At its open meeting, on April 18, 2013, FERC took a number of actions related to reliability.
CIP Version 5
The most significant of these actions is the issuance of a notice of proposed rulemaking (NOPR) in which FERC proposes to adopt “Version 5 Critical Infrastructure Protection Reliability Standards.” These are NERC’s proposals to modify cyber security controls and extend the scope of the systems that are protected by the critical infrastructure protection (CIP) reliability standards. NERC’s proposal includes its new approach to identifying and classifying covered assets – now called “BES Cyber Systems.” It also requires at least a minimum classification of “Low Impact” for all BES Cyber Systems. While proposing to approve the proposed CIP standards, the Commission seeks comment on a number of aspects of the CIP standards and proposes to direct that NERC remove ambiguous language and assure that Low Impact assets have a clear compliance expectation that includes specified cyber security controls.
NERC’s January 31, 2013 petition submitting the Version 5 standards sought Commission approval of eight modified CIP reliability standards and two new ones:
- CIP-002-5 – Cyber Security – BES Cyber System Categorization: Instead of designating “critical assets” and “critical cyber assets”, this revised standard identifies BES Cyber Systems, which can adversely affect the BES within 15 minutes of being compromised, and adopts three categories of such systems (high, medium and low impact) based on specific criteria that characterize their potential impact on the reliable operation of the BES.
- CIP-003-5 – Cyber Security – Security Management Controls: Requires implementation of policies related to cyber security awareness, physical security controls, electronic access controls, and incident response to a Cyber Security Incident for those assets that have Low Impact BES Cyber Systems under CIP-002-5’s categorization process.
- CIP-004-5 – Cyber Security – Personnel and Training: Requires documented processes or programs for security awareness, cyber security training, personnel risk assessment, and access management. Also, the revised standard adds specific training roles for visitor control programs, electronic interconnectivity supporting the operation and control of BES Cyber Systems, and Storage Media as part of the treatment of BES Cyber System Information.
- CIP-005-5 – Cyber Security – Electronic Security Perimeter(s): Focuses on the discrete Electronic Access Points rather than the logical “perimeter,” which is the focus of the currently effective CIP-005-3.
- CIP-006-5 – Cyber Security – Physical Security of BES Cyber Systems: Manages physical access to BES Cyber Systems by specifying a physical security plan to protect BES Cyber Systems against compromise that could lead to misoperation or instability.
- CIP-007-5 – Cyber Security – Systems Security Management: Addresses system security by specifying technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability of the BES. The changes to this standard make the requirements less dependent on specific technology so that they will remain relevant for future, yet-unknown developing technologies.
- CIP-008-5 – Cyber Security – Incident Reporting and Response Planning: Requires responsible entities to report Cyber Security Incidents within 1 hour of recognition, test to verify response plan effectiveness, and perform after-action review for tests or actual incidents.
- CIP-009-5 – Cyber Security – Recovery Plans for BES Cyber Systems: Includes controls to protect data that would be useful in the investigation of an event that results in the execution of a Cyber System recovery plan and operational testing to support the recovery of BES Cyber Systems.
- CIP-010-1 – Cyber Security – Configuration Change Management and Vulnerability Assessments: Consolidates the configuration change management requirements previously included in CIP-003, CIP-005, and CIP-007; establishes the configuration monitoring requirements intended to detect unauthorized modification of BES Cyber Systems; and establishes the vulnerability assessment requirements intended to ensure proper implementation of cyber security controls while promoting continuous improvement of a responsible entity’s cyber security posture.
- CIP-011-1 – Cyber Security – Information Protection: Consolidates information protection controls previously covered by CIP-003 and CIP-007 to prevent unauthorized access to BES Cyber System Information and specifies reuse and disposal provisions to prevent unauthorized dissemination of protected information.
In the NOPR, the Commission found that the modified CIP Version 5 standards are an improvement over the current CIP standards and are just, reasonable, not unduly discriminatory or preferential, and are in the public interest. However, the Commission identified several concerns with certain provisions of the standards.
The Commission expressed concern that 17 requirements of the CIP Version 5 standards incorporate a requirement that Responsible Entities implement cyber policies in a manner to “identify, assess, and correct” deficiencies. The Commission is concerned that this language is unclear with respect to the implementation and compliance obligations it places on regulated entities and that it is too vague to audit and enforce compliance. Although the language appears to impose a substantive requirement to design cyber policies in a manner consistent with NERC’s risk-based approach to regulation and its efforts to encourage entities to develop strong internal controls, the Commission was concerned that the language could be read to impose two separate obligations – one, to adopt certain cyber policies and two, to correct deficiencies. The Commission sought comment on the meaning of this language and how it will be implemented and enforced.
