[Federal Register Volume 77, Number 80 (Wednesday, April 25, 2012)] [Rules and Regulations] [Pages 24594-24611] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2012-9893] ======================================================================= ----------------------------------------------------------------------- DEPARTMENT OF ENERGY Federal Energy Regulatory Commission 18 CFR Part 40 [Docket No. RM11-11-000; Order No. 761] Version 4 Critical Infrastructure Protection Reliability Standards AGENCY: Federal Energy Regulatory Commission, DOE. ACTION: Final rule. ----------------------------------------------------------------------- SUMMARY: Under section 215 of the Federal Power Act, the Federal Energy Regulatory Commission (Commission) approves eight modified Critical Infrastructure Protection (CIP) Reliability Standards, CIP-002-4 through CIP-009-4, developed and submitted to the Commission for approval by the North American Electric Reliability Corporation (NERC), the Electric Reliability Organization certified by the Commission. The CIP Reliability Standards provide a cybersecurity framework for the identification and protection of ``Critical Cyber Assets'' to support the reliable operation of the Bulk-Power System. Reliability Standard CIP-002-4 requires the identification and documentation of Critical Cyber Assets associated with ``Critical Assets'' that support the reliable operation of the Bulk-Power System and introduces ``bright line'' criteria for the identification of Critical Assets. The Commission approves the related Violation Risk Factors, Violation Severity Levels with modifications, implementation plan, and effective date proposed by NERC. DATES: This rule will become effective June 25, 2012. FOR FURTHER INFORMATION CONTACT: Jan Bargen (Technical Information), Office of Electric Reliability, Division of Logistics and Security, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, (202) 502-6333, [email protected]. Edward Franks (Technical Information), Office of Electric Reliability, Division of Logistics and Security, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, (202) 502-6311, [email protected]. Kevin Ryan (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, (202) 502-6840, [email protected]. Matthew Vlissides (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, (202) 502-8408, [email protected]. SUPPLEMENTARY INFORMATION: 139 FERC ] 61,058 Before Commissioners: Jon Wellinghoff, Chairman; Philip D. Moeller, John R. Norris, and Cheryl A. LaFleur. [[Page 24595]] Issued April 19, 2012. 1. Under section 215 of the Federal Power Act (FPA),\1\ the Commission approves modified Critical Infrastructure Protection (CIP) Reliability Standards, CIP-002-4 through CIP-009-4. The ``Version 4'' CIP Reliability Standards were developed and submitted for approval to the Commission by the North American Electric Reliability Corporation (NERC), which the Commission certified as the Electric Reliability Organization (ERO) responsible for developing and enforcing mandatory Reliability Standards. The CIP Reliability Standards provide a cybersecurity framework for the identification and protection of ``Critical Cyber Assets'' that are associated with ``Critical Assets'' to support the reliable operation of the Bulk-Power System. --------------------------------------------------------------------------- \1\ 16 U.S.C. 824o (2006). --------------------------------------------------------------------------- 2. The Version 4 CIP Reliability Standards include ``bright line'' criteria for the identification of Critical Assets, which replace the risk-based assessment methodology developed and applied by applicable entities under the Version 3 CIP Reliability Standards. Version 4 includes other conforming modifications to the remaining CIP Reliability Standards, CIP-003-4 through CIP-009-4. 3. The Commission approves NERC's filing, as amended by its errata filing, with regard to the related Violation Risk Factors (VRFs), the Violation Severity Levels (VSLs) with modifications, the implementation plan, and effective date proposed by NERC. The Commission also approves the concurrent retirement of the currently effective Version 3 CIP Reliability Standards, CIP-002-3 to CIP-009-3. 4. In addition, the Commission determines that it is appropriate to impose a deadline by which time the ERO will submit for approval CIP Reliability Standards that are fully compliant with Order No. 706.\2\ NERC indicated that it anticipates filing the ``Version 5'' CIP Reliability Standards by the third quarter of 2012.\3\ Accordingly, we establish a deadline of 6 months from the end of the third quarter of 2012 (i.e., March 31, 2013). NERC must also submit reports at the beginning of each quarter in which the ERO is to explain whether it is on track to meet the deadline and describe the status of its CIP standard development efforts. --------------------------------------------------------------------------- \2\ Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 122 FERC ] 61,040, denying reh'g and granting clarification, Order No. 706-A, 123 FERC ] 61,174 (2008), order on clarification, Order No. 706-B, 126 FERC ] 61,229 (2009), order denying clarification, Order No. 706-C, 127 FERC ] 61,273 (2009). \3\ NERC Reply Comments at 4. --------------------------------------------------------------------------- I. Background A. Mandatory Reliability Standards 5. Section 215 of the FPA requires a Commission-certified ERO to develop mandatory and enforceable Reliability Standards, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.\4\ --------------------------------------------------------------------------- \4\ 16 U.S.C. 824o(e). --------------------------------------------------------------------------- 6. Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,\5\ and subsequently certified NERC as the ERO.\6\ On January 18, 2008, the Commission issued Order No. 706 approving eight CIP Reliability Standards proposed by NERC. Pursuant to section 215(d)(5) of the FPA,\7\ the Commission directed NERC to develop modifications to the CIP Reliability Standards to address concerns discussed in Order No. 706. Subsequently, the Commission approved Version 2 and Version 3 of the CIP Reliability Standards, each version including changes responsive to some but not all of the directives in Order No. 706.\8\ --------------------------------------------------------------------------- \5\ Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, FERC Stats. & Regs. ] 31,204, order on reh'g, Order No. 672-A, FERC Stats. & Regs. ] 31,212 (2006). \6\ North American Electric Reliability Corp., 116 FERC ] 61,062, order on reh'g and compliance, 117 FERC ] 61,126 (2006), aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009). \7\ 16 U.S.C. 824o(d)(5). \8\ North American Electric Reliability Corp., 128 FERC ] 61,291 (2009), order denying reh'g and granting clarification, 129 FERC ] 61,236 (2009) (approving Version 2 of the CIP Reliability Standards); North American Electric Reliability Corp., 130 FERC ] 61,271 (2010) (approving Version 3 of the CIP Reliability Standards). --------------------------------------------------------------------------- B. NERC Petition 7. On February 10, 2011, NERC filed a petition seeking Commission approval of the Version 4 CIP Reliability Standards, CIP-002-4 to CIP- 009-4, and the concurrent retirement of the Version 3 CIP Reliability Standards, CIP-002-3 to CIP-009-3.\9\ In the petition, NERC states that the principal differences between Version 3 and Version 4 are found in CIP-002, where NERC replaced the risk-based assessment methodology for identifying Critical Assets with 17 uniform ``bright line'' criteria for identifying Critical Assets. Concerning the process of identifying the associated Critical Cyber Assets that are subject to the cyber security protections required by CIP-003 through CIP-009, NERC only made changes for certain generation Critical Assets. NERC submitted proposed VRFs and VSLs and an implementation plan governing the transition to Version 4. NERC proposed that the Version 4 CIP Reliability Standards become effective the first day of the eighth calendar quarter after applicable regulatory approvals have been received. --------------------------------------------------------------------------- \9\ NERC Petition at 1. The proposed Reliability Standards are not attached to the final rule. They are, however, available on the Commission's eLibrary document retrieval system in Docket No. RM11- 11-000 and are available on the ERO's Web site, www.nerc.com. Reliability Standards approved by the Commission are not codified in the Code of Federal Regulations. --------------------------------------------------------------------------- 8. On April 12, 2011, NERC made an errata filing correcting certain errors in the petition and furnishing corrected exhibits and the standard drafting team minutes. In the errata, NERC also replaced the VRFs and VSLs in the February 10, 2011 petition with new proposed VRFs and VSLs.\10\ --------------------------------------------------------------------------- \10\ NERC states that the Version 4 VRFs and VSLs are carried over in part from the VRFs and VSLs in the Version 3 CIP Reliability Standards. NERC Petition at 46. The Commission approved the Version 2 and 3 VRFs and VSLs in Docket Nos. RD10-6-001 and RD09-7-003 on January 20, 2011 but required NERC to make modifications in a compliance filing due by March 21, 2011. North American Electric Reliability Corporation, 134 FERC ] 61,045 (2011). The February 10, 2011 petition did not carry over the modified Version 3 VRFs and VSLs since it was filed before the March 21, 2011 compliance filing. NERC submitted new Version 4 VRFs and VSLs that carried over the modified Version 3 VRFs and VSLs in the April 12, 2012 errata. On June 6, 2011, NERC filed the March 21, 2011 compliance filing in the present docket, Docket No. RM11-11-000. --------------------------------------------------------------------------- 9. Reliability Standard CIP-002-4 requires each responsible entity to use the bright line criteria as a ``checklist'' to identify Critical Assets, initially and in an annual review, replacing the risk-based assessment methodology developed and applied by each registered entity required under the currently-effective Version 3 CIP Reliability Standards. As in past versions, each responsible entity will then identify the Critical Cyber Assets associated with its updated list of Critical Assets. If application of the bright line criteria results in the identification of Critical Cyber Assets, such assets become subject to the remaining CIP Reliability Standards. 10. In the petition, NERC states that CIP-002-4 addresses some, but not all, of the directives in Order No. 706. NERC explained that the standard drafting team limited the scope of requirements in the development of Version 4 ``as an interim step'' limited to the concerns raised by the Commission regarding [[Page 24596]] CIP-002.\11\ NERC maintains that it has taken a ``phased'' approach to meeting the Commission's directives from Order No. 706 and, according to NERC, the standard drafting team continues to address the remaining Commission directives. According to NERC, the team will build on the CIP-002-4 standard's establishment of uniform criteria for the identification of Critical Assets.\12\ --------------------------------------------------------------------------- \11\ NERC Petition at 6 (citing Order No. 706, 122 FERC ] 61,040 at P 236). \12\ NERC Petition at 6. --------------------------------------------------------------------------- C. Notice of Proposed Rulemaking 11. On September 15, 2011, the Commission issued a Notice of Proposed Rulemaking (NOPR) proposing to approve the Version 4 CIP Reliability Standards.\13\ The NOPR also proposed to approve the related VRFs, VSLs with modifications, and implementation schedule proposed by NERC. To underscore the need to achieve full compliance with the directives in Order No. 706, the NOPR proposed to set a deadline by which date the ERO would be required to submit to the Commission for approval CIP Reliability Standards that are fully compliant with Order No. 706. The NOPR also addressed certain directives in Order No. 706 that have not yet been met, which would need to be satisfied by the proposed deadline.\14\ --------------------------------------------------------------------------- \13\ Version 4 Critical Infrastructure Protection Reliability Standards, 76 FR 58,730 (Sept. 22, 2011), FERC Stats. & Regs. ] 32,679 (2011) (NOPR). \14\ NOPR, FERC Stats. & Regs. ] 32,679 at PP 40-61. --------------------------------------------------------------------------- 12. In response to the NOPR, comments were filed by 28 interested entities. NERC submitted reply comments clarifying its position on one issue. Below, we address the issues raised by these comments. The Appendix to this Final Rule lists the entities that filed comments on the NOPR. II. Discussion 13. As discussed below, the Commission approves the eight modified Version 4 CIP Reliability Standards, finding that they are just and reasonable, not unduly discriminatory or preferential and in the public interest. In addition, the Commission approves NERC's proposed VRFs, VSLs with modifications, and its proposed implementation plan. The Commission has also determined that it is appropriate to impose a deadline for the ERO to achieve full compliance with Order No. 706. NERC commented that it anticipates filing the Version 5 CIP Reliability Standards by the third quarter of 2012.\15\ We therefore establish a deadline of 6 months from the end of the third quarter of 2012 (i.e., March 31, 2013), to provide the ERO with time to address any unforeseen contingencies. In addition, the Commission directs the ERO to submit quarterly reports, at the beginning of each quarter, in which it is to both confirm that it is on track to meet the deadline and describe the status of its CIP Reliability Standards development efforts. --------------------------------------------------------------------------- \15\ NERC Reply Comments at 4. --------------------------------------------------------------------------- 14. Below we discuss the Commission's basis for approving Version 4 of the CIP Reliability Standards. In addition, we discuss comments regarding: (1) The bright line criteria used to identify Critical Assets that are contained in Attachment 1 of Reliability Standard CIP- 002-4; (2) the identification of Critical Assets that fall outside the scope of Attachment 1 by registered entities, Regional Entities, or ERO; (3) the implementation plan for the Version 4 CIP Reliability Standards; (4) compliance with Order No. 706; (5) the deadline for submitting CIP Reliability Standards that fully comply with Order No. 706; and (6) the VRFs and VSLs. A. The Commission Adopts the NOPR Proposal To Approve the Version 4 CIP Reliability Standards NERC Petition 15. NERC states that CIP-002-4 establishes clear and uniform criteria for identifying Critical Assets on the Bulk-Power System.\16\ According to NERC, CIP-002-4 achieves a specified reliability goal by requiring the identification and documentation of Critical Cyber Assets associated with Critical Assets that support the reliable operation of the Bulk-Power System. NERC maintains that the Reliability Standard ``improves reliability by establishing uniform criteria across all Responsible Entities for the identification of Critical Assets.'' \17\ Further, NERC states that CIP-002-4 contains a technically sound method to achieve its reliability goal by requiring the identification and documentation of Critical Assets through the application of the criteria set forth in Attachment 1 of CIP-002-4. --------------------------------------------------------------------------- \16\ NERC Petition at 38. \17\ Id. at 4. --------------------------------------------------------------------------- NOPR 16. In the NOPR, the Commission proposed to approve the Version 4 CIP Reliability Standards. Giving due weight to the ERO's petition, the NOPR stated that the Version 4 CIP Standards will result in the identification of certain types of Critical Assets that may not be identified under Version 3; uses bright line criteria to identify Critical Assets, eliminating the use of existing entity-defined risk- based assessment methodologies that, as currently applied, generally do not adequately identify Critical Assets; and provides a level of consistency and clarity regarding the identification of Critical Assets lacking under Version 3.