenticity prior to a change from the existing baseline configuration, if the software source provides a method to do so. Specifically, NERC states that proposed Reliability Standard CIP-010-3, Requirement R1.6 requires that responsible entities verify the identity of the software source and the integrity of the software obtained by the software sources prior to installing software that changes established baseline configurations, when methods are available to do so. NERC asserts that the security objective of proposed Requirement R1.6 is to ensure that the software being installed in the BES Cyber System was not modified without the awareness of the software supplier and is not counterfeit. NERC contends that these steps help reduce the [[Page 53996]] likelihood that an attacker could exploit legitimate vendor patch management processes to deliver compromised software updates or patches to a BES Cyber System. BOT Resolutions 20. In the petition, NERC states that in conjunction with the adoption of the supply chain risk management Reliability Standards, on August 10, 2017, the BOT adopted resolutions regarding supply chain risk management. In particular, the BOT directed NERC management, in collaboration with appropriate NERC technical committees, industry representatives, and appropriate experts, including representatives of industry vendors, to further study the nature and complexity of cybersecurity supply chain risks, including risks associated with low impact assets not currently subject to the supply chain risk management Reliability Standards. The BOT further directed NERC to develop recommendations for follow-up actions that will best address any issues identified. Finally, the BOT directed that NERC management provide an interim progress report no later than 12 months after the adoption of these resolutions (i.e., by August 10, 2018) and a final report no later than 18 months after the adoption of the resolutions (i.e., by February 10, 2019). In its petition, NERC states that ``over the next 18 months, NERC, working with various stakeholders, will continue to assess whether supply chain risks related to low impact BES Cyber Systems, PACS, EACMS and PCA necessitate further consideration for inclusion in a mandatory Reliability Standard.'' \40\ --------------------------------------------------------------------------- \40\ Id. at 20-21. --------------------------------------------------------------------------- Implementation Plan 21. NERC's proposed implementation plan provides that the supply chain risk management Reliability Standards become effective on the first day of the first calendar quarter that is 18 months after the effective date of a Commission order approving them. NERC states that the proposed implementation period is designed to afford responsible entities sufficient time to develop and implement their supply chain cybersecurity risk management plans required under proposed Reliability Standard CIP-013-1 and implement the new controls required in proposed Reliability Standards CIP-005-6 and CIP-010-3. D. Notice of Proposed Rulemaking 22. On January 18, 2018, the Commission issued a NOPR proposing to approve supply chain risk management Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 (83 FR 3422, January 25, 2018). The NOPR stated that the supply chain risk management Reliability Standards ``will enhance existing protections for bulk electric system reliability by addressing the four objectives set forth in Order No. 829: (1) Software integrity and authenticity; (2) vendor remote access; (3) information system planning; and (4) vendor risk management and procurement controls.'' \41\ Accordingly, the NOPR proposed to determine that the supply chain risk management Reliability Standards constitute substantial progress in addressing the supply chain cybersecurity risks identified by the Commission in Order No. 829.\42\ --------------------------------------------------------------------------- \41\ NOPR, 162 FERC ] 61,044 at P 29. \42\ Id. P 30. --------------------------------------------------------------------------- 23. The NOPR proposed to approve the supply chain risk management Reliability Standards' associated violation risk factors and violation severity levels. However, with respect to the implementation plan and effective date, the NOPR proposed to reduce the implementation period from the first day of the first calendar quarter that is 18 months following the effective date of a Commission order approving the proposed Reliability Standards, as proposed by NERC, to the first day of the first calendar quarter that is 12 months following the effective date of a Commission order.\43\ --------------------------------------------------------------------------- \43\ Id. P 44. --------------------------------------------------------------------------- 24. The NOPR proposed to determine that a significant cybersecurity risk associated with the supply chain for BES Cyber Systems persists because the proposed supply chain risk management Reliability Standards exclude EACMS, PACS, and PCAs, with the exception of the modifications in Reliability Standard CIP-005-6, which apply to PCAs. To address this gap, pursuant to section 215(d)(5) of the FPA, the NOPR proposed to direct NERC to develop modifications to the CIP Reliability Standards to include EACMS associated with medium and high impact BES Cyber Systems within the scope of the supply chain risk management Reliability Standards. In addition, the Commission proposed to direct that NERC evaluate the cybersecurity supply chain risks presented by PACS and PCAs in the study of cybersecurity supply chain risks directed by the NERC BOT in its resolutions of August 10, 2017. 25. The Commission received fifteen comments on the NOPR. E. Interim BOT-Directed Report 26. On September 7, 2018, NERC submitted to the Commission an informational filing containing the BOT-directed interim report prepared by the Electric Power Research Institute (EPRI).\44\ The interim report explains that EPRI analyzed: --------------------------------------------------------------------------- \44\ NERC, Informational Filing regarding Proposed Supply Chain Risk Management Reliability Standards, Docket No. RM17-13-000 (September 7, 2018) (NERC Interim Report). --------------------------------------------------------------------------- (1) Information regarding bulk electric system products and manufacturers; (2) emerging vendor practices and industry standards; and (3) the applicability of the CIP Reliability Standards to supply chain risks. The interim report concludes with three categories of identified next steps for further analysis and investigation. 27. First, EPRI identifies four noteworthy industry practices, not already required by the CIP Reliability Standards, which may potentially reduce future supply chain risks if implemented correctly: (1) Third-party accreditation processes; (2) secure hardware delivery; (3) threat-informed procurement language; and (4) processes related to unsupported or open-source technology. Second, EPRI recommends further study in modeling and assessing the potential impact of common-mode vulnerabilities, especially those targeting low-impact BES Cyber Systems. EPRI states that ``risks of common-mode vulnerabilities . . . can be mitigated if supply chain security practices are applied uniformly across cyber asset types.'' \45\ Finally, EPRI recommends various methods to obtain additional data on industry practices. These methods included issuing pre-audit surveys and questionnaires; targeting outreach to bulk electric system vendors; developing standard vendor data sheets related to the CIP Reliability Standards; and independently testing legacy assets. In its accompanying filing, NERC states its intention to continue to study supply chain risks over the coming months, develop recommendations for follow-up actions, and present a final report to the NERC BOT at its February 2019 meeting. --------------------------------------------------------------------------- \45\ Id. at 5-1. --------------------------------------------------------------------------- II. Discussion 28. Pursuant to section 215(d)(2) of the FPA, the Commission approves supply chain risk management Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 as just, reasonable, not unduly discriminatory [[Page 53997]] or preferential, and in the public interest. We determine that the supply chain risk management Reliability Standards will enhance existing protections for bulk electric system reliability by addressing the four objectives identified in Order No. 829: (1) Software integrity and authenticity; (2) vendor remote access; (3) information system planning; and (4) vendor risk management and procurement controls. 29. Reliability Standard CIP-013-1 addresses information system planning and vendor risk management and procurement controls by requiring that responsible entities develop and implement one or more documented supply chain cybersecurity risk management plan(s) for high and medium impact BES Cyber Systems. The required plans must address, as applicable, a baseline set of six security concepts: (1) Vendor security event notification; (2) coordinated incident response; (3) vendor personnel termination notification; (4) product/services vulnerability disclosures; (5) verification of software integrity and authenticity; and (6) coordination of vendor remote access controls. Reliability Standard CIP-005-6 addresses vendor remote access by creating two new requirements for determining active vendor remote access sessions and for having one or more methods to disable active vendor remote access sessions. Reliability Standard CIP-010-3 addresses software authenticity and integrity by creating a new requirement that responsible entities verify the identity of the software source and the integrity of the software obtained from the software source prior to installing software that changes established baseline configurations, when methods are available to do so. 30. While we determine that the approved supply chain risk management Reliability Standards constitute substantial progress in addressing the supply chain cybersecurity risks identified in Order No. 829, as discussed below, we find that the exclusion of EACMS from the scope of the Reliability Standards presents risks to the cybersecurity of the bulk electric system. As explained in Order No. 848, EACMS are defined in the NERC Glossary as ``Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems.'' Among other things, EACMS include firewalls, authentication servers, security event monitoring systems, intrusion detection systems and alerting systems. The purpose of an ESP, in turn, is to manage electronic access to BES Cyber Systems to support the protection of the BES Cyber Systems against compromise that could lead to misoperation or instability in the bulk electric system.\46\ The record indicates that the vulnerabilities associated with EACMS are well understood and appropriate for mitigation. Thus, pursuant to section 215(d)(5) of the FPA, we direct NERC to develop modifications to the CIP Reliability Standards to include EACMS within the scope of the supply chain risk management Reliability Standards. We direct NERC to submit the directed modifications within 24 months of the effective date of this final rule. --------------------------------------------------------------------------- \46\ Order No. 848, 164 FERC ] 61,033 at PP 39-40. --------------------------------------------------------------------------- 31. In addition, while PACS and PCAs also present concerns, we agree with NERC and others that further study is warranted with regard to the impacts and benefits of directing that the ERO address the risks associated with PACS and PCAs in the supply chain risk management Reliability Standards. Accordingly, we accept NERC's commitment to evaluate the cybersecurity supply chain risks presented by PACS and PCAs in the cybersecurity supply chain risks study directed by the BOT. The Commission further directs NERC to file the BOT-directed final report with the Commission upon its completion. 32. In the sections below, we discuss the following issues: (A) Inclusion of EACMS in the supply chain risk management Reliability Standards; (B) inclusion of PACS and PCAs in the BOT-directed study on cybersecurity supply chain risks and filing of the BOT-directed final report with the Commission; (C) supply chain risk management Reliability Standards' implementation plan and effective date; and (D) other issues raised in the NOPR comments. A. Inclusion of EACMS in CIP Reliability Standards 1. NOPR 33. The NOPR observed that the supply chain risk management Reliability Standards do not apply to low impact BES Cyber Systems or Cyber Assets associated with medium and high impact BES Cyber Systems (i.e., EACMS, PACS, and PCAs). The NOPR, however, recognized that the BOT-directed study on cybersecurity supply chain risks will examine the risks posed by low impact BES Cyber Systems.\47\ While acknowledging NERC's commitment to study these issues, as evinced by the BOT-directed study, the NOPR proposed to direct NERC to modify the supply chain risk management Reliability Standards to include within their scope EACMS associated with medium and high impact BES Cyber Systems.\48\ --------------------------------------------------------------------------- \47\ NOPR, 162 FERC ] 61,044 at P 33. \48\ Id. P 39. --------------------------------------------------------------------------- 34. Specifically, the NOPR explained that BES Cyber Systems have associated Cyber Assets, which, if compromised, pose a threat to the BES Cyber System by virtue of, inter alia, the security control function they perform.\49\ In particular, EACMS support BES Cyber Systems and are part of the network and security architecture that allows BES Cyber Systems to work as intended by performing electronic access control or electronic access monitoring of the ESP or BES Cyber Systems. --------------------------------------------------------------------------- \49\ Reliability Standard CIP-002-5.1a (Cyber Security--BES Cyber System Categorization), Background at 6. --------------------------------------------------------------------------- 35. The NOPR indicated that since EACMS support and enable BES Cyber System operation, misoperation and unavailability of EACMS that support a given BES Cyber System could also contribute to misoperation of a BES Cyber System or render it unavailable, which could adversely affect bulk electric system reliability. The NOPR also explained that EACMS control electronic access, including interactive remote access, into the ESP that protects high and medium impact BES Cyber Systems. As the NOPR further noted, an attacker does not need physical access to the facility housing a BES Cyber System in order to gain access to a BES Cyber System or PCA via an EACMS compromise. The NOPR concluded that EACMS represent the most likely route an attacker would take to access a BES Cyber System or PCA within an ESP.\50\ --------------------------------------------------------------------------- \50\ NOPR, 162 FERC ] 61,044 at P 35. --------------------------------------------------------------------------- 2. Comments 36. NERC does not support the proposed directive to include EACMS within the scope of the supply chain risk management Reliability Standards at this time. NERC indicates that it is currently analyzing supply chain risks associated with EACMS, among other things, as part of the BOT-directed study of supply chain risks related to low impact BES Cyber Systems. NERC explains that the ``study will help identify and differentiate the risks presented by various types of EACMS'' to help in any directed standards development process.\51\ NERC requests that the Commission refrain from issuing a directive on EACMS until the results of the BOT-directed study to [[Page 53998]] assess supply chain risks associated with EACMS are received.\52\ --------------------------------------------------------------------------- \51\ NERC Comments at 6. \52\ Id. at 4-6. --------------------------------------------------------------------------- 37. Most commenters agree with NERC that the Commission should approve the supply chain risk management Reliability Standards as filed and not direct the inclusion of EACMS at this time. Instead, Trade Associations, EEI, ITC, IRC, and MISO TOs support evaluating in the BOT-directed study the possibility of including EACMS in the supply chain risk management Reliability Standards.\53\ --------------------------------------------------------------------------- \53\ Trade Associations Comments at 10, EEI Comments at 10, ITC Comments at 5, IRC Comments at 3. --------------------------------------------------------------------------- 38. Trade Associations contend that first allowing completion of the BOT-directed study would allow NERC to assess the diversity of EACMS that perform control or monitoring functions with varying risk levels and ``is likely to provide more specific information and analysis concerning whether any category of EACMS might be appropriately included within the scope of the supply chain Reliability Standards.'' \54\ Trade Associations also maintain that first having the BOT-directed study results will facilitate a more efficient and effective standards development process. --------------------------------------------------------------------------- \54\ Trade Associations Comments at 10. --------------------------------------------------------------------------- 39. While also supportive of awaiting the results of the BOT- directed study, EEI asserts that EACMS are protected under existing CIP Reliability Standards. EEI cites Reliability Standards CIP-005-5, Requirements R1, Part 1.3 and R2, Parts 2.1-2.3, CIP-007-6, Requirements R1, Part 1.1, R2, R3, R4, and R5, and CIP-010-2, Requirement 2, Part 2.1 as protecting EACMS against compromise.\55\ Moreover, EEI states that the likelihood of compromise of an EACMS from potential supply chain-derived threats was not addressed in the NOPR and ``should be evaluated before directing a CIP Standard scope expansion.'' \56\ Even so, EEI supports further evaluating the feasibility, as well as the benefits, of adding EACMS to the supply chain risk management Reliability Standards. EEI contends that waiting for the BOT-directed study will allow industry time to gain experience implementing the supply chain risk management Reliability Standard requirements as well as help identify potential follow-up actions.\57\ --------------------------------------------------------------------------- \55\ EEI Comments at 8. \56\ Id. \57\ Id. at 10. --------------------------------------------------------------------------- 40. MISO TOs likewise aver that EACMS, while important, are ``not unprotected'' under currently-effective CIP Reliability Standards. MISO TOs, like EEI, reference Reliability Standard CIP-007-6 (Cyber Security -- System Security Management), which requires responsible entities to manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems. MISO TOs state that this Reliability Standard applies to EACMS. AECC also contends that the existing CIP Reliability Standards already sufficiently cover any risks associated with EACMS.