[Federal Register: August 6, 2007 (Volume 72, Number 150)]
[Proposed Rules]
[Page 43969-44013]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr06au07-28]
[[Page 43969]]
-----------------------------------------------------------------------
Part IV
Department of Energy
-----------------------------------------------------------------------
Federal Energy Regulatory Commission
-----------------------------------------------------------------------
18 CFR Part 39
Mandatory Reliability Standards for Critical Infrastructure Protection;
Proposed Rule
[[Page 43970]]
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
18 CFR Part 39
[Docket No. RM06-22-000]
Mandatory Reliability Standards for Critical Infrastructure
Protection
July 20, 2007.
AGENCY: Federal Energy Regulatory Commission, Department of Energy.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: Pursuant to section 215 of the Federal Power Act (FPA), the
Federal Energy Regulatory Commission (Commission), proposes to approve
eight Critical Infrastructure Protection (CIP) Reliability Standards
submitted to the Commission for approval by the North American Electric
Reliability Corporation (NERC). The CIP Reliability Standards require
certain users, owners, and operators of the Bulk-Power System to comply
with specific requirements to safeguard critical cyber assets. In
addition, pursuant to section 215(d)(5) of the FPA, the Commission
proposes to direct NERC to develop modifications to the CIP Reliability
Standards to address specific concerns identified by the Commission.
Approval of these standards will help protect the nation's Bulk-Power
System against potential disruptions from cyber attacks.
DATES: Comments are due October 5, 2007.
ADDRESSES: You may submit comments, identified by docket number by any
of the following methods:
Agency Web Site: http://ferc.gov. Follow the instructions
for submitting comments via the eFiling link found in the Comment
Procedures section of the preamble.
Mail/Hand Delivery: Commenters unable to file comments
electronically must mail or hand deliver an original and 14 copies of
their comments to the Federal Energy Regulatory Commission, Secretary
of the Commission, 888 First Street, NE., Washington, DC 20426. Please
refer to the Comment Procedures section of the preamble for additional
information on how to file paper comments.
FOR FURTHER INFORMATION CONTACT: Gary Cohen (Legal Information), Office
of the General Counsel, Federal Energy Regulatory Commission, 888 First
Street, NE., Washington, DC 20426, (202) 502-8321.
Paul Silverman (Legal Information), Office of the General Counsel,
Federal Energy Regulatory Commission, 888 First Street, NE.,
Washington, DC 20426, (202) 502-8683.
Regis Binder (Technical Issues), Office of Energy Markets and
Reliability, Federal Energy Regulatory Commission, 888 First Street,
NE., Washington, DC 20426, (202) 502-6460.
Jan Bargen (Technical Issues), Office of Energy Markets and
Reliability, Federal Energy Regulatory Commission, 888 First Street,
NE., Washington, DC 20426, (202) 502-6333.
SUPPLEMENTARY INFORMATION:
Table of Contents
Paragraph
Numbers
I. Background............................................... 2.
A. EPAct 2005 and Mandatory Reliability Standards....... 2.
B. Development of CIP Reliability Standards............. 7.
C. CIP Assessment....................................... 11.
II. Discussion.............................................. 13.
A. General Issues....................................... 13.
1. Cyber Security Challenges........................ 13.
2. Applicability.................................... 21.
3. Compliance Measured by Outcome................... 32.
4. Implementation Plan.............................. 42.
5. Issues Presented by Terminology.................. 50.
6. Guidance for Improving CIP Reliability Standards. 87.
B. Discussion of Each CIP Reliability Standard.......... 89.
1. CIP-002-1--Critical Cyber Asset Identification... 89.
2. CIP-003-1--Security Management Controls.......... 120.
3. CIP-004-1--Personnel and Training................ 149.
4. CIP-005-1--Electronic Security Perimeter(s)...... 176.
5. CIP-006-1--Physical Security of Critical Cyber 204.
Assets.............................................
6. CIP-007-1--Systems Security Management........... 223.
7. CIP-008-1--Incident Reporting and Response 265.
Planning...........................................
8. CIP-009-1--Recovery Plans for Critical Cyber 289.
Assets.............................................
C. Violation Risk Factors............................... 321.
1. Background....................................... 321.
2. Commission Proposal.............................. 324.
III. Information Collection Statement....................... 332.
IV. Environmental Analysis.................................. 339.
V. Regulatory Flexibility Act Certification................. 340.
VI. Comment Procedures...................................... 350.
VII. Document Availability.................................. 353.
Appendix A List of Commenters............................... ..........
Appendix B Violation Risk Factors: Proposed Dispositions.... ..........
Before Commissioners: Joseph T. Kelliher, Chairman; Suedeen G.
Kelly, Marc Spitzer, Philip D. Moeller, and Jon Wellinghoff.
1. Pursuant to section 215 of the Federal Power Act (FPA), the
Commission proposes to approve eight Critical Infrastructure Protection
(CIP) Reliability Standards submitted to the Commission for approval by
the North American Electric Reliability Corporation (NERC). The CIP
Reliability Standards require certain users, owners, and operators of
the Bulk-Power System to comply with specific requirements to safeguard
critical cyber assets.\1\ In
[[Page 43971]]
addition, pursuant to section 215(d)(5) of the FPA, the Commission
proposes to direct NERC to develop modifications to the CIP Reliability
Standards to address specific concerns identified by the Commission.
---------------------------------------------------------------------------
\1\ In the context of the CIP Reliability Standards, cyber
assets are programmable electronic devices and communication
networks including hardware, software, and data. See note 69, infra.
---------------------------------------------------------------------------
I. Background
A. EPAct 2005 and Mandatory Reliability Standards
2. On August 8, 2005, the Electricity Modernization Act of 2005,
which is Title XII, Subtitle A, of the Energy Policy Act of 2005 (EPAct
2005), was enacted into law.\2\ EPAct 2005 adds a new section 215 to
the FPA, which requires a Commission-certified Electric Reliability
Organization (ERO) to develop mandatory and enforceable Reliability
Standards, which are subject to Commission review and approval. Once
approved, the Reliability Standards may be enforced by the ERO subject
to Commission oversight, or the Commission can independently enforce
Reliability Standards.\3\
---------------------------------------------------------------------------
\2\ Energy Policy Act of 2005, Pub. L. No. 109-58, Title XII,
Subtitle A, 119 Stat. 594, 941 (2005), to be codified at 16 U.S.C.
824o.
\3\ 16 U.S.C. 824o(e)(3).
---------------------------------------------------------------------------
3. On February 3, 2006, the Commission issued Order No. 672,
implementing section 215 of the FPA.\4\ Pursuant to Order No. 672, the
Commission certified one organization, NERC, as the ERO.\5\ The
Reliability Standards developed by the ERO and approved by the
Commission will apply to users, owners and operators of the Bulk-Power
System, as set forth in each Reliability Standard.
---------------------------------------------------------------------------
\4\ Rules Concerning Certification of the Electric Reliability
Organization; Procedures for the Establishment, Approval and
Enforcement of Electric Reliability Standards, Order No. 672, 71 FR
8662 (Feb. 17, 2006), FERC Stats. & Regs. ] 31,204 (2006), order on
reh'g, Order No. 672-A, 71 FR 19814 (Apr. 18, 2006), FERC Stats. &
Regs. ] 31,212 (2006).
\5\ North American Electric Reliability Corp., 116 FERC ] 61,062
(ERO Certification Order), order on reh'g & compliance, 117 FERC ]
61,126 (ERO Rehearing Order) (2006), order on compliance, 118 FERC ]
61,030 (2007) (Jan. 2007 Compliance Order), appeal docket sub nom.
Alcoa, Inc. v. FERC, No. 06-1426 (D.C. Cir. Dec. 29, 2006).
---------------------------------------------------------------------------
4. Pursuant to section 215(d)(2) of the FPA and Sec. 39.5(c) of
the Commission's regulations, the Commission is required to give due
weight to the technical expertise of the ERO with respect to the
content of a Reliability Standard or to a Regional Entity organized on
an Interconnection-wide basis with respect to a proposed Reliability
Standard or a proposed modification to a Reliability Standard to be
applicable within that Interconnection.\6\
---------------------------------------------------------------------------
\6\ 18 CFR 39.5(c)(1), to be codified at 16 U.S.C.824o.
---------------------------------------------------------------------------
5. The ERO must file with the Commission each new or modified
Reliability Standard that it proposes to be made effective under
section 215 of the FPA. The Commission can then approve or remand the
Reliability Standard. The Commission also can, among other actions,
direct the ERO to modify an approved Reliability Standard to address a
specific matter if it considers this appropriate to carry out section
215 of the FPA.\7\ Only Reliability Standards approved by the
Commission will become mandatory and enforceable.
---------------------------------------------------------------------------
\7\ Section 215(d)(5) of the FPA.
---------------------------------------------------------------------------
6. On April 4, 2006, as modified on August 28, 2006, NERC submitted
to the Commission a petition seeking approval of 107 proposed
Reliability Standards. On March 16, 2007, the Commission issued a final
rule, Order No. 693, approving 83 of these 107 Reliability Standards
and directing other action related to these Reliability Standards.\8\
---------------------------------------------------------------------------
\8\ Mandatory Reliability Standards for the Bulk-Power System,
Order No. 693, 72 FR 16416 (Apr. 4, 2007), FERC Stats. & Regs. ]
31,242 (2007); reh'g pending.
---------------------------------------------------------------------------
B. Development of CIP Reliability Standards
7. In August 2003, NERC approved the Urgent Action 1200 standard,
which was the first comprehensive cyber security standard for the
electric industry. This voluntary standard applied to control areas
(i.e., balancing authorities), transmission owners and operators, and
generation owners and operators that perform defined functions.
Specifically, it established a self-certification process relating to
the security of system control centers of the applicable entities. The
Urgent Action 1200 standard remained in effect on a voluntary basis
until June 1, 2006, at which time the eight CIP Reliability Standards
that are the subject of the current rulemaking replaced the Urgent
Action 1200 standard.
8. On August 28, 2006, NERC submitted to the Commission for
approval the following eight proposed CIP Reliability Standards:\9\
---------------------------------------------------------------------------
\9\ The proposed Reliability Standards are not proposed to be
codified in the CFR and are not attached to the NOPR. They are,
however, available on the Commission's eLibrary document retrieval
system in Docket No. RM06-22-000 and are available on the ERO's Web
site, http://www.nerc.com/filez/standards/Reliability_Standards.html#Critical_Infrastructure_Protection
.
---------------------------------------------------------------------------
CIP-002-1--Cyber Security--Critical Cyber Asset
Identification: Requires a responsible entity to identify its critical
assets and critical cyber assets using a risk-based assessment
methodology.
CIP-003-1--Cyber Security--Security Management Controls:
Requires a responsible entity to develop and implement security
management controls to protect critical cyber assets identified
pursuant to CIP-002-1.
CIP-004-1--Cyber Security--Personnel & Training: Requires
personnel with access to critical cyber assets to have an identity
verification and a criminal check. It also requires employee training.
CIP-005-1--Cyber Security--Electronic Security Perimeters:
Requires the identification and protection of an electronic security
perimeter and access points. The electronic security perimeter is to
encompass the critical cyber assets identified pursuant to the risk-
based assessment methodology required by CIP-002-1.
CIP-006-1--Cyber Security--Physical Security of Critical
Cyber Assets: Requires a responsible entity to create and maintain a
physical security plan that ensures that all cyber assets within an
electronic security perimeter are kept in an identified physical
security perimeter.
CIP-007-1--Cyber Security--Systems Security Management:
Requires a responsible entity to define methods, processes, and
procedures for securing the systems identified as critical cyber
assets, as well as the non-critical cyber assets within an electronic
security perimeter.
CIP-008-1--Cyber Security--Incident Reporting and Response
Planning: Requires a responsible entity to identify, classify, respond
to, and report cyber security incidents related to critical cyber
assets.
CIP-009-1--Cyber Security--Recovery Plans for Critical
Cyber Assets: Requires the establishment of recovery plans for critical
cyber assets using established business continuity and disaster
recovery techniques and practices.