Also, the Commission found that NERC’s new approach to categorizing BES Cyber Systems is “a step closer to comprehensively protecting assets that could cause cyber security risks to the [BES].” However, the Commission indicated that NERC should consider improving the categorization process and should modify the minimum protections required for Low Impact assets. Specifically, the Commission noted that the only protections for Low Impact BES Cyber Systems were under CIP-003-5 R2, which requires an entity to document and implement policies for cyber security awareness, physical and electronic security, and incident response. Because the obligation to adopt policies may result in inconsistent implementation of the CIP Reliability Standards, the Commission proposed to direct NERC to develop a modification to CIP-003-5 to require responsible entities to adopt specific, technically-supported cyber security controls for Low Impact assets.
Additionally, the Commission sought comment on three areas where it generally believes the proposed standards could be enhanced:
- whether the adoption of certain communications security protections, such as cryptography and protections for non-routable protocol, would improve the CIP Reliability Standards;
- whether the adoption of more stringent controls for remote access would improve the CIP Reliability Standards; and
- whether the adoption of certain aspects of the NIST Risk Management framework could improve the security controls proposed in the CIP Version 5 Standards.
Comments on the NOPR are due sometime in June, 60 days after the NOPR is published in the Federal Register.
BES Definition; GO/TO Standards; Criteria for 215 Funding
FERC issued three other orders related to different aspects of reliability regulation.
First, in Order No. 773-A, “Revisions to Electric Reliability Organization Definition of Bulk Electric System and Rules of Procedure,” the Commission affirmed its findings in Order No. 773 that (1) the modified definition of “bulk electric system” improves upon the currently-effective definition by establishing a bright-line threshold that includes all facilities operated at or above 100 kV and removing language that allows for broad regional discretion; (2) NERC’s case-by-case exception process to add elements to, and remove elements from, the definition of the bulk electric system adds transparency and uniformity to the determination of what constitutes the bulk electric system; (3) the Commission can designate sub-100 kV facilities, or other facilities, as part of the bulk electric system; and (4) an entity can seek a determination by the Commission whether facilities are “used in local distribution” as set forth in the Federal Power Act.
Second, the Commission issued a second NOPR, entitled “Generator Requirements at the Transmission Interface.” In this NOPR, the Commission is proposing to approve four modified reliability standards to clarify their applicability to generator interconnection facilities. The Commission states that the proposed modifications improve reliability by extending their applicability to certain generator interconnection facilities, or by clarifying that the existing Reliability Standard is and remains applicable to generator interconnection facilities. The four revised reliability standards are:
- FAC-001-1 (Facility Connection Requirements) – which was clarified to provide that generators need only publish facility connection requirements for their generator interconnection facilities when they have entered into a reliability impact study agreement with a third party;
- FAC-003-3 (Transmission Vegetation Management) – which extends the vegetation management requirements to generator leads that extend more than a mile from the switchyard or that do not have a clear line of sight from the switchyard;
- PRC-004-2.1a (Analysis and Mitigation of Transmission and Generation Protection System Misoperations) – which was clarified to extend the requirement that a generator owner analyze misoperations on the protection systems both for the generating units and for the generator interconnection facilities; and
- PRC-005-1.1b (Transmission and Generation Protection System Maintenance and Testing) – which was clarified to extend required maintenance and testing programs to protection systems governing the generator interconnection facilities (and not the protection systems for the generating units).
Finally, in a third order, FERC accepted with minor modification NERC’s proposed criteria for identifying activities that would be subject to funding under Section 215 of the Federal Power Act. These criteria were proposed as a result of the 2011-12 audit of NERC by FERC audit staff. The Edison Electric Institute objected strongly to these criteria as being too expansive and unrelated to NERC’s core statutory responsibilities of writing reliability standards, enforcing them, and conducting periodic reliability assessments. Despite these objections, FERC approved the criteria with minor modification. Although NERC had proposed criteria for activities that “involve and support” standards development, enforcement and other identified functions, FERC required NERC to replace the “involve and support” language with stronger language that would make a NERC activity eligible for statutory funding only if it was “necessary and appropriate” for a statutory function.
- Commissioner LaFleur’s statement about FERC’s actions on April 18, 2013 — http://www.ferc.gov/media/statements-speeches/lafleur/2013/04-18-13-lafleur-E-7.asp
- Commissioner Norris’s statement on the CIP Version 5 NOPR — http://elibrary.ferc.gov/idmws/common/opennat.asp?fileID=13237787
- FERC’s press release on the CIP Version 5 NOPR — http://ferc.gov/EventCalendar/Files/20130418103704-E-7-NEWS.pdf
- FERC Staff’s presentation on the CIP Version 5 NOPR — http://ferc.gov/EventCalendar/Files/20130418103617-E-7-Discusion.pdf