\58\ In particular, AECC states that ``CIP-005-6 already addresses vendor-initiated remote access . . . [and] developing technology services for BEC Cyber Systems under CIP-010-3 inherently already requires coverage for EACMS, PACS, and PCAs due to the nature of the technology.'' \59\ --------------------------------------------------------------------------- \58\ AECC Comments at 2-3. \59\ Id. at 3. --------------------------------------------------------------------------- 41. ITC, IRC, and MISO TOs assert that including EACMS within the supply chain risk management Reliability Standards would constitute a substantial expansion of the Reliability Standards and would require significant additional resources for compliance, without a commensurate improvement in bulk electric system reliability. According to ITC, the record does not contradict NERC's technical assessment that inclusion of EACMS within the supply chain risk management Reliability Standards is not justified. ITC claims that the NOPR, while ``descriptively accurate,'' misunderstands the purpose and function of EACMS, which, ITC states, are intended to protect the ESP and the BES Cyber Assets contained therein and are not intended to provide a reliability function. ITC concludes that misoperation of an EACMS, while serious, does not rise to the level of a direct threat to the reliability of the bulk electric system. 42. IRC similarly believes that including EACMS within the scope of the supply chain risk management Reliability Standards would require ``significant resources and effort'' and because EACMS vendors supply such systems to a larger market than just the power sector there would need to be coordination with other industries before implementing a supply chain risk management Reliability Standard for EACMS.\60\ MISO TOs also contend that including EACMS would affect numerous pieces of equipment and assets, with associated costs, system changes, and other burdens, without showing commensurate benefits.\61\ --------------------------------------------------------------------------- \60\ IRC Comments at 2-3. \61\ MISO TO Comments at 16. --------------------------------------------------------------------------- 43. Idaho Power, for its part, does not believe that EACMS should be included in the scope of the supply chain risk management Reliability Standards based on its view that EACMS are used in other industries and are not specific to critical infrastructure. Instead, Idaho Power states that the focus should be on correctly configuring EACMS devices as opposed to addressing procurement practices.\62\ --------------------------------------------------------------------------- \62\ Idaho Power Comments at 2. --------------------------------------------------------------------------- 44. Appelbaum, Reclamation, Resilient Societies, Isologic, Mabee, and MPUC support the NOPR directive regarding EACMS associated with medium and high impact BES Cyber Systems. In addition, the commenters urge the Commission to extend the scope of the supply chain risk management Reliability Standards to low impact BES Cyber Systems.\63\ MPUC states, for example, that the supply chain risk management Reliability Standards should apply to all BES Cyber System assets, unless the specific asset can be shown to be completely isolated from the bulk electric system.\64\ Resilient Societies states that the supply chain risk management Reliability Standards should apply to low impact BES Cyber Systems since the compromise of a low impact BES Cyber System could lead to the compromise of medium or high impact BES Cyber Systems.\65\ --------------------------------------------------------------------------- \63\ Appelbaum Comments at 6, Reclamation Comments at 7, Resilient Societies Comments at 3-4, Isologic Comments at 3, Mabee Comments at 4, MPUC Comments at 6. \64\ MPUC Comments at 6. \65\ Resilient Societies Comments at 3. --------------------------------------------------------------------------- 45. APS states that it supports the NOPR proposal to direct NERC to modify the supply chain risk management Reliability Standards to include EACMS associated with medium and high impact BES Cyber Systems. However, APS contends that the Commission should delay their inclusion until NERC and industry complete their analysis of the potential need to separate the functions reflected in the current EACMS definition (e.g., electronic access control versus electronic access monitoring). APS states that, including EACMS that perform electronic access control functions within the scope of the supply chain risk management Reliability Standards ``represents good cybersecurity posture . . . [h]owever, at this time, the definition of EACMS is not sufficiently mature to make the necessary distinction discussed above.'' \66\ --------------------------------------------------------------------------- \66\ APS Comments at 5. --------------------------------------------------------------------------- [[Page 53999]] 3. Commission Determination 46. Pursuant to section 215(d)(5) of the FPA, we adopt the NOPR proposal and direct NERC to develop modifications to include EACMS associated with medium and high impact BES Cyber Systems within the scope of the supply chain risk management Reliability Standards. While we are sensitive to the position taken by NERC and other commenters that the Commission should not issue a directive until after completion of the BOT-directed final report, we conclude that the record before us supports directing NERC to include at least some subset of EACMS associated with medium and high impact BES Cyber Systems at this time. We are not persuaded by comments advocating delay in view of the forthcoming BOT-directed final report because the standard drafting team will have the benefit of the BOT-directed final report, which is due in February 2019, when developing the directed Reliability Standard modifications.\67\ --------------------------------------------------------------------------- \67\ As we have imposed a 24-month deadline for NERC to file the modified supply chain risk management Reliability Standards, the standard drafting team will have ample time to review and incorporate the findings in the BOT-directed final report. --------------------------------------------------------------------------- 47. We continue to believe that EACMS represent the most likely route an attacker would take to access a BES Cyber System or PCA within an ESP based on the functions they perform.\68\ EACMS support BES Cyber Systems and are part of the network and security architecture that allows BES Cyber Systems to work as intended because they perform electronic access control or electronic access monitoring of the ESP or BES Cyber Systems. In particular, EACMS control electronic access, including interactive remote access, into the ESP that protects high and medium impact BES Cyber Systems. One specific function of electronic access control is to prevent malware or malicious actors from gaining access to the BES Cyber Systems and PCAs within the ESP.\69\ Given the significant role that EACMS play in the protection scheme for medium and high impact BES Cyber Systems, we determine that EACMS should be within the scope of the supply chain risk management Reliability Standards to provide minimum protection against supply chain attack vectors. --------------------------------------------------------------------------- \68\ See NOPR, 162 FERC ] 61,044 at P 35. \69\ Id. --------------------------------------------------------------------------- 48. No commenter disagreed with the NOPR that misoperation or unavailability of EACMS that support a given BES Cyber System could contribute to the misoperation of the BES Cyber System or render it unavailable, which could pose a significant risk to reliable operation. Instead, commenters generally agree that EACMS perform important security-related functions.\70\ For example, NERC states that a compromised firewall ``may allow unfettered access to the ESP.'' \71\ EEI also agrees that the compromise of certain EACMS that control access could adversely affect the reliable operation of an associated BES Cyber System, although EEI asserts that other CIP Reliability Standards adequately protect those EACMS.\72\ Although some commenters, as discussed below, maintain that the reliability benefit of including EACMS in the supply chain risk management Reliability Standards is outweighed by the perceived costs, these commenters do not challenge the proposition that misoperation or unavailability of EACMS has negative reliability ramifications. For example, ITC, while opposing the NOPR directive, recognizes that misoperation of an EACMS is ``serious'' and ``[w]ere CIP resources infinite, it would no doubt increase BES reliability by some degree to include EACMS within this Standard.'' \73\ --------------------------------------------------------------------------- \70\ See NERC Comments at 5-6, Appelbaum Comments at 5-6, APS Comments at 5, EEI Comments at 7-8, IRC Comments at 3, Idaho Power Comments at 2, MPUC Comments at 6. \71\ NERC Comments at 5. \72\ EEI Comments at 7-8. \73\ ITC Comments at 5. --------------------------------------------------------------------------- 49. We disagree with the comments asserting that existing CIP Reliability Standards adequately protect EACMS against supply chain- based threats. While existing CIP Reliability Standards include requirements that address aspects of supply chain risk management, existing Reliability Standards do not adequately protect EACMS based on the four security objectives in Order No. 829.\74\ The CIP Reliability Standards cited by EEI, MISO TOs and AECC address aspects of electronic access control, systems security management, and configuration monitoring, but they do not address protection from supply chain threats such as insertion of counterfeits or malicious software, unauthorized production, tampering, or theft, as well as poor manufacturing and development practices. By contrast, the supply chain risk management Reliability Standards approved in this final rule specifically address the above listed supply chain threats, and, we determine, should be extended to at least some subset of EACMS. --------------------------------------------------------------------------- \74\ Order No. 829, 156 FERC ] 61,050 at P 71. --------------------------------------------------------------------------- 50. Specifically, the goal of the supply chain risk management Reliability Standards is ``to help ensure that responsible entities establish organizationally-defined processes that integrate a cybersecurity risk management framework into the system development life cycle.'' \75\ The current CIP Reliability Standards identified in the comments, however, do not adequately address supply chain risks. For example, while Reliability Standard CIP-005-5 provides a level of electronic access protection for an ESP through controls applied to an Electronic Access Point associated with an EACMS, those controls would only apply after an asset is procured and deployed on a responsible entity's system. In this situation, the EACMS at issue could already contain built-in vulnerabilities making it susceptible to compromise or, in the worst-case scenario, could have been compromised before acquisition. --------------------------------------------------------------------------- \75\ NERC Comments at 23. --------------------------------------------------------------------------- 51. Given the documented risks to the cyber posture of the bulk electric system associated with EACMS, we are not persuaded to await the completion of the BOT-directed final report before issuing a directive regarding EACMS.\76\ Instead, it is reasonable to initiate modification of the supply chain risk management Reliability Standards based on the conclusion that at least some categories of EACMS should be included. As discussed above, we are convinced that EACMS in general are a known risk that should be protected under the supply chain risk management Reliability Standards. But we leave it to the standard drafting team to assess the various types of EACMS and their associated levels of risk. We are confident that the standard drafting team will be able to develop modifications that include only those EACMS whose compromise by way of the cybersecurity supply chain can affect the reliable operation of high and medium impact BES Cyber Systems. While it will no doubt inform the standard drafting team's work, the BOT- directed final report is not, in our view, likely to alter the conclusion that at least some EACMS functions should be included in the supply chain risk management Reliability Standards.\77\ --------------------------------------------------------------------------- \76\ See NERC Comments at 4-6, EEI Comments at 7-10, IRC Comments at 3, ITC Comments at 5, Trade Associations at 8-12, MISO TOs Comments at 16-18. \77\ The BOT-directed interim report provides the example of a situation where a firewall used to protect BES Cyber Systems within an ESP was compromised due to supply chain vulnerability, noting that each system within the ESP could be exposed due to its logical proximity to the compromised firewalls. NERC Interim Report at 4-4. --------------------------------------------------------------------------- [[Page 54000]] 52. The record does not support delaying a directive to modify the CIP Reliability Standards to include EACMS. While commenters opposing the NOPR proposal contend that the Commission should not act until NERC has the results of the BOT-directed final report, we note that: (1) NERC will have 24 months from the effective date of this final rule to develop and submit the modified Reliability Standards; and (2) the BOT- directed final report is due in the near term (i.e., February 2019). Nothing in our directive prevents the standard drafting team from using the findings in the BOT-directed final report to refine its understanding of which types of EACMS functions present the greatest risk and are worthy of inclusion in the supply chain risk management Reliability Standards. Indeed, as discussed below, in view of the BOT- directed study and the Commission's guidance, the standard drafting team could modify the supply chain risk management Reliability Standards to include an appropriate subset of EACMS functions similar to the approach in Order No. 848.\78\ --------------------------------------------------------------------------- \78\ Order No. 848, 164 FERC ] 61,033 at PP 53-54. --------------------------------------------------------------------------- 53. As we have indicated above, including EACMS within the scope of the supply chain risk management Reliability Standards is consistent with the approach in Order No. 848 regarding cybersecurity incident reporting. In Order No. 848, the Commission determined that EACMS that perform certain functions are significant to bulk electric system reliability so as to justify their being within the scope of the cybersecurity incident reporting Reliability Standards. Specifically, Order No. 848 addressed the identification of EACMS that should be subject to mandatory reporting requirements: With regard to identifying EACMS for reporting purposes, NERC's reporting threshold should encompass the functions that various electronic access control and monitoring technologies provide. Those functions must include, at a minimum: (1) Authentication; (2) monitoring and logging; (3) access control; (4) interactive remote access; and (5) alerting.\79\ \79\ Id. P 54. --------------------------------------------------------------------------- 54. As with cybersecurity incident reporting, in the context of this proceeding, if, for example, a vulnerability in the supply chain for EACMS is found, we determine that responsible entities should have processes in place to be notified of such vulnerabilities by the vendor, as required by Reliability Standard CIP-013-1, Requirement R1.2.4. We recognize that including EACMS within the scope of the supply chain risk management Reliability Standards will impose a burden on responsible entities. Nonetheless, the burden of possible procurement inefficiencies or resource constraints must be weighed against the significant risk of a cyber incident resulting from unmitigated supply chain vulnerabilities.\80\ --------------------------------------------------------------------------- \80\ EEI Comments at 9, MISO TOs Comments at 16-17, ITC Comments at 5. --------------------------------------------------------------------------- 55. It is also important to consider that in Order No. 848 the Commission determined that the modified reporting Reliability Standard need not include all EACMS as currently defined and, instead, the standard drafting team may analyze the matter to determine an appropriate subset of EACMS for reporting purposes.\81\ Likewise, the standard drafting team that is formed in response to our present directive may determine, based on the work done in response to Order No. 848 as well as the results of the BOT-directed study, what EACMS functions are most important to the reliable operation of the Bulk- Power System and therefore should be included in the supply chain risk management Reliability Standards. --------------------------------------------------------------------------- \81\ Order No. 848, 164 FERC ] 61,033 at P 53. --------------------------------------------------------------------------- 56. We find the remaining objections to our directive unpersuasive. BES Cyber Systems rely on EACMS to enable and secure the communications capability that these systems depend on to control their assigned portion of the bulk electric system. Commenters opposing the NOPR directive fail to provide convincing examples of why EACMS should not receive the same level of protection as the BES Cyber Systems with which they are associated. In addition, contrary to EEI's assertion that the ``likelihood of compromise'' is unclear, ample evidence exists that supply chain vulnerabilities are an active issue for vendors, whom malicious parties have intentionally targeted.\82\ By contrast, commenters supporting the NOPR directive provided examples where notable vendors of EACMS functions announced vulnerabilities, specifically in firewall firmware.\83\ Reliability Standard CIP-013-1, Requirement R1, Part 1.2.1, when applied to certain EACMS functions, will require that responsible entities have processes to require notification by the vendor of the discovery of such vulnerabilities, representing a clear enhancement of the protections provided by the CIP Reliability Standards. --------------------------------------------------------------------------- \82\ EEI Comments at 8-9. \83\ Resilient Societies Comments at 3 (noting a February 2016 Cisco ``critical'' security advisory on a vulnerability that could allow an unauthenticated, remote attacker to obtain full control of its Industrial Security Appliance line of firewalls, and a December 2015 Juniper ``out-of-cycle security advisory'' on unauthorized code identified in a specific operating system that could allow an attacker to access some firewalls). --------------------------------------------------------------------------- 57. Although some commenters question the importance of the EACMS monitoring function, we note that these systems work in concert with access control systems to alert of possible intrusion.\84\ Standard monitoring systems such as intrusion detection systems are an essential component designed to recognize suspicious activity and collect data used for incident reporting. A compromised intrusion detection system may provide false information and generate false alarms. Indeed, a compromised intrusion detection system may not only negate the value of the reported information, but could also potentially provide misleading information. Various intrusion detection system modules collect user logs, provide audit trails and indicate whether suspicious activity is malicious or normal. An attacker could change the various settings, removing or inserting false information. A compromised intrusion detection system may also allow the attacker to manipulate the system continuously without generating an alarm. In addition, an attacker may alter the compromised system such that it will deny legitimate activity and accept malicious activity.