9. NERC stated that these Reliability Standards provide a
comprehensive set of requirements to protect the Bulk-Power System from
malicious cyber attacks.\10\ They require Bulk-Power System users,
owners, and operators to establish a risk-based vulnerability
assessment methodology and use that methodology to identify and
prioritize critical assets and critical cyber assets. Once the critical
cyber assets are identified, the CIP Reliability Standards require,
among other things, that the responsible entities establish plans,
[[Page 43972]]
protocols, and controls to safeguard physical and electronic access, to
train personnel on security matters, to report security incidents, and
to be prepared for recovery actions. Further, NERC explained that,
because of the expanded scope of facilities and entities covered by the
eight CIP Reliability Standards, and the investment in security
upgrades required in many cases, NERC has also developed an
implementation plan that provides for a three-year phase-in to achieve
full compliance with all requirements.\11\
---------------------------------------------------------------------------
\10\ NERC Filing at 24.
\11\ Id. at 24: Exhibit B (Implementation Plan for Cyber
Security Standards).
---------------------------------------------------------------------------
10. Each proposed Reliability Standard uses a common organizational
format that includes five sections, as follows: (A) Introduction, which
includes ``Purpose'' and ``Applicability'' sub-sections; (B)
Requirements; (C) Measures; (D) Compliance; and (E) Regional
Differences. In this NOPR, these section titles are capitalized when
referencing a designated provision of a Reliability Standard.
C. CIP Assessment
11. On December 11, 2006, the Commission released a ``Staff
Preliminary Assessment of the North American Electric Reliability
Corporation's Proposed Mandatory Reliability Standards on Critical
Infrastructure Protection'' (CIP Assessment). The CIP Assessment
identified staff's preliminary observations and concerns regarding the
eight proposed CIP Reliability Standards. The CIP Assessment described
issues common to a number of the proposed CIP Reliability Standards. It
also reviewed and identified issues regarding each individual CIP
Reliability Standard but did not make specific recommendations
regarding the appropriate action on a particular proposal.
12. Comments on the CIP Assessment were due by February 12, 2007.
Entities that filed comments are listed in Appendix A to this NOPR.
II. Discussion
A. General Issues
1. Cyber Security Challenges
13. The CIP Reliability Standards represent the most thorough
attempt to date to address cyber security issues that relate to the
Bulk-Power System. For many years the control systems for the Bulk-
Power System have operated in a stand-alone environment without
computer or communication links to an external Information Technology
(IT) infrastructure. However, over recent years, such stand-alone
enclaves have been increasingly connected to both the corporate
environment and the external world.
14. Modern computer and communication network interconnection
brings with it the potential for cyber attacks on these systems. These
concerns become particularly critical when several entities come under
attack simultaneously. The CIP Assessment identified ``defense in
depth'' as a widely recognized strategy to address cyber threats.
Defense in depth involves the layering of various defense mechanisms in
a way that either discourages an adversary from continuing an attack or
aids in early detection of cyber threats.
15. A major challenge to preserving system protection is that
changes occur rapidly in system architectures, technology, and threats.
As a result, cyber security strategies must comprise a layered,
interwoven approach to vigilantly protect the Bulk-Power System against
evolving cyber security threats.
16. Cyber security involves a careful balance of the technologies
available with the existing control equipment and the functions they
perform. Cyber security does have purely technical components, which
consist of the various available technologies to defend computer
systems. The task of balancing technical options comes into play as one
selects and combines the various available technologies into a
comprehensive architecture to protect the specific computer
environment.
17. A key to the successful cyber protection of the Bulk-Power
System will be the establishment of CIP Reliability Standards that
provide sound, reliable direction on how to choose among alternatives
to achieve an adequate level of security, and the flexibility to make
those choices. This conclusion is consistent with the lessons learned
from the August 2003 blackout occurring in the central and northeastern
United States. The identification of the causes of that and other
previous major blackouts helped determine where existing Reliability
Standards need modification or new Reliability Standards need to be
developed to improve Bulk-Power System reliability. The U.S.--Canada
Power System Blackout Task Force, in its Blackout Report, developed
specific recommendations for the improving the then-current voluntary
standards and development of new Reliability Standards.\12\
---------------------------------------------------------------------------
\12\ U.S.--Canada Power System Blackout Task Force, Final Report
on the August 14, 2003 Blackout in the United States and Canada:
Causes and Recommendations (April 2004) (Blackout Report). The
Blackout Report is available on the Internet at http://www.ferc.gov/industries/electric/indus-act/blackout.asp
.
---------------------------------------------------------------------------
18. Thirteen of the 46 Blackout Report Recommendations relate to
cyber security. They address topics such as the development of cyber
security policies and procedures; strict control of physical and
electronic access to operationally sensitive equipment; assessment of
cyber security risks and vulnerability at regular intervals; capability
to detect wireless and remote wireline intrusion and surveillance;
guidance on employee background checks; procedures to prevent or
mitigate inappropriate disclosure of information; and improvement and
maintenance of cyber forensic and diagnostic capabilities.\13\ The
proposed CIP Reliability Standards address these and related topics.
---------------------------------------------------------------------------
\13\ See Blackout Report at 163-169, Recommendations 32-44.
---------------------------------------------------------------------------
19. As we noted in Order No. 693, the Blackout Report
recommendations address key issues for assuring Bulk-Power System
reliability and represent a well-reasoned and sound basis for
action.\14\ Likewise, in this NOPR, the Commission recognizes the
merits of specific Blackout Report recommendations as a basis for
proposing certain modifications to the eight CIP Reliability Standards
that the Commission proposes to approve.
---------------------------------------------------------------------------
\14\ See Order No. 693 at P 234.
---------------------------------------------------------------------------
20. We recognize that the guidance and directives in the cyber
security Reliability Standards themselves must also strike a reasonable
balance. If the provisions are overly prescriptive they tend to become
a ``one size fits all'' solution, which does not suit this environment,
where systems vary greatly in architecture, technology, and risk
profile. However, if Reliability Standards lack sufficient detail, they
will provide little useful direction, thereby making compliance and
enforcement difficult, allow flawed implementation of security
mechanisms, and result in inadequate protection. The Commission will
evaluate the proposed CIP Reliability Standards in the context of the
above over-arching considerations.
2. Applicability
21. The Applicability section of each proposed CIP Reliability
Standard identifies the following 11 categories of responsible entities
that must comply
[[Page 43973]]
with the Reliability Standard: reliability coordinators, balancing
authorities, interchange authorities, transmission service providers,
transmission owners, transmission operators, generator owners,
generator operators, load serving entities, NERC, and Regional
Reliability Organizations.
22. The CIP Assessment raised two issues regarding applicability of
the CIP Reliability Standards. First, it stated that, although it is
likely that NERC and the Regional Entities \15\ are not directly
subject to mandatory Reliability Standards, their compliance with the
CIP Reliability Standards is important to the extent that they have
cyber communications with users, owners or operators of the Bulk-Power
System.\16\ The CIP Assessment suggested that NERC and Regional Entity
compliance could be required pursuant to NERC's Rules of Procedure.
Some commenters pointed out that NERC out-sources critical application
systems that are relied upon by many responsible entities, such as the
Interchange Distribution Calculator, and suggest that the out-source
provider should be contractually compelled to comply with the CIP
Reliability Standards, with NERC ultimately responsible for non-
compliance.\17\
---------------------------------------------------------------------------
\15\ In Order No. 693, at P 157, the Commission directed NERC to
remove all references to the Regional Reliability Organization and
replace them with a reference to the Regional Entity where
appropriate. This directive should apply to the CIP Reliability
Standards as well.
\16\ See CIP Assessment at 12-14.
\17\ E.g., ISO-NE, ISO/RTO Council, and SPP.
---------------------------------------------------------------------------
23. Second, the CIP Assessment raised concerns about the
appropriateness of a size threshold, below which small entities would
be exempt from compliance. It explained that, while the assets and
operations of a smaller entity may not have a major day-to-day
operational impact on the Bulk-Power System, such an entity can provide
a cyber gateway to compromise larger users, owners, or operators of the
Bulk-Power System. When attacked simultaneously with the facilities of
other small entities, the aggregate result could have an adverse impact
on the reliability of the Bulk-Power System. Thus, the CIP Assessment
suggested that a key to any determination of whether an entity should
be subject to the CIP Reliability Standards is whether or not it is a
user, owner, or operator of the Bulk-Power System and whether it has a
cyber connection to other users, owners or operators of the Bulk-Power
System. The CIP Assessment concluded that the CIP Reliability Standards
should apply to all users, owners, or operators regardless of size,
because a relatively small entity could have critical importance from a
cyber security perspective.
24. A number of commenters stated that the focus should be on those
entities that own or operate critical assets, rather than being
addressed in terms of ``large'' or ``small'' size of entities.\18\
These commenters warn that a blanket waiver that uniformly exempts
small entities from compliance with certain provisions of the proposed
CIP Reliability Standards therefore would not be appropriate. NERC and
other commenters maintain that applicability should not be determined
based on cyber connections but, rather by identifying those users,
owners and operators of the Bulk-Power System that own or operate
critical assets and associated critical cyber assets. Another group of
commenters urge that the Commission not impose the same compliance
obligations on smaller entities as on larger entities when a violation
by the smaller entity would not have a critical impact on the Bulk-
Power System. They maintain that adverse impacts on the grid from small
entities would be an uncommon occurrence and urge a case-by-case
approach to granting waivers from compliance with the CIP Reliability
Standards.\19\
---------------------------------------------------------------------------
\18\ E.g., Allegheny, California PUC, EEI, Georgia System, ISO-
NE, MidAmerican, NERC, ReliabilityFirst, Northeast Utilities, NRECA,
Ontario IESO, Tampa Electric, and Xcel.
\19\ E.g., APPA/LPPC and Santa Clara.
---------------------------------------------------------------------------
Commission Proposal
25. With regard to the applicability of the CIP Reliability
Standards to the ERO, NERC has modified its Rules of Procedure to
provide that the ERO will comply with each Reliability Standard that
identifies the ERO as an applicable entity.\20\ Similarly, the
delegation agreements between NERC and each of the eight Regional
Entities expressly state that the Regional Entity is committed to
comply with approved Reliability Standards.\21\ The Commission believes
that this approach is sufficient and, accordingly, does not propose any
additional measures or revisions on this issue.
---------------------------------------------------------------------------
\20\ See NERC Rules of Procedure, section 100.
\21\ See North American Electric Reliability Corp., 119 FERC ]
61,060 at P 4-5 (2007) (approving the delegation agreements and
directing certain modifications).
---------------------------------------------------------------------------
26. The Commission's determinations in Order No. 693 are relevant
to deciding the applicability of the CIP Reliability Standards to small
entities. In Order No. 693, the Commission approved NERC's compliance
registry process as a reasonable means ``to ensure that the proper
entities are registered and that each knows which Commission-approved
Reliability Standard(s) are applicable to it.'' \22\ Further, the
Commission approved NERC registry criteria that identify specific
categories of users, owners and operators of the Bulk-Power System and
criteria for registering entities within each of the categories.\23\
---------------------------------------------------------------------------
\22\ Order No. 693 at P 92, quoting ERO Certification Order, 116
FERC ] 61,062 at P 689.
\23\ Order No. 693 at P 93-95. NERC's Statement of Compliance
Registry Criteria (Revision 3), approved by the Commission in Order
No. 693, is available on NERC's Web site at: ftp://www.nerc.com/pub/sys/all_updl/ero/Statement_of_Compliance_
Registry--Criteria--
Rev3.pdf.
---------------------------------------------------------------------------
27. The Commission will also rely on the NERC registration process
to determine applicability with the CIP Reliability Standards. In other
words, an entity would be responsible to comply with the CIP
Reliability Standards if the entity is (1) registered by NERC under one
or more functional categories and (2) within a functional category for
which the entity is registered as identified in the Applicability
section of the CIP Reliability Standards. However, even though it is
the Commission's present intention to rely on the NERC registration
process to identify appropriate entities, we remain concerned about the
possibility of entities not identified by the registration process
becoming a weakness in the security of the Bulk-Power System. In this
regard, we note that, in Order No. 693, the Commission explained that,
``if there is an entity that is not registered and NERC later discovers
that the entity should have been subject to the Reliability Standards,
NERC has the ability to add the entity, and possibly other entities of
a similar class, to the registration list * * *.'' \24\ In addition, in
Order No. 693, the Commission indicated that it would further examine
applicability issues under section 215 of the FPA in a future
proceeding, and notes the same intention here.\25\
---------------------------------------------------------------------------
\24\ Order No. 693 at P 97.