\18\ --------------------------------------------------------------------------- \18\ NOPR, FERC Stats. & Regs. ] 32,679 at P 21. --------------------------------------------------------------------------- Comments 17. Most commenters and NERC generally support the Commission's proposal to approve the Version 4 CIP Reliability Standards.\19\ Hydro- Qu[eacute]bec and NV Energy, however, oppose approval of Version 4,\20\ while the G&T Cooperatives support Version 4 for ``guidance purposes'' only pending submission of a ``Version 5'' of the CIP Reliability Standards.\21\ --------------------------------------------------------------------------- \19\ See, e.g., Trade Associates Comments at 2; FirstEnergy Comments at 1; KCP&L Comments at 2; PG&E Comments at 1; Tallahassee Comments at 1; Exelon Comments at 2; Dominion Comments at 3; NERC Comments at 3. \20\ Hydro-Qu[eacute]bec Comments at 6; NV Energy Comments at 2. \21\ G&T Cooperatives Comments at 3. --------------------------------------------------------------------------- 18. Hydro-Qu[eacute]bec opposes the bright line criteria because they capture assets based on factors such as voltages and amount of megawatts without assessing the asset's criticality to reliability. Hydro-Qu[eacute]bec states that the Commission should consider allowing the current risk-based assessment methodology and a bright line approach to coexist.\22\ --------------------------------------------------------------------------- \22\ Hydro-Qu[eacute]bec Comments at 3-4. --------------------------------------------------------------------------- 19. NV Energy believes that Version 4 unnecessarily expands the scope of the CIP Reliability Standards to facilities whose protection may offer only marginal value in preventing widespread cyber attacks on the bulk electric system.\23\ NV Energy asserts that no technical justification exists for the bright line criteria and, accordingly, NERC does not provide a sufficient basis to determine if Version 4 is just and reasonable or more effective than Version 3.\24\ --------------------------------------------------------------------------- \23\ NV Energy Comments at 2. \24\ Id. at 3-4. --------------------------------------------------------------------------- Commission Determination 20. The Commission approves the Version 4 CIP Reliability Standards pursuant to section 215(d) of the FPA. The Commission concludes that the Version 4 CIP Reliability Standards are just, reasonable, not unduly discriminatory or preferential, and in the public interest. For the reasons identified in the NOPR, we approve Version 4 because it: Identifies Critical Assets that may not be identified under Version 3; will eliminate the use of [[Page 24597]] existing entity-defined risk-based assessment methodologies that, as applied, generally do not adequately identify Critical Assets; and provides a level of consistency and clarity regarding the identification of Critical Assets lacking under Version 3. 21. With respect to the objections raised by Hydro-Qu[eacute]bec and NV Energy, we find them unpersuasive. Although NV Energy asserts that Version 4 will identify Critical Assets that do not require protection or whose protection only offers marginal benefits, as we stated in the NOPR, Version 4 will offer an increase in the overall protection for bulk electric system components that clearly require protection, including control centers.\25\ Recognizing that Version 4 is an ``interim step,'' our concern is that Version 4 does not provide enough protection to satisfy Order No. 706.\26\ --------------------------------------------------------------------------- \25\ NOPR, FERC Stats. & Regs. ] 32,679 at P 23 (``[T]he number of control centers identified as Critical Assets increases from 425 under Version 3 to 553 under Version 4, the latter figure representing 74 percent of all control centers.''). \26\ NERC Petition at 6. --------------------------------------------------------------------------- 22. We also find unpersuasive Hydro-Qu[eacute]bec and NV Energy's claim that the bright line criteria are based on arbitrary values (i.e., amounts of megawatts and voltages) without assessing the impact on reliability, or otherwise lack a technical justification. As discussed later in this final rule, the Commission finds that NERC offered an acceptable technical justification for the bright line criteria used to identify Critical Assets in Version 4. As indicated in the NOPR, we believe that Version 4 is an interim step towards full compliance with Order No. 706 and that implementation of Version 4 and concurrent retirement of Version 3, as proposed in the petition and reaffirmed by the ERO in its comments, is a step towards full compliance with Order No. 706.\27\ For the same reason, we reject the G&T Cooperatives' suggestion that Version 4 be approved for ``guidance purposes only.'' Nevertheless, we note that approval of the specific bright line approach to identifying Critical Assets adopted in Version 4 does not prejudge the manner in which cyber assets are identified for protection in Version 5 or subsequent revisions to the CIP Reliability Standards. --------------------------------------------------------------------------- \27\ NOPR, FERC Stats. & Regs. ] 32,679 at P 3. --------------------------------------------------------------------------- B. Bright Line Criteria for Identifying Critical Assets 23. Reliability Standard CIP-002-4 establishes criteria for identifying Critical Assets on the Bulk-Power System. Requirement R1 of Reliability Standard CIP-002-4, which pertains to the identification of Critical Assets, provides: The Responsible Entity shall develop a list of its identified Critical Assets determined through an annual application of the criteria contained in CIP-002-4 Attachment 1--Critical Asset Criteria. The Responsible Entity shall update this list as necessary, and review it at least annually. Attachment 1 to Reliability Standard CIP-002-4 provides seventeen criteria to be used by all responsible entities for the identification of Critical Assets pursuant to Requirement R1. The thresholds apply to specific types of facilities such as generating units, transmission lines and control centers. Reliability Standard CIP-002-4, Requirement R2 then requires responsible entities to develop a list of Critical Cyber Assets associated with the Critical Assets identified pursuant to Requirement R1. 1. Generation/Transmission NERC Petition 24. Several of the proposed criteria pertain to the identification of critical generation assets and critical transmission assets. Reliability Standard CIP-002-4, criterion 1.1 designates as Critical Assets: ``Each group of generating units (including nuclear generation) at a single plant location with an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW in a single Interconnection.'' Reliability Standard CIP-002-4, Requirement R2 qualifies criterion 1.1 by stating that: ``For each group of generating units (including nuclear generation) at a single plant location identified in Attachment 1, criterion 1.1, the only Cyber Assets that must be considered are those shared Cyber Assets that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed Attachment 1, criterion 1.1.'' 25. For transmission assets, criterion 1.6 designates as Critical Assets: ``Transmission Facilities operated at 500 kV or higher.'' Criterion 1.7 also designates as Critical Assets: ``Transmission Facilities operated at 300 kV or higher at stations or substations interconnected at 300 kV or higher with three or more other transmission stations or substations.'' 26. Reliability Standard CIP-002-4, criterion 1.2 provides that ``Each reactive resource or group of resources at a single location (excluding generation Facilities) having aggregate net Reactive Power nameplate rating of 1000 MVAR or greater'' shall be designated as a Critical Asset. Criterion 1.3 designates as Critical Assets: ``Each generation Facility that the Planning Coordinator or Transmission Planner designates and informs the Generator Owner or Generator Operator as necessary to avoid BES Adverse Reliability Impacts in the long-term planning horizon.'' Criterion 1.8 designates as Critical Assets: ``Transmission Facilities at a single station or substation location that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.'' Criterion 1.9 designates as Critical Assets: ``Flexible AC Transmission Systems (FACTS), at a single station or substation location, that are identified by the Reliability Coordinator, Planning Authority or Transmission Planner as critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies.'' Comments 27. Hydro-Qu[eacute]bec states that the term ``group of generating units'' used in criterion 1.1 is ambiguous because it could mean a generating station or a group of units sharing the same transformer. Hydro-Qu[eacute]bec also believes that the 15-minute period, established by CIP-002-4, Requirement R2, which states that ``the only Cyber Assets that must be considered are those shared Cyber Assets that could, within 15 minutes, adversely impact the reliable operation of any combination of units that in aggregate equal or exceed Attachment 1, criterion 1.1,'' needs further explanation because it is unclear how to determine whether operation is not reliable after 15 minutes. Finally, Hydro-Qu[eacute]bec contends that the term ``Flexible AC Transmission System (FACTS)'' in criterion 1.9 must be defined in the NERC Glossary of Terms.\28\ --------------------------------------------------------------------------- \28\ Hydro-Qu[eacute]bec Comments at 4-5. --------------------------------------------------------------------------- 28. NV Energy comments that the bright line criteria lack technical justification because they are primarily based on asset size (e.g., megawatts and voltage levels) to determine criticality. NV Energy maintains that size should not be dispositive to determining whether an asset is critical. NV Energy cites the 500 kV or higher size threshold for transmission facilities in criterion 1.6 as an example of a broad categorization that is likely to capture elements, such as NV Energy's radial facilities, whose function are not essential to the reliable operation of the [[Page 24598]] bulk electric system. NV Energy also identifies the 300 kV or higher threshold for transmission facilities interconnected at 300 kV or higher with three or more other transmission stations or substations in criterion 1.7 as another example. NV Energy asserts that other parameters, beyond the number of interconnections, must be evaluated to determine criticality. Finally, NV Energy states that the 1500 MW threshold in criterion 1.1 lacks technical justification.\29\ --------------------------------------------------------------------------- \29\ NV Energy Comments at 3-4. --------------------------------------------------------------------------- 29. ISO/RTO Council states that responsibility for identifying critical generation should not be shifted from generation owners under criterion 1.3, which it maintains allows a planning coordinator or transmission planner to designate critical generation facilities.\30\ Likewise, MISO maintains that criteria 1.3, 1.8, and 1.9 place undue burden on reliability coordinators, planning authorities/coordinators, and transmission planners by requiring them to designate facilities as Critical Assets.\31\ ISO/RTO Council and MISO believe that these authorities have insufficient guidance or data to designate facilities as Critical Assets in a uniform manner. MISO seeks remand of these criteria or, in the alternative, argues that these entities should be indemnified and have limited liability for decisions to designate or not designate facilities as Critical Assets. MISO also encourages the Commission to make clear that requiring these entities to make designations does not shift compliance obligations from the registered entity that owns or operates a facility identified under these criteria.\32\ --------------------------------------------------------------------------- \30\ ISO/RTO Council at 6. \31\ MISO Comments at 5. \32\ Id. at 7. --------------------------------------------------------------------------- 30. Further, MISO and ISO/RTO Council point to the lack of a mechanism for registered entities to challenge designations made by planning coordinators and transmission planners. MISO requests the establishment of such a mechanism.\33\ ISO/RTO Council states that the Commission ``needs to consider how to address the rights of Generator Owners or Generator Operators in the context of designation under the CIP Standards, or otherwise explain why the Generator Owner or Generator Operator has no rights to challenge the Planning Coordinator or Transmission Planner's determination.'' \34\ --------------------------------------------------------------------------- \33\ Id. at 8. \34\ ISO/RTO Council Comments at 13. --------------------------------------------------------------------------- Commission Determination 31. The Commission finds that the bright line criteria for designating generation and transmission assets as Critical Assets are acceptable and supported by the information contained in NERC's petition. 32. In response to Hydro-Qu[eacute]bec's comments, the Commission finds the term ``group of generating units,'' as used in criterion 1.1, to mean all generating units at a ``single plant location,'' as that term is defined in the ``Rationale and Implementation Reference Document'' for CIP-002-4 cited in the petition.\35\ ``Single plant location'' refers to a ``group of generating units occupying a defined physical footprint, often but not always, these units are surrounded by a common fence, have a common entry point, share common facilities such as warehouses, water plants and cooling sources, follow a similar naming convention (plant name--unit number) and fall under a common management organization.'' \36\ It is our understanding that the transformer used by a generating unit has no bearing under criterion 1.1 on whether a generating unit belongs to a ``group of generating units.'' --------------------------------------------------------------------------- \35\ NERC Petition at 9 (citing Rationale and Implementation Reference Document, http://www.nerc.com/docs/standards/sar/Project_2008-06_CIP-002-4_Guidance_clean_20101220.pdf). The Rationale and Implementation Reference Document, dated December 2010, was also submitted as part of the NERC filing. As found on the Commission's eLibrary system in Docket No. RM11-11-00, the Rationale and Implementation Reference Document is found in Exhibit E (Development Record of the proposed CIP Reliability Standard and the associated Implementation Plans) beginning at page 2141 of the PDF electronic file submitted by NERC. This Final Rule refers to the page numbers used within the Rationale and Implementation Reference Document. The Rational and Implementation Reference Document states that it ``provides guidance for Responsible Entities in the application of the criteria in CIP-002-4, Attachment 1. It provides clarifying notes on the intent and rationale of the Standards Drafting Team. It is not meant to augment, modify, or nullify any compliance requirements in the standard.'' Rationale and Implementation Reference Document at 1. \36\ Rationale and Implementation Reference Document at 8. --------------------------------------------------------------------------- 33. As for Hydro-Qu[eacute]bec's comments on the 15-minute trigger for CIP Reliability Standard coverage, NERC explains in its petition that ``[i]n specifying a 15-minute qualification, Requirement R2 includes only those Cyber Assets that would have a real-time impact on the reliable operation of the Bulk Electric System.'' \37\ Further, NERC explains that there may be generation facilities that, ``while essential to the reliability and operability of the generation facility, may not have real-time operational impact within the specified real-time operations impact window of 15 minutes,'' such as a cyber asset controlling the supply of coal fuel in a generation facility.