\85\ --------------------------------------------------------------------------- \84\ EEI Comments at 7, APS Comments at 3-5, MISO TOs Comments 17-18. \85\ International Journal of Information Sciences and Techniques (IJIST) Vol.6, No.1/2, March 2016, Cyber Attacks on Intrusion Detection Systems at P 195, http://aircconline.com/ijist/V6N2/6216ijist20.pdf. --------------------------------------------------------------------------- 58. For the reasons discussed above, we adopt the NOPR proposal and, pursuant to section 215(d)(5) of the FPA, direct NERC to develop modifications to the CIP Reliability Standards to include EACMS associated with medium and high impact BES Cyber Systems within the scope of the supply chain risk management Reliability Standards. We direct NERC to submit the directed modifications within 24 months of the effective date of this final rule. B. Study of PACS and PCAs in the BOT-Directed Cybersecurity Supply Chain Risk Study 1. NOPR 59. The NOPR stated that it would be appropriate to await the findings from the BOT-directed study on cybersecurity supply chain risks before considering [[Page 54001]] whether low impact BES Cyber Systems should be addressed in the supply chain risk management Reliability Standards. The NOPR explained that the BOT resolutions stated that the BOT-directed study should examine the risks posed by low impact BES Cyber Systems, but the BOT resolutions did not identify PACS and PCAs as subjects of the study. The NOPR noted, however, that NERC's petition suggests that NERC will evaluate PACS and PCAs as part of the BOT-directed study.\86\ --------------------------------------------------------------------------- \86\ NOPR, 162 FERC ] 61,044 at P 27 (citing NERC Petition at 21 (``over the next 18 months, NERC, working with various stakeholders, will continue to assess whether supply chain risks related to low impact BES Cyber Systems, PACS, EACMS, and PCA necessitate further consideration for inclusion in a mandatory Reliability Standard'')). --------------------------------------------------------------------------- 60. The NOPR proposed to direct that NERC, consistent with the representation made in NERC's petition, include PACS and PCAs in the BOT-directed study and to await the findings of the study's final report before considering further action. The NOPR indicated that the risks posed by EACMS also apply to varying degrees to PACS and PCAs. However, the NOPR explained the distinction between EACMS and the other Cyber Assets: For example, a compromise of a PACS through the supply chain, which would potentially grant an attacker physical access to a BES Cyber System or PCA, is more difficult since it would also require physical access. Physical access is not required to take advantage of a compromised EACMS. Accordingly, the NOPR proposed immediate action to provide for the protection of EACMS, because they represent the most likely route an attacker would take to access a BES Cyber System or PCA within an ESP, while possible action on other Cyber Assets can await completion of the BOT-directed study's final report.\87\ --------------------------------------------------------------------------- \87\ NOPR, 162 FERC ] 61,044 at P 42. --------------------------------------------------------------------------- 61. In addition to proposing to direct NERC to include PACS and PCAs in the BOT-directed study, the NOPR proposed to direct that NERC file the study's interim and final reports with the Commission upon their completion.\88\ --------------------------------------------------------------------------- \88\ Id. P 43. --------------------------------------------------------------------------- 2. Comments 62. NERC concurs with the NOPR proposal and states that the Commission should ``await the results of the Board-requested study before considering whether low impact BES Cyber Systems, PACS, and PCAs should be addressed in the proposed Reliability Standards.'' \89\ NERC maintains that the BOT-directed report will help determine whether the supply chain risk management Reliability Standards are appropriately scoped to mitigate the risks identified by the Commission.\90\ --------------------------------------------------------------------------- \89\ NERC Comments at 4. \90\ Id. at 5. --------------------------------------------------------------------------- 63. EEI and Trade Associations support the supply chain risk management Reliability Standards' exclusion of low impact BES Cyber Systems. EEI agrees with the NOPR proposal to wait for NERC to study the supply chain risks posed by low impact BES Cyber Systems as well as PACS and PCAs before directing further modifications.\91\ Trade Associations also ``strongly support'' limiting the supply chain risk management Reliability Standards' applicability to medium and high impact BES Cyber Systems.\92\ --------------------------------------------------------------------------- \91\ EEI Comments at 3. \92\ Trade Associations Comments at 7. --------------------------------------------------------------------------- 64. Other commenters contend that low impact BES Cyber Systems pose a significant risk and disagree with the view that excluding such assets will focus industry resources on protecting systems with heightened risk, while not being overly burdensome. For example, Resilient Societies maintains that cyber attackers could use low impact BES Cyber Systems as network entry points to attack high and medium impact BES Cyber Systems, with a potential coordinated cyberattack on multiple low impact facilities causing a cascading collapse.\93\ Similarly, Appelbaum asserts that ``if a large number of [low impact BES Cyber Systems] are compromised, then the effort to correct or replace the compromised assets could be significant.'' \94\ Reclamation also recommends including low impact BES Cyber Systems in the proposed Reliability Standards in order to avoid gaps that could compromise bulk electric system security.\95\ --------------------------------------------------------------------------- \93\ Resilient Societies Comments at 3-4. \94\ Appelbaum Comments at 6. \95\ Reclamation Comments at 1. --------------------------------------------------------------------------- 65. MPUC states that many of the concerns identified in the NOPR apply to all classifications of BES Cyber Systems and that responsible entities should be required to apply the supply chain risk management Reliability Standards to all BES Cyber System assets, unless the entities can show the assets in question to be completely isolated.\96\ Reclamation has similar concerns and states that the supply chain risk management Reliability Standards should apply to all BES Cyber System impact ratings, including low impact.\97\ Mabee cautions against giving industry the discretion to determine which cyber systems are ``easy'' to protect and which are ``burdensome'' to protect.\98\ Isologic also disagrees with the exclusion of low impact BES Cyber Systems and contends that awaiting the BOT-directed final report would unduly delay an examination by the Commission of risks involving the ``massive array of unprotected [low impact] transmission substations.'' \99\ --------------------------------------------------------------------------- \96\ MPUC Comments at 6. \97\ Reclamation Comments at 1. \98\ Mabee Comments at 4. \99\ Isologic Comments at 5. --------------------------------------------------------------------------- 3. Commission Determination 66. We accept NERC's commitment to evaluate the cybersecurity supply chain risks presented by low impact BES Cyber Systems, PACS, and PCAs in the study of cybersecurity supply chain risks directed by the NERC BOT. In light of that commitment, we conclude it is not necessary to separately direct that NERC expand the scope of the BOT-directed study. However, we adopt the NOPR proposal to direct NERC to file the BOT-directed study's final report with the Commission upon its completion. 67. We continue to believe that it is appropriate to await the findings from the BOT-directed final report on cybersecurity risks before considering whether low impact BES Cyber Systems, PACS and PCAs should be addressed in modified supply chain risk management Reliability Standards.\100\ While we do not prejudge the findings from the forthcoming final report, at this time we find that NERC is taking adequate and timely steps to study whether low impact BES Cyber Systems, PACS and PCAs should be included in the supply chain risk management Reliability Standards. Given that the BOT-directed final report is scheduled to be completed in February 2019, we do not view our determination as unduly delaying consideration of this important issue. Once NERC submits the BOT-directed final report, the Commission will be in a better position to consider what further steps, if any, should be taken to provide for the reliability of the bulk electric system. --------------------------------------------------------------------------- \100\ NOPR, 162 FERC ] 61,044 at P 40. --------------------------------------------------------------------------- C. Implementation Plan 1. NOPR 68. The NOPR stated that the 18-month implementation period proposed by NERC may not be justified based on the anticipated effort required to develop and implement a supply chain risk management plan. The NOPR explained that while, according to NERC, the proposed implementation period is ``designed to afford responsible entities sufficient time to develop and implement their supply [[Page 54002]] chain cybersecurity risk management plans required under proposed Reliability Standard CIP-013-1 and implement the new controls required in proposed Reliability Standards CIP-005-6 and CIP-010-3,'' the security objectives of the proposed Reliability Standards are process- based and do not prescribe technology that might justify an extended implementation period.\101\ Accordingly, the NOPR proposed to reduce the time for implementation such that the supply chain risk management Reliability Standards would become effective the first day of the first calendar quarter that is 12 months, as opposed to NERC's 18 months, following the effective date of a Commission order approving the Reliability Standards. --------------------------------------------------------------------------- \101\ NOPR, 162 FERC ] 61,044 at P 44 (citing NERC Petition at 35). --------------------------------------------------------------------------- 2. Comments 69. NERC does not support the NOPR proposal to reduce the implementation period for the supply chain risk management Reliability Standards to 12 months. NERC states that the proposed 18-month implementation period is intended to give responsible entities adequate time to develop and implement a supply chain risk management plan required under proposed Reliability Standard CIP-013-1, as well as to implement new controls required under proposed Reliability Standards CIP-005-6 and CIP-010-3. NERC explains that although proposed Reliability Standard CIP-013-1 is process-based, the development and implementation of the underlying Reliability Standard requirements ``involves performing a complex risk assessment process for planning and procuring BES Cyber Systems.'' \102\ --------------------------------------------------------------------------- \102\ NERC Comments at 7. --------------------------------------------------------------------------- 70. Other commenters support NERC's proposed 18-month implementation period and contend that 12 months is not enough time for responsible entities to develop and implement the plan and controls required under the supply chain risk management Reliability Standards. EEI, Idaho Power, IRSC, MISO TOs, and Trade Associations contend that while the Commission is correct that the requirements in the Reliability Standards are process-based, certain requirements will require technology enhancements, as well as coordination with vendors.\103\ For example, Trade Associations state that Reliability Standard CIP-005-6 will require work with vendors to facilitate the ability to disable vendor remote access, while Reliability Standard CIP-010-3 will also require technology upgrades.\104\ APS does not agree with the NOPR's assessment that a 12-month implementation period is reasonable, noting the potential need for new technology and the limitations imposed by capital budget and planning cycles.\105\ ITC and MISO TOs argue that the Commission does not have the legal authority to modify the implementation period unilaterally for a proposed Reliability Standard. --------------------------------------------------------------------------- \103\ See EEI Comments at 3-4, Idaho Power Comments at 3-4, IRC Comments at 4, Trade Associations Comments at 12-13. \104\ Trade Associations Comments at 12-13 (citing NOPR, 152 FERC ] 61,054 at P 44). \105\ APS Comments at 5-7. --------------------------------------------------------------------------- 71. Appelbaum supports a shortened implementation period for proposed Reliability Standards CIP-010-3 and CIP-005-6, for the reasons stated in the NOPR, but contends that an 18-month implementation period for proposed Reliability Standard CIP-013-1 is more appropriate. Specifically, Appelbaum notes that the proposed Reliability Standard includes new risk planning and documentation requirements that will take time to implement. Appelbaum also contends that the risk assessment will likely involve multiple vendors and various different assets. Appelbaum states that an 18-month implementation period would provide the time to develop a supply chain risk management policy and associated processes, and then apply the processes to current and future procurement activities.\106\ --------------------------------------------------------------------------- \106\ Appelbaum Comments at 4. --------------------------------------------------------------------------- 3. Commission Determination 72. We do not adopt the NOPR proposal to reduce the implementation period and instead approve the implementation plan and effective date as proposed by NERC. The NOPR proposal was largely based on the premise that the security objectives of the supply chain risk management Reliability Standards are process-based and do not prescribe technology that might justify a longer implementation period. However, based on the comments, we are persuaded that technical upgrades are likely necessary to meet the security objectives of the supply chain risk management Reliability Standards, which could involve longer time- horizon capital budgets and planning cycles. 73. While the Commission could, as Appelbaum suggests, direct an 18-month implementation period for Reliability Standard CIP-013-1 and a 12-month period for Reliability Standards CIP-005-6 and CIP-010-3, we conclude that different timelines could complicate implementation and potentially increase the administrative burden of implementation without a commensurate improvement in security. 74. Based on the discussion above, we do not adopt the NOPR proposal and approve NERC's proposed implementation plan whereby the supply chain risk management Reliability Standards will be effective on the first day of the first calendar quarter that is 18 months following the effective date of this final rule. D. Other Issues 1. Comments 75. Certain commenters raised additional issues not addressed in the NOPR. MISO TOs, APS, and Trade Associations request clarification regarding the term ``vendor.'' Specifically, APS seeks clarification of the definition of ``vendor'' and on the applicability of Reliability Standard CIP-013-1 to those vendors that would only provide services associated with a BES Cyber System that is already procured and in service.\107\ APS also seeks clarification on whether responsible entities are required to perform individualized vendor assessments for every in-scope procurement activity.\108\ --------------------------------------------------------------------------- \107\ APS Comments at 9-11. \108\ Id. --------------------------------------------------------------------------- 76. MISO TOs contend that the Commission should clarify that the supply chain risk management Reliability Standards do not apply to vendors and that responsible entities will not be responsible for vendor noncompliance. MISO TOs also request that the Commission clarify that responsible entities do not have any obligation to work only with compliant vendors.\109\ --------------------------------------------------------------------------- \109\ MISO TOs Comments at 7-9. --------------------------------------------------------------------------- 77. APS also seeks clarification regarding the scope of access intended within the term ``system-to-system access.'' \110\ As an example, APS asserts that, although there is a connection, User Datagram Protocol would not qualify as ``system-to-system access'' and seeks clarification regarding the scope of connections that would qualify as ``system-to-system access.'' \111\ --------------------------------------------------------------------------- \110\ APS Comments at 9-11. \111\ Id. --------------------------------------------------------------------------- 2. Commission Determination 78. The Supplemental Materials for Reliability Standard CIP-013-1 explain the meaning of the term ``vendor.'' Specifically, the Supplemental Materials state that a vendor ``is limited to those persons, companies, or other organizations with whom the [[Page 54003]] [r]esponsible [e]ntity, or its affiliates, contracts with to supply BES Cyber Systems and related services.'' \112\ The Supplemental Materials also note that a vendor, for purposes of the supply chain risk management Reliability Standards, may include: (i) Developers or manufacturers of information systems, system components, or information system services; (ii) product resellers; or (iii) system integrators.\113\ --------------------------------------------------------------------------- \112\ Reliability Standard CIP-013-1 at 12. \113\ Id. --------------------------------------------------------------------------- 79. With regard to vendor-related compliance concerns, vendors are not subject to the supply chain risk management Reliability Standards. As NERC explains, ``the proposed Reliability Standards apply only to registered entities and do not directly impose obligations on suppliers, vendors or other entities that provide products or services to registered entities.'' \114\ This is consistent with the Commission's guidance in Order No. 829 that ``any action taken by NERC in response to the Commission's directive to address the supply chain- related reliability gap should respect `section 215 jurisdiction by only addressing the obligations of responsible entities' and `not directly impose obligations on suppliers, vendors or other entities that provide products or services to responsible entities.' '' \115\ --------------------------------------------------------------------------- \114\ NERC Petition at 14. \115\ Order No. 829, 156 FERC ] 61,050 at P 21. --------------------------------------------------------------------------- 80. As to the question of responsible entity liability for vendor noncompliance, NERC explains that ``any resulting obligation that a supplier, vendor or other entity accepts in providing products or services to the registered entity is a contractual matter between the registered entity and the third party outside the scope of the proposed Reliability Standard[.]'' \116\ The security objective of the supply chain risk management Reliability Standards is to ``ensure that [r]esponsible [e]ntities consider the security, integrity, quality, and resilience of the supply chain, and take appropriate mitigating action when procuring BES Cyber Systems to address threats and vulnerabilities in the supply chain.'' \117\ Therefore, while a responsible entity is not directly liable for vendor actions, the responsible entity is required to mitigate any resulting risks. Finally, the supply chain risk management Reliability Standards do not dictate a responsible entity's contracting decision. --------------------------------------------------------------------------- \116\ NERC Petition at 17. \117\ Id. at 13. --------------------------------------------------------------------------- 81. As to the term ``system-to-system,'' NERC explains that the objective of Reliability Standard CIP-005-6, Requirement R2.4 is for entities to have visibility of active vendor remote access sessions, including Interactive Remote Access and system-to-system remote access, taking place on their system.