\25\ Id. at P 77.
---------------------------------------------------------------------------
28. Regarding our concern about small entities becoming a gateway
for cyber attacks, some commenters argue that the Commission should not
focus on cyber connections to determine applicability of the CIP
Reliability Standards. Others state that it would be uncommon for a
small entity to cause an adverse impact upon the grid. The Commission's
reliance upon the NERC registration process to determine the
applicability of the CIP Reliability Standards is in part based upon
our expectation that industry will use the ``mutual distrust'' posture
discussed below regarding CIP-
[[Page 43974]]
003-1. The term ``mutual distrust'' is used to denote how these
``outside world'' systems are treated by those inside the control
system. A mutual distrust posture requires each responsible entity that
has identified critical cyber assets to protect itself and not trust
any communication crossing an electronic security perimeter, regardless
of where that communication originates.
29. Similarly, the Commission is relying on the NERC registration
process to include all critical assets and associated critical cyber
assets. For example, if assets are important to the reliability of the
Bulk-Power System, such as black start units, we would expect that the
NERC registration process would identify the owners or operators of
those units as critical, and require them to register, even though the
facilities may be ``smaller'' or at low voltages. Demand side
aggregators might also need to be included in the NERC registration
process if their load shedding capacity would affect the reliability or
operability of the Bulk-Power System.
30. As discussed later, as an initial compliance step, each entity
that is responsible for compliance with the CIP Reliability Standards
must identify critical assets through the application of a risk-based
assessment as required by CIP-002-1. Whether that entity must comply
with the remainder of the requirements in the CIP Reliability Standards
would depend on the outcome of that assessment and the subsequent
identification of critical cyber assets, also required by CIP-002-1.
Thus, CIP-002-1 acts as a filter, determining which entities must
comply with the remaining CIP requirements (i.e., CIP-003-1 through
CIP-009-1).
31. The Commission agrees with the commenters that access to
information essential to the operation of critical cyber assets by out-
sourced entities that are not otherwise subject to the CIP Reliability
Standards presents a potential vulnerability to the Bulk-Power System.
We understand that, on occasion, NERC negotiates contracts with such
third party vendors, and the products developed by the vendors are then
used by responsible entities that, as owners of the critical cyber
assets, are ultimately responsible for their cyber security protection
under the CIP Reliability Standards. The Commission invites comment on
whether and how such out-sourced entities should be contractually
obligated to comply with the CIP Reliability Standards while satisfying
their other contractual obligations.
3. Compliance Measured by Outcome
a. Performance-Based Standards
32. The CIP Assessment expressed concern that the lack of
specificity within the proposed CIP Reliability Standards could result
in inadequate implementation efforts and inconsistent results.\26\
NERC, along with a number of other commenters, states that the CIP
Reliability Standards are not prescriptive, positing that the level of
specificity they embody is appropriate. NERC explains that the use of a
performance-based structure frames the CIP Reliability Standards in
terms of required results or outcomes with criteria for verifying
compliance, but without prescribing the methods for achieving the
required results. In other words, the specific means to achieve that
outcome are left to the discretion of the responsible entity. Such an
approach contrasts with a prescribed or design-based standard. NERC
concludes that, when taken together, the proposed Reliability Standards
constitute a comprehensive set of cyber security activities, stating
that it is more important that a pre-defined, desirable outcome is
achieved than prescribing the means to that end.
---------------------------------------------------------------------------
\26\ CIP Assessment at 3.
---------------------------------------------------------------------------
33. The Commission generally agrees that use of performance-based
standards is a part of the design of cyber security safeguards for the
Bulk-Power System's critical assets. However, as we indicated in Order
No. 672, performance-based standards may not always be appropriate, for
example, in situations where ``the `how' may be inextricably linked to
the Reliability Standard and may need to be specified to ensure the
enforceability of the standard.'' \27\ Accordingly, where necessary,
the Commission proposes to direct NERC to modify the CIP Reliability
Standards to address the ``how.'' Moreover, the Commission is concerned
that, while NERC explains that the CIP Reliability Standards are
performance-based, the CIP Reliability Standards do not provide a
mechanism to measure performance or otherwise determine whether a
responsible entity has met the goals of a particular requirement set
forth in the standards.
---------------------------------------------------------------------------
\27\ Order No. 672 at P 260. The Commission also explained that,
for some Reliability Standards, ``leaving out implementation
features could [inter alia] sacrifice necessary uniformity in
implementation * * *''.
---------------------------------------------------------------------------
34. The Commission believes that monitoring the performance of
responsible entities identified in the CIP Reliability Standards
involves three strategies. First, it is important that there be both
internal and external oversight of the responsible entity's activities.
While the proposed Reliability Standards embody internal management
oversight strategies, there should also be oversight that embodies a
wide-area view. Second, when flexibility is exercised in a way that
excepts an entity from a Requirement, such action should be monitored,
documented, and periodically revisited to determine consistency and
effectiveness of the implementation. Third, reporting certain wide-area
information and analysis to the Commission is vital to its role in
ensuring that approved CIP Reliability Standards achieve on an ongoing
basis an adequate level of cyber security protection to the Bulk-Power
System. These three strategies are applied in our discussion below of
various provisions of the CIP Reliability Standards.
b. Adequacy of Outcomes
35. The CIP Assessment explained that many of the Requirements in
the proposed CIP Reliability Standards consist of broad directives, and
that the Measures and Compliance provisions focus largely on proper
documentation. The Reliability Standards themselves do not explain the
interplay between the Requirements, on one hand, and the Measures and
Levels of Non-Compliance, on the other.
36. The CIP Assessment expressed the view that the focus of the
Measures and Compliance provisions on documentation could be
interpreted to suggest that possession of documentation can demonstrate
compliance, regardless of the quality of its contents. It suggested
that compliance with the CIP Reliability Standards must be understood
in terms of compliance with the Requirements, which, according to NERC,
define what an entity must do to be compliant and establishes an
enforceable obligation.
Comments
37. NERC and others do not share the CIP Assessment concern
regarding the focus on documentation.\28\ NERC and ReliabilityFirst
acknowledge the extensive use of documentation throughout the CIP
Reliability Standards, but note that the majority of this documentation
is used to demonstrate that the Requirements have been met. NERC
indicates that, while the ``mere possession of documentation'' does not
guarantee compliance, appropriate documentation is essential to
demonstrate that steps to comply with the Requirements have been taken
and will streamline after-the-
[[Page 43975]]
fact compliance audits. Similarly, EEI believes that the quality of the
documentation is an important factor for assessing compliance and
should be the subject of an audit. FirstEnergy and Santa Clara state
that it would be helpful for NERC to provide guidance on what
constitutes reasonable documentation.
---------------------------------------------------------------------------
\28\ E.g., ReliabilityFirst, APPA/LPPC, and SPP.
---------------------------------------------------------------------------
38. Others raise concerns regarding the emphasis on documentation.
For example, Duke Energy agrees with the CIP Assessment that the CIP
Reliability Standards rely heavily on documentation to verify
compliance. Duke Energy believes that the accumulation of documentation
to facilitate audits may prove to be less than optimum for the CIP
Reliability Standards and suggests that efforts to improve the CIP
Requirements should gradually focus less on documentation, and more on
the actual level of cyber security to be implemented by the responsible
entity. ISA Group states that the CIP Reliability Standards do not
specify clear Requirements and do not provide sufficient guidance. ISA
Group believes that the clarity and detail of the Levels of Non-
Compliance in terms of documentation give the impression that the
documentation is the focus of the CIP Reliability Standards.
Commission Proposal
39. The Commission agrees with NERC that, while documentation is
necessary, the documentation by itself does not satisfy the
Requirements of a Reliability Standard. Rather, implementation of the
substance of the Requirements is most important in determining
compliance. As we explained in Order No. 693, ``while Measures and
Levels of Non-Compliance provide useful guidance to the industry,
compliance will in all cases be measured by determining whether a party
met or failed to meet the Requirement given the specific facts and
circumstances of its use, ownership or operation of the Bulk-Power
System.'' \29\ Moreover, the Commission recognized that:
---------------------------------------------------------------------------
\29\ Order No. 693 at P 253.
The most critical element of a Reliability Standard is the
Requirements. As NERC explains, ``the Requirements within a standard
define what an entity must do to be compliant * * * [and] binds an
entity to certain obligations of performance under section 215 of
the FPA.'' If properly drafted, a Reliability Standard may be
enforced in the absence of specified Measures or Levels of Non-
Compliance.\30\
---------------------------------------------------------------------------
\30\ Id., quoting NOPR at P 105 (footnote omitted).
40. To reiterate, while documentation set forth in the Measures and
Levels of Non-Compliance plays an important role in assuring that a
responsible entity is able to demonstrate to an auditor or others that
it has complied with the substantive Requirement of a Reliability
Standard, adequate documentation does not substitute for substantive
compliance with the obligations and responsibilities set forth in the
Requirement.
41. Related, certain Requirements of the CIP Reliability Standards
obligate a responsible entity to develop and maintain a plan, policy or
procedure. However, such Requirements do not always explicitly require
implementation of the plan, policy or procedure.\31\ The Commission
interprets such provisions to include an implicit requirement to
implement the plan, policy or procedure; and to make a responsible
entity subject to a non-compliance action for failing to implement the
policy. Such an interpretation is reasonable to prevent the scenario in
which the ERO, Regional Entity or the Commission could assess a penalty
against a responsible entity for failure to develop a plan, policy or
procedure that satisfies the Requirements of the Reliability Standard,
but unable to assess a penalty against a responsible entity that has
developed an adequate plan but fails to implement it. Further, the
Commission proposes that the ERO, in developing modifications to the
CIP Reliability Standards, include explicitly in such Requirements that
a responsible entity must implement a plan, policy or procedure that it
is required to develop.
---------------------------------------------------------------------------
\31\ See, e.g., CIP-006-1, Requirement R1 (requiring a
responsible entity to ``create and maintain a `physical security
plan'' '); cf. CIP-003-1, Requirement R1 (requiring a responsible
entity to ``document and implement a cyber security policy'').
---------------------------------------------------------------------------
4. Implementation Plan
42. Unlike the Reliability Standards approved in Order No. 693,
which NERC formulated based on existing voluntary standards, the CIP
Reliability Standards are new and require applicable entities in many
cases to develop new cyber security systems and procedures, which will
take time to develop and implement. To address this task, NERC
developed an implementation plan that includes a proposed four-stage
schedule for implementing the proposed CIP Reliability Standards over a
three-year period.\32\
---------------------------------------------------------------------------
\32\ NERC August 28, 2006 Filing, Exhibit B ``Implementation
Plan for Cyber Security Standards'' (Implementation Plan).
---------------------------------------------------------------------------
43. The Implementation Plan sets out a proposed schedule for
accomplishing the various tasks associated with compliance with the CIP
Reliability Standards. The schedule gives a timeline by calendar
quarters for completing various tasks and prescribes milestones for
when a responsible entity must: (1) ``Begin work;'' (2) ``be
substantially compliant'' with a requirement; (3) ``be compliant'' with
a requirement; and (4) ``be auditably compliant'' with a requirement.
44. According to the implementation plan, ``auditably compliant''
must be achieved in 2009 for certain Requirements by certain
responsible entities, and in 2010 for the remainder.
CIP Assessment
45. The CIP Assessment suggested that it may be possible to assess
a responsible entity's level of compliance prior to the time when it
achieves its ``auditably compliant'' status. It noted that, if a
responsible entity is in the ``begin work'' phase, it has: (1)
Developed and approved a plan to address the Requirements of a
Reliability Standard; (2) identified and planned for necessary
resources; and (3) begun implementing the Requirements. These are
specific steps that an audit can examine. The CIP Assessment observed
that the difference between the ``compliant'' and ``auditably
compliant'' status for many of the Requirements is the accumulation of
12 months of compliance records. It sought comment on whether it would
be beneficial to audit a responsible entity at the ``begin work'' and
``compliant'' stages, even though the responsible entity may not have
the full 12 month accumulation of compliance records.