\38\ We believe that NERC has provided adequate explanation and justification of this provision. To the extent that Hydro- Qu[eacute]bec seeks specific advice on how to implement the Requirement, Hydro- Qu[eacute]bec should raise the issue with the relevant Regional Entity or NERC. --------------------------------------------------------------------------- \37\ NERC Petition at 12. \38\ Id. --------------------------------------------------------------------------- 34. With respect to Hydro-Qu[eacute]bec's comment that the term ``Flexible AC Transmission System (FACTS)'' should be defined in the NERC Glossary of Terms, the Commission observes that the term is defined in the North American Energy Standards Board (NAESB) Wholesale Electric Industry Glossary,\39\ which is recognized in the NERC Rules of Procedure as a reference.\40\ Moreover, Hydro-Qu[eacute]bec's comment does not suggest a lack of understanding of what the term means such that Hydro-Qu[eacute]bec could not apply criterion 1.9. --------------------------------------------------------------------------- \39\ Available at www.naesb.org/pdf/weq_glossary072804w3.doc. \40\ NERC Rules of Procedure, Appendix 3A Standards Process Manual, at 22 (effective date January 31, 2012). --------------------------------------------------------------------------- 35. The Commission disagrees with NV Energy's comments that the bright line criteria lack a technical justification because they are primarily based on asset size. While it is true that the standard establishes thresholds based on asset size, NERC articulated a basis for those values. For example, for the 1500 MW threshold in criterion 1.1, the petition states that the standard drafting team derived that number ``from the most significant Contingency Reserves operated in various Balancing Authorities in all regions * * * [u]sing this number and data reported by the U.S. Energy Information Administration [], the team determined that approximately 146 generators in the United States would be classified as Critical Assets using this criterion * * * [t]his accounts for 29 percent of the installed generator capacity in the United States.'' \41\ Moreover, as discussed above, the 15-minute trigger in CIP-002-4, Requirement R2, is a qualification to the asset size thresholds in criterion 1.1 and is meant to include only ``Cyber Assets that would have a real-time impact on the reliable operation of the Bulk Electric System.'' \42\ Considering the ERO's pleadings and affording due weight to the ERO's technical expertise, the [[Page 24599]] Commission accepts the ERO's justification for approval of the bright line criteria in Attachment 1.\43\ --------------------------------------------------------------------------- \41\ NERC Petition at 15. \42\ Id. at 12. \43\ 16 U.S.C. 824o(d)(2). --------------------------------------------------------------------------- 36. The Commission disagrees with MISO's and ISO/RTO Council's comment that criteria 1.3, 1.8, and 1.9 require reliability coordinators, planning coordinators/authorities, and transmission planners to review a registered entity's Critical Asset list or designate assets as Critical Assets. Instead, these criteria use the product of planning actions taken by reliability coordinators, planning coordinators/authorities, and transmission planners pursuant to other non-CIP Reliability Standards--these planning actions are, put simply, not made in conjunction with the application of CIP-002-4. The Commission also disagrees with MISO and ISO/RTO Council's comments that reliability coordinators, planning coordinators, and transmission planners should have the same liability protection as an entity externally reviewing Critical Asset lists, as was discussed in Order No. 706-A.\44\ --------------------------------------------------------------------------- \44\ Order No. 706-A, 123 FERC ] 61,174 at P 53. --------------------------------------------------------------------------- 37. Criteria 1.3, 1.8, and 1.9 require a responsible entity to identify generation and transmission facilities as Critical Assets when they have been determined as ``necessary to avoid BES Adverse Reliability Impacts in the long-term planning horizon'' (criterion 1.3) or ``critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies'' (criteria 1.8 and 1.9). 38. First, this is not a discretionary action based on what a reliability coordinator, planning coordinator/authority, or transmission planner subsequently considers ``necessary'' to avoid adverse impacts. Rather, reliability coordinators, planning coordinators/authorities, and transmission planners make these underlying determinations as part of their compliance obligations associated with other (non-CIP) Reliability Standards. NERC developed a Rationale and Implementation Reference Document that provides guidance on implementation of the Attachment 1 criteria and supports our finding. This reference document associates criterion 1.3 with Reliability Standards TPL-003 and TPL-004: ``If it is determined through system studies that a unit must run in order to preserve the reliability of the BES, such as due to a category C3 contingency as defined in TPL-003 or a category D contingency as defined in TPL-004, then that unit must be classified as a Critical Asset [under criterion 1.3].'' \45\ Similarly, the Rationale and Implementation Reference Document associates criteria 1.8 and 1.9 with Reliability Standard FAC- 014-2: ``Parts 1.8 and 1.9 include those Transmission Facilities that have been identified as critical to the derivation of IROLs and their associated contingencies, as specified by FAC-014-2, Establish and Communicate System Operating Limits, R5.1.1 and R5.1.3.'' \46\ --------------------------------------------------------------------------- \45\ Rationale and Implementation Reference Document at 10. \46\ Id. at 13. --------------------------------------------------------------------------- 39. Second, during development of the Version 4 CIP Reliability Standards, the standard drafting team addressed this issue in responding to a comment concerning criteria 1.3 that ``[n]o entity should be able to simply `designate' another as having critical assets.'' \47\ The standard drafting team responded by stating that ``[t]he burden for identifying Critical Assets is with the Responsible Entity that is the asset owner * * * [t]he Planning Authority and/or Transmission Planner are not designating the asset as critical for CIP purposes; they are determining the unit to be necessary to avoid Adverse Reliability Impacts based on other NERC reliability standards.'' \48\ --------------------------------------------------------------------------- \47\ NERC Petition, Exhibit E, at 1548 of PDF electronic file. \48\ Id. --------------------------------------------------------------------------- 40. Third, transmission planners and planning authorities/ coordinators cannot have a compliance obligation to designate Critical Assets under Reliability Standard CIP-002-4 because they are not identified as Applicable Entities under the Reliability Standard.\49\ --------------------------------------------------------------------------- \49\ Section 302 of the NERC Rules of Procedure states that ``Applicability--Each Reliability Standard shall clearly identify the functional classes of entities responsible for complying with the Reliability Standard, with any specific additions or exceptions noted * * *.'' NERC Rules of Procedure at 3 (effective date January 31, 2012). --------------------------------------------------------------------------- 41. In sum, under CIP-002-4, the responsible entity is required, and thus bears the compliance obligation, to apply the bright line criteria in Attachment 1 of CIP-002-4 to designate Critical Assets. We therefore reject the contention that reliability coordinators, planning coordinators/authorities, and transmission planners designate Critical Assets under the bright line criteria. We also disagree that CIP-002-4 imposes an undue burden on reliability coordinators, planning coordinators/authorities, and transmission planners because, as discussed above, determining whether an asset is ``necessary to avoid BES Adverse Reliability Impacts in the long-term planning horizon'' (criterion 1.3) or ``critical to the derivation of Interconnection Reliability Operating Limits (IROLs) and their associated contingencies'' is associated with existing Reliability Standards. However, the Commission does agree with MISO and ISO/RTO Council that additional clarity could be provided to ensure uniformity in implementation of criterion 1.3. To address the concerns of uniform implementation, the Commission believes that responsible entities would benefit from the ERO's guidance. 42. We deny MISO and ISO/RTO Council's request that the Commission require an appeals process to challenge determinations made by planning coordinator and transmission planners pursuant to other Reliability Standards. An appeals process is neither necessary nor appropriate because the determinations by planning coordinator and transmission planners are made for purposes unrelated to cybersecurity. It is true that those determinations will be used by responsible entities when applying the bright line criteria in CIP-002-4. However, as discussed above, the responsible entities, and not planning coordinators and transmission planners, are ultimately responsible for compliance with the CIP Reliability Standards. Accordingly, we reject MISO and ISO/RTO Council's suggestion to direct NERC to develop an appeals process for determinations made by planning coordinators and transmission planners in the context of other Reliability Standards in this final rule approving the Version 4 CIP Reliability Standards. 2. Blackstart/Must Run Units NERC Petition 43. Reliability Standard CIP-002-4, criterion 1.3 designates as a Critical Asset: ``Each generation Facility that the Planning Coordinator or Transmission Planner designates and informs the Generator Owner or Generator Operator as necessary to avoid BES Adverse Reliability Impacts in the long-term planning horizon.'' Reliability Standard CIP-002-4, criterion 1.4 designates as a Critical Asset: ``Each Blackstart Resource identified in the Transmission Operator's restoration plan.'' Comments 44. ISO/RTO Council comments that criterion 1.4 pertaining to blackstart resources appears to conflict with the NERC Statement of Registry Criteria. ISO/RTO Council observes that while criterion 1.4 identifies as a Critical Asset ``[e]ach Blackstart Resource identified in the Transmission Operator's restoration [[Page 24600]] plan,'' the Registry Criteria provide for registration of ``any generator, regardless of size, that is a blackstart unit material to and designated as part of a transmission operator entity's restoration plan * * *'' \50\ ISO/RTO Council suggests that ``some Regional Entities may have determined that certain blackstart units are not material to the Transmission Operator's restoration plan, and are therefore, presumably not covered'' by the Reliability Standards.\51\ Thus, ISO/RTO Council seeks clarification whether criterion 1.4 is meant to apply to blackstart units ``covered'' by the Registry Criteria or all blackstart resources and, if the latter, whether a revision to the Registry Criteria is appropriate. --------------------------------------------------------------------------- \50\ NERC Statement of Compliance Registry Criteria (Revision 5.0) at 8 (Oct. 16, 2008) (emphasis added). \51\ ISO/RTO Council Comments at 14. --------------------------------------------------------------------------- 45. MISO comments that designating must run units as Critical Assets pursuant to criterion 1.3 may create an incentive for generation owners and generation operators to remove such units from service prior to their designation as Critical Assets.\52\ --------------------------------------------------------------------------- \52\ MISO Comments at 9. --------------------------------------------------------------------------- Commission Determination 46. With regard to ISO/RTO Council's comments, we note that NERC developed the Registry Criteria to identify users, owners and operators of the bulk electric system that are candidates for compliance registration. NERC does not apply the Registry Criteria to register particular assets.\53\ Moreover, whether NERC should revise the Registry Criteria is beyond the scope of this proceeding.\54\ That being said, it is not clear to us whether any substantive distinction is to be made between criterion 1.4, which implicates each blackstart resource identified in a restoration plan, and the Registry Criteria, which identifies as a candidate for registration the owner or operator of ``a blackstart unit material to and designated as part of a * * * restoration plan.'' We leave it to NERC to consider whether a blackstart unit identified in a transmission operator's restoration plan could ever be considered immaterial to that plan and, if so, whether a clarification or revision to one or more documents is appropriate. --------------------------------------------------------------------------- \53\ Order No. 706, 122 FERC ] 61,040 at P 50 (``the NERC registry process is designed to identify and register entities for compliance with Reliability Standards, and not identify lists of assets''). \54\ Order No. 706, 122 FERC ] 61,040 at P 49. --------------------------------------------------------------------------- 47. We disagree with MISO that designating a ``must run'' unit as a Critical Asset may create an incentive for generation owners and generation operators to remove units from service prior to their designation as Critical Assets. The Commission is willing to consider rate filings to address this concern. For example, the Commission conditionally accepted a proposal filed by PJM to allow generators to recover costs related to compliance with mandatory NERC CIP Reliability Standards.\55\ Specifically, the Commission conditionally approved PJM's proposal in order to provide additional means for blackstart service providers to recover incremental costs associated with providing blackstart service.\56\ Finally, MISO can compensate ``must run'' generation units under System Support Agreements to prevent generators deemed as ``must run'' from being removed from service. --------------------------------------------------------------------------- \55\ PJM Interconnection, L.L.C., 138 FERC ] 61,020 (2012). \56\ Id. P 47. --------------------------------------------------------------------------- 3. Control Centers/Control Systems NERC Petition 48. Reliability Standard CIP-002-4, criteria 1.14-1.17 define the control centers and back up control centers that are treated as Critical Assets. Specifically, criterion 1.14 identifies as a bright line for Critical Assets ``[e]ach control center or backup control center used to perform the functional obligations of the Reliability Coordinator.'' Criterion 1.15 pertains to control centers or backup control centers used to control generation at multiple plant locations, equal to or exceeding 1500 MW. Criteria 1.16 and 1.17 include as Critical Assets control centers or backup control centers used to perform the functional obligations of transmission operators and balancing authorities, respectively. NOPR 49. In the NOPR, the Commission expressed concern, based on survey data supplied by NERC, that the Reliability Standard CIP-002-4 criteria would still leave a significant number of control centers unprotected.\57\ --------------------------------------------------------------------------- \57\ NOPR, FERC Stats. & Regs. ] 32,679 at P 56. --------------------------------------------------------------------------- Comments 50. Commenters hold diverging views on whether the Version 4 CIP Reliability Standards adequately protect control centers and control systems (i.e., control systems not housed in control centers). G&T Cooperatives believe that Version 4 goes too far, while SPP RE and, to a lesser extent, MISO believe that it does not go far enough.\58\ NERC, PG&E, and the Trade Associations acknowledge the NOPR's concern that CIP Version 4 does not protect some control centers/common control systems, but they anticipate that a future Version 5 CIP Reliability Standards will protect more Critical Assets.