\118\ Reliability Standard CIP-005-6 requires entities to have a method to determine all active vendor remote access sessions.\119\ --------------------------------------------------------------------------- \118\ Id. at 31. \119\ See Reliability Standard CIP-005-6 at 28. --------------------------------------------------------------------------- III. Information Collection Statement 82. The FERC-725B information collection requirements contained in this final rule are subject to review by the Office of Management and Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 1995.\120\ OMB's regulations require approval of certain information collection requirements imposed by agency rules.\121\ Upon approval of a collection of information, OMB will assign an OMB control number and expiration date. Respondents subject to the filing requirements of this rule will not be penalized for failing to respond to these collections of information unless the collections of information display a valid OMB control number. In the NOPR, the Commission solicited comments on the Commission's need for this information, whether the information will have practical utility, the accuracy of the burden estimates, ways to enhance the quality, utility, and clarity of the information to be collected or retained, and any suggested methods for minimizing respondents' burden, including the use of automated information techniques. The Commission did not receive any comments on the specific burden estimates discussed below. --------------------------------------------------------------------------- \120\ 44 U.S.C. 3507(d). \121\ 5 CFR 1320.11. --------------------------------------------------------------------------- 83. The Commission bases its paperwork burden estimates on the changes in paperwork burden presented by the approved CIP Reliability Standard CIP-013-1 and the approved revisions to CIP Reliability Standard CIP-005-6 and CIP-010-3 as compared to the current Commission- approved Reliability Standards CIP-005-5 and CIP-010-2, respectively. As discussed above, the final rule addresses several areas of the CIP Reliability Standards through Reliability Standard CIP-013-1, Requirements R1, R2, and R3. Under Requirement R1, responsible entities would be required to have one or more processes to address the following baseline set of security concepts, as applicable, in their procurement activities for high and medium impact BES Cyber Systems: (1) Vendor security event notification processes (Part 1.2.1); (2) coordinated incident response activities (Part 1.2.2); (3) vendor personnel termination notification for employees with access to remote and onsite systems (Part 1.2.3); (4) product/services vulnerability disclosures (Part 1.2.4); (5) verification of software integrity and authenticity (Part 1.2.5); and (6) coordination of vendor remote access controls (Part 1.2.6). Requirement R2 mandates that each responsible entity implement its supply chain cybersecurity risk management plan. Requirement R3 requires a responsible entity to review and obtain the CIP Senior Manager's approval of its supply chain risk management plan at least once every 15 calendar months in order to ensure that the plan remains up-to-date. 84. Separately, Reliability Standard CIP-005-6, Requirement R2.4 requires one or more methods for determining active vendor remote access sessions, including Interactive Remote Access and system[hyphen]to[hyphen]system remote access. Reliability Standard CIP- 005-6, Requirement R2.5 requires one or more methods to disable active vendor remote access, including Interactive Remote Access and system[hyphen]to[hyphen]system remote access. Reliability Standard CIP- 010-3, Requirement R1.6 requires responsible entities to verify software integrity and authenticity in the operational phase, if the software source provides a method to do so. 85. The NERC Compliance Registry, as of December 2017, identifies approximately 1,250 unique U.S. entities that are subject to mandatory compliance with Reliability Standards. Of this total, we estimate that 288 entities will face an increased paperwork burden under the approved Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3. Based on these assumptions, we estimate the following reporting burden: [[Page 54004]] RM17-13-000 Final Rule [Mandatory Reliability Standards for Critical Infrastructure Protection Reliability Standards] -------------------------------------------------------------------------------------------------------------------------------------------------------- Annual number Number of of responses Total number Average burden & cost Total annual burden Cost per respondents per of responses per response \122\ hours & total annual respondent ($) respondent cost (1) (2) (1) * (2) = (4)..................... (3) * (4) = (5)........ (5) / (1) (3) -------------------------------------------------------------------------------------------------------------------------------------------------------- Create supply chain risk management 288 1 288 546 hrs.; $44,226....... 157,248 hrs.; $44,226 plan (one-time) \123\ (CIP-013-1 R1). $12,737,088. Updates and reviews of supply chain 288 1 288 30 hrs.; 2,430.......... 8,640 hrs.; 699,840.... 2,430 risk management plan (ongoing) \124\ (CIP-013-1 R2). Develop Procedures to update remote 288 1 288 50 hrs.; 4,050.......... 14,400 hrs.; 1,166,400. 4,050 access requirements (one time) (CIP- 005-6 R1-R4). Develop procedures for software 288 1 288 50 hrs.; 4,050.......... 14,400 hrs.; 1,166,400. 4,050 integrity and authenticity requirements (one time) (CIP-010-3 R1-R4). Total (one-time)................. .............. .............. 864 ........................ 186,048 hrs.; .............. 15,069,888. Total (ongoing).................. .............. .............. 288 ........................ 8,640 hrs.; 699,840.... .............. -------------------------------------------------------------------------------------------------------------------------------------------------------- The one-time burden of 186,048 hours will be averaged over three years (186,048 hours / 3 = 62,016 hours/year over three years). --------------------------------------------------------------------------- \122\ The loaded hourly wage figure (includes benefits) is based on the average of the occupational categories for 2017 found on the Bureau of Labor Statistics website (http://www.bls.gov/oes/current/naics2_22.htm): Legal (Occupation Code: 23-0000): $143.68. Information Security Analysts (Occupation Code 15-1122): $61.55. Computer and Information Systems Managers (Occupation Code: 11- 3021): $96.51. Management (Occupation Code: 11-0000): $94.28. Electrical Engineer (Occupation Code: 17-2071): $66.90. Management Analyst (Code: 43-0000): $63.32. These various occupational categories are weighted as follows: [($94.28)(.10) + ($61.55)(.315) + ($66.90)(.02) + ($143.68)(.15) + ($96.51)(.10) + ($63.32)(.315)] = $81.30. The figure is rounded to $81.00 for use in calculating wage figures in this final rule. \123\ One-time burdens apply in Year One only. \124\ Ongoing burdens apply in Year 2 and beyond.. --------------------------------------------------------------------------- The ongoing burden of 8,640 hours applies to only Years 2 and beyond. The number of responses is also average over three years (864 responses (one-time) + (288 responses (Year 2) + 288 responses (Year 3)) / 3 = 480 responses. The responses and burden for Years 1-3 will total respectively as follows:Year 1: 480 responses; 62,016 hours Year 2: 480 responses; 62,016 hours + 8,640 hours = 70,656 hours Year 3: 480 responses; 62,016 hours + 8,640 hours = 70,656 hours. 86. The following shows the annual cost burden for each year, based on the burden hours in the table above: Year 1: $15,069,888 Years 2 and beyond: $699,840 The paperwork burden estimate includes costs associated with the initial development of a policy to address requirements relating to: (1) Developing the supply chain risk management plan; (2) updating the procedures related to remote access requirements (3) developing the procedures related to software integrity and authenticity. Further, the estimate reflects the assumption that costs incurred in year 1 will pertain to plan and procedure development, while costs in years 2 and 3 will reflect the burden associated with maintaining the supply chain risk management plan and modifying it as necessary on a 15-month basis. 87. Title: FERC-725B (Mandatory Reliability Standards, Revised Critical Infrastructure Protection Reliability Standards). Action: Information Collection, FERC-725B (Supply Chain Risk Management Reliability Standards). OMB Control No.: 1902-0248. Respondents: Businesses or other for-profit institutions; not-for- profit institutions. Frequency of Responses: On Occasion. Necessity of the Information: This final rule approves the requested modifications to Reliability Standards pertaining to critical infrastructure protection. As discussed above, the Commission approves NERC's CIP Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 pursuant to section 215(d)(2) of the FPA because they improve upon the currently-effective suite of cybersecurity CIP Reliability Standards. Internal Review: The Commission has reviewed the approved Reliability Standards and made a determination that its action is necessary to implement section 215 of the FPA. 88. Interested persons may obtain information on the reporting requirements by contacting the following: Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426 [Attention: Ellen Brown, Office of the Executive Director, email: [email protected], phone: (202) 502-8663, fax: (202) 273-0873]. 89. For submitting comments concerning the collection(s) of information and the associated burden estimate(s), please send your comments to the Commission, and to the Office of Management and Budget, Office of Information and Regulatory Affairs, 725 17th Street NW, Washington, DC 20503 [Attention: Desk Officer for the Federal Energy Regulatory Commission, phone: (202) 395-4638, fax: (202) 395-7285]. For security reasons, comments to OMB should be submitted by email to: [email protected]. Comments submitted to OMB should include Docket Number RM17-13-000 and OMB Control Number 1902-0248. IV. Environmental Analysis 90. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human [[Page 54005]] environment.\125\ The Commission has categorically excluded certain actions from this requirement as not having a significant effect on the human environment. Included in the exclusion are rules that are clarifying, corrective, or procedural or that do not substantially change the effect of the regulations being amended.\126\ The actions taken herein fall within this categorical exclusion in the Commission's regulations. --------------------------------------------------------------------------- \125\ Regulations Implementing the National Environmental Policy Act of 1969, Order No. 486, FERC Stats. & Regs. ] 30,783 (1987). \126\ 18 CFR 380.4(a)(2)(ii). --------------------------------------------------------------------------- V. Regulatory Flexibility Act Analysis 91. The Regulatory Flexibility Act of 1980 (RFA) generally requires a description and analysis of proposed rules that will have significant economic impact on a substantial number of small entities.\127\ The Small Business Administration's (SBA) Office of Size Standards develops the numerical definition of a small business.\128\ The SBA revised its size standard for electric utilities (effective January 22, 2014) to a standard based on the number of employees, including affiliates (from the prior standard based on megawatt hour sales).\129\ --------------------------------------------------------------------------- \127\ 5 U.S.C. 601-12. \128\ 13 CFR 121.101. \129\ 13 CFR 121.201, Subsector 221. --------------------------------------------------------------------------- 92. Reliability Standards CIP-013-1, CIP-005-6, CIP-010-3 are expected to impose an additional burden on 288 entities \130\ (reliability coordinators, generator operators, generator owners, interchange coordinators or authorities, transmission operators, balancing authorities, and transmission owners). --------------------------------------------------------------------------- \130\ Public utilities may fall under one of several different categories, each with a size threshold based on the company's number of employees, including affiliates, the parent company, and subsidiaries. For the analysis in this NOPR, we are using a 500 employee threshold due to each affected entity falling within the role of Electric Bulk Power Transmission and Control (NAISC Code: 221121). --------------------------------------------------------------------------- 93. Of the 288 affected entities discussed above, we estimate that approximately 248 or 86.2 percent of the affected entities are small entities. We estimate that each of the 248 small entities to whom the approved modifications to Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 apply will incur one-time costs of approximately $52,326 per entity to implement the approved Reliability Standards, as well as the ongoing paperwork burden reflected in the Information Collection Statement (approximately $2,430 per year per entity). We do not consider the estimated costs for these 248 small entities to be a significant economic impact. Accordingly, we certify that Reliability Standards CIP-013-1, CIP-005-6, and CIP-010-3 will not have a significant economic impact on a substantial number of small entities. VI. Document Availability 94. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the internet through the Commission's Home Page (http://www.ferc.gov) and in the Commission's Public Reference Room during normal business hours (8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE, Room 2A, Washington, DC 20426. 95. From the Commission's Home Page on the internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number of this document, excluding the last three digits, in the docket number field. User assistance is available for eLibrary and the Commission's website during normal business hours from the Commission's Online Support at (202) 502-6652 (toll free at 1-866-208- 3676) or email at [email protected], or the Public Reference Room at (202) 502-8371, TTY (202) 502-8659. Email the Public Reference Room at [email protected]. VII. Effective Date and Congressional Notification 96. The final rule is effective December 26, 2018. The Commission has determined that this final rule imposes no substantial effect upon either NERC or NERC registered entities \131\ and, with the concurrence of the Administrator of the Office of Information and Regulatory Affairs of OMB, that this rule is not a ``major rule'' as defined in section 351 of the Small Business Regulatory Enforcement Fairness Act of 1996. This final rule is being submitted to the Senate, House, and Government Accountability Office. --------------------------------------------------------------------------- \131\ 5 U.S.C. 804(3)c. By the Commission. Chairman McIntyre was not present at the Commission Meeting held on October 18, 2018 and did not vote on this --------------------------------------------------------------------------- item. Issued: October 18, 2018. Nathaniel J. Davis, Sr., Deputy Secretary. Note: The following appendix will not appear in the Code of Federal Regulations. Appendix Commenters ------------------------------------------------------------------------ Abbreviation Commenter ------------------------------------------------------------------------ AECC.............................. Arkansas Electric Cooperative Corporation. Appelbaum......................... Jonathan Appelbaum. APS............................... Arizona Public Service Company. EEI............................... Edison Electric Institute. Idaho Power....................... Idaho Power Company. IRC............................... ISO/RTO Council. Isologic.......................... Isologic LLC. ITC............................... International Transmission Company. Mabee............................. Michael Mabee. MISO TOs.......................... MISO Transmission Owners. MPUC.............................. Maine Public Utilities Commission. NERC.............................. North American Electric Reliability Corporation. Reclamation....................... U.S. Bureau of Reclamation. Resilient Societies............... Foundation for Resilient Societies. Trade Associations................ American Public Power Association, Electricity Consumers Resource Council, Large Public Power Council, National Rural Electric Cooperative Association, and Transmission Access Policy Study Group. ------------------------------------------------------------------------ [FR Doc. 2018-23201 Filed 10-25-18; 8:45 am] BILLING CODE 6717-01-P
![53992 Federal Register / Vol. 83, No. 208 / Friday, October 26, 2018 / Rules and Regulations
enactment of the Act, which is data because of reliability concerns, in Assessments) submitted by the North
December 4, 2018. Accordingly, airlines the interest of providing air travel American Electric Reliability
determined by the Department’s Office consumers with access to reliable Corporation (NERC). In addition, the
of Airline Information (OAI) as mishandled baggage data, the Commission directs NERC to develop
accounting for at least 1 percent of Enforcement Office expects that the and submit modifications to the supply
domestic scheduled passenger revenues airline will accurately report chain risk management Reliability
for calendar year 2018 3 must submit mishandled baggage data to the Standards so that the scope of the
mishandled baggage data to the Department using the prior mishandled Reliability Standards include Electronic
Department using the new mishandled bag reporting methodology (i.e., the total Access Control and Monitoring Systems.
baggage methodology and must number of passengers enplaned and the DATES: This rule is effective December
separately report statistics for total number of MBRs filed with the 26, 2018.
mishandled wheelchairs and scooters airline in the manner described in 14 FOR FURTHER INFORMATION CONTACT:
for domestic scheduled flights they CFR 234.6(a) and OAI Technical Simon Slobodnik (Technical
operate beginning December 4, 2018 and Reporting Directive #29A, for the flights Information) Office of Electric
through December 31, 2018. See 81 FR it operates December 1 through 31, Reliability, Federal Energy Regulatory
73000 (November 2, 2016). The airlines 2018). Even if an airline indicates an Commission, 888 First Street NE,
must submit this data to the Department inability to report accurately the total Washington, DC 20426, (202) 502–6707,
no later than January 15, 2019.4 The number of mishandled bags and simon.slobodnik@ferc.gov.
data would consist of: (1) Operating enplaned bags, the Enforcement Office Patricia Eke (Technical Information)
carrier code; (2) month and year of data; will expect the airline to accurately Office of Electric Reliability, Federal
(3) number of mishandled bags; (4) report the total number of mishandled Energy Regulatory Commission, 888
number of bags enplaned; (5) number of wheelchairs and scooters and total First Street NE, Washington, DC 20426,
mishandled wheelchairs and scooters; number of wheelchair and scooters (202) 502–8388, patricia.eke@ferc.gov.