Comments
46. A number of commenters agree that some type of assessment,
although not necessarily in the form of an audit, is both possible and
potentially beneficial prior to the time an entity achieves ``auditably
compliant'' status.\33\ NERC agrees that there is a benefit to ensuring
that responsible entities are moving timely toward ``auditably
compliant'' status. While NERC believes that audits at an interim stage
are not possible, it states that it plans to monitor progress through
self-certification without assessing penalties. Other commenters oppose
interim audits, stating that they could interfere with implementation
plans and lead to penalties for non-compliance.\34\
---------------------------------------------------------------------------
\33\ E.g., Santa Clara, SPP, APPA/LPPC, NERC, Allegheny, Georgia
Operators, ISO RTO Council, MidAmerican, SoCal Edison, and NRECA.
\34\ E.g., ATC, EEI, National Grid, Tampa Electric, and
FirstEnergy.
---------------------------------------------------------------------------
[[Page 43976]]
Commission Proposal
47. The Commission proposes to approve NERC's Implementation Plan,
including the proposed timelines for achieving compliance. NERC
indicates that the proposed timelines were developed with input from
all sectors of the electric industry. Further, while some responsible
entities have already installed the necessary equipment and software to
address cyber security, the Commission recognizes that many responsible
entities must purchase and install new equipment and software to
achieve compliance. Based on these considerations, the Commission
believes that the timetable proposed by NERC sets reasonable deadlines
for industry compliance.
48. However, the Commission is concerned whether the industry will
be fully prepared for compliance upon reaching the implementation
deadline and will take reasonable action to protect the Bulk-Power
System during this interim period. The Commission believes that NERC's
plans to require self-certification during the interim period are
helpful. NERC, however, does not indicate the interval for self-
certification. We believe that an annual certification would not allow
adequate monitoring of progress and propose to direct that the ERO
develop a self-certification process with more frequent certifications,
either tied to target dates in the schedule or perhaps quarterly or
semi-annual certifications. While we agree with NERC that an entity
should not be subject to a monetary penalty if it is unable to certify
that it is on schedule, such an entity should explain to the ERO the
reason it is unable to self-certify. The ERO and the Regional Entities
should then work with such an entity either informally or, if
appropriate, by requiring a remedial plan to assist such an entity in
achieving full compliance in a timely manner. Further, the ERO and the
Regional Entities should provide informational guidance, upon request,
to assist a responsible entity in assessing its progress in reaching
``auditably compliant'' status.
49. To further address our concerns about the period prior to when
responsible entities achieve full compliance with the CIP Reliability
Standards, the Commission also proposes to direct the ERO to add a
cyber security assessment to NERC's existing readiness reviews. In this
readiness assessment process, the ERO should assist in the
identification of best practices and deficiencies of the reviewed
entities, both to help them prepare for implementation of the CIP
Reliability Standards and to assess the status of their compliance
efforts. The readiness reviews will also help the Commission to
evaluate the potential effectiveness of the cyber security Reliability
Standards before they are implemented by disclosing the progress made
by reviewed entities in their CIP Reliability Standards implementation
efforts.
5. Issues Presented by Terminology
a. Business Judgment
NERC Proposal
50. Each of the proposed CIP Reliability Standards incorporates the
concept of ``reasonable business judgment'' as a guide for determining
what constitutes appropriate compliance with those Reliability
Standards. The Purpose statement of Reliability Standard CIP-002-1
provides that:
These standards recognize the differing roles of each entity in
the operation of the Bulk Electric System, the criticality and
vulnerability of the assets needed to manage Bulk Electric System
reliability, and the risks to which they are exposed. Responsible
entities should interpret and apply Standards CIP-002 through CIP-
009 using reasonable business judgment.
Each of the subsequent CIP Reliability Standards includes a
statement that ``Responsible Entities should interpret and apply the
Reliability Standard using reasonable business judgment.''
51. NERC's Glossary of Terms Used in Reliability Standards (NERC
glossary) does not define the term ``reasonable business judgment,''
and the CIP Reliability Standards do not otherwise suggest how the term
is to be interpreted. NERC's Frequently Asked Questions (FAQ) document
that accompanies the CIP Reliability Standards provides the only
available guidance on the issue.\35\ It states that the phrase is meant
``to reflect--and to inform--any regulatory body or ultimate judicial
arbiter of disputes regarding interpretation of these Standards--that
responsible entities have a significant degree of flexibility in
implementing these Standards.'' The FAQ document notes that there is a
long history of judicial interpretation of the business judgment rule
and suggests that this history is relevant to the use of this rule in
the context of the CIP Reliability Standards. The document goes on to
say:
---------------------------------------------------------------------------
\35\ NERC included the FAQ document in its August 28, 2006
filing. The FAQ document is also available at ftp://www.nerc.com/pub/sys/all_updl/standards/sar/Revised_CIP-002-009_FAQs_06Mar06.pdf
.
Courts generally hold that the phrase indicates reviewing
tribunals should not substitute their own judgment for that of the
entity under review other than in extreme circumstances. A common
formulation indicates the business judgment of an entity--even if
incorrect in hindsight--should not be overturned as long as it was
made (1) in good faith (not an abuse or indiscretion), (2) without
improper favor or bias, (3) using reasonably complete (if imperfect)
information as available at the time of the decision, (4) based on a
rational belief that the decision is in the entity's business
interest. This principle, however, does not protect an entity from
---------------------------------------------------------------------------
simply failing to make a decision.
CIP Assessment
52. The CIP Assessment acknowledged the importance of flexibility
and discretion in implementing cyber security strategies. However, it
expressed skepticism about the appropriateness of the business judgment
rule in this context, given the unusually broad discretion it permits.
The CIP Assessment thus expressed concern that such an approach to
flexibility and discretion would unduly compromise the effectiveness of
the CIP Reliability Standards and the ability to enforce compliance
with them.
53. The CIP Assessment sought comment on: (1) Specific examples of
the differing roles of entities in relationship to their potential
impact on cyber security risks to Bulk-Power System reliability; (2)
alternatives to reliance on the reasonable business judgment rule that
would allow for recognition of differing roles of entities,
vulnerability of assets, and exposure to risk but also permit effective
enforcement of the CIP Reliability Standards; and (3) the ramifications
of removing the ``reasonable business judgment'' language from the
proposed CIP Reliability Standards while an alternative approach is
developed using the ERO's Reliability Standards development process.
Comments
54. A number of commenters stress the importance of flexibility and
discretion in implementing the CIP Reliability Standards, but agree
that it would not be reasonable to give the term ``business judgment''
the meaning it has in the context of corporate fiduciary
responsibility.\36\ Other commenters state that the use of reasonable
business judgment was not meant to allow entities to evade application
of the CIP Reliability Standards, but they acknowledge that legal
precedent
[[Page 43977]]
suggests that inclusion of the term could increase the potential for
disputes.\37\ These commenters support the use of alternative terms to
acknowledge the need for flexibility and discretion, such as
``reasonableness,'' ``good utility practice,'' or ``good engineering
practices.''
---------------------------------------------------------------------------
\36\ E.g., California PUC, APPA/LPPC, EPSA, and Progress Energy.
\37\ E.g., Duke, Progress Energy, Xcel, and National Grid.
---------------------------------------------------------------------------
55. Other commenters argue that the ``reasonable business
judgment'' language is essential to provide balance in the
implementation of the CIP Reliability Standards and should not be
removed. Some indicate that use of the term was intended to allow
consideration of cost or business implications of an action.\38\ For
instance, NERC states that, if business considerations are left out of
account, the CIP Reliability Standards would describe an impossibly
high level of technical content, and the cost of implementing such a
solution would approach an infinite amount of time, money, and
resources. Commenters also state that use of reasonable business
judgment allows every entity the flexibility to make the best choice
for its unique situation.\39\ Finally, some commenters believe that the
term reasonable business judgment will ensure that the CIP Reliability
Standards are enforceable by permitting development of a record of
industry practices over time that provides a body of reasonable,
industry cyber security practices.\40\
---------------------------------------------------------------------------
\38\ E.g., NERC, Southern, and PG&E.
\39\ E.g., NERC, NU, PJM, Santa Clara, and Cleveland Public
Power.
\40\ E.g., IRC and Tampa Electric.
---------------------------------------------------------------------------
56. Some commenters argue that use of the term ``reasonable
business judgment'' was not intended to trigger the exculpatory
``business judgment rule'' as used in connection with the actions of
corporate directors.\41\ They contend the term was intended as a
``reasonableness'' standard that was meant to add a defined and
objective measure for assessing an entity's actions in implementing the
CIP Reliability Standards based on the entity's particular system and
assets. EEI argues that while the NERC FAQ accurately describes
traditional use of the reasonable business judgment rule in the context
of corporate law, it does not articulate how this language is being
used in the context of cyber security standards. EEI also states that
it is unlikely that the FAQ document would control interpretation of
the CIP Reliability Standards.
---------------------------------------------------------------------------
\41\ E.g., Arizona Public Service, EEI, Progress Energy, SoCal,
TEC, Duke, ReliabilityFirst and National Grid.
---------------------------------------------------------------------------
57. Finally, some commenters acknowledge that the traditional
corporate business judgment rule does grant officers and directors
broad discretion, but also contains elements that temper this
discretion.\42\ To receive the benefit of the rule, a business decision
must be made on an informed basis, in good faith and in honest belief
that the action taken was in the best interests of the company. In
addition, the person making the decision must act with the care that an
ordinarily prudent person would reasonably be expected to exercise in a
like position with similar circumstances. The commenters argue that
these requirements permit the term reasonable business judgment to be
adapted to the cyber security context.
---------------------------------------------------------------------------
\42\ E.g., EEI and Progress Energy.
---------------------------------------------------------------------------
Commission Proposal
58. For the reasons discussed below, the Commission proposes to
direct the ERO to modify the CIP Reliability Standards to remove
references to the ``reasonable business judgment'' language before
compliance audits start in 2009.
59. The Commission agrees with commenters that flexibility and
discretion are essential in implementing the CIP Reliability Standards
and that implementing those Reliability Standards must be done on the
basis of the specific facts and circumstances applicable in the
individual case at hand. Cyber security problems do not lend themselves
to one-size-fits-all solutions. In addition, the Commission
acknowledges that cost can be a valid consideration in implementing the
CIP Reliability Standards. However, the Commission believes that the
traditional concept of reasonable business judgment is ill suited to
the task of implementing an appropriate program of cyber security
pursuant to FPA section 215. The concept of reasonable business
judgment addresses the issue of whether a decision-making process
conforms to certain standards. It was developed specifically to address
the issue of how courts should approach business decisions made by a
company's officers or directors, and the answer it provides is based on
certain assumptions about how our economic system operates and who is
most likely to have the knowledge and expertise needed to make
appropriate business decisions. However, the concept of reasonable
business judgment takes on a very different meaning when removed from
its original context and applied to a different factual situation where
very different assumptions apply. As explained below, when transferred
to the realm of cyber security or Bulk-Power System reliability
generally, recourse to reasonable business judgment is inconsistent
with the purpose of FPA section 215.
60. Cyber standards are essential to protecting the Bulk-Power
System against attacks by terrorists and others seeking to damage the
grid. Because of the interconnected nature of the grid, an attack on
one system can affect the entire grid. It is therefore unreasonable to
allow each user, owner or operator to determine compliance with the CIP
Reliability Standards based on its own ``business interests.'' Business
convenience cannot excuse compliance with mandatory Reliability
Standards.
61. While some commenters argue that references to reasonable
business judgment in the CIP Reliability Standards were not intended to
trigger the traditional corporate business judgment rule, the FAQ
document can be read to suggest the contrary. In fact, the FAQ document
states explicitly that ``reasonable business judgment'' means what the
courts have said it means in the corporate context. It states that the
phrase has an almost 200 year history in the common law nations and
notes that ``[c]ourts generally hold that the phrase indicates
reviewing tribunals should not substitute their own judgment for that
of the entity under review other than in extreme circumstances.'' The
FAQ document then goes on to list the elements of reasonable business
judgment as the courts generally define it. The FAQ document nowhere
states or suggests that the meaning and significance of reasonable
business judgment is subject to some modification or qualification in
the context of implementing and complying with the CIP Reliability
Standards.
