Federal Register, Volume 74 Issue 56 (Wednesday, March 25, 2009)

[Federal Register Volume 74, Number 56 (Wednesday, March 25, 2009)]
[Rules and Regulations]
[Pages 12544-12551]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-6503]

-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM06-22-000; Order No. 706-B]

Mandatory Reliability Standards for Critical Infrastructure
Protection

Issued March 19, 2009.
AGENCY: Federal Energy Regulatory Commission.

ACTION: Order on Clarification.

-----------------------------------------------------------------------

SUMMARY: The Commission clarifies that the facilities within a nuclear
generation plant in the United States that are not regulated by the
U.S. Nuclear Regulatory Commission are subject to compliance with the
eight mandatory ``CIP'' Reliability Standards approved in Commission
Order No. 706.

DATES: Effective Date: This rule will become effective March 25, 2009.

FOR FURTHER INFORMATION CONTACT:
Jonathan First (Legal Information), Office of General Counsel, 888
First Street, NE., Washington, DC 20426, (202) 502-8529.
Regis Binder (Technical Information), Office of Electric Reliability,
888 First Street, NE., Washington, DC 20426, (301) 665-1601.

SUPPLEMENTARY INFORMATION: Before Commissioners: Jon Wellinghoff,
Acting Chairman; Suedeen G. Kelly, Marc Spiter, and Philip D. Moeller.
1. In this order, the Commission clarifies the scope of the Critical
Infrastructure Protection (CIP) Reliability Standards approved in Order
No. 706 \1\ to assure that no ``gap'' occurs in the applicability of
these Standards.\2\ In particular, each of the CIP Reliability
Standards provides that facilities regulated by the U.S. Nuclear
Regulatory Commission (NRC) are exempt from the Standard. It has come
to the attention of the Commission that NRC regulations do not extend
to all equipment within a nuclear power plant. Thus, to assure that
there is no ``gap'' in the regulatory process, the Commission clarifies
that the ``balance of plant'' equipment within a nuclear power plant in
the United States that is not regulated by the NRC is subject to
compliance with the CIP Reliability Standards approved in Order No.
706.
---------------------------------------------------------------------------

\1\ Mandatory Reliability Standards for Critical Infrastructure
Protection, Order No. 706, 122 FERC ] 61,040, order on reh'g, Order
No. 706-A, 123 FERC ] 61,174 (2008).
\2\ CIP Reliability Standards CIP-002-1 through CIP-009-1 (CIP
Reliability Standards) were approved by Order No. 706. Reliability
Standard CIP-001-1, which pertains to sabotage reporting, was not a
subject of Order No. 706 and does not include the exemption
statement that is the subject of this order.
---------------------------------------------------------------------------

I. Background

2. The North American Electric Reliability Corporation (NERC), the
Commission-certified Electric Reliability Organization (ERO), developed
the CIP Reliability Standards that require certain users, owners and
operators of the Bulk-Power System, including generator owners and
operators, to comply with specific requirements to safeguard critical
cyber assets. In January 2008, pursuant to section 215 of the Federal
Power Act (FPA),\3\ the Commission approved the CIP Reliability
Standards. In addition, pursuant to section 215(d)(5) of the FPA,\4\
the Commission directed the ERO to develop modifications to the CIP
Reliability Standards to address specific concerns identified by the
Commission.
---------------------------------------------------------------------------

\3\ 16 U.S.C. 824o (2006).
\4\ 16 U.S.C. 824o(d)(5)(2006).
---------------------------------------------------------------------------

3. Each CIP Reliability Standard includes an exemption for
facilities regulated by the NRC. For example, Reliability Standard CIP-
002-1 provides:

The following are exempt from Standard CIP-002: Facilities
regulated by the U.S. Nuclear Regulatory Commission * * *.\5\

4. In an April 8, 2008 public joint meeting of the Commission and
the NRC, staff of both Commissions discussed cyber security at nuclear
power plants. While indicating that the NRC has proposed regulations to
address cyber security at nuclear power plants, NRC staff raised a
concern regarding a potential gap in regulatory coverage.\6\ In
particular, NRC staff indicated that the NRC's proposed regulations on
cyber security would not apply to all systems within a nuclear power
plant. NRC staff explained:
---------------------------------------------------------------------------

\5\ Reliability Standard CIP-002-1, section 4.2 (Applicability).
\6\ In December 2008, the NRC approved a final rule that
included cyber security-related regulations applicable to nuclear
power plant licensees. The regulations, referred to herein as the
``NRC cyber security regulations,'' have not been published in the
Federal Register at this time and are not currently in effect. They
will be codified at 10 CFR 73.54. See Final Rulemaking--Power
Reactor Security Requirements, SECY-08-0099 (Jul. 9, 2008); Press
Release: NRC Approves Final Rule Expanding Security Requirements for
Nuclear Power Plants, (Dec. 17, 2008), available at http://www.nrc.gov/reading-rm/doc-collections/news/2008/08-227.html.