(6) number of wheelchairs and scooters enplaned. Because the Enforcement Kevin Ryan (Legal Information) Office
enplaned; (7) certification that to the Office expects that airlines should be of the General Counsel, Federal Energy
best of the signing official’s knowledge able to accurately report mishandled Regulatory Commission, 888 First Street
and belief the data is true, correct, and wheelchair and scooter data, the NE, Washington, DC 20426, (202) 502–
complete; and (8) date of submission, Enforcement Office requests a detailed 6840, kevin.ryan@ferc.gov.
name of airline representative, and explanation no later than January 3, SUPPLEMENTARY INFORMATION:
signature. 2019, from any airline asserting that it Before Commissioners: Cheryl A. LaFleur,
If a reporting carrier is unable to is not able to accurately report Neil Chatterjee, and Richard Glick.
report accurate data on the total number wheelchair and scooter data to the
of mishandled bags and enplaned bags 1. Pursuant to section 215(d)(2) of the
Department for flights beginning Federal Power Act (FPA), the
for the entire reportable period December 4, 2018.
beginning December 4, 2018, and Commission approves supply chain risk
ending December 31, 2018, the Issued in Washington, DC, on October 22, management Reliability Standards CIP–
2018. 013–1 (Cyber Security—Supply Chain
Enforcement Office will exercise its
enforcement discretion as appropriate.5 Blane A. Workie, Risk Management), CIP–005–6 (Cyber
An airline should inform the Assistant General Counsel for Aviation Security—Electronic Security
Enforcement Office no later than Enforcement and Proceedings. Perimeter(s)) and CIP–010–3 (Cyber
January 3, 2019, if the airline is unable [FR Doc. 2018–23475 Filed 10–25–18; 8:45 am] Security—Configuration Change
to provide accurate mishandled baggage BILLING CODE 4910–9X–P Management and Vulnerability
data using the methodology set forth in Assessments).1 The North American
the November 2, 2016 rule for the Electric Reliability Corporation (NERC),
December 2018 reportable period. To DEPARTMENT OF ENERGY the Commission-certified Electric
the extent the Enforcement Office Reliability Organization (ERO),
decides not to pursue action against an Federal Energy Regulatory submitted the supply chain risk
airline that does not report the required Commission management Reliability Standards for
approval in response to a Commission
3 For calendar year 2018, 12 airlines reached the 18 CFR Part 40 directive in Order No. 829.2 As
reporting threshold of 906,261,000 in domestic discussed below, we approve the supply
scheduled passenger revenue (one percent of total [Docket No. RM17–13–000; Order No. 850] chain risk management Reliability
domestic scheduled passenger revenue) and are Standards as they are responsive to
required to report mishandled baggage data. These Supply Chain Risk Management
airlines are: Alaska Airlines, American Airlines, Reliability Standards Order No. 829 and improve the electric
Delta Air Lines, Envoy Air, ExpressJet Airlines, industry’s cybersecurity posture by
Frontier Airlines, Hawaiian Airlines, JetBlue AGENCY: Federal Energy Regulatory requiring that entities mitigate certain
Airways, SkyWest Airlines, Southwest Airlines, Commission, DOE. cybersecurity risks associated with the
Spirit Airlines and United Airlines.
4 As section 441 only changes the compliance ACTION: Final rule. supply chain for BES Cyber Systems.3
date of the November 2 final rule, airlines are not
required to submit data for any code-share SUMMARY: The Federal Energy 1 16 U.S.C. 824o(d)(2).
operations, which is a requirement of the November Regulatory Commission (Commission) 2 Revised Critical Infrastructure Protection
3, 2016, final rule. approves supply chain risk management Reliability Standards, Order No. 829, 156 FERC ¶
khammond on DSK30JT082PROD with RULES
5 During the past year, the Enforcement Office has 61,050, at P 43 (2016).
been working with the reporting carriers to ensure
Reliability Standards CIP–013–1 (Cyber 3 BES Cyber System is defined as ‘‘[o]ne or more
that they are able to report new mishandled baggage Security—Supply Chain Risk BES Cyber Assets logically grouped by a
data for flights on or after January 1, 2019. This Management), CIP–005–6 (Cyber responsible entity to perform one or more reliability
notification is not intended to suggest an airline’s Security—Electronic Security tasks for a functional entity.’’ Glossary of Terms
delay in submitting the new mishandled baggage Used in NERC Reliability Standards (NERC
data for flights occurring on or after January 1, 2019,
Perimeter(s)) and CIP–010–3 (Cyber Glossary), http://www.nerc.com/files/glossary_of_
would lead the Enforcement Office to exercise its Security—Configuration Change terms.pdf. The acronym BES refers to the bulk
enforcement discretion. Management and Vulnerability electric system.
VerDate Sep<11>2014 18:06 Oct 25, 2018 Jkt 247001 PO 00000 Frm 00028 Fmt 4700 Sfmt 4700 E:\FR\FM\26OCR1.SGM 26OCR1](https://thefederalregister.org/doc/83_FR_54200/page/1.svg)
![Federal Register / Vol. 83, No. 208 / Friday, October 26, 2018 / Rules and Regulations 53993
2. The Commission has previously time-horizon capital budgets and will only let essential traffic cross
explained that the global supply chain planning cycles. security boundaries[,] . . . [i]f they are
affords significant benefits to customers, 4. While the supply chain risk not properly configured, they could
including low cost, interoperability, management Reliability Standards easily pass unauthorized or malicious
rapid innovation, and a variety of address the Commission’s directive in users or content.’’ 12 Accordingly, if
product features and choice.4 Despite Order No. 829, we determine that there EACMS are compromised, that could
these benefits, the global supply chain remains a significant cybersecurity risk adversely affect the reliable operation of
creates opportunities for adversaries to associated with the supply chain for associated BES Cyber Systems.13 Given
directly or indirectly affect the BES Cyber Systems because the the significant role that EACMS play in
management or operations of companies approved Reliability Standards do not the protection scheme for medium and
with potential risks to end users. Supply address Electronic Access Control and high impact BES Cyber Systems, we
chain risks include insertion of Monitoring Systems (EACMS).7 As we determine that EACMS should be
counterfeits or malicious software, observed in the NOPR, it is widely within the scope of the supply chain
unauthorized production, tampering, or recognized that the types of access and risk management Reliability Standards
theft, as well as poor manufacturing and monitoring functions that are included to provide minimum protection against
development practices. Based on the within NERC’s definition of EACMS, supply chain attack vectors.
record in this proceeding, we conclude such as firewalls, are integral to 5. To address this gap, pursuant to
that the supply chain risk management protecting industrial control systems.8 section 215(d)(5) of the FPA,14 the
Reliability Standards largely address Moreover, as stated in Order No. 848, Commission directs NERC to develop
these supply chain cybersecurity risks EACMS, which include, for example, modifications to include EACMS
as set out within the scope of Order No. firewalls, authentication servers, associated with medium and high
security event monitoring systems, impact BES Cyber Systems within the
829. Among other things, the supply
intrusion detection systems and alerting scope of the supply chain risk
chain risk management Reliability
systems, control electronic access into management Reliability Standards.15
Standards are forward-looking and
Electronic Security Perimeters (ESP), We direct NERC to submit the directed
objective-based and require each
play a significant role in the protection modifications within 24 months of the
affected entity to develop and
of high and medium impact BES Cyber effective date of this final rule.
implement a plan that includes security
Systems.9 Once an EACMS is 6. Further, the NERC proposal does
controls for supply chain management
compromised, an attacker could more not address Physical Access Control
for industrial control system hardware,
easily enter the ESP and effectively Systems (PACS) 16 and Protected Cyber
software, and services associated with
control the BES Cyber System or Assets (PCA),17 with the exception of
bulk electric system operations.5 Protected Cyber Asset.10 For example,
Consistent with Order No. 829, the the modifications in Reliability
the Department of Homeland Security’s Standard CIP–005–6, which apply to
Reliability Standards focus on the Industrial Control Systems Cyber
following four security objectives: (1) PCAs. We remain concerned that the
Emergency Response Team (ICS–CERT) exclusion of these components may
Software integrity and authenticity; (2) identifies firewalls as ‘‘the first line of
vendor remote access protections; (3) leave a gap in the supply chain risk
defense within an ICS network management Reliability Standards.
information system planning; and (4) environment’’ that ‘‘keep the intruder
vendor risk management and Nevertheless, in contrast to EACMS, we
out while allowing the authorized believe that more study is necessary to
procurement controls. passage of data necessary to run the determine the impact of PACS and
3. The Commission also approves the organization.’’ 11 ICS–CERT further PCAs in the context of the supply chain
supply chain risk management explains that firewalls ‘‘act as sentinels, risk management Reliability Standards.
Reliability Standards’ associated or gatekeepers, between zones . . .
violation risk factors and violation [and] [w]hen properly configured, they 12 Id.
severity levels. Regarding the Reliability 13 NOPR, 162 FERC ¶ 61,044 at P 37.
Standards’ implementation plan and 7 EACMS are defined as ‘‘Cyber Assets that 14 16 U.S.C. 824o(d)(5).
effective date, we approve NERC’s perform electronic access control or electronic 15 Reliability Standard CIP–002–5.1a (Cyber
access monitoring of the Electronic Security Security System Categorization) provides a ‘‘tiered’’
proposed implementation period of 18 Perimeter(s) or BES Cyber Systems. This includes approach to cybersecurity requirements, based on
months following the effective date of a Intermediate Systems.’’ NERC Glossary. Reliability classifications of high, medium and low impact BES
Commission order. The NOPR proposed Standard CIP–002–5.1a (Cyber Security — BES Cyber Systems.
to reduce the implementation period to Cyber System Categorization) states that examples 16 PACS are defined as ‘‘Cyber Assets that control,
of EACMS include ‘‘Electronic Access Points, alert, or log access to the Physical Security
12 months.6 However, as discussed Intermediate Systems, authentication servers (e.g., Perimeter(s), exclusive of locally mounted hardware
below, the NOPR comments provide RADIUS servers, Active Directory servers, or devices at the Physical Security Perimeter such
sufficient justification for adopting the Certificate Authorities), security event monitoring as motion sensors, electronic lock control
18-month implementation period systems, and intrusion detection systems.’’ mechanisms, and badge readers.’’ NERC Glossary.
Reliability Standard CIP–002–5.1a (Cyber Security Reliability Standard CIP–002–5.1a states that
proposed by NERC. Specifically, the — BES Cyber System Categorization) Section A.6 at examples include ‘‘authentication servers, card
comments clarify that technical 6. systems, and badge control systems.’’Id.
upgrades are likely necessary to meet 8 NOPR, 162 FERC ¶ 61,044 at P 37.
17 PCAs are defined as ‘‘[o]ne or more Cyber
the Reliability Standards’ security 9 Cyber Security Incident Reporting Reliability
Assets connected using a routable protocol within
objectives, which could involve longer Standards, Order No. 848, 164 FERC ¶ 61,033, at or on an Electronic Security Perimeter that is not
P 10 (2018). ESP is defined as ‘‘[t]he logical border part of the highest impact BES Cyber System within
surrounding a network to which BES Cyber Systems the same Electronic Security Perimeter. The impact
4 Revised Critical Infrastructure Protection are connected using a routable protocol.’’ NERC
khammond on DSK30JT082PROD with RULES
rating of Protected Cyber Assets is equal to the
Reliability Standards, Notice of Proposed Glossary. highest rated BES Cyber System in the same
Rulemaking, 152 FERC ¶ 61,054, at PP 61–62 10 Order No. 848, 164 FERC ¶ 61,033 at P 10.
[Electronic Security Perimeter].’’ NERC Glossary.
(2015). 11 ICS–CERT, Recommended Practice: Improving Reliability Standard CIP–002–5.1a states that
5 Order No. 829, 156 FERC ¶ 61,050 at P 2.
Industrial Control System Cybersecurity with examples include, to the extent they are within the
6 Supply Chain Risk Management Reliability Defense-in-Depth Strategies at 23, https://ics- Electronic Security Perimeter, ‘‘file servers, ftp
Standards, Notice of Proposed Rulemaking, 83 FR cert.us-cert.gov/sites/default/files/recommended_ servers, time servers, LAN switches, networked
3433 (January 25, 2018), 162 FERC ¶ 61,044 (2018) practices/NCCIC_ICS-CERT_Defense_in_Depth_ printers, digital fault recorders, and emission
(NOPR). 2016_S508C.pdf. monitoring systems.’’ Id.
VerDate Sep<11>2014 18:06 Oct 25, 2018 Jkt 247001 PO 00000 Frm 00029 Fmt 4700 Sfmt 4700 E:\FR\FM\26OCR1.SGM 26OCR1](https://thefederalregister.org/doc/83_FR_54200/page/2.svg)
![53994 Federal Register / Vol. 83, No. 208 / Friday, October 26, 2018 / Rules and Regulations
We distinguish among EACMS and the Commission directed NERC to develop NERC’s response to the Order No. 829
other Cyber Assets because compromise a forward-looking, objective-based directive should respect the
of PACS and PCAs are less likely. For Reliability Standard that would require Commission’s jurisdiction under FPA
example, a compromise of a PACS, responsible entities to develop and section 215 by only addressing the
which would potentially grant an implement a plan with supply chain obligations of responsible entities and
attacker physical access to a BES Cyber management security controls focused not by directly imposing any obligations
System or PCA, is less likely since on four security objectives: (1) Software on non-jurisdictional suppliers, vendors
physical access is also required. In integrity and authenticity; (2) vendor or other entities that provide products
addition, PCAs typically become remote access; (3) information system or services to responsible entities.30
vulnerable to remote compromise only planning; and (4) vendor risk
C. NERC Petition and Proposed
once EACMS have been compromised. management and procurement
Reliability Standards
Thus, we accept NERC’s commitment to controls.24
evaluate the cybersecurity supply chain 9. The Commission explained that 11. On September 26, 2017, NERC
risks presented by PACS and PCAs in verification of software integrity and submitted for Commission approval
the study of cybersecurity supply chain authenticity is intended to reduce the proposed Reliability Standards CIP–
risks directed by the NERC Board of likelihood that an attacker could exploit 013–1, CIP–005–6, and CIP–010–3 and
Trustees (BOT) in its resolutions of legitimate vendor patch management their associated violation risk factors
August 10, 2017.18 The Commission processes to deliver compromised and violation severity levels,
further directs NERC to file the BOT- software updates or patches to a BES implementation plan, and effective
directed final report with the Cyber System.25 For vendor remote date.31 NERC states that the purpose of
Commission upon its completion.19 access, the Commission stated that the the Reliability Standards is to enhance
objective is intended to address the the cybersecurity posture of the electric
I. Background threat that vendor credentials could be industry by requiring responsible
A. Section 215 and Mandatory stolen and used to access a BES Cyber entities to take additional actions to
Reliability Standards System without the responsible entity’s address cybersecurity risks associated
knowledge, as well as the threat that a with the supply chain for BES Cyber
7. Section 215 of the FPA requires a Systems. NERC explains that the
compromise at a trusted vendor could
Commission-certified ERO to develop Reliability Standards are designed to
traverse over an unmonitored
mandatory and enforceable Reliability augment the existing controls required
connection into a responsible entity’s
Standards, subject to Commission in the currently-effective CIP Reliability
BES Cyber System.26 As to information
review and approval. Reliability Standards that help mitigate supply
system planning, Order No. 829
Standards may be enforced by the ERO, chain risks, providing increased
indicated that the objective is intended
subject to Commission oversight, or by attention on minimizing the attack
to address the risk that responsible
the Commission independently.20 surfaces of information and
entities could unintentionally plan to
Pursuant to section 215 of the FPA, the communications technology products
procure and install unsecure equipment
Commission established a process to and services procured to support
or software within their information
select and certify an ERO,21 and reliable bulk electric system operations,
systems, or could unintentionally fail to
subsequently certified NERC.22 consistent with Order No. 829.
anticipate security issues that may arise
B. Order No. 829 due to their network architecture or 12. NERC states that the supply chain
during technology and vendor risk management Reliability Standards
8. In Order No. 829, the Commission apply only to medium and high impact
directed NERC to develop a new or transitions.27 For vendor risk
management and procurement controls, BES Cyber Systems. NERC explains that
modified Reliability Standard that the goal of the CIP Reliability Standards
addresses supply chain risk the Commission explained that this
objective is intended to address the risk is to ‘‘focus[] industry resources on
management for industrial control protecting those BES Cyber Systems
system hardware, software and that responsible entities could enter into
contracts with vendors that pose with heightened risks to the [bulk
computing and networking services electric system] . . . [and] that the
associated with bulk electric system significant risks to the responsible
entities’ information systems, as well as requirements applicable to low impact
operations.23 Specifically, the BES Cyber Systems, given their lower
the risk that products procured by a
responsible entity fail to meet minimum risk profile, should not be overly
18 NERC Board of Trustees, Proposed Additional
Resolutions for Agenda Item 9.a: Cyber Security— security criteria. This objective also burdensome to divert resources from the
Supply Chain Risk Management—CIP–005–6, CIP– addresses the risk that a compromised protection of medium and high impact
010–3, and CIP–013–1 (August 10, 2017). vendor would not provide adequate BES Cyber Systems.’’ 32 NERC further
19 As discussed later in this final rule, the NOPR
notice and related incident response to maintains that the standard drafting
proposed to direct NERC to file the BOT-directed team chose to limit the applicability of
interim report, due 12 months from the date of the responsible entities with whom that
BOT resolutions, as well as the final report, which vendor is connected.28 the Reliability Standards to medium and
is due 18 months from the date of the BOT 10. Order No. 829 stated that while high impact BES Cyber Systems because
resolutions. On September 7, 2018, NERC filed the
responsible entities should be required the supply chain risk management
BOT-directed interim report in this docket. Reliability Standards are ‘‘consistent
20 16 U.S.C. 824o(e). to develop and implement a plan, NERC
21 Rules Concerning Certification of the Electric need not impose any specific controls or with the type of existing CIP
Reliability Organization; and Procedures for the ‘‘one-size-fits-all’’ requirements.29 In cybersecurity requirements applicable
Establishment, Approval, and Enforcement of addition, the Commission stated that
khammond on DSK30JT082PROD with RULES
Electric Reliability Standards, Order No. 672, FERC 30 Id. P 21.