\59\ --------------------------------------------------------------------------- \58\ G&T Cooperatives Comments at 11-12; SPP RE Comments at 5-6; MISO Comments at 11. \59\ NERC Comments at 14-15; PG&E Comments at 14; Trade Associations Comments at 7-8. --------------------------------------------------------------------------- 51. G&T Cooperatives believe that the Version 4 bright line criteria need additional work, which is why they support allowing a future Version 5 to supersede Version 4 before it becomes effective. Specifically, G&T Cooperatives state that criteria 1.14, 1.16, and 1.17 ``sweep in control centers and backup control centers, without regard to their size or potential impact on the [bulk electric system].'' \60\ G&T Cooperatives maintain that the bright line criteria should be revisited to ensure that they capture only those assets that should be covered in order to protect bulk electric system reliability.\61\ --------------------------------------------------------------------------- \60\ G&T Cooperatives Comments at 11. \61\ G&T Cooperatives Comments at 10-13. --------------------------------------------------------------------------- 52. SPP RE states that criteria 1.14-1.17 are insufficient because they do not consider interconnectivity of control centers or address the possibility that a small network-connected control center not deemed a Critical Asset could be used to compromise larger control centers. SPP RE believes that, at a minimum, all balancing authority and transmission operator control centers should be declared Critical Assets. SPP RE also encourages the Commission to consider requiring NERC to modify the bright line criteria to classify a control center as a Critical Asset if it is network-connected to other control centers.\62\ --------------------------------------------------------------------------- \62\ SPP RE Comments at 5-6. --------------------------------------------------------------------------- 53. With respect to common control systems, SPP RE believes that individual resources that do not qualify as Critical Assets under the bright line criteria can still pose a reliability risk if they have a common control system. SPP RE notes that under Version 4, a registered entity must designate its control center or generation facility as a Critical Asset in order to bring an associated common control system into scope. SPP RE believes that the bright line criteria may not ensure that all common control systems are identified, however. Criterion 1.1 designates as Critical Assets groups of generating units at a single plant location with an aggregate highest rated net Real Power capability equal to or exceeding 1500 MW. Criterion 1.15 designates as Critical Assets: ``Each control center or backup control center used to control generation at multiple plant locations, for any generation Facility or group of [[Page 24601]] generation Facilities identified in criteria 1.1, 1.3, or 1.4. Each control center or backup control center used to control generation equal to or exceeding 1500 MW in a single Interconnection.'' SPP RE states that criterion 1.1 adequately protects the common control systems of generating units at a single plant location with aggregate real power equal to or exceeding 1500 MW. However, SPP RE believes that criterion 1.15 does not clearly apply to control centers and common control systems that control generation that equals or exceeds 1,500 MW in the aggregate regardless of the individual plant size requirements set forth in criterion 1.1.\63\ --------------------------------------------------------------------------- \63\ Id. at 6-7. --------------------------------------------------------------------------- 54. MISO expresses concern with Version 4's treatment of control centers. MISO asks for clarification whether Version 4 intentionally omitted ``data centers'' associated with control centers from the bright line criteria and whether registered entities have the discretion to designate them as Critical Assets. Because control centers often work in tandem with an associated data center, MISO recommends allowing registered entities to designate data centers as Critical Assets.\64\ --------------------------------------------------------------------------- \64\ MISO Comments at 10-11. --------------------------------------------------------------------------- 55. NERC and PG&E acknowledge the NOPR's concern that Version 4 does not fully address the Order No. 706 directives pertaining to control centers. NERC and PG&E temper this concern, however, by pointing to the lack of an accepted definition of ``control centers'' and the fact that some control centers in the generation context only communicate with generators that fall below the NERC Registration Criteria for generators. NERC and PG&E suggest that cyber assets at these generator locations are unlikely to have a greater impact on reliability than much larger single-unit generators merely because the smaller units have a control center. In any case, NERC and PG&E explain that under a future Version 5 every control center will be protected and will receive a ``medium'' or ``high'' level of security under a new three-tiered structure. Further, NERC and PG&E state that several Version 5 requirements will apply to control centers regardless of whether they are classified as medium or high.\65\ NERC also states that ``cyber misuse'' will be a consideration under the classification process in CIP Version 5 and that the CIP Version 5 drafting team has proposed a definition of ``control center.'' \66\ --------------------------------------------------------------------------- \65\ NERC Comments at 14-15; PG&E Comments at 13-14. \66\ NERC Comments at 15. --------------------------------------------------------------------------- 56. The Trade Associations likewise recognize the NOPR's concern regarding control centers but state that control centers and control systems are being considered in the Version 5 project. The Trade Associations also state that appropriate prioritization and tailored application of mandatory requirements will be needed in addressing control centers and control systems given the widely varying circumstances and configurations in which these facilities are used.\67\ --------------------------------------------------------------------------- \67\ Trade Associations Comments at 7-8. --------------------------------------------------------------------------- Commission Determination 57. The Commission recognizes the diverging views among commenters regarding the protection of control centers and control systems afforded under the Version 4 CIP Reliability Standards. In Order No. 706, we stated that ``it is difficult to envision a scenario in which a reliability coordinator, transmission operator or transmission owner control center or backup control center would not properly be identified as a critical asset.'' \68\ The Commission maintains this view. However, as we observed in the NOPR, the percentage of control centers to be identified as Critical Assets under Version 4 is 74 percent, which is an improvement over the number currently identified under Version 3.\69\ Therefore, it is reasonable to approve Version 4 because it will ensure that more control centers are identified as Critical Assets than are identified under Version 3. However, we continue to expect comprehensive protection of all control centers and control systems as NERC works to comply with the requirements of Order No. 706. --------------------------------------------------------------------------- \68\ Order No. 706, 122 FERC ] 61,040 at P 280. \69\ NOPR, FERC Stats. & Regs. ] 32,679 at P 23. --------------------------------------------------------------------------- 58. We agree with SPP RE that the CIP Reliability Standards should consider interconnectivity of control centers and the strategy of classifying a control center as a Critical Asset if it is network- connected to other control centers. The Commission also finds merit in MISO's comment that responsible entities should be allowed to designate data centers as Critical Assets because of their inherent connectivity to the control centers or control systems they support. Therefore, we expect NERC to address these approaches as it works to comply with the requirements of Order No. 706.\70\ --------------------------------------------------------------------------- \70\ See, e.g., Order No. 706, 122 FERC ] 61,040 at PP 280-281. --------------------------------------------------------------------------- C. NOPR Questions on Critical Asset Identification 1. Flexibility To Identify Critical Assets That Fall Outside of the CIP Version 4 Bright Line Criteria NOPR 59. In the NOPR, the Commission stated that under the currently- effective Reliability Standard CIP-002-3, a responsible entity that applies its risk-based assessment methodology considers specific types of assets identified in Requirement R1, as well as ``any additional assets that support the operation of the Bulk Electric System that the Responsible Entity deems appropriate to include its assessment.'' \71\ The Commission invited comment on whether a registered entity retains the same flexibility under Version 4 to identify assets that, although outside of the bright line criteria for identifying Critical Assets, are essential to Bulk-Power System reliability. --------------------------------------------------------------------------- \71\ NOPR, FERC Stats. & Regs. ] 32,679 at P 31. --------------------------------------------------------------------------- Comments 60. NERC states that, in developing Version 4, the drafting team considered adding criteria that would allow entities to identify additional facilities falling outside of the bright line criteria, but determined not to include the provision. However, NERC adds that ``registered entities are permitted to apply any or all of the requirements in the CIP standards to assets that do not meet the bright-line thresholds.'' \72\ --------------------------------------------------------------------------- \72\ NERC Comments at 4. --------------------------------------------------------------------------- 61. The Trade Associations and FirstEnergy believe that registered entities do not have the flexibility to identify Critical Assets that fall outside the bright line criteria such that they would be subject to mandatory and enforceable compliance obligations and should not have such flexibility because it would detract from the consistency afforded by the bright line criteria.\73\ The Trade Associations, however, state that registered entities have the discretion to identify facilities as Critical Assets provided those facilities are not subject to compliance obligations.\74\ --------------------------------------------------------------------------- \73\ Trade Associations Comments at 4-5; FirstEnergy Comments at 2. \74\ Trade Association Comments at 5. --------------------------------------------------------------------------- 62. PG&E comments that appropriate flexibility exists under Version 4 to allow the identification of Critical Assets essential to the bulk electric system. In particular, PG&E cites to criterion 1.3, which would require a planning coordinator or transmission planner to identify a generation facility [[Page 24602]] as ``critical'' if ``necessary to avoid BES Adverse Reliability Impacts in the long-term planning horizon.'' \75\ Likewise, PG&E indicates that criterion 1.8 provides that a reliability coordinator, planning authority, and transmission planner has authority to designate certain transmission facilities critical to the derivation of IROLs as critical. PG&E also believes that industry should be encouraged to apply any or all of the CIP Reliability Standards to assets that do not meet the bright line criteria, ``even beyond a compliance and audit program.'' \76\ --------------------------------------------------------------------------- \75\ PG&E Comments at 5. \76\ Id. --------------------------------------------------------------------------- 63. SPP RE encourages the Commission to require NERC to restore the ``other'' criterion to the bright line criteria.\77\ MISO likewise believes that registered entities should have the flexibility to identify more Critical Assets because the bright line criteria create a minimum regulatory floor on which to build.\78\ --------------------------------------------------------------------------- \77\ SPP RE Comments at 5. \78\ MISO Comments at 11. --------------------------------------------------------------------------- 2. NERC or Regional Entities' Ability To Identify Critical Assets That Fall Outside of the CIP Version 4 Bright-Line Criteria NOPR 64. In the NOPR, the Commission invited comment on whether NERC and/or Regional Entities would have the ability, either in an event- driven investigation or compliance audit, to identify specific assets that fall outside the bright-line criteria yet are still essential to Bulk-Power System reliability and should be subject prospectively to compliance with the CIP Reliability Standards, and if so, on what basis should that decision be made.\79\ --------------------------------------------------------------------------- \79\ NOPR, FERC Stats. & Regs. ] 32,679 at P 31. --------------------------------------------------------------------------- Comments 65. NERC states that the Version 4 CIP Reliability Standards are an interim step and that the future Version 5 CIP Reliability Standards will refine the bright line criteria, with the intent of categorizing assets (to be termed ``BES Cyber Systems'') as low, medium or high impact to Bulk-Power System reliability. NERC states that, in the interim, it has the authority under Section 810 of the NERC Rules of Procedure to issue an Alert to recommend specific actions. According to NERC, it can use the Alerts ``as a tool to address assets that NERC and Regional Entities later determine should be treated as critical but to not fall into the CIP Version 4 criteria.'' \80\ --------------------------------------------------------------------------- \80\ NERC Comments at 4-7. --------------------------------------------------------------------------- 66. The Trade Associations, Dominion, FirstEnergy and other commenters oppose identification of Critical Assets outside of the bright line process by NERC or Regional Entities as detracting from the clarity afforded by the bright line criteria. The Trade Associations and Tallahassee opine that the Commission should not undermine the bright line criteria by granting Regional Entities discretion to designate Critical Assets that are otherwise excluded by application of the bright line criteria.\81\ SPP RE states that it is not appropriate to apply arbitrarily criteria not found in the CIP Reliability Standards to require additional cyber systems to be subject to the CIP Reliability Standards.\82\ Dominion states that if such a mechanism is necessary, it should not be done in the compliance audit context.\83\ --------------------------------------------------------------------------- \81\ Trade Association Comments at 5-6; Tallahassee Comments at 4-5. \82\ SPP RE Comments at 4. \83\ Dominion Comments at 4-5. --------------------------------------------------------------------------- 67. MISO supports review of Critical Asset designations by NERC and Regional Entities given its belief that criteria 1.3, 1.8, and 1.9 require reliability coordinators, planning authorities/authorities and transmission planners to identify certain Critical Assets. MISO maintains that the lack of guidance for applying these criteria leaves room for substantial discretion, which may undermine the consistent identification of Critical Assets absent Regional Entity or NERC review.\84\ --------------------------------------------------------------------------- \84\ MISO Comments at 4. --------------------------------------------------------------------------- Commission Determination 68. We agree with NERC and others that registered entities can voluntarily apply any or all of the requirements in the CIP Reliability Standards to assets that fall outside the bright line criteria.\85\ As MISO described it, Version 4's bright line criteria establish a ``regulatory floor'' for cybersecurity, which must be followed by all registered entities.