62. Moreover, as the FAQ document makes clear, compliance turns on
whether a decision was ``based on a rational belief that the decision
is in the entity's business interest.'' That test is fundamentally
incompatible with Congress' decision to adopt a regime of mandatory
Reliability Standards. As we stated above, the vulnerability of one
entity can pose risks to the entire grid. We therefore cannot allow
each user, owner or operator to determine compliance based on its own
parochial business interests. The purpose of section 215 is to protect
the national interest in grid reliability.
63. The business judgment rule was adopted in a context that is
simply not appropriate for mandatory Reliability Standards. The
business judgment rule recognizes that officers and directors
[[Page 43978]]
must have wide latitude if a company is to be managed properly and
efficiently and that it is not in the interest of shareholders to
create incentives for officers and directors to be overly cautious.\43\
Courts have noted that shareholders voluntarily undertake the risk of
bad business judgments and investors who are adverse to such risk have
alternative investment opportunities available to them.\44\ In the
context of section 215, however, these principles do not apply. The
issue under section 215 is not whether the management of a business is
acting in the interest of its own shareholders, but rather whether an
entity is taking appropriate action to avert risks that could threaten
the entire grid.
---------------------------------------------------------------------------
\43\ Cramer v. General Telephone and Electronics Corp., 582 F.2d
259 (3d Cir. 1978); Joy v. North, 692 F.2d 880 (2d Cir. 1982).
\44\ Joy v. North, 692 F.2d 880 (2d Cir. 1982).
---------------------------------------------------------------------------
64. It is also notable that the business judgment rule is invoked,
in the corporate governance context, only in extreme circumstances.
Generally, to find an officer or director liable there must be evidence
establishing that he or she acted fraudulently, in bad faith, or with
gross or culpable negligence.\45\ Some cases refer to unconscionable
conduct, illegal or oppressive acts, willful abuse of discretionary
power or neglect of duty, and recklessness as situations that fall
outside reasonable business judgment.\46\ While the FAQ document does
not explain this point clearly, it does allude to it when it notes that
the ``[c]ourts generally hold that the phrase indicates reviewing
tribunals should not substitute their own judgment for that of the
entity under review other than in extreme circumstances.'' (Emphasis
supplied).
---------------------------------------------------------------------------
\45\ In Re Bal Harbour Club, Inc., 316 F.3d 1192 (11th Cir.
2003) (Bal Harbour); Froelich v. Senior Campus Living LLC, 355 F.3d
802 (4th Cir. 2004); Poth v. Rassey, 281 F. Supp. 2d (E.D. Va. 2003)
(Poth v. Rassey).
\46\ Bal Harbour; Poth v. Rassey; Gray v. Manhattan Medical
Center, Inc., (18 P.3d 291 (Kan. 2001); G & N Aircraft, Inc. v.
Boehm, 743 N.E.2d 227 (Ind. 2001).
---------------------------------------------------------------------------
65. These criteria are plainly inappropriate for mandatory CIP
Reliability Standards. For example, if an inadequate cyber plan caused
a grid-wide disturbance or blackout, a violation could be established
only in ``extreme circumstances'' where there was ``unconscionable
conduct'' or ``recklessness'' or, as discussed above, where the
entity's plan was not consistent with its ``own business interest.''
These highly deferential legal standards are not compatible with a
mandatory reliability regime under section 215 of the FPA. We therefore
propose to direct NERC to delete references to ``reasonable business
judgment'' from the CIP Reliability Standards.
66. We wish to stress, however, that, even though we propose to
delete the business judgment rule, we believe flexibility in the
application of the CIP Reliability Standards remains appropriate.
First, as discussed throughout this NOPR, the CIP Reliability Standards
contain specific provisions that explicitly permit various alternative
courses of action. More importantly, however, the CIP Reliability
Standards do not simply allow the exercise of flexibility and
discretion, they require it. Even with the various revisions and
additions that the Commission is proposing in this NOPR, the CIP
Reliability Standards constitute a relatively brief document, and the
Requirements it contains are largely performance based. These
Requirements for the most part are quite general and do not dictate
specific solutions to cyber-security problems. Responsible entities
therefore must interpret and apply them to their specific
circumstances. The CIP Assessment explained:
The task of balancing technical options comes into play as one
selects and combines the various available technologies into a
comprehensive architecture to protect the specific computer
environment. The key to success is possessing cyber security
standards that provide reliable direction on how to choose among
alternatives to achieve an adequate level of security.\47\
\47\ CIP Assessment at 8.
---------------------------------------------------------------------------
67. Based on our careful consideration of this issue as discussed
above, pursuant to section 215(d)(5) of the FPA and Sec. 39.5(f) of
our regulations, the Commission proposes to direct that the ERO modify
each of the proposed CIP Reliability Standards to remove references to
the ``reasonable business judgment'' language before compliance audits
start in 2009.
b. ``Technical Feasibility'' and ``Acceptance of Risk''
68. Two CIP Reliability Standards contain language that provides
exceptions from compliance with a Requirement. This language takes two
forms: one focuses on technical feasibility, and the other focuses on
acceptance of risk.
69. Some provisions require a responsible entity to take action
``where technically feasible.'' \48\ The NERC glossary does not define
the term ``technically feasible,'' and the Reliability Standards
themselves do not specify how an entity is to determine whether an
action is technically feasible. NERC's FAQ document provides the
following guidance on the meaning of the phrase ``where technically
feasible:''
\48\ The ``technically feasible'' phrase is found in CIP-005-1,
Requirements R2.4, R2.6, R3.1, R3.2 and CIP-007-1, Requirements R4,
R5.3, R6, R6.3. Additionally, CIP-007, Requirement R2.3 uses
``technical limitations'' to similar effect.
---------------------------------------------------------------------------
Technical feasibility refers only to engineering possibility and
is expected to be a ``can/cannot'' determination in every
circumstance. It is also intended to be determined in light of the
equipment and facilities already owned by the responsible entity.
The responsible entity is not required to replace any equipment in
order to achieve compliance with the Cyber Security Standards. When
existing equipment is replaced, however, the responsible entity is
expected to use reasonable business judgment to evaluate the need to
upgrade the equipment so that the new equipment can perform a
particular specified technical function in order to meet the
requirements of these standards.\49\
\49\ FAQ Document at 1.
---------------------------------------------------------------------------
Technical feasibility is here related to reasonable business
judgment, but only in a situation where equipment is being replaced.
Otherwise, the FAQ document treats technical feasibility in terms of
objective engineering judgments regarding what is possible with
existing equipment.
70. Some Requirements in the CIP Reliability Standards permit an
entity not to take the actions specified in the Requirement if they
``document compensating measures applied to mitigate risk exposure or
an acceptance of risk.'' \50\ The Reliability Standards do not provide
explicit guidance on the circumstances in which it is appropriate to
accept the risk of non-compliance.
---------------------------------------------------------------------------
\50\ See CIP-007-1, Requirements R2.3, R3.2, and R4.1.
---------------------------------------------------------------------------
CIP Assessment
71. In the discussion of specific Reliability Standards, the CIP
Assessment expressed concern about the need to reference technical
feasibility, either because the action in question appeared to be
clearly technically feasible or because of the extremely limited number
of situations in which technical feasibility could become an issue.\51\
---------------------------------------------------------------------------
\51\ See, e.g., CIP Assessment at 26-27, 32-33.
---------------------------------------------------------------------------
72. The CIP Assessment noted that acceptance of risk raised special
concern in a cyber environment. Where there are interconnected control
systems, an acceptance of a cyber risk by one entity would actually be
tantamount to an acceptance of risk on behalf of all entities connected
with it because the first entity can serve as a gateway to the others
as noted above. The entity that initially accepts the risk
[[Page 43979]]
becomes a ``weak link'' in the chain. The CIP Assessment noted that
there is no provision in the proposed CIP Reliability Standards for
oversight or consideration of the broader impacts of risk acceptance in
individual cases. It sought comment on the appropriateness of risk
acceptance and suggested that, if this concept is appropriate, clear
guidance is needed to explain the limited circumstances in which it is
appropriate.
Comments
73. NERC states that the term ``technical feasibility'' is intended
to be very limited in scope. It defines the term as the physical
ability of in-place equipment or software to conform directly to some
Requirement in the Reliability Standards or the ability of in-place
equipment or software to perform its required function if modified in a
way that would most directly conform to some Requirement. The term is
used to prevent penalizing responsible entities unnecessarily in
situations where they cannot change immediately or prudently to comply
with a Requirement. NERC states that where the concept of technical
feasibility applies, the responsible entity should document the
technical issue and its mitigation plans or strategies.
74. Many commenters \52\ emphasize that the phrase ``where
technically feasible'' is intended to permit flexibility, to permit the
application of the Reliability Standards to a wide variety of
situations, and to allow compliance with the Reliability Standards to
evolve over time as technologies change. Some commenters note that in
many cases it is not feasible to enhance equipment without replacing
it. In some cases, off-the-shelf solutions are not available for
various parts of the system.
---------------------------------------------------------------------------
\52\ E.g., National Grid; ISO/RTO Council; PJM, Ontario IESO,
SPP, and ISO-NE.
---------------------------------------------------------------------------
75. ISA Group states that the phrase ``where technically feasible''
could be eliminated entirely from the CIP Reliability Standards and
replaced with an exception mechanism that requires a decision to invoke
technical feasibility to be explicit and reviewable. The exception
mechanism should require that there be alternative mitigation that
provides the level of security that would otherwise have been achieved.
California PUC argues that the phrase ``technically feasible'' should
be removed unless there is a serious question about the actual
feasibility of a requirement being imposed.
76. Most commenters support the ``acceptance of risk'' terminology
with certain qualifications. NERC states that the concept of risk
acceptance recognizes that flexibility and judgment are required to
make prudent decisions, but does not allow an entity to do nothing. It
also contends that acceptance of risk is a fundamental tenet of an
audit process, which recognizes that not all systems or implementations
can be perfect. Other commenters state that acceptance of risk is
needed to allow for flexibility and that it can be workable if
decisions to accept risk are documented, compensating or mitigating
action is taken, and decisions to accept risk are transparent and
subject to review and oversight.\53\ Some commenters state that any
invocation of the risk acceptance provision should be subject to a
sunset date or plan to achieve compliance.\54\ In contrast, Wisconsin
Electric states that acceptance of risk could seriously endanger
reliability and supports removal of the option to accept risk.
---------------------------------------------------------------------------
\53\ E.g., Allegheny, MidAmerican and National Grid.
\54\ E.g., MidAmerican and Allegheny.
---------------------------------------------------------------------------
Commission Proposal
77. For the reasons discussed below, pursuant to section 215(d)(5)
of the FPA and Sec. 39.5(f) of our regulations, the Commission
proposes to direct that the ERO: (1) interpret the term ``technical
feasibility'' narrowly as applying to the technical characteristics of
existing assets and having no relation to the considerations of
business judgment discussed above; (2) treat instances where technical
feasibility is invoked as exceptions that require certain alternative
courses of action; (3) eliminate the ``acceptance of risk'' option from
the CIP Reliability Standards; and (4) develop an annual report that
quantifies, on a wide-area basis, the frequency with which responsible
entities invoke ``technical feasibility'' or other provisions that
produce the same outcome. The reason the Commission believes these
proposed safeguards are necessary, as well as additional details
regarding these proposals, are provided below.
Technical Feasibility
78. The Commission acknowledges that, in the near term, exceptions
from compliance based on the concept of ``technical feasibility'' may
be appropriate in a limited set of circumstances.\55\ However,
responsible entities should not be permitted to invoke technical
feasibility on the basis of ``reasonable business judgment,'' as NERC's
FAQ suggests. We have already discussed the concerns that reasonable
business judgment can create for effective cyber security. Nor should a
responsible entity be able to except itself unilaterally from a
Requirement of a mandatory Reliability Standard with no oversight.
Unless invocation of the technical feasibility exception is carefully
circumscribed, substantial opportunity for abuse, difficulty in
enforcement and the continued allowance of unacceptable reliability
risks could result.
---------------------------------------------------------------------------
\55\ For example, it is understandable that some older
``legacy'' systems are not capable of utilizing certain cyber
protection strategies needed to fully comply with the Requirements
of these CIP Reliability Standards. In such a case, the responsible
entity could be granted an exception upon the satisfactory submittal
of a mitigation plan leading to compliance, by a date certain.