Stats. & Regs. ¶ 31,204, order on reh’g, Order No. 24 Id.
31 ReliabilityStandards CIP–013–1, CIP–005–6,
672–A, FERC Stats. & Regs. ¶ 31,212 (2006). P 45.
25 Id. P 49.
and CIP–010–3 are not attached to this final rule.
22 North American Electric Reliability Corp., 116 The Reliability Standards are available on the
26 Id. P 52.
FERC ¶ 61,062, order on reh’g and compliance, 117 Commission’s eLibrary document retrieval system
27 Id. P 57.
FERC ¶ 61,126 (2006), aff’d sub nom. Alcoa, Inc. in Docket No. RM17–13–000 and on the NERC
v. FERC, 564 F.3d 1342 (D.C. Cir. 2009). 28 Id. P 60. website, www.nerc.com.
23 Order No. 829, 156 FERC ¶ 61,050 at P 43. 29 Id. P 13. 32 NERC Petition at 16–17.
VerDate Sep<11>2014 18:06 Oct 25, 2018 Jkt 247001 PO 00000 Frm 00030 Fmt 4700 Sfmt 4700 E:\FR\FM\26OCR1.SGM 26OCR1](https://thefederalregister.org/doc/83_FR_54200/page/3.svg)
![Federal Register / Vol. 83, No. 208 / Friday, October 26, 2018 / Rules and Regulations 53995
to high and medium impact BES Cyber System planning and procurement.’’ 38 negotiation of security provisions in its
Systems as opposed to those applicable NERC explains that proposed Reliability agreements with the vendor.
to low impact BES Cyber Systems.’’ 33 Standard CIP–013–1 does not require
Proposed Modifications in Reliability
13. NERC states that the standard any specific controls or mandate ‘‘one-
Standard CIP–005–6
drafting team also excluded EACMS, size-fits-all’’ requirements due to the
PACS, and PCAs from the scope of the differences in needs and characteristics 18. Proposed Reliability Standard
supply chain risk management of responsible entities and the diversity CIP–005–6 includes two new parts,
Reliability Standards, with the of bulk electric system environments, Parts 2.4 and 2.5, to address vendor
technologies, and risks. NERC states that remote access, which is the second
exception of the modifications in
the goal of the proposed Reliability objective discussed in Order No. 829.
Reliability Standard CIP–005–6, which
Standard is ‘‘to help ensure that NERC explains that the new parts work
apply to PCAs. NERC explains that
responsible entities establish in tandem with proposed Reliability
although certain requirements in the
organizationally-defined processes that Standard CIP–013–1, Requirement
existing CIP Reliability Standards apply
integrate a cybersecurity risk R1.2.6, which requires responsible
to EACMS, PACS, and PCAs due to their
management framework into the system entities to address Interactive Remote
association with BES Cyber Systems
development lifecycle.’’ 39 NERC Access and system-to-system remote
(either by function or location), the
observes that, among other things, access when procuring industrial
standard drafting team determined that
proposed Reliability Standard CIP–013– control system hardware, software, and
the supply chain risk management computing and networking services
Reliability Standards should focus on 1 addresses the risk associated with
information system planning, as well as associated with bulk electric system
high and medium impact BES Cyber operations. NERC states that proposed
Systems only. NERC states that this vendor risk management and
procurement controls, the third and Reliability Standard CIP–005–6,
determination was based on the Requirement R2.4 requires one or more
conclusion that applying the proposed fourth objectives outlined in Order No.
829. methods for determining active vendor
Reliability Standards to EACMS, PACS, remote access sessions, including
and PCAs ‘‘would divert resources from 16. NERC maintains that, consistent
Interactive Remote Access and
protecting medium and high BES Cyber with Order No. 829, responsible entities
system-to-system remote access. NERC
Systems.’’ 34 need not apply their supply chain risk
explains that the security objective of
14. NERC asserts that with respect to management plans to the acquisition of Requirement R2.4 is to provide
low impact BES Cyber Systems and vendor products or services under awareness of all active vendor remote
EACMS, PACS, and PCAs, while not contracts executed prior to the effective access sessions, both Interactive Remote
mandatory, NERC expects that these date of Reliability Standard CIP–013–1, Access and system-to-system remote
assets will likely be subject to nor would such contracts need to be access, that are taking place on a
responsible entity supply chain risk renegotiated or abrogated to comply responsible entity’s system.
management plans required by with the Reliability Standard. In
Reliability Standard CIP–013–1. addition, NERC indicates that, Proposed Modifications in Reliability
Specifically, NERC explains that consistent with the development of a Standard CIP–010–3
‘‘[r]esponsible [e]ntities may implement forward looking Reliability Standard, it 19. Proposed Reliability Standard
a single process for procuring products would not expect entities in the middle CIP–010–3 includes a new part, Part 1.6,
and services associated with their of procurement activities for an to address software integrity and
operational environments.’’ 35 NERC applicable product or service at the time authenticity, the first objective
contends that ‘‘by requiring that entities of the effective date of Reliability addressed in Order No. 829, by
implement supply chain cybersecurity Standard CIP–013–1 to begin those requiring that the publisher is identified
risk management plans for high and activities anew to implement their and the integrity of all software and
medium impact BES Cyber Systems, supply chain cybersecurity risk patches are confirmed. NERC explains
those plans would likely also cover their management plan. that proposed Reliability Standard CIP–
low impact BES Cyber Systems.’’ 36 17. With regard to assessing 010–3, Requirement R1.6 requires
NERC also claims that responsible compliance with Reliability Standard responsible entities to verify software
entities ‘‘may also use the same vendors CIP–013–1, NERC states that NERC and integrity and authenticity prior to a
for procuring PACS, EACMS, and PCAs Regional Entities would focus on change from the existing baseline
as they do for their high and medium whether responsible entities: (1) configuration, if the software source
impact BES Cyber Systems such that the Developed processes reasonably provides a method to do so.
same security considerations may be designed to (i) identify and assess risks Specifically, NERC states that proposed
addressed for those Cyber Assets.’’ 37 associated with vendor products and Reliability Standard CIP–010–3,
services in accordance with Part 1.1 and Requirement R1.6 requires that
Proposed Reliability Standard CIP–013– (ii) ensure that the security items listed responsible entities verify the identity of
1 in Part 1.2 are an integrated part of the software source and the integrity of
15. NERC states that the focus of procurement activities; and (2) the software obtained by the software
proposed Reliability Standard CIP–013– implemented those processes in good sources prior to installing software that
1 is on the steps that responsible entities faith. NERC explains that NERC and changes established baseline
must take ‘‘to consider and address Regional Entities will evaluate the steps configurations, when methods are
cybersecurity risks from vendor a responsible entity took to assess risks available to do so. NERC asserts that the
khammond on DSK30JT082PROD with RULES
products and services during BES Cyber posed by a vendor and associated security objective of proposed
products or services and, based on that Requirement R1.6 is to ensure that the
33 Id. at 18.
risk assessment, the steps the entity took software being installed in the BES
34 Id. at 20. to mitigate those risks, including the Cyber System was not modified without
35 Id. the awareness of the software supplier
36 Id. at 19. 38 Id. at 22. and is not counterfeit. NERC contends
37 Id. at 20. 39 Id. at 23. that these steps help reduce the
VerDate Sep<11>2014 18:06 Oct 25, 2018 Jkt 247001 PO 00000 Frm 00031 Fmt 4700 Sfmt 4700 E:\FR\FM\26OCR1.SGM 26OCR1](https://thefederalregister.org/doc/83_FR_54200/page/4.svg)
![53998 Federal Register / Vol. 83, No. 208 / Friday, October 26, 2018 / Rules and Regulations
assess supply chain risks associated like EEI, reference Reliability Standard 43. Idaho Power, for its part, does not
with EACMS are received.52 CIP–007–6 (Cyber Security — System believe that EACMS should be included
37. Most commenters agree with Security Management), which requires in the scope of the supply chain risk
NERC that the Commission should responsible entities to manage system management Reliability Standards based
approve the supply chain risk security by specifying select technical, on its view that EACMS are used in
management Reliability Standards as operational, and procedural other industries and are not specific to
filed and not direct the inclusion of requirements in support of protecting critical infrastructure. Instead, Idaho
EACMS at this time. Instead, Trade BES Cyber Systems. MISO TOs state Power states that the focus should be on
Associations, EEI, ITC, IRC, and MISO that this Reliability Standard applies to correctly configuring EACMS devices as
TOs support evaluating in the BOT- EACMS. AECC also contends that the opposed to addressing procurement
directed study the possibility of existing CIP Reliability Standards practices.62
including EACMS in the supply chain already sufficiently cover any risks
risk management Reliability 44. Appelbaum, Reclamation,
associated with EACMS.58 In particular, Resilient Societies, Isologic, Mabee, and
Standards.53 AECC states that ‘‘CIP–005–6 already
38. Trade Associations contend that MPUC support the NOPR directive
addresses vendor-initiated remote regarding EACMS associated with
first allowing completion of the BOT- access . . . [and] developing technology
directed study would allow NERC to medium and high impact BES Cyber
services for BEC Cyber Systems under
assess the diversity of EACMS that Systems. In addition, the commenters
CIP–010–3 inherently already requires
perform control or monitoring functions urge the Commission to extend the
coverage for EACMS, PACS, and PCAs
with varying risk levels and ‘‘is likely to scope of the supply chain risk
due to the nature of the technology.’’ 59
provide more specific information and management Reliability Standards to
41. ITC, IRC, and MISO TOs assert low impact BES Cyber Systems.63
analysis concerning whether any
category of EACMS might be that including EACMS within the MPUC states, for example, that the
appropriately included within the scope supply chain risk management supply chain risk management
of the supply chain Reliability Reliability Standards would constitute a Reliability Standards should apply to all
Standards.’’ 54 Trade Associations also substantial expansion of the Reliability BES Cyber System assets, unless the
maintain that first having the BOT- Standards and would require significant specific asset can be shown to be
directed study results will facilitate a additional resources for compliance, completely isolated from the bulk
more efficient and effective standards without a commensurate improvement electric system.64 Resilient Societies
development process. in bulk electric system reliability. states that the supply chain risk
39. While also supportive of awaiting According to ITC, the record does not management Reliability Standards
the results of the BOT-directed study, contradict NERC’s technical assessment should apply to low impact BES Cyber
EEI asserts that EACMS are protected that inclusion of EACMS within the Systems since the compromise of a low
under existing CIP Reliability supply chain risk management impact BES Cyber System could lead to
Standards. EEI cites Reliability Reliability Standards is not justified. the compromise of medium or high
Standards CIP–005–5, Requirements R1, ITC claims that the NOPR, while
impact BES Cyber Systems.65
Part 1.3 and R2, Parts 2.1–2.3, CIP–007– ‘‘descriptively accurate,’’
6, Requirements R1, Part 1.1, R2, R3, R4, misunderstands the purpose and 45. APS states that it supports the
and R5, and CIP–010–2, Requirement 2, function of EACMS, which, ITC states, NOPR proposal to direct NERC to
Part 2.1 as protecting EACMS against are intended to protect the ESP and the modify the supply chain risk
compromise.55 Moreover, EEI states that BES Cyber Assets contained therein and management Reliability Standards to
the likelihood of compromise of an are not intended to provide a reliability include EACMS associated with
EACMS from potential supply chain- function. ITC concludes that medium and high impact BES Cyber
derived threats was not addressed in the misoperation of an EACMS, while Systems. However, APS contends that
NOPR and ‘‘should be evaluated before serious, does not rise to the level of a the Commission should delay their
directing a CIP Standard scope direct threat to the reliability of the bulk inclusion until NERC and industry
expansion.’’ 56 Even so, EEI supports electric system. complete their analysis of the potential
further evaluating the feasibility, as well 42. IRC similarly believes that need to separate the functions reflected
as the benefits, of adding EACMS to the including EACMS within the scope of in the current EACMS definition (e.g.,
supply chain risk management the supply chain risk management electronic access control versus
Reliability Standards. EEI contends that Reliability Standards would require electronic access monitoring). APS
waiting for the BOT-directed study will ‘‘significant resources and effort’’ and states that, including EACMS that
allow industry time to gain experience because EACMS vendors supply such perform electronic access control
implementing the supply chain risk systems to a larger market than just the functions within the scope of the supply
management Reliability Standard power sector there would need to be chain risk management Reliability
requirements as well as help identify coordination with other industries Standards ‘‘represents good
potential follow-up actions.57 before implementing a supply chain risk cybersecurity posture . . . [h]owever, at
40. MISO TOs likewise aver that management Reliability Standard for this time, the definition of EACMS is
EACMS, while important, are ‘‘not EACMS.60 MISO TOs also contend that not sufficiently mature to make the
unprotected’’ under currently-effective including EACMS would affect necessary distinction discussed
CIP Reliability Standards. MISO TOs, numerous pieces of equipment and above.’’ 66
assets, with associated costs, system
khammond on DSK30JT082PROD with RULES
52 Id. at 4–6. 62 Idaho
changes, and other burdens, without Power Comments at 2.