The NRC's cyber requirements are not going to extend to power
continuity systems. They do not extend directly to what is not
directly associated with reactor safety security or emergency
response. * * *
As a result, and when you look at the CIP standards that were
issued, there is a discrete statement in each of the seven or eight
standards where it specifically exempts facilities regulated by the
United States Nuclear Regulatory Commission from compliance with
those CIP Standards. So there is an issue there in the sense that
our regulations for cyber security go up to a certain point, and
end.\7\
---------------------------------------------------------------------------

\7\ April 8, 2008, Joint Meeting of the Nuclear Regulatory
Commission and Federal Energy Regulatory Commission, Tr. at 77-78.

5. On September 18, 2008, the Commission issued an Order on
Proposed Clarification,\8\ explaining its concern that a gap may exist
in the regulatory process due to the provision in each of the CIP
Reliability Standards exempting ``facilities regulated by the U.S.
Nuclear Regulatory Commission.'' On the understanding that some
facilities within a nuclear power plant would not be subject to
compliance with cyber security regulations developed by the NRC, the
Commission proposed to clarify that the facilities

[[Page 12545]]

within a nuclear power plant in the United States that are not
regulated by the NRC are subject to compliance with the CIP Reliability
Standards approved in Order No. 706. The Commission explained its
proposal and sought comment on not only the Proposed Clarification, but
also two additional questions: (1) Whether a clear delineation exists
between those facilities in a nuclear power plant which relate to
safety and security, and the non-safety related ``balance of plant,''
and if a clear delineation does not exist, whether there is a need for
owners and/or operators of nuclear power plants to identify the
specific facilities that pertain to reactor safety, security or
emergency response and are subject to NRC jurisdiction, and the balance
of plant that is subject to the eight CIP Reliability Standards; and
(2) if nuclear power plants were to be required to implement the CIP
Reliability Standards, whether Table 3 of the implementation plan
approved in Order No. 706 should control the implementation
schedule.\9\
---------------------------------------------------------------------------

\8\ Mandatory Reliability Standards for Critical Infrastructure
Protection, Order on Proposed Clarification, 124 FERC ] 61,247
(2008) (Proposed Clarification).
\9\ Proposed Clarification, 124 FERC ] 61,247 at P 9.
---------------------------------------------------------------------------

6. The Proposed Clarification was published in the Federal
Register, 73 FR 55,459 (Sept. 25, 2008). In response, comments were
filed by 23 interested persons, 17 of which own and/or operate nuclear
power plants. A list of the commenters appears in the Appendix to this
Order. These comments have assisted the Commission and are addressed in
the discussion, below.

II. Discussion

7. For the reasons discussed below, the Commission finds that the
CIP Reliability Standards are applicable to all equipment within a
nuclear power plant located in the United States that will not be
subject to NRC's cyber security regulations. The thrust of many
comments is that the NRC regulates the entire nuclear power plant
including power continuity systems and, therefore, the Commission's
Proposed Clarification is unnecessary. The Commission is not persuaded
by these arguments, which either reference back to voluntary industry
standards developed by the nuclear industry, or mischaracterize the
nature and extent of NRC's regulations with regard to the entire
nuclear power plant. Indeed, NRC Staff comments reiterate that many
portions of a nuclear power plant are not regulated by NRC.
8. Nuclear power plants can have a significant effect on the
reliability of the Bulk-Power System. Prior to the enactment of section
215 of the FPA, the electric industry had voluntary cyber security
provisions and a system of self-certifications. However, Congress
imposed a framework for mandatory and enforceable Reliability
Standards, explicitly including cyber security, applicable to all
users, owners and operators of the Bulk-Power System. That framework
charges the Commission with the oversight of the development and
enforcement of the Reliability Standards.
9. In previous orders, the Commission has emphasized that the
application of the Reliability Standards must remain uniform and
consistent.\10\ This is necessary both to protect the reliability of
the Bulk-Power System and to ensure equity in the application of
Reliability Standards. The Commission has found that ``section 215
seeks to prevent an instability, an uncontrolled separation or a
cascading failure, whether resulting from either a sudden disturbance,
including a cybersecurity incident, or an unanticipated failure of the
system elements.'' \11\ Therefore, compliance monitoring must occur on
an ongoing and proactive basis. Due to the preventive aspect of section
215 and the requirements of the Reliability Standards, compliance
monitoring and enforcement of the Reliability Standards are not
triggered only by a past event or a cyber security incident. The ERO
and Regional Entities have several proactive monitoring processes,
including, but not limited to, spot checks and audits, to verify that
users, owners and operators are in compliance with the Reliability
Standards and to maintain the reliable operation of the Bulk-Power
System. This order balances the concerns expressed by commenters with
the Commission's responsibility for consistency, as well as rigor and
uniformity in the compliance monitoring and enforcement of the
Reliability Standards.
---------------------------------------------------------------------------