\86\ Nothing in Version 4 prevents registered entities from applying the protections required by the CIP Reliability Standards to additional assets that they deem critical. At the same time, we agree that assets not identified by the bright line criteria are not subject to a compliance obligation or to addition by the Commission, NERC, or a Regional Entity. We are persuaded that the clarity and addition of Critical Assets effected by the bright line criteria render Version 4 an improvement over Version 3. --------------------------------------------------------------------------- \85\ NERC Comments at 4. \86\ MISO Comments at 11. --------------------------------------------------------------------------- 69. We expect NERC to continue to work towards a version of the CIP Reliability Standards that will largely eliminate the risk of gaps in the identification of Critical Assets.\87\ In Section E of this Final Rule, we discuss the directive in Order No. 706 regarding external review in an effort to provide the ERO with guidance in developing future versions of the CIP Reliability Standards. --------------------------------------------------------------------------- \87\ NERC Petition at 4. --------------------------------------------------------------------------- D. Implementation Plan NERC Petition 70. NERC proposed an implementation plan for existing Critical Assets and an implementation plan for newly identified Critical Assets and newly registered entities. For existing Critical Assets, NERC proposed an effective date for full compliance with the Version 4 CIP Standards of the first day of the eighth calendar quarter after applicable regulatory approvals have been received. The implementation plan for newly identified Critical Assets and newly registered entities specifies how responsible entities are to handle newly identified Critical Cyber Assets, as well as how newly registered entities are to implement the CIP Reliability Standards after the effective date for Version 4. NOPR 71. In the NOPR, the Commission proposed to approve both the effective date and the implementation plan for CIP-002-4 based upon a belief that the proposed implementation plan establishes reasonable deadlines for industry compliance.\88\ --------------------------------------------------------------------------- \88\ NOPR, FERC Stats. & Regs. ] 32,679 at P 39. --------------------------------------------------------------------------- Comments 72. Comments varied regarding NERC's proposed implementation plan. NERC, PG&E and Exelon support the CIP Version 4 implementation plan. PG&E comments that the two year time frame, commencing from Commission approval, is reasonable. The Trade Associations support the implementation plan. However, they also urge the Commission to avoid a ``one size fits all'' approach, explaining that there are ``complexities'' of implementing ``[CIP Versions] 3 to 4 to 5.'' \89\ According to the Trade Associations, some entities may face significant challenges as the result of approval of Version 4 potentially followed so closely in time by the approval of Version 5. The Trade [[Page 24603]] Associations ask for coordination among NERC, the regions and registered entities to achieve compliance in an efficient and orderly manner. NERC and Exelon acknowledge that there could be concerns with implementing CIP Version 5 soon after Version 4 becomes effective, but note that CIP Version 5-related implementation issues could be revisited after CIP Version 5 is filed.\90\ --------------------------------------------------------------------------- \89\ Trade Associations Comments at 13. \90\ NERC Comments at 10; Exelon Comments at 3. --------------------------------------------------------------------------- 73. G&T Cooperatives, ISO/RTO Council, SPP RE, ITC, Dominion, and FirstEnergy oppose and/or recommend modifying the CIP Version 4 implementation plan in anticipation of a future CIP Version 5 filing. G&T Cooperatives state that CIP Version 4 should be approved for ``guidance purposes'' only, thus delaying implementation, so that it may be superseded by CIP Version 5.\91\ G&T Cooperatives believe that CIP Version 5 should become effective on the date that CIP Version 4 would otherwise become effective. Therefore, G&T Cooperatives believe that NERC no longer intends that CIP Version 4 should go into effect in advance of CIP Version 5. --------------------------------------------------------------------------- \91\ G&T Cooperatives Comments at 10. --------------------------------------------------------------------------- 74. ISO/RTO Council asks that the Commission provide guidance to NERC on how to exercise discretion on enforcement and implementation issues given the potential overlap and possible conflict with CIP Version 5.\92\ SPP RE suggests that the Commission allow entities to ``early adopt'' CIP Version 5.\93\ ITC recommends keeping CIP Version 4 in effect for at least three years so registered entities can collect a full three-year audit cycle's worth of data, which would avoid ``frequent and abrupt changes'' and could help later when implementing CIP Version 5.\94\ Dominion recommends allowing registered entities to discontinue implementation of CIP Version 4, while remaining compliant with CIP Version 3, if CIP Version 5 is approved by the Commission before the CIP Version 4 mandatory compliance date.\95\ --------------------------------------------------------------------------- \92\ ISO/RTO Council Comments at 15. \93\ SPP RE Comments at 7. \94\ ITC Comments at 4. \95\ Dominion Comments at 3. --------------------------------------------------------------------------- 75. In its reply comments, NERC reiterates that it supports implementation of CIP Version 4 as filed. NERC rejects the G&T Cooperatives' suggestion that NERC no longer intends that CIP Version 4 should go into effect in advance of CIP Version 5. NERC states that it recognizes the concerns raised by industry regarding the interplay between CIP Version 4 and CIP Version 5. However, NERC states that ``until CIP Version 5 and an appropriate implementation plan is fully vetted and approved by the industry, the NERC Board of Trustees, and FERC, there is no basis to determine at this juncture that the CIP Version 4 standards should not be implemented.'' \96\ --------------------------------------------------------------------------- \96\ NERC Reply Comments at 3. --------------------------------------------------------------------------- Commission Determination 76. The Commission adopts the NOPR proposal and approves both the effective date and the implementation plan for CIP-002-4 as just, reasonable, not unduly discriminatory or preferential, and in the public interest. The comments opposing NERC's proposed implementation plan for CIP-002-4 are all based upon concerns that the approval of CIP Version 4 may be followed very closely in time by a future Version 5 of the CIP Reliability Standards. We understand the commenters' interest in careful coordination, so that the industry can achieve compliance in an efficient and orderly manner as the industry moves from Version 3 to Version 5, via the interim Version 4. These concerns, however, do not provide a basis on which to reject the NOPR proposal. 77. While G&T Cooperatives, ISO/RTO Council, SPP RE, ITC, Dominion, and FirstEnergy outline various proposed solutions to a potential overlap between CIP Version 4 and a future Version 5 of the CIP Reliability Standards, the commenters ignore one critical fact--the only version of the CIP Reliability Standards at issue in this proceeding is Version 4. There is no proposed Version 5 of the CIP Reliability Standards before the Commission at this time, so any concerns raised about implementation of Version 5 are beyond the scope of this proceeding. To the extent that the development of Version 5 raises actual implementation concerns, such concerns should be raised when NERC submits Version 5 for approval. This proceeding is not the appropriate forum to determine how to coordinate the implementation of the CIP Version 4 Reliability Standards with possible future versions of the CIP Reliability Standards that have not yet been developed or submitted for approval to the Commission. E. Compliance With Order No. 706 78. In the petition, NERC stated that the standard drafting team ``limited the scope of requirements in the development of CIP-002-4 through CIP-009-4 as an interim step to address the more immediate concerns raised in FERC Order No. 706, paragraph 236.'' \97\ NERC further stated that the standard drafting team is continuing its effort to address the remaining outstanding Order No. 706 directives. NERC explained that its phased approach to meeting the Order No. 706 directives has ``consistently built upon prior versions of the CIP-002 through CIP-009 standards to enhance the reliability of the Bulk Electric System.'' \98\ In that light, the Commission discussed certain outstanding Order No. 706 directives in the NOPR and proposed giving guidance to aid in the development of the next version of the CIP Reliability Standards. --------------------------------------------------------------------------- \97\ NERC Petition at 6. \98\ Id. --------------------------------------------------------------------------- 79. In their comments, the Trade Associations seek clarification as to whether the issues discussed in Section B of the NOPR (i.e., connectivity, control centers, and NERC and Regional Entity review of Critical Asset lists) should be viewed merely as encouragement to address those issues in CIP Version 5 or as new directives beyond what was required in Order No. 706.\99\ The Trade Associations explain that it is their expectation that the final rule will not include any further directives. Instead, the Trade Associations encourage the Commission to allow development of CIP Version 5 to move forward without introducing any new uncertainties in a final rule on CIP Version 4. Based on the comments in response to the NOPR, we determine not to issue new directives at this time beyond what is required to comply with Order No. 706. Consistent with the NOPR proposal, we provide guidance for future versions of the CIP Reliability Standards regarding the issues of connectivity, application of the National Institute of Standards and Technology (NIST) Framework, and provision of a regional perspective. --------------------------------------------------------------------------- \99\ Trade Association Comments at 10. --------------------------------------------------------------------------- 1. Connectivity NOPR 80. In the NOPR, the Commission stated that: In light of recent cybersecurity vulnerabilities, threats and attacks that have exploited the interconnectivity of cyber systems, the Commission seeks comments regarding the method of identification of Critical Cyber Assets to ensure sufficiency and accuracy. The Commission recognizes that control systems that support Bulk-Power System reliability are ``only as secure as their weakest links,'' and that a single vulnerability opens the computer network and all other networks with which it is interconnected to potential malicious activity. Accordingly, the Commission believes that any criteria adopted for the [[Page 24604]] purposes of identifying a Critical Cyber Asset under CIP-002 should be based upon a Cyber Asset's connectivity and its potential to compromise the reliable operation of the Bulk-Power System, rather than focusing on the operation of any specific Critical Asset(s). [Footnotes omitted.] \100\ --------------------------------------------------------------------------- \100\ NOPR, FERC Stats. & Regs. ] 32,679 at P 43. The Commission invited comment on this approach. Comments 81. NERC comments that, while it does not believe that the connectivity issue was raised in Order No. 706, the CIP Version 5 standards drafting team recognizes the importance of the matter and is considering it in the development of Version 5.\101\ However, NERC does not believe that connectivity can be addressed in CIP Version 5 by the time it is submitted to the NERC Board of Trustees for approval.\102\ NERC notes that CIP Version 5 will eliminate the blanket exemption for non-routably connected cyber systems, ``and instead move[s] the connectivity attribute to specific requirements.'' \103\ NERC adds that the CIP Version 5 drafting team has proposed to apply electronic security perimeter protections ``of some form'' to include all bulk electric system Cyber Systems.\104\ --------------------------------------------------------------------------- \101\ NERC Comments at 11. \102\ Id. \103\ Id. \104\ Id. --------------------------------------------------------------------------- 82. SPP RE states that neither CIP Version 4 nor CIP Version 5 consider all possible communication paths between a given cyber asset and any assets that support a reliability function. According to SPP RE, the Version 4 standards define bright line criteria based on size of the asset, and the draft Version 5 standards would rate cyber systems based on their span of control, but fail to consider interconnectivity and the potential for a small system to be used as a vector of attack against other systems.\105\ SPP RE explains that control center cyber systems routinely exchange data with reliability coordinators, over wide area networks.\106\ --------------------------------------------------------------------------- \105\ SPP RE Comments at 3-5. \106\ Id. at 3-4. --------------------------------------------------------------------------- 83. ISO/RTO Council states that the Commission's concerns with connectivity could be addressed by requiring certain asset owners and operators to take a ``mutual distrust'' posture.\107\ MISO supports considering the connectivity issue but also encourages the Commission to evaluate the costs and benefits of this approach. --------------------------------------------------------------------------- \107\ ISO/RTO Council Comments at 17. --------------------------------------------------------------------------- 84. PG&E states that issues pertaining to connectivity are being addressed in CIP Version 5.\108\ The Trade Associations state that they understand the Commission's concerns regarding connectivity. But taken together with the NOPR's ``weakest link'' statements, the Trade Associations are concerned these views could imply that everything needs to be protected.\109\ The Trade Associations believe that the ``weakest link'' concept articulated in the NOPR needs to be fleshed out in more detail and that Commission staff should work with the CIP Version 5 standard drafting team to discuss these issues. The Trade Associations also maintain that the CIP Version 5 standard drafting team is currently working on addressing the Commission's directives in Order No. 706 and that no further directives regarding connectivity, or otherwise, should be made in the final rule approving CIP Version 4. According to the Trade Associations, any directives in the final rule would serve to prejudge CIP Version 5. --------------------------------------------------------------------------- \108\ PG&E Comments at 9. \109\ Trade Associations Comments at 18. --------------------------------------------------------------------------- Commission Determination 85. The Commission appreciates the comments on whether cyber connectivity should be a basis for the identification of Critical Cyber Assets, or their equivalent, in future versions of the CIP Reliability Standards. We have raised concerns relating to the use of cyber connectivity as a basis for applying the CIP Reliability Standards during and since the approval of Version 1. For example, in Order No. 706, we stated that ``NERC's compliance [with the CIP Reliability Standards] is necessary in light of its interconnectivity with other entities that own and operate critical assets.'' \110\ Similarly, in finding that an ``N minus 1'' criterion is not an appropriate risk- based assessment methodology for identifying Critical Assets, we noted that a cyber attack can strike multiple assets simultaneously.\111\ The cyber connectivity of Bulk-Power System assets increases the risk of a multiple asset cyber attack. The CIP Reliability Standards should reflect this risk. --------------------------------------------------------------------------- \110\ Order No. 706, 122 FERC ] 61,040 at P 47. \111\ Id. P 256. --------------------------------------------------------------------------- 86. In that light, we support the elimination of the blanket exemption for non-routable connected cyber systems as highlighted in NERC's comments.\112\ A continued blanket exemption in Version 5 would not adequately address risk. --------------------------------------------------------------------------- \112\ NERC Comments at 11. --------------------------------------------------------------------------- 87. In addition, we support the concept of applying electronic security perimeter protections ``of some form'' to all bulk electric system cyber systems.\113\ Because electronic communications between functional entities and their associated systems are essential to the operation of the Bulk-Power System, it is important for each distinct system to be protected at its boundary by an electronic security perimeter. The use of electronic security perimeters, as required under the CIP Reliability Standards, is commonly referred to as zoned security in the information security industry.\114\ Security zones are established to ensure that a compromise in one security zone does not lead to a compromise in another security zone across a security perimeter.\115\ The Commission is encouraged by NERC's comments that its standard drafting team is considering ways to address connectivity issues and electronic perimeter protections surrounding all BES Cyber Systems. --------------------------------------------------------------------------- \113\ Id. \114\ A ``security zone'' is defined by the ISA99 Committee on Industrial Automation and Control Systems Security as a ``grouping of logical or physical assets that share common security requirements.'' Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models, ISA-99.00.01- 2007. \115\ A ``security perimeter'' is defined by the ISA99 Committee on Industrial Automation and Control Systems Security as a ``boundary (logical or physical) of the domain in which a security policy or security architecture applies, i.e. the boundary of the space in which security services protect system resources.'' Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models, ISA-99.00.01-2007. --------------------------------------------------------------------------- 88. We also agree with SPP RE that the CIP Reliability Standards should consider communication paths between a given cyber asset and other assets that support a reliability function.\116\ As noted by SPP RE, cyber security standards that categorize cyber systems based upon the size or scope of the assets that they control ``fail to consider the interconnectivity of the BES Cyber Systems and the potential for a small control center system to be used as a vector of attack against a larger control center system.'' \117\ As noted by SPP RE, ``[c]ontrol center BES Cyber Systems routinely exchange operational data with each other as required by NERC Reliability Standard TOP-005-2a.'' \118\ As further noted by SPP RE, connectivity is important to address because of the required communications from control centers to and between reliability coordinators under the Interconnection Reliability Operations and Coordination Standards.\119\ The Commission agrees that cyber connectivity is important to address [[Page 24605]] when developing future versions of the CIP Reliability Standards. That being said, we acknowledge the concern of Trade Associations that the ``connectivity'' and ``weakest link'' concepts could possess different meanings to various stakeholders.\120\ Thus, addressing connectivity should include reaching a common understanding of the term. Further, we understand and agree with the Trade Associations' concern that protection should be applied in a reasonable manner.\121\ --------------------------------------------------------------------------- \116\ SPP RE Comments at 3-4. \117\ Id. \118\ Id. \119\ Id. \120\ Trade Associations Comments at 18. \121\ Id. --------------------------------------------------------------------------- 89. Recognizing the importance of addressing cyber connectivity in future versions of the CIP Reliability Standards, we encourage NERC to consider the benefits of a ``mutual distrust'' posture, or similar strategies, put forth by the ISO/RTO Council \122\ and as directed by the Commission in Order No. 706.\123\ In Order No. 706, the Commission used the term ``mutual distrust'' to denote how ``outside world'' systems are treated by those inside the control system.\124\ Specifically, a mutual distrust posture requires each responsible entity that has identified critical cyber assets to protect itself and not trust any communication crossing an electronic security perimeter, regardless of where that communication originates.\125\ --------------------------------------------------------------------------- \122\ ISO/RTO Council Comments at 17. \123\ Order No. 706, 122 FERC ] 61,040 at P 412 (``The Commission therefore directs the ERO to provide guidance, regarding the issues and concerns that a mutual distrust posture must address in order to protect a responsible entity's control system from the outside world.''). \124\ Id. P 33. \125\ Id. n.24. --------------------------------------------------------------------------- 90. Applying electronic security perimeter protections ``of some form'' to bulk electric system cyber systems covered by the CIP Reliability Standards will support the adoption of a ``mutual distrust'' posture. This posture will encourage asset owners and operators to employ sound network architectural design, thus segmenting their systems into distinct security zones protected by managed interfaces that will allow only trusted access. The managed interfaces, or electronic security perimeter access points, are intended to restrict or prohibit network access and information flow to bulk electric system cyber systems covered by the CIP Reliability Standards from unidentified, unauthenticated, and unauthorized connectivity to ensure security. Multiple electronic security perimeters can be established to protect cyber assets and adopted as part of a defense in depth strategy to limit the propagation of a threat.\126\ --------------------------------------------------------------------------- \126\ ``Defense in depth'' is defined by the ISA99 Committee on Industrial Automation and Control Systems Security as the ``provision of multiple security provisions, especially in layers, with the intent to delay if not prevent an attack. NOTE: Defense in depth implies layers of security and detection, even on single systems, and provides the following features: attackers are faced with breaking through or bypassing each layer without being detected; a flaw in one layer can be mitigated by capabilities in other layers; system security becomes a set of layers within the overall network security.'' Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models, ISA- 99.00.01-2007. --------------------------------------------------------------------------- 91. Having considered the feedback to our question on cyber connectivity, we continue to believe that criteria adopted for the purpose of identifying Critical Cyber Assets under CIP-002 should include a cyber asset's ``connectivity'' and its potential to compromise the reliable operation of the Bulk-Power System. Therefore, we expect Version 5 to address these issues. 2. Application of NIST Framework NOPR 92. In the NOPR, the Commission elaborated on the Order No. 706 guidance regarding the consideration of the NIST Framework when developing CIP Reliability Standards.\127\ The NOPR explained that the NIST Framework recognizes that all connected assets require a baseline level of protection to prevent attackers from gaining a foothold to launch further, even more devastating attacks on other critical systems.\128\ The Commission invited comment on this approach. --------------------------------------------------------------------------- \127\ NOPR, FERC Stats. & Regs. ] 32,679 at PP 46-52. \128\ Id. P 51. --------------------------------------------------------------------------- Comments 93. NERC, PG&E, SPP RE, and MISO support applying aspects of the NIST Framework to the CIP Reliability Standards, which could lead to more bulk electric system components being protected, though at different levels depending on their criticality. NERC and PG&E state that the CIP Version 5 standard drafting team has incorporated four key features of the NIST Framework into the draft CIP Version 5.\129\ NERC states, however, that the NIST standards/guidelines should not be adopted in total because elements of the NIST standards/guidelines, which are meant to help federal agencies to manage risks to their information systems in support of their unique missions, are inapplicable to the power sector.\130\ NERC and MISO point out that the NIST Framework allows for applicable NIST concepts to be tailored and incorporated into the CIP Reliability Standards, which has been the approach of the standard drafting team in developing CIP Version 5. --------------------------------------------------------------------------- \129\ NERC Comments at 13; PG&E Comments at 11-12. \130\ NERC Comments at 12-13. --------------------------------------------------------------------------- Commission Determination 94. The Commission finds the feedback provided on the potential application of the NIST Framework to the CIP Reliability Standards to be useful. We agree with the commenters that support applying applicable features of the NIST Framework to Version 5 of the CIP Reliability Standards. As stated in the NOPR, we believe that the NIST Framework could provide beneficial input into the CIP Reliability Standards.\131\ In its comments, NERC states that a standards drafting team is incorporating four key features of the NIST Framework into the Version 5 CIP Reliability Standards: (1) Ensuring that all BES Cyber Systems associated with the Bulk-Power System, based on their function and impact, receive some level of protection; (2) customizing protection to the mission of the cyber systems subject to protection; (3) applying a tiered approach to security controls that specifies the level of protection appropriate for systems based upon their importance to the reliable operation of the Bulk-Power System; and (4) using the concept of the BES Cyber System.\132\ We view the approach of incorporating these applicable features of the NIST Framework into the CIP Reliability Standards as a positive step in improving cyber security for the Bulk-Power System. --------------------------------------------------------------------------- \131\ NOPR, FERC Stats. & Regs. ] 32,679 at P 46. \132\ NERC Comments at 13-14. NERC comments that the next version of the CIP Reliability Standards replaces the identification of ``Critical Assets'' with the categorization of ``BES Cyber Systems.'' Specifically, NERC states that ``BES Cyber Systems will be characterized as `High Impact,' `Medium Impact,' or `Low Impact' based on the impact of the cyber system to the reliable operation of the bulk power system * * * [t]his characterization makes use of a bright-line concept similar to Version 4, but requires responsible entities to determine the impact of loss, compromise or misuse of a given BES Cyber System using a bright-line impact filter.'' NERC Comments at 7. --------------------------------------------------------------------------- 95. NIST standards are used by industry generally as a reference and can be applied by the ERO to the Bulk-Power System.\133\ Therefore, we [[Page 24606]] continue to encourage NERC and industry to include aspects of the NIST Framework and standards into subsequent versions of the CIP Reliability Standards to better protect the Bulk-Power System. Similar to our approach in Order No. 706, we continue to urge NERC to look to relevant NIST standards for guidance in developing effective cybersecurity standards for the electric industry.\134\ --------------------------------------------------------------------------- \133\ For example, NIST SP800-82 provides a detailed Guide to Industrial Control Systems Security that is relevant to the electric power industry. Specifically, NIST SP800-82 includes recommendations to assist in the protection of Supervisory Control and Data Acquisition systems, Distributed Control Systems, and other control system configurations such as Programmable Logic Controllers. See National Institute of Standard and Technology, Guide to Industrial Control Systems (ICS) Security (NIST SP900-82) (2011), http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf. \134\ Order No. 706, 122 FERC ] 61,040 at P 233 (directing the ERO ``to consult with federal entities that are required to comply with both CIP Reliability Standards and NIST standards on the effectiveness of the NIST standards and on implementation issues and [to] report these findings to the Commission''). --------------------------------------------------------------------------- 3. Regional Perspective NOPR 96. In the NOPR, the Commission highlighted the Order No. 706 directive for NERC to ``develop a process of external review and approval of critical asset lists based on a regional perspective.'' \135\ The NOPR explained the Commission's concern that a lack of a regional review of a registered entity's identification of cyber assets might result in a reliability gap. In addition, the Commission discussed concerns regarding cyber systems spanning multiple regions: --------------------------------------------------------------------------- \135\ NOPR, FERC Stats. & Regs. ] 32,679 at PP 59-61 (citing Order No. 706, 122 FERC ] 61,040 at P 329). This problem may be exacerbated by any future revisions to the CIP Reliability Standards that opt to reserve a high level of independent authority to the registered entity to categorize and prioritize its cyber assets. Looking forward, it will be essential for NERC and the Regional Entities to actively review the designation of cyber assets that are subject to the CIP Reliability Standards, including those which span regions, in order to determine whether additional cyber assets should be protected.\136\ --------------------------------------------------------------------------- \136\ Id. P 61. --------------------------------------------------------------------------- Comments 97. NERC states that the bright line criteria adopted under Version 4 of the CIP Reliability Standards provide certainty and clarity as to the assets that should be identified as critical. NERC explains that the CIP Reliability Standard drafting team is further refining the bright line criteria and anticipates that the next version of the CIP Reliability Standards will characterize ``BES Cyber Systems'' (in lieu of cyber assets) with ``high,'' ``medium,'' or ``low'' impact on Bulk- Power System reliability. According to NERC, ``[t]his characterization makes use of a bright line concept similar to Version 4, but requires responsible entities to determine the impact of loss, compromise or misuse of a given BES Cyber System using a bright line impact filter.'' \137\ --------------------------------------------------------------------------- \137\ NERC Comments at 7. NERC states in its comments that the CIP standard drafting team is considering the adoption of the term ``BES Cyber Systems'' in the next version of the CIP Reliability Standards. Our discussion below uses the term ``cyber assets'' to include any cyber asset or systems that the ERO eventually designates as needing cyber security protections under the CIP Reliability Standards. --------------------------------------------------------------------------- 98. The Trade Associations state that they cannot support the NOPR proposal on redesignation of assets based on a ``regional view'' without specific information about the mechanics of the proposal or the nature of the perceived reliability gap. According to the Trade Associations, registered entities are in the best position to determine which of their cyber assets are critical to the operation of Critical Assets and therefore subject to CIP compliance. The Trade Associations contend that NERC and the Regional Entities have the opportunity to review a registered entity's approach to developing its list of Critical Cyber Assets in the context of a compliance audit or other compliance monitoring process. 99. FirstEnergy states that the bright line criteria should be the sole methodology for identifying Critical Assets and that allowing the ERO or Regional Entities the ability to add assets that fall outside the bright line criteria undermines the purpose of the bright line criteria.\138\ Tallahassee states that the Commission should not undermine the value of the bright line criteria by granting the Regional Entities the discretion to designate assets as critical if the assets are not otherwise identified by the bright line criteria. --------------------------------------------------------------------------- \138\ FirstEnergy Comments at 2. --------------------------------------------------------------------------- 100. SPP RE, for its part, states that it is not appropriate to apply arbitrarily criteria not listed in the CIP Reliability Standards to require additional cyber assets to be subject to the CIP Reliability Standards. SPP RE states that the appropriate way to address any concern that the bright line criteria do not capture all assets that should be protected is to modify the bright line criteria to address any deficiency. Commission Determination 101. In Order No. 706, the Commission explained the need for external review of the Critical Asset lists in the context of an earlier version of the CIP Reliability Standards that required registered entities to apply individualized risk-based methodologies to identify Critical Assets.\139\ Further, as indicated in the NOPR in the immediate proceeding, the Commission's concerns are ``exacerbated by any future revisions to the CIP Reliability Standards that opt to reserve a high level of independent authority to the registered entity to categorize and prioritize its cyber assets.'' \140\ --------------------------------------------------------------------------- \139\ Order No. 706, 122 FERC ] 61,040 at PP 298, 322. \140\ NOPR, FERC Stats. & Regs. ] 32,679 at P 61. --------------------------------------------------------------------------- 102. We agree with commenters that the adoption of appropriate, bright line criteria for Critical Asset identification may obviate the need for an external review. We believe that there is less need for external review where application of bright line criteria results in an objective, consistently applied approach to the identification of cyber assets. As discussed above, NERC anticipates the development of tiered, bright line criteria in the next version of the CIP Reliability Standards. Whether this development ultimately eliminates the need for an external review process as directed in Order No. 706 will depend on the discretion allowed to individual registered entities in identifying and characterizing assets or systems. 103. However, even with the adoption of clear and objective criteria, we believe that there remains a need for an entity with a regional perspective, presumably the ERO or a Regional Entity, to have the opportunity to identify or adjust the characterization of cyber assets in some circumstances. For example, an event may reveal that a specific cyber asset has a greater impact than previously recognized. In such circumstance, an objective third party should have the opportunity to designate a cyber asset prospectively as critical or recharacterize the impact of a cyber asset for compliance purposes.\141\ Likewise, it is possible that a technological development or newly discovered vulnerability could justify a case- specific adjustment. --------------------------------------------------------------------------- \141\ Order No. 706, 122 FERC ] 61,040 at P 325. --------------------------------------------------------------------------- 104. We agree with SPP RE that a modification of one or more of the bright line criteria is an appropriate response to a generic change in risk or impact of a category of cyber assets. Accordingly, as a reasonable application of the Order No. 706 directive that an entity with a regional approach have oversight of Critical Asset identification, NERC and the regions--or another designated third party--should have the authority in some circumstances, such as those discussed above, to designate a cyber asset as critical or adjust the [[Page 24607]] ``impact'' characterization. In addressing the Order No. 706 directives, NERC should develop appropriate provisions to implement this limited opportunity for review. F. Deadline for Addressing Order No. 706 Directives NERC Petition 105. In the petition, NERC states that the standard drafting team is continuing to address the outstanding Order No. 706 directives.\142\ NERC notes that the next version of the CIP Reliability Standards ``will build on the CIP-002-4 standards' establishment of uniform criteria for the identification of Critical Assets.'' \143\ --------------------------------------------------------------------------- \142\ NERC Petition at 6. \143\ Id. --------------------------------------------------------------------------- NOPR 106. In the NOPR, the Commission invited comment on whether a reasonable deadline should be established for NERC to satisfy the outstanding directives in Order No. 706 pertaining to the CIP Reliability Standards based on NERC's current development timeline for CIP Version 5.\144\ Based on the then current NERC timeline, the NOPR proposed that the CIP Version 5 filing be made by the end of the third quarter of 2012. --------------------------------------------------------------------------- \144\ NOPR, FERC Stats. & Regs. ] 32,679 at P 67. --------------------------------------------------------------------------- Comments 107. Comments varied as to the imposition of a deadline for NERC to file CIP Version 5. Most comments support at least a soft filing date coupled with periodic informational filings on the status of CIP Version 5. While some comments support a hard deadline, that support is qualified. 108. NERC, ISO/RTO Council, PG&E, and Dominion offer qualified support for a deadline. NERC supports the proposed deadline, provided: the CIP Version 4 Final Rule does not add to or expand on the Order No. 706 directives; NERC is able to use its standard development process; and CIP Version 5 only requires one successive ballot.\145\ PG&E likewise believes that the proposed deadline is attainable provided the CIP Version 4 Final Rule does not expand on the Order No. 706 directives.\146\ ISO/RTO Council states that a deadline is reasonable as long as there is sufficient time for stakeholder input.\147\ However, ISO/RTO Council is skeptical about the current development timeline. Dominion also supports a hard deadline as long as CIP Version 5 is developed through the normal NERC standard development process.\148\ --------------------------------------------------------------------------- \145\ NERC Comments at 8-9. \146\ PG&E Comments at 8. \147\ ISO/RTO Comments at 16. \148\ Dominion Comments at 4. --------------------------------------------------------------------------- 109. The Trade Associations, AMP, Exelon, FirstEnergy, and KCP&L do not support a hard deadline for filing CIP Version 5.\149\ The Trade Associations, supported by FirstEnergy and KPC&L, and AMP believe that the development schedule for CIP Version 5 is aggressive and may need to be revised. The Trade Associations caution that an artificial deadline may increase the risk that some complex technical issues may not be fully resolved in Version 5. The Trade Associations and Exelon support a ``realistic goal'' or ``target date'' for filing CIP Version 5 coupled with periodic informational filings marking NERC's progress.\150\ AMP supports requiring NERC to make periodic informational filings as well.\151\ The Trade Associations state that if the Commission deems a deadline necessary, it should be set for the first quarter of 2013. --------------------------------------------------------------------------- \149\ Trade Associations Comments at 13-14; AMP Comments at 4-5; Exelon Comments at 3-4; FirstEnergy Comments at 3-4; KCP&L Comments at 2. \150\ Trade Associations Comments at 15. \151\ AMP Comments at 5. --------------------------------------------------------------------------- Commission Determination 110. We adopt our NOPR proposal to establish a deadline for compliance with the outstanding Order No. 706 CIP directives. Given the elapse of time since the issuance of Order No. 706, we believe that it is appropriate to set a reasonable deadline for completion of the next version of the CIP Reliability Standards, which, according to NERC, is expected to address the outstanding Order No. 706 directives.\152\ The setting of a deadline responds to the finding in the January 2011 Audit Report of the Department of Energy's Inspector General that ``the CIP standards implementation approach and schedule approved by the Commission were not adequate to ensure that systems-related risks to the Nation's power grid were mitigated or addressed in a timely manner.'' \153\ --------------------------------------------------------------------------- \152\ NOPR, FERC Stats. & Regs. ] 32,679 at P 65 n.65. \153\ NOPR, FERC Stats. & Regs. ] 32,679 at P 65 (citing Department of Energy Inspector General Audit Report, Federal Energy Regulatory Commission's Monitoring if Power Grid Cybersecurity at 2 (January 2011)). --------------------------------------------------------------------------- 111. We recognize, as numerous commenters discuss, that the current schedule for completing CIP Version 5 is aggressive. We also understand that the volume of industry discussion is high and we agree that industry input should not be artificially rushed or curtailed. In its reply comments, NERC indicated that it anticipates filing the Version 5 CIP Reliability Standards by the third quarter of 2012.\154\ Accordingly, to allow for sufficient time beyond what NERC estimates, we establish a deadline that is 6 months from the end of the third quarter of 2012 (i.e., March 31, 2013). NERC must also submit reports at the beginning of each quarter in which the ERO is to explain whether it is on track to meet the deadline and describe the status of its standard development efforts. --------------------------------------------------------------------------- \154\ NERC Reply Comments at 4. --------------------------------------------------------------------------- G. Violation Severity Levels and Violation Risk Factors NERC Petition 112. As amended on April 12, 2011, the petition includes proposed VRFs and VSLs for each Requirement of the Version 4 CIP Reliability Standards, CIP-002-4 to CIP-009-4. NOPR 113. In the NOPR, the Commission stated that the VSLs for Requirements R1 and R2 of CIP-002-4 do not adequately address the failure to properly identify either Critical Assets or Critical Cyber Assets.\155\ Specifically, NERC proposed to assign a ``Severe VSL'' for a violation of Requirement R1 if a responsible entity does not develop a list of its identified Critical Assets ``even if such list is null.'' NERC did not propose to assign a VSL for a violation of Requirement R1 when a responsible entity fails to identify a Critical Asset that falls within any of the Critical Asset criteria in Attachment 1, or fails to include an identified Critical Asset in its Critical Asset list. NERC further proposed to assign a ``Severe VSL'' to a responsible entity's violation of Requirement R2 only when it fails to include in its list of Critical Cyber Assets a Critical Cyber Asset it has identified. NERC did not propose to assign a VSL for a violation of Requirement R2 resulting from a responsible entity's failure to identify as a Critical Cyber Asset a cyber asset that qualifies as a Critical Cyber Asset. The Commission therefore proposed to direct the ERO to modify the VSLs for CIP-002-4, Requirements R1 and R2, to address a failure to identify either Critical Assets or Critical Cyber Assets. --------------------------------------------------------------------------- \155\ NOPR, FERC Stats. & Regs. ] 32,679 at pp. 35-36. --------------------------------------------------------------------------- Comments 114. NERC and PG&E agree with the NOPR proposal to direct modifications to the VSLs for Requirements R1 and R2 of CIP-002-4 to ensure that lists of identified Critical Assets are [[Page 24608]] complete.\156\ Accordingly, NERC states that the VSLs for Requirements R1 and R2 should be modified to include the word ``complete'' in front of the list in the VSL language.\157\ --------------------------------------------------------------------------- \156\ NERC Comments at 7-8; PG&E Comments at 6-7. \157\ The VSL for Requirement R1, for example, would read: ``The Responsible Entity did not develop a complete list of its identified Critical Assets even if such list is null.'' (emphasis added). --------------------------------------------------------------------------- Commission Determination 115. The Commission approves the VRFs and VSLs proposed by NERC subject to the modifications discussed above. As NERC now agrees, the Commission directs modifications to the ``Severe VSL'' for Requirements R1 and R2 to include the word ``complete.'' The modified VSLs will address situations where a responsible entity fails to identify or include one or more Critical Assets that fall within the Critical Asset criteria in Attachment 1 in its Critical Assets list pursuant to Requirement R1, or where a Responsible Entity fails to identify or include one or more Critical Cyber Assets in its Critical Cyber Asset list pursuant to Requirement R2. III. Information Collection Statement 116. The Office of Management and Budget (OMB) regulations require approval of certain information collection requirements imposed by agency rules.\158\ Upon approval of a collection(s) of information, OMB will assign an OMB control number and expiration date. Respondents subject to the filing requirement of this rule will not be penalized for failing to respond to these collections of information unless the collections of information display a valid OMB control number. The Paperwork Reduction Act (PRA) \159\ requires each federal agency to seek and obtain OMB approval before undertaking a collection of information directed to ten or more persons, or continuing a collection for which OMB approval and validity of the control number are about to expire.\160\ --------------------------------------------------------------------------- \158\ 5 CFR 1320.11. \159\ 44 U.S.C. 3501-3520 (2006). \160\ 44 U.S.C. 3502(3)(A)(i), 44 U.S.C. 3507(a)(3). --------------------------------------------------------------------------- 117. The Commission is submitting these reporting and recordkeeping requirements to OMB for its review and approval under section 3507(d) of the PRA. The Commission solicited comments on the need for this information, whether the information will have practical utility, the accuracy of provided burden estimates, ways to enhance the quality, utility, and clarity of the information to be collected, and any suggested methods for minimizing the respondent's burden, including the use of automated information techniques. The Commission received two comments regarding burden and cost estimates. Comments 118. Hydro-Qu[eacute]bec and NV Energy claim that the cost estimates included in the NOPR for Version 4 are inaccurate and incomplete.\161\ NV Energy states that the estimate does not include the significant burden of the additional security requirements that will be required by the identification of more Critical Assets and related Critical Cyber Assets. NV Energy comments that the cost estimate does not consider such matters as increased background checking, personnel risk assessments, cyber security training programs, and increased complexity of cyber security perimeters. --------------------------------------------------------------------------- \161\ Hydro-Qu[eacute]bec Comments at 6; NV Energy Comments at 6-7. --------------------------------------------------------------------------- Commission Determination 119. After a review of the comments on the Commission's cost estimate, we maintain the cost estimate provided in the NOPR. While we recognize that implementing the Reliability Standards is not without cost, the benefits to reliability must be recognized. In response to Hydro-Qu[eacute]bec and NV Energy's concerns, we note that the estimate provided in the NOPR addresses the potential for an incremental increase in costs across the industry and does not address the full cost of implementing the CIP Reliability Standards by an entity. We anticipate that the savings associated with the change from the entity- specific risk-based assessment methodology, which had to be reviewed and updated each year, to a bright-line approach will offset some, if not all, of the incremental cost increase for entities that have previously identified a Critical Cyber Asset. With regards to NV Energy's comments, we note that the proposed revisions to the Version 4 CIP Reliability Standards address the manner for the identification of Critical Assets, and do not revise current requirements pertaining to background checking, personnel risk assessments, cyber security training programs, and cyber security perimeters. 