---------------------------------------------------------------------------
79. Therefore, the Commission proposes to require the ERO to
establish a structure to require accountability from those who rely on
``technical feasibility'' as the basis for an exception. Such a
structure would require a responsible entity to: (1) Develop and
implement interim mitigation steps to address the vulnerabilities
associated with each exception; (2) develop and implement a remediation
plan to eliminate the exception, including interim milestones and a
reasonable completion date; and (3) obtain written approval of these
steps by the senior manager assigned with overall responsibility for
leading and managing the entity's implementation of, and adherence to,
the CIP Reliability Standards as provided in CIP-003-1, Requirement R2.
This proposed structure should include a review by senior management of
the expediency and effectiveness of the manner in which a responsible
entity has addressed each of these three proposed conditions. In
addition, the Commission proposes to require a responsible entity to
report and justify to the ERO and the Regional Entity for approval each
exception and its expected duration. In situations where any of the
proposed conditions are not satisfied, the ERO or the Regional Entity
would inform the responsible entity that its claim to an exception
based on technical feasibility is insufficient and therefore not
approved. Failure to timely rectify the deficiency would invalidate the
exception for compliance purposes.
80. The Commission believes that it is important that the ERO,
Regional Entities and the Commission understand the circumstances and
manner in which responsible entities invoke the technical feasibility
provision as well as other provisions that function as an exception to
the CIP Reliability Standards. The Commission,
[[Page 43980]]
therefore, proposes to direct the ERO to submit an annual report that
would include, at a minimum, the frequency of the use of such
provisions, the circumstances or justifications that prompt their use,
the interim mitigation measures used to address the vulnerabilities,
and the milestone schedule to eliminate them and to bring the entities
into compliance to eliminate future reliance on the exception. The
Commission expects that the report would not provide a level of detail
so as to contain critical energy infrastructure information, but would
include sufficient information such that it is clear that the
mitigation measures have addressed the interim vulnerabilities and the
milestone schedules will be sufficient to bring the entities into
compliance by a date certain in a timely manner. The report should
include aggregated information with sufficient detail for the
Commission to understand the frequency in which specific provisions are
being invoked as well as mitigation and remediation plans over time and
by region. Such information would allow the Commission to evaluate
whether to initiate the development of additional Reliability Standards
or require new Reliability Standards and/or modifications to existing
Reliability Standards.
81. The Commission also seeks comment on additional categories of
information that should be included in the content of this report that
would be useful for the Commission, as well as the ERO and Regional
Entities, in evaluating the invocation of technical feasibility and
similar provisions, and the impact on protection of critical assets.
82. The Commission proposes to direct the ERO to consider making
``technically feasible,'' and derivative forms of that phrase as used
in the CIP Reliability Standards, defined terms in NERC's glossary,
pursuant to the prior clarifications, without any reference to
reasonable business judgment.
Acceptance of Risk
83. The Commission has several concerns regarding the references to
``acceptance of risk'' that appear in the CIP Reliability Standards. As
proposed by NERC, there are no controls or limits on a responsible
entity's use of this exception. For example, a responsible entity may
invoke the ``acceptance of risk'' exception without any explanation,
mitigation efforts, evaluation of the potential ramifications of
accepting the risk, or other accountability. In essence, the phrase
``or an acceptance of risk'' allows a responsible Entity to opt out of
certain provisions of a mandatory Reliability Standard at its
discretion.
84. Further, there is no requirement that a responsible entity
communicate to a responsible authority information related to the
potential vulnerabilities created by a decision to accept risk and how
they could affect Bulk-Power System reliability. The resulting
uncertainty concerning who had invoked ``acceptance of risk'' and in
what connection would mean that neither the ERO, Regional Entities nor
others would know whether adequate cyber security precautions are in
place to protect critical assets. The possibility that appropriate
security measures for critical assets have not been implemented due to
acceptance of risk and that no corresponding compensating or mitigating
steps have been taken presents an undue and unacceptable risk to Bulk-
Power System reliability.
85. Moreover, the Commission believes the acceptance of risk
language does not serve any justifiable purpose. To the extent that an
entity would invoke this exception because compliance is not
technically feasible, it should rely on that exception, which with the
Commission's proposal would have specific safeguards and limitations.
To the extent that a responsible entity would invoke the acceptance of
risk language because its business preference is not to expend
resources on cyber vulnerability, we believe that is inappropriate for
all the reasons discussed previously. A responsible entity should not
be able to jeopardize critical assets of others, and create a
significant and unknown risk to Bulk-Power System reliability, simply
because it is willing to ``accept the risk'' that its own assets may be
compromised.
86. Accordingly, the Commission proposes to direct that the ERO
remove the ``acceptance of risk'' language from the CIP Reliability
Standards.
6. Guidance for Improving CIP Reliability Standards
87. Several commenters discussed the proposed CIP Reliability
Standards in relation to other standards that exist for governmental
and industrial cyber security. MITRE and NIST suggest that more
advanced cyber security standards have been developed that could
provide a model in future improvements to the CIP Reliability
Standards. In particular, they point to NIST Special Publication 800-53
Revision 1, Recommended Security Controls for Federal Information
Systems (SP 800-53). MITRE believes that the relevant NIST
publications, including Federal Information Processing Standards (FIPS)
199, FIPS 200, and SP 800-53, constitute a comprehensive and coherent
basis for cyber security in the electric power sector. NIST recommends
that the Commission consider a planned transition to cyber security
standards that are identical to, consistent with, or based on SP 800-53
and related NIST standards and guidelines.
Commission Proposal
88. The Commission declines to propose at this time that NERC
incorporate any provisions of the NIST standards into the CIP
Reliability Standards. However, the Commission expects NERC to monitor
the development and implementation of the NIST standards to determine
if they contain provisions that will better protect the Bulk-Power
System.\56\ Several federal entities, such as the Tennessee Valley
Authority and Western Area Power Administration, are subject to both
the NIST standards and the Reliability Standards, and therefore are
likely to have unique insights into the NIST standards. The Commission
expects the ERO to seek and consider comments from those federal
entities on the effectiveness of the NIST standards and on any
implementation issues. Any provisions that will better protect the
Bulk-Power System should be addressed in the ERO's Reliability
Standards development process. The Commission may revisit this issue in
future proceedings as part of an evaluation of existing Reliability
Standards or the need for new Reliability Standards, or as part of
assessing NERC's performance of its responsibilities as the ERO.\57\
---------------------------------------------------------------------------
\56\ The Commission is also aware that the Instrumentation,
Systems, and Automation Society (ISA) is developing cyber security
standards, referred to as ISA SP-99, and that other infrastructure
sectors are considering adopting the ISA standards for their control
systems.
\57\ See Order No. 672 at P 186-91.
---------------------------------------------------------------------------
B. Discussion of Each CIP Reliability Standard
1. CIP-002-1--Critical Cyber Asset Identification
89. Reliability Standard CIP-002-1 deals with the identification of
critical cyber assets. The NERC glossary defines ``cyber assets'' as
``programmable electronic devices and communication networks including
hardware, software, and data.'' It defines ``critical cyber assets'' as
``cyber assets essential to the reliable operation of critical
assets.'' NERC defines ``critical assets'' as ``facilities, systems,
and equipment which, if destroyed, degraded, or otherwise rendered
unavailable, would
[[Page 43981]]
affect the reliability or operability of the Bulk Electric System.''
\58\
---------------------------------------------------------------------------
\58\ ``The term `reliable operation' means operating the
elements of the bulk-power system within equipment and electric
system thermal, voltage, and stability limits so that instability,
uncontrolled separation, or cascading failures of such system will
not occur as a result of a sudden disturbance, including a
cybersecurity incident, or unanticipated failure of system
elements.'' EPAct 2005, section 215(a)(4).
---------------------------------------------------------------------------
90. As the first step in identifying critical cyber assets, CIP-
002-1 requires each responsible entity to develop a risk-based
assessment methodology to use in identifying its critical assets.
Requirement R1 specifies certain types of assets that an assessment
must consider for critical asset status and also allows the
consideration of additional assets that the responsible entity deems
appropriate. Requirement R2 requires the responsible entity to develop
a list of critical assets based on an annual application of the risk-
based assessment methodology. Requirement R3 provides that the
responsible entity must use the list of critical assets to develop a
list of associated critical cyber assets that are essential to the
operation of the critical assets. CIP-002-1 requires an annual re-
evaluation and approval by senior management of the lists of critical
assets and critical cyber assets.
91. The CIP Assessment emphasized that, while CIP-002-1 through
CIP-009-1 function as an integrated whole, CIP-002-1 is a key to the
success of the cyber security framework that these Reliability
Standards seek to create.\59\ The CIP Assessment also stressed that,
because CIP-002-1 addresses the assessment methodology and process for
identifying critical assets and critical cyber assets, it represents
the critical first step that can fundamentally affect the chances for
successful implementation of the remaining CIP Reliability Standards.
The methodology and process used by a responsible entity must be
stringent and rigorous. Otherwise, a responsible entity may fail to
identify some facilities that are critical to effective cyber
protection and, as a consequence, leave them vulnerable to an attack
that could threaten the reliability of the Bulk-Power System.
---------------------------------------------------------------------------
\59\ CIP Assessment at 16-17.
---------------------------------------------------------------------------
92. The Commission proposes to approve Reliability Standard CIP-
002-1 as mandatory and enforceable. In addition, the Commission
proposes to direct the ERO to develop modifications to this Reliability
Standard. In our discussion below, the Commission addresses its
concerns in the following topic areas regarding CIP-002-1: (1) The
proper risk-based assessment methodology for identifying critical
assets and associated critical cyber assets; (2) internal approval of
the risk assessment; (3) oversight of critical asset identification;
and (4) interdependency analysis.
a. Risk-Based Assessment Methodology
93. As mentioned above, CIP-002-1 requires each responsible entity
to develop a risk-based assessment methodology to identify critical
assets.
CIP Assessment
94. The CIP Assessment noted that, while CIP-002-1 requires use of
a risk-based assessment methodology, it does not provide direction on
the nature and scope of that methodology, its basic features or the
issues it should address. The CIP Assessment expressed concern that the
absence of such direction could result in the Requirement being
unevenly executed, which could result in inconsistency and
inefficiency. It stated that, due to this lack of direction, the
Reliability Standard does not provide a basis for evaluating whether
the risk-based assessment methodology adopted by a particular entity
will permit effective identification of all critical assets.
95. The CIP Assessment explained that proper risk-based assessment
methodology is essential to achieve sufficient scope and implementation
of critical infrastructure protection. Requirement R4 specifically
contemplates the circumstance that a ``Responsible Entity may determine
that it has no Critical Assets or Critical Cyber Assets,'' and
correspondingly requires that a signed and dated record of management
approval of the list of critical assets and critical cyber assets be
kept ``even if such lists are null.'' The CIP Assessment pointed out,
however, that a small entity whose operations may not have a major,
day-to-day operational impact on the Bulk-Power System can have
critical importance from a cyber security perspective, especially as a
gateway to larger entities or when attacked simultaneously with other
entities. The absence of adequate direction on what constitutes a
proper risk-based assessment methodology may potentially result in
entities improperly identifying a limited or ``null set'' of critical
assets and critical cyber assets. This result could have serious
adverse effects for Bulk-Power System reliability.
Comments
96. Commenters generally agree that CIP-002-1 plays a crucial role
because whether a responsible entity must comply with the substance of
the remaining CIP Reliability Standards depends on whether it
identifies critical cyber assets pursuant to CIP-002-1. Commenters also
agree that the risk assessment methodology is the key to a responsible
entity accurately identifying its critical assets and critical cyber
security assets.
97. While some commenters agree with the CIP Assessment that the
Requirement for the risk-based assessment methodology would benefit
from additional guidance or specificity, the majority disagree. Among
those who support the need for more specificity, Arizona Public Service
expresses concern that CIP-002-1, as proposed, may place a responsible
entity in the position of not having enough guidance on whether its
risk-based methodology will result in the identification of all
critical assets.
98. Ontario IESO agrees that the CIP Assessment's reasons for
concern are valid, which stem from the fact that many assessments will
be performed by entities not previously subject to compliance with NERC
Reliability Standards, and from the potential disagreement between
entities on what constitutes a critical asset. It also shares the
concern that some entities may avoid declaring critical assets to avoid
further compliance obligations with the CIP Reliability Standards.
Ontario IESO emphasizes that an essential feature of a good assessment
is the quality of the judgments that necessarily must be applied.
Rather than making modifications to provide more explicit direction,
Ontario IESO suggests that much of the concern associated with critical
asset identification could be addressed by modifying the Reliability
Standard to require that the responsible entity consult with its
reliability coordinator, and granting the reliability coordinator the
authority to make the final determination of critical assets within its
territory.
99. NERC and others oppose including additional specificity,
claiming that CIP-002-1 is specifically written to allow each
responsible entity the flexibility to implement it as it applies to the
specific circumstances within each organization, and at each location
containing critical cyber assets.\60\ These commenters are concerned
that a Commission directive to include additional guidance would
restrict the needed flexibility. For example, APPA argues that the
proposed provisions provide an adequate basis for evaluating the
methodology, stating that prescribing a national-level ``one size fits
all'' risk-based assessment methodology would
[[Page 43982]]
require a costly effort to comply, but would not result in measurable
cyber security improvements. APPA adds that every entity's risk-based
assessment will be subject to challenge by an audit team from time-to-
time, which will include review by peer technical experts who share the
goal of preventing any successful attack on critical assets. AMP-Ohio
suggests that it would be inappropriate to divide the Bulk Electric
System into a large number of small, discrete and in some cases rather
isolated pieces and then to assign responsibility to each of these
small pieces to determine what is or is not critical to the reliable
operation of the Bulk Electric System.
---------------------------------------------------------------------------
\60\ E.g., ReliabilityFirst, EEI, EPSA, and APPA.
---------------------------------------------------------------------------
Commission Proposal
100. Most commenters on the CIP Assessment acknowledge the
importance of CIP-002-1 in ensuring that an appropriate set of critical
assets is identified. However, many commenters oppose any modification
to CIP-002-1 to provide additional specificity regarding the risk
assessment methodology for identifying critical assets, based on
concerns that such specificity will impede the needed flexibility that
is currently provided by the Reliability Standard.
101. The Commission recognizes the commenters' concerns and is
mindful of the need for flexibility in the risk assessment process to
take into account the individual circumstances of a responsible entity.
Yet, the Commission is concerned that, without some additional
guidance, each responsible entity will have to devise its own
assessment methodology without sufficient assurance that the
methodology is adequate to identify the types of assets necessary to
protect the reliability of the Bulk-Power System. As explained by
Ontario IESO, many responsible entities performing the risk assessment
have not previously been subject to compliance with NERC's Reliability
Standards. Further, there is a potential for disagreement among
responsible entities regarding what constitutes a critical asset.
102. The Commission also is concerned that the risk assessment
methodologies required by CIP-002-1 must place the proper emphasis on
the possible consequences from an outage of a particular asset.
Generically, risk assessments include consideration of both consequence
(in this case, the effect of loss of availability of an asset on the
reliable operation of the Bulk-Power System) and threat (the likelihood
that an outage will occur, naturally or by malicious act). However, in
this context we believe that the consequence of an outage should be the
controlling factor. We note that the definition of ``critical assets''
is focused on the criticality of the assets, not the likelihood of an
outage.
103. Accordingly, the Commission proposes to direct NERC to develop
modifications to CIP-002-1 to provide some basic guidance on the
content or considerations to be applied in a risk assessment
methodology. We are not proposing that NERC develop specific details of
a methodology that must be applied in all circumstances. However, the
Commission believes that responsible entities would benefit from NERC
providing some common understanding regarding the scope, purpose and
basic direction of the risk assessment methodology. For example, the
Reliability Standard should indicate that a proper risk-based
assessment methodology to identify critical assets should examine (1)
the consequences of the loss of the asset to the Bulk-Power System and
(2) the consequence to the Bulk-Power System if an adversary gains
control of the asset for intentional misuse. Such guidance could also
address how a generation owner, or even a partial owner of generation,
without a wide-area reliability perspective, should approach a risk-
based assessment.
104. Further, we are concerned that relatively smaller registered
entities, such as some resources, load-serving entities, and demand
side aggregators, may have difficulty in determining whether a
particular asset is ``critical'' for Bulk-Power System reliability,
since, for example, the impact of their facilities may be dependent on
their connection with a transmission owner or operator. We believe that
such an entity may want to perform an accurate assessment but lack the
regional view to make a determination on its own. Thus, we propose that
the ERO and Regional Entities provide reasonable technical support to
such entities that would assist them in determining whether their
assets are critical to the Bulk-Power System.
105. Accordingly, pursuant to section 215(d)(5) of the FPA and
Sec. 39.5(f) of our regulations, the Commission proposes to direct
that the ERO develop modifications to CIP-002-1 through its Reliability
Standards development process to provide additional guidance as to the
features and functionality of an adequate risk-based assessment
methodology, as discussed above.
b. Internal Approval of Risk Assessment
106. Requirement R4 of CIP-002-1 requires that a senior manager
``or delegate(s)'' must approve annually the list of critical assets
and critical cyber assets. The CIP Assessment suggested that that this
senior management involvement should be extended to approving the risk-
based assessment methodology developed pursuant to Requirement R1.\61\
Several commenters disagree,\62\ stating that this approval is implied
by the requirement for senior management approval of the critical asset
list and the critical cyber asset list. Other commenters generally
believe that senior management approval of the risk-based assessment
methodology would be a benefit.\63\
---------------------------------------------------------------------------
\61\ CIP Assessment at 17-18.
\62\ NERC, ReliabilityFirst, and Santa Clara.
\63\ E.g., APPA/LPPC, FirstEnergy, National Grid, Progress
Energy, and Xcel.
---------------------------------------------------------------------------
Commission Proposal
107. The Commission believes that senior management approval of the
risk-based assessment methodology has clear benefits that exceed any
additional burden placed on the responsible entities, and the rigor
that the senior management approval would encourage is worth the
effort. As explained in the CIP Assessment, since a poor methodology
will likely result in an inadequate identification of critical assets
and critical cyber assets, senior management awareness and approval of
the chosen risk-based assessment methodology is of critical
importance.\64\ It is not clear to the Commission that, as some
commenters suggest, senior management approval of the risk-based
assessment methodology is implicit in the requirement that senior
management approve the critical asset list and critical cyber asset
list. Commenters did not object to the concept, but only believed that
it might be redundant. We believe this additional layer of oversight is
important and should be made explicit. The Commission also notes that
requiring this senior management approval helps to implement the
Blackout Report's Recommendation 43, which calls for establishing
``clear authority and ownership for physical and cyber security.'' \65\
---------------------------------------------------------------------------
\64\ CIP Assessment at 18.
\65\ See Blackout Report at 169, Recommendation 43.
---------------------------------------------------------------------------
108. Thus, pursuant to section 215(d)(5) of the FPA and Sec.
39.5(f) of our regulations, the Commission proposes to direct that the
ERO develop a modification to CIP-002-1 through its Reliability
Standards development process to include a requirement that a senior
manager annually review and approve the risk-based assessment
methodology.
[[Page 43983]]
c. Oversight of Critical Assets Identification
109. The CIP Assessment emphasized the underlying importance that
each responsible entity develop accurate lists of critical assets and
critical cyber assets. Several commenters note that responsible
entities currently lack a wide-area view that would enable them to
better assess the risks associated with certain assets.\66\ They
suggest that guidance or oversight from an external organization could
help ensure that responsible entities have properly identified critical
assets from a regional perspective. Cleveland Public Power suggests
that the Regional Entities should assume this role. Similarly, AMP-Ohio
recommends that the Regional Entities should be responsible for
identifying critical assets, with input from reliability coordinators
and transmission planners. EPSA indicates that independent system
operators (ISOs) and regional transmission organizations (RTOs) could
provide guidance to individual companies in assessing critical assets
and their vulnerability, in coordination with NERC and the Commission.
---------------------------------------------------------------------------
\66\ E.g., AMP-Ohio, EPSA, and Cleveland Public Power.
---------------------------------------------------------------------------
110. NERC, however, opposes regional oversight, stating that ``[i]t
is not the function of the standards to implement an oversight or
hierarchical organization for determining risks or vulnerabilities.''
\67\ NERC suggests that regional perspective is gained through
information sharing forums such as the Electricity Sector Information
Sharing and Analysis Center (ESISAC) \68\ and NERC's Critical
Infrastructure Protection Committee.
---------------------------------------------------------------------------
\67\ NERC Comments, Attachment 1 at 17 (in response to a CIP
Assessment suggestion regarding the need for regional perspective in
CIP-003-1).
\68\ The Electric Sector Information Sharing and Analysis Center
was created based on a recommendation of Presidential Decision
Directive 63, which defined specific infrastructures critical to the
national economy and public well-being. ESISAC serves the
Electricity Sector by facilitating communications between
electricity sector participants, governmental entities, and other
critical infrastructures. It is the job of the ESISAC to promptly
disseminate threat indications, analyses, and warnings, together
with interpretations, to assist electricity sector participants to
take protective actions. NERC is functioning as the operator of the
ESISAC.
---------------------------------------------------------------------------
Commission Proposal
111. The Commission disagrees with commenters that suggest that the
responsibility for identifying critical assets should be placed on the
Regional Entities or another organization instead of the categories of
applicable entities currently identified in CIP-002-1. Such an approach
would shift primary responsibility away from the asset owner or
operator. We believe that such a shift would not improve the
identification of critical assets, but more likely overwhelm the
Regional Entities.
112. On the other hand, the Commission believes that a formal or
systematic approach to external oversight of the identification of
critical assets would assure a wide-area view. Such an approach, on a
regional basis, would better ensure that responsible entities are
identifying similar assets. Even taking into account the individual
circumstances of a responsible entity, we would expect certain trends
in critical asset identification within a class of responsible
entities, such as generator owners or transmission owners. If the vast
majority of transmission owners, for example, identified a certain
asset as critical, and a few did not, this result could be due to the
unique circumstances of those transmission owners or from a flawed
risk-based assessment methodology. However, without external oversight
using a wide-area view, such trends or deviations would never be
identified prior to an incident or audit, perhaps precluding a
necessary adjustment to a particular critical asset list. In addition,
a wide-area view would help to ensure that assets that have regional
importance, such as for reactive power supply, are included as critical
assets.
113. NERC suggests that such issues can be addressed through
existing forums for the voluntary exchange of information on cyber
security issues. The Commission believes that this matter is too
important to leave to voluntary mechanisms. Accordingly, pursuant to
section 215(d)(5) of the FPA and Sec. 39.5(f) of our regulations, the
Commission proposes to direct that the ERO develop a modification to
CIP-002-1 through its Reliability Standards development process to
include a mechanism for the external review and approval of critical
asset lists based on a regional perspective. While we propose that the
Regional Entities should be responsible for this function, we will not
exclude the possibility of a critical asset review process that allows
for participation of other organizations, such as transmission planners
and reliability coordinators.
114. Moreover, we note that the definition of ``critical cyber
assets'' encompasses data.\69\ Thus, marketing or other data essential
to the proper operation of a critical asset, and possibly the computer
systems that produce or process that data, would be considered critical
cyber assets subject to the CIP Reliability Standards. Therefore, the
Commission proposes to direct the ERO to develop guidance on the steps
that would be required to apply the CIP Reliability Standards to such
data and to include computer systems that produce the data.
---------------------------------------------------------------------------
\69\ The NERC Glossary defines ``Critical Cyber Assets'' as
``Cyber Assets essential to the reliable operation of critical
assets.'' It defines ``Cyber Assets'' as ``programmable electronic
devices and communication networks including hardware, software, and
data.'' Therefore, marketing data or other system data that are
essential to the proper operation of the critical asset may confer
critical cyber asset status to those data and the computer systems
that process them.
---------------------------------------------------------------------------
115. The Commission is concerned that all critical assets are
identified, and interprets the phrase, ``[t]he risk-based assessment
shall consider the following assets:'' in Requirement R1.2 to mean that
a responsible entity must be able to show, based on the risk-based
assessment methodology used, why specific assets were or were not
chosen as critical assets. The Commission is also concerned that
sufficient rigor is applied in examining whether control systems are
determined to be critical assets. While it seems obvious that an
evaluation of a control system for critical asset status would consider
the potential loss of operability of the control center due to power or
communications failure, we also believe that such an evaluation should
include an examination of any misuse of the control system, the impact
this misuse could have on any electric facilities that the responsible
entity controls, and the combined impact of such facilities. Therefore,
the Commission proposes to direct the ERO to modify Requirement R1.2 to
clarify the requirement to show why specific assets were or were not
chosen as critical assets, and to require the consideration of misuse
of control systems.
d. Interdependency
116. The CIP Assessment noted that CIP-002-1 does not address the
issue of interdependency with other infrastructures and explained that
there may be occasions where an electric sector asset, while not
critical to Bulk-Power System reliability, may be crucial to the
operation of another critical infrastructure.\70\ The CIP Assessment
asked (1) whether this issue is appropriate for inclusion in CIP-002-1
and (2) whether this topic is an area for future coordination and
collaboration with other industries and government agencies.
---------------------------------------------------------------------------
\70\ CIP Assessment at 17.
---------------------------------------------------------------------------
117. Commenters generally agree that this issue is worthy of
consideration and coordination and cooperation could be
[[Page 43984]]
advantageous. However, most commenters consider the topic outside the
scope of CIP-002-1.\71\ By contrast, one commenter posits that there is
a clear need to articulate that this type of interdependency analysis
should be part of the responsible entity's determination of critical
assets.\72\
---------------------------------------------------------------------------
\71\ E.g., APPA/LPPC, Duke, EEI, Georgia System, National Grid,
NERC, ReliabilityFirst, SPP, Xcel, SoCal Edison, Progress Energy,
and MidAmerican.
\72\ ISA Group.
---------------------------------------------------------------------------
Commission Proposal
118. Reliability Standard CIP-002-1 pertains to the identification
of assets critical to Bulk-Power System reliability. While broader
interdependency issues cannot be ignored, the Commission intends to
revisit this matter through future proceedings and with other agencies.
This work will help to inform the electric sector and this Commission
about the need for future Reliability Standards, especially when the
interdependent infrastructures affect generating capabilities, such as
through fuel transportation.
e. Commission Proposal Summary
119. In summary,\73\ the Commission proposes to approve Reliability
Standard CIP-002-1 as mandatory and enforceable. In addition, the
Commission proposes to direct the ERO, pursuant to section 215(d)(5) of
the FPA and Sec. 39.5(f) of our regulations, to develop modifications
to CIP-002-1 through its Reliability Standards development process
that: (1) Provide some basic guidance on the content or considerations
to be applied in a risk-based assessment methodology; (2) include a
requirement that a senior manager annually review and approve the risk-
based assessment methodology; (3) include a mechanism for the external
review and approval of critical asset lists based on a regional
perspective; and (4) modify Requirement R1.2 to (a) clarify the
requirement to show why specific assets were or were not chosen as
critical assets and (b) require the consideration of misuse of control
systems.
---------------------------------------------------------------------------
\73\ This summary should be read in conjunction with the
discussion above.
---------------------------------------------------------------------------
2. CIP-003-1--Security Management Controls
120. Reliability Standard CIP-003-1 seeks to ensure that each
responsible entity has minimum security management controls in place to
protect critical cyber assets identified pursuant to CIP-002-1. To
achieve this goal, a responsible entity first must develop a cyber
security policy that represents management's commitment and ability to
secure its critical cyber assets. The responsible entity must designate
a senior manager to lead and direct the responsible entity's cyber
security program. This senior manager will also be the person
authorized to approve any exception set out in the entity's cyber
security policy.
121. Further, a responsible entity must implement an information
protection program to identify, classify and protect sensitive
information concerning critical cyber assets, as well as an access
control program to designate who may have access to such information.
Finally, the responsible entity must establish a change control and
configuration management program to oversee changes made to the
critical cyber assets' hardware or software.
122. The Commission proposes to approve Reliability Standard CIP-
003-1 as mandatory and enforceable. In addition, we propose to direct
the ERO to develop modifications to this Reliability Standard. In our
discussion below, the Commission addresses its concerns in the
following topic areas regarding CIP-003-1: (1) Adequacy of policy
guidance; (2) discretion to grant exceptions; (3) leadership; (4)
access authorization; (5) change control and configuration management;
and (6) interconnected networks.
a. Adequacy of Policy Guidance
123. Requirement R1 of Reliability Standard CIP-003-1 directs the
responsible entity to ``document and implement a cyber security policy
that represents management's commitment and ability to secure its
critical cyber assets.'' The only guidance that is given with regard to
the nature and scope of the cyber security policy is that it
``addresses the Requirements in CIP-002-1 through CIP-009-1, including
the provisions for emergency situations.'' The Requirement also
requires that a senior manager annually review and approve the policy.
124. The CIP Assessment stated that senior management involvement
should improve the prioritization of control system security within the
entity, including allocation of resources.\74\ It explained that, since
many of the Requirements in the CIP Reliability Standards leave
considerable discretion to each responsible entity, the scope and
thoroughness of the cyber security policies could vary widely. Thus,
the CIP Assessment expressed concern that, because Requirement R1 does
not address the policy's adequacy, this Requirement could actually mask
certain security vulnerabilities.
---------------------------------------------------------------------------
\74\ CIP Assessment at 19.
---------------------------------------------------------------------------
125. APPA/LPPC are not convinced that the variation allowed in
cyber security policies means that plans lack a sufficient level of
protection. They believe that the Reliability Standard allows an
appropriate level of variation as to how specific requirements will be
met. Likewise, Georgia System does not share the CIP Assessment's
concern that Requirement R1 could allow responsible entities to mask
vulnerabilities, positing that it is in a utility's self-interest to
take actions that improve reliability. Thus, it does not see a need for
any additional guarantee that the involvement of senior management will
result in improvements to the responsible entity's cyber security
policy.
Commission Proposal
126. The Commission acknowledges that details of particular
security policies will vary due to the different cyber architectures
and equipment used by the responsible entities. However, in addition to
consideration of every Requirement in Reliability Standards CIP-002-1
through CIP-009-1, the Commission expects that responsible entities'
security policies will address issues that are not currently reflected
in the CIP Reliability Standards, but are important to the security of
the control system. For instance, currently data networks and
communication networks are not covered by any CIP Reliability Standard.
Yet these networks play an important role in the proper functioning of
the control systems. The Commission would expect a security policy for
control systems to address the responsible entity's actions to protect
communication networks. Other possible topics for guidance here are the
appropriate use of defense in depth strategy; the use of wireless
communications for control systems; uninterruptible power supplies; and
heating, ventilation, and air-conditioning equipment for critical cyber
assets. We note that Recommendation 34 of the Blackout Report states
that ``grid-related organizations should have a planned and documented
security strategy, governance model, and architecture for EMS [energy
management systems] automation systems.'' \75\
---------------------------------------------------------------------------
\75\ See Blackout Report at 165, Recommendation 34.
---------------------------------------------------------------------------
127. The Commission proposes to direct the ERO to modify CIP-003-1
to provide additional guidance for the topics and processes that the
required cyber security policy should address to ensure that the
responsible entity
[[Page 43985]]
reasonably protects its critical cyber assets.
b. Discretion to Grant Exceptions
128. Requirement R3 of CIP-003-1 provides that a responsible entity
must document as an exception, with senior manager authorization, each
instance where a responsible entity cannot conform to its security
policy developed pursuant to Requirement R1. Documentation of the
exception must include ``an explanation as to why the exception is
necessary and any compensating measures, or a statement accepting
risk.'' An exception to the cyber security policy must be documented
within 30 days of senior management approval. An authorized exception
must be reviewed and approved annually to ensure that the exception is
still required and valid.
129. The CIP Assessment expressed concern that this provision
allows for broad discretion and may serve as a disincentive for
upgrading to control systems that fully comply with cyber security
Reliability Standards.\76\ With regard to a responsible entity's option
to ``accept the risk,'' it pointed out that, for interconnected control
systems of various entities, acceptance of risk by one entity is
actually an acceptance of risk for all those that are interconnected.
Yet, other entities may not be aware of the vulnerability, particularly
absent any oversight or regional perspective of the risks or
vulnerabilities that may exist.
---------------------------------------------------------------------------
\76\ CIP Assessment at 20.
---------------------------------------------------------------------------
130. Most commenters believe that it is appropriate to provide
latitude for management to document exceptions to the responsible
entity's established policies, select alternative and mitigating
solutions, and ultimately accept residual risk. APPA/LPPC expect that
the exercise of discretion will be one of the areas that will draw the
most attention from auditors.
131. Others, such as California PUC agree with the CIP Assessment's
concern that the broad discretion allowed for exceptions could act as a
disincentive for upgrading control systems. California PUC also agrees
that acceptance of the risk in a cyber environment is actually an
acceptance of risk for all connected entities because the entity that
initially accepts the risk becomes the ``weak link'' in the chain.
Santa Clara suggests that a responsible entity that makes exceptions
and ``accepts risks'' is responsible for communicating such exceptions
to its Regional Entity, which can then evaluate the overall ``risk,''
if any, to the bulk electric system. The Regional Entity, in turn, can
then communicate appropriately to any interconnected entities so that
they might take any necessary action.
Commission Proposal
132. The Commission is concerned that CIP-003-1 allows a
responsible entity too much latitude in excusing itself from compliance
with its cyber security policy. While there may be valid reasons for
exceptions to a cyber security policy, and it is helpful that
exceptions must be explained in writing and approved by a designated
senior manager, the Commission does not believe that the ``exceptions''
provision provides sufficient rigor or external accountability
regarding the decision of a responsible entity to except itself from
the cyber security policy. Accordingly, the Commission proposes to
direct that NERC develop a modification to Requirement R3 of CIP-003-1
to require a responsible entity to periodically submit to the Regional
Entity the documentation of exceptions to the cyber security policy.
The Commission believes that the external review of this documentation
will provide added assurance that each responsible entity adequately
justifies the exceptions to its cyber security policy.
133. In addition, the Commission believes that there is a
distinction between situations where a responsible entity excepts
itself from its cyber security policy, rather than from specific
Requirements of the CIP Reliability Standards based on technical
feasibility. An exception to a cyber security policy provision does not
also excuse compliance with a Requirement of a CIP Reliability
Standard. Generally, a responsible entity has no authority to excuse
itself from compliance with a mandatory Reliability Standard. As
discussed above in section II.B.1.6, the CIP Reliability Standards do
include several Requirements that allow an exception based on technical
feasibility. However, the Commission has proposed to direct NERC to
modify such provisions so that a responsible entity can only invoke the
technical feasibility exception after fulfilling specific conditions
including receiving approval from the ERO or the relevant Regional
Entity. In contrast, an exception to a cyber security policy would
require only senior manager approval and after-the-fact reporting to
the Regional Entity. Accordingly, the Commission proposes to direct
NERC to clarify that the exceptions mentioned in Reliability Standard
CIP-003-1, Requirements R2.3 and R3, do not except responsible entities
from the requirements of the CIP Reliability Standards.
c. Leadership
134. The CIP Assessment notes that senior management involvement in
security issues is important to ensure that responsible entities
achieve compliance as quickly as possible and to ensure that it
exercises any necessary discretion in an appropriate manner.\77\
---------------------------------------------------------------------------
\77\ CIP Assessment at 20.
---------------------------------------------------------------------------
135. While National Grid concurs with the CIP Assessment, it also
suggests that given the wide variety of critical assets, critical cyber
assets and physical security requirements, no single senior manager has
the expertise or authority to ensure compliance with all of the CIP
Reliability Standards.
Commission Proposal
136. The Commission's view is that Requirement R2 of CIP-003-1
should be interpreted to require the designation of a single manager
who has direct and comprehensive responsibility for the implementation
and ongoing compliance with the CIP Reliability Standards. While this
senior manager must have authority to delegate tasks and
responsibilities within the entity's management structure, we believe
that the senior manager must remain accountable for the responsible
entity's compliance with the CIP Reliability Standards. In our view, it
is essential to make clear both the ``authority and ownership'' for
security, as Recommendation 43 of the Blackout Report states.\78\
Therefore, the Commission proposes to direct the ERO to modify CIP-003-
1, to make clear the senior manager's ultimate responsibility.
---------------------------------------------------------------------------
\78\ See Blackout Report at 169, Recommendation 43.
---------------------------------------------------------------------------
d. Access Authorization
137. Requirement