\10\ See Rules Concerning Certification of the Electric
Reliability Organization; and Procedures for the Establishment,
Approval, and Enforcement of Electric Reliability Standards, Order
No. 672, 71 FR 8662 (Feb. 17, 2006), FERC Stats. & Regs.,
Regulations Preambles 2006-2007 ] 31,204, at P 41 and P 290 (2006),
order on reh'g, Order No. 672-A, FERC Stats. & Regs., Regulations
Preambles 2006-2007 ] 31,212 (2006); Mandatory Reliability Standards
for the Bulk-Power System, Order No. 693, 72 FR 16416 (Apr. 4,
2007), FERC Stats. & Regs. ] 31,242 at P 298 (2007).
\11\ Order No. 693, FERC Stats. & Regs. ] 31,242 at P 24, order
on reh'g, Order No. 693-A, 120 FERC ] 61,053 (2007); see also 16
U.S.C. 824o(a)(4) (2006) (defining Reliable Operation).
---------------------------------------------------------------------------

10. In response to comments, we have refined certain aspects of the
Proposed Clarification. However, we continue to believe that a gap in
the application of appropriate cyber security standards would exist
absent our clarification in this Order.

A. Meaning of the Term ``Facility''

11. Before addressing our determination on the Proposed
Clarification, we discuss a terminology issue raised by NRC Staff, NEI
and other commenters. As mentioned above, the CIP Reliability Standards
exempt ``facilities regulated by the U.S. Nuclear Regulatory
Commission.'' The Proposed Clarification indicated that a nuclear power
plant consists of multiple ``facilities'' within its boundaries, some
but not all of which are regulated by the NRC. For example, we stated
that ``NRC's regulation of a nuclear power plant is limited to the
facilities that are associated with reactor safety or emergency
response.'' \12\
---------------------------------------------------------------------------

\12\ Proposed Clarification, 124 FERC ] 61,247 at P 6.
---------------------------------------------------------------------------

Comments
12. Commenters state that the term ``facility,'' as used in the
nuclear industry, refers to the entire nuclear power plant. For
example, NRC Staff comments that the term ``facility'' is defined by
the Atomic Energy Act of 1954 as a ``production or utilization
facility,'' and the term is commonly synonymous with the entire nuclear
power plant, ``that comprises the entire set of buildings, cooling
towers, assets, switchyards, systems, and equipment within the owner-
controlled area * * *.'' \13\ The NRC Staff asserts that the use of the
term ``facilities'' in the Proposed Clarification might effectively
exempt all portions of nuclear power plants from the CIP Reliability
Standards and thus not close the regulatory gap that the Commission
intended to address. Rather, the NRC Staff explains that, when
referring to discrete elements within a nuclear power plant, the NRC
generally uses the term, ``structures, systems and components.''
---------------------------------------------------------------------------

\13\ NRC Staff Comments at 1.
---------------------------------------------------------------------------

13. NEI, supported by a number of commenters, similarly states that
the Commission used the term ``facilities'' in a manner that is not
consistent with the use of the term in the nuclear industry. NEI states
that the nuclear industry typically uses the term ``facility'' to mean
the entire nuclear power plant, and that the equivalent in nuclear
parlance of ``facilities,'' as used by the Commission, are the
``structures, systems, components and networks (``SSC'') which provide
the various functions for plant operation and shut down.'' \14\
---------------------------------------------------------------------------

\14\ NEI Comments at 2.

---------------------------------------------------------------------------

[[Page 12546]]

Commission Determination
14. It appears that the use of the term ``facility'' in the
Proposed Clarification differs from the common use of that term in the
nuclear regulatory environment. For purposes of this order, we use the
term ``nuclear power plant'' to describe the entire nuclear generating
plant, including the entire set of buildings, cooling towers, assets,
switchyards, systems, and equipment within the owner-controlled area.
This term is consistent with NRC Staff's explanation.
15. NRC Staff states that it generally uses the term ``structures,
systems and components'' to refer to discrete elements of the nuclear
power plant regulated by the NRC, and suggests that the Commission uses
``facilities'' in an analogous way. We will use the term ``structures,
systems and components'' to reference any element of equipment, systems
or networks of equipment, or portions within a nuclear power plant
within an entity's ownership or control. NRC Staff follows its
description of what structures comprise a nuclear power plant with the
note, ``many of which are not directly regulated by the NRC.'' For
purposes of this order, we will use the term ``balance of plant'' to
reference those portions of the nuclear power plant to which NRC Staff
refers, as that term is defined by the NRC's regulations.\15\
---------------------------------------------------------------------------

\15\ The NRC's regulations define the Balance of Plant as: ``the
remaining systems, components, and structures that comprise a
complete nuclear power plant and are not included in the nuclear
steam supply system.'' The Nuclear Steam Supply System is defined as
consisting of ``the reactor core, reactor coolant system, and
related auxiliary systems including the emergency core cooling
system; decay heat removal system; and chemical volume and control
system.'' 10 CFR 170.3 (2008).
---------------------------------------------------------------------------

B. Regulatory Gap--Need for the Clarification

16. In the Proposed Clarification, the Commission explained that:

The plain meaning of the exemption language in the eight CIP
Reliability Standards at issue is that only those facilities within
a nuclear generation plant that are regulated by the NRC are exempt
from those Standards. The exemption language in the eight CIP
Reliability Standards neither states, nor implies, that all
facilities within a nuclear generation plant are exempt from the
Standards, regardless of whether they are subject to NRC regulation.
However, the Commission believes there is a need to assure that
there is no potential gap in the regulation of critical cyber assets
at nuclear generation plants.\16\
---------------------------------------------------------------------------

\16\ Proposed Clarification, 124 FERC ] 61,247 at P 7 (emphasis
in original). As discussed above, the term facilities as used in the
Proposed Clarification was intended to apply to structures, systems
and components within a nuclear power plant.

The Commission, thus, proposed to clarify that Reliability
Standards CIP-002-1 through CIP-009-1 apply to the facilities, i.e.,
structures, systems and components, within a nuclear power plant that
are not regulated by the NRC.
Comments
17. NRC Staff and NERC agree with the Commission that clarification
of the CIP Reliability Standards is needed. NEI and other stakeholders
in the nuclear industry oppose the clarification, arguing that it is
unnecessary because no regulatory gap exists since the NRC's
jurisdiction can reach all equipment at nuclear power plants that might
need cyber security protection.
18. NRC Staff comments that much of the equipment within the owner-
controlled area of the nuclear power plant is not directly regulated by
the NRC. Thus, NRC Staff supports the Commission's proposal and
suggests certain refinements to the proposal to provide additional
clarity to distinguish ``the scope of plant functions that are subject
to NRC requirements from those functions that are subject to applicable
FERC-regulated grid reliability requirements.'' \17\
---------------------------------------------------------------------------

\17\ NRC Comments at 1.
---------------------------------------------------------------------------

19. NERC states that it agrees with the Commission's understanding
of the delineation between those ``facilities'' within a nuclear power
plant whose functions are necessary and sufficient for reactor safety,
security or emergency response versus the portion of the rest of the
plant whose functions are necessary for Bulk-Power System reliability.
NERC agrees with the Commission that there is a need for more clarity
with regard to the applicability of CIP Reliability Standards to
nuclear power plants, and recommends an expedited modification to the
Standards.
20. NEI, and other commenters,\18\ many of which support NEI's
comments, assert that the Commission's Proposed Clarification is
unnecessary, as there is no regulatory gap in the oversight of critical
cyber assets at nuclear power plants. According to NEI and others, the
NRC regulates the entire nuclear power plant, including cyber security
for balance of plant systems that may be critical to Bulk-Power System
reliability. Commenters identify three sources of NRC's authority: the
nuclear industry's comprehensive security program developed by NEI (NEI
04-04), NRC's ``Maintenance Rule,'' and NRC's recently-promulgated
cyber security rules. In addition, NEI and others contend that
application of CIP Reliability Standards to nuclear power plants would
result in dual regulation of equipment, which would be complicated and
inefficient.
---------------------------------------------------------------------------

\18\ E.g., AEP, Ameren, Arizona Public Service, Dominion, Duke,
Entergy, Exelon, FirstEnergy, Luminant, PG&E, PPL Companies, PSEG,
and Wolf Creek.
---------------------------------------------------------------------------

Nuclear Industry Cyber Security Guideline, NEI 04-04
21. NEI and other commenters \19\ argue that the application of CIP
Reliability Standards is not warranted because the nuclear industry has
made a binding commitment to implement a comprehensive cyber security
program developed by NEI and endorsed by NRC.\20\ NEI explains that,
pursuant to this program, existing digital assets at nuclear power
plants are analyzed for cyber vulnerabilities and necessary mitigation
plans are established and implemented. According to NEI, all nuclear
power plants implemented NEI 04-04 on or before May 1, 2008.
---------------------------------------------------------------------------

\19\ E.g., AEP, Arizona Public Service, Duke, Exelon, Luminant,
PG&E, PSEG, Southern and Wolf Creek.
\20\ NEI Comments at 5-8, citing to NEI 04-04 Revision 1,
``Power Security Program for Nuclear Reactors'' (April 2006) (NEI
04-04).
---------------------------------------------------------------------------