53 Trade Associations Comments at 10, EEI 63 Appelbaum
showing commensurate benefits.61 Comments at 6, Reclamation
Comments at 10, ITC Comments at 5, IRC Comments at 7, Resilient Societies Comments at 3–
Comments at 3. 4, Isologic Comments at 3, Mabee Comments at 4,
54 Trade Associations Comments at 10. 58 AECC Comments at 2–3. MPUC Comments at 6.
55 EEI Comments at 8. 59 Id.at 3. 64 MPUC Comments at 6.
56 Id. 60 IRC Comments at 2–3. 65 Resilient Societies Comments at 3.
57 Id. at 10. 61 MISO TO Comments at 16. 66 APS Comments at 5.
VerDate Sep<11>2014 18:06 Oct 25, 2018 Jkt 247001 PO 00000 Frm 00034 Fmt 4700 Sfmt 4700 E:\FR\FM\26OCR1.SGM 26OCR1](https://thefederalregister.org/doc/83_FR_54200/page/7.svg)
![Federal Register / Vol. 83, No. 208 / Friday, October 26, 2018 / Rules and Regulations 53999
3. Commission Determination BES Cyber System or render it 50. Specifically, the goal of the supply
46. Pursuant to section 215(d)(5) of unavailable, which could pose a chain risk management Reliability
the FPA, we adopt the NOPR proposal significant risk to reliable operation. Standards is ‘‘to help ensure that
and direct NERC to develop Instead, commenters generally agree responsible entities establish
modifications to include EACMS that EACMS perform important organizationally-defined processes that
associated with medium and high security-related functions.70 For integrate a cybersecurity risk
impact BES Cyber Systems within the example, NERC states that a management framework into the system
scope of the supply chain risk compromised firewall ‘‘may allow development life cycle.’’ 75 The current
management Reliability Standards. unfettered access to the ESP.’’ 71 EEI also CIP Reliability Standards identified in
While we are sensitive to the position agrees that the compromise of certain the comments, however, do not
taken by NERC and other commenters EACMS that control access could adequately address supply chain risks.
that the Commission should not issue a adversely affect the reliable operation of For example, while Reliability Standard
directive until after completion of the an associated BES Cyber System, CIP–005–5 provides a level of electronic
BOT-directed final report, we conclude although EEI asserts that other CIP access protection for an ESP through
that the record before us supports Reliability Standards adequately protect controls applied to an Electronic Access
directing NERC to include at least some those EACMS.72 Although some Point associated with an EACMS, those
subset of EACMS associated with commenters, as discussed below, controls would only apply after an asset
medium and high impact BES Cyber maintain that the reliability benefit of is procured and deployed on a
Systems at this time. We are not including EACMS in the supply chain responsible entity’s system. In this
persuaded by comments advocating risk management Reliability Standards situation, the EACMS at issue could
delay in view of the forthcoming BOT- is outweighed by the perceived costs, already contain built-in vulnerabilities
directed final report because the these commenters do not challenge the making it susceptible to compromise or,
standard drafting team will have the proposition that misoperation or in the worst-case scenario, could have
benefit of the BOT-directed final report, unavailability of EACMS has negative been compromised before acquisition.
which is due in February 2019, when reliability ramifications. For example, 51. Given the documented risks to the
developing the directed Reliability ITC, while opposing the NOPR cyber posture of the bulk electric system
Standard modifications.67 directive, recognizes that misoperation associated with EACMS, we are not
47. We continue to believe that of an EACMS is ‘‘serious’’ and ‘‘[w]ere persuaded to await the completion of
EACMS represent the most likely route CIP resources infinite, it would no the BOT-directed final report before
an attacker would take to access a BES doubt increase BES reliability by some issuing a directive regarding EACMS.76
Cyber System or PCA within an ESP degree to include EACMS within this Instead, it is reasonable to initiate
based on the functions they perform.68 Standard.’’ 73 modification of the supply chain risk
EACMS support BES Cyber Systems and 49. We disagree with the comments management Reliability Standards based
are part of the network and security asserting that existing CIP Reliability on the conclusion that at least some
architecture that allows BES Cyber Standards adequately protect EACMS categories of EACMS should be
Systems to work as intended because against supply chain-based threats. included. As discussed above, we are
they perform electronic access control While existing CIP Reliability Standards convinced that EACMS in general are a
or electronic access monitoring of the include requirements that address known risk that should be protected
ESP or BES Cyber Systems. In aspects of supply chain risk under the supply chain risk
particular, EACMS control electronic management, existing Reliability management Reliability Standards. But
access, including interactive remote Standards do not adequately protect we leave it to the standard drafting team
access, into the ESP that protects high EACMS based on the four security to assess the various types of EACMS
and medium impact BES Cyber objectives in Order No. 829.74 The CIP and their associated levels of risk. We
Systems. One specific function of Reliability Standards cited by EEI, MISO are confident that the standard drafting
electronic access control is to prevent TOs and AECC address aspects of team will be able to develop
malware or malicious actors from electronic access control, systems modifications that include only those
gaining access to the BES Cyber Systems security management, and configuration EACMS whose compromise by way of
and PCAs within the ESP.69 Given the monitoring, but they do not address the cybersecurity supply chain can
significant role that EACMS play in the protection from supply chain threats affect the reliable operation of high and
protection scheme for medium and high such as insertion of counterfeits or medium impact BES Cyber Systems.
impact BES Cyber Systems, we malicious software, unauthorized While it will no doubt inform the
determine that EACMS should be production, tampering, or theft, as well
within the scope of the supply chain standard drafting team’s work, the BOT-
as poor manufacturing and development directed final report is not, in our view,
risk management Reliability Standards practices. By contrast, the supply chain
to provide minimum protection against likely to alter the conclusion that at
risk management Reliability Standards least some EACMS functions should be
supply chain attack vectors. approved in this final rule specifically
48. No commenter disagreed with the included in the supply chain risk
address the above listed supply chain management Reliability Standards.77
NOPR that misoperation or
threats, and, we determine, should be
unavailability of EACMS that support a
extended to at least some subset of 75 NERC Comments at 23.
given BES Cyber System could
EACMS. 76 See NERC Comments at 4–6, EEI Comments at
contribute to the misoperation of the 7–10, IRC Comments at 3, ITC Comments at 5,
khammond on DSK30JT082PROD with RULES
70 See NERC Comments at 5–6, Appelbaum
Trade Associations at 8–12, MISO TOs Comments
67 As we have imposed a 24-month deadline for at 16–18.
NERC to file the modified supply chain risk Comments at 5–6, APS Comments at 5, EEI 77 The BOT-directed interim report provides the
management Reliability Standards, the standard Comments at 7–8, IRC Comments at 3, Idaho Power
example of a situation where a firewall used to
drafting team will have ample time to review and Comments at 2, MPUC Comments at 6.
71 NERC Comments at 5.
protect BES Cyber Systems within an ESP was
incorporate the findings in the BOT-directed final compromised due to supply chain vulnerability,
report. 72 EEI Comments at 7–8.
noting that each system within the ESP could be
68 See NOPR, 162 FERC ¶ 61,044 at P 35. 73 ITC Comments at 5.
exposed due to its logical proximity to the
69 Id. 74 Order No. 829, 156 FERC ¶ 61,050 at P 71. Continued
VerDate Sep<11>2014 18:06 Oct 25, 2018 Jkt 247001 PO 00000 Frm 00035 Fmt 4700 Sfmt 4700 E:\FR\FM\26OCR1.SGM 26OCR1](https://thefederalregister.org/doc/83_FR_54200/page/8.svg)
![Federal Register / Vol. 83, No. 208 / Friday, October 26, 2018 / Rules and Regulations 54001
whether low impact BES Cyber Systems supply chain risk management protect and which are ‘‘burdensome’’ to
should be addressed in the supply chain Reliability Standards are appropriately protect.98 Isologic also disagrees with
risk management Reliability Standards. scoped to mitigate the risks identified the exclusion of low impact BES Cyber
The NOPR explained that the BOT by the Commission.90 Systems and contends that awaiting the
resolutions stated that the BOT-directed 63. EEI and Trade Associations BOT-directed final report would unduly
study should examine the risks posed support the supply chain risk delay an examination by the
by low impact BES Cyber Systems, but management Reliability Standards’ Commission of risks involving the
the BOT resolutions did not identify exclusion of low impact BES Cyber ‘‘massive array of unprotected [low
PACS and PCAs as subjects of the study. Systems. EEI agrees with the NOPR impact] transmission substations.’’ 99
The NOPR noted, however, that NERC’s proposal to wait for NERC to study the 3. Commission Determination
petition suggests that NERC will supply chain risks posed by low impact
evaluate PACS and PCAs as part of the BES Cyber Systems as well as PACS and 66. We accept NERC’s commitment to
BOT-directed study.86 PCAs before directing further evaluate the cybersecurity supply chain
60. The NOPR proposed to direct that modifications.91 Trade Associations also risks presented by low impact BES
NERC, consistent with the ‘‘strongly support’’ limiting the supply Cyber Systems, PACS, and PCAs in the
representation made in NERC’s petition, chain risk management Reliability study of cybersecurity supply chain
include PACS and PCAs in the BOT- Standards’ applicability to medium and risks directed by the NERC BOT. In light
directed study and to await the findings high impact BES Cyber Systems.92 of that commitment, we conclude it is
of the study’s final report before 64. Other commenters contend that not necessary to separately direct that
considering further action. The NOPR low impact BES Cyber Systems pose a NERC expand the scope of the BOT-
indicated that the risks posed by significant risk and disagree with the directed study. However, we adopt the
EACMS also apply to varying degrees to view that excluding such assets will NOPR proposal to direct NERC to file
PACS and PCAs. However, the NOPR focus industry resources on protecting the BOT-directed study’s final report
explained the distinction between systems with heightened risk, while not with the Commission upon its
EACMS and the other Cyber Assets: For being overly burdensome. For example, completion.
example, a compromise of a PACS 67. We continue to believe that it is
Resilient Societies maintains that cyber
through the supply chain, which would appropriate to await the findings from
attackers could use low impact BES
the BOT-directed final report on
potentially grant an attacker physical Cyber Systems as network entry points
cybersecurity risks before considering
access to a BES Cyber System or PCA, to attack high and medium impact BES
whether low impact BES Cyber Systems,
is more difficult since it would also Cyber Systems, with a potential
PACS and PCAs should be addressed in
require physical access. Physical access coordinated cyberattack on multiple low
modified supply chain risk management
is not required to take advantage of a impact facilities causing a cascading Reliability Standards.100 While we do
compromised EACMS. Accordingly, the collapse.93 Similarly, Appelbaum not prejudge the findings from the
NOPR proposed immediate action to asserts that ‘‘if a large number of [low forthcoming final report, at this time we
provide for the protection of EACMS, impact BES Cyber Systems] are find that NERC is taking adequate and
because they represent the most likely compromised, then the effort to correct timely steps to study whether low
route an attacker would take to access or replace the compromised assets could impact BES Cyber Systems, PACS and
a BES Cyber System or PCA within an be significant.’’ 94 Reclamation also PCAs should be included in the supply
ESP, while possible action on other recommends including low impact BES chain risk management Reliability
Cyber Assets can await completion of Cyber Systems in the proposed Standards. Given that the BOT-directed
the BOT-directed study’s final report.87 Reliability Standards in order to avoid final report is scheduled to be
61. In addition to proposing to direct gaps that could compromise bulk completed in February 2019, we do not
NERC to include PACS and PCAs in the electric system security.95 view our determination as unduly
BOT-directed study, the NOPR 65. MPUC states that many of the delaying consideration of this important
proposed to direct that NERC file the concerns identified in the NOPR apply issue. Once NERC submits the BOT-
study’s interim and final reports with to all classifications of BES Cyber directed final report, the Commission
the Commission upon their Systems and that responsible entities will be in a better position to consider
completion.88 should be required to apply the supply what further steps, if any, should be
2. Comments chain risk management Reliability taken to provide for the reliability of the
Standards to all BES Cyber System bulk electric system.
62. NERC concurs with the NOPR assets, unless the entities can show the
proposal and states that the Commission assets in question to be completely C. Implementation Plan
should ‘‘await the results of the Board- isolated.96 Reclamation has similar 1. NOPR
requested study before considering concerns and states that the supply
whether low impact BES Cyber Systems, 68. The NOPR stated that the 18-
chain risk management Reliability
PACS, and PCAs should be addressed in month implementation period proposed
Standards should apply to all BES Cyber
the proposed Reliability Standards.’’ 89 by NERC may not be justified based on
System impact ratings, including low
NERC maintains that the BOT-directed the anticipated effort required to
impact.97 Mabee cautions against giving
report will help determine whether the develop and implement a supply chain
industry the discretion to determine
risk management plan. The NOPR
which cyber systems are ‘‘easy’’ to
86 NOPR, 162 FERC ¶ 61,044 at P 27 (citing NERC explained that while, according to
Petition at 21 (‘‘over the next 18 months, NERC, NERC, the proposed implementation
khammond on DSK30JT082PROD with RULES
90 Id.at 5.
working with various stakeholders, will continue to 91 EEI period is ‘‘designed to afford
assess whether supply chain risks related to low Comments at 3.
impact BES Cyber Systems, PACS, EACMS, and
92 Trade Associations Comments at 7. responsible entities sufficient time to
PCA necessitate further consideration for inclusion 93 Resilient Societies Comments at 3–4. develop and implement their supply
in a mandatory Reliability Standard’’)). 94 Appelbaum Comments at 6.
87 NOPR, 162 FERC ¶ 61,044 at P 42. 95 Reclamation Comments at 1. 98 MabeeComments at 4.
88 Id. P 43. 96 MPUC Comments at 6. 99 Isologic
Comments at 5.
89 NERC Comments at 4. 97 Reclamation Comments at 1. 100 NOPR, 162 FERC ¶ 61,044 at P 40.
VerDate Sep<11>2014 18:06 Oct 25, 2018 Jkt 247001 PO 00000 Frm 00037 Fmt 4700 Sfmt 4700 E:\FR\FM\26OCR1.SGM 26OCR1](https://thefederalregister.org/doc/83_FR_54200/page/10.svg)
![Federal Register / Vol. 83, No. 208 / Friday, October 26, 2018 / Rules and Regulations 54003
[r]esponsible [e]ntity, or its affiliates, risk management Reliability Standards CIP–010–2, respectively. As discussed
contracts with to supply BES Cyber do not dictate a responsible entity’s above, the final rule addresses several
Systems and related services.’’ 112 The contracting decision. areas of the CIP Reliability Standards
Supplemental Materials also note that a 81. As to the term ‘‘system-to- through Reliability Standard CIP–013–1,
vendor, for purposes of the supply chain system,’’ NERC explains that the Requirements R1, R2, and R3. Under
risk management Reliability Standards, objective of Reliability Standard CIP– Requirement R1, responsible entities
may include: (i) Developers or 005–6, Requirement R2.4 is for entities would be required to have one or more
manufacturers of information systems, to have visibility of active vendor processes to address the following
system components, or information remote access sessions, including baseline set of security concepts, as
system services; (ii) product resellers; or Interactive Remote Access and system- applicable, in their procurement
(iii) system integrators.113 to-system remote access, taking place on activities for high and medium impact
79. With regard to vendor-related their system.118 Reliability Standard BES Cyber Systems: (1) Vendor security
compliance concerns, vendors are not CIP–005–6 requires entities to have a event notification processes (Part 1.2.1);
subject to the supply chain risk method to determine all active vendor (2) coordinated incident response
management Reliability Standards. As remote access sessions.119 activities (Part 1.2.2); (3) vendor
NERC explains, ‘‘the proposed personnel termination notification for
Reliability Standards apply only to III. Information Collection Statement
employees with access to remote and
registered entities and do not directly 82. The FERC–725B information onsite systems (Part 1.2.3); (4) product/
impose obligations on suppliers, collection requirements contained in services vulnerability disclosures (Part
vendors or other entities that provide this final rule are subject to review by 1.2.4); (5) verification of software
products or services to registered the Office of Management and Budget integrity and authenticity (Part 1.2.5);
entities.’’ 114 This is consistent with the (OMB) under section 3507(d) of the and (6) coordination of vendor remote
Commission’s guidance in Order No. Paperwork Reduction Act of 1995.120 access controls (Part 1.2.6). Requirement
829 that ‘‘any action taken by NERC in OMB’s regulations require approval of R2 mandates that each responsible
response to the Commission’s directive certain information collection entity implement its supply chain
to address the supply chain-related requirements imposed by agency cybersecurity risk management plan.
reliability gap should respect ‘section rules.121 Upon approval of a collection Requirement R3 requires a responsible
215 jurisdiction by only addressing the of information, OMB will assign an entity to review and obtain the CIP
obligations of responsible entities’ and OMB control number and expiration Senior Manager’s approval of its supply
‘not directly impose obligations on date. Respondents subject to the filing chain risk management plan at least
suppliers, vendors or other entities that requirements of this rule will not be once every 15 calendar months in order
provide products or services to penalized for failing to respond to these to ensure that the plan remains up-to-
responsible entities.’ ’’ 115 collections of information unless the date.
