Revised Critical Infrastructure Protection Reliability Standards, 071615 FERC, RM15-14-000

Docket Nº:RM15-14-000
Party Name:Revised Critical Infrastructure Protection Reliability Standards
Judge Panel:Nathaniel J. Davis, Sr., Deputy Secretary.
Case Date:July 16, 2015
Court:Federal Energy Regulatory Commission
 
FREE EXCERPT

152 FERC ¶ 61, 054

Revised Critical Infrastructure Protection Reliability Standards

No. RM15-14-000

United States of America, Federal Energy Regulatory Commission

July 16, 2015

AGENCY: Federal Energy Regulatory Commission.

ACTION: Notice of proposed rulemaking.

SUMMARY: The Federal Energy Regulatory Commission (Commission) proposes to approve seven critical infrastructure protection (CIP) Reliability Standards: CIP-003-6 (Security Management Controls), CIP-004-6 (Personnel and Training), CIP-006-6 (Physical Security of BES Cyber Systems), CIP-007-6 (Systems Security Management), CIP-009-6 (Recovery Plans for BES Cyber Systems), CIP-010-2 (Configuration Change Management and Vulnerability Assessments), and CIP-011-2 (Information Protection). The North American Electric Reliability Corporation (NERC) submitted the proposed Reliability Standards in response to the Commission's Order No. 791. The proposed Reliability Standards address the cyber security of the bulk electric system and improve upon the current Commission-approved CIP Reliability Standards. In addition, the Commission proposes to direct NERC to develop certain modifications to Reliability Standard CIP-006-6 and to develop requirements addressing supply chain management.

DATES: Comments are due [INSERT DATE 60 days after publication in the FEDERAL REGISTER].

ADDRESSES: Comments, identified by docket number, may be filed in the following ways:

• Electronic Filing through http://www.ferc.gov. Documents created electronically using word processing software should be filed in native applications or print-to-PDF format and not in a scanned format.

• Mail/Hand Delivery: Those unable to file electronically may mail or hand-deliver comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street, NE, Washington, DC 20426.

Instructions: For detailed instructions on submitting comments and additional information on the rulemaking process, see the Comment Procedures Section of this document.

FOR FURTHER INFORMATION CONTACT: Daniel Phillips (Technical Information) Office of Electric Reliability Federal Energy Regulatory Commission 888 First Street, NE Washington, DC 20426 (202) 502-6387 daniel.phillips@ferc.gov

Kevin Ryan (Legal Information) Office of the General Counsel Federal Energy Regulatory Commission 888 First Street, NE Washington, DC 20426 (202) 502-6840 kevin.ryan@ferc.gov

SUPPLEMENTARY INFORMATION:

NOTICE OF PROPOSED RULEMAKING

1. Pursuant to section 215 of the Federal Power Act (FPA), 1 the Commission proposes to approve seven critical infrastructure protection (CIP) Reliability Standards: CIP-003-6 (Security Management Controls), CIP-004-6 (Personnel and Training), CIP-006-6 (Physical Security of BES Cyber Systems), CIP-007-6 (Systems Security Management), CIP-009-6 (Recovery Plans for BES Cyber Systems), CIP-010-2 (Configuration Change Management and Vulnerability Assessments), and CIP-011-2 (Information Protection). The North American Electric Reliability Corporation, the Commission-certified Electric Reliability Organization (ERO), submitted the proposed Reliability Standards in response to Order No. 791.2 The Commission also proposes to approve NERC's proposed implementation plan and violation risk factor and violation severity level assignments. In addition, we propose to approve NERC's proposed new or revised definitions for inclusion in the NERC Glossary of Terms Used in Reliability Standards (NERC Glossary). Further, the Commission proposes to approve the retirement of Reliability Standards CIP-003-5, CIP-004-5.1, CIP-006-5, CIP-007-5, CIP-009-5, CIP-010-1, and CIP-011-1.

2. The proposed Reliability Standards are designed to mitigate the cybersecurity risks to bulk electric system facilities, systems, and equipment, which, if destroyed, degraded, or otherwise rendered unavailable as a result of a cybersecurity incident, would affect the reliable operation of the Bulk-Power System.3 As discussed below, we believe that the proposed CIP Reliability Standards are just and reasonable and address the directives in Order No. 791 by: (1) eliminating the "identify, assess, and correct" language in 17 of the CIP version 5 Standard requirements; (2) providing enhanced security controls for Low Impact assets; (3) providing controls to address the risks posed by transient electronic devices (e.g., thumb drives and laptop computers); and (4) addressing in an equally effective and efficient manner the need for a NERC Glossary definition for the term "communication networks." Accordingly, we propose to approve the proposed CIP Reliability Standards because they improve the base-line cybersecurity posture of applicable entities compared to the current Commission-approved CIP Reliability Standards.

3. In addition, pursuant to FPA section 215(d)(5), the Commission proposes to direct NERC to develop certain modifications to Reliability Standard CIP-006-6. Specifically, while proposed CIP-006-6 would require protections for communication networks among a limited group of bulk electric system Control Centers, we propose to direct that NERC modify Reliability Standard CIP-006-6 to require protections for communication network components and data communicated between all bulk electric system Control Centers. In addition, we seek comment on the sufficiency of the security controls incorporated in the current CIP Reliability Standards regarding remote access used in relation to bulk electric system communications. Finally, as discussed in more detail below, we propose to direct NERC to develop requirements relating to supply chain management for industrial control system hardware, software, and services.

I. Background

A. Section 215 and Mandatory Reliability Standards

4. Section 215 of the FPA requires a Commission-certified ERO to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.4 Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO, 5 and subsequently certified NERC.6

B. Order No. 791

5. On November 22, 2013, in Order No. 791, the Commission approved the CIP version 5 Standards (Reliability Standards CIP-002-5 through CIP-009-5, and CIP-010-1 and CIP-011-1).7 The Commission determined that the CIP version 5 Standards represented an improvement over prior iterations of the CIP Reliability Standards because, inter alia, they included a revised BES Cyber Asset categorization methodology that incorporated mandatory protections for all High, Medium, and Low Impact BES Cyber Assets, and because several new security controls improved the security posture of responsible entities.8 In addition, pursuant to section 215(d)(5) of the FPA, the Commission directed NERC to: (1) remove the "identify, assess, and correct" language in 17 of the CIP Standard requirements; (2) develop enhanced security controls for Low Impact assets; (3) develop controls to protect transient electronic devices (e.g., thumb drives and laptop computers); (4) create a NERC Glossary definition for the term "communication networks, " and develop new or modified Reliability Standards to protect the nonprogrammable components of communications networks.

6. In addition, the Commission directed NERC to conduct a survey of Cyber Assets that are included or excluded under the new BES Cyber Asset definition and submit an informational filing within one year.9 Finally, the NOPR directed Commission staff to convene a technical conference to examine the technical issues concerning communication security, remote access, and the National Institute of Standards and Technology (NIST) Risk Management Framework.10

C. Informational Filing

7. On February 3, 2015, NERC submitted an informational filing assessing the results of a survey conducted to identify the scope of assets subject to the definition of the term BES Cyber Asset as it is applied in the CIP version 5 Standards. NERC states that the results of the survey indicate that, in general, the application of the BES Cyber Asset definition, and the 15 minute parameter in particular, resulted in the identification of BES Cyber Assets consistent with the language and intent of the CIP version 5 Standards.11NERC maintained that the survey results demonstrate that the definition of BES Cyber Asset provides a sound basis for identifying the types of Cyber Assets that should be subject to the cyber security protections required by the CIP Reliability Standards.12]

D. April 29, 2014 Technical Conference

8. On April 29, 2014, a staff-led technical conference was held pursuant to a directive in Order No. 791.13 The topics discussed at the technical conference included: (1) the adequacy of the approved CIP version 5 Standards' protections for Bulk-Power System data being transmitted over data networks; (2) whether additional security controls are needed to protect Bulk-Power System communications networks, including remote systems access; and (3) the functional differences between the respective methods utilized for the identification, categorization, and specification of appropriate levels of protection for cyber assets using the CIP version 5 Standards as compared with those employed within the NIST Cybersecurity Framework.

9. With respect to the current state of protection for communications networks under the CIP version 5 Standards, some panelists opined that the CIP version 5 Standards lack controls to: (1) protect communications outside of the Electronic Security Perimeter; (2) protect data in motion; (3) authenticate messages and commands to BES Cyber Assets; and (4)...

To continue reading

FREE SIGN UP