22. NEI explains that, in February 2002, the NRC issued Order EA-
02-026, ``Interim Safeguards and Security Compensation Measures for
Nuclear Power Plants,'' \21\ which included required actions to address
cyber security concerns. According to NEI, as a ``supplement'' to
implementation of this NRC order, the nuclear industry committed to
implement NEI 04-04, which was designed to protect plant systems,
including all those pertinent to balance of plant. NEI states that
implementation of the NEI 04-04 cyber security program extends to plant
generation equipment up to and including the first breaker out from the
main transformer to the switchyard breaker. According to NEI, in
response to a system vulnerability identified in 2007, both industry
and NRC relied on NEI 04-04 in determining that the first breaker out
from the transformer to the switchyard is within the boundary of the
nuclear power plant.\22\
---------------------------------------------------------------------------

\21\ All Operating Power Licensees; Order Modifying Licenses, 67
FR 9792 (Mar. 4, 2002).
\22\ NEI Comments at 6.
---------------------------------------------------------------------------

23. NEI states that, in 2005, NRC staff endorsed NEI 04-04 as an
acceptable method for establishing and maintaining a cyber security
program at nuclear power plants. It cites to the NRC Inspection Manual,
which states that a performance deficiency can exist if a licensee
fails to meet a self-imposed standard. Thus, NEI contends that, because
licensees have self-imposed NEI 04-04 through a binding initiative, NRC

[[Page 12547]]

has the regulatory authority to inspect and enforce the program's
requirements.\23\
---------------------------------------------------------------------------

\23\ Exelon, Luminant and Progress Energy also claim that NEI
04-04 is mandatory and enforceable by NRC. Likewise, APS contends
that compliance with NEI 04-04 is not voluntary because, through NEI
membership, all nuclear power plants are contractually bound to
follow the program.
---------------------------------------------------------------------------

24. NEI and other commenters, including Duke, Entergy and Exelon,
contend that NRC's current oversight is adequate and the existing cyber
security program is ``functionally equivalent'' to the CIP Reliability
Standards.
NRC's Maintenance Rule
25. NEI, Exelon and Southern argue that NRC regulates the ``balance
of plant,'' and focus on NRC's ``Maintenance Rule'' in particular to
support their argument.\24\ The Maintenance Rule requires a licensee to
implement a monitoring program that includes both safety related and
non-safety related structures, systems and components.\25\ The
Maintenance Rule identifies as within the scope of the monitoring
program, structures, systems and components:
---------------------------------------------------------------------------

\24\ In addition, numerous commenters state that they support
NEI's comments. E.g., EEI, AEP, Arizona Public Service, Dominion,
Kansas City and PG&E.
\25\ Requirements for Monitoring the Effectiveness of
Maintenance at Nuclear Power Plants, 56 FR 31306 (Jul. 10, 1991)
(Maintenance Rule). See also 10 CFR 50.65.

(b)(2)(i) That are relied upon to mitigate accidents or
transients or are used in plant emergency operating procedures; or
(b)(2)(ii) Whose failure could prevent safety-related structures,
systems, and components from fulfilling their safety-related
function; or (b)(2)(iii) Whose failure could cause a reactor scram
or actuation of a safety-related system.\26\
---------------------------------------------------------------------------

\26\ 10 CFR 50.65(b)(2)(i)-(iii). NRC's Glossary defines a
``scram'' as ``[t]he sudden shutting down of a nuclear reactor,
usually by rapid insertion of control rods, either automatically or
manually by the reactor operator. May also be called a reactor
trip.'' NERC Glossary, available at http://www.nrc.gov/reading-rm/basic-ref/glossary.

NEI states that NRC may take enforcement action for violations of
the Maintenance Rule, and includes examples of citations for failures
of non-safety systems. According to NEI, implementing guidance for the
Maintenance Rule, developed by industry and endorsed by NRC, provides
further evidence that structures, systems and components pertaining to
the balance of plant must be monitored.\27\
---------------------------------------------------------------------------

\27\ NEI Comments at 4, citing NUMARC 93-01, ``Industry
Guideline for Monitoring the Effectiveness of Maintenance at Nuclear
Power Plants,'' and NRC Regulatory Guide 1.160.
---------------------------------------------------------------------------

26. NEI thus argues that:

The NRC regulates any [structure, system or component] in a
nuclear power plant that has both a direct or indirect impact on
safety, security, or emergency response systems. The NRC's
regulations extend to all systems that could cause a reactor scram,
diminish the ability to mitigate the consequences of a reactor
scram, or cause the actuation of a safety system. These are the same
systems that constitute the balance of the plant for Continuity of
Operations purposes.\28\
---------------------------------------------------------------------------

\28\ NEI Comments at 5.

According to NEI, the failure of a structure, system or component
as the result of a cyber security breach affects the reliability of
equipment operation and is consequently within the scope of the
Maintenance Rule. Ameren, which owns and operates a nuclear power
plant, comments that it is unable to identify any structures, systems
or components that are not currently subject to cyber security
regulation by the NRC that could impact electric reliability.
NRC Cyber Security Regulations
27. NEI explains that NRC has proposed regulations that would
specifically address cyber security at nuclear power plants.\29\
According to NEI, Exelon, Progress Energy and Southern, NRC's cyber
security regulations would apply to both safety functions and ``support
systems and equipment which if compromised would adversely impact
safety, security or emergency preparedness functions.'' \30\ Further,
the NRC regulations would require licensees to identify the cyber
security assets they will protect under the program, and the list of
identified assets becomes the basis for inspection by NRC Staff. NEI
states that most balance of plant systems support both nuclear safety
and continuity of operations.
---------------------------------------------------------------------------

\29\ See supra n. 6.
\30\ To be codified at 10 CFR 73.54(a)(1)(iv).
---------------------------------------------------------------------------

28. NEI contends that there are ``few, if any,'' systems within the
boundary of a typical nuclear power plant that support only continuity
of operations. Thus, according to NEI, since the failure of such
systems could cause a reactor scram or actuation of a safety system,
the proposed NRC regulation would apply and there would be no
regulatory gap. NEI also claims that, as with all NRC regulation, the
requirements of 10 CFR 73.54 would be assessed, inspected and enforced.
Dual Regulation
29. NEI, EEI and other commenters \31\ express concern that if the
Commission issues its Proposed Clarification, dual regulation will
result and cause overlapping requirements, contradictory requirements,
duplicate inspections and recordkeeping, and duplicate worker training
and qualifications. They assert that confusion and conflicts will
result with respect to applicability of regulations if the Commission's
clarification separates digital assets within a nuclear power plant
into some that are subject to NRC regulations and others that are
subject to CIP Reliability Standards. AEP states that the proposed
application of the CIP Reliability Standards could result in increased
costs and complexity without a commensurate increase in reliability or
protection.
---------------------------------------------------------------------------

\31\ E.g., Ameren, Exelon, Progress Energy, PPL and PSEG.
---------------------------------------------------------------------------

30. NEI, EEI and other commenters \32\ argue the most effective way
to eliminate any potential gap in regulatory oversight is to maintain a
single set of regulations for the entire nuclear power plant under the
jurisdiction of the NRC. IESO/Hydro One assert that nuclear power
plants should only be regulated by one entity, and cyber security at
nuclear power plants must be under the jurisdiction of the NRC or the
Canadian nuclear authority.
---------------------------------------------------------------------------

\32\ E.g., Arizona Public Service, Entergy, PSEG, Dominion,
Exelon, Luminant, Ontario Power, Southern, Wolf Creek, and PG&E.
---------------------------------------------------------------------------

Commission Determination
31. As discussed below, the Commission is not persuaded by the
nuclear industry commenters' arguments that the NRC regulates all
balance of plant equipment within a nuclear power plant.
Voluntary Industry Standard NEI 04-04
32. The nuclear industry's development of a cyber security program
under NEI 04-04 is commendable. However, compliance with NEI 04-04 is
voluntary. As mandated by the Energy Policy Act of 2005, the Commission
must ensure that the Commission-certified ERO develops Reliability
Standards and provides for consistent monitoring and enforcement of
such standards. The nuclear industry's voluntary commitment to NEI 04-
04 does not satisfy the Energy Policy Act's mandate and is not adequate
assurance that the reliability of the Bulk-Power System is protected.
Therefore, the Commission cannot rely upon NEI 04-04 to meet its
obligations under the Energy Policy Act of 2005.
33. While NEI maintains that NEI 04-04 is subject to NRC regulatory
and enforcement authority, NRC Staff has disavowed this position with
regard to non-safety security and emergency preparedness related cyber
security

[[Page 12548]]

assets within a nuclear power plant.\33\ While NEI characterizes NEI
04-04 as a ``supplement'' to NRC Order EA-02-026, the NRC order did not
mandate the development and implementation of the industry-developed
program. We understand that, on occasion, NRC Staff will endorse an
industry-developed program or guidance document as one acceptable
manner to comply with NRC regulations. The industry-developed cyber
security program, however, was not developed as a means to comply with
an NRC regulation. Thus, while the NRC Staff simply endorsed NEI 04-04
as ``an acceptable method for establishing and maintaining a cyber
security program at nuclear power plants,'' \34\ the scope of this
endorsement falls short of documenting that NEI 04-04 is mandatory and
enforceable by the NRC.
---------------------------------------------------------------------------

\33\ NRC Staff Comments at 1.
\34\ NEI Comments, Appendix E (December 23, 2005 letter from
NRC, Director, Office of Nuclear Security and Incident Response to
NEI, Vice President, Nuclear Operations).
---------------------------------------------------------------------------

34. Further, we do not agree with commenters' claims that NEI 04-04
is mandatory because entities have made a contractually binding
commitment to NEI to implement the program. Again, while such proactive
commitments by industry are laudable, they do not and cannot substitute
for a government regulation subject to compliance and enforcement,
including civil penalties for non-compliance.
NRC Regulations
35. The Commission also rejects the claim of NEI and other
commenters that there is no regulatory gap and the Commission's
clarification is unnecessary because relevant NRC regulations apply to
all structures, systems and components within a nuclear power plant,
both safety and non-safety related, including the equipment in the
balance of plant.
36. Commenters point to NRC's Maintenance Rule, which requires
nuclear power plant licensees to monitor the effectiveness of
maintenance activities for safety-significant plant equipment. In
promulgating the Maintenance Rule, NRC explained that, while it
considered having the rule apply to all structures, systems and
components in a nuclear power plant, including the balance of plant,
the final rule was more limited.\35\ While the Maintenance Rule
expressly includes both safety related and non-safety related (i.e.,
balance of plant) structures, systems and components, NRC limited the
scope of the rule to include only those balance of plant structures,
systems and components ``whose failure could most directly threaten
public health and safety.'' \36\ This limitation is set forth in
subsection (b) of the Maintenance Rule, which describes the scope of
the maintenance monitoring program required pursuant to subsection (a)
of the rule. In sum, the Maintenance Rule contemplates that there will
be balance of plant structures, systems and components that are not
subject to the rule.
---------------------------------------------------------------------------

\35\ Maintenance Rule, 56 FR 31306 at 31314-15. NRC indicated
that this limitation of the scope was in part a reaction to
commenter concerns that ``many [structures, systems or components]
in the [balance of plant] have no nexus to public health and safety
* * *.'' Id. at 31315.
\36\ Id. at 31315. NRC explained that this scope is consistent
with NRC's authority pursuant to sections 161 and 182 of the Atomic
Energy Act to protect the public health and safety related to
nuclear power plant safety. Id. at 31314-15. See also Pacific Gas &
Electric Corp. v. State Energy Resources & Conservation and
Development Commission, 461 U.S. 190, 210 n.22 (1983) (concluding
that the Atomic Energy Act did not displace other agencies'--
Federal, state and local--jurisdiction over the generation, sale and
transmission of electric energy, as the NRC's jurisdiction was
limited to the protection of the public's health and safety from the
particular risks posed by nuclear material); English v. General
Electric Co., 496 U.S. 76, 82 (1990) (finding ``NRC * * * is
concerned primarily with public health and safety'').
---------------------------------------------------------------------------

37. NEI and other commenters also claim that the NRC's then-
proposed, and now recently approved, cyber security regulations
demonstrate that there is, in fact, no regulatory gap. However, as
indicated by the NRC Staff's comments, the NRC cyber security
regulations have limited application to balance of plant. The NRC cyber
security regulations will apply to safety-related functions, security
functions, emergency preparedness and ``support systems and equipment
which, if compromised, would adversely impact safety security and
emergency preparedness functions.'' \37\
---------------------------------------------------------------------------

\37\ See supra n. 6, to be codified at 10 CFR 73.54(a)(1)(iv).
---------------------------------------------------------------------------

38. We disagree with nuclear industry commenters that contend that
this latter provision is so broad as to include the entire balance of
plant. Rather, similar to the Maintenance Rule, this provision
identifies a subset of non-safety structures, systems and components
that are subject to the NRC cyber security regulations. The remainder
of the balance of plant equipment will not be subject to the NRC cyber
security regulations. NRC Staff apprised the Commission of this
limitation and the potential for a regulatory gap at a public meeting
of the two commissions, when stating ``The NRC's cyber requirements are
not going to extend to power continuity systems. They do not extend
directly to what is not directly associated with reactor safety,
security or emergency response.'' \38\
---------------------------------------------------------------------------

\38\ Proposed Clarification Order, 124 FERC ] 61,247 at P 5,
quoting April 8, 2008, Joint Meeting of the NRC and the Commission,
Tr. at 77-78. Likewise, in its written comments, NRC staff explains
that ``[t]he NRC regards `facility' as referring to the entire power
generating plant, that comprises the entire set of buildings,
cooling towers, assets, switchyards, systems and equipment within
the owner-controlled area, many of which are not directly regulated
by the NRC.'' NRC Staff Comments at 1 (emphasis added).
---------------------------------------------------------------------------