80. As to the question of responsible collections of information display a
entity liability for vendor 84. Separately, Reliability Standard
valid OMB control number. In the CIP–005–6, Requirement R2.4 requires
noncompliance, NERC explains that NOPR, the Commission solicited
‘‘any resulting obligation that a supplier, one or more methods for determining
comments on the Commission’s need for active vendor remote access sessions,
vendor or other entity accepts in this information, whether the
providing products or services to the including Interactive Remote Access
information will have practical utility, and system-to-system remote access.
registered entity is a contractual matter the accuracy of the burden estimates,
between the registered entity and the Reliability Standard CIP–005–6,
ways to enhance the quality, utility, and Requirement R2.5 requires one or more
third party outside the scope of the clarity of the information to be collected
proposed Reliability Standard[.]’’ 116 methods to disable active vendor remote
or retained, and any suggested methods access, including Interactive Remote
The security objective of the supply
for minimizing respondents’ burden, Access and system-to-system remote
chain risk management Reliability
including the use of automated access. Reliability Standard CIP–010–3,
Standards is to ‘‘ensure that
information techniques. The Requirement R1.6 requires responsible
[r]esponsible [e]ntities consider the
Commission did not receive any entities to verify software integrity and
security, integrity, quality, and
comments on the specific burden authenticity in the operational phase, if
resilience of the supply chain, and take
estimates discussed below. the software source provides a method
appropriate mitigating action when
procuring BES Cyber Systems to address 83. The Commission bases its to do so.
threats and vulnerabilities in the supply paperwork burden estimates on the
changes in paperwork burden presented 85. The NERC Compliance Registry,
chain.’’ 117 Therefore, while a as of December 2017, identifies
responsible entity is not directly liable by the approved CIP Reliability
Standard CIP–013–1 and the approved approximately 1,250 unique U.S.
for vendor actions, the responsible entities that are subject to mandatory
entity is required to mitigate any revisions to CIP Reliability Standard
CIP–005–6 and CIP–010–3 as compared compliance with Reliability Standards.
resulting risks. Finally, the supply chain Of this total, we estimate that 288
to the current Commission-approved
112 Reliability Reliability Standards CIP–005–5 and entities will face an increased
Standard CIP–013–1 at 12.
113 Id.
paperwork burden under the approved
114 NERC Petition at 14. 118 Id.at 31. Reliability Standards CIP–013–1, CIP–
khammond on DSK30JT082PROD with RULES
115 Order No. 829, 156 FERC ¶ 61,050 at P 21. 119 See Reliability Standard CIP–005–6 at 28. 005–6, and CIP–010–3. Based on these
116 NERC Petition at 17. 120 44 U.S.C. 3507(d). assumptions, we estimate the following
117 Id. at 13. 121 5 CFR 1320.11. reporting burden:
VerDate Sep<11>2014 18:06 Oct 25, 2018 Jkt 247001 PO 00000 Frm 00039 Fmt 4700 Sfmt 4700 E:\FR\FM\26OCR1.SGM 26OCR1](https://thefederalregister.org/doc/83_FR_54200/page/12.svg)
![54004 Federal Register / Vol. 83, No. 208 / Friday, October 26, 2018 / Rules and Regulations
RM17–13–000 FINAL RULE
[Mandatory Reliability Standards for Critical Infrastructure Protection Reliability Standards]
Annual Total annual
Average burden Cost per
Number of number of Total number burden hours
& cost per respondent
respondents responses per of responses & total annual
response 122 ($)
respondent cost
(1) (2) (1) * (2) = (3) (4) (3) * (4) = (5) (5) ÷ (1)
Create supply chain risk manage- 288 1 288 546 hrs.; $44,226 157,248 hrs.; $44,226
ment plan (one-time) 123 (CIP– $12,737,088.
013–1 R1).
Updates and reviews of supply 288 1 288 30 hrs.; 2,430 .... 8,640 hrs.; 2,430
chain risk management plan (on- 699,840.
going) 124 (CIP–013–1 R2).
Develop Procedures to update re- 288 1 288 50 hrs.; 4,050 .... 14,400 hrs.; 4,050
mote access requirements (one 1,166,400.
time) (CIP–005–6 R1–R4).
Develop procedures for software in- 288 1 288 50 hrs.; 4,050 .... 14,400 hrs.; 4,050
tegrity and authenticity require- 1,166,400.
ments (one time) (CIP–010–3
R1–R4).
Total (one-time) ........................ ........................ ........................ 864 ............................ 186,048 hrs.; ........................
15,069,888.
Total (ongoing) ......................... ........................ ........................ 288 ............................ 8,640 hrs.; ........................
699,840.
The one-time burden of 186,048 hours • Year 1: $15,069,888 effective suite of cybersecurity CIP
will be averaged over three years • Years 2 and beyond: $699,840 Reliability Standards.
(186,048 hours ÷ 3 = 62,016 hours/year • The paperwork burden estimate Internal Review: The Commission has
over three years). includes costs associated with the initial reviewed the approved Reliability
The ongoing burden of 8,640 hours development of a policy to address
Standards and made a determination
applies to only Years 2 and beyond. requirements relating to: (1) Developing
that its action is necessary to implement
The number of responses is also the supply chain risk management plan;
section 215 of the FPA.
average over three years (864 responses (2) updating the procedures related to
(one-time) + (288 responses (Year 2) + remote access requirements (3) 88. Interested persons may obtain
288 responses (Year 3)) ÷ 3 = 480 developing the procedures related to information on the reporting
responses. software integrity and authenticity. requirements by contacting the
The responses and burden for Years Further, the estimate reflects the following: Federal Energy Regulatory
1–3 will total respectively as follows: assumption that costs incurred in year Commission, 888 First Street NE,
• Year 1: 480 responses; 62,016 hours 1 will pertain to plan and procedure Washington, DC 20426 [Attention: Ellen
• Year 2: 480 responses; 62,016 hours + development, while costs in years 2 and Brown, Office of the Executive Director,
8,640 hours = 70,656 hours 3 will reflect the burden associated with email: DataClearance@ferc.gov, phone:
• Year 3: 480 responses; 62,016 hours + maintaining the supply chain risk (202) 502–8663, fax: (202) 273–0873].
8,640 hours = 70,656 hours. management plan and modifying it as 89. For submitting comments
86. The following shows the annual necessary on a 15-month basis. concerning the collection(s) of
cost burden for each year, based on the 87. Title: FERC–725B (Mandatory information and the associated burden
burden hours in the table above: Reliability Standards, Revised Critical estimate(s), please send your comments
Infrastructure Protection Reliability to the Commission, and to the Office of
122 The loaded hourly wage figure (includes Standards). Management and Budget, Office of
benefits) is based on the average of the occupational Action: Information Collection, Information and Regulatory Affairs, 725
categories for 2017 found on the Bureau of Labor FERC–725B (Supply Chain Risk 17th Street NW, Washington, DC 20503
Statistics website (http://www.bls.gov/oes/current/ Management Reliability Standards).
naics2_22.htm): [Attention: Desk Officer for the Federal
Legal (Occupation Code: 23–0000): $143.68.
OMB Control No.: 1902–0248. Energy Regulatory Commission, phone:
Respondents: Businesses or other for-
Information Security Analysts (Occupation Code (202) 395–4638, fax: (202) 395–7285].
15–1122): $61.55. profit institutions; not-for-profit
For security reasons, comments to OMB
Computer and Information Systems Managers institutions.
(Occupation Code: 11–3021): $96.51. Frequency of Responses: On should be submitted by email to: oira_
Management (Occupation Code: 11–0000): Occasion. submission@omb.eop.gov. Comments
$94.28. Necessity of the Information: This submitted to OMB should include
Electrical Engineer (Occupation Code: 17–2071):
final rule approves the requested Docket Number RM17–13–000 and
$66.90. OMB Control Number 1902–0248.
Management Analyst (Code: 43–0000): $63.32. modifications to Reliability Standards
khammond on DSK30JT082PROD with RULES
These various occupational categories are pertaining to critical infrastructure IV. Environmental Analysis
weighted as follows: [($94.28)(.10) + ($61.55)(.315) protection. As discussed above, the
+ ($66.90)(.02) + ($143.68)(.15) + ($96.51)(.10) + Commission approves NERC’s CIP 90. The Commission is required to
($63.32)(.315)] = $81.30. The figure is rounded to
$81.00 for use in calculating wage figures in this
Reliability Standards CIP–013–1, CIP– prepare an Environmental Assessment
final rule. 005–6, and CIP–010–3 pursuant to or an Environmental Impact Statement
123 One-time burdens apply in Year One only. section 215(d)(2) of the FPA because for any action that may have a
124 Ongoing burdens apply in Year 2 and beyond. they improve upon the currently- significant adverse effect on the human
VerDate Sep<11>2014 18:06 Oct 25, 2018 Jkt 247001 PO 00000 Frm 00040 Fmt 4700 Sfmt 4700 E:\FR\FM\26OCR1.SGM 26OCR1](https://thefederalregister.org/doc/83_FR_54200/page/13.svg)
![Federal Register / Vol. 83, No. 208 / Friday, October 26, 2018 / Rules and Regulations 54005
environment.125 The Commission has estimate that each of the 248 small document, excluding the last three
categorically excluded certain actions entities to whom the approved digits, in the docket number field. User
from this requirement as not having a modifications to Reliability Standards assistance is available for eLibrary and
significant effect on the human CIP–013–1, CIP–005–6, and CIP–010–3 the Commission’s website during
environment. Included in the exclusion apply will incur one-time costs of normal business hours from the
are rules that are clarifying, corrective, approximately $52,326 per entity to Commission’s Online Support at (202)
or procedural or that do not implement the approved Reliability 502–6652 (toll free at 1–866–208–3676)
substantially change the effect of the Standards, as well as the ongoing or email at ferconlinesupport@ferc.gov,
regulations being amended.126 The paperwork burden reflected in the or the Public Reference Room at (202)
actions taken herein fall within this Information Collection Statement 502–8371, TTY (202) 502–8659. Email
categorical exclusion in the (approximately $2,430 per year per the Public Reference Room at
Commission’s regulations. entity). We do not consider the public.referenceroom@ferc.gov.
estimated costs for these 248 small
V. Regulatory Flexibility Act Analysis entities to be a significant economic VII. Effective Date and Congressional
91. The Regulatory Flexibility Act of impact. Accordingly, we certify that Notification
1980 (RFA) generally requires a Reliability Standards CIP–013–1, CIP– 96. The final rule is effective
description and analysis of proposed 005–6, and CIP–010–3 will not have a December 26, 2018. The Commission
rules that will have significant significant economic impact on a has determined that this final rule
economic impact on a substantial substantial number of small entities. imposes no substantial effect upon
number of small entities.127 The Small either NERC or NERC registered
Business Administration’s (SBA) Office VI. Document Availability
entities 131 and, with the concurrence of
of Size Standards develops the 94. In addition to publishing the full the Administrator of the Office of
numerical definition of a small text of this document in the Federal Information and Regulatory Affairs of
business.128 The SBA revised its size Register, the Commission provides all OMB, that this rule is not a ‘‘major rule’’
standard for electric utilities (effective interested persons an opportunity to as defined in section 351 of the Small
January 22, 2014) to a standard based on view and/or print the contents of this Business Regulatory Enforcement
the number of employees, including document via the internet through the Fairness Act of 1996. This final rule is
affiliates (from the prior standard based Commission’s Home Page (http:// being submitted to the Senate, House,
on megawatt hour sales).129 www.ferc.gov) and in the Commission’s and Government Accountability Office.
92. Reliability Standards CIP–013–1, Public Reference Room during normal
CIP–005–6, CIP–010–3 are expected to business hours (8:30 a.m. to 5:00 p.m. By the Commission. Chairman McIntyre
was not present at the Commission Meeting
impose an additional burden on 288 Eastern time) at 888 First Street NE, held on October 18, 2018 and did not vote
entities 130 (reliability coordinators, Room 2A, Washington, DC 20426. on this item.
generator operators, generator owners, 95. From the Commission’s Home
Issued: October 18, 2018.
interchange coordinators or authorities, Page on the internet, this information is
available on eLibrary. The full text of Nathaniel J. Davis, Sr.,
transmission operators, balancing
authorities, and transmission owners). this document is available on eLibrary Deputy Secretary.
93. Of the 288 affected entities in PDF and Microsoft Word format for Note: The following appendix will not
discussed above, we estimate that viewing, printing, and/or downloading. appear in the Code of Federal Regulations.
approximately 248 or 86.2 percent of the To access this document in eLibrary,
affected entities are small entities. We type the docket number of this Appendix Commenters
Abbreviation Commenter
AECC .............................................. Arkansas Electric Cooperative Corporation.
Appelbaum ...................................... Jonathan Appelbaum.
APS ................................................. Arizona Public Service Company.
EEI .................................................. Edison Electric Institute.
Idaho Power .................................... Idaho Power Company.
IRC .................................................. ISO/RTO Council.
Isologic ............................................ Isologic LLC.
ITC .................................................. International Transmission Company.
Mabee ............................................. Michael Mabee.
MISO TOs ....................................... MISO Transmission Owners.
MPUC .............................................. Maine Public Utilities Commission.
NERC .............................................. North American Electric Reliability Corporation.
Reclamation .................................... U.S. Bureau of Reclamation.
Resilient Societies ........................... Foundation for Resilient Societies.
Trade Associations ......................... American Public Power Association, Electricity Consumers Resource Council, Large Public Power Council,
National Rural Electric Cooperative Association, and Transmission Access Policy Study Group.
[FR Doc. 2018–23201 Filed 10–25–18; 8:45 am]
khammond on DSK30JT082PROD with RULES
BILLING CODE 6717–01–P
125 Regulations Implementing the National 128 13 CFR 121.101. subsidiaries. For the analysis in this NOPR, we are
Environmental Policy Act of 1969, Order No. 486, 129 13 CFR 121.201, Subsector 221. using a 500 employee threshold due to each
FERC Stats. & Regs. ¶ 30,783 (1987). 130 Public utilities may fall under one of several affected entity falling within the role of Electric
126 18 CFR 380.4(a)(2)(ii). different categories, each with a size threshold Bulk Power Transmission and Control (NAISC
127 5 U.S.C. 601–12. based on the company’s number of employees, Code: 221121).
including affiliates, the parent company, and 131 5 U.S.C. 804(3)c.
VerDate Sep<11>2014 18:06 Oct 25, 2018 Jkt 247001 PO 00000 Frm 00041 Fmt 4700 Sfmt 4700 E:\FR\FM\26OCR1.SGM 26OCR1](https://thefederalregister.org/doc/83_FR_54200/page/14.svg)
Document Created: 2018-10-26 02:27:40
Document Modified: 2018-10-26 02:27:40
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Rules and Regulations | |
| Action | Final rule. | |
| Dates | This rule is effective December 26, 2018. | |
| Contact | Simon Slobodnik (Technical Information) Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6707, [email protected] | |
| FR Citation | 83 FR 53992 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR