
Monday, August 6, 2007

Part IV

Department of Energy
Federal Energy Regulatory Commission

18 CFR Part 39
Mandatory Reliability Standards for Critical Infrastructure Protection; Proposed Rule
43970 Federal Register / Vol. 72, No. 150 / Monday, August 6, 2007 / Proposed Rules

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 39

[Docket No. RM06–22–000]

Mandatory Reliability Standards for Critical Infrastructure Protection

July 20, 2007.

AGENCY: Federal Energy Regulatory Commission, Department of Energy.

ACTION: Notice of proposed rulemaking.

SUMMARY: Pursuant to section 215 of the Federal Power Act (FPA), the Federal Energy Regulatory Commission (Commission), proposes to approve eight Critical Infrastructure Protection (CIP) Reliability Standards submitted to the Commission for approval by the North American Electric Reliability Corporation (NERC). The CIP Reliability Standards require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets. In addition, pursuant to section 215(d)(5) of the FPA, the Commission proposes to direct NERC to develop modifications to the CIP Reliability Standards to address specific concerns identified by the Commission. Approval of these standards will help protect the nation’s Bulk-Power System against potential disruptions from cyber attacks.

DATES: Comments are due October 5, 2007.

ADDRESSES: You may submit comments, identified by docket number by any of the following methods:
• Agency Web Site: http://ferc.gov. Follow the instructions for submitting comments via the eFiling link found in the Comment Procedures section of the preamble.
• Mail/Hand Delivery: Commenters unable to file comments electronically must mail or hand deliver an original and 14 copies of their comments to the Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street, NE., Washington, DC 20426. Please refer to the Comment Procedures section of the preamble for additional information on how to file paper comments.

FOR FURTHER INFORMATION CONTACT:
Gary Cohen (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street, NE., Washington, DC 20426, (202) 502–8321.
Paul Silverman (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street, NE., Washington, DC 20426, (202) 502–8683.
Regis Binder (Technical Issues), Office of Energy Markets and Reliability, Federal Energy Regulatory Commission, 888 First Street, NE., Washington, DC 20426, (202) 502–6460.
Jan Bargen (Technical Issues), Office of Energy Markets and Reliability, Federal Energy Regulatory Commission, 888 First Street, NE., Washington, DC 20426, (202) 502–6333.

SUPPLEMENTARY INFORMATION:

TABLE OF CONTENTS (paragraph numbers in parentheses)

I. Background (P 2)
  A. EPAct 2005 and Mandatory Reliability Standards (P 2)
  B. Development of CIP Reliability Standards (P 7)
  C. CIP Assessment (P 11)
II. Discussion (P 13)
  A. General Issues (P 13)
    1. Cyber Security Challenges (P 13)
    2. Applicability (P 21)
    3. Compliance Measured by Outcome (P 32)
    4. Implementation Plan (P 42)
    5. Issues Presented by Terminology (P 50)
    6. Guidance for Improving CIP Reliability Standards (P 87)
  B. Discussion of Each CIP Reliability Standard (P 89)
    1. CIP–002–1—Critical Cyber Asset Identification (P 89)
    2. CIP–003–1—Security Management Controls (P 120)
    3. CIP–004–1—Personnel and Training (P 149)
    4. CIP–005–1—Electronic Security Perimeter(s) (P 176)
    5. CIP–006–1—Physical Security of Critical Cyber Assets (P 204)
    6. CIP–007–1—Systems Security Management (P 223)
    7. CIP–008–1—Incident Reporting and Response Planning (P 265)
    8. CIP–009–1—Recovery Plans for Critical Cyber Assets (P 289)
  C. Violation Risk Factors (P 321)
    1. Background (P 321)
    2. Commission Proposal (P 324)
III. Information Collection Statement (P 332)
IV. Environmental Analysis (P 339)
V. Regulatory Flexibility Act Certification (P 340)
VI. Comment Procedures (P 350)
VII. Document Availability (P 353)
Appendix A List of Commenters
Appendix B Violation Risk Factors: Proposed Dispositions

Before Commissioners: Joseph T. Kelliher, Chairman; Suedeen G. Kelly, Marc Spitzer, Philip D. Moeller, and Jon Wellinghoff.

1. Pursuant to section 215 of the Federal Power Act (FPA), the Commission proposes to approve eight Critical Infrastructure Protection (CIP) Reliability Standards submitted to the Commission for approval by the North American Electric Reliability Corporation (NERC). The CIP Reliability Standards require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets.1 In addition, pursuant to section 215(d)(5) of the FPA, the Commission proposes to direct NERC to develop modifications to the CIP Reliability Standards to address specific concerns identified by the Commission.

I. Background

A. EPAct 2005 and Mandatory Reliability Standards

2. On August 8, 2005, the Electricity Modernization Act of 2005, which is Title XII, Subtitle A, of the Energy Policy Act of 2005 (EPAct 2005), was enacted into law.2 EPAct 2005 adds a new section 215 to the FPA, which requires a Commission-certified Electric Reliability Organization (ERO) to develop mandatory and enforceable Reliability Standards, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced by the ERO subject to Commission oversight, or the Commission can independently enforce Reliability Standards.3

3. On February 3, 2006, the Commission issued Order No. 672, implementing section 215 of the FPA.4 Pursuant to Order No. 672, the Commission certified one organization, NERC, as the ERO.5 The Reliability Standards developed by the ERO and approved by the Commission will apply to users, owners and operators of the Bulk-Power System, as set forth in each Reliability Standard.

4. Pursuant to section 215(d)(2) of the FPA and § 39.5(c) of the Commission’s regulations, the Commission is required to give due weight to the technical expertise of the ERO with respect to the content of a Reliability Standard or to a Regional Entity organized on an Interconnection-wide basis with respect to a proposed Reliability Standard or a proposed modification to a Reliability Standard to be applicable within that Interconnection.6

5. The ERO must file with the Commission each new or modified Reliability Standard that it proposes to be made effective under section 215 of the FPA. The Commission can then approve or remand the Reliability Standard. The Commission also can, among other actions, direct the ERO to modify an approved Reliability Standard to address a specific matter if it considers this appropriate to carry out section 215 of the FPA.7 Only Reliability Standards approved by the Commission will become mandatory and enforceable.

6. On April 4, 2006, as modified on August 28, 2006, NERC submitted to the Commission a petition seeking approval of 107 proposed Reliability Standards. On March 16, 2007, the Commission issued a final rule, Order No. 693, approving 83 of these 107 Reliability Standards and directing other action related to these Reliability Standards.8

B. Development of CIP Reliability Standards

7. In August 2003, NERC approved the Urgent Action 1200 standard, which was the first comprehensive cyber security standard for the electric industry. This voluntary standard applied to control areas (i.e., balancing authorities), transmission owners and operators, and generation owners and operators that perform defined functions. Specifically, it established a self-certification process relating to the security of system control centers of the applicable entities. The Urgent Action 1200 standard remained in effect on a voluntary basis until June 1, 2006, at which time the eight CIP Reliability Standards that are the subject of the current rulemaking replaced the Urgent Action 1200 standard.

8. On August 28, 2006, NERC submitted to the Commission for approval the following eight proposed CIP Reliability Standards:9
• CIP–002–1—Cyber Security—Critical Cyber Asset Identification: Requires a responsible entity to identify its critical assets and critical cyber assets using a risk-based assessment methodology.
• CIP–003–1—Cyber Security—Security Management Controls: Requires a responsible entity to develop and implement security management controls to protect critical cyber assets identified pursuant to CIP–002–1.
• CIP–004–1—Cyber Security—Personnel & Training: Requires personnel with access to critical cyber assets to have an identity verification and a criminal check. It also requires employee training.
• CIP–005–1—Cyber Security—Electronic Security Perimeters: Requires the identification and protection of an electronic security perimeter and access points. The electronic security perimeter is to encompass the critical cyber assets identified pursuant to the risk-based assessment methodology required by CIP–002–1.
• CIP–006–1—Cyber Security—Physical Security of Critical Cyber Assets: Requires a responsible entity to create and maintain a physical security plan that ensures that all cyber assets within an electronic security perimeter are kept in an identified physical security perimeter.
• CIP–007–1—Cyber Security—Systems Security Management: Requires a responsible entity to define methods, processes, and procedures for securing the systems identified as critical cyber assets, as well as the non-critical cyber assets within an electronic security perimeter.
• CIP–008–1—Cyber Security—Incident Reporting and Response Planning: Requires a responsible entity to identify, classify, respond to, and report cyber security incidents related to critical cyber assets.
• CIP–009–1—Cyber Security—Recovery Plans for Critical Cyber Assets: Requires the establishment of recovery plans for critical cyber assets using established business continuity and disaster recovery techniques and practices.

9. NERC stated that these Reliability Standards provide a comprehensive set of requirements to protect the Bulk-Power System from malicious cyber attacks.10 They require Bulk-Power System users, owners, and operators to establish a risk-based vulnerability assessment methodology and use that methodology to identify and prioritize critical assets and critical cyber assets. Once the critical cyber assets are identified, the CIP Reliability Standards require, among other things, that the responsible entities establish plans,

1 In the context of the CIP Reliability Standards, cyber assets are programmable electronic devices and communication networks including hardware, software, and data. See note 69, infra.
2 Energy Policy Act of 2005, Pub. L. No. 109–58, Title XII, Subtitle A, 119 Stat. 594, 941 (2005), to be codified at 16 U.S.C. 824o.
3 16 U.S.C. 824o(e)(3).
4 Rules Concerning Certification of the Electric Reliability Organization; Procedures for the Establishment, Approval and Enforcement of Electric Reliability Standards, Order No. 672, 71 FR 8662 (Feb. 17, 2006), FERC Stats. & Regs. ¶ 31,204 (2006), order on reh’g, Order No. 672–A, 71 FR 19814 (Apr. 18, 2006), FERC Stats. & Regs. ¶ 31,212 (2006).
5 North American Electric Reliability Corp., 116 FERC ¶ 61,062 (ERO Certification Order), order on reh’g & compliance, 117 FERC ¶ 61,126 (ERO Rehearing Order) (2006), order on compliance, 118 FERC ¶ 61,030 (2007) (Jan. 2007 Compliance Order), appeal docket sub nom. Alcoa, Inc. v. FERC, No. 06–1426 (D.C. Cir. Dec. 29, 2006).
6 18 CFR 39.5(c)(1), to be codified at 16 U.S.C. 824o.
7 Section 215(d)(5) of the FPA.
8 Mandatory Reliability Standards for the Bulk-Power System, Order No. 693, 72 FR 16416 (Apr. 4, 2007), FERC Stats. & Regs. ¶ 31,242 (2007); reh’g pending.
9 The proposed Reliability Standards are not proposed to be codified in the CFR and are not attached to the NOPR. They are, however, available on the Commission’s eLibrary document retrieval system in Docket No. RM06–22–000 and are available on the ERO’s Web site, http://www.nerc.com/filez/standards/Reliability_Standards.html#Critical_Infrastructure_Protection.
10 NERC Filing at 24.


protocols, and controls to safeguard physical and electronic access, to train personnel on security matters, to report security incidents, and to be prepared for recovery actions. Further, NERC explained that, because of the expanded scope of facilities and entities covered by the eight CIP Reliability Standards, and the investment in security upgrades required in many cases, NERC has also developed an implementation plan that provides for a three-year phase-in to achieve full compliance with all requirements.11

10. Each proposed Reliability Standard uses a common organizational format that includes five sections, as follows: (A) Introduction, which includes “Purpose” and “Applicability” sub-sections; (B) Requirements; (C) Measures; (D) Compliance; and (E) Regional Differences. In this NOPR, these section titles are capitalized when referencing a designated provision of a Reliability Standard.

C. CIP Assessment

11. On December 11, 2006, the Commission released a “Staff Preliminary Assessment of the North American Electric Reliability Corporation’s Proposed Mandatory Reliability Standards on Critical Infrastructure Protection” (CIP Assessment). The CIP Assessment identified staff’s preliminary observations and concerns regarding the eight proposed CIP Reliability Standards. The CIP Assessment described issues common to a number of the proposed CIP Reliability Standards. It also reviewed and identified issues regarding each individual CIP Reliability Standard but did not make specific recommendations regarding the appropriate action on a particular proposal.

12. Comments on the CIP Assessment were due by February 12, 2007. Entities that filed comments are listed in Appendix A to this NOPR.

II. Discussion

A. General Issues

1. Cyber Security Challenges

13. The CIP Reliability Standards represent the most thorough attempt to date to address cyber security issues that relate to the Bulk-Power System. For many years the control systems for the Bulk-Power System have operated in a stand-alone environment without computer or communication links to an external Information Technology (IT) infrastructure. However, over recent years, such stand-alone enclaves have been increasingly connected to both the corporate environment and the external world.

14. Modern computer and communication network interconnection brings with it the potential for cyber attacks on these systems. These concerns become particularly critical when several entities come under attack simultaneously. The CIP Assessment identified “defense in depth” as a widely recognized strategy to address cyber threats. Defense in depth involves the layering of various defense mechanisms in a way that either discourages an adversary from continuing an attack or aids in early detection of cyber threats.

15. A major challenge to preserving system protection is that changes occur rapidly in system architectures, technology, and threats. As a result, cyber security strategies must comprise a layered, interwoven approach to vigilantly protect the Bulk-Power System against evolving cyber security threats.

16. Cyber security involves a careful balance of the technologies available with the existing control equipment and the functions they perform. Cyber security does have purely technical components, which consist of the various available technologies to defend computer systems. The task of balancing technical options comes into play as one selects and combines the various available technologies into a comprehensive architecture to protect the specific computer environment.

17. A key to the successful cyber protection of the Bulk-Power System will be the establishment of CIP Reliability Standards that provide sound, reliable direction on how to choose among alternatives to achieve an adequate level of security, and the flexibility to make those choices. This conclusion is consistent with the lessons learned from the August 2003 blackout occurring in the central and northeastern United States. The identification of the causes of that and other previous major blackouts helped determine where existing Reliability Standards need modification or new Reliability Standards need to be developed to improve Bulk-Power System reliability. The U.S.—Canada Power System Blackout Task Force, in its Blackout Report, developed specific recommendations for improving the then-current voluntary standards and the development of new Reliability Standards.12

18. Thirteen of the 46 Blackout Report Recommendations relate to cyber security. They address topics such as the development of cyber security policies and procedures; strict control of physical and electronic access to operationally sensitive equipment; assessment of cyber security risks and vulnerability at regular intervals; capability to detect wireless and remote wireline intrusion and surveillance; guidance on employee background checks; procedures to prevent or mitigate inappropriate disclosure of information; and improvement and maintenance of cyber forensic and diagnostic capabilities.13 The proposed CIP Reliability Standards address these and related topics.

19. As we noted in Order No. 693, the Blackout Report recommendations address key issues for assuring Bulk-Power System reliability and represent a well-reasoned and sound basis for action.14 Likewise, in this NOPR, the Commission recognizes the merits of specific Blackout Report recommendations as a basis for proposing certain modifications to the eight CIP Reliability Standards that the Commission proposes to approve.

20. We recognize that the guidance and directives in the cyber security Reliability Standards themselves must also strike a reasonable balance. If the provisions are overly prescriptive they tend to become a “one size fits all” solution, which does not suit this environment, where systems vary greatly in architecture, technology, and risk profile. However, if Reliability Standards lack sufficient detail, they will provide little useful direction, thereby making compliance and enforcement difficult, allow flawed implementation of security mechanisms, and result in inadequate protection. The Commission will evaluate the proposed CIP Reliability Standards in the context of the above over-arching considerations.

2. Applicability

21. The Applicability section of each proposed CIP Reliability Standard identifies the following 11 categories of responsible entities that must comply

11 Id. at 24: Exhibit B (Implementation Plan for Cyber Security Standards).
12 U.S.—Canada Power System Blackout Task Force, Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations (April 2004) (Blackout Report). The Blackout Report is available on the Internet at http://www.ferc.gov/industries/electric/indus-act/blackout.asp.
13 See Blackout Report at 163–169, Recommendations 32–44.
14 See Order No. 693 at P 234.


with the Reliability Standard: reliability coordinators, balancing authorities, interchange authorities, transmission service providers, transmission owners, transmission operators, generator owners, generator operators, load serving entities, NERC, and Regional Reliability Organizations.

22. The CIP Assessment raised two issues regarding applicability of the CIP Reliability Standards. First, it stated that, although it is likely that NERC and the Regional Entities 15 are not directly subject to mandatory Reliability Standards, their compliance with the CIP Reliability Standards is important to the extent that they have cyber communications with users, owners or operators of the Bulk-Power System.16 The CIP Assessment suggested that NERC and Regional Entity compliance could be required pursuant to NERC’s Rules of Procedure. Some commenters pointed out that NERC out-sources critical application systems that are relied upon by many responsible entities, such as the Interchange Distribution Calculator, and suggest that the out-source provider should be contractually compelled to comply with the CIP Reliability Standards, with NERC ultimately responsible for non-compliance.17

23. Second, the CIP Assessment raised concerns about the appropriateness of a size threshold, below which small entities would be exempt from compliance. It explained that, while the assets and operations of a smaller entity may not have a major day-to-day operational impact on the Bulk-Power System, such an entity can provide a cyber gateway to compromise larger users, owners, or operators of the Bulk-Power System. When attacked simultaneously with the facilities of other small entities, the aggregate result could have an adverse impact on the reliability of the Bulk-Power System. Thus, the CIP Assessment suggested that a key to any determination of whether an entity should be subject to the CIP Reliability Standards is whether or not it is a user, owner, or operator of the Bulk-Power System and whether it has a cyber connection to other users, owners or operators of the Bulk-Power System. The CIP Assessment concluded that the CIP Reliability Standards should apply to all users, owners, or operators regardless of size, because a relatively small entity could have critical importance from a cyber security perspective.

24. A number of commenters stated that the focus should be on those entities that own or operate critical assets, rather than being addressed in terms of “large” or “small” size of entities.18 These commenters warn that a blanket waiver that uniformly exempts small entities from compliance with certain provisions of the proposed CIP Reliability Standards therefore would not be appropriate. NERC and other commenters maintain that applicability should not be determined based on cyber connections but, rather by identifying those users, owners and operators of the Bulk-Power System that own or operate critical assets and associated critical cyber assets. Another group of commenters urge that the Commission not impose the same compliance obligations on smaller entities as on larger entities when a violation by the smaller entity would not have a critical impact on the Bulk-Power System. They maintain that adverse impacts on the grid from small entities would be an uncommon occurrence and urge a case-by-case approach to granting waivers from compliance with the CIP Reliability Standards.19

Commission Proposal

25. With regard to the applicability of the CIP Reliability Standards to the ERO, NERC has modified its Rules of Procedure to provide that the ERO will comply with each Reliability Standard that identifies the ERO as an applicable entity.20 Similarly, the delegation agreements between NERC and each of the eight Regional Entities expressly state that the Regional Entity is committed to comply with approved Reliability Standards.21 The Commission believes that this approach is sufficient and, accordingly, does not propose any additional measures or revisions on this issue.

26. The Commission’s determinations in Order No. 693 are relevant to deciding the applicability of the CIP Reliability Standards to small entities. In Order No. 693, the Commission approved NERC’s compliance registry process as a reasonable means “to ensure that the proper entities are registered and that each knows which Commission-approved Reliability Standard(s) are applicable to it.” 22 Further, the Commission approved NERC registry criteria that identify specific categories of users, owners and operators of the Bulk-Power System and criteria for registering entities within each of the categories.23

27. The Commission will also rely on the NERC registration process to determine applicability with the CIP Reliability Standards. In other words, an entity would be responsible to comply with the CIP Reliability Standards if the entity is (1) registered by NERC under one or more functional categories and (2) within a functional category for which the entity is registered as identified in the Applicability section of the CIP Reliability Standards. However, even though it is the Commission’s present intention to rely on the NERC registration process to identify appropriate entities, we remain concerned about the possibility of entities not identified by the registration process becoming a weakness in the security of the Bulk-Power System. In this regard, we note that, in Order No. 693, the Commission explained that, “if there is an entity that is not registered and NERC later discovers that the entity should have been subject to the Reliability Standards, NERC has the ability to add the entity, and possibly other entities of a similar class, to the registration list * * *.” 24 In addition, in Order No. 693, the Commission indicated that it would further examine applicability issues under section 215 of the FPA in a future proceeding, and notes the same intention here.25

28. Regarding our concern about small entities becoming a gateway for cyber attacks, some commenters argue that the Commission should not focus on cyber connections to determine applicability of the CIP Reliability Standards. Others state that it would be uncommon for a small entity to cause an adverse impact upon the grid. The Commission’s reliance upon the NERC registration process to determine the applicability of the CIP Reliability Standards is in part based upon our expectation that industry will use the “mutual distrust” posture discussed below regarding CIP–

15 In Order No. 693, at P 157, the Commission directed NERC to remove all references to the Regional Reliability Organization and replace them with a reference to the Regional Entity where appropriate. This directive should apply to the CIP Reliability Standards as well.
16 See CIP Assessment at 12–14.
17 E.g., ISO–NE, ISO/RTO Council, and SPP.
18 E.g., Allegheny, California PUC, EEI, Georgia System, ISO–NE, MidAmerican, NERC, ReliabilityFirst, Northeast Utilities, NRECA, Ontario IESO, Tampa Electric, and Xcel.
19 E.g., APPA/LPPC and Santa Clara.
20 See NERC Rules of Procedure, section 100.
21 See North American Electric Reliability Corp., 119 FERC ¶ 61,060 at P 4–5 (2007) (approving the delegation agreements and directing certain modifications).
22 Order No. 693 at P 92, quoting ERO Certification Order, 116 FERC ¶ 61,062 at P 689.
23 Order No. 693 at P 93–95. NERC’s Statement of Compliance Registry Criteria (Revision 3), approved by the Commission in Order No. 693, is available on NERC’s Web site at: ftp://www.nerc.com/pub/sys/all_updl/ero/Statement_of_Compliance_Registry_Criteria_Rev3.pdf.
24 Order No. 693 at P 97.
25 Id. at P 77.

VerDate Aug<31>2005 18:22 Aug 03, 2007 Jkt 211001 PO 00000 Frm 00005 Fmt 4701 Sfmt 4702 E:\FR\FM\06AUP3.SGM 06AUP3
43974 Federal Register / Vol. 72, No. 150 / Monday, August 6, 2007 / Proposed Rules

003–1. The term ‘‘mutual distrust’’ is 3. Compliance Measured by Outcome oversight of the responsible entity’s
used to denote how these ‘‘outside a. Performance-Based Standards activities. While the proposed
world’’ systems are treated by those Reliability Standards embody internal
inside the control system. A mutual 32. The CIP Assessment expressed management oversight strategies, there
distrust posture requires each concern that the lack of specificity should also be oversight that embodies
responsible entity that has identified within the proposed CIP Reliability a wide-area view. Second, when
critical cyber assets to protect itself and Standards could result in inadequate flexibility is exercised in a way that
not trust any communication crossing implementation efforts and inconsistent excepts an entity from a Requirement,
an electronic security perimeter, results.26 NERC, along with a number of such action should be monitored,
regardless of where that communication other commenters, states that the CIP documented, and periodically revisited
originates. Reliability Standards are not to determine consistency and
29. Similarly, the Commission is prescriptive, positing that the level of effectiveness of the implementation.
relying on the NERC registration process specificity they embody is appropriate. Third, reporting certain wide-area
to include all critical assets and NERC explains that the use of a information and analysis to the
associated critical cyber assets. For performance-based structure frames the Commission is vital to its role in
example, if assets are important to the CIP Reliability Standards in terms of ensuring that approved CIP Reliability
reliability of the Bulk-Power System, required results or outcomes with Standards achieve on an ongoing basis
such as black start units, we would criteria for verifying compliance, but an adequate level of cyber security
expect that the NERC registration without prescribing the methods for protection to the Bulk-Power System.
process would identify the owners or achieving the required results. In other These three strategies are applied in our
operators of those units as critical, and words, the specific means to achieve discussion below of various provisions
require them to register, even though the that outcome are left to the discretion of of the CIP Reliability Standards.
facilities may be ‘‘smaller’’ or at low the responsible entity. Such an
voltages. Demand side aggregators might approach contrasts with a prescribed or b. Adequacy of Outcomes
also need to be included in the NERC design-based standard. NERC concludes 35. The CIP Assessment explained
registration process if their load that, when taken together, the proposed that many of the Requirements in the
shedding capacity would affect the Reliability Standards constitute a proposed CIP Reliability Standards
reliability or operability of the Bulk- comprehensive set of cyber security consist of broad directives, and that the
Power System. activities, stating that it is more Measures and Compliance provisions
30. As discussed later, as an initial important that a pre-defined, desirable focus largely on proper documentation.
compliance step, each entity that is outcome is achieved than prescribing The Reliability Standards themselves do
responsible for compliance with the CIP the means to that end. not explain the interplay between the
Reliability Standards must identify 33. The Commission generally agrees Requirements, on one hand, and the
critical assets through the application of that use of performance-based standards Measures and Levels of Non-
a risk-based assessment as required by is a part of the design of cyber security Compliance, on the other.
CIP–002–1. Whether that entity must safeguards for the Bulk-Power System’s 36. The CIP Assessment expressed the
comply with the remainder of the critical assets. However, as we indicated view that the focus of the Measures and
requirements in the CIP Reliability in Order No. 672, performance-based Compliance provisions on
Standards would depend on the standards may not always be documentation could be interpreted to
outcome of that assessment and the appropriate, for example, in situations suggest that possession of
subsequent identification of critical where ‘‘the ‘how’ may be inextricably documentation can demonstrate
cyber assets, also required by CIP–002– linked to the Reliability Standard and compliance, regardless of the quality of
1. Thus, CIP–002–1 acts as a filter, may need to be specified to ensure the its contents. It suggested that
determining which entities must enforceability of the standard.’’ 27 compliance with the CIP Reliability
comply with the remaining CIP Accordingly, where necessary, the Standards must be understood in terms
requirements (i.e., CIP–003–1 through Commission proposes to direct NERC to of compliance with the Requirements,
CIP–009–1). modify the CIP Reliability Standards to which, according to NERC, define what
31. The Commission agrees with the address the ‘‘how.’’ Moreover, the an entity must do to be compliant and
commenters that access to information Commission is concerned that, while establishes an enforceable obligation.
essential to the operation of critical NERC explains that the CIP Reliability
cyber assets by out-sourced entities that Standards are performance-based, the Comments
are not otherwise subject to the CIP CIP Reliability Standards do not provide 37. NERC and others do not share the
Reliability Standards presents a a mechanism to measure performance or CIP Assessment concern regarding the
potential vulnerability to the Bulk- otherwise determine whether a focus on documentation.28 NERC and
Power System. We understand that, on responsible entity has met the goals of ReliabilityFirst acknowledge the
occasion, NERC negotiates contracts a particular requirement set forth in the extensive use of documentation
with such third party vendors, and the standards. throughout the CIP Reliability
products developed by the vendors are 34. The Commission believes that Standards, but note that the majority of
then used by responsible entities that, as monitoring the performance of this documentation is used to
owners of the critical cyber assets, are responsible entities identified in the CIP demonstrate that the Requirements have
ultimately responsible for their cyber Reliability Standards involves three been met. NERC indicates that, while
security protection under the CIP strategies. First, it is important that the ‘‘mere possession of
Reliability Standards. The Commission there be both internal and external documentation’’ does not guarantee
jlentini on PROD1PC65 with PROPOSALS3

invites comment on whether and how compliance, appropriate documentation


such out-sourced entities should be 26 CIP Assessment at 3. is essential to demonstrate that steps to
27 Order No. 672 at P 260. The Commission also
contractually obligated to comply with comply with the Requirements have
explained that, for some Reliability Standards,
the CIP Reliability Standards while ‘‘leaving out implementation features could [inter been taken and will streamline after-the-
satisfying their other contractual alia] sacrifice necessary uniformity in
obligations. implementation * * *’’. 28 E.g., ReliabilityFirst, APPA/LPPC, and SPP.

VerDate Aug<31>2005 18:22 Aug 03, 2007 Jkt 211001 PO 00000 Frm 00006 Fmt 4701 Sfmt 4702 E:\FR\FM\06AUP3.SGM 06AUP3
Federal Register / Vol. 72, No. 150 / Monday, August 6, 2007 / Proposed Rules 43975

fact compliance audits. Similarly, EEI Non-Compliance plays an important the various tasks associated with
believes that the quality of the role in assuring that a responsible entity compliance with the CIP Reliability
documentation is an important factor for is able to demonstrate to an auditor or Standards. The schedule gives a
assessing compliance and should be the others that it has complied with the timeline by calendar quarters for
subject of an audit. FirstEnergy and substantive Requirement of a Reliability completing various tasks and prescribes
Santa Clara state that it would be Standard, adequate documentation does milestones for when a responsible entity
helpful for NERC to provide guidance not substitute for substantive must: (1) ‘‘Begin work;’’ (2) ‘‘be
on what constitutes reasonable compliance with the obligations and substantially compliant’’ with a
documentation. responsibilities set forth in the requirement; (3) ‘‘be compliant’’ with a
38. Others raise concerns regarding Requirement. requirement; and (4) ‘‘be auditably
the emphasis on documentation. For 41. Related, certain Requirements of compliant’’ with a requirement.
example, Duke Energy agrees with the the CIP Reliability Standards obligate a 44. According to the implementation
CIP Assessment that the CIP Reliability responsible entity to develop and plan, ‘‘auditably compliant’’ must be
Standards rely heavily on maintain a plan, policy or procedure. achieved in 2009 for certain
documentation to verify compliance. However, such Requirements do not Requirements by certain responsible
Duke Energy believes that the always explicitly require entities, and in 2010 for the remainder.
accumulation of documentation to implementation of the plan, policy or
facilitate audits may prove to be less procedure.31 The Commission interprets CIP Assessment
than optimum for the CIP Reliability such provisions to include an implicit 45. The CIP Assessment suggested
Standards and suggests that efforts to requirement to implement the plan, that it may be possible to assess a
improve the CIP Requirements should policy or procedure; and to make a responsible entity’s level of compliance
gradually focus less on documentation, responsible entity subject to a non- prior to the time when it achieves its
and more on the actual level of cyber compliance action for failing to ‘‘auditably compliant’’ status. It noted
security to be implemented by the implement the policy. Such an that, if a responsible entity is in the
responsible entity. ISA Group states that interpretation is reasonable to prevent ‘‘begin work’’ phase, it has: (1)
the CIP Reliability Standards do not the scenario in which the ERO, Regional Developed and approved a plan to
specify clear Requirements and do not Entity or the Commission could assess address the Requirements of a
provide sufficient guidance. ISA Group a penalty against a responsible entity for Reliability Standard; (2) identified and
believes that the clarity and detail of the failure to develop a plan, policy or planned for necessary resources; and (3)
Levels of Non-Compliance in terms of procedure that satisfies the begun implementing the Requirements.
documentation give the impression that Requirements of the Reliability These are specific steps that an audit
the documentation is the focus of the Standard, but unable to assess a penalty can examine. The CIP Assessment
CIP Reliability Standards. against a responsible entity that has observed that the difference between the
developed an adequate plan but fails to ‘‘compliant’’ and ‘‘auditably compliant’’
Commission Proposal
implement it. Further, the Commission status for many of the Requirements is
39. The Commission agrees with proposes that the ERO, in developing the accumulation of 12 months of
NERC that, while documentation is modifications to the CIP Reliability compliance records. It sought comment
necessary, the documentation by itself Standards, include explicitly in such on whether it would be beneficial to
does not satisfy the Requirements of a Requirements that a responsible entity audit a responsible entity at the ‘‘begin
Reliability Standard. Rather, must implement a plan, policy or work’’ and ‘‘compliant’’ stages, even
implementation of the substance of the procedure that it is required to develop. though the responsible entity may not
Requirements is most important in have the full 12 month accumulation of
determining compliance. As we 4. Implementation Plan compliance records.
explained in Order No. 693, ‘‘while 42. Unlike the Reliability Standards
Measures and Levels of Non- approved in Order No. 693, which Comments
Compliance provide useful guidance to NERC formulated based on existing 46. A number of commenters agree
the industry, compliance will in all voluntary standards, the CIP Reliability that some type of assessment, although
cases be measured by determining Standards are new and require not necessarily in the form of an audit,
whether a party met or failed to meet applicable entities in many cases to is both possible and potentially
the Requirement given the specific facts develop new cyber security systems and beneficial prior to the time an entity
and circumstances of its use, ownership procedures, which will take time to achieves ‘‘auditably compliant’’
or operation of the Bulk-Power develop and implement. To address this status.33 NERC agrees that there is a
System.’’ 29 Moreover, the Commission task, NERC developed an benefit to ensuring that responsible
recognized that: implementation plan that includes a entities are moving timely toward
The most critical element of a Reliability proposed four-stage schedule for ‘‘auditably compliant’’ status. While
Standard is the Requirements. As NERC implementing the proposed CIP NERC believes that audits at an interim
explains, ‘‘the Requirements within a Reliability Standards over a three-year stage are not possible, it states that it
standard define what an entity must do to be period.32 plans to monitor progress through self-
compliant * * * [and] binds an entity to 43. The Implementation Plan sets out certification without assessing penalties.
certain obligations of performance under a proposed schedule for accomplishing Other commenters oppose interim
section 215 of the FPA.’’ If properly drafted,
audits, stating that they could interfere
a Reliability Standard may be enforced in the
absence of specified Measures or Levels of
31 See, e.g., CIP–006–1, Requirement R1
with implementation plans and lead to
jlentini on PROD1PC65 with PROPOSALS3

(requiring a responsible entity to ‘‘create and penalties for non-compliance.34


Non-Compliance.30 maintain a ‘physical security plan’’ ’); cf. CIP–003–
40. To reiterate, while documentation 1, Requirement R1 (requiring a responsible entity to
‘‘document and implement a cyber security 33 E.g., Santa Clara, SPP, APPA/LPPC, NERC,
set forth in the Measures and Levels of policy’’). Allegheny, Georgia Operators, ISO RTO Council,
32 NERC August 28, 2006 Filing, Exhibit B MidAmerican, SoCal Edison, and NRECA.
29 Order No. 693 at P 253. ‘‘Implementation Plan for Cyber Security 34 E.g., ATC, EEI, National Grid, Tampa Electric,
30 Id., quoting NOPR at P 105 (footnote omitted). Standards’’ (Implementation Plan). and FirstEnergy.

VerDate Aug<31>2005 18:22 Aug 03, 2007 Jkt 211001 PO 00000 Frm 00007 Fmt 4701 Sfmt 4702 E:\FR\FM\06AUP3.SGM 06AUP3
43976 Federal Register / Vol. 72, No. 150 / Monday, August 6, 2007 / Proposed Rules

Commission Proposal Reliability Standards and to assess the Courts generally hold that the phrase
status of their compliance efforts. The indicates reviewing tribunals should not
47. The Commission proposes to substitute their own judgment for that of the
approve NERC’s Implementation Plan, readiness reviews will also help the
Commission to evaluate the potential entity under review other than in extreme
including the proposed timelines for circumstances. A common formulation
achieving compliance. NERC indicates effectiveness of the cyber security indicates the business judgment of an
that the proposed timelines were Reliability Standards before they are entity—even if incorrect in hindsight—
developed with input from all sectors of implemented by disclosing the progress should not be overturned as long as it was
the electric industry. Further, while made by reviewed entities in their CIP made (1) in good faith (not an abuse or
some responsible entities have already Reliability Standards implementation indiscretion), (2) without improper favor or
efforts. bias, (3) using reasonably complete (if
installed the necessary equipment and
imperfect) information as available at the
software to address cyber security, the 5. Issues Presented by Terminology time of the decision, (4) based on a rational
Commission recognizes that many belief that the decision is in the entity’s
responsible entities must purchase and a. Business Judgment
business interest. This principle, however,
install new equipment and software to NERC Proposal does not protect an entity from simply failing
achieve compliance. Based on these to make a decision.
50. Each of the proposed CIP
considerations, the Commission
Reliability Standards incorporates the CIP Assessment
believes that the timetable proposed by
concept of ‘‘reasonable business
NERC sets reasonable deadlines for 52. The CIP Assessment
judgment’’ as a guide for determining
industry compliance. acknowledged the importance of
what constitutes appropriate
48. However, the Commission is flexibility and discretion in
compliance with those Reliability
concerned whether the industry will be implementing cyber security strategies.
Standards. The Purpose statement of
fully prepared for compliance upon However, it expressed skepticism about
Reliability Standard CIP–002–1
reaching the implementation deadline the appropriateness of the business
provides that:
and will take reasonable action to judgment rule in this context, given the
protect the Bulk-Power System during These standards recognize the differing
roles of each entity in the operation of the
unusually broad discretion it permits.
this interim period. The Commission The CIP Assessment thus expressed
believes that NERC’s plans to require Bulk Electric System, the criticality and
vulnerability of the assets needed to manage concern that such an approach to
self-certification during the interim Bulk Electric System reliability, and the risks flexibility and discretion would unduly
period are helpful. NERC, however, to which they are exposed. Responsible compromise the effectiveness of the CIP
does not indicate the interval for self- entities should interpret and apply Standards Reliability Standards and the ability to
certification. We believe that an annual CIP–002 through CIP–009 using reasonable enforce compliance with them.
certification would not allow adequate business judgment. 53. The CIP Assessment sought
monitoring of progress and propose to comment on: (1) Specific examples of
Each of the subsequent CIP Reliability
direct that the ERO develop a self- the differing roles of entities in
Standards includes a statement that
certification process with more frequent relationship to their potential impact on
‘‘Responsible Entities should interpret
certifications, either tied to target dates cyber security risks to Bulk-Power
and apply the Reliability Standard using
in the schedule or perhaps quarterly or System reliability; (2) alternatives to
reasonable business judgment.’’
semi-annual certifications. While we reliance on the reasonable business
agree with NERC that an entity should 51. NERC’s Glossary of Terms Used in
Reliability Standards (NERC glossary) judgment rule that would allow for
not be subject to a monetary penalty if recognition of differing roles of entities,
it is unable to certify that it is on does not define the term ‘‘reasonable
business judgment,’’ and the CIP vulnerability of assets, and exposure to
schedule, such an entity should explain risk but also permit effective
to the ERO the reason it is unable to Reliability Standards do not otherwise
suggest how the term is to be enforcement of the CIP Reliability
self-certify. The ERO and the Regional Standards; and (3) the ramifications of
Entities should then work with such an interpreted. NERC’s Frequently Asked
Questions (FAQ) document that removing the ‘‘reasonable business
entity either informally or, if judgment’’ language from the proposed
appropriate, by requiring a remedial accompanies the CIP Reliability
Standards provides the only available CIP Reliability Standards while an
plan to assist such an entity in alternative approach is developed using
achieving full compliance in a timely guidance on the issue.35 It states that the
phrase is meant ‘‘to reflect—and to the ERO’s Reliability Standards
manner. Further, the ERO and the development process.
Regional Entities should provide inform—any regulatory body or ultimate
informational guidance, upon request, judicial arbiter of disputes regarding Comments
to assist a responsible entity in assessing interpretation of these Standards—that
responsible entities have a significant 54. A number of commenters stress
its progress in reaching ‘‘auditably the importance of flexibility and
compliant’’ status. degree of flexibility in implementing
these Standards.’’ The FAQ document discretion in implementing the CIP
49. To further address our concerns Reliability Standards, but agree that it
about the period prior to when notes that there is a long history of
judicial interpretation of the business would not be reasonable to give the term
responsible entities achieve full ‘‘business judgment’’ the meaning it has
compliance with the CIP Reliability judgment rule and suggests that this
history is relevant to the use of this rule in the context of corporate fiduciary
Standards, the Commission also responsibility.36 Other commenters state
proposes to direct the ERO to add a in the context of the CIP Reliability
Standards. The document goes on to that the use of reasonable business
cyber security assessment to NERC’s judgment was not meant to allow
jlentini on PROD1PC65 with PROPOSALS3

existing readiness reviews. In this say:


entities to evade application of the CIP
readiness assessment process, the ERO Reliability Standards, but they
35 NERC included the FAQ document in its
should assist in the identification of best acknowledge that legal precedent
August 28, 2006 filing. The FAQ document is also
practices and deficiencies of the available at ftp://www.nerc.com/pub/sys/all_updl/
reviewed entities, both to help them standards/sar/Revised_CIP–002– 36 E.g., California PUC, APPA/LPPC, EPSA, and

prepare for implementation of the CIP 009_FAQs_06Mar06.pdf. Progress Energy.

VerDate Aug<31>2005 18:22 Aug 03, 2007 Jkt 211001 PO 00000 Frm 00008 Fmt 4701 Sfmt 4702 E:\FR\FM\06AUP3.SGM 06AUP3
Federal Register / Vol. 72, No. 150 / Monday, August 6, 2007 / Proposed Rules 43977

suggests that inclusion of the term could control interpretation of the CIP different assumptions apply. As
increase the potential for disputes.37 Reliability Standards. explained below, when transferred to
These commenters support the use of 57. Finally, some commenters the realm of cyber security or Bulk-
alternative terms to acknowledge the acknowledge that the traditional Power System reliability generally,
need for flexibility and discretion, such corporate business judgment rule does recourse to reasonable business
as ‘‘reasonableness,’’ ‘‘good utility grant officers and directors broad judgment is inconsistent with the
practice,’’ or ‘‘good engineering discretion, but also contains elements purpose of FPA section 215.
practices.’’ that temper this discretion.42 To receive 60. Cyber standards are essential to
the benefit of the rule, a business protecting the Bulk-Power System
55. Other commenters argue that the decision must be made on an informed against attacks by terrorists and others
‘‘reasonable business judgment’’ basis, in good faith and in honest belief seeking to damage the grid. Because of
language is essential to provide balance that the action taken was in the best the interconnected nature of the grid, an
in the implementation of the CIP interests of the company. In addition, attack on one system can affect the
Reliability Standards and should not be the person making the decision must act entire grid. It is therefore unreasonable
removed. Some indicate that use of the with the care that an ordinarily prudent to allow each user, owner or operator to
term was intended to allow person would reasonably be expected to determine compliance with the CIP
consideration of cost or business exercise in a like position with similar Reliability Standards based on its own
implications of an action.38 For circumstances. The commenters argue ‘‘business interests.’’ Business
instance, NERC states that, if business that these requirements permit the term convenience cannot excuse compliance
considerations are left out of account, reasonable business judgment to be with mandatory Reliability Standards.
the CIP Reliability Standards would adapted to the cyber security context. 61. While some commenters argue
describe an impossibly high level of that references to reasonable business
technical content, and the cost of Commission Proposal judgment in the CIP Reliability
implementing such a solution would 58. For the reasons discussed below, Standards were not intended to trigger
approach an infinite amount of time, the Commission proposes to direct the the traditional corporate business
money, and resources. Commenters also ERO to modify the CIP Reliability judgment rule, the FAQ document can
state that use of reasonable business Standards to remove references to the be read to suggest the contrary. In fact,
judgment allows every entity the ‘‘reasonable business judgment’’ the FAQ document states explicitly that
flexibility to make the best choice for its language before compliance audits start ‘‘reasonable business judgment’’ means
unique situation.39 Finally, some in 2009. what the courts have said it means in
commenters believe that the term 59. The Commission agrees with the corporate context. It states that the
reasonable business judgment will commenters that flexibility and phrase has an almost 200 year history in
ensure that the CIP Reliability Standards discretion are essential in implementing the common law nations and notes that
are enforceable by permitting the CIP Reliability Standards and that ‘‘[c]ourts generally hold that the phrase
development of a record of industry implementing those Reliability indicates reviewing tribunals should not
practices over time that provides a body Standards must be done on the basis of substitute their own judgment for that of
of reasonable, industry cyber security the specific facts and circumstances the entity under review other than in
applicable in the individual case at extreme circumstances.’’ The FAQ
practices.40
hand. Cyber security problems do not document then goes on to list the
56. Some commenters argue that use lend themselves to one-size-fits-all elements of reasonable business
of the term ‘‘reasonable business solutions. In addition, the Commission judgment as the courts generally define
judgment’’ was not intended to trigger acknowledges that cost can be a valid it. The FAQ document nowhere states or
the exculpatory ‘‘business judgment consideration in implementing the CIP suggests that the meaning and
rule’’ as used in connection with the Reliability Standards. However, the significance of reasonable business
actions of corporate directors.41 They Commission believes that the traditional judgment is subject to some
contend the term was intended as a concept of reasonable business modification or qualification in the
‘‘reasonableness’’ standard that was judgment is ill suited to the task of context of implementing and complying
meant to add a defined and objective implementing an appropriate program with the CIP Reliability Standards.
measure for assessing an entity’s actions of cyber security pursuant to FPA 62. Moreover, as the FAQ document
in implementing the CIP Reliability section 215. The concept of reasonable makes clear, compliance turns on
Standards based on the entity’s business judgment addresses the issue whether a decision was ‘‘based on a
particular system and assets. EEI argues of whether a decision-making process rational belief that the decision is in the
that while the NERC FAQ accurately conforms to certain standards. It was entity’s business interest.’’ That test is
describes traditional use of the developed specifically to address the fundamentally incompatible with
reasonable business judgment rule in issue of how courts should approach Congress’ decision to adopt a regime of
the context of corporate law, it does not business decisions made by a mandatory Reliability Standards. As we
articulate how this language is being company’s officers or directors, and the stated above, the vulnerability of one
used in the context of cyber security answer it provides is based on certain entity can pose risks to the entire grid.
standards. EEI also states that it is assumptions about how our economic We therefore cannot allow each user,
unlikely that the FAQ document would system operates and who is most likely owner or operator to determine
to have the knowledge and expertise compliance based on its own parochial
37 E.g., Duke, Progress Energy, Xcel, and National needed to make appropriate business business interests. The purpose of
Grid. decisions. However, the concept of section 215 is to protect the national
jlentini on PROD1PC65 with PROPOSALS3

38 E.g., NERC, Southern, and PG&E.


reasonable business judgment takes on a interest in grid reliability.
39 E.g., NERC, NU, PJM, Santa Clara, and
very different meaning when removed 63. The business judgment rule was
Cleveland Public Power.
40 E.g., IRC and Tampa Electric.
from its original context and applied to adopted in a context that is simply not
a different factual situation where very

appropriate for mandatory Reliability Standards. The business judgment rule recognizes that officers and directors must have wide latitude if a company is to be managed properly and efficiently and that it is not in the interest of shareholders to create incentives for officers and directors to be overly cautious.43 Courts have noted that shareholders voluntarily undertake the risk of bad business judgments and investors who are averse to such risk have alternative investment opportunities available to them.44 In the context of section 215, however, these principles do not apply. The issue under section 215 is not whether the management of a business is acting in the interest of its own shareholders, but rather whether an entity is taking appropriate action to avert risks that could threaten the entire grid.

64. It is also notable that the business judgment rule is invoked, in the corporate governance context, only in extreme circumstances. Generally, to find an officer or director liable there must be evidence establishing that he or she acted fraudulently, in bad faith, or with gross or culpable negligence.45 Some cases refer to unconscionable conduct, illegal or oppressive acts, willful abuse of discretionary power or neglect of duty, and recklessness as situations that fall outside reasonable business judgment.46 While the FAQ document does not explain this point clearly, it does allude to it when it notes that the “[c]ourts generally hold that the phrase indicates reviewing tribunals should not substitute their own judgment for that of the entity under review other than in extreme circumstances.” (Emphasis supplied.)

65. These criteria are plainly inappropriate for mandatory CIP Reliability Standards. For example, if an inadequate cyber plan caused a grid-wide disturbance or blackout, a violation could be established only in “extreme circumstances” where there was “unconscionable conduct” or “recklessness” or, as discussed above, where the entity’s plan was not consistent with its “own business interest.” These highly deferential legal standards are not compatible with a mandatory reliability regime under section 215 of the FPA. We therefore propose to direct NERC to delete references to “reasonable business judgment” from the CIP Reliability Standards.

66. We wish to stress, however, that, even though we propose to delete the business judgment rule, we believe flexibility in the application of the CIP Reliability Standards remains appropriate. First, as discussed throughout this NOPR, the CIP Reliability Standards contain specific provisions that explicitly permit various alternative courses of action. More importantly, however, the CIP Reliability Standards do not simply allow the exercise of flexibility and discretion, they require it. Even with the various revisions and additions that the Commission is proposing in this NOPR, the CIP Reliability Standards constitute a relatively brief document, and the Requirements it contains are largely performance based. These Requirements for the most part are quite general and do not dictate specific solutions to cyber-security problems. Responsible entities therefore must interpret and apply them to their specific circumstances. The CIP Assessment explained:

The task of balancing technical options comes into play as one selects and combines the various available technologies into a comprehensive architecture to protect the specific computer environment. The key to success is possessing cyber security standards that provide reliable direction on how to choose among alternatives to achieve an adequate level of security.47

67. Based on our careful consideration of this issue as discussed above, pursuant to section 215(d)(5) of the FPA and § 39.5(f) of our regulations, the Commission proposes to direct that the ERO modify each of the proposed CIP Reliability Standards to remove references to the “reasonable business judgment” language before compliance audits start in 2009.

b. “Technical Feasibility” and “Acceptance of Risk”

68. Two CIP Reliability Standards contain language that provides exceptions from compliance with a Requirement. This language takes two forms: one focuses on technical feasibility, and the other focuses on acceptance of risk.

69. Some provisions require a responsible entity to take action “where technically feasible.”48 The NERC glossary does not define the term “technically feasible,” and the Reliability Standards themselves do not specify how an entity is to determine whether an action is technically feasible. NERC’s FAQ document provides the following guidance on the meaning of the phrase “where technically feasible:”

Technical feasibility refers only to engineering possibility and is expected to be a “can/cannot” determination in every circumstance. It is also intended to be determined in light of the equipment and facilities already owned by the responsible entity. The responsible entity is not required to replace any equipment in order to achieve compliance with the Cyber Security Standards. When existing equipment is replaced, however, the responsible entity is expected to use reasonable business judgment to evaluate the need to upgrade the equipment so that the new equipment can perform a particular specified technical function in order to meet the requirements of these standards.49

Technical feasibility is here related to reasonable business judgment, but only in a situation where equipment is being replaced. Otherwise, the FAQ document treats technical feasibility in terms of objective engineering judgments regarding what is possible with existing equipment.

70. Some Requirements in the CIP Reliability Standards permit an entity not to take the actions specified in the Requirement if they “document compensating measures applied to mitigate risk exposure or an acceptance of risk.”50 The Reliability Standards do not provide explicit guidance on the circumstances in which it is appropriate to accept the risk of non-compliance.

CIP Assessment

71. In the discussion of specific Reliability Standards, the CIP Assessment expressed concern about the need to reference technical feasibility, either because the action in question appeared to be clearly technically feasible or because of the extremely limited number of situations in which technical feasibility could become an issue.51

72. The CIP Assessment noted that acceptance of risk raised special concern in a cyber environment. Where there are interconnected control systems, an acceptance of a cyber risk by one entity would actually be tantamount to an acceptance of risk on behalf of all entities connected with it because the first entity can serve as a gateway to the others as noted above. The entity that initially accepts the risk becomes a “weak link” in the chain. The CIP Assessment noted that there is no provision in the proposed CIP Reliability Standards for oversight or consideration of the broader impacts of risk acceptance in individual cases. It sought comment on the appropriateness of risk acceptance and suggested that, if this concept is appropriate, clear guidance is needed to explain the limited circumstances in which it is appropriate.

Comments

73. NERC states that the term “technical feasibility” is intended to be very limited in scope. It defines the term as the physical ability of in-place equipment or software to conform directly to some Requirement in the Reliability Standards or the ability of in-place equipment or software to perform its required function if modified in a way that would most directly conform to some Requirement. The term is used to prevent penalizing responsible entities unnecessarily in situations where they cannot change immediately or prudently to comply with a Requirement. NERC states that where the concept of technical feasibility applies, the responsible entity should document the technical issue and its mitigation plans or strategies.

74. Many commenters52 emphasize that the phrase “where technically feasible” is intended to permit flexibility, to permit the application of the Reliability Standards to a wide variety of situations, and to allow compliance with the Reliability Standards to evolve over time as technologies change. Some commenters note that in many cases it is not feasible to enhance equipment without replacing it. In some cases, off-the-shelf solutions are not available for various parts of the system.

75. ISA Group states that the phrase “where technically feasible” could be eliminated entirely from the CIP Reliability Standards and replaced with an exception mechanism that requires a decision to invoke technical feasibility to be explicit and reviewable. The exception mechanism should require that there be alternative mitigation that provides the level of security that would otherwise have been achieved. California PUC argues that the phrase “technically feasible” should be removed unless there is a serious question about the actual feasibility of a requirement being imposed.

76. Most commenters support the “acceptance of risk” terminology with certain qualifications. NERC states that the concept of risk acceptance recognizes that flexibility and judgment are required to make prudent decisions, but does not allow an entity to do nothing. It also contends that acceptance of risk is a fundamental tenet of an audit process, which recognizes that not all systems or implementations can be perfect. Other commenters state that acceptance of risk is needed to allow for flexibility and that it can be workable if decisions to accept risk are documented, compensating or mitigating action is taken, and decisions to accept risk are transparent and subject to review and oversight.53 Some commenters state that any invocation of the risk acceptance provision should be subject to a sunset date or plan to achieve compliance.54 In contrast, Wisconsin Electric states that acceptance of risk could seriously endanger reliability and supports removal of the option to accept risk.

Commission Proposal

77. For the reasons discussed below, pursuant to section 215(d)(5) of the FPA and § 39.5(f) of our regulations, the Commission proposes to direct that the ERO: (1) interpret the term “technical feasibility” narrowly as applying to the technical characteristics of existing assets and having no relation to the considerations of business judgment discussed above; (2) treat instances where technical feasibility is invoked as exceptions that require certain alternative courses of action; (3) eliminate the “acceptance of risk” option from the CIP Reliability Standards; and (4) develop an annual report that quantifies, on a wide-area basis, the frequency with which responsible entities invoke “technical feasibility” or other provisions that produce the same outcome. The reasons the Commission believes these proposed safeguards are necessary, as well as additional details regarding these proposals, are provided below.

Technical Feasibility

78. The Commission acknowledges that, in the near term, exceptions from compliance based on the concept of “technical feasibility” may be appropriate in a limited set of circumstances.55 However, responsible entities should not be permitted to invoke technical feasibility on the basis of “reasonable business judgment,” as NERC’s FAQ suggests. We have already discussed the concerns that reasonable business judgment can create for effective cyber security. Nor should a responsible entity be able to except itself unilaterally from a Requirement of a mandatory Reliability Standard with no oversight. Unless invocation of the technical feasibility exception is carefully circumscribed, substantial opportunity for abuse, difficulty in enforcement and the continued allowance of unacceptable reliability risks could result.

79. Therefore, the Commission proposes to require the ERO to establish a structure to require accountability from those who rely on “technical feasibility” as the basis for an exception. Such a structure would require a responsible entity to: (1) develop and implement interim mitigation steps to address the vulnerabilities associated with each exception; (2) develop and implement a remediation plan to eliminate the exception, including interim milestones and a reasonable completion date; and (3) obtain written approval of these steps by the senior manager assigned with overall responsibility for leading and managing the entity’s implementation of, and adherence to, the CIP Reliability Standards as provided in CIP–003–1, Requirement R2. This proposed structure should include a review by senior management of the expediency and effectiveness of the manner in which a responsible entity has addressed each of these three proposed conditions. In addition, the Commission proposes to require a responsible entity to report and justify to the ERO and the Regional Entity for approval each exception and its expected duration. In situations where any of the proposed conditions are not satisfied, the ERO or the Regional Entity would inform the responsible entity that its claim to an exception based on technical feasibility is insufficient and therefore not approved. Failure to timely rectify the deficiency would invalidate the exception for compliance purposes.

80. The Commission believes that it is important that the ERO, Regional Entities and the Commission understand the circumstances and manner in which responsible entities invoke the technical feasibility provision as well as other provisions that function as an exception to the CIP Reliability Standards. The Commission, therefore, proposes to direct the ERO to submit an annual report that would include, at a minimum, the frequency of the use of such provisions, the circumstances or justifications that prompt their use, the interim mitigation measures used to address the vulnerabilities, and the milestone schedule to eliminate them and to bring the entities into compliance to eliminate future reliance on the exception. The Commission expects that the report would not provide a level of detail so as to contain critical energy infrastructure information, but would include sufficient information such that it is clear that the mitigation measures have addressed the interim vulnerabilities and the milestone schedules will be sufficient to bring the entities into compliance by a date certain in a timely manner. The report should include aggregated information with sufficient detail for the Commission to understand the frequency with which specific provisions are being invoked as well as mitigation and remediation plans over time and by region. Such information would allow the Commission to evaluate whether to initiate the development of additional Reliability Standards or require new Reliability Standards and/or modifications to existing Reliability Standards.

81. The Commission also seeks comment on additional categories of information that should be included in the content of this report that would be useful for the Commission, as well as the ERO and Regional Entities, in evaluating the invocation of technical feasibility and similar provisions, and the impact on protection of critical assets.

82. The Commission proposes to direct the ERO to consider making “technically feasible,” and derivative forms of that phrase as used in the CIP Reliability Standards, defined terms in NERC’s glossary, pursuant to the prior clarifications, without any reference to reasonable business judgment.

Acceptance of Risk

83. The Commission has several concerns regarding the references to “acceptance of risk” that appear in the CIP Reliability Standards. As proposed by NERC, there are no controls or limits on a responsible entity’s use of this exception. For example, a responsible entity may invoke the “acceptance of risk” exception without any explanation, mitigation efforts, evaluation of the potential ramifications of accepting the risk, or other accountability. In essence, the phrase “or an acceptance of risk” allows a responsible entity to opt out of certain provisions of a mandatory Reliability Standard at its discretion.

84. Further, there is no requirement that a responsible entity communicate to a responsible authority information related to the potential vulnerabilities created by a decision to accept risk and how they could affect Bulk-Power System reliability. The resulting uncertainty concerning who had invoked “acceptance of risk” and in what connection would mean that neither the ERO, Regional Entities nor others would know whether adequate cyber security precautions are in place to protect critical assets. The possibility that appropriate security measures for critical assets have not been implemented due to acceptance of risk and that no corresponding compensating or mitigating steps have been taken presents an undue and unacceptable risk to Bulk-Power System reliability.

85. Moreover, the Commission believes the acceptance of risk language does not serve any justifiable purpose. To the extent that an entity would invoke this exception because compliance is not technically feasible, it should rely on that exception, which with the Commission’s proposal would have specific safeguards and limitations. To the extent that a responsible entity would invoke the acceptance of risk language because its business preference is not to expend resources on cyber vulnerability, we believe that is inappropriate for all the reasons discussed previously. A responsible entity should not be able to jeopardize critical assets of others, and create a significant and unknown risk to Bulk-Power System reliability, simply because it is willing to “accept the risk” that its own assets may be compromised.

86. Accordingly, the Commission proposes to direct that the ERO remove the “acceptance of risk” language from the CIP Reliability Standards.

6. Guidance for Improving CIP Reliability Standards

87. Several commenters discussed the proposed CIP Reliability Standards in relation to other standards that exist for governmental and industrial cyber security. MITRE and NIST suggest that more advanced cyber security standards have been developed that could provide a model in future improvements to the CIP Reliability Standards. In particular, they point to NIST Special Publication 800–53 Revision 1, Recommended Security Controls for Federal Information Systems (SP 800–53). MITRE believes that the relevant NIST publications, including Federal Information Processing Standards (FIPS) 199, FIPS 200, and SP 800–53, constitute a comprehensive and coherent basis for cyber security in the electric power sector. NIST recommends that the Commission consider a planned transition to cyber security standards that are identical to, consistent with, or based on SP 800–53 and related NIST standards and guidelines.

Commission Proposal

88. The Commission declines to propose at this time that NERC incorporate any provisions of the NIST standards into the CIP Reliability Standards. However, the Commission expects NERC to monitor the development and implementation of the NIST standards to determine if they contain provisions that will better protect the Bulk-Power System.56 Several federal entities, such as the Tennessee Valley Authority and Western Area Power Administration, are subject to both the NIST standards and the Reliability Standards, and therefore are likely to have unique insights into the NIST standards. The Commission expects the ERO to seek and consider comments from those federal entities on the effectiveness of the NIST standards and on any implementation issues. Any provisions that will better protect the Bulk-Power System should be addressed in the ERO’s Reliability Standards development process. The Commission may revisit this issue in future proceedings as part of an evaluation of existing Reliability Standards or the need for new Reliability Standards, or as part of assessing NERC’s performance of its responsibilities as the ERO.57

B. Discussion of Each CIP Reliability Standard

1. CIP–002–1—Critical Cyber Asset Identification

89. Reliability Standard CIP–002–1 deals with the identification of critical cyber assets. The NERC glossary defines “cyber assets” as “programmable electronic devices and communication networks including hardware, software, and data.” It defines “critical cyber assets” as “cyber assets essential to the reliable operation of critical assets.” NERC defines “critical assets” as “facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.”58

90. As the first step in identifying critical cyber assets, CIP–002–1 requires each responsible entity to develop a risk-based assessment methodology to use in identifying its critical assets. Requirement R1 specifies certain types of assets that an assessment must consider for critical asset status and also allows the consideration of additional assets that the responsible entity deems appropriate. Requirement R2 requires the responsible entity to develop a list of critical assets based on an annual application of the risk-based assessment methodology. Requirement R3 provides that the responsible entity must use the list of critical assets to develop a list of associated critical cyber assets that are essential to the operation of the critical assets. CIP–002–1 requires an annual re-evaluation and approval by senior management of the lists of critical assets and critical cyber assets.

91. The CIP Assessment emphasized that, while CIP–002–1 through CIP–009–1 function as an integrated whole, CIP–002–1 is a key to the success of the cyber security framework that these Reliability Standards seek to create.59 The CIP Assessment also stressed that, because CIP–002–1 addresses the assessment methodology and process for identifying critical assets and critical cyber assets, it represents the critical first step that can fundamentally affect the chances for successful implementation of the remaining CIP Reliability Standards. The methodology and process used by a responsible entity must be stringent and rigorous. Otherwise, a responsible entity may fail to identify some facilities that are critical to effective cyber protection and, as a consequence, leave them vulnerable to an attack that could threaten the reliability of the Bulk-Power System.

92. The Commission proposes to approve Reliability Standard CIP–002–1 as mandatory and enforceable. In addition, the Commission proposes to direct the ERO to develop modifications to this Reliability Standard. In our discussion below, the Commission addresses its concerns in the following topic areas regarding CIP–002–1: (1) the proper risk-based assessment methodology for identifying critical assets and associated critical cyber assets; (2) internal approval of the risk assessment; (3) oversight of critical asset identification; and (4) interdependency analysis.

a. Risk-Based Assessment Methodology

93. As mentioned above, CIP–002–1 requires each responsible entity to develop a risk-based assessment methodology to identify critical assets.

CIP Assessment

94. The CIP Assessment noted that, while CIP–002–1 requires use of a risk-based assessment methodology, it does not provide direction on the nature and scope of that methodology, its basic features or the issues it should address. The CIP Assessment expressed concern that the absence of such direction could result in the Requirement being unevenly executed, which could result in inconsistency and inefficiency. It stated that, due to this lack of direction, the Reliability Standard does not provide a basis for evaluating whether the risk-based assessment methodology adopted by a particular entity will permit effective identification of all critical assets.

95. The CIP Assessment explained that proper risk-based assessment methodology is essential to achieve sufficient scope and implementation of critical infrastructure protection. Requirement R4 specifically contemplates the circumstance that a “Responsible Entity may determine that it has no Critical Assets or Critical Cyber Assets,” and correspondingly requires that a signed and dated record of management approval of the list of critical assets and critical cyber assets be kept “even if such lists are null.” The CIP Assessment pointed out, however, that a small entity whose operations may not have a major, day-to-day operational impact on the Bulk-Power System can have critical importance from a cyber security perspective, especially as a gateway to larger entities or when attacked simultaneously with other entities. The absence of adequate direction on what constitutes a proper risk-based assessment methodology may potentially result in entities improperly identifying a limited or “null set” of critical assets and critical cyber assets. This result could have serious adverse effects for Bulk-Power System reliability.

Comments

96. Commenters generally agree that CIP–002–1 plays a crucial role because whether a responsible entity must comply with the substance of the remaining CIP Reliability Standards depends on whether it identifies critical cyber assets pursuant to CIP–002–1. Commenters also agree that the risk assessment methodology is the key to a responsible entity accurately identifying its critical assets and critical cyber security assets.

97. While some commenters agree with the CIP Assessment that the Requirement for the risk-based assessment methodology would benefit from additional guidance or specificity, the majority disagree. Among those who support the need for more specificity, Arizona Public Service expresses concern that CIP–002–1, as proposed, may place a responsible entity in the position of not having enough guidance on whether its risk-based methodology will result in the identification of all critical assets.

98. Ontario IESO agrees that the CIP Assessment’s reasons for concern are valid, which stem from the fact that many assessments will be performed by entities not previously subject to compliance with NERC Reliability Standards, and from the potential disagreement between entities on what constitutes a critical asset. It also shares the concern that some entities may avoid declaring critical assets to avoid further compliance obligations with the CIP Reliability Standards. Ontario IESO emphasizes that an essential feature of a good assessment is the quality of the judgments that necessarily must be applied. Rather than making modifications to provide more explicit direction, Ontario IESO suggests that much of the concern associated with critical asset identification could be addressed by modifying the Reliability Standard to require that the responsible entity consult with its reliability coordinator, and granting the reliability coordinator the authority to make the final determination of critical assets within its territory.

99. NERC and others oppose including additional specificity, claiming that CIP–002–1 is specifically written to allow each responsible entity the flexibility to implement it as it applies to the specific circumstances within each organization, and at each location containing critical cyber assets.60 These commenters are concerned that a Commission directive to include additional guidance would restrict the needed flexibility. For example, APPA argues that the proposed provisions provide an adequate basis for evaluating the methodology, stating that prescribing a national-level “one size fits all” risk-based assessment methodology would require a costly effort to comply, but would not result in measurable cyber security improvements. APPA adds that every entity’s risk-based assessment will be subject to challenge by an audit team from time to time, which will include review by peer technical experts who share the goal of preventing any successful attack on critical assets. AMP-Ohio suggests that it would be inappropriate to divide the Bulk Electric System into a large number of small, discrete and in some cases rather isolated pieces and then to assign responsibility to each of these small pieces to determine what is or is not critical to the reliable operation of the Bulk Electric System.

Commission Proposal

100. Most commenters on the CIP Assessment acknowledge the importance of CIP–002–1 in ensuring that an appropriate set of critical assets is identified. However, many commenters oppose any modification to CIP–002–1 to provide additional specificity regarding the risk assessment methodology for identifying critical assets, based on concerns that such specificity will impede the needed flexibility that is currently provided by the Reliability Standard.

101. The Commission recognizes the commenters’ concerns and is mindful of the need for flexibility in the risk assessment process to take into account the individual circumstances of a responsible entity. Yet, the Commission is concerned that, without some additional guidance, each responsible entity will have to devise its own assessment methodology without sufficient assurance that the methodology is adequate to identify the types of assets necessary to protect the

consequence of an outage should be the controlling factor. We note that the definition of “critical assets” is focused on the criticality of the assets, not the likelihood of an outage.

103. Accordingly, the Commission proposes to direct NERC to develop modifications to CIP–002–1 to provide some basic guidance on the content or considerations to be applied in a risk assessment methodology. We are not proposing that NERC develop specific details of a methodology that must be applied in all circumstances. However, the Commission believes that responsible entities would benefit from NERC providing some common understanding regarding the scope, purpose and basic direction of the risk assessment methodology. For example, the Reliability Standard should indicate that a proper risk-based assessment methodology to identify critical assets should examine (1) the consequences of the loss of the asset to the Bulk-Power System and (2) the consequence to the Bulk-Power System if an adversary gains control of the asset for intentional misuse. Such guidance could also address how a generation owner, or even a partial owner of generation, without a wide-area reliability perspective, should approach a risk-based assessment.

104. Further, we are concerned that relatively smaller registered entities, such as some resources, load-serving entities, and demand side aggregators, may have difficulty in determining whether a particular asset is “critical” for Bulk-Power System reliability, since, for example, the impact of their facilities may be dependent on their connection with a transmission owner or operator. We believe that such an entity may want to perform an accurate

list of critical assets and critical cyber assets. The CIP Assessment suggested that this senior management involvement should be extended to approving the risk-based assessment methodology developed pursuant to Requirement R1.61 Several commenters disagree,62 stating that this approval is implied by the requirement for senior management approval of the critical asset list and the critical cyber asset list. Other commenters generally believe that senior management approval of the risk-based assessment methodology would be a benefit.63

Commission Proposal

107. The Commission believes that senior management approval of the risk-based assessment methodology has clear benefits that exceed any additional burden placed on the responsible entities, and the rigor that the senior management approval would encourage is worth the effort. As explained in the CIP Assessment, since a poor methodology will likely result in an inadequate identification of critical assets and critical cyber assets, senior management awareness and approval of the chosen risk-based assessment methodology is of critical importance.64 It is not clear to the Commission that, as some commenters suggest, senior management approval of the risk-based assessment methodology is implicit in the requirement that senior management approve the critical asset list and critical cyber asset list. Commenters did not object to the concept, but only believed that it might be redundant. We believe this additional layer of oversight is important and should be made explicit. The Commission also notes that requiring this senior management

41 E.g., Arizona Public Service, EEI, Progress Energy, SoCal, TEC, Duke, ReliabilityFirst and National Grid.
42 E.g., EEI and Progress Energy.
43 Cramer v. General Telephone and Electronics Corp., 582 F.2d 259 (3d Cir. 1978); Joy v. North, 692 F.2d 880 (2d Cir. 1982).
44 Joy v. North, 692 F.2d 880 (2d Cir. 1982).
45 In Re Bal Harbour Club, Inc., 316 F.3d 1192 (11th Cir. 2003) (Bal Harbour); Froelich v. Senior Campus Living LLC, 355 F.3d 802 (4th Cir. 2004); Poth v. Rassey, 281 F. Supp. 2d (E.D. Va. 2003) (Poth v. Rassey).
46 Bal Harbour; Poth v. Rassey; Gray v. Manhattan Medical Center, Inc., 18 P.3d 291 (Kan. 2001); G & N Aircraft, Inc. v. Boehm, 743 N.E.2d 227 (Ind. 2001).
47 CIP Assessment at 8.
48 The “technically feasible” phrase is found in CIP–005–1, Requirements R2.4, R2.6, R3.1, R3.2 and CIP–007–1, Requirements R4, R5.3, R6, R6.3. Additionally, CIP–007, Requirement R2.3 uses “technical limitations” to similar effect.
49 FAQ Document at 1.
50 See CIP–007–1, Requirements R2.3, R3.2, and R4.1.
51 See, e.g., CIP Assessment at 26–27, 32–33.
52 E.g., National Grid; ISO/RTO Council; PJM, Ontario IESO, SPP, and ISO–NE.
53 E.g., Allegheny, MidAmerican and National Grid.
54 E.g., MidAmerican and Allegheny.
55 For example, it is understandable that some older “legacy” systems are not capable of utilizing certain cyber protection strategies needed to fully comply with the Requirements of these CIP Reliability Standards. In such a case, the responsible entity could be granted an exception upon the satisfactory submittal of a mitigation plan leading to compliance, by a date certain.
56 The Commission is also aware that the Instrumentation, Systems, and Automation Society (ISA) is developing cyber security standards, referred to as ISA SP–99, and that other infrastructure sectors are considering adopting the ISA standards for their control systems.
57 See Order No. 672 at P 186–91.
58 “The term ‘reliable operation’ means operating the elements of the bulk-power system within equipment and electric system thermal, voltage, and stability limits so that instability, uncontrolled separation, or cascading failures of such system will not occur as a result of a sudden disturbance, including a cybersecurity incident, or unanticipated failure of system elements.” EPAct 2005, section 215(a)(4).
59 CIP Assessment at 16–17.
60 E.g., ReliabilityFirst, EEI, EPSA, and APPA.
reliability of the Bulk-Power System. As assessment but lack the regional view to approval helps to implement the
explained by Ontario IESO, many make a determination on its own. Thus, Blackout Report’s Recommendation 43,
responsible entities performing the risk we propose that the ERO and Regional which calls for establishing ‘‘clear
assessment have not previously been Entities provide reasonable technical authority and ownership for physical
subject to compliance with NERC’s support to such entities that would and cyber security.’’ 65
Reliability Standards. Further, there is a assist them in determining whether
potential for disagreement among 108. Thus, pursuant to section
their assets are critical to the Bulk- 215(d)(5) of the FPA and § 39.5(f) of our
responsible entities regarding what Power System.
constitutes a critical asset. regulations, the Commission proposes to
105. Accordingly, pursuant to section
102. The Commission also is direct that the ERO develop a
215(d)(5) of the FPA and § 39.5(f) of our
concerned that the risk assessment modification to CIP–002–1 through its
regulations, the Commission proposes to
methodologies required by CIP–002–1 Reliability Standards development
direct that the ERO develop
must place the proper emphasis on the process to include a requirement that a
modifications to CIP–002–1 through its
possible consequences from an outage of senior manager annually review and
Reliability Standards development
a particular asset. Generically, risk approve the risk-based assessment
process to provide additional guidance
assessments include consideration of methodology.
as to the features and functionality of an
both consequence (in this case, the adequate risk-based assessment
jlentini on PROD1PC65 with PROPOSALS3

61 CIP Assessment at 17–18.


effect of loss of availability of an asset methodology, as discussed above. 62 NERC, ReliabilityFirst, and Santa Clara.
on the reliable operation of the Bulk-
Power System) and threat (the b. Internal Approval of Risk Assessment 63 E.g., APPA/LPPC, FirstEnergy, National Grid,

Progress Energy, and Xcel.


likelihood that an outage will occur, 106. Requirement R4 of CIP–002–1 64 CIP Assessment at 18.
naturally or by malicious act). However, requires that a senior manager ‘‘or 65 See Blackout Report at 169, Recommendation

in this context we believe that the delegate(s)’’ must approve annually the 43.

c. Oversight of Critical Assets Identification

109. The CIP Assessment emphasized the underlying importance that each responsible entity develop accurate lists of critical assets and critical cyber assets. Several commenters note that responsible entities currently lack a wide-area view that would enable them to better assess the risks associated with certain assets.66 They suggest that guidance or oversight from an external organization could help ensure that responsible entities have properly identified critical assets from a regional perspective. Cleveland Public Power suggests that the Regional Entities should assume this role. Similarly, AMP-Ohio recommends that the Regional Entities should be responsible for identifying critical assets, with input from reliability coordinators and transmission planners. EPSA indicates that independent system operators (ISOs) and regional transmission organizations (RTOs) could provide guidance to individual companies in assessing critical assets and their vulnerability, in coordination with NERC and the Commission.

110. NERC, however, opposes regional oversight, stating that ‘‘[i]t is not the function of the standards to implement an oversight or hierarchical organization for determining risks or vulnerabilities.’’ 67 NERC suggests that regional perspective is gained through information sharing forums such as the Electricity Sector Information Sharing and Analysis Center (ESISAC) 68 and NERC’s Critical Infrastructure Protection Committee.

Commission Proposal

111. The Commission disagrees with commenters that suggest that the responsibility for identifying critical assets should be placed on the Regional Entities or another organization instead of the categories of applicable entities currently identified in CIP–002–1. Such an approach would shift primary responsibility away from the asset owner or operator. We believe that such a shift would not improve the identification of critical assets, but more likely overwhelm the Regional Entities.

112. On the other hand, the Commission believes that a formal or systematic approach to external oversight of the identification of critical assets would assure a wide-area view. Such an approach, on a regional basis, would better ensure that responsible entities are identifying similar assets. Even taking into account the individual circumstances of a responsible entity, we would expect certain trends in critical asset identification within a class of responsible entities, such as generator owners or transmission owners. If the vast majority of transmission owners, for example, identified a certain asset as critical, and a few did not, this result could be due to the unique circumstances of those transmission owners or from a flawed risk-based assessment methodology. However, without external oversight using a wide-area view, such trends or deviations would never be identified prior to an incident or audit, perhaps precluding a necessary adjustment to a particular critical asset list. In addition, a wide-area view would help to ensure that assets that have regional importance, such as for reactive power supply, are included as critical assets.

113. NERC suggests that such issues can be addressed through existing forums for the voluntary exchange of information on cyber security issues. The Commission believes that this matter is too important to leave to voluntary mechanisms. Accordingly, pursuant to section 215(d)(5) of the FPA and § 39.5(f) of our regulations, the Commission proposes to direct that the ERO develop a modification to CIP–002–1 through its Reliability Standards development process to include a mechanism for the external review and approval of critical asset lists based on a regional perspective. While we propose that the Regional Entities should be responsible for this function, we will not exclude the possibility of a critical asset review process that allows for participation of other organizations, such as transmission planners and reliability coordinators.

114. Moreover, we note that the definition of ‘‘critical cyber assets’’ encompasses data.69 Thus, marketing or other data essential to the proper operation of a critical asset, and possibly the computer systems that produce or process that data, would be considered critical cyber assets subject to the CIP Reliability Standards. Therefore, the Commission proposes to direct the ERO to develop guidance on the steps that would be required to apply the CIP Reliability Standards to such data and to include computer systems that produce the data.

115. The Commission is concerned that all critical assets are identified, and interprets the phrase, ‘‘[t]he risk-based assessment shall consider the following assets:’’ in Requirement R1.2 to mean that a responsible entity must be able to show, based on the risk-based assessment methodology used, why specific assets were or were not chosen as critical assets. The Commission is also concerned that sufficient rigor is applied in examining whether control systems are determined to be critical assets. While it seems obvious that an evaluation of a control system for critical asset status would consider the potential loss of operability of the control center due to power or communications failure, we also believe that such an evaluation should include an examination of any misuse of the control system, the impact this misuse could have on any electric facilities that the responsible entity controls, and the combined impact of such facilities. Therefore, the Commission proposes to direct the ERO to modify Requirement R1.2 to clarify the requirement to show why specific assets were or were not chosen as critical assets, and to require the consideration of misuse of control systems.

d. Interdependency

116. The CIP Assessment noted that CIP–002–1 does not address the issue of interdependency with other infrastructures and explained that there may be occasions where an electric sector asset, while not critical to Bulk-Power System reliability, may be crucial to the operation of another critical infrastructure.70 The CIP Assessment asked (1) whether this issue is appropriate for inclusion in CIP–002–1 and (2) whether this topic is an area for future coordination and collaboration with other industries and government agencies.

117. Commenters generally agree that this issue is worthy of consideration and coordination and cooperation could be

66 E.g., AMP-Ohio, EPSA, and Cleveland Public Power.
67 NERC Comments, Attachment 1 at 17 (in response to a CIP Assessment suggestion regarding the need for regional perspective in CIP–003–1).
68 The Electric Sector Information Sharing and Analysis Center was created based on a recommendation of Presidential Decision Directive 63, which defined specific infrastructures critical to the national economy and public well-being. ESISAC serves the Electricity Sector by facilitating communications between electricity sector participants, governmental entities, and other critical infrastructures. It is the job of the ESISAC to promptly disseminate threat indications, analyses, and warnings, together with interpretations, to assist electricity sector participants to take protective actions. NERC is functioning as the operator of the ESISAC.
69 The NERC Glossary defines ‘‘Critical Cyber Assets’’ as ‘‘Cyber Assets essential to the reliable operation of critical assets.’’ It defines ‘‘Cyber Assets’’ as ‘‘programmable electronic devices and communication networks including hardware, software, and data.’’ Therefore, marketing data or other system data that are essential to the proper operation of the critical asset may confer critical cyber asset status to those data and the computer systems that process them.
70 CIP Assessment at 17.
advantageous. However, most commenters consider the topic outside the scope of CIP–002–1.71 By contrast, one commenter posits that there is a clear need to articulate that this type of interdependency analysis should be part of the responsible entity’s determination of critical assets.72

Commission Proposal

118. Reliability Standard CIP–002–1 pertains to the identification of assets critical to Bulk-Power System reliability. While broader interdependency issues cannot be ignored, the Commission intends to revisit this matter through future proceedings and with other agencies. This work will help to inform the electric sector and this Commission about the need for future Reliability Standards, especially when the interdependent infrastructures affect generating capabilities, such as through fuel transportation.

e. Commission Proposal Summary

119. In summary,73 the Commission proposes to approve Reliability Standard CIP–002–1 as mandatory and enforceable. In addition, the Commission proposes to direct the ERO, pursuant to section 215(d)(5) of the FPA and § 39.5(f) of our regulations, to develop modifications to CIP–002–1 through its Reliability Standards development process that: (1) Provide some basic guidance on the content or considerations to be applied in a risk-based assessment methodology; (2) include a requirement that a senior manager annually review and approve the risk-based assessment methodology; (3) include a mechanism for the external review and approval of critical asset lists based on a regional perspective; and (4) modify Requirement R1.2 to (a) clarify the requirement to show why specific assets were or were not chosen as critical assets and (b) require the consideration of misuse of control systems.

2. CIP–003–1—Security Management Controls

120. Reliability Standard CIP–003–1 seeks to ensure that each responsible entity has minimum security management controls in place to protect critical cyber assets identified pursuant to CIP–002–1. To achieve this goal, a responsible entity first must develop a cyber security policy that represents management’s commitment and ability to secure its critical cyber assets. The responsible entity must designate a senior manager to lead and direct the responsible entity’s cyber security program. This senior manager will also be the person authorized to approve any exception set out in the entity’s cyber security policy.

121. Further, a responsible entity must implement an information protection program to identify, classify and protect sensitive information concerning critical cyber assets, as well as an access control program to designate who may have access to such information. Finally, the responsible entity must establish a change control and configuration management program to oversee changes made to the critical cyber assets’ hardware or software.

122. The Commission proposes to approve Reliability Standard CIP–003–1 as mandatory and enforceable. In addition, we propose to direct the ERO to develop modifications to this Reliability Standard. In our discussion below, the Commission addresses its concerns in the following topic areas regarding CIP–003–1: (1) Adequacy of policy guidance; (2) discretion to grant exceptions; (3) leadership; (4) access authorization; (5) change control and configuration management; and (6) interconnected networks.

a. Adequacy of Policy Guidance

123. Requirement R1 of Reliability Standard CIP–003–1 directs the responsible entity to ‘‘document and implement a cyber security policy that represents management’s commitment and ability to secure its critical cyber assets.’’ The only guidance that is given with regard to the nature and scope of the cyber security policy is that it ‘‘addresses the Requirements in CIP–002–1 through CIP–009–1, including the provisions for emergency situations.’’ The Requirement also requires that a senior manager annually review and approve the policy.

124. The CIP Assessment stated that senior management involvement should improve the prioritization of control system security within the entity, including allocation of resources.74 It explained that, since many of the Requirements in the CIP Reliability Standards leave considerable discretion to each responsible entity, the scope and thoroughness of the cyber security policies could vary widely. Thus, the CIP Assessment expressed concern that, because Requirement R1 does not address the policy’s adequacy, this Requirement could actually mask certain security vulnerabilities.

125. APPA/LPPC are not convinced that the variation allowed in cyber security policies means that plans lack a sufficient level of protection. They believe that the Reliability Standard allows an appropriate level of variation as to how specific requirements will be met. Likewise, Georgia System does not share the CIP Assessment’s concern that Requirement R1 could allow responsible entities to mask vulnerabilities, positing that it is in a utility’s self-interest to take actions that improve reliability. Thus, it does not see a need for any additional guarantee that the involvement of senior management will result in improvements to the responsible entity’s cyber security policy.

Commission Proposal

126. The Commission acknowledges that details of particular security policies will vary due to the different cyber architectures and equipment used by the responsible entities. However, in addition to consideration of every Requirement in Reliability Standards CIP–002–1 through CIP–009–1, the Commission expects that responsible entities’ security policies will address issues that are not currently reflected in the CIP Reliability Standards, but are important to the security of the control system. For instance, currently data networks and communication networks are not covered by any CIP Reliability Standard. Yet these networks play an important role in the proper functioning of the control systems. The Commission would expect a security policy for control systems to address the responsible entity’s actions to protect communication networks. Other possible topics for guidance here are the appropriate use of defense in depth strategy; the use of wireless communications for control systems; uninterruptible power supplies; and heating, ventilation, and air-conditioning equipment for critical cyber assets. We note that Recommendation 34 of the Blackout Report states that ‘‘grid-related organizations should have a planned and documented security strategy, governance model, and architecture for EMS [energy management systems] automation systems.’’ 75

127. The Commission proposes to direct the ERO to modify CIP–003–1 to provide additional guidance for the topics and processes that the required cyber security policy should address to ensure that the responsible entity

71 E.g., APPA/LPPC, Duke, EEI, Georgia System, National Grid, NERC, ReliabilityFirst, SPP, Xcel, SoCal Edison, Progress Energy, and MidAmerican.
72 ISA Group.
73 This summary should be read in conjunction with the discussion above.
74 CIP Assessment at 19.
75 See Blackout Report at 165, Recommendation 34.
reasonably protects its critical cyber assets.

b. Discretion to Grant Exceptions

128. Requirement R3 of CIP–003–1 provides that a responsible entity must document as an exception, with senior manager authorization, each instance where a responsible entity cannot conform to its security policy developed pursuant to Requirement R1. Documentation of the exception must include ‘‘an explanation as to why the exception is necessary and any compensating measures, or a statement accepting risk.’’ An exception to the cyber security policy must be documented within 30 days of senior management approval. An authorized exception must be reviewed and approved annually to ensure that the exception is still required and valid.

129. The CIP Assessment expressed concern that this provision allows for broad discretion and may serve as a disincentive for upgrading to control systems that fully comply with cyber security Reliability Standards.76 With regard to a responsible entity’s option to ‘‘accept the risk,’’ it pointed out that, for interconnected control systems of various entities, acceptance of risk by one entity is actually an acceptance of risk for all those that are interconnected. Yet, other entities may not be aware of the vulnerability, particularly absent any oversight or regional perspective of the risks or vulnerabilities that may exist.

130. Most commenters believe that it is appropriate to provide latitude for management to document exceptions to the responsible entity’s established policies, select alternative and mitigating solutions, and ultimately accept residual risk. APPA/LPPC expect that the exercise of discretion will be one of the areas that will draw the most attention from auditors.

131. Others, such as California PUC, agree with the CIP Assessment’s concern that the broad discretion allowed for exceptions could act as a disincentive for upgrading control systems. California PUC also agrees that acceptance of the risk in a cyber environment is actually an acceptance of risk for all connected entities because the entity that initially accepts the risk becomes the ‘‘weak link’’ in the chain. Santa Clara suggests that a responsible entity that makes exceptions and ‘‘accepts risks’’ is responsible for communicating such exceptions to its Regional Entity, which can then evaluate the overall ‘‘risk,’’ if any, to the bulk electric system. The Regional Entity, in turn, can then communicate appropriately to any interconnected entities so that they might take any necessary action.

Commission Proposal

132. The Commission is concerned that CIP–003–1 allows a responsible entity too much latitude in excusing itself from compliance with its cyber security policy. While there may be valid reasons for exceptions to a cyber security policy, and it is helpful that exceptions must be explained in writing and approved by a designated senior manager, the Commission does not believe that the ‘‘exceptions’’ provision provides sufficient rigor or external accountability regarding the decision of a responsible entity to except itself from the cyber security policy. Accordingly, the Commission proposes to direct that NERC develop a modification to Requirement R3 of CIP–003–1 to require a responsible entity to periodically submit to the Regional Entity the documentation of exceptions to the cyber security policy. The Commission believes that the external review of this documentation will provide added assurance that each responsible entity adequately justifies the exceptions to its cyber security policy.

133. In addition, the Commission believes that there is a distinction between situations where a responsible entity excepts itself from its cyber security policy, rather than from specific Requirements of the CIP Reliability Standards based on technical feasibility. An exception to a cyber security policy provision does not also excuse compliance with a Requirement of a CIP Reliability Standard. Generally, a responsible entity has no authority to excuse itself from compliance with a mandatory Reliability Standard. As discussed above in section II.B.1.6, the CIP Reliability Standards do include several Requirements that allow an exception based on technical feasibility. However, the Commission has proposed to direct NERC to modify such provisions so that a responsible entity can only invoke the technical feasibility exception after fulfilling specific conditions including receiving approval from the ERO or the relevant Regional Entity. In contrast, an exception to a cyber security policy would require only senior manager approval and after-the-fact reporting to the Regional Entity. Accordingly, the Commission proposes to direct NERC to clarify that the exceptions mentioned in Reliability Standard CIP–003–1, Requirements R2.3 and R3, do not except responsible entities from the requirements of the CIP Reliability Standards.

c. Leadership

134. The CIP Assessment notes that senior management involvement in security issues is important to ensure that responsible entities achieve compliance as quickly as possible and to ensure that it exercises any necessary discretion in an appropriate manner.77

135. While National Grid concurs with the CIP Assessment, it also suggests that given the wide variety of critical assets, critical cyber assets and physical security requirements, no single senior manager has the expertise or authority to ensure compliance with all of the CIP Reliability Standards.

Commission Proposal

136. The Commission’s view is that Requirement R2 of CIP–003–1 should be interpreted to require the designation of a single manager who has direct and comprehensive responsibility for the implementation and ongoing compliance with the CIP Reliability Standards. While this senior manager must have authority to delegate tasks and responsibilities within the entity’s management structure, we believe that the senior manager must remain accountable for the responsible entity’s compliance with the CIP Reliability Standards. In our view, it is essential to make clear both the ‘‘authority and ownership’’ for security, as Recommendation 43 of the Blackout Report states.78 Therefore, the Commission proposes to direct the ERO to modify CIP–003–1 to make clear the senior manager’s ultimate responsibility.

d. Access Authorization

137. Requirement R5 of CIP–003–1 directs the responsible entity to implement a program for managing access to protected critical cyber asset information. The CIP Assessment suggested that an annual review of personnel access to this information appears insufficient and could result in unnecessary vulnerability, especially since there is no requirement that a responsible entity revise access privileges to such protected information upon employee termination or job reassignment.

138. Many commenters agree with the CIP Assessment’s concern that an employee who leaves the company or who no longer performs job functions that require access to critical cyber assets should have that access revoked

76 CIP Assessment at 20.
77 CIP Assessment at 20.
78 See Blackout Report at 169, Recommendation 43.
promptly.79 NERC, Xcel, FirstEnergy and ReliabilityFirst note that this Requirement seeks establishment of ‘‘a program for managing access to protected critical cyber asset information.’’ They stress that CIP–003–1, Requirement R5 relates to the governance and approval process, not the implementation and review of individual access (the oversight responsibility of which lies with the senior manager of the responsible entity). NERC asserts that the three requirements work together. The implementation provisions are in Requirement R5 of CIP–007–1, the revocation requirements are in Requirement R4 of CIP–004–1, and the management review and approval requirements are in Requirement R5 of CIP–003–1. NERC argues that, together, these provisions serve as a check that the CIP–004–1 revocation provision has been implemented.

Commission Proposal

139. The Commission believes that the language of CIP–007–1, Requirement R5, CIP–004–1, Requirement R4, and CIP–003–1, Requirement R5 does not interlink these related provisions as clearly as some commenters assert. We are not persuaded by commenters who claim these Requirements adequately address the access issues related to employee turnover. We believe that the interrelationship among these provisions must be made clearer. We note that CIP–007–1, Requirement R5.1.3, which specifically refers to CIP–003–1, Requirement R5, addresses ‘‘user accounts.’’ Likewise, CIP–004–1, Requirement R4 addresses authorization for unescorted physical or cyber access to ‘‘critical cyber assets.’’ However, the information for which Requirement R4 of CIP–003–1 requires protection appears to be broader than ‘‘user accounts’’ and ‘‘critical cyber assets.’’ According to CIP–003–1, Requirement R4, protected information includes lists of critical cyber assets, floor plans, and security configuration information. While the concept of access authorization is similar across these provisions, there is no explicit mention in them of revoking access to ‘‘information’’ about critical cyber assets. While the priority must be on granting and revoking access to the critical cyber assets themselves, access to information concerning the critical cyber assets should also be adequately

prevent inappropriate disclosure of the information.80 Thus, the Commission proposes to direct the ERO to modify Reliability Standards CIP–003–1, CIP–004–1, and/or CIP–007–1, to ensure and make clear that access to protected information is revoked promptly.

e. Change Control and Configuration Management

140. Requirement R6 requires the responsible entity to establish a process of change control and configuration management for adding, modifying, replacing, or removing critical cyber asset hardware or software.

141. The CIP Assessment noted that entities often rely on commercial vendors to test and certify that electronic security patches they provide will not adversely affect other electronic systems already in place. It is not clear how a responsible entity could otherwise verify that a problem does not exist without burdensome testing each time a patch is implemented. Such a testing requirement may also inhibit or delay the use of security patches and thereby prolong vulnerabilities that would otherwise be relatively easy to fix.

142. Santa Clara submits that electric utilities, like all ‘‘cyber users,’’ must rely on information technology vendors for accurate and reliable ‘‘emergency or normal modifications.’’ It suggests that it is not only unrealistic, but unnecessary, to expect that all responsible entities under the CIP Reliability Standards should, or could, possess the technical expertise to understand an IT vendor’s code in enough detail to ensure that any modifications made by the IT vendor are accurate and reliable.

143. SPP believes that the purpose of the change management program is to ensure the entity is aware of all changes being made to a critical cyber asset and, in being aware, readily recognizes when an unapproved change is made. An unapproved change could be an indication of a cyber attack in progress. SPP comments that Requirement R6 may fall short because it does not specify the need for detection and monitoring controls to determine when changes occur. SPP also asserts that a proper change management program includes provisions for routine, planned changes and emergency, unplanned changes.

the essence of managing changes intentionally made to critical cyber assets, it fails to address accidental consequences or malicious actions by individuals. Thus, the Commission believes that this Requirement needs to go further and we propose to direct the ERO to make two changes. First, we propose additional wording to require verification that authorized changes made to critical cyber assets, which include software and data, only affect processes that are intended. Our concern here includes both accidental consequences and malicious actions by individuals performing the changes. Second, we propose a requirement for responsible entities to take actions to detect unauthorized changes to critical cyber assets. Such changes could result from malicious actions originating either outside or inside the responsible entity. No electronic security perimeter is 100 percent effective, especially when a malicious action is performed by an insider, and detection must be part of a good cyber security program. Therefore, the Commission proposes, as suggested by SPP, to direct the ERO to modify Requirement R6 of Reliability Standard CIP–003–1 to include in the process of change control and configuration management a requirement for detection and monitoring controls to determine if changes are made as intended and to investigate whether any unintended or unplanned changes have been made.

f. Interconnected Networks

145. The CIP Assessment also raised a concern that interconnected control system networks are more susceptible to infiltration by a cyber intruder. Georgia Operators responds that every responsible entity must protect its critical cyber assets by guarding its electronic access points against the spread of harm from external interconnected entities. This task can only be accomplished by assuming that such external entities are themselves unprotected.

146. NERC and ReliabilityFirst claim that the purpose of establishing policy and procedure is for a responsible entity to protect itself from the ‘‘outside world’’ wherever that ‘‘outside world’’ might exist. It does not matter if the ‘‘outside’’ is an internally connected corporate network, or a completely separate entity. These commenters explain that the CIP Reliability Standards address a responsible entity’s
jlentini on PROD1PC65 with PROPOSALS3

protected, and revocations always Commission Proposal area of responsibility—the equipment it


should be made promptly. We also note 144. While Requirement R6 of owns and controls. All interconnected
that Recommendation 44 of the Reliability Standard CIP–003–1 captures control system network
Blackout Report stresses the need to communications will traverse through
80 See Blackout Report at 169, Recommendation electronic access points; therefore, there
79 E.g., APPA/LPPC and California PUC. 44. exists a need for ‘‘security’’ on the

VerDate Aug<31>2005 18:22 Aug 03, 2007 Jkt 211001 PO 00000 Frm 00018 Fmt 4701 Sfmt 4702 E:\FR\FM\06AUP3.SGM 06AUP3
Federal Register / Vol. 72, No. 150 / Monday, August 6, 2007 / Proposed Rules 43987

interconnection points. Both the commenters state that the electronic security perimeter effectively implements a model of mutual distrust between any collection of critical cyber assets within an electronic security perimeter, and any and all other cyber assets.

Commission Proposal

147. The Commission agrees with commenters who caution that a responsible entity should protect itself from whatever is outside its control system. The phrase ‘‘mutual distrust’’ has been used to denote how these ‘‘outside world’’ systems are treated by those inside the control system. However, there is very little guidance for how a responsible entity would configure an architecture under a ‘‘mutual distrust’’ posture to handle both interactive login-type connectivity between the outside world and the control system as well as direct application communications (data shared between programs) that also occur between the control system and the outside world (both internal and external to the responsible entity). In addition, the Commission notes that, in our earlier discussion regarding the applicability of the CIP Reliability Standards to small entities, we relied in part upon the expectation that the responsible entities would adopt ‘‘mutual distrust’’ postures when receiving communications from others that impact the functioning of control systems. Therefore, the Commission proposes to direct the ERO to modify Reliability Standard CIP–003–1 to provide direction regarding the issues and concerns that a ‘‘mutual distrust’’ posture must address to protect the control system from the ‘‘outside world.’’[81]

[81] An architecture with a mutual distrust posture could involve various hardware or software mechanisms or manual procedures to restrict and verify access to the control system from these outside sources. Examples include: Firewalls; data checking software(s); or procedures for manually implementing a connection to allow a vendor to perform maintenance work.

g. Commission Proposal Summary

148. In summary, the Commission proposes to approve Reliability Standard CIP–003–1 as mandatory and enforceable. In addition, the Commission proposes to direct the ERO, pursuant to section 215(d)(5) of the FPA and § 39.5(f) of our regulations, to develop modifications to CIP–003–1 through its Reliability Standards development process that (1) provide additional guidance for the topics and processes that should be addressed by the required cyber security policy in order to ensure that the responsible entity reasonably protects its critical cyber assets; (2) require a responsible entity to submit periodically to the Regional Entity the documentation of exceptions to the cyber security policy; (3) clarify that the exceptions mentioned in Requirements R2.3 and R3 of CIP–003–1 do not except responsible entities from the requirements of the CIP Reliability Standards; (4) make clear that the senior manager ultimately remains responsible for the responsible entity’s compliance with the CIP Reliability Standards; (5) ensure and make clear that access to protected critical cyber asset information is revoked promptly (and make parallel modifications to CIP–004–1 and CIP–007–1 as needed); (6) include in the process of change control and configuration management a requirement for detection and monitoring controls to determine if changes were made as intended and to investigate whether any unintended or unplanned changes have occurred; and (7) provide direction regarding the issues and concerns that a ‘‘mutual distrust’’ posture must address in order to protect a responsible entity’s control system from the ‘‘outside world.’’

3. CIP–004–1—Personnel and Training

149. Reliability Standard CIP–004–1 requires that personnel having authorized cyber access or unescorted physical access to critical cyber assets must have an appropriate level of personnel risk assessment, training and security awareness. Responsible entities must develop and implement a security awareness program that addresses concerns related to cyber security; a cyber security training program for affected personnel that addresses policies, access controls, procedures for the proper use of critical cyber assets, physical and electronic access to critical cyber assets, proper handling of asset information, and recovery methods after a Cyber Security Incident; and a personnel risk assessment program for all personnel having access to critical cyber assets.

150. The Commission proposes to approve Reliability Standard CIP–004–1 as mandatory and enforceable. In addition, we propose to direct the ERO to develop modifications to this Reliability Standard. In our discussion below, the Commission addresses its concerns in the following topic areas regarding CIP–004–1: (1) Training; (2) personnel risk assessments; (3) access; and (4) jointly owned facilities.

a. Training

151. The CIP Assessment noted that the training requirements specified in Requirement R2 apply to all personnel, contractors, and service vendors who have authorized cyber access or unescorted physical access to critical cyber assets.[82] It then expressed concern that this requirement does not clearly address the interconnectivity of systems; i.e., the required training programs should address not only the critical cyber assets themselves, but also any networking hardware or software linking them. It noted that the importance of network support to the overall security environment may not be understood by personnel if the training does not encompass the related non-critical cyber assets, such as switches and routers that can impact the security of the critical cyber assets. Moreover, it pointed out that while this requirement specifies the minimum topics that training should cover, it does not provide criteria for assessing the quality and adequacy of the training. With regard to both the awareness program of Requirement R1 and the training program of Requirement R2, the CIP Assessment noted that certain NIST publications provide guidance on training of personnel and practices that enhance the security posture of information systems.[83]

[82] CIP Assessment at 23.

[83] See NIST Special Publication 800–16, Information Technology Security Training Requirements: A Role- and Performance-Based Model (1998); and NIST Special Publication 800–50, Building an Information Technology Security Awareness Training Program (2003), available at: http://csrc.nist.gov/publications/nistpubs/.

152. NERC states that a subset of networking hardware and software is included in Requirement R2 to the extent active communications hardware and software reside within the defined electronic security perimeter, and because such hardware and software act as an electronic access control, defining the electronic security perimeter. NERC draws attention to the fact that communication networks and data communication links between discrete electronic security perimeters are specifically excluded by Applicability section 4.2.2 of this Reliability Standard.

153. APPA/LPPC believe that most, if not all, networking hardware and software will be essential to the operation and control of critical cyber assets and therefore will be subject to the Reliability Standard and encompassed by the security training requirement. FirstEnergy notes the Measures and Compliance provisions currently require only documentation of
the requirements and states that NERC should focus on developing Reliability Standards to maintain the quality of personnel training in this area. FirstEnergy states that training requirements should be appropriate to each employee’s experience and access level.

154. The CIP Assessment also questioned whether it is appropriate to allow personnel to have access to critical cyber assets for up to 90 days prior to receiving any cyber security training, as Requirement R2.1 allows. It suggested that personnel should receive the training prior to such access.

155. NERC and ReliabilityFirst state that the sub-requirements of Requirement R2 list specific expected outcomes from the training. NERC and ReliabilityFirst state that the 90-day period is based on the belief that certain conditions may require that personnel receive access prior to specific additional training in cyber security processes and procedures in order to maintain or restore the reliable operation of the Bulk-Power System. They explain that standard industry practice ensures anyone with access to sensitive systems has had adequate training, but that such training may not have been specific to the systems or environment to which they receive access, such as when, in an emergency restoration, personnel with specialized knowledge may be required to access systems outside their normal assignments.[84]

[84] APPA/LPPC, SPP and Xcel agree that this flexibility is needed in emergency situations, and comment that training beforehand would not always be practical.

156. APPA/LPPC agree with the CIP Assessment that, whenever possible, personnel should receive their cyber security training and undergo the required personnel risk assessment before being allowed access to critical cyber assets. However, APPA/LPPC favor retention of the 90-day period for conducting training so that responsible entities will not risk a technical violation of the Reliability Standard when emergency conditions require that personnel obtain access before they are trained or authorized with access.

157. ISA Group agrees with the CIP Assessment that training in critical security practices should occur prior to an individual having the corresponding access and suggests making a distinction between the training that is needed before access is granted and the remaining training that is not critical for access but still significant. The ISA Group also states that training and awareness programs should be specific to the critical cyber assets to be protected and that persons who provide the training should be adequately trained to address the cyber security of the systems. SPP and ISO–NE agree with the CIP Assessment that allowing unescorted access to critical cyber assets prior to security training introduces an unnecessary risk. SPP suggests that, under normal circumstances, training prior to access should be the requirement with provisions made for emergency conditions.

Commission Proposal

158. Training is clearly integral to the protection of critical cyber assets. Allowing personnel to access critical cyber assets prior to receiving training increases the vulnerability of and risk to such assets. Thus, such access should not be the norm under the Reliability Standard. Accordingly, we propose to direct the ERO to modify this provision to require affected personnel to receive the required training before obtaining access to critical cyber assets (rather than within 90 days of access authorization), but allowing limited exceptions, such as during emergencies, subject to documentation and mitigation.

159. Alternate provisions for emergencies and certain other conditions could be designed, such as requiring documentation of all personnel who received access to particular equipment during the emergency and whether they received a briefing or any other training prior to their access concerning the specific facilities; the extent to which people needed for the emergency had received general training and possessed appropriate specialized expertise for the circumstance; and any risk mitigation steps taken during the emergency access, as discussed by commenters in this proceeding. To facilitate communications in emergency situations, the Commission proposes to direct the ERO to require responsible entities to identify ‘‘core training’’ elements to ensure that essential training elements will not go unheeded in an emergency and other contingency situations where full training prior to access will not best serve the reliability of the Bulk-Power System. We note that during ‘‘emergency conditions,’’ the Bulk-Power System could be particularly vulnerable to mischief or mistakes, and we propose to require the ERO to consider this when developing the modification. We also propose to direct the ERO to consider what, if any, modifications to CIP–004–1 should be made to address the concern raised by the ISA Group that security trainers be adequately trained themselves.

160. In addition, we propose to direct the ERO to modify CIP–004–1 to clarify that the cyber security training programs required by Requirement R2 are intended to encompass training on the networking hardware and software and other issues of electronic interconnectivity supporting the operation and control of the critical cyber assets. As indicated by the comments, it is not clear whether interconnectivity issues are already included in the proposed language of the training requirement of CIP–004–1. One method of clarification the ERO should consider is the addition of a provision such as that contained in CIP–005–1, Requirement R1.4, which specifically subjects any non-critical cyber asset within a defined electronic security perimeter to the Reliability Standard. CIP–004–1 should leave no doubt that cyber security training concerning a critical cyber asset should encompass the electronic environment in which the asset is situated and the attendant vulnerabilities.

161. Finally, we propose to direct the ERO to increase the guidance in the Reliability Standard as to the scope and quality of training. We note that part of the goal for training, in conjunction with awareness programs, is to keep security practices on the minds of employees, contractors, and vendors. Examples of some areas where the inclusion of guidance can be considered are: control of electronic devices (such as laptop computers), the appropriate audiences for the training, delivery methods, and updates of training materials. In our view, the awareness and training programs, addressed separately by Requirements R1 and R2, complement each other and work in tandem. In parallel with the security awareness program, we expect the ERO to consider relevant aspects of the cited NIST Special Publications, as well as other relevant models, to improve CIP–004–1 and prevent a lowest common denominator result.

b. Personnel Risk Assessment

162. Requirement R3 of CIP–004–1 requires each responsible entity to have a documented personnel risk assessment program. It also requires that a personnel risk assessment, including a criminal check, be conducted within 30 days after a person receives cyber access or unescorted physical access to critical cyber assets. The CIP Assessment noted that Requirement R3 would allow access to critical cyber assets while investigation is still underway, and even before an investigation has started.
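The timing rules discussed in paragraphs 154 through 169 (training within 90 days of access authorization under Requirement R2.1, a personnel risk assessment within 30 days under Requirement R3, and revocation within 24 hours for cause or seven calendar days otherwise under Requirement R4.2) and the tighter rules the Commission proposes in their place (training and risk assessment before access, with documented emergency exceptions, and immediate revocation) can be expressed as a check run over the Requirement R4 authorization list, which is one way of turning the list into something the responsible entity "must do" with it. The following is an added example, not text or code from the NOPR, from NERC or from any responsible entity; the AccessRecord fields, the finding labels, the treatment of an undocumented emergency exception, the "as of" evaluation date and the roster entries are assumptions constructed for illustration.

```python
"""Access-lifecycle checks modelled on CIP-004-1 R2.1, R3 and R4.2 (as filed and as proposed).

Added illustration; the roster below is constructed, not taken from any entity.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Windows from the standard as filed (paragraphs 154, 162 and 167 of the NOPR).
TRAINING_WINDOW = timedelta(days=90)    # R2.1: training within 90 days of access authorization
PRA_WINDOW = timedelta(days=30)         # R3: personnel risk assessment within 30 days of access
REVOKE_FOR_CAUSE = timedelta(hours=24)  # R4.2: personnel terminated for cause
REVOKE_OTHER = timedelta(days=7)        # R4.2: personnel who no longer require access


@dataclass
class AccessRecord:
    """One entry on the R4 authorization list (field names are assumptions)."""
    name: str
    access_granted: datetime
    training_completed: Optional[datetime] = None
    pra_completed: Optional[datetime] = None
    existing_relationship: bool = False    # already an employee/vendor at the effective date
    emergency_exception: bool = False      # documented emergency access (proposed exception)
    need_ended: Optional[datetime] = None  # transfer, retirement or termination date
    for_cause: bool = False
    access_revoked: Optional[datetime] = None


def _missed(deadline: datetime, done: Optional[datetime], as_of: datetime) -> bool:
    """True when the obligation was met late, or is still open past its deadline."""
    return as_of > deadline if done is None else done > deadline


def check_training(rec: AccessRecord, as_of: datetime, proposed: bool) -> List[str]:
    if proposed:
        # Para. 158: training before access, limited documented exceptions (e.g. emergencies).
        late = rec.training_completed is None or rec.training_completed > rec.access_granted
        return ["training-not-before-access"] if late and not rec.emergency_exception else []
    deadline = rec.access_granted + TRAINING_WINDOW
    return ["training-after-90-days"] if _missed(deadline, rec.training_completed, as_of) else []


def check_pra(rec: AccessRecord, as_of: datetime, proposed: bool) -> List[str]:
    if proposed and not rec.existing_relationship and not rec.emergency_exception:
        # Para. 166: newly hired personnel and vendors get no access before the PRA completes.
        late = rec.pra_completed is None or rec.pra_completed > rec.access_granted
        return ["pra-not-before-access"] if late else []
    # As filed, and retained under the proposal for current personnel: the 30-day window.
    deadline = rec.access_granted + PRA_WINDOW
    return ["pra-after-30-days"] if _missed(deadline, rec.pra_completed, as_of) else []


def check_revocation(rec: AccessRecord, as_of: datetime, proposed: bool) -> List[str]:
    if rec.need_ended is None:
        return []
    revoked_at = rec.access_revoked if rec.access_revoked is not None else as_of
    lag = revoked_at - rec.need_ended
    if proposed:
        limit = timedelta(0)  # para. 169: immediate revocation, for any reason
    else:
        limit = REVOKE_FOR_CAUSE if rec.for_cause else REVOKE_OTHER
    if lag <= limit:
        return []
    return ["access-still-open" if rec.access_revoked is None else "revocation-late"]


def evaluate(rec: AccessRecord, as_of: datetime, proposed: bool = False) -> List[str]:
    return (check_training(rec, as_of, proposed)
            + check_pra(rec, as_of, proposed)
            + check_revocation(rec, as_of, proposed))


def audit(roster: List[AccessRecord], as_of: datetime,
          proposed: bool = False) -> Dict[str, List[str]]:
    """Map each person on the list to the findings against them (empty list = compliant)."""
    return {rec.name: evaluate(rec, as_of, proposed) for rec in roster}


D = datetime
ROSTER = [  # constructed sample data
    AccessRecord("alice", D(2008, 1, 10), D(2008, 1, 8), D(2008, 1, 5)),
    AccessRecord("bob", D(2008, 1, 10), D(2008, 3, 1), D(2008, 2, 20)),
    AccessRecord("carol", D(2008, 1, 10), D(2008, 1, 8), D(2008, 1, 5),
                 need_ended=D(2008, 2, 1, 9), for_cause=True, access_revoked=D(2008, 2, 3, 9)),
    AccessRecord("dave", D(2008, 1, 10), D(2008, 1, 8), D(2008, 1, 5),
                 need_ended=D(2008, 2, 1), access_revoked=D(2008, 2, 5)),
    AccessRecord("eve", D(2008, 1, 15), D(2008, 1, 20), D(2008, 2, 1),
                 existing_relationship=True, emergency_exception=True),
    AccessRecord("frank", D(2008, 1, 10), D(2008, 1, 8), D(2008, 1, 5), need_ended=D(2008, 2, 1)),
]
AS_OF = D(2008, 3, 1)

if __name__ == "__main__":
    for mode in (False, True):
        print("proposed rules" if mode else "as filed")
        for name, findings in audit(ROSTER, AS_OF, proposed=mode).items():
            print(f"  {name:6s} {findings or 'ok'}")
```

Run as filed, only bob (risk assessment 41 days after access) and carol (revoked 48 hours after a for-cause termination) and frank (access never revoked) produce findings; dave's four-day lag after a transfer is within the seven-day window. Under the proposed rules, bob also fails the training-before-access and assessment-before-access checks, dave's lag becomes a finding because revocation is expected to be immediate, and eve passes because her documented emergency exception and existing relationship keep her within the retained 30-day window.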

163. NERC and ReliabilityFirst assert that certain conditions affecting the reliable operation of the Bulk-Power System may require that personnel be allowed to access the critical cyber assets prior to completing the personnel risk assessment process, although they may be subject to escort and review during the investigative period.

164. Several commenters agree with the CIP Assessment that an appropriate personnel risk assessment should be completed before an employee (especially a newly hired employee or vendor) is granted access to critical cyber assets. SPP states that emergency contingency procedures can be developed to handle situations where access must be granted prior to completing the required background check.

165. However, NERC and other commenters have concerns about existing personnel. NERC and ReliabilityFirst assert that certain conditions affecting the reliable operation of the Bulk-Power System may require that personnel be allowed to access the critical cyber assets prior to the completion of the personnel risk assessment process, although they may be subject to escort and review during the investigative period. National Grid expresses concern that, since the Requirement appears to apply to a significant portion of the existing utility workforce, any attempt to revoke access to such employees while completing their personnel risk assessments would create more reliability concerns than simply allowing such employees to remain on the job. FirstEnergy states that the 30-day window may be appropriate for employees and vendors with which the responsible entity has had a working relationship. FirstEnergy comments that Requirement R3 does not provide sufficient detail on what constitutes an adequate personnel risk assessment, which could cause variable interpretations of this Requirement. ISO–NE agrees with the CIP Assessment that the Reliability Standard provides insufficient direction regarding the elements of an appropriate awareness program.

Commission Proposal

166. Similar to our concerns regarding the training provisions of Requirement R2, we believe that allowing applicable personnel, including vendors, to access critical cyber assets prior to the completion of their personnel risk assessment increases the vulnerability of, and risk to, these assets. We also observe that Recommendation 41 of the Blackout Report emphasizes the need for guidance on implementing background checks.[85] At the same time, we believe that commenters have raised a valid concern regarding the disruptions that would result if current employees and vendors with established involvement were denied access to critical cyber assets for a 30-day period. Accordingly, we propose that the ERO develop modifications to Requirement R2 to provide that newly-hired personnel and vendors should not have access to critical cyber assets, except in specified circumstances such as an emergency. The ERO should determine the parameters of such exceptional circumstances in developing the proposed modification through its Reliability Standards development process. However, to avoid disruptions, we propose that the 30-day window allowing access before the personnel risk assessment is completed remain in effect for current employees and vendors with existing contractual relationships with the responsible entity as of the effective date of the Reliability Standard. We propose to direct that the ERO include, in developing modifications to CIP–004–1, criteria that address circumstances in which current personnel can continue access to critical cyber assets during the 30-day investigative period during initial compliance with CIP–004–1.

[85] See Blackout Report at 167–168, Recommendation 41, where the Blackout Report recommends that NERC provide guidance on background checks to be completed on contractor and sub-contractor employees in advance of allowing access to secure facilities.

c. Access

167. Requirement R4 directs the responsible entity to maintain list(s) of personnel with authorized cyber or authorized unescorted physical access to critical cyber assets. The CIP Assessment observed that the lists do not serve to deny personnel access from critical cyber assets prior to completion of a personnel risk assessment. However, Requirement R4.2 requires that access to critical cyber assets be revoked within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access.

168. NERC states that while the access list itself does not prevent access, it does provide for identification of personnel for which additional levels of review and escort may be assigned. California PUC suggests amending the Reliability Standard to require immediate updates when an employee is transferred, retires, or is terminated.

Commission Proposal

169. Timely system updates to access rights are important. Employee, contractor, or vendor access to critical cyber assets when the employee, contractor, or vendor no longer has a need for such access, due for example to a transfer or termination, represents a gap in security. Moreover, while Requirement R4 of CIP–004–1 requires a responsible entity to maintain a list of authorized personnel, it does not indicate what the responsible entity must do with the list. Accordingly, the Commission proposes to direct that NERC develop modifications to CIP–004–1 to require immediate revocation of access privileges when an employee, contractor, or vendor no longer performs a function that requires authorized physical or electronic access to a critical cyber asset for any reason (including disciplinary action, transfer, retirement or termination). Because an organization is typically aware in advance of personnel action dates, timely updating of the authorization list should not be unduly burdensome. Further, we propose to direct that NERC modify Requirement R4 to make clear that unescorted physical access should be denied to individuals that are not identified on the authorization list.

d. Question of Jointly Owned Facilities

170. APPA/LPPC request that the Commission direct NERC to consider clarifications for entities with facilities governed by existing joint use or joint ownership agreements. They explain that most of their members have joint facilities with neighboring entities (e.g., a transmission substation at a point of interconnection with an adjacent system), and that joint facility agreements often prohibit individual co-owners from blocking the other co-owners’ use of, or access to, such facilities. APPA/LPPC state that CIP–004–1 obligates individual responsible entities to block certain persons from their facilities, possibly including persons with existing contractual rights of access. APPA/LPPC believe that one joint facility owner should not be able to block another unaffiliated entity’s existing contractual rights of access. APPA/LPPC also ask that entities with joint facilities not be subject to sanctions solely because an unaffiliated entity that is a party to one of its joint facility agreements failed to comply with CIP–004–1 when acting independently.

Commission Proposal

171. The Commission views joint owners of critical cyber assets as being
equally subject to the CIP Reliability training’’ elements to ensure that mechanisms to control and monitor
Standards as other responsible entities. essential training elements will not go electronic access to all electronic access
If an asset is designated as a critical unheeded in an emergency and other points. Furthermore, the responsible
cyber asset by one joint owner, it must contingency situations where full entity must assess the electronic
be treated likewise by the other training prior to access will not best security perimeter’s cyber vulnerability
owner(s). Thus, each entity that serve the reliability of the Bulk-Power and test every electronic access point at
possesses an interest in a jointly-owned System; (3) clarify that the cyber least annually.
facility would be responsible to develop security training programs required by 177. The Commission proposes to
a list of its authorized personnel and to Requirement R2 are intended to approve Reliability Standard CIP–005–1
respect each other joint owner’s encompass training on networking as mandatory and enforceable. In
corresponding list. hardware and software and other issues addition, we propose to direct the ERO
172. APPA/LPPC also raise the issue of electronic interconnectivity to develop modifications to this
of ‘‘joint use’’ arrangements. For supporting the operation and control of Reliability Standard. Further, the
example, an owner of a critical cyber critical cyber assets; (4) provide Commission also proposes to require the
asset substation may well house increased guidance on the scope and ERO to consider various other matters of
electronic or other equipment on its quality of training; (5) make clarification, guidance, and
premises that belongs to another entity modifications to Requirement R2 to modification. In our discussion below,
that may or may not be subject to these provide that newly-hired personnel and the Commission addresses its concerns
Reliability Standards. The Commission vendors should not have access to in the following topic areas regarding
believes that, in principle, the owner of critical cyber assets, except in specified CIP–005–1: (1) Adequacy of electronic
a critical cyber asset is responsible circumstances such as an emergency; (6) security perimeters; (2) protecting
under the Reliability Standards for address circumstances in which current access points and controls; (3)
ensuring that all persons having access personnel can continue access to critical monitoring access logs; (4) vulnerability
to the critical cyber asset meet the cyber assets during the 30-day assessments; and (5) document updates.
requirements of these Reliability investigative period during initial
Standards, much as the owner is a. Adequacy of Electronic Security
compliance with CIP–004–1; and (7)
responsible to ensure that vendor Perimeters
require immediate revocation of both
personnel have the required levels of physical and electronic access privileges 178. Requirement R1 of CIP–005–1
security training, awareness and when an employee, for any reason addresses the identification of electronic
background checks. (including disciplinary action, transfer, security perimeters to ensure that every
173. Nevertheless, we can appreciate termination, or retirement), no longer critical cyber asset resides within one.
that even with this general guidance, performs a function that requires access The CIP Assessment explained that the
further clarification regarding how to critical cyber assets. electronic security perimeter constitutes
‘‘joint use’’ arrangements should be 175. In addition, the Commission the appropriate first line of defense.
addressed. Therefore, we propose to proposes to direct the ERO to (1) However, a responsible entity should
direct the ERO to address the ‘‘joint consider what, if any, modifications to use a cyber security protection program
use’’ concerns expressed by APPA/LPPC CIP–004–1 should be made to address that contains additional security
while developing any modifications to the concern raised by the ISA Group measures to detect and stop intrusions
these Reliability Standards directed in a that security trainers be adequately that penetrate the outer shell of the
final rule. Regardless of whether a trained; (2) consider relevant aspects of defense (i.e., a defense in depth
facility subject to CIP–004–1 is jointly certain NIST Special Publications, as approach).
owned or not, all entities that have well as other relevant models, to 179. APPA/LPPC and Xcel agree with
access to it must comply with CIP–004–1. Each entity, however, is responsible for only its compliance and may not attempt to block or limit another’s access on the basis of its perception that the other entity has not complied with CIP–004–1. In the event non-compliance is suspected, it must be promptly reported to the Regional Entity or ERO.

e. Commission Proposal Summary

174. In summary, the Commission proposes to approve Reliability Standard CIP–004–1 as mandatory and enforceable. In addition, the Commission proposes to direct the ERO, pursuant to section 215(d)(5) of the FPA and § 39.5(f) of our regulations, to develop modifications to CIP–004–1 through its Reliability Standards development process that: (1) Require affected personnel, with limited exceptions, to receive required training before obtaining access to critical cyber assets (rather than within 90 days of access authorization); (2) require responsible entities to identify “core

improve CIP–004–1; and (3) address the “joint use” concerns expressed by APPA/LPPC and discussed herein by the Commission when developing modifications to the Reliability Standards that the Commission may direct when we issue our final rule.

4. CIP–005–1—Electronic Security Perimeter(s)

176. Reliability Standard CIP–005–1 requires identification and protection of the electronic security perimeters inside which all critical cyber assets are located, as well as all access points. The electronic security perimeters are to encompass all the critical cyber assets that are identified using the risk-based assessment methodology required by Reliability Standard CIP–002–1. Multiple electronic security perimeters may be required; for example, one may be needed around a control room while another may be established around a substation. Once each electronic security perimeter has been established, the responsible entity must develop

the CIP Assessment’s concept of defense in depth and when possible, securing non-critical cyber assets outside the electronic security perimeter. However, APPA/LPPC state that the use of “defense in depth” may not be practical for all critical cyber assets, such as assets supplied by vendors that are no longer in business.

180. Xcel notes that a line needs to be drawn in order to avoid responsible entities taking expensive precautions that are not cost-effective. It further adds that CIP–005–1 should not be extended to equipment and systems beyond the electronic security perimeter.

Commission Proposal

181. The Commission recognizes that there is a point at which having multiple defense layers would not be cost effective. However, the effectiveness of any one defense measure is often dependent upon the quality of active human maintenance, and there is no one perfect defense measure that will guarantee the
protection of the Bulk-Power System. Therefore, we believe that a responsible entity must implement two or more distinct security measures when constructing an electronic security perimeter. Thus, the Commission proposes to direct the ERO to develop a requirement to implement a defensive security approach including two or more defensive measures in a defense in depth posture. This approach should not inhibit, but instead supplement the establishment of an electronic security perimeter. While such layers/measures are generally integrated within and constitute part of a system or program, many are also effectively, and more feasibly, placed “in front of” a system, such as an older, legacy system.

b. Protecting Access Points and Controls

182. Requirement R2 of CIP–005–1 requires a responsible entity to implement organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the electronic security perimeter. Requirement R2.4 requires “strong procedural and technical controls” at enabled external access points “to ensure authenticity of the accessing party, where technically feasible.”

183. The CIP Assessment raised concerns regarding the qualifier “where technically feasible” in Requirement R2.4. The CIP Assessment also cautioned that keeping pace with advances in cyber security is a necessary part of the defense strategy needed to protect against intrusion by an adversary. The CIP Assessment noted that implementation and maintenance of strong controls to ensure authenticity of the accessing party is not a question of technical feasibility. It represents that the technology currently exists and that every responsible entity identifying critical cyber assets should be able to implement such controls. Balancing an appropriate mix of protections and technology is part of achieving effective cyber security. The CIP Assessment also expressed the view that Requirement R2.4 should not allow a responsible entity to fail to implement rudimentary procedural and technical access controls.

184. California PUC states that electronic access from outside the electronic security perimeter should require strong verification, such as digital certificates or two-factor authentication. It suggests that such a system is virtually impenetrable and that it, or some similar system, should be required in the CIP Reliability Standards.

185. California PUC comments that access controls should be implemented at all access points to the network and that the caveat of “technical feasibility” in the NERC-proposed Reliability Standard is inappropriate. California PUC further states that Requirement R2.0 prescribes, inter alia, that only those ports and services required for normal or emergency operations should be enabled, while all others should be disabled. Furthermore, it notes that access control, including the authorization process and authentication method for each access point, should be documented. Access should be monitored twenty-four hours a day, seven days a week, and disturbances and unauthorized access attempts should be identified. All responsible entities should conduct vulnerability assessments of their access points, scanning to verify that only the proper ports and services are enabled. California PUC agrees with the CIP Assessment assertion that “such (strong electronic access control) technology currently exists” and implementation by every entity is feasible.

186. NERC disagrees with the CIP Assessment comment that a “technical feasibility” caveat is not needed in Requirement R2.4, particularly for legacy implementations and substation environments. NERC agrees that the CIP Assessment statement may be applicable in a modern control center environment, where common IT systems have migrated into the control environment. However, NERC states that this is not the case for many existing field systems. The technical feasibility clause, NERC claims, is needed to accommodate the vast majority of legacy systems that cannot be upgraded due to the age and nature of their system configurations.86

187. Given the numerous scenarios surrounding access control, APPA/LPPC believe that removing the “technical feasibility” caveat will not provide a solution in every situation. They assert that Requirement R2.4 is appropriate as currently written. APPA/LPPC note that some access control solutions, such as biometric ones, are still subject to failure and may grant access to unauthorized people.

Commission Proposal

188. Requirement R2.4 of CIP–005–1 calls for the implementation of “strong procedural or technical controls” at access points to ensure authenticity of the accessing party. While we agree with the goal of Requirement R2.4, we are concerned that requiring “strong” controls does not provide sufficient guidance and possibly sets subjective criteria. Thus, we believe that Requirement R2.4 should provide greater clarity regarding the expectation for adequate compliance by identifying examples of specific verification technologies that would satisfy the Requirement, while also allowing compliance pursuant to other technically equivalent measures or technologies. The Commission agrees with California PUC that strong verification includes technologies such as digital certificates and two-factor authentication. We also note that Recommendation 32 of the Blackout Report emphasizes the need “to ensure access is granted only to users who have corresponding job responsibilities.”87 We propose to direct the ERO to modify this Reliability Standard accordingly.

189. The Commission believes that providing such basic security measures as access control can be accomplished using/placing measures “in front of” systems as opposed to “inside” systems. Such an approach can be used to secure even older, yet functioning, legacy systems. The Commission proposes to direct the ERO to evaluate the issue and provide specific guidance to responsible entities that must face such issues.

190. The Commission is persuaded by commenters that maintain that, due to the variety of equipment and systems, some discretion must be preserved that would allow responsible entities to control access points. Further, in our general discussion of “technical feasibility” in section II.A.5.b above, we explained that, while we have concerns regarding the broad discretion currently allowed in the use of the technical feasibility language, we would not propose to eliminate the provision but, rather, propose to require specific controls and accountability when a responsible entity chooses to invoke the provision. Specifically, a responsible entity invoking a technical feasibility exception would have to: (1) Develop and implement interim mitigation steps to address the vulnerabilities associated with each exception; (2) develop and implement a remediation plan to eliminate the exception, including interim milestones and a reasonable completion date; and (3) obtain written approval of these steps by the senior manager responsible for leading and managing compliance with the CIP Reliability Standards. As discussed previously, the Commission proposes that a responsible entity invoking a

86 Progress Energy, ReliabilityFirst, and Santa Clara agree with NERC.
87 See Blackout Report at 164–165, Recommendation 32.
technical feasibility exception must have a review by senior management of the expediency and effectiveness of the manner in which a responsible entity has addressed each of these three proposed conditions. In addition, the Commission proposes to require a responsible entity to report and justify to the ERO and the Regional Entity for approval each exception and its expected duration.

191. Consistent with our earlier discussion, we will not propose the removal of the “technical feasibility” language from Requirement R2.4 of CIP–005–1. However, such discretion will not lie solely with the responsible entities. We propose to direct that Regional Entities review the application of “technical feasibility” as the basis for allowing a responsible entity an exception to full compliance with a Requirement.

c. Monitoring Access Logs

192. Requirement R3 of CIP–005–1 requires responsible entities to implement electronic or manual processes for monitoring and logging access at access points to the electronic security perimeter at all times. Further, where technically feasible, the security monitoring process must detect and alert for attempts at or actual unauthorized access. Where such alerts are not technically feasible, Requirement R3.2 requires a responsible entity to review access logs at least every 90 calendar days.

193. The CIP Assessment noted that frequent reviews of access logs are necessary to look for security breaches that automated alerts do not detect. It cautioned that the “technical feasibility” caveat in Requirement R3.2 can allow a 90-day lapse in review of access logs when it is commonplace in the IT industry for logs to be reviewed every one or two days. The CIP Assessment also advised that the use of discretion to address “technical feasibility” permitted in Requirement R3.2 should not be a basis for failing to implement a process that detects attempts to access or actual unauthorized access. Such monitoring technology is available88 and no responsible entity should be excepted due to technical infeasibility.

194. NERC agrees with the CIP Assessment that logs should be reviewed frequently. However, NERC believes that a strict requirement for the review period cannot be specified because of the varied methods and technologies used to gather and review the logs. NERC asserts that automated alert technology can detect many attempts and breaches, and leave a much smaller set of “questionable” events which can readily be analyzed manually.89

Commission Proposal

195. The Commission is persuaded by the commenters that varied technologies and locations make setting a “one size fits all” frequency of access log review requirement difficult. However, the Commission believes that, while automated review systems provide a reasonable day-to-day check of the system and a convenient screening for obvious system breaches, periodic manual review provides the opportunity to recognize an unanticipated form of malicious activity and improve automated detection settings. Thus, regular manual review is beneficial.

196. The Commission believes that frequent reviews of access logs are necessary to detect breaches that automated alerts do not detect. Moreover, where automated alerts are not used, frequent monitoring takes on even greater importance. The Commission recognizes that accessibility of an access log may affect the review interval. For instance, logs that are readily available, such as those from within a control room setting, should be reviewed at least weekly. Those logs that are not readily available, such as those located at a remote substation, are less accessible and therefore can be read less frequently. However, any attempt to differentiate the required frequency of review of these logs must be balanced against the criticality of the facilities. It is not acceptable to dismiss a critical facility from timely review simply because it is remote.

197. For the reasons discussed above, the Commission believes that more frequent review of access logs is important and therefore proposes to direct the ERO to develop a bifurcated review requirement of access logs at electronic access points in which readily available logs are reviewed more frequently than every 90 days. The Commission believes such review should be performed at least weekly. As part of developing this bifurcated review requirement, the ERO must include in the Reliability Standard guidance on how a responsible entity should designate individual assets as “readily accessible” or “not readily accessible,” consistent with our discussion above.

d. Vulnerability Assessments

198. The CIP Assessment stated that Requirement R4 fails to specify whether a live vulnerability assessment is required, as opposed to a paper assessment.90 It recommends performing a “live” cyber vulnerability assessment at least annually and developing an action plan to remediate any weaknesses identified. It also notes that permitting a one year window, without any specificity regarding updates, could be inadequate.

199. NERC, Progress Energy and ReliabilityFirst state that Requirement R4 intentionally allows for either vulnerability assessment approach, live or paper-based, to allow a responsible entity to determine the approach best suited to its own level of sophistication and tolerance for risk. NERC acknowledges that some responsible entities already perform live testing but notes that such testing is limited to specific systems and circumstances of the responsible entity.

200. Georgia System argues that the existing Requirement R4 is well-designed. It suggests, however, that annual testing of each electronic access point should not be imposed, because such wide-spread “live” testing could have adverse impacts on system reliability. APPA/LPPC disagree with the CIP Assessment and insist that an annual testing requirement is sufficient, as long as the responsible entity does not make changes to any border devices. APPA/LPPC argue that, if changes occur to the perimeter, then the entity should, as a good business practice, reassess the vulnerability of that portion of the perimeter.

Commission Proposal

201. The Commission believes that annual vulnerability assessments are sufficient, provided that no modifications are made to the electronic security perimeter during the year. However, when the electronic security perimeter, or another measure in a defense in depth strategy, is modified, it is not acceptable to wait a year to test modifications. Thus, the Commission proposes to direct the ERO to revise the Reliability Standard to require a vulnerability assessment of the electronic access points as part of, or contemporaneously with, any

88 Technology that is currently available for monitoring access (e.g., network servers, firewalls, Intrusion Detection Systems, Intrusion Prevention Systems) has alarm capability built into it.
89 FirstEnergy, ReliabilityFirst, ISO/RTO Council, Georgia System, Xcel, and Santa Clara agree with NERC.
90 A live vulnerability assessment typically involves the use of specialized software or hardware to scan electronic access points to determine which communications each access point allows to pass through.
modifications to the electronic security perimeter or defense in depth strategy.

202. In addition, the Commission proposes that Requirement R4 should provide for the conduct of live vulnerability assessments at least once every three years, with subsequent annual paper assessments in the intervening years. If such live vulnerability assessments are not “technically feasible,” consistent with the Commission’s earlier determination, a responsible entity may seek to be excused from full compliance via an application to the Regional Entity fully documenting the necessary interim actions, milestone schedule, and mitigation plan.

e. Commission Proposal Summary

203. In summary, the Commission proposes to approve Reliability Standard CIP–005–1 as mandatory and enforceable. In addition, the Commission proposes to direct the ERO, pursuant to section 215(d)(5) of the FPA and § 39.5(f) of our regulations, to develop modifications to CIP–005–1 through its Reliability Standards development process that (1) require implementation of a defensive security approach, including two or more defensive measures in a defense in depth posture; (2) add guidance to Requirement R2 by identifying examples of specific verification technologies that would satisfy compliance with the “strong controls” in Requirement R2.4, such as digital certificates and two-factor authentication, while also allowing compliance by means of technically equivalent measures; (3) evaluate and provide guidance regarding the use of access security measures “in front of” as opposed to “inside of” older systems; (4) require additional controls and accountability when a responsible entity invokes the “technical feasibility” exception in Requirement R2.4 consistent with the proposal discussion in section II.A.5.b of the NOPR; (5) provide a bifurcated review requirement of access logs at electronic access points in which readily available logs are reviewed more frequently than 90 days including guidance on which assets should be designated “readily accessible;” (6) require a vulnerability assessment of electronic access points as part of, or contemporaneously with, any modifications to an electronic security perimeter or defense in depth strategy; and (7) provide for the conduct of live vulnerability assessments at least once every three years, with subsequent annual paper assessments in the intervening years.

5. CIP–006–1—Physical Security of Critical Cyber Assets

204. Reliability Standard CIP–006–1 addresses the physical security of the critical cyber assets identified in Reliability Standard CIP–002–1. In particular, CIP–006–1 requires a responsible entity to create and maintain a physical security plan that ensures that all cyber assets within an electronic security perimeter also reside within an identified physical security perimeter.91 The physical security plan must be approved by senior management and must contain processes for identifying, controlling, and monitoring all access points and authorization requests.

205. Reliability Standard CIP–006–1 also addresses operational and procedural controls to manage physical access at all access points to the physical security perimeter at all times by the use of alarm systems and/or human observation or video monitoring. The Reliability Standard also requires that the logging of physical access must occur at all times, and the information logged must be sufficient to uniquely identify individuals crossing the perimeter. Finally, the Reliability Standard requires responsible entities to test and maintain all physical security mechanisms on a three-year cycle.

206. The Commission proposes to approve Reliability Standard CIP–006–1 as mandatory and enforceable. In addition, we propose to direct the ERO to develop modifications to this Reliability Standard. Further, the Commission also proposes to require the ERO to consider various other matters of clarification, guidance, and modification. In our discussion below, we address our concerns in the following topic areas regarding CIP–006–1: (1) Physical security plan; (2) physical access controls and monitoring physical access controls; (3) physical security breach; and (4) maintenance and testing.

a. Physical Security Plan

207. Requirement R1.1 of CIP–006–1 addresses processes that a responsible entity must include in its physical security plan to ensure that all cyber assets within an electronic security perimeter also reside within an identified physical security perimeter. The CIP Assessment noted that Requirement R1.1 anticipates that there may be instances where a completely enclosed border cannot be established and that, in such instances, the responsible entity shall deploy and document “alternative measures” to control physical access to the critical cyber assets. It cautioned, however, that Requirement R1.1 does not provide guidance on how an alternative measure should be identified or determined to be adequate.

208. SPP recognizes the CIP Assessment concern with Requirement R1.1, but disagrees that the language of the Requirement needs revision. SPP maintains that while the Reliability Standard prescribes what must be done, it does not and should not prescribe how a particular Requirement is to be implemented. SPP states that NERC’s FAQ document offers suggestions on how to physically secure critical cyber assets when they cannot be enclosed within a restricted access six-wall boundary. Progress Energy agrees with the CIP Assessment that NERC should provide guidance on how an alternative measure would be identified or determined adequate. However, Progress Energy contends that this guidance should not be in the Reliability Standard itself, but rather in an interpretive document like a FAQ document.

Commission Proposal

209. The Commission’s current view is that the phrase “alternative measures” as referenced in Requirement R1.1 should be interpreted to be a Requirement exception.92 Under this Requirement, the responsible entity is required to deploy and document alternative measures if a completely enclosed “six-wall” border cannot be established to control physical access to the critical cyber assets. However, the Requirements do not provide guidance on how an alternative measure should be identified or determined to be adequate. Therefore, the Commission proposes to direct the ERO to treat the allowance of “alternative measures” as “interim actions” developed and implemented as part of a mitigation plan under a “technical feasibility” exception.

91 As defined in the NERC Glossary, an “Electronic Security Perimeter” means, “[t]he logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled. * * *” and a Physical Security Perimeter is “the physical, completely enclosed (“six-wall”) border surrounding computer rooms, telecommunications rooms, operations centers, and other locations in which Critical Cyber Assets are housed and for which access is controlled * * *.”
92 The Commission’s discussion elsewhere in this NOPR, relating to discretion to make exceptions to a Requirement based on technical feasibility applies here.
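The port-and-service check described in the CIP–005–1 discussion above (Requirement R2 as summarized in paragraph 185, and the live versus paper vulnerability assessment of access points in paragraphs 198 through 202 and footnote 90), as an added example that is not part of this rulemaking or of any NERC or FERC tooling: a small Python assessment that compares each electronic access point’s approved baseline of ports and services against (a) the documented firewall rules, the “paper” evidence, and (b) the ports a scan actually observed passing through, the “live” evidence, and reports every deviation. The access point names, the rule syntax and all port numbers are constructed sample data, not values from the NOPR.

```python
"""Access point baseline verification: paper (documented rules) versus live
(observed ports) evidence, each compared against an approved baseline.

Added example; not part of the NOPR or of any NERC/FERC tool. Access point
names, rule syntax and port numbers are constructed sample data."""
from dataclasses import dataclass
import re

# Approved baseline per access point: (protocol, port) -> justification for
# normal or emergency operation. Constructed sample data.
BASELINE = {
    "esp-fw-1": {
        ("tcp", 443): "operator HMI, normal operations",
        ("tcp", 22): "vendor maintenance, emergency operations",
        ("udp", 123): "NTP time sync, normal operations",
    },
    "substation-fw-7": {
        ("tcp", 20000): "DNP3 to control center, normal operations",
    },
}

# "Paper" evidence: the documented rule set of each access point, in a
# constructed access-list style syntax ("permit <proto> <src> <dst> eq <port>").
DOCUMENTED_RULES = {
    "esp-fw-1": [
        "permit tcp any any eq 443",
        "permit tcp any any eq 22",
        "permit udp any any eq 123",
        "permit tcp any any eq 23",   # documented, but nothing in the baseline justifies it
        "deny ip any any",
    ],
    "substation-fw-7": [
        "permit tcp any any eq 20000",
        "deny ip any any",
    ],
}

# "Live" evidence: (protocol, port) pairs a scan observed passing through each
# access point. Constructed, in the form a scanner report would be parsed into.
SCAN_RESULTS = {
    "esp-fw-1": {("tcp", 443), ("tcp", 22), ("udp", 123), ("tcp", 23), ("udp", 161)},
    "substation-fw-7": {("tcp", 20000), ("tcp", 22)},
}

PERMIT_RE = re.compile(r"^permit\s+(tcp|udp)\s+\S+\s+\S+\s+eq\s+(\d+)$")


def documented_ports(rules):
    """Parse permit rules into a set of (proto, port); deny and other lines are ignored."""
    allowed = set()
    for line in rules:
        m = PERMIT_RE.match(line.strip())
        if m:
            allowed.add((m.group(1), int(m.group(2))))
    return allowed


@dataclass
class Finding:
    access_point: str
    kind: str      # "paper" (from documentation) or "live" (from the scan)
    proto: str
    port: int
    detail: str


def assess(baseline, documented, observed):
    """Return every deviation from the baseline, paper findings before live ones."""
    findings = []
    for ap, approved in baseline.items():
        approved_set = set(approved)
        doc = documented_ports(documented.get(ap, []))
        live = observed.get(ap, set())
        # Paper: a permit rule exists but the baseline gives it no justification.
        for proto, port in sorted(doc - approved_set):
            findings.append(Finding(ap, "paper", proto, port,
                                    "documented rule permits a port not in the baseline"))
        # Live: traffic passes that the baseline does not justify. Distinguish a port
        # that at least matches the documentation from one nobody wrote down (drift).
        for proto, port in sorted(live - approved_set):
            if (proto, port) in doc:
                detail = "open port matches documentation but has no baseline justification"
            else:
                detail = "open port neither in baseline nor in documentation (configuration drift)"
            findings.append(Finding(ap, "live", proto, port, detail))
        # Live: a justified service is not reachable; either it is down or the baseline is stale.
        for proto, port in sorted(approved_set - live):
            findings.append(Finding(ap, "live", proto, port,
                                    "baseline port not observed; verify the service or update the baseline"))
    return findings


def run_sample():
    """Assess the constructed sample data above."""
    return assess(BASELINE, DOCUMENTED_RULES, SCAN_RESULTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.access_point:16} {f.kind:5} {f.proto}/{f.port:<5} {f.detail}")
```

On the constructed data `run_sample()` returns four findings: the documented but unjustified port 23 rule on esp-fw-1 (paper), the same port seen open (live), port 161 open with no rule permitting it (drift), and port 22 open on substation-fw-7 with neither baseline nor rule. A paper review cannot see the last two, which is the gap that the periodic live assessment discussed above is meant to close.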

b. Physical Access Controls and Monitoring Physical Access Controls

210. The CIP Assessment noted that Requirement R2 of the Reliability Standard requires the use of at least one of four listed physical access control methods, but does not require or suggest that the method(s) employed to control physical access consider the characteristics of the access point at issue and the criticality of the asset being protected.93 Requirement R3 requires monitoring at each access point to the physical security perimeter, including alarm systems and/or human monitoring. For both Requirement R2 and Requirement R3, a responsible entity can choose whether to implement single or multiple access control methods and monitoring devices. The CIP Assessment suggested that, consistent with a defense in depth strategy, a layered approach would increase the complexity of an intrusion by requiring that multiple security provisions be circumvented. The CIP Assessment further suggested that such an approach would provide redundancy in case one system requires maintenance or unexpectedly fails to function as expected.

211. Xcel, FirstEnergy and others agree that redundancy and the number of layers should be a function of a reasonable risk assessment and good utility practice, which provide an objective basis for measuring compliance. They also state that unnecessary redundancy would take funds and resources away from the assets that need the elaborate redundancy.

212. Xcel agrees with the CIP Assessment that defense in depth is an optimal strategy, but states that it is not always practical. For example, Xcel notes that where a substation has cyber security equipment inside a control building surrounded by a fence, it may not be worth the cost or administrative burden to install fence detection equipment at a remote substation.

213. FirstEnergy agrees with the CIP Assessment that Requirement R2 should include a process for identifying the criticality of critical cyber assets and a process for applying an appropriate number of layers based on criticality. NERC and ReliabilityFirst point out that, throughout the Reliability Standards, assets are classified as either critical or non-critical, with no subjectivity involved in determining their “level” of criticality. They suggest that all assets classified as critical must be afforded the same level of protection, regardless of their location or perceived level of criticality. Consequently, they believe the specific implementation of protection must be functionally equivalent and sufficient at all locations.

Commission Proposal

214. We do not believe that the proposal to require a minimum of two different security procedures creates an unreasonable burden. We believe that a responsible entity must, at a minimum, implement two or more different security procedures when establishing a physical security perimeter. Use of a minimum of two different security procedures will, for example, enable continuous security protection when one of the security protection measures is undergoing maintenance and provides redundant security protection in the event that one of the measures is breached. Therefore, while the Commission recognizes that there is a point at which implementing multiple layers of defense becomes an unreasonable burden to responsible entities, the Commission proposes to direct the ERO to modify this Reliability Standard to state that a responsible entity must, at a minimum, implement two or more different security procedures when establishing a physical security perimeter around critical cyber assets.

c. Physical Security Breach

215. The CIP Assessment noted that Reliability Standard CIP–006–1 does not include actions to be taken in response to a physical security breach. Thus, the CIP Assessment suggested that the physical security plan specify responsibilities and required communication in such an event.

216. California PUC states that CIP–006–1 is sound, except that it does not require a plan in the contingency of a physical security breach. California PUC suggests that a guideline for such a plan should be incorporated into this Reliability Standard.

Commission Proposal

217. Below, the Commission proposes, in CIP–008–1, to direct the ERO to develop and include (in CIP–008–1) language regarding what should be included in the term “reportable incident.” The Commission proposes to direct the ERO, when it develops its language in Reliability Standard CIP–008–1 on the term “reportable incident,” to include a breach that may occur through cyber or physical means. Thus, the Commission expects that the issue of a physical security breach will be fully addressed through that proposed modification and no revision of CIP–006–1 is needed to address this issue.

d. Maintenance and Testing

218. Requirement R6, which requires a maintenance and testing program to ensure that all physical security systems under Requirements R2, R3, and R4 function properly, is critical for the overall success of CIP–006–1. The CIP Assessment explained that, if the system’s outer physical security perimeter fails to secure critical assets, the electronic access controls may be rendered ineffective. The CIP Assessment questioned whether consideration should be given to testing the more important physical security mechanisms and systems more frequently, with testing and maintenance records maintained for the full three-year testing cycle.

219. NERC and ReliabilityFirst reiterate that the Reliability Standards do not make a distinction between levels of criticality. These commenters assert that testing of more important systems cannot be performed, because all critical assets have the same level of criticality. Xcel states that a more frequent testing of the physical security perimeter is not needed because most of the equipment will be used on a weekly basis. Xcel maintains that since the equipment will be in regular use, a Requirement for additional testing of the equipment appears redundant.

220. SPP agrees with the CIP Assessment, stating that a three-year inspection cycle of physical access control is too infrequent if a critical asset has high potential impact on reliability and where such testing is not inconvenient. SPP argues that, while it may be appropriate to test the physical access controls at a remote substation once every three years, the physical access controls at a generating plant and a control center can and should be tested far more frequently. FirstEnergy also agrees with the CIP Assessment, stating that more frequent testing should be required for critical facilities, but that the Requirement should specify the form of testing that will be considered adequate.

Commission Proposal

221. Currently, Requirement R6 of CIP–006–1 requires that responsible entities implement maintenance and testing programs of physical security systems on a cycle no longer than three years and retain testing and maintenance records for the same cycle. In addition, Requirement R6 requires retention of outage records of certain physical security systems for a

93 CIP Assessment at 29.
minimum of one year. The Commission agrees with SPP that maintenance and testing of physical security systems should occur more frequently than once every three years. However, the Commission also agrees with SPP that such testing at remote substations should be allowed less frequently. Therefore, the Commission proposes to direct the ERO to modify this Reliability Standard to require that: (1) A readily accessible critical cyber asset be tested every year with a one-year record requirement for the retention of testing, maintenance, and outage records; and (2) a non-readily accessible critical cyber asset be tested in a three-year cycle with a three-year record retention requirement. The Commission believes that this approach provides an appropriate assurance that security measures for geographically dispersed physical assets are functioning properly.

e. Commission Proposal Summary

222. In summary, the Commission proposes to approve Reliability Standard CIP–006–1 as mandatory and enforceable. In addition, the

within the electronic security perimeter(s).

224. The CIP Assessment explained that this Reliability Standard deals primarily with changes made to the operating control system94 and verification that such changes will not inadvertently have adverse effects.95 The CIP Assessment noted that the operating control system is vulnerable during the testing process for an indeterminate period of time prior to the installation of a patch, and an attacker could exploit the vulnerability. It explained that contracts with vendors present another security challenge. Service contracts typically provide that the vendor will test patches before allowing an entity to install them on its operating control system. The contracts also typically prohibit installation before the vendor verifies the patch, at risk of voiding the warranty. It explained that the time involved in the testing and installation of a patch may provide an attacker a window of opportunity to exploit the vulnerability that the patch is designed to prevent.

225. Another challenge the CIP Assessment identified is ensuring that

controls. Responsible entities must create, implement, and maintain cyber security test procedures in a manner that minimizes adverse effects on the production system or its operation. They must document that testing is performed in a manner that reflects the production environment and must document test results.

228. The CIP Assessment suggested that Requirement R1.2 should require the responsible entity to document how each significant difference between the operation and testing environments is considered and addressed.96

229. NERC and ReliabilityFirst comment that any test environment that has a “significant difference” from the production environment is not a true “reflection” of the production requirement, as required by the Reliability Standard. National Grid states that the need for and amount of testing will depend on the nature of the change that needs to be implemented. Flexibility to assess each situation is necessary to determine the type of testing required. National Grid states that it may not be possible to establish
Commission proposes to direct the ERO,
the test environment accurately an isolated testing environment for all
pursuant to section 215(d)(5) of the FPA
approximates and mirrors the operating security upgrades because cyber assets
and § 39.5(f) of our regulations, to control system. It noted that an
develop modifications to CIP–006–1 in production operate continuously. A
inaccurate test environment can allow responsible entity therefore may need to
through its Reliability Standards potential failures of the new product to
development process that require that: take substantial steps to configure a test
go undetected. It noted that some environment, such as taking an entire
(1) The ERO treats the allowance of entities may not have the resources to
‘‘alternative measures’’ referenced in substation out of service.
maintain a backup system, let alone a
Requirement R1.1 as ‘‘interim actions’’ duplicate of their operating control Commission Proposal
developed and implemented as part of system.
a mitigation plan under a ‘‘technical 226. The Commission proposes to 230. If a testing environment does not
feasibility’’ exception; (2) a responsible approve Reliability Standard CIP–007–1 accurately reflect the operational
entity must, at a minimum, implement as mandatory and enforceable. In environment, testing of systems may not
two or more different security addition, we propose to direct the ERO be adequate to judge impacts on
procedures when establishing a physical to develop modifications to this reliability. While, ideally, testing should
security perimeter around critical cyber Reliability Standard. In our discussion be conducted on a precise duplicate of
assets; (3) the ERO, when it develops its below, the Commission addresses its the production system, the Commission
language in Reliability Standard CIP– concerns in the following topic areas acknowledges that this is not always
008–1 on the term ‘‘reportable regarding CIP–007–1: (1) Test possible. When it is not, any differences
incident,’’ include a breach that may procedures; (2) ports and services; (3) between the test environment and the
occur through cyber or physical means; security patch management; (4) production system should be
(4) a readily accessible critical cyber malicious software prevention; (5) documented. In addition, the
asset be tested every year with a one- security status Monitoring; (6) disposal Commission believes that responsible
year requirement for the retention of or redeployment; (7) cyber vulnerability entities should address to the
testing, maintenance, and outage assessment; and (8) documentation satisfaction of senior management these
records; and (5) a non-readily accessible review and maintenance. differences and how they propose to
critical cyber asset be tested in a three- mitigate the impact of any differences
year cycle with a three-year record a. Test Procedures between the testing environment and
retention requirement. 227. Requirement R1 of CIP–007–1 the production system. Therefore, the
requires a responsible entity to ensure Commission proposes to direct the ERO
6. CIP–007–1—Systems Security that new cyber assets and significant to modify Requirement R1 and its
Management changes to existing cyber assets within subparts to require documentation of
223. The Purpose statement in the electronic security perimeter do not each significant difference between the
jlentini on PROD1PC65 with PROPOSALS3

Reliability Standard CIP–007–1 states adversely affect existing cyber security testing and the production
that it requires responsible entities to environments, and how each such
94 The term ‘‘operating control system’’ is used in
define methods, processes and difference is mitigated or otherwise
this NOPR to represent the control system used to
procedures for securing those systems control critical assets in real time, as opposed to
addressed.
determined to be critical cyber assets, as backup, training, or duplicate control systems.
well as the non-critical cyber assets 95 CIP Assessment at 31. 96 CIP Assessment at 32.

b. Ports and Services

231. Requirement R2 of CIP–007–1 requires a responsible entity to establish a process to ensure that only those ports and services required for normal and emergency operations are enabled and all others are disabled.

232. The CIP Assessment stressed that the requirement to ‘‘disable other ports and services’’ is a basic building block of a cyber security program, and that it is a generally recognized security practice to assume a ‘‘deny all’’ stance (i.e., disabling all ports and services first) before opening the various ports that are needed only for operations. The CIP Assessment expressed concern that Requirement R2.3 allows a responsible entity to ‘‘accept risk’’ rather than take mitigating action where unused ports and services cannot be disabled due to ‘‘technical limitations.’’ This Requirement specifies that the responsible entity must either document (1) compensating measures to mitigate exposure or (2) an ‘‘acceptance of risk.’’ The CIP Assessment noted that in situations where technical limitations prevent unused ports and services from being disabled and risk can at best be mitigated, acceptance of risk appears to mean acceptance of vulnerabilities without further action. The CIP Assessment suggested that clear guidance is needed to explain limited circumstances for its use, and warned that accepting risk could potentially become an exception from compliance that permits unacceptable risks.

233. NERC and ReliabilityFirst comment that many situations exist where ports and services must be left open due to operating system requirements, the requirements of equipment manufacturers or vendors or the lack of information from vendors that is necessary to determine if a port or service can be disabled. APPA/LPPC agree with the CIP Assessment that closing unused ports is generally a good business practice, but they disagree that it should be mandated. They state that in some cases there may be sound technical reasons why an unused port cannot be closed. They further comment that this Requirement is acceptable as written because it allows the responsible entity to use reasonable business judgment.

Commission Proposal

234. In section II.A.5.b above, the Commission discusses the problems presented by acceptance of risk. For the reasons discussed there, the Commission proposes to direct the ERO to eliminate the acceptance of risk language from Requirement R2.3. At the same time, the Commission proposes to leave intact the exception for ‘‘technical limitations.’’ However, the Commission believes that the ‘‘technical limitations’’ language of Requirement R2.3 raises the same concerns here as the ‘‘technical feasibility’’ language referenced in section II.A.5.b. While an exception for ‘‘technical limitations’’ may be appropriate, it must include the same conditions as discussed in the context of ‘‘technical feasibility.’’ Accordingly, we propose that the same conditions and reporting requirements should apply here. Thus, the Commission proposes to direct the ERO to revise Requirement R2 and its subparts to reflect our determinations discussed above to remove the ‘‘acceptance of risk’’ language and to impose the same conditions and reporting requirements here for ‘‘technical limitations’’ as imposed elsewhere in this NOPR regarding ‘‘technical feasibility.’’

c. Security Patch Management

235. Requirement R3 of CIP–007–1 requires a responsible entity to establish and document a security patch management program for tracking, evaluating, testing and installing applicable cyber security software patches for all cyber assets within an electronic security perimeter. Among other things, a responsible entity must document the implementation of security patches. Where a patch is not installed, the responsible entity must document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk.

236. The CIP Assessment acknowledged that compensating measures are necessary at times, especially when patches require vendor support, but also expressed concern that Requirement R3.2 permits a wide variation of processes for patching a system when it allows an ‘‘acceptance of risk’’ in lieu of mitigating risk exposure through a patching program. The CIP Assessment asserted that an effective Reliability Standard cannot simply offer a responsible entity a choice between installing a patch or accepting the risk of not doing so, and that at least some form of mitigation should always be possible.

237. NERC and ReliabilityFirst believe that ‘‘acceptance of risk’’ is not a permanent solution but would be used during a period where testing and other required upgrades may be accomplished. In addition, they and other commenters are concerned about implementing language in the Reliability Standard that would seem to require installation of patches on platforms where patches cannot be implemented due to architecture, operating environment or warranty issues. Allegheny states that if patches were not applied, it is highly unlikely there would not be some form of mitigation available such as physical protection and/or firewalls. It also states that compensating measures should be in place before there is an acceptance of risk. SoCal Edison states that acceptance of the risk of non-compliance should be clearly documented so that an auditor can see the rationale for this decision.

238. PG&E comments that older devices have a limited modification capability, and as a result the responsible entity must balance the risk of replacing devices that currently operate with new, untested, and potentially inadequate devices.

Commission Proposal

239. The Commission has discussed acceptance of risk above and, because those remarks and proposals apply equally here, we propose that the ‘‘acceptance of risk’’ language must be removed here also.97 With the exception of references to acceptance of risk, the Commission considers the provisions of Requirement R3 to be acceptable and appropriate. Patch management must be weighed in light of the risks involved, with senior management involved in the decision. As discussed under Recommendation 33 of the Blackout Report,98 using the most up-to-date patches that deal specifically with security vulnerabilities is of the utmost importance, provided it does not degrade the system and the patch does not create more vulnerability than the problem it is intended to fix.

97 See supra discussion in section II.A.5.b.

98 See Blackout Report at 164, Recommendation 33.

d. Malicious Software Prevention

240. Requirement R4 of CIP–007–1 requires responsible entities to use anti-virus and other malicious software prevention tools. The CIP Assessment noted that Reliability Standard CIP–007–1 does not provide any direction on how to implement this type of protection or where it should be deployed, and that care must be taken to implement and test malicious code protection in order to avoid harm to the operating control system. The CIP Assessment pointed out that the Reliability Standard could suggest the use of a multi-layer, defense in depth strategy, to forestall or detect an attacker’s penetration of the electronic security.99

99 CIP Assessment at 33.

241. Requirement R4 requires the responsible entity to use anti-virus software and malicious software prevention tools where ‘‘technically feasible.’’ The CIP Assessment questioned this phrase as allowing unnecessary discretion to opt out of Requirement R4. It noted that Requirement R4.1 raises the same concerns regarding the phrase ‘‘acceptance of risk’’ as in Requirement R3.2, this time in connection with cases where anti-virus software and malicious software prevention tools are not installed. The CIP Assessment noted a lack of direction in the Reliability Standard and sought comment on what types of compensating measures are available and what would be an adequate justification for accepting risk.

242. In response to the CIP Assessment observation that Requirement R4 does not provide any direction on how to implement anti-virus protection or where it should be deployed, NERC and ReliabilityFirst comment that the Reliability Standards are performance based; that they do not specify how to perform a function, only that the Requirement must be met. This comment is similar to the suggestion addressed in Order No. 672,100 that, ‘‘in general, a Reliability Standard should address the ‘what’ and not the ‘how’ of reliability and that the actual implementation of a Reliability Standard should be left to entities such as control area operators and system planners * * *.’’ 101 NERC and ReliabilityFirst conclude that, while the responsible entity must implement a solution that meets the Requirement, it should not be restricted with regard to how to do so. Thus, they argue the Reliability Standard should remain silent as to whether the anti-virus solution is implemented at the electronic security perimeter border, on an in-line device, or on the critical cyber asset itself, so long as the implemented solution meets the stated requirement.

100 FERC Stats. & Regs. ¶ 31,204 at P 260.

101 In Order No. 672, the Commission immediately followed this general statement with the caution that, ‘‘in other situations, however, the ‘how’ may be inextricably linked to the Reliability Standard and may need to be specified by the ERO to ensure the enforcement of the Reliability Standard.’’ Order No. 672 at P 265.

243. In response to the CIP Assessment comment that the Reliability Standard does not suggest the use of a multi-layered, defense in depth strategy through the use of various products from multiple vendors, NERC and ReliabilityFirst state that a multi-layered defense may be appropriate in a best practice document, but not in a mandatory Reliability Standard.

Commission Proposal

244. The Commission has discussed the issues of defense in depth, technical feasibility, and risk acceptance elsewhere above in this NOPR. The remarks and proposals there apply equally to the issue of malicious software prevention. Therefore, the ‘‘acceptance of risk’’ language must be removed here, and the same conditions and reporting requirements regarding ‘‘technical feasibility’’ that apply elsewhere are applicable here. In addition, the Commission proposes to direct the ERO to modify Requirement R4 to include safeguards against personnel introducing, either maliciously or unintentionally, viruses or malicious software into a cyber asset within the electronic security perimeter through remote access, electronic media, or other means.

e. Security Status Monitoring

245. Requirement R6 of CIP–007–1 requires responsible entities to ensure that all cyber assets within the electronic security perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security. Among other things, a responsible entity must maintain logs of system events related to cyber security, where technically feasible, to support incident response as required in Reliability Standard CIP–008–1. Logs must be retained for 90 calendar days, and the responsible entity must review logs of system events related to cyber security and maintain records documenting review of logs.

246. The CIP Assessment questioned the need to limit Requirement R6.3, which requires logs of system events related to cyber security to support incident reporting, as specified in CIP–008–1, to situations where this is ‘‘technically feasible.’’ The CIP Assessment also raised concerns about the record retention requirements for Requirements R6.3 and R6.4, which pertain to logs of cyber security-related system events used to identify reportable incidents and to support incident response, as required in CIP–008–1. It noted that, depending upon the frequency of log review, the 90-day period specified may be inadequate and that frequent review of logs would facilitate the early detection of reportable incidents. It also would ensure that current data are available for forensics. The CIP Assessment sought comment on whether the Reliability Standard should address the frequency and scope of the review of system event logs related to cyber security that is required by Requirement R6.5. It also noted the lack of guidance on how data should be saved, backed up and stored where computerized cyber incident monitoring and logging is performed.

247. Several commenters state that all devices of interest do not have the capability to create logs or that they may not provide the capability to capture ‘‘security related’’ information. They state that many installed devices in power plants and substations do not have log generation capability. If there is no capacity to generate logs, then it is technically infeasible to maintain logs.

248. NERC and ReliabilityFirst comment that generated logs from remote locations may not be readily collected for frequent review. In many cases, the telecommunications infrastructure connecting these remote locations cannot support the rapid and frequent collection of log data, especially if it is voluminous. The remote location of some sites makes frequent visits to collect and store log data impractical.

249. SPP recommends that logs be transferred in real time to a separate logging system to mitigate the risk of a successful attack destroying evidence of the intrusion. Where possible, the log should be readable separately from the device that created it or the device should be able to continue logging while in playback mode. Wisconsin Electric submits that cyber security logs should be reviewed with the frequency necessary to identify a cyber security incident within the timeframe established in the entity’s cyber security incident response plan. The cyber security logs should be stored in a manner that assures that information is protected as required in CIP–003–1 and that it is available through the 90-day retention period.

Commission Proposal

250. We have discussed the issue of technical feasibility. Our remarks and proposals there apply equally to the technical feasibility of monitoring and logging of system events related to cyber security.

251. The Commission agrees with the CIP Assessment and Wisconsin Electric that logs should be reviewed with the frequency necessary to ensure timely identification of a cyber security incident. Simply reviewing logs at the end of the retention period will not ensure an appropriate level of security because it does not permit effective response to all incidents. We note that this issue of log review touches on Blackout Report Recommendation 35, which addresses network monitoring, and Recommendation 37 which addresses diagnostic capabilities.102 The Commission therefore proposes to direct the ERO to revise Requirement R6 to include a requirement that logs be reviewed on a weekly basis for readily accessible critical assets and reviewed within the retention period for assets that are not readily accessible. This direction should be completed consistent with our discussion above regarding ‘‘readily accessible’’ assets.103 Accessibility should take into account both physical remoteness and available communications channels. We would expect control centers to fall within the ‘‘readily accessible’’ category.

102 See Blackout Report at 165–166, Recommendations 35 and 37.

103 See section II.B.4.c (Monitoring Access Logs) in this NOPR.

252. The Commission also proposes to direct the ERO to revise Requirement R6.4 to clarify that while the retention period for all logs specified in Requirement R6 is 90 days, the retention period for logs mentioned in Requirement R6.3 for the support of incident response as required in CIP–008–1 is the retention period required by CIP–008–1, i.e., three years. Requirement R6.4 is somewhat unclear and could be read to suggest that the 90 day period also applies to logs kept for purposes of CIP–008–1, and such an interpretation would conflict with the Requirements of that Reliability Standard.

f. Disposal or Redeployment

253. Requirement R7 of CIP–007–1 requires the responsible entity to establish formal methods, processes and procedures for disposal or redeployment of cyber assets. The CIP Assessment noted that erasing alone may not be adequate because technology exists that allows retrieval of ‘‘erased’’ data from storage devices, and that effective protection requires discarded or redeployed assets to undergo high quality degaussing.104

104 CIP Assessment at 34–35. To degauss is to demagnetize. Degaussing a magnetic storage medium removes all data stored on it.

254. Allegheny and SPP agree with the CIP Assessment that erasing alone may be inadequate because technology currently exists that allows retrieval of ‘‘erased’’ data from storage devices. SPP also states that if the magnetic media is being disposed of, physical destruction of the media is also an appropriate technique to render it unreadable.

255. NERC and ReliabilityFirst state that any method that fails to ‘‘prevent unauthorized retrieval of sensitive cyber security or reliability data’’ does not satisfy the Requirement. Likewise, APPA/LPPC believe that it is clear from the Requirement that ‘‘erase’’ means that there is no opportunity for unauthorized retrieval of data from a cyber asset prior to discarding it or redeploying it. They caution against being overly prescriptive regarding the exact process that responsible entities must use to meet this Requirement.

Commission Proposal

256. The Commission agrees with commenters that degaussing is not the sole means for achieving the goal of the requirement. As noted by commenters, the issue is less one of erasure, which is as much a method as it is a goal, than of assuring that there is no opportunity for unauthorized retrieval of data from a cyber asset prior to discarding it or redeploying it. The Commission therefore proposes to direct the ERO to modify this Requirement to clarify this point.

g. Cyber Vulnerability Assessment

257. Requirement R8 of CIP–007–1 requires a responsible entity to perform a cyber vulnerability assessment of all cyber assets within the electronic security perimeter at least annually. The CIP Assessment noted that this Requirement provides little direction on what features, functionality, and vulnerabilities responsible entities should focus on in a vulnerability assessment. The CIP Assessment pointed out that a poorly chosen vulnerability assessment process could result in a false sense of security. The CIP Assessment also noted that while Requirement R8.4 requires development of an action plan to remediate or mitigate vulnerabilities identified in the assessment, it does not provide a timeframe for completion of the action plan.105

105 CIP Assessment at 35.

258. Several commenters state that a responsible entity must determine the approach it will implement based on its own level of sophistication and its internal tolerance for risk. These commenters state that every environment and implementation is different, and any additional specificity would be impossible to describe for all possible situations, and, consequently, would not be productive. NERC and ReliabilityFirst state that requiring a specific timeframe for completion of an action regardless of its complexity serves no useful purpose because the timeframe will depend on the actions required. They maintain that the requirement to document the ‘‘execution status’’ of the action plan serves to keep the action plan on track.

259. ISA Group states that experience shows that most companies do not know what devices have actually been installed in the field. It maintains that a requirement for a detailed walk-down of all critical cyber assets should be mandatory for an acceptable vulnerability assessment. Progress and Xcel comment that the scope of the vulnerability test should be clearly defined.

Commission Proposal

260. The Commission believes that vulnerability testing is a valuable tool in determining whether actions that were taken to shore up the security posture of the electronic security perimeter and other areas of responsibility are in fact adequate. The Blackout Report recognized the importance of vulnerability assessments in Recommendation 38 that called for vulnerability assessment activities to identify weaknesses and mitigating actions.106 The Commission believes, as noted by NERC and ReliabilityFirst, that execution status is a good means to keep the action plan on track. Therefore, the Commission proposes to require that the ERO provide more direction on what features, functionality, and vulnerabilities the responsible entities should address when conducting the vulnerability assessments, and to revise Requirement R8.4 to require an entity-imposed timeline for completion of the already-required action plan.

106 See Blackout Report at 167, Recommendation 38.

h. Documentation Review and Maintenance

261. Requirement R9 of CIP–007–1 requires the responsible entity to review, update and maintain all documentation needed to support compliance with the Requirements of CIP–007–1 at least annually. Changes resulting from modifications to the systems or controls must be documented within 90 calendar days of the change. The CIP Assessment expressed the view that the 90-day timeframe for updating documentation appears excessively long, especially when one considers that this Reliability Standard establishes a line of defense for protecting critical cyber assets and that up-to-date documentation is essential in case of an emergency.

262. NERC and ReliabilityFirst state that the 90-day time period is appropriate, given the nature and type of facilities and their locations, particularly in light of the potential need for internal reviews and approvals by a number of people or groups of people before a documentation change can be effected. ReliabilityFirst adds that the 90-day period also takes into account possible management changes or extended time out of the office.

Commission Proposal

263. The Commission proposes to direct the ERO to modify Requirement R9 to state that the changes resulting from modifications to the system or controls shall be documented within a 30-day time period. We believe that the planning and engineering of system and control modifications require sufficient lead time to enable the documentation of such modifications to take place within a 30 calendar day timeframe.

i. Commission Proposal Summary

264. In summary, the Commission proposes to approve Reliability Standard CIP–007–1 as mandatory and enforceable. In addition, the Commission proposes to direct the ERO, pursuant to section 215(d)(5) of the FPA and § 39.5(f) of our regulations to develop modifications to CIP–007–1 through its Reliability Standards development process that: (1) Modify Requirement R1 and its subparts to require documentation of each significant difference between the testing and the production environments, and how each such difference is mitigated or otherwise addressed; (2) revise Requirement R2 and its subparts to remove the ‘‘acceptance of risk’’ language and apply the same conditions and reporting requirements here for ‘‘technical limitations’’ as imposed elsewhere in this NOPR for ‘‘technical feasibility;’’ (3) remove the ‘‘acceptance of risk’’ provision from Requirement R3 and R4; (4) modify Requirement R4 to include safeguards against personnel introducing, either maliciously or

in Requirement R6.3 for the support of incident response as required in CIP–008–1 is the retention period required by CIP–008–1, i.e., three years; (8) revise Requirement R7 of the Reliability Standard to clarify that the issue is less one of erasure than of assuring that there is no opportunity for unauthorized retrieval of data from a cyber asset prior to discarding it or redeploying; (9) provide more direction on what features, functionality, and vulnerabilities the responsible entities should address when conducting the vulnerability assessments; (10) revise Requirement R8.4 to require an entity-imposed timeline for completion of the already-required action plan; and (11) revise Requirement R9 to state that the changes resulting from modifications to the system or controls shall be documented within 30 days.

7. CIP–008–1—Incident Reporting and Response Planning

265. Proposed Reliability Standard CIP–008–1 requires a responsible entity to identify, classify, respond to, and report cyber security incidents related to critical cyber assets. Specifically, Requirement R1 of CIP–008–1 requires responsible entities to develop and maintain an Incident Response Plan that addresses responses to a cyber security incident. The plan should characterize and classify pertinent events as reportable cyber security incidents and provide corresponding response actions. The response actions should include: (1) The roles and responsibilities of the incident response teams, (2) procedures for handling incidents, and (3) associated communication plans. In addition, cyber security incidents must be reported to the ESISAC either directly or through an intermediary. The Incident Response Plan should be reviewed and tested at least annually. Changes to the Incident Response Plan

a. Definition of a Reportable Incident

267. The CIP Assessment noted that Requirement R1 of CIP–008–1 makes reference to reportable cyber security incidents, but it does not provide a definition of a ‘‘reportable incident.’’ Consequently, cyber security incidents may go unreported depending upon a responsible entity’s interpretation of a ‘‘reportable incident.’’ 107

268. NERC and ReliabilityFirst affirm the CIP Assessment concern, stating that each responsible entity is required to develop the required procedures for the determination of a reportable incident. They add that the definition of a reportable incident is currently undergoing extensive industry debate.

269. A number of commenters state that FERC should require NERC to clarify what types of cyber security incidents are ‘‘reportable incidents.’’ National Grid points out that the Commission should seek to ensure that any further interpretation of what is considered a reportable incident be consistent with the reporting obligations of utilities under the DOE Form 417. Allegheny suggests that, in order to maintain consistency, the DOE Form 417 reporting requirements should be referenced as part of the Reliability Standard. Progress Energy, on the other hand, states that such increased specificity is not possible and would be subject to constant revision in response to ever-changing incidents or threats to cyber systems.

Commission Proposal

270. The Commission believes that guidance regarding what should be included in the term ‘‘reportable incident’’ can be provided. The Blackout Report pointed out the need for ‘‘uniform standards for the reporting and sharing of physical and cyber security incident information’’ in Recommendation 42.108 As NERC and ReliabilityFirst state, the definition of a ‘‘reportable incident’’ is currently
unintentionally, viruses or malicious are to be documented within 90 days.
software to a cyber asset within the undergoing extensive industry debate.
Responsible entities must retain
electronic security perimeter through documentation related to reportable 107 CIP Assessment at 36. The CIP Assessment
remote access, electronic media, or cyber security incidents for a period of recognized that NERC’s FAQ document answers the
other means; (5) ensure that references question of ‘‘what is a reportable incident?’’ by
three years.
to ‘‘technical feasibility’’ in CIP–007–1 referencing definitions in the ESISAC Indications,
are subject to the same conditions and 266. The Commission proposes to Analysis, and Warnings Program guidelines
approve Reliability Standard CIP–008–1 document entitled ‘‘Indications, Analysis and
reporting requirements discussed Warnings Program Standard Operating Procedure’’
elsewhere; (6) revise Requirement R6 to as mandatory and enforceable. In and the Department of Energy Form OE 417 Report
include a requirement that logs be addition, we propose to direct the ERO entitled ‘‘Electric Emergency Incident and
reviewed on a weekly basis for readily to develop modifications to this Disturbance Report.’’ However, since these
materials are not incorporated into the proposed
accessible critical assets and reviewed Reliability Standard. In our discussion
jlentini on PROD1PC65 with PROPOSALS3

CIP Reliability Standards, CIP–008–1 remains


within the retention period for assets below, the Commission addresses its ambiguous in this regard. North American Electric
that are not readily accessible; (7) revise concerns in the following topic areas Reliability Council, Frequently Asked Questions
Requirement R6.4 to clarify that while regarding CIP–008–1: (1) Definition of a (FAQs) Cyber Security Standards CIP–002–1
through CIP–009–1, March 6, 2006, page 27,
the retention period for all logs reportable incident; (2) reporting; and question 1.
specified in Requirement R6 is 90 days, (3) full operational exercises and lessons 108 See also Blackout Report at 168,

the retention period for logs mentioned learned. Recommendation 42.

VerDate Aug<31>2005 18:22 Aug 03, 2007 Jkt 211001 PO 00000 Frm 00031 Fmt 4701 Sfmt 4702 E:\FR\FM\06AUP3.SGM 06AUP3
44000 Federal Register / Vol. 72, No. 150 / Monday, August 6, 2007 / Proposed Rules

This debate can be a catalyst for developing an appropriate level of guidance. As noted in the NERC Glossary, a "cyber security incident" is defined as a compromise, or an attempt to compromise, the electronic security perimeter or physical security perimeter of a critical asset. The Commission proposes to direct the ERO to: (1) Develop and include in CIP–008–1 language that takes into account a breach that may occur through cyber or physical means;[109] (2) harmonize, but not necessarily limit, the meaning of the term reportable incident with other reporting mechanisms, such as DOE Form 417; (3) recognize that the term should not be triggered by ineffectual and untargeted attacks that proliferate on the internet; and (4) ensure that the guidance language that is developed results in a Reliability Standard that can be audited and enforced.

b. Reporting

271. CIP–008–1, Requirement R1.3, requires that each responsible entity establish a process for reporting cyber security incidents to the ESISAC. The responsible entity must ensure that all reportable cyber security incidents are reported to the ESISAC either directly or through an intermediary.

272. ESISAC procedures require the reporting of a cyber incident within one hour of a suspected malicious incident. However, compliance with ESISAC's Indications, Analysis and Warnings Program (IAW) Standard Operating Procedure (SOP) is voluntary. The CIP Assessment noted the importance of other responsible entities receiving timely information regarding a reportable cyber security incident, so they can take precautions against being the target of a similar incident. The CIP Assessment stated that, depending upon the nature of the incident, timelines of incident reporting may be critical. It expressed concern with regard to the voluntary nature of the one-hour reporting requirement associated with ESISAC's IAW SOP. Therefore, the CIP Assessment requested comment on whether CIP–008–1 should incorporate ESISAC's one-hour reporting limit or another reporting interval that would provide adequate time for another responsible entity to take meaningful precautions.

273. NERC and ReliabilityFirst agree that rapid reporting is desirable. However, they state that imposing a specific time period is not advisable because, when an event occurs, the need to meet a reporting deadline should not be the entity's primary concern; rather, restoration of operations must take precedence. NERC and ReliabilityFirst state that ESISAC's IAW SOP is intentionally not a part of this Reliability Standard, and is classified as a guideline, because it has not been through the ERO standards development process. These commenters believe the requirement is to report incidents to the ESISAC, with the implication that an established ESISAC reporting protocol is to be used.

274. APPA/LPPC do not believe that incorporating the ESISAC one-hour reporting limit or any other deadline would provide adequate time for another responsible entity to take meaningful precautions to prevent a cyber attack. Cyber attacks are designed to occur nearly simultaneously in more than one location. Thus, even an extremely short deadline, such as one minute, is unlikely to provide other responsible entities time to take precautions. Nonetheless, APPA/LPPC suggest that, if a deadline is prescribed, it should run from the discovery of the incident by the responsible entity, and not from the occurrence of the incident.

275. Several commenters argue against any time limit for reporting security incidents. They believe the requirement to report such incidents to the ESISAC is sufficient. Wisconsin Electric notes that using the same one-hour limit in CIP–008–1 as in the ESISAC IAW SOP would not represent a new performance threshold to the industry.

Commission Proposal

276. The Commission believes that the ESISAC one-hour reporting limit is reasonable and proposes that it be incorporated into CIP–008–1. We reach this conclusion for several reasons. First, although it is true that cyber attacks against different entities could occur simultaneously, it would still be extremely useful to those attempting to defend against those attacks to know what kind of threat they are dealing with. The fact that simultaneous attacks are directed at other entities would be important information about the nature of the attacks.

277. Second, while the Commission agrees that, in the aftermath of a cyber attack, restoring the system is the utmost priority, we do not believe that sending this short report would be a time consuming distraction, and we judge that its probative value would justify the minimal time spent in making this report.

278. Third, the Commission disagrees with commenters that believe that a reporting limit will not provide others with time for responsive action to mitigate other potential Cyber Security Incidents. While a reporting time limit may not allow such mitigation in every situation, it very well could allow such mitigation in many situations.

279. Fourth, although ESISAC's time limit is voluntary, a one hour NERC reporting time limit would match up with the ESISAC reporting time limit and, thus, would avoid conflicting requirements and would not cause any new reporting burden.

280. Thus, the Commission proposes to direct the ERO to modify CIP–008–1 to require a responsible entity to contact appropriate government authorities and industry participants in the event of a Cyber Security Incident as soon as possible, but, in any event, within one hour of the event, even if it is a preliminary report. While we leave development of the details to NERC, the Commission agrees with APPA/LPPC that the reporting timeframe should run from the discovery of the incident by the responsible entity, and not the occurrence of the incident.

c. Full Operational Exercises and Lessons Learned

281. The CIP Assessment stated that the annual testing of the Incident Response Plan should require full operational exercises due to the potential for such exercises to uncover unforeseen complications.[110] In addition, it indicated that CIP–008–1 does not require documentation or reassessment of a plan's adequacy as a result of lessons learned from testing or in response to specific issues.

282. NERC and ReliabilityFirst state that there are many instances in substations or power plants where backup or fully functional test systems do not exist, making a full operational exercise an extremely risky proposition. Because of this, NERC and ReliabilityFirst believe that a universal requirement for a full operational exercise may be unduly disruptive and burdensome to reliable operations, and represent a threat to the overall reliability of the Bulk-Power System. NERC and ReliabilityFirst believe that table-top exercises are sufficient to test the effectiveness of an Incident Response Plan. Several commenters agree. Ontario IESO posits that there is no evidence that a paper drill would be materially inferior to an operational exercise.

[109] The Commission emphasizes that a cyber security incident that does not result in a material loss of physical assets should not prevent the incident from being reported.

[110] CIP Assessment at 37.

283. A number of commenters believe that requiring a full operational exercise during the three-year documentation cycle and paper drills during the other two years should provide the desired benefits of testing the Incident Response Plan. An actual incident response would satisfy the need for a full operational exercise during a three-year cycle. One commenter, the ISA Group, believes that full operational exercises should be mandated at least yearly. Wisconsin Electric states that, if full drills become a requirement, they should be conducted every five years, with paper drills only when the process or procedure is created or changed.

284. Several commenters note that there may be a significant benefit in executing an operational exercise over a paper drill, but note that an operational exercise also can require expensive back-up systems and may unnecessarily risk damaging system functionality in case of an error or unforeseen system effect. Georgia System believes each responsible entity has to determine whether the incremental benefit from a yearly exercise is worth the costs and reliability risks associated with the exercise. MidAmerican states it could support full operational exercises for a limited number of critical assets, with paper exercises for the remaining facilities. National Grid suggests that operational drills are more appropriate for actual recovery plans under CIP–009–1, and paper drills are more than adequate to assess whether the response plans under CIP–008–1 identify and alert the right responders. Xcel Energy is concerned that operational drills (like vulnerability tests) could cause an inadvertent disruption to EMS and SCADA systems.

285. NERC and ReliabilityFirst state that collection and maintenance of lessons learned, and plan improvement are included in the "update" language of Requirement R1.4. Allegheny states that documentation and implementation of lessons learned is a critical part of any incident response or drill. As such, Allegheny believes the need to maintain a collection of lessons learned as a result of testing the Incident Response Plan and to apply them to plan improvements is necessary to ensure response plans remain viable. Wisconsin Electric submits that lessons learned from incident response exercises should be documented as well as audited for completion of any enhancements to the process.

Commission Proposal

286. We understand from commenters that annual testing may be costly and disruptive. Nonetheless, periodic operational drills are important because they may reveal weaknesses, vulnerabilities, and opportunity for improvement that a paper drill would not identify. The Commission agrees with the commenters that suggest that a full operational exercise should be performed at least once every three years, and that tabletop exercises are sufficient for the other two years. We believe this strikes an appropriate balance between the benefits of executing an operational exercise and the associated costs and potential risks of misoperations. Therefore, the Commission proposes to direct the ERO to revise the Reliability Standard to require responsible entities to perform a "full operational exercise" at least once every three years, or to fully document its reason for not conducting an exercise in full operational mode pursuant to the technical feasibility parameters discussed earlier in section II.A.5.b. Further, the Commission proposes to direct the ERO to provide guidance on the meaning of the term "full operational exercise."[111]

287. The Commission believes that industry will benefit from a requirement to document and implement lessons learned from testing or responses to actual cyber security incidents. Although NERC and ReliabilityFirst suggest that this is included in the "update" language of Requirement R1.4, we believe that the Reliability Standard would be improved by making a "lessons learned" requirement explicit. Therefore, the Commission proposes to direct that the ERO refine CIP–008–1, Requirement R2 to require responsible entities to maintain documentation of paper drills, full operational drills, and responses to actual incidents, all of which must include lessons learned. The Commission also proposes to direct the ERO to include language to require revisions to the Incident Response Plan to address these lessons learned.

d. Commission Proposal Summary

288. In summary, the Commission proposes to approve Reliability Standard CIP–008–1 as mandatory and enforceable. In addition, the Commission proposes to direct the ERO, pursuant to section 215(d)(5) of the FPA and § 39.5(f) of our regulations to develop modifications to CIP–008–1 through its Reliability Standards development process that: (1) Develop and include language regarding the term "reportable incident" that takes into account a breach that may occur through cyber or physical means; (2) harmonize, but not necessarily limit, the meaning of the term reportable incident with other reporting mechanisms, such as DOE Form 417; (3) recognize that the term "reportable incident" should not be triggered by ineffectual and untargeted attacks that proliferate on the internet; (4) ensure that the guidance language that is developed results in a Reliability Standard that can be audited and enforced; (5) require a responsible entity to contact appropriate government authorities and industry participants in the event of a Cyber Security Incident as soon as possible, but at least within one hour of the event, even if it is a preliminary report; (6) require responsible entities to perform a "full operational exercise" at least once every three years, or to fully document its reason for not conducting an exercise in full operational mode pursuant to the technical feasibility parameters discussed earlier herein and provide guidance on the meaning of the term "full operational exercise;" (7) refine Requirement R2 to require responsible entities to maintain documentation of paper drills, full operational drills, and responses to actual incidents, all of which must include lessons learned; and (8) require revisions to the Incident Response Plan to address the lessons learned.

8. CIP–009–1—Recovery Plans for Critical Cyber Assets

289. The purpose of proposed Reliability Standard CIP–009–1 is to ensure that recovery plans for critical cyber assets are in place and following established business continuity and disaster recovery techniques and practices. This Reliability Standard establishes required development, updating, and testing of recovery plans, as well as storage and testing of associated backup data and backup media.

290. The Commission proposes to approve Reliability Standard CIP–009–1 as mandatory and enforceable. In addition, we propose to direct the ERO to develop modifications to this Reliability Standard. Further, the Commission also proposes to require the ERO to consider various other matters of clarification, guidance, and modification. In our discussion below, the Commission addresses its concerns in the following topic areas regarding CIP–009–1: (1) Recovery plans; (2) forensic data collection; (3) operational exercises; (4) recovery plan updates; (5) backup and storage of restoration data and (6) testing of backup media.

[111] We address the meaning of the term "full operational exercise" in section II.B.8.c below.
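The CIP–009–1 discussion that follows (paragraphs 297 and 298 on forensic data collection, paragraph 309 on backups made for recovery purposes) names two minimal practices: taking a data mirror of the affected system before recovery proceeds, and testing a backup before it is stored and assumed to be operational. The script below is an added example and is not text from the NOPR or code from NERC or FERC; it assumes Python 3 and uses a constructed file as a stand-in for the asset's drive. The manifest fields and function names are the example's own, not anything the Reliability Standard prescribes.

```python
"""Verified imaging of a cyber-asset volume before recovery (added example).

Shows the ordering the NOPR discussion describes: image first, verify the image
by an independent re-read, write a manifest, and re-verify the stored image
before it is relied on as a restoration source. The sample volume is a
constructed file, not a real device.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # 1 MiB reads keep memory flat on multi-GB volumes


def sha256_of_file(path, chunk_size=CHUNK_SIZE):
    """SHA-256 of a file, streamed so large images need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_volume(source, image_path, chunk_size=CHUNK_SIZE):
    """Copy `source` byte-for-byte to `image_path`, hashing the source as it is
    read, then re-hash the written image independently. Returns a manifest.

    The source is opened read-only; on real media a hardware write-blocker
    would enforce that. Imaging happens before any recovery step touches
    the asset.
    """
    digest = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            digest.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    manifest = {
        "source": os.path.abspath(source),
        "image": os.path.abspath(image_path),
        "size_bytes": size,
        "sha256": digest.hexdigest(),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    # Verify by re-reading the image, not by trusting the copy loop above.
    manifest["verified_on_acquisition"] = (
        sha256_of_file(image_path) == manifest["sha256"]
    )
    return manifest


def write_manifest(manifest, manifest_path):
    """Persist the manifest beside the image so the hash travels with it."""
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def verify_image(image_path, manifest_path):
    """Re-check a stored image against its manifest. Run this before the
    image is treated as a usable restoration source, and again whenever it
    is moved or copied."""
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    if os.path.getsize(image_path) != manifest["size_bytes"]:
        return False
    return sha256_of_file(image_path) == manifest["sha256"]


def demo():
    """Image a constructed sample volume, verify it, then corrupt one byte of
    the stored image and confirm verification fails. Returns (ok, ok_after)."""
    with tempfile.TemporaryDirectory() as workdir:
        volume = os.path.join(workdir, "hmi-disk.bin")   # constructed sample
        image = os.path.join(workdir, "hmi-disk.img")
        manifest_path = os.path.join(workdir, "hmi-disk.json")
        # Constructed content: a fake boot sector plus ~3 MiB of random bytes.
        with open(volume, "wb") as fh:
            fh.write(b"CONSTRUCTED-SAMPLE-BOOT-SECTOR".ljust(512, b"\0"))
            fh.write(os.urandom(3 * 1024 * 1024 + 7))
        manifest = image_volume(volume, image)
        write_manifest(manifest, manifest_path)
        ok = manifest["verified_on_acquisition"] and verify_image(image, manifest_path)
        # Simulate silent corruption of the stored image: flip one byte.
        with open(image, "r+b") as fh:
            fh.seek(1024)
            original = fh.read(1)
            fh.seek(1024)
            fh.write(bytes([original[0] ^ 0xFF]))
        ok_after = verify_image(image, manifest_path)
    return ok, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The size check in `verify_image` runs before the hash so a truncated image is rejected without a full re-read; the hash catches everything else. Keeping the manifest as a separate file is a design choice so that the image itself is never modified after acquisition.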

a. Recovery Plans

291. Requirement R1 of CIP–009–1 requires the responsible entity to create and annually review recovery plans for critical cyber assets. The CIP Assessment expressed concern that the "events or conditions of varying duration and severity that would activate the recovery plan(s)" language is very general and does not provide or require a definition of what constitutes a precipitating event or triggering condition necessary for recovery plan implementation.

292. NERC, MidAmerican, Xcel, and Allegheny comment that providing additional detail will limit the scope of potential "precipitating events" addressed by recovery plans, and will not provide for the needed flexibility. NERC states that the determination of which events warrant a recovery plan is intentionally left to the discretion of responsible entities. Wisconsin Electric and others agree with the CIP Assessment that additional clarification should be added to this Requirement.

Commission Proposal

293. The Commission shares the concern that "precipitating events" are readily recognized by responsible entities so that recovery plans are promptly implemented. While we do not propose to require modifications regarding the "events and conditions" language at this time, we do note that Requirement R1 fails to state that the plans it requires must be implemented when needed. That is, it requires that recovery plans must be "created and reviewed" but does not explicitly require actual implementation when the "events or conditions of varying duration and severity" occur. We propose to direct the ERO to modify CIP–009–1 to include this requirement. In the interim period, the Commission will infer that implementation is embodied in this Requirement when enforcing it; i.e., if an entity has the required recovery plan but does not implement it when the anticipated event or conditions occur, the entity will not be in compliance with this Reliability Standard.

b. Forensic Data Collection

294. The CIP Assessment pointed out that Requirement R1 does not provide guidance on whether and how the recovery plans should preserve data for forensics purposes. In particular, Requirement R1 does not specify whether forensics collection should occur prior to, contemporaneously with, or after recovery of the critical cyber assets.

295. NERC, ReliabilityFirst, and PG&E assert that there are no Bulk-Power System reliability issues associated with forensic data collection, and that there is a possibility that collection of forensic data could impede the restoration of cyber assets, which in turn could affect the reliable operation of the Bulk-Power System. NERC comments that each entity must consider the balance between data collection and actions required to rapidly restore the electric power transmission. NERC states that after-the-fact recovery of incident data cannot be assumed to be technically possible on legacy equipment and that, therefore, it cannot be a requirement. Georgia System stresses that restoring the Bulk-Power System should remain the foremost objective of all immediate efforts, over issues of data collection.

296. Allegheny comments that forensics collection should also be addressed within this range of plans. Noting again that one size does not fit all in regards to scenarios for recovery planning, Allegheny says that forensic collection should be addressed in each of the plans that addresses the various scenarios.

Commission Proposal

297. The Commission is concerned that Requirement R1 of CIP–009–1 does not require the collection of forensics data and does not address how such collection activities relate to restoration of service efforts. The Commission believes that concern for the reliability of the Bulk-Power System requires attention to forensics data collection. The Blackout Report also emphasized the need to improve forensics and diagnostic capabilities in Recommendation 37.[112] Obtaining forensic data will benefit the long-term reliability of the Bulk-Power System because the lessons learned from one event assist in eliminating or dealing with a repeat (or similar) event. Forensic data collection procedures could be as minimal as preserving a corrupted drive, making a data mirror of the system before proceeding with recovery, or taking the important assessment steps necessary to avoid reintroducing the precipitating or corrupted data. Technical capabilities to do so will likely vary with the facility, and many legacy systems present considerable technical limitations in this regard. In the interest of "raising the bar" above what the least capable equipment can do to collect forensic data, the Commission proposes to direct the ERO to modify CIP–009–1 to incorporate use of good forensic data collection practices into this CIP Reliability Standard.

298. In addition, we agree with commenters that recovery of critical cyber assets and the Bulk-Power System is of short-term critical importance, and information collection efforts should not impede or restrict system restoration. Nonetheless, it is also important to long-term reliability interests that responsible entities make solid forensic efforts in a given situation, such as collecting the data immediately after system restoration or the recovery of critical cyber assets, if that is what can be done. We recognize that collecting forensic data may not be "technically feasible" for all situations due to equipment limitations, such as older substation installations with little electronic monitoring. Therefore, we suggest that forensic data collection is an appropriate candidate for the "where technically feasible" exception clause, where, if invoked, the responsible entity would be required to propose interim actions, milestone schedules, and a mitigation plan, as described elsewhere in this NOPR. We agree with commenters that the recovery plans should include forensic data collection procedures. Therefore, we propose to direct the ERO, when incorporating the use of good forensic data collection practices into this Reliability Standard, to make clear that such practices should not impede or restrict system restoration and to consider whether it is necessary to include a "technical feasibility" provision.

c. Operational Exercises

299. Requirement R2 of CIP–009–1 requires the responsible entity to exercise recovery plans at least annually, and that such exercise can range from a paper drill, to a full operational exercise, to recovery from an actual incident. The CIP Assessment asked whether full operational exercises should be required to aid in identifying potential problems and in realizing opportunities for improving recovery plans.[113]

300. NERC and others believe that table-top exercises (or paper drills) are sufficient, and consistent with accepted practice used to test blackstart procedures. NERC cautions that full operational exercises may be extremely risky because many substations or power plants do not have backup or fully functional test systems. NERC, therefore, believes that a universal requirement for full operational

[112] See Blackout Report at 166, Recommendation 37.

[113] CIP Assessment at 38.

exercises may be unduly disruptive and burdensome to reliable operations.

301. ISA Group and others support required periodic operational testing of restoration plans. California PUC recommends annual testing through a full operational exercise; and Allegheny supports operational exercises on a three-year cycle. Wisconsin Electric suggests that a one-time full operational test of the process would be beneficial. Georgia Operators supports periodic operational testing, with the caveat that each entity should determine whether the benefit is worth the costs and reliability risks associated with such an exercise. MidAmerican states that it could support full operational exercises for a limited number of critical assets.

Commission Proposal

302. The Commission agrees with the commenters that stress the benefits of operational exercises; i.e., that potential problems, some of which could significantly impair reliability, will not be found without them. We do not believe that table-top exercises alone, on an ongoing basis, will suffice, given the increasing complexity and interconnection of control systems. Some commenters acknowledge the benefits of operational exercises, but believe they should occur only on a limited basis. We agree with this approach, with the cautionary note that technical feasibility and risks must be carefully weighed with the possible benefits. We acknowledge that some infrastructure facilities exist for which even limited operational exercises present unsuitable reliability risks. However, we conclude that benefits from operational exercises are sufficient that the industry as a whole should develop suitable operational exercises in the course of evolving good cyber security practices.

303. Accordingly, the Commission proposes to direct the ERO to develop modifications to the Reliability Standard through its Reliability Standards development process to require a full operational exercise once every three years (unless an actual incident occurs), but to permit reliance on table-top exercises annually in other years. Further, we propose, in conjunction with the above proposed modification, that the ERO consider the appropriateness of a "technical feasibility" option, in the limited fashion proposed earlier in this NOPR.[114] For example, CIP–009–1 could be modified to allow for partial operational exercises, reduced from "full operational exercises," only to the extent a responsible entity explains and documents, for a particular substation or a particular generating plant, technical infeasibility with the requisite interim actions, milestone schedules, and a mitigation plan, as described elsewhere in this NOPR.

304. We note that NERC points out a lack of clarity of the term "full operational exercise." The Commission agrees and therefore proposes to direct the ERO, in conjunction with making the above modifications, to either define in its Glossary the term "full operational exercise" or provide more direction directly in the Reliability Standard as to the parameters of the term. As NERC and ReliabilityFirst note, many operational exercise practices include table-top components in significant proportions.

d. Recovery Plan Updates

305. Requirement R3 requires the responsible entity to update the recovery plans to reflect any changes or lessons learned from an exercise or the recovery from an actual event. It requires plan updates to be communicated to the personnel responsible for activating or implementing the recovery plan within 90 days of the change. The CIP Assessment noted that individuals responsible for activation and implementation of process changes in the recovery plans must have the most current information available, and questions whether a 90-day time lag is consistent with this objective.

306. NERC comments that a shorter time frame is impractical due to the number, kind and location of assets, especially field assets. Santa Clara agrees with the CIP Assessment that recovery plans must be updated as soon as possible after an event, but also states that 90 days is reasonable for completion of training for all affected personnel. Santa Clara notes that it may not be feasible to include all shift schedules of personnel in training sessions in a timeline shorter than 90 days.

307. ISO/RTO Council agrees with the CIP Assessment that updates to such documents generally can be performed sooner than 90 days. ISO/RTO Council suggests that timely updating should be a formal component of any assessment or review process, especially with regard to after-the-fact analyses and timely application of lessons learned. ISA Group states that a 90-day time lag to activate or implement process changes in recovery plans after deficiencies are discovered is not

one week to identify any process workarounds and 30 days to modify equipment as necessary.

Commission Proposal

308. Requirement R3 of CIP–009–1 requires that updates to a recovery plan be communicated within 90 days to the personnel responsible for activating or implementing the recovery plan. The Commission is concerned that individuals responsible for activating and implementing the recovery plan must have the most current information available, and believes that a 90-day time lag between when a weakness in a recovery plan is discovered and when it is corrected and communicated to such responsible personnel is too long. Failure of such responsible personnel to have current information about a recovery plan could cause unnecessary delay in restoring critical cyber assets to service and thereby jeopardize the reliability of the Bulk-Power System. Therefore, the Commission proposes to direct the ERO to modify Requirement R3 of CIP–009–1 to shorten the timeline for updating recovery plans to 30 days, while continuing to allow up to 90 days for completing the communications of that update to responsible personnel. We believe a 30 day requirement for updating the recovery plans will promote timely incorporation of lessons learned during exercises and actual events. While key personnel should be informed as soon as possible, we agree with SPP and others that 90 days is reasonable for the completion of personnel training sessions, due to varied shift schedules and other feasibility issues with regard to facility and organization.

e. Backup and Storage of Restoration Data

309. Requirement R4 requires that a recovery plan include processes and procedures for the backup and storage of information necessary to successfully restore critical cyber assets. The CIP Assessment asserted that the Requirement should specify that, when significant changes are made to the operational control system, a backup should be made for recovery purposes and that it should be tested as part of the system change before it is stored and assumed to be operational.

310. NERC and ReliabilityFirst state that this concern is mitigated by the generally accepted practice of maintaining multiple generations of backup. NERC states that "backup made for recovery purposes" is contained in the "supporting configuration management activities" clause of CIP–

[114] See section II.A.5.b (Technical Feasibility and
Acceptance of Risk). acceptable. ISA Group suggests up to 003–1, Requirement R6.
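The practice at issue in this subsection (paragraphs 309 and 310 above and the comments that follow them) is that a backup made when the control system changes is tested before it is stored and relied upon, that every backup cycle is verified and a failed cycle is recorded rather than silently skipped, and that more than one generation is retained so that an older, already-tested backup remains available if the newest one fails. The block below is an added example written for this page; it is not code from the NOPR, from NERC or from any CIP Reliability Standard. It stands in for real backup media with an in-memory tar archive, uses a constructed sample of control-system configuration files, and takes a `media_fault` hook that exists only to simulate a bad write; all of these are assumptions made for the demonstration.

```python
"""Backup-and-verify cycle with generation retention.
Added example for the backup and restoration discussion above; not FERC or NERC code."""
import hashlib
import io
import tarfile
from dataclasses import dataclass, field

# Constructed sample of control-system files (assumption for the demo, not real data).
SAMPLE_FILES = {
    "etc/scada/config.ini": b"[hmi]\npoll=5\n",
    "etc/scada/points.csv": b"id,tag\n1,BRK_101\n",
}


@dataclass
class Generation:
    """One stored backup generation together with its verification record."""
    seq: int
    archive: bytes
    digest: str        # SHA-256 of the archive as it was meant to be written
    verified: bool     # trial restore matched the source when the backup was made


@dataclass
class BackupStore:
    """Keeps the newest `max_generations` verified generations and records every failure."""
    max_generations: int = 3
    generations: list = field(default_factory=list)
    failures: list = field(default_factory=list)   # seq numbers whose verification failed
    next_seq: int = 1


def pack(files: dict) -> bytes:
    """Write {path: bytes} into an in-memory tar archive (stands in for backup media)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(files):
            info = tarfile.TarInfo(name=path)
            info.size = len(files[path])
            tar.addfile(info, io.BytesIO(files[path]))
    return buf.getvalue()


def trial_restore(archive: bytes) -> dict:
    """Extract the archive back into {path: bytes}; raises if the media is unreadable."""
    restored = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                restored[member.name] = tar.extractfile(member).read()
    return restored


def restorable(gen: Generation) -> bool:
    """Integrity check run on every cycle and again before any restore: the hash must
    still match and the archive must still extract, so silent media damage is noticed."""
    if hashlib.sha256(gen.archive).hexdigest() != gen.digest:
        return False
    try:
        trial_restore(gen.archive)
        return True
    except (tarfile.TarError, OSError):
        return False


def backup_cycle(store: BackupStore, files: dict, media_fault=None) -> Generation:
    """One cycle: write, hash, trial-restore and compare with the source, then either
    retain the generation or record the failure. `media_fault` is a constructed hook
    (assumption for the demo) that damages the archive to simulate a failed write."""
    seq, store.next_seq = store.next_seq, store.next_seq + 1
    archive = pack(files)
    digest = hashlib.sha256(archive).hexdigest()
    if media_fault is not None:
        archive = media_fault(archive)
    gen = Generation(seq=seq, archive=archive, digest=digest, verified=False)
    gen.verified = restorable(gen) and trial_restore(archive) == files
    if not gen.verified:
        store.failures.append(seq)     # the failed cycle is recorded, never silently skipped
        return gen
    store.generations.append(gen)
    del store.generations[:-store.max_generations]   # drop the oldest beyond retention
    return gen


def restore_candidate(store: BackupStore):
    """Newest generation that still passes the integrity check; older ones are the "Plan B"."""
    for gen in reversed(store.generations):
        if restorable(gen):
            return gen
    return None
```

The check before retention is the point the CIP Assessment makes in paragraph 309: a backup that cannot be restored is not stored as if it were operational. Recording every failed cycle in `failures` is what lets an operator notice that a backup process has stopped working, and `restore_candidate` re-verifies at restore time so that a generation damaged after it was written is passed over in favour of the previous tested one.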

311. Progress Energy agrees with the CIP Assessment that a backup should be tested before it is stored, but believes that the frequency of testing should be left to the discretion of the responsible entity. SPP asserts that backups should be made routinely and regularly, not just upon a significant change to the configuration. SPP notes that a properly configured backup and restoration testing process obviates the need to make special backups upon occurrence of the significant changes to existing critical assets defined by CIP–007–1, Requirement R1.

Commission Proposal

312. The Commission proposes to instruct the ERO to modify this Reliability Standard to incorporate guidance that the backup and restoration processes and procedures required by Requirement R4 should include, at least with regard to significant changes made to the operational control system, verification that they are operational before the backups are stored or relied upon for recovery purposes.

313. The Commission agrees with NERC that preserving multiple generations of restoration backups is common practice, and believes that competent and complete implementation of the CIP Reliability Standards would tend to include testing of recovery backups as they are created, also as a matter of good, efficient practice. However, we disagree with NERC that exercising these good practices is contained in, implied by, or readily understood from Requirement R6 of CIP–003–1. Adding language, such as "these procedures are to include practices to test and verify the operability of the backup before it is stored and relied upon for recovery," would eliminate this ambiguity. As stated above, in our discussion of the change control processes required by Requirement R6 of CIP–003–1, the Commission reiterates its position that there is a need for enhanced direction in issues related to proper change control. The CIP Reliability Standards should specifically state that a change control process should include procedures for a tested backup. No backups of any kind are mentioned in CIP–003–1, Requirement R6.

f. Testing of Backup Media

314. Requirement R5 requires annual testing of information stored on backup media to ensure information essential to recovery is available. The CIP Assessment noted the criticality of such information being accessible in the event of an actual incident, noted that the Reliability Standard does not specify any actions to be taken in the event of a failure in testing, and asked whether such testing should also be conducted on a more frequent basis.

315. NERC and ReliabilityFirst comment that, since the Reliability Standards cannot predict what technology will be used, they should not specify actions in response to testing. They believe that routine use of backups will serve to exercise the media more often than the specified one-year test. Likewise, Georgia System states that annual testing is more than adequate, even unnecessary, if no significant changes were made to the system; and more prescriptive Reliability Standards should be developed only if experience shows that discretion exercised in implementation of the Reliability Standards is abused.

316. Santa Clara agrees with the CIP Assessment that testing of information stored on backup media is crucial to the integrity of those backup systems. It submits that such testing could be done on a periodic basis, and in an "off-line" mode if necessary. Santa Clara has found it beneficial to maintain more than one set of backups so that, if the latest backup fails, the previous backup has been tested and validated, leaving a "Plan B" restoration solution available until the latest backup system is corrected.

317. Constellation adds that review of the backup and recovery plans is implicit if the annual review of the Cyber Security Policy already required by the CIP Reliability Standards is performed competently. SPP agrees that restoration testing is only one part of a more comprehensive backup plan, noting that the entity needs to have procedures to verify backups are successfully completed every cycle, and procedures for when the backup fails. SPP points out that failure to notice that a backup process has failed poses a far greater risk than infrequency of testing, as long as the backup process is properly managed.

Commission Proposal

318. The Commission agrees with commenters that, if these CIP Reliability Standards are implemented in a full and competent manner, then adequate backup verification measures will probably be in place. Reliability Standards, however, demand a higher degree of certainty. The proposed Reliability Standards do not provide the guidance that SPP offers: that responsible entities need to have procedures to verify backups are successfully completed every cycle and to have recovery procedures in place for when the backup fails. The Commission agrees with SPP on this point.

319. The Commission proposes to direct the ERO to modify this Reliability Standard to provide direction that backup practices include regular procedures to ensure verification that backups are successful and backup failures are addressed, thus guaranteeing that backups are available for future use. Insertion of language such as, "backup procedures are to include regular verification of successful completion and procedures to address backup failures" would satisfy this goal. We agree that inability to recognize the failure of a backup process poses a great risk, and that the annual restoration testing in this Requirement is adequate as long as the backup process is properly managed.

g. Commission Proposal Summary

320. In summary, the Commission proposes to approve Reliability Standard CIP–009–1 as mandatory and enforceable. In addition, the Commission proposes to direct the ERO, pursuant to section 215(d)(5) of the FPA and § 39.5(f) of our regulations to develop modifications to CIP–009–1 through its Reliability Standards development process that: (1) Clarify Requirement R1 to make clear that the required recovery plans must be implemented when the "events or conditions of varying duration and severity" occur; (2) incorporate use of good forensic data collection practices, and make clear that such practices should not impede or restrict system restoration and to consider whether it is necessary to include a "technical feasibility" provision with the parameters discussed above; (3) define in the NERC glossary the term "full operational exercise" or provide more direction directly in the Reliability Standard as to the parameters of the term; (4) require a full operational exercise once every three years (unless an actual incident occurs), but to permit reliance on table-top exercises annually in other years and consider the appropriateness of a technical feasibility option in connection with modified operational exercises; (5) shorten the timeline to updating recovery plans to 30 days, while continuing to allow up to 90 days to communicate those updates to responsible and affected personnel; (6) incorporate guidance that the backup and restoration processes and procedures required by Requirement R4 should include, at least with regard to significant changes made to the operational control system, verification that they are operational before the backups are stored or relied

upon for recovery purposes; and (7) provide direction that backup practices include regular procedures to ensure verification that backups are successful and available for future use.

C. Violation Risk Factors

1. Background

321. In a separate filing, NERC submitted over 1,000 Violation Risk Factors, including 162 that correspond to Requirements of the proposed CIP Reliability Standards.115 While the Commission has addressed the Violation Risk Factors that correspond to the Requirements of the Commission-approved Reliability Standards, NERC requested that the Commission take action on the Violation Risk Factors when it takes actions on the associated Reliability Standards.116 Accordingly, the Commission will address the Violation Risk Factors that correspond to the CIP Reliability Standards in this proceeding.

322. As part of its compliance and enforcement program, the ERO will use a three-step process to determine a monetary penalty for a standard violation. In the first of these steps, the ERO or Regional Entity will set an initial range for the base penalty amount for the violation. In order to accomplish this, the ERO or the Regional Entity will consider the applicable Violation Risk Factor 117 and Violation Severity Level 118 in the "base penalty amount table" in Appendix A to NERC's Sanction Guidelines. According to NERC, the base penalty amount table adds a measure of certainty for those subject to penalties and assists the ERO in executing its penalty authority.

323. NERC states that a Violation Risk Factor has been assigned to each Requirement of the Version 1 Reliability Standards to delineate the relative risk to the Bulk-Power System associated with the violation of each Requirement, and the Violation Risk Factors do not change the meaning or intent of the Reliability Standards. NERC explains that it has defined the following three levels of Violation Risk Factors: (1) High risk requirement; (2) medium risk requirement; and (3) lower risk requirement.119

2. Commission Proposal

324. In reviewing the proposed Violation Risk Factor assignments, the Commission has used the same guidelines it applied when evaluating NERC's submission of Violation Risk Factors as discussed in the May 18 Order. Specifically, to determine whether the proposed Violation Risk Factor assignments appropriately indicate the potential or expected impact to the reliability of the Bulk-Power System, the Commission considered: (1) Consistency with the conclusions of the Final Report on the August 14, 2003 Blackout in the United States and Canada, (2) consistency within a Reliability Standard, i.e., among sub- and main Requirements of the same Reliability Standard, (3) consistency among Reliability Standards with similar Requirements, (4) consistency with NERC's proposed definition of the Violation Risk Factor level, and (5) assignment of a Violation Risk Factor level to those Requirements in certain Reliability Standards that co-mingle a higher risk reliability objective and a lesser risk reliability objective.120

325. Based on the application of these guidelines, and for the reasons explained below, the Commission proposes to approve the 162 proposed Violation Risk Factor assignments that correspond to the Requirements of the CIP Reliability Standards and direct NERC to revise 43 of them. In addition, the Commission notes that NERC did not assign Violation Risk Factors to the following nine Requirements and proposes to direct NERC to make these Violation Risk Factor assignments and file them for Commission approval:

CIP–002–1 Requirement R3.1
CIP–003–1 Requirement R4.1
CIP–003–1 Requirement R5.1.2
CIP–004–1 Requirement R2.2.2
CIP–004–1 Requirement R2.2.3
CIP–005–1 Requirement R1.5
CIP–007–1 Requirement R5.1
CIP–007–1 Requirement R5.3.3
CIP–007–1 Requirement R7

326. NERC has assigned a "lower" designation to almost 85 per cent of the Violation Risk Factors corresponding to the Requirements of the CIP Reliability Standards. No Requirements received a "higher" Violation Risk Factor assignment. By definition, a "lower" Violation Risk Factor assignment means that the Requirement is administrative in nature where a violation of the Requirement would not be expected to affect the electrical state, capability, monitoring or control of the Bulk-Power System. The Commission believes that NERC has mischaracterized many of the Requirements as "administrative," resulting in a "lower" Violation Risk Factor assignment, where in fact a "medium" or "high" designation is more appropriate.

327. For example, CIP–002–1 Requirement R2, which requires the identification of assets that are critical to the Bulk-Power System, is assigned a "lower" Violation Risk Factor. While the product of the Requirement is a list of critical assets, this is clearly not an administrative Requirement. In fact, the failure to properly identify critical assets could place the Bulk-Power System at an unacceptable risk or restoration efforts could be hindered. Further, this Requirement has a controlling effect over all of the CIP Reliability Standards that follow. If an asset is critical and is not identified as such, the remaining CIP Reliability Standards will not be applied. Depending on the asset that is overlooked, and consequently not protected by the standards, a "higher" level of Bulk-Power System failure is possible. Thus, by NERC's definition, this Requirement should have a "higher" Violation Risk Factor assignment. In addition, the recommendations related to physical and cyber security contained in the Blackout Report,121 while largely addressed by the proposed CIP Reliability Standards, would essentially be thwarted if a responsible entity does not comply with Requirements R2 and R3 of CIP–002–1. Accordingly, we are proposing to direct NERC to modify this Requirement to denote a "higher" Violation Risk Factor assignment.

328. Similarly, CIP–002–1 Requirement R3, which requires the identification of cyber assets that are essential to the operation of critical Bulk-Power System assets, has a "medium" Violation Risk Factor assignment. By definition, a "medium" Violation Risk Factor assignment means that the Requirement is unlikely, under

115 See NERC's March 23, 2007 filing in Docket No. RR07–10–000, Exh. A.
116 See North American Electric Reliability Corporation, 119 FERC ¶ 61,145 (2007) (May 18 Order) (approving and modifying Violation Risk Factors).
117 A Violation Risk Factor of lower, medium, or high is assigned to each Requirement of each mandatory Reliability Standard to associate a violation of the Requirement with its potential impact on the reliability of the Bulk-Power System.
118 For each Requirement of a Reliability Standard, NERC will define up to four Violation Severity Levels (lower, moderate, high, and severe) as measurements of the degree to which a Requirement is violated. In a June 7, 2007 order, the Commission approved NERC's proposal to apply the current Levels of Non-Compliance in lieu of Violation Severity Levels, while NERC develops a comprehensive set of Violation Severity Levels by March 1, 2008. North American Electric Reliability Corp., 119 FERC ¶ 61,248 (2007).
119 See May 18 Order at P 9 (providing the complete definition of each level of Violation Risk Factor).
120 See May 18 Order at P 16–36. We also note that the May 18 Order explained that this list is not necessarily comprehensive. The Commission retains the flexibility to consider additional guidelines in the future. Id. at n.12.
121 Blackout Report at 163–169, Recommendations 32–44.

emergency, abnormal, or restoration conditions to lead to Bulk-Power System instability, separation, or cascading failures, nor to hinder restoration to a normal condition. However, if this Requirement is violated, the Bulk-Power System could in fact be at an unacceptable risk of failure or restoration efforts could be hindered. Further, this Requirement has a controlling effect over all of the CIP Reliability Standards that follow. As with CIP–002–1 Requirement R2, depending on the asset that is overlooked, and consequently not protected by the Reliability Standards, a higher level of Bulk-Power System failure is possible. Also, proper compliance with CIP–002–1, Requirement R3 is essential to the ability of the proposed CIP Reliability Standards to satisfy the recommendations of the Blackout Report.122 Thus, by NERC's definition this Requirement should have a "higher" Violation Risk Factor assignment. Accordingly, we are proposing to direct NERC to modify this Requirement to denote a "higher" Violation Risk Factor assignment.

329. The other modifications that the Commission is proposing would direct NERC to move the Violation Risk Factor from a "lower" to a "medium" assignment. The Commission's primary reason for directing these changes is to promote implementation of the recommendations contained in the Blackout Report; to establish consistency within a Reliability Standard, i.e., among sub- and main Requirements of the same Reliability Standard; and consistency across Reliability Standards.

330. The Commission proposes to approve the proposed Violation Risk Factor assignments filed by NERC and proposes to direct NERC to modify the Violation Risk Factors corresponding to the Requirements as illustrated in the attached list of proposed disposition actions for the proposed Violation Risk Factors.

331. We propose to direct NERC to submit a filing containing these modifications within 60 days of the date of the Final Rule. We also propose to direct NERC to include in its filing a complete Violation Risk Factor matrix. The matrix should also include assignments for the missing Violation Risk Factor assignments discussed above.

III. Information Collection Statement

332. The Office of Management and Budget (OMB) Regulations require that OMB approve certain reporting and recordkeeping (collections of information) imposed by an agency.123 The information collection requirements proposed in this NOPR are identified under the Commission data collection, FERC–725B "Mandatory Reliability Standards for Critical Infrastructure Protection." These proposed information collections will be submitted to OMB for review under section 3507(d) of the Paperwork Reduction Act of 1995.124 In addition, OMB regulations require OMB to approve certain reporting and recordkeeping requirements imposed by agency rule.125

333. The "public protection" provisions of the Paperwork Reduction Act of 1995 require each agency to display a currently valid control number and inform respondents that a response is not required unless the information collection displays a valid OMB control number on each information collection or provides a justification as to why the information collection control number cannot be displayed. In the case of information collections published in regulations, the control number is to be published in the Federal Register.

334. Public Reporting Burden: The Commission developed its estimate of burden based upon the CIP Reliability Standards as proposed by NERC. The CIP Reliability Standards include only one actual reporting requirement. Specifically, CIP–008–1 requires responsible entities to report cyber security incidents to ESISAC. In addition, the eight CIP Reliability Standards require responsible entities to develop various policies, plans, programs and procedures. For example, each responsible entity must develop and document a risk-based assessment methodology to identify critical assets, which is then used to develop a list of critical cyber assets (CIP–002–1). A responsible entity that identifies any critical cyber assets must also document: a cyber security policy (CIP–003–1); a security awareness program (CIP–004–1, Requirement R1); a personnel risk assessment program (CIP–004–1, Requirement R3); an electronic security perimeter and processes for control of electronic access to all electronic access points to the perimeter (CIP–005–1, Requirements R1 and R2); a physical security plan (CIP–006–1); procedures for securing certain cyber assets (CIP–007–1); and recovery plans for critical cyber assets (CIP–009–1). The above is not an exhaustive list and, in addition, the CIP Reliability Standards require responsible entities to maintain various lists and access logs.

335. The CIP Reliability Standards do not require a responsible entity to report to the Commission, ERO or Regional Entities the various policies, plans, programs and procedures. However, the documentation of the policies, plans, programs and procedures must be available to demonstrate compliance with the CIP Reliability Standards. The Commission has included the cost of developing the required documentation for the required policies, plans, programs and procedures in its burden estimate. The Commission, however, did not include in our burden estimate the cost of substantive compliance with the CIP Reliability Standards, separate from the requirements to develop specific documentation.

In formulating our estimate of the reporting burden, the Commission has been guided by several factors.

Number of Entities: As of April 2007, NERC identified 1,266 registered entities in the United States. The Applicability section of each CIP Reliability Standard specifies nine categories of users, owners and operators of the Bulk-Power System (as well as NERC and the Regional Entities) that must comply with the CIP Reliability Standards. The nine categories of users, owners and operators are based on the categories of functions identified in the NERC Functional Model. Based on a review of NERC's registration list, the Commission estimates that approximately 1,000 entities will be required to comply with the CIP Reliability Standards.

Variations in Compliance Burden: The Commission's estimate is based on all 1,000 entities documenting an assessment methodology to identify critical assets and critical cyber assets pursuant to CIP–002–1. As explained above, only those entities that identify critical cyber assets pursuant to CIP–002–1 are responsible to comply with the requirements of CIP–003–1 through CIP–009–1. Accordingly, the cost burden estimate differs for those entities that identify critical cyber assets and those that do not.

Further, the reporting burden would vary with the number of critical cyber assets identified pursuant to CIP–002–1. An entity that identifies numerous critical cyber assets, including assets located at remote locations, will likely require more resources to develop its policies, plans, programs and procedures compared to an entity that identifies one or two critical cyber assets, housed at a single location. Based on this distinction, the

122 Id.
123 5 CFR 1320.11.
124 44 U.S.C. 3507(d).
125 5 CFR 1320.11.

Commission has developed separate estimates for large investor-owned utilities and other responsible entities such as municipals, generators and cooperatives.

Customary Practices: Prior to the development of CIP–002–1 through CIP–009–1, NERC approved through its urgent action process a cyber security standard known as "UA–1200," which applied to entities "such as control areas, transmission owners and operators, and generation owners and operators." UA–1200 addressed a number of the same reporting burdens as the CIP Reliability Standards at issue in this proceeding. For example, UA–1200 required the creation and maintenance of a cyber security policy, the identification of "critical cyber assets," and the development of a cyber security training program. Thus, entities that voluntarily complied with UA–1200 will continue these practices when the mandatory CIP Reliability Standards are in effect.

Further, many entities, including those that did not comply with UA–1200, typically have followed certain practices specified in the CIP Reliability Standards. The Commission believes that practices such as conducting cyber security training, having procedures for whom to contact in case of a cyber security incident, and developing a plan for how to restore a computerized control system should it fail are usual and customary practices in the electric industry and others. The Commission has taken such customary practices into account when estimating the reporting burden.

Time Period: The CIP Reliability Standards were approved by the NERC board in May 2006, with a designated effective date of June 1, 2006.126 The proposed implementation schedule submitted with the CIP Reliability Standards plans for responsible entities to be "auditably compliant" with most requirements by mid-2010 or later. Mid-2010 is four years after the CIP Reliability Standards went into effect. Therefore, the Commission developed an annual burden estimate by dividing total costs by 4 years.

Data collection                                            Number of     Number of    Hours per    Total annual
                                                           respondents   responses    response     hours
FERC–725B
  Large investor-owned utility                             155           1            2,080        322,400
  Others, including munis and coops                        795           1            1,000        795,000
  Entities that have not identified critical cyber assets  50            1            160          8,000
  Totals                                                                                           1,125,400

Information Collection Costs: The Commission seeks comments on the costs to comply with these requirements. It has projected the costs to be:

Large investor-owned utility = 322,400 hours @ $88 = $28,371,200.
Others, including munis and coops = 795,000 hours @ $88 = $69,960,000.
Entities that have not identified critical cyber assets = 8,000 hours @ $88 = $704,000.

Because auditably compliant status is not required for many requirements until mid-2010, the Commission has projected the costs over a four-year period. On an annual basis the costs will be ($28,371,200 + $69,960,000 + $704,000)/4 years = $24,758,800 per year. The hourly rate of $88 is a composite figure of the average cost of legal services ($200 per hour), technical employees ($39.99 per hour) and administrative support ($25 per hour), based on hourly rates from the Bureau of Labor Statistics (BLS). Using the May 2006 OES Industry-Specific Occupational Employment and Wage Estimates, the median hourly wage estimate for a computer software engineer is $39.99.127

Title: Mandatory Reliability Standards for Critical Infrastructure Protection.
Action: Proposed collection.
OMB Control Number: To be determined.
Frequency of responses: On occasion.
Necessity for information: As discussed above, EPAct 2005 adds a new section 215 to the FPA, which requires a Commission-certified ERO to develop mandatory and enforceable Reliability Standards, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced by the ERO subject to Commission oversight, or the Commission can independently enforce Reliability Standards. Pursuant to section 215 of the FPA, the Commission proposes in this NOPR to approve eight Critical Infrastructure Protection (CIP) Reliability Standards submitted to the Commission for approval by NERC. The CIP Reliability Standards require certain users, owners, and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets. The information collections proposed in this NOPR are needed to protect the electric industry's Bulk-Power System against malicious cyber attacks that could threaten the reliability of the Bulk-Power System.

336. Internal Review: The Commission has reviewed the CIP Reliability Standards proposed for approval in this NOPR and has made a preliminary determination that the proposed CIP Reliability Standards are necessary to safeguard the integrity of the nation's Bulk-Power System. The Commission has assured itself, by means of its internal review, that there is specific, objective support for the burden estimate associated with the information requirements (FERC–725B "Mandatory Reliability Standards for Critical Infrastructure Protection") proposed to be imposed by this NOPR.

337. Interested persons may obtain information on the reporting requirements by contacting the following: Federal Energy Regulatory Commission, 888 First Street, NE., Washington, DC 20426 (Attention: Michael Miller, Office of the Executive Director, 202–502–8415) or from the Office of Management and Budget (Attention: Desk Officer for the Federal Energy Regulatory Commission, fax: 202–395–7285, e-mail: oira_submission@omb.eop.gov).

338. Comments concerning the collection of information(s) and the associated burden estimate(s), should be sent to the contact listed above and to the Office of Management and Budget, Office of Information and Regulatory Affairs, Washington, DC 20503 [Attention: Desk Officer for the Federal Energy Regulatory Commission, phone: (202) 395–7856, fax: (202) 395–7285].

126 Although NERC designated an effective date of June 1, 2006, the CIP Reliability Standards are not mandatory and enforceable, i.e., subject to penalties for non-compliance, until they are approved by the Commission.
127 See http://www.bls.gov/oes/current/naics2_22.htm.

IV. Environmental Analysis

339. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment.128 The Commission has categorically excluded certain actions from these requirements as not having a significant effect on the human environment.129 The actions proposed here fall within categorical exclusions in the Commission's regulations for rules that are clarifying, corrective, or procedural, for information gathering, analysis, and dissemination, and for sales, exchange, and transportation of electric power that requires no construction of facilities.130 Therefore,

Effect on small entities

342. Our analysis shows that the DOE's Energy Information Administration (EIA) reports that there were 3,284 electric utility companies in the United States in 2005,135 and 3,029 of these electric utilities qualify as small entities under the SBA definition. Of these 3,284 electric utility companies, the EIA subdivides them as follows: (1) 883 cooperatives, of which 852 are small entity cooperatives; (2) 1,862 municipal utilities, of which 1,842 are small entity municipal utilities; (3) 127 political subdivisions, of which 114 are small entity political subdivisions; (4) 159 power marketers, of which 97 individually could be considered small entity power marketers; 136 (5) 219 privately owned utilities, of which 104

pursuant to CIP–002–1 will not have compliance obligations pursuant to CIP–003–1 through CIP–009–1. While a small entity that identifies only a few critical cyber assets must comply with CIP–003–1 through CIP–009–1, the Commission believes that the economic impact of such compliance will not be significant. Likewise, the housing of a limited number of critical cyber assets in a single location will lessen the economic impact of compliance.

345. In addition, as discussed further below, while not required or proposed by this NOPR, small entities can, if they choose, collectively select a single consultant to develop model software and programs to comply with the proposals in this NOPR on their behalf. Such an approach could significantly
an environmental assessment is could be considered small entity private reduce the costs that would be incurred
unnecessary and has not been prepared utilities; (6) 25 state organizations, of if each company would address these
in this NOPR. which 16 are small entity state issues independently.
organizations and (7) nine federal 346. While there will be some portion
V. Regulatory Flexibility Act organizations of which four are small of small entities that will have to
Certification entity federal organizations. expend significant amounts of resources
343. As explained above, the on labor and technology to comply with
340. The Regulatory Flexibility Act of Commission is relying on NERC’s the CIP Reliability Standards, the
1980 (RFA) 131 generally requires a compliance registry, applying the NERC Commission believes that this will be a
description and analysis of final rules Statement of Registry Criteria, to significant minority. Further, in such
that will have significant economic identify entities that must comply with circumstances, the economic impact is
impact on a substantial number of small the CIP Reliability Standards. To be justified as necessary to protect cyber
entities. In a NOPR, an agency must included in the compliance registry, the security assets that support Bulk-Power
either include an initial regulatory ERO will have made a determination System reliability.
flexibility analysis or certify that the that a specific small entity has a
proposed rule will not have a material impact on the Bulk-Power Alternatives
‘‘significant impact on a substantial System. Consequently, the compliance 347. In Order No. 693, which
number of small entities.’’ The Small of such small entities is justifiable as approved 83 Reliability Standard for the
Business Administration defines a small necessary for Bulk-Power System Bulk-Power System, the Commission
electric utility as one that has a total reliability. Based on NERC’s compliance discussed several alternatives that are
electric output of less than four million registry as of June 2007, the Commission also applicable to the CIP Reliability
MWh in the proceeding year. estimates that approximately 1,000 Standards.137 Several of these have
341. The RFA requires agencies in registered entities will be responsible already been implemented such as the
drafting a proposed rule: (1) To assess for compliance with the CIP Reliability approval of the NERC definition of bulk
the affect that their regulation will have Standards. Of these, the Commission electric system, which reduces
estimates that the CIP Reliability significantly the number of small
on small entities; (2) to analyze effective
Standards will apply to approximately entities responsible for compliance with
alternatives that may minimize a
632 small entities, consisting of 12 small mandatory Reliability Standards.138
regulation’s impact; and (3) to make
investor-owned utilities and 620 small Further, the Commission adopted the
their analyses available for public municipal and cooperatives.
comment.132 In its notice of proposed NERC compliance registry process to
344. The Commission believes that identify the entities responsible for
rule making (NOPR), the agency must the CIP Reliability Standards will not
either include an initial regulatory compliance with mandatory Reliability
have a significant economic impact on
flexibility analysis (Initial RFA) 133 or Standards.
a substantial number of small entities.
certify that the proposed rule will not 348. Another significant alternative is
The majority of small entities are not
have a ‘‘significant impact on a required to comply with mandatory the ability for a small entity to join a
substantial number of small Reliability Standards based on the joint action agency or similar
entities.’’ 134 application of the NERC Registry organization. Such an organization may
Criteria. Moreover, as explained above, accept responsibility for compliance
128 Order No. 486, Regulations Implementing the a small entity that is registered but does with mandatory Reliability Standards
National Environmental Policy Act, 52 FR 47897 not identify critical cyber assets on behalf of its members and also may
(Dec. 17, 1987), FERC Stats. & Regs. Preambles divide the responsibility for compliance
1986–1990 ¶ 30,783 (1987). with its members. The Commission
jlentini on PROD1PC65 with PROPOSALS3

135 See Energy Information Administration


129 18 CFR 380.4.
130 See 18 CFR 380.4(a)(2)(ii), 380.4(a)(5),
Database, Form EIA–861, Dept. of Energy (2005), generally approved the concept of joint
380.4(a)(27).
available at http://www.eia.doe.gov/cneaf/ action agencies in Order No. 693 and
electricity/page/eia861.html. directed NERC to submit implementing
131 5 U.S.C. 601–612 (2006).
136 Most of these small entity power marketers
132 5 U.S.C. 601–604 (2006).
and private utilities are affiliated with others and,
133 5 U.S.C. 603(a) (2006). 137 See Order No. 693 at P 1945.
therefore, do not qualify as small entities under the
134 5 U.S.C. 605(b) (2006). SBA definition. 138 Id. at P 75, 1945.

VerDate Aug<31>2005 18:22 Aug 03, 2007 Jkt 211001 PO 00000 Frm 00040 Fmt 4701 Sfmt 4702 E:\FR\FM\06AUP3.SGM 06AUP3
Federal Register / Vol. 72, No. 150 / Monday, August 6, 2007 / Proposed Rules 44009

procedures.139 NERC submitted 351. Comments may be filed to 5 p.m. Eastern time) at 888 First
revisions to its Rules of Procedure to electronically via the eFiling link on the Street, NE., Room 2A, Washington DC
allow for joint action agencies and Commission’s Web site at http:// 20426.
similar organizations and, in an order www.ferc.gov. The Commission accepts 354. From FERC’s Home Page on the
issuing concurrently with this NOPR, most standard word processing formats Internet, this information is available on
the Commission approves NERC’s joint and requests commenters to submit eLibrary. The full text of this document
action agency rules. These rules, comments in a text-searchable format is available on eLibrary in PDF and
supported by APPA, NRECA and others, rather than a scanned image format. Microsoft Word format for viewing,
will provide significant flexibility for Commenters filing electronically do not printing, and/or downloading. To access
small entities on how they will achieve need to make a paper filing. this document in eLibrary, type the
compliance with the CIP Reliability Commenters that are not able to file docket number excluding the last three
Standards or to assign compliance comments electronically must send an digits of this document in the docket
responsibility to a central organization. original and 14 copies of their number field.
comments to: Federal Energy Regulatory 355. User assistance is available for
Certification
Commission, Office of the Secretary, eLibrary and the FERC’s Web site during
349. Based on the above analysis, the 888 First Street, NE., Washington, DC normal business hours from FERC
Commission certifies that the proposed 20426. Online Support at (202) 502–6652 (toll-
rulemaking will not have a significant 352. All comments will be placed in free at 1–866–208–3676) or e-mail at
impact on a substantial number of small the Commission’s public files and may ferconlinesupport@ferc.gov, or the
entities. be viewed, printed, or downloaded Public Reference Room at (202) 502–
remotely as described in the Document 8371, TTY (202) 502–8659. E-Mail the
VI. Comment Procedures
Availability section below. Commenters Public Reference Room at
350. The Commission invites on this proposal are not required to
interested persons to submit comments public.referenceroom@ferc.gov.
serve copies of their comments on other
on the matters and issues proposed in commenters. List of Subjects in 18 CFR Part 39
this notice to be adopted, including any
related matters or alternative proposals VII. Document Availability Administrative practice and
that commenters may wish to discuss. 353. In addition to publishing the full procedure, Electric power, Penalties,
Comments are due October 5, 2007. text of this document in the Federal Reporting and recordkeeping
Comments must refer to Docket No. Register, the Commission provides all requirements.
RM06–22–000, and must include the interested persons an opportunity to By direction of the Commission.
commenter’s name, the organization view and/or print the contents of this Kimberly D. Bose,
they represent, if applicable, and their document via the Internet through Secretary.
address in their comments. Comments FERC’s Home Page (http://www.ferc.gov) [Note: The following appendices will not
may be filed either in electronic or and in FERC’s Public Reference Room be published in the Code of Federal
paper format. during normal business hours (8:30 a.m. Regulations.]

APPENDIX A
List of Commenters

Allegheny ............................................................ Allegheny Power and Allegheny Energy Supply Company.


AMP–Ohio ........................................................... American Municipal Power—Ohio, Inc.
APPA/LPPC ........................................................ American Public Power Association and Large Public Power Council.
ATC ..................................................................... American Transmission Company, LLC.
Arizona Public Service ........................................ Arizona Public Service Company.
California PUC .................................................... California Public Utilities Commission.
Cleveland Public Power ...................................... City of Cleveland, Division of Public Power.
Constellation ....................................................... Constellation Energy Group, Inc.
Dominion ............................................................. Dominion Resources, Inc.
Duke .................................................................... Duke Energy Corporation.
EEI ...................................................................... Edison Electric Institute.
EPSA .................................................................. Electric Power Supply Association.
FirstEnergy .......................................................... FirstEnergy Service Company.
Georgia System .................................................. Georgia System Operations Corporation.
ISA Group ........................................................... Three members of the ISA–SP99.05 Leadership Group (Instrument Society of America).
ISO/RTO Council ................................................ ISO/RTO Council.
ISO–NE ............................................................... ISO New England Inc.
MEAG Power ...................................................... MEAG Power Motion to Intervene.
MidAmerican ....................................................... MidAmerican Electric Operating Companies.
MITRE ................................................................. MITRE Corporation.
National Grid ....................................................... National Grid USA.
NERC .................................................................. North American Electric Reliability Corporation.
NIST .................................................................... National Institute of Standards and Technology.
Northeast Utilities ................................................ Northeast Utilities Service Company (on behalf of its transmission owning affiliates, the NU
jlentini on PROD1PC65 with PROPOSALS3

Companies).
NRECA ............................................................... National Rural Electric Cooperative Association.
Ontario IESO ...................................................... Ontario Independent Electricity System Operator.
PG&E .................................................................. Pacific Gas and Electric Company.
PJM ..................................................................... PJM Interconnection, LLC.

139 Id. at P 107.

VerDate Aug<31>2005 18:22 Aug 03, 2007 Jkt 211001 PO 00000 Frm 00041 Fmt 4701 Sfmt 4702 E:\FR\FM\06AUP3.SGM 06AUP3
44010 Federal Register / Vol. 72, No. 150 / Monday, August 6, 2007 / Proposed Rules

APPENDIX A—Continued
List of Commenters

Progress Energy ................................................. Progress Energy, Inc.


ReliabilityFirst ...................................................... ReliabilityFirst Corporation.
Santa Clara ......................................................... City of Santa Clara, for its municipal Silicon Valley Power.
SoCal Edison ...................................................... Southern California Edison Company.
Southern ............................................................. Southern Company Services, Inc.
Southwest TDUs ................................................. Southwest Transmission Dependent Utility Group.
SPP ..................................................................... Southwest Power Pool, Inc.
Tampa Electric .................................................... Tampa Electric Company.
Wisconsin Electric ............................................... Wisconsin Electric Power Company.
Xcel ..................................................................... Xcel Energy Services, Inc.

APPENDIX B.—VIOLATION RISK FACTORS: PROPOSED DISPOSITIONS

Each entry gives the Standard No. and Requirement No., the violation risk factor as proposed by NERC and as the Commission proposes to determine it, and the Guideline number(s) relied on, followed by the text of the requirement.

CIP–002–1, R1. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 3, 4.
    Critical Asset Identification Method—The Responsible Entity shall identify and document a risk-based assessment methodology to use to identify its Critical Assets.

CIP–002–1, R1.2. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 2.
    The risk-based assessment shall consider the following assets:

CIP–002–1, R2. NERC proposal: LOWER; Commission determination: HIGH; Guideline: 1, 3, 4.
    Critical Asset Identification—The Responsible Entity shall develop a list of its identified Critical Assets determined through an annual application of the risk-based assessment methodology required in R1. The Responsible Entity shall review this list at least annually, and update it as necessary.

CIP–002–1, R3. NERC proposal: MEDIUM; Commission determination: HIGH; Guideline: 1, 3, 4.
    Critical Cyber Asset Identification—Using the list of Critical Assets developed pursuant to Requirement R2, the Responsible Entity shall develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset. Examples at control centers and backup control centers include systems and facilities at master and remote sites that provide monitoring and control, automatic generation control, real-time power system modeling, and real-time interutility data exchange. The Responsible Entity shall review this list at least annually, and update it as necessary. For the purpose of Reliability Standard CIP–002, Critical Cyber Assets are further qualified to be those having at least one of the following characteristics:

CIP–003–1, R1. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1.
    Cyber Security Policy—The Responsible Entity shall document and implement a cyber security policy that represents management’s commitment and ability to secure its Critical Cyber Assets. The Responsible Entity shall, at minimum, ensure the following:

CIP–003–1, R2. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1.
    Leadership—The Responsible Entity shall assign a senior manager with overall responsibility for leading and managing the entity’s implementation of, and adherence to, Reliability Standards CIP–002 through CIP–009.

CIP–003–1, R4. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1.
    Information Protection—The Responsible Entity shall implement and document a program to identify, classify, and protect information associated with Critical Cyber Assets.

CIP–004–1, R2.1. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1.
    This program will ensure that all personnel having such access to Critical Cyber Assets, including contractors and service vendors, are trained within 90 calendar days of such authorization.

CIP–004–1, R2.2. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2.
    Training shall cover the policies, access controls, and procedures as developed for the Critical Cyber Assets covered by CIP–004, and include, at a minimum, the following required items appropriate to personnel roles and responsibilities:

CIP–004–1, R2.2.4. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 4.
    Action plans and procedures to recover or re-establish Critical Cyber Assets and access thereto following a Cyber Security Incident.

CIP–004–1, R3. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 3, 4.
    Personnel Risk Assessment—The Responsible Entity shall have a documented personnel risk assessment program, in accordance with federal, state, provincial, and local laws, and subject to existing collective bargaining unit agreements, for personnel having authorized cyber or authorized unescorted physical access. A personnel risk assessment shall be conducted pursuant to that program within 30 days of such personnel being granted such access. Such program shall at a minimum include:

CIP–004–1, R4.2. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 3, 4.
    The Responsible Entity shall revoke such access to Critical Cyber Assets within 24 hours for personnel terminated for cause and within seven calendar days for personnel who no longer require such access to Critical Cyber Assets.

CIP–005–1, R1.1. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2, 4.
    Access points to the Electronic Security Perimeter(s) shall include any externally connected communication end point (for example, dial-up modems) terminating at any device within the Electronic Security Perimeter(s).

CIP–005–1, R1.2. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2, 4.
    For a dial-up accessible Critical Cyber Asset that uses a non-routable protocol, the Responsible Entity shall define an Electronic Security Perimeter for that single access point at the dial-up device.

CIP–005–1, R1.3. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2, 4.
    Communication links connecting discrete Electronic Security Perimeters shall not be considered part of the Electronic Security Perimeter. However, end points of these communication links within the Electronic Security Perimeter(s) shall be considered access points to the Electronic Security Perimeter(s).

CIP–005–1, R1.4. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2, 4.
    Any non-critical Cyber Asset within a defined Electronic Security Perimeter shall be identified and protected pursuant to the requirements of Reliability Standard CIP–005.

CIP–005–1, R2. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2, 4.
    Electronic Access Controls—The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for control of electronic access at all electronic access points to the Electronic Security Perimeter(s).

CIP–005–1, R2.4. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2.
    Where external interactive access into the Electronic Security Perimeter has been enabled, the Responsible Entity shall implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party, where technically feasible.

CIP–005–1, R3. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2.
    Monitoring Electronic Access—The Responsible Entity shall implement and document an electronic or manual process(es) for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week.

CIP–005–1, R3.1. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1.
    For dial-up accessible Critical Cyber Assets that use non-routable protocols, the Responsible Entity shall implement and document monitoring process(es) at each access point to the dial-up device, where technically feasible.

CIP–005–1, R3.2. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1.
    Where technically feasible, the security monitoring process(es) shall detect and alert for attempts at or actual unauthorized accesses. These alerts shall provide for appropriate notification to designated response personnel. Where alerting is not technically feasible, the Responsible Entity shall review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every 90 calendar days.

CIP–005–1, R4. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2.
    Cyber Vulnerability Assessment—The Responsible Entity shall perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually. The vulnerability assessment shall include, at a minimum, the following:

CIP–005–1, R4.2. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2.
    A review to verify that only ports and services required for operations at these access points are enabled.

CIP–005–1, R4.3. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2.
    The discovery of all access points to the Electronic Security Perimeter;

CIP–005–1, R4.4. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2.
    A review of controls for default accounts, passwords, and network management community strings; and

CIP–005–1, R4.5. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 4.
    Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan.

CIP–006–1, R1.5. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 3.
    Procedures for reviewing access authorization requests and revocation of access authorization, in accordance with CIP–004 Requirement R4.

CIP–006–1, R6.1. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 2.
    Testing and maintenance of all physical security mechanisms on a cycle no longer than three years.

CIP–007–1, R1.1. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2.
    The Responsible Entity shall create, implement, and maintain cyber security test procedures in a manner that minimizes adverse effects on the production system or its operation.

CIP–007–1, R2. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2.
    Ports and Services—The Responsible Entity shall establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled.

CIP–007–1, R2.3. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2.
    In the case where unused ports and services cannot be disabled due to technical limitations, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk.

CIP–007–1, R4. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2.
    Malicious Software Prevention—The Responsible Entity shall use anti-virus software and other malicious software (‘‘malware’’) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).

CIP–007–1, R4.1. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2.
    The Responsible Entity shall document and implement anti-virus and malware prevention tools. In the case where anti-virus software and malware prevention tools are not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk.

CIP–007–1, R4.2. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2.
    The Responsible Entity shall document and implement a process for the update of anti-virus and malware prevention ‘‘signatures.’’ The process must address testing and installing the signatures.

CIP–007–1, R5.1.3. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2.
    The Responsible Entity shall review, at least annually, user accounts to verify access privileges are in accordance with Reliability Standard CIP–003 Requirement R5 and Reliability Standard CIP–004 Requirement R4.

CIP–007–1, R5.2.1. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2.
    The policy shall include the removal, disabling, or renaming of such accounts where possible. For such accounts that must remain enabled, passwords shall be changed prior to putting any system into service.

CIP–007–1, R5.2.3. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2.
    Where such accounts must be shared, the Responsible Entity shall have a policy for managing the use of such accounts that limits access to only those with authorization, an audit trail of the account use (automated or manual), and steps for securing the account in the event of personnel changes (for example, change in assignment or termination).

CIP–007–1, R6.1. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2.
    The Responsible Entity shall implement and document the organizational processes and technical and procedural mechanisms for monitoring for security events on all Cyber Assets within the Electronic Security Perimeter.

CIP–007–1, R6.2. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2.
    The security monitoring controls shall issue automated or manual alerts for detected Cyber Security Incidents.

CIP–007–1, R6.3. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2.
    The Responsible Entity shall maintain logs of system events related to cyber security, where technically feasible, to support incident response as required in Reliability Standard CIP–008.

CIP–007–1, R8.2. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 3.
    A review to verify that only ports and services required for operation of the Cyber Assets within the Electronic Security Perimeter are enabled;

CIP–007–1, R8.3. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 3.
    A review of controls for default accounts; and

CIP–007–1, R8.4. NERC proposal: LOWER; Commission determination: MEDIUM; Guideline: 1, 2, 3.
    Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan.
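CIP–004–1 R4.2 above puts two clocks on access revocation: 24 hours after a termination for cause, and seven calendar days after a person no longer needs access. The Python below is an added example for this page, not code from the NOPR, from NERC or from any vendor; it shows how an entity could check its own revocation evidence against those deadlines, one (person, system) pair at a time. The record layouts, the people, the system names (EMS, SCADA-HMI) and every timestamp are constructed for illustration; a real run would read the HR separation feed and the access-control system's audit trail instead.

```python
"""Access-revocation timeliness check for CIP-004-1 R4.2.

Added example for this page, not code from the NOPR or from NERC. Record
layouts, names, systems and timestamps are constructed; a real run would
read the HR separation feed and the access-control system's audit trail.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set

# Deadlines stated in CIP-004-1 R4.2.
FOR_CAUSE_WINDOW = timedelta(hours=24)
NO_LONGER_NEEDED_WINDOW = timedelta(days=7)


@dataclass(frozen=True)
class AccessChange:
    """HR event that obliges the entity to revoke access."""
    person: str
    effective: datetime   # termination time, or when the need for access ended
    for_cause: bool       # True: 24-hour clock; False: seven-calendar-day clock


@dataclass(frozen=True)
class Revocation:
    """Audit-trail evidence that an account was disabled on one system."""
    person: str
    system: str           # hypothetical Critical Cyber Asset name
    revoked_at: datetime


@dataclass(frozen=True)
class Finding:
    person: str
    system: str
    deadline: datetime
    revoked_at: Optional[datetime]   # None when no revocation was found
    status: str                      # on_time | late | missing | pending


def deadline_for(change: AccessChange) -> datetime:
    window = FOR_CAUSE_WINDOW if change.for_cause else NO_LONGER_NEEDED_WINDOW
    return change.effective + window


def check_revocations(changes: Iterable[AccessChange],
                      revocations: Iterable[Revocation],
                      holdings: Dict[str, Set[str]],
                      now: datetime) -> List[Finding]:
    """Match every (person, system) obligation against revocation evidence.

    `holdings` maps a person to the systems they held access to when the
    change took effect (assumed to come from the CIP-003 R5 access list).
    """
    evidence: Dict[tuple, List[datetime]] = {}
    for r in revocations:
        evidence.setdefault((r.person, r.system), []).append(r.revoked_at)

    findings: List[Finding] = []
    for change in changes:
        due = deadline_for(change)
        for system in sorted(holdings.get(change.person, ())):
            # Only revocations after the triggering event count as evidence.
            times = [t for t in evidence.get((change.person, system), [])
                     if t >= change.effective]
            if not times:
                status = "missing" if now > due else "pending"
                findings.append(Finding(change.person, system, due, None, status))
                continue
            first = min(times)
            status = "on_time" if first <= due else "late"
            findings.append(Finding(change.person, system, due, first, status))
    return findings


def status_by_target(findings: Iterable[Finding]) -> Dict[tuple, str]:
    return {(f.person, f.system): f.status for f in findings}


def sample_findings() -> List[Finding]:
    """Run the check over constructed sample records."""
    t = datetime.fromisoformat
    changes = [
        AccessChange("alice", t("2007-08-06T09:00"), for_cause=True),
        AccessChange("bob", t("2007-08-01T00:00"), for_cause=False),
        AccessChange("carol", t("2007-07-20T08:00"), for_cause=False),
    ]
    holdings = {"alice": {"EMS", "SCADA-HMI"}, "bob": {"EMS"}, "carol": {"EMS"}}
    revocations = [
        Revocation("alice", "EMS", t("2007-08-06T15:00")),        # 6 h after: on time
        Revocation("alice", "SCADA-HMI", t("2007-08-08T08:00")),  # 47 h after: late
        Revocation("bob", "EMS", t("2007-08-07T12:00")),          # day 6.5: on time
        Revocation("carol", "EMS", t("2007-07-01T00:00")),        # predates the change
    ]
    return check_revocations(changes, revocations, holdings, now=t("2007-08-10T00:00"))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.person:6} {f.system:10} due {f.deadline:%Y-%m-%d %H:%M}  {f.status}")
```

Two choices matter for an audit. An obligation with no matching revocation is reported as `missing` once its deadline has passed rather than silently dropped, and a revocation that predates the triggering event is ignored, because it cannot be evidence that the later obligation was met; both are the cases an auditor will probe first.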
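CIP–005–1 R4.2 and CIP–007–1 R2, R2.3 and R8.2 above all rest on the same three pieces of evidence: a documented baseline of the ports and services required for normal and emergency operations, a record of what is actually enabled on the asset, and a documented compensating measure or risk acceptance for anything that cannot be disabled. The Python below is an added example written for this page, not NERC tooling and not code from the NOPR; it parses listener lines in the style of Linux `ss -ltnup` output and classifies each one against such a baseline and register. The sample output, the baseline entries, the process names, the host addresses and the change-request reference are all constructed.

```python
"""Ports-and-services baseline review for CIP-005-1 R4.2 and CIP-007-1 R2/R2.3/R8.2.

Added example for this page, not NERC tooling and not code from the NOPR.
The listener text imitates Linux `ss -ltnup` output; the baseline and the
compensating-measures register stand in for the entity's own documentation.
All hosts, ports, process names and references are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed `ss -ltnup` output for a hypothetical EMS front-end host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    10.10.1.5:20000     0.0.0.0:*         users:(("dnp3-fe",pid=1201,fd=9))
tcp   LISTEN 0      5      0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=640,fd=4))
tcp   LISTEN 0      50     127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=990,fd=6))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=905,fd=7))
tcp   LISTEN 0      128    [::]:8080           [::]:*            users:(("java",pid=1500,fd=22))
"""

Key = Tuple[str, int]  # (protocol, port)

# Documented baseline (CIP-007-1 R2): (proto, port) -> justification. Constructed.
BASELINE: Dict[Key, str] = {
    ("tcp", 22): "operator administrative access, jump host only",
    ("tcp", 20000): "DNP3 polling of substation RTUs",
    ("tcp", 5432): "local historian database, loopback only",
    ("udp", 161): "SNMP monitoring by the NMS",
    ("tcp", 502): "Modbus/TCP to plant PLCs",
}

# CIP-007-1 R2.3 register: ports that cannot be disabled, with the documented
# compensating measure or risk acceptance. Constructed.
COMPENSATING: Dict[Key, str] = {
    ("tcp", 23): "vendor HMI needs telnet; ESP ACL limits source to 10.10.1.0/28 (CR-2007-014)",
}

# One ss line: proto, state, recv-q, send-q, local addr:port, peer, optional process.
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_listeners(ss_output: str) -> List[Listener]:
    """Extract listening sockets from `ss -ltnup`-style text; the header line is skipped."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m["proto"], m["addr"], int(m["port"]), m["proc"] or "?"))
    return listeners


def review_ports(listeners: List[Listener],
                 baseline: Dict[Key, str] = BASELINE,
                 compensating: Dict[Key, str] = COMPENSATING) -> Dict[str, List[tuple]]:
    """Classify each listener against the baseline and the R2.3 register.

    required:     enabled and documented as required (pass)
    compensated:  enabled, not required, but covered by a documented measure (pass under R2.3)
    undocumented: enabled with no justification at all (finding under R2 / R8.2)
    absent:       documented as required but not listening (check that the baseline is current)
    """
    report: Dict[str, List[tuple]] = {"required": [], "compensated": [], "undocumented": [], "absent": []}
    seen = set()
    for l in listeners:
        key = (l.proto, l.port)
        seen.add(key)
        if key in baseline:
            report["required"].append((l.proto, l.port, l.process))
        elif key in compensating:
            report["compensated"].append((l.proto, l.port, compensating[key]))
        else:
            report["undocumented"].append((l.proto, l.port, f"{l.process} on {l.addr}"))
    for key, why in baseline.items():
        if key not in seen:
            report["absent"].append((key[0], key[1], why))
    return {k: sorted(v) for k, v in report.items()}


def sample_review() -> Dict[str, List[tuple]]:
    return review_ports(parse_listeners(SAMPLE_SS_OUTPUT))


if __name__ == "__main__":
    for category, rows in sample_review().items():
        for proto, port, detail in rows:
            print(f"{category:12} {proto}/{port:<5} {detail}")
```

On the constructed host the review passes sshd, the DNP3 front end, the loopback database and snmpd as required, accepts telnet only because a compensating measure is on record, flags the undocumented Java listener on 8080 as the R2 / R8.2 finding, and reports that the documented Modbus port is not listening. That last category is not a violation, but a required service that is absent usually means either an outage or a stale baseline, and the review should settle which. Note also that snmpd passing the ports check says nothing about its community strings, which CIP–005–1 R4.4 requires to be reviewed separately.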

[FR Doc. E7–14710 Filed 8–3–07; 8:45 am]


BILLING CODE 6717–01–P