120. Burden Estimate: The principal differences in the existing information collection requirements and the burden imposed by the Reliability Standards in this Final Rule are triggered by the changes in Reliability Standard CIP-002-4. The previous risk-based assessment methodology for identifying Critical Assets is being replaced by 17 uniform ``bright line'' criteria for identifying Critical Assets (in CIP-002-4, Attachment 1, ``Critical Asset Criteria''). Reliability Standard CIP-002-4 requires each responsible entity to use the bright line criteria as a ``checklist'' to identify Critical Assets, initially and in an annual review, instead of performing the more technical and individualized risk analysis involved in complying with the previously- effective CIP Reliability Standards. As in past versions of these Standards, each Responsible Entity will then identify the Critical Cyber Assets associated with its updated list of Critical Assets. If application of the bright line criteria results in the identification of new Critical Cyber Assets, such assets become subject to the remaining standards (approved CIP-003-4, CIP-004-4, CIP-005-4, CIP-006- 4, CIP-007-4, CIP-008-4, and CIP-009-4), and the information collection requirements contained therein. 121. We estimate that the burden associated with the annual review of the assets (by the estimated 1,501 applicable entities) will be simplified by the ``Critical Asset Criteria'' in Reliability Standard CIP-002-4. Rather than each entity annually reviewing and updating a risk-based assessment methodology that frequently required technical analysis and judgment decisions, the bright line criteria will provide a straightforward checklist for all entities to use. Thus, we estimate that the revised Reliability Standard will reduce the burden associated with the annual review, as well as provide a consistent and clear set of criteria for all entities to follow. 122. The estimated changes to burden as contained in the Final Rule in RM11-11 follow. [[Page 24609]] -------------------------------------------------------------------------------------------------------------------------------------------------------- Annual Burden Hrs. FERC-725B Data Collection (per Number of Respondents Average Number of Average Number of Effect of Final Rule upon Version 4) \162\ Annual Responses Per Burden Hours Per in RM11-11, on Total Implementation of Respondent Response \163\ Annual Hours RM11-11 (1)................... (2)................... (3)................... (1) x (2) x (3)....... ................... -------------------------------------------------------------------------------------------------------------------------------------------------------- Entities that (previously and now) 345 [no change]....... 1..................... 1,880 [reduction of 40 reduction of 13,800 648,600 will identify at least one hours from 1,920 to hours. Critical Cyber Asset [category a]. 1,880 hours] hours. Entities that (previously and now) 1,144 [reduction of 12 1..................... 120 [no change]....... reduction of 1,440 137,280 will not identify any Critical entities from 1,156 hours [for the 12 Cyber Assets [category b]. to 1,144]. entities]. Entities that will newly identify a increase of 12 1..................... 3,840 \165\........... increase of 46,080.... 46,080 Critical Asset/Critical Cyber [formerly 0]. Asset due to the requirements in RM11-11 \164\ [category c]. Net Total...................... 1,501................. ...................... ...................... +30,840............... 831,960 -------------------------------------------------------------------------------------------------------------------------------------------------------- The revisions to the cost estimates based on requirements of this Final Rule are:Each entity that has identified Critical Cyber Assets has a reduction of 40 hours (345 entities x 40 hrs. @$96/hour = $1,324,800 reduction). --------------------------------------------------------------------------- \162\ The NERC Compliance Registry as of September 28, 2010 indicated that 2,079 entities were registered for NERC's compliance program. Of these, 2,057 were identified as being U.S. entities. Staff concluded that of the 2,057 U.S. entities, approximately 1,501 were registered for at least one CIP related function. According to an April 7, 2009 memo to industry, NERC noted that only 31 percent of entities responding to an earlier survey reported that they had at least one Critical Asset, and only 23 percent reported having a Critical Cyber Asset. Staff applied the 23 percent (an estimate unchanged for Version 4 standards) to the 1,501 figure to estimate the number of entities that identified Critical Cyber Assets under Version 3 CIP Standards. \163\ Calculations for figures prior to applying reductions: Respondent category b: 3 employees x (working 50 percent) x (40 hrs/week) x (2 weeks) = 120 hours. Respondent category c: 20 employees x (working 50 percent) x (40 hrs/week) x (8 weeks) = 3200 hours (working 20 percent) x (3200 hrs) = 640 hours. Total = 3840. Respondent category a: 50 percent of 3840 hours (category d) = 1920. \164\ We estimate 12 (or 1%) of the existing entities that formerly had no identified Critical Cyber Assets will have them under the Reliability Standards. This Final Rule does not affect the burden for the 6 new U.S. Entities that were estimated to newly register or otherwise become subject to the CIP Standards each year in FERC-725B, and therefore are not included in this chart. \165\ This estimated burden estimate applies only to the first three-year audit cycle. In subsequent audit cycles these entities will move into category a, or be removed from the burden as an entity that no longer is registered for a CIP related function. --------------------------------------------------------------------------- 12 Entities that formerly had not identified Critical Cyber Assets, but now will have them, has [cir] A reduction of 120 hours and an increase of 3,840 hours (for a net increase of 3,720 annual hours), giving 12 entities x 3,720 hrs. @ $96/hour = $4,285,440. [cir] Storage costs = 12 entities @ $15.25/entity = $183. Total Net Annual Cost for the FERC-725B requirements contained in the Final Rule in RM11-11= $2,960,823 ($4,285,440 + $183 - $1,324,800). The estimated hourly rate of $96 is the average cost of legal services ($230 per hour), technical employees ($40 per hour) and administrative support ($18 per hour), based on hourly rates from the Bureau of Labor Statistics (BLS) and the 2009 Billing Rates and Practices Survey Report.\166\ The $15.25 per entity for storage costs is an estimate based on the average costs to service and store 1 GB of data to demonstrate compliance with the CIP Standards.\167\ --------------------------------------------------------------------------- \166\ Bureau of Labor Statistics figures were obtained from http://www.bls.gov/oes/current/naics2_22.htm, and 2009 Billing Rates figure were obtained from http://www.marylandlawyerblog.com/2009/07/average_hourly_rate_for_lawyer.html. Legal services were based on the national average billing rate (contracting out) from the above report and BLS hourly earnings (in-house personnel). It is assumed that 25 percent of respondents have in-house legal personnel. \167\ Based on the aggregate cost of an advanced data protection server. --------------------------------------------------------------------------- Title: Mandatory Reliability Standards, Version 4 Critical Infrastructure Protection Standards. Action: Revised Collection FERC-725B. OMB Control No.: 1902-0248. Respondents: Businesses or other for-profit institutions; not-for- profit institutions. Frequency of Responses: On Occasion. Necessity of the Information: This Final Rule approves the requested modifications to Reliability Standards pertaining to critical infrastructure protection. The Reliability Standards help ensure the reliable operation of the Bulk-Power System by providing a cybersecurity framework for the identification and protection of Critical Assets and associated Critical Cyber Assets. As discussed above, the Commission approves NERC's proposed Version 4 CIP Standards pursuant to section 215(d)(2) of the FPA because they represent an improvement to the previously-effective CIP Reliability Standards. Internal Review: The Commission has reviewed the proposed Reliability Standards and made a determination that its action is necessary to implement section 215 of the FPA. 123. Interested persons may obtain information on the reporting requirements by contacting the following: Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426 [Attention: Ellen Brown, Office of the Executive Director, email: [email protected], phone: (202) 502-8663, fax: (202) 273-0873]. 124. Comments concerning this information collection can be sent to the Office of Management and Budget, Office of Information and Regulatory Affairs, Washington, DC 20503 [Attention: Desk Officer for the Federal Energy Regulatory Commission, phone: (202) 395-4718, fax: (202) 395-7285]. IV. Environmental Analysis 125. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a [[Page 24610]] significant adverse effect on the human environment.\168\ The Commission has categorically excluded certain actions from this requirement as not having a significant effect on the human environment. Included in the exclusion are rules that are clarifying, corrective, or procedural or that do not substantially change the effect of the regulations being amended.\169\ The actions taken here fall within this categorical exclusion in the Commission's regulations. --------------------------------------------------------------------------- \168\ Regulations Implementing the National Environmental Policy Act, 52 FR 47897 (Dec. 17, 1987), Order No. 486, FERC Stats. & Regs., Regulations Preambles 1986-1990 ] 30,783 (1987). \169\ 18 CFR 380.4(a)(2)(ii). --------------------------------------------------------------------------- V. Regulatory Flexibility Act 126. The Regulatory Flexibility Act of 1980 (RFA) \170\ generally requires a description and analysis of final rules that will have significant economic impact on a substantial number of small entities. The RFA mandates consideration of regulatory alternatives that accomplish the stated objectives of a proposed rule and that minimize any significant economic impact on a substantial number of small entities. The Small Business Administration's (SBA) Office of Size Standards develops the numerical definition of a small business.\171\ The SBA has established a size standard for electric utilities, stating that a firm is small if, including its affiliates, it is primarily engaged in the transmission, generation and/or distribution of electric energy for sale and its total electric output for the preceding twelve months did not exceed four million megawatt hours.\172\ --------------------------------------------------------------------------- \170\ 5 U.S.C. 601-612. \171\ 13 CFR 121.101. \172\ 13 CFR 121.201, Sector 22, Utilities & n.1. --------------------------------------------------------------------------- 127. This Final Rule may have a significant economic impact on some small entities. The Commission estimates that 12 of the total small entities applicable to this final rule will experience a total one-time impact of $4,285,623 (an average of $357,135 per entity). However, the Commission has determined that 12 small entities is not a ``substantial number'' in terms of the total number of regulated small entities under this Final Rule. The Final Rule applies to the all NERC Registered Entities listed in the ``Applicability'' section of Reliability Standard CIP-002-4.\173\ This list includes reliability coordinators, balancing authorities, interchange authorities, transmission service providers, transmission owners, transmission operators, generator owners, generator operators, load serving entities and regional entities. Using the NERC registry, the Commission found that the number of small entities applicable to this rule is 306. The Commission does not consider 12 out of 306 (3.9%) to be a substantial number. --------------------------------------------------------------------------- \173\ See Reliability Standard CIP-002-4, http://www.nerc.com/files/CIP-002-4.pdf. --------------------------------------------------------------------------- 128. In the September 15, 2011 NOPR, the Commission requested comment on the potential implementation cost and subsequent cost increases that could be experienced by such small entities. No comments were received. 129. Based on the foregoing, the Commission certifies that the modified Reliability Standards will not have a significant impact on a substantial number of small entities. Accordingly, no regulatory flexibility analysis is required. VI. Document Availability 130. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the Internet through FERC's Home Page (http://www.ferc.gov) and in FERC's Public Reference Room during normal business hours (8:30 a.m. to 5 p.m. Eastern time) at 888 First Street NE., Room 2A, Washington, DC 20426. 131. From FERC's Home Page on the Internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number excluding the last three digits of this document in the docket number field. 132. User assistance is available for eLibrary and the FERC's Web site during normal business hours from FERC Online Support at 202-502- 6652 (toll free at 1-866-208-3676) or email at [email protected], or the Public Reference Room at (202) 502- 8371, TTY (202) 502-8659. Email the Public Reference Room at [email protected]. VII. Effective Date and Congressional Notification 133. These regulations are effective June 25, 2012. The Commission has determined, with the concurrence of the Administrator of the Office of Information and Regulatory Affairs of OMB, that this rule is not a ``major rule'' as defined in section 351 of the Small Business Regulatory Enforcement Fairness Act of 1996. List of Subjects in 18 CFR Part 40 Electric power, Electric utilities, Reporting and recordkeeping requirements. By the Commission. Nathaniel J. Davis, Sr., Deputy Secretary. Appendix Commenters ------------------------------------------------------------------------ Abbreviation Commenter ------------------------------------------------------------------------ AMP....................................... American Municipal Power, Inc. Constellation............................. Constellation Energy Group, Inc. (intervened w/o comment). Dominion.................................. Dominion Resources Services, Inc. Exelon.................................... Exelon Corporation. FirstEnergy............................... FirstEnergy Service Company. G&T Cooperatives.......................... Associated Electric Cooperative, Inc.; Basin Electric Power Cooperative; and Tri-State Generation and Transmission Association, Inc. Hydro-Qu[eacute]bec....................... Hydro-Qu[eacute]bec Trans[Eacute]nergie. ISO/RTO Council........................... The ISO/RTO Council. ITC....................................... International Transmission Company d/b/a ITCTransmission, Michigan Electric Company, LLC, ITC Midwest LLC and ITC Great Plains LLC. KCP&L..................................... Kansas City Power & Light Company and KCP&L Greater Missouri Operations Company. MISO...................................... Midwest Independent Transmission System Operator, Inc. NERC...................................... North American Electric Reliability Corporation. PG&E...................................... Pacific Gas and Electric Company. NV Energy................................. Sierra Pacific Power Company and Nevada Power Company. [[Page 24611]] SPP RE.................................... Southwest Power Pool Regional Entity. Tallahassee............................... City of Tallahassee, Florida. Trade Associations........................ American Public Power Association; Electricity Consumers Resource Council; Edison Electric Institute; Electric Power Supply Association; National Rural Electric Cooperative Association; and Transmission Access Policy Study Group. ------------------------------------------------------------------------ [FR Doc. 2012-9893 Filed 4-24-12; 8:45 am] BILLING CODE 6717-01-P