Dual Regulation
39. Numerous nuclear industry commenters raise concerns that the
Commission's proposal would result in nuclear power plant licensees
having to comply with two sets of regulations, both NRC regulations and
CIP Reliability Standards. According to commenters, this would likely
cause overlapping requirements, contradictory requirements, duplicate
inspections and other burdens.
40. The Commission is not persuaded by these comments. First, the
Commission believes that the possible burden, confusion and
inefficiency is speculative, and may well be overstated by commenters.
We note that no commenter states that any of the CIP Reliability
Standards conflict with the NRC's cyber security regulations. While
transition issues will invariably occur, it is possible that, for
example, nuclear power plant licensees can minimize any possible burden
by developing a single operating manual that integrates both NRC
regulations and CIP Reliability Standards. In any case, commenters have
not set forth an adequate justification for the Commission and the ERO
to forego their authority so that certain critical cyber assets are not
subject to any mandatory oversight. In addition, we believe that
concerns over possible contradictory requirements or duplicative
inspections may be addressed through further regulatory coordination,
discussed below.

C. Delineation of Equipment Within a Nuclear Power Plant and
Modification of the Exemption Text

41. In the Proposed Clarification, the Commission requested
comments on whether there is a clear delineation between equipment
within a nuclear power plant that pertains to reactor safety, security
or emergency response and the non-safety portion of the balance of
plant. The Commission asked whether there is a need for owners and/or
operators of nuclear power plants to identify the specific facilities
that pertain to reactor safety, security or emergency response and
subject to NRC regulation, and the balance of plant that

[[Page 12549]]

is subject to the CIP Reliability Standards.
Comments
42. NEI, Exelon and others \39\ assert that there is a clear
delineation between equipment within a nuclear power plant related to
safety and security and equipment that constitutes balance of plant.
NEI comments that under the existing nuclear cyber security programs,
all digital assets have been identified and evaluated, and cyber
security risk parameters have been established for assets which are
nuclear-significant and those needed to maintain continuity of
operation. Similarly, Exelon and Southern explain that, due to various
designs of nuclear power plants, the delineation may vary from plant to
plant. Therefore, each licensee identifies the structures, systems, and
components that are ``nuclear significant'' and those that impact
continuity of power, i.e., Bulk-Power System reliability. NEI, Exelon,
Southern and other commenters maintain that this delineation is not
relevant since NRC cyber security regulations apply to the balance of
plant.
---------------------------------------------------------------------------

\39\ E.g., Dominion, Duke, Luminant, PG&E, Southern and Wolf
Creek.
---------------------------------------------------------------------------

43. IESO/Hydro One assert that it is not possible, from either a
procedural or technical standpoint, to establish a clear demarcation
between facilities that relate to reactor safety or emergency response,
and those that relate to reliability of the electric grid since the
nuclear plant system is an interconnected and complex model. Breaking
up this model would be confusing and technically difficult, according
to IESO/Hydro One. Ontario Power notes that there are no ``balance of
plant'' concerns in Canada since the Canadian Nuclear Safety Commission
has jurisdiction over the entire nuclear power plant.
44. FirstEnergy asserts that, notwithstanding the ability to
delineate between equipment, the Commission's inquiry is premised on
the incorrect assumption that a line can be drawn between safety-
related facilities regulated by the NRC and non-safety-related
facilities that are not directly regulated by the NRC. FirstEnergy
comments that, in fact, much equipment within a nuclear power plant
that is categorized as balance of plant may have an indirect impact on
safety or emergency response. It maintains that any attempt to separate
equipment into two groupings for the purpose of creating two cyber
security regulatory schemes would be technically challenging,
potentially unsafe, and beyond the Commission's general expertise. PSEG
and Ameren provide similar comments, and Ameren suggests that the
delineation of the specific structures, systems and components
regulated by NRC and the Commission should occur on a plant-by-plant
basis with an opportunity for the owner or operator to obtain guidance
as to whether its categorization is acceptable.
45. On a related matter, several commenters recommend changes to
the exemption provision of the CIP Reliability Standards to better
delineate the scope of NRC's regulations. NERC states that the
delineation provided by its proposed revised exemption language for the
Applicability sections of the CIP Reliability Standards is clear and
adequately addresses the delineation issues raised by the Commission.
For example, NERC proposes to expedite a modification to the exemption
provision of the CIP Reliability Standards to reflect that ``digital
computer and communications systems and networks within a U.S. nuclear
power plant * * * that are regulated and enforced by the U.S. Nuclear
Regulatory Commission are exempt from the requirements of this
standard.'' \40\ Other commenters also recommend changes to the
exemption provision of the CIP Reliability Standards to clarify which
equipment would be subject to NRC's cyber security regulations, as
opposed to the CIP Reliability Standards. NRC Staff proposes to clarify
the exemption as follows: ``[a]ll portions of a nuclear power plant * *
* that fall within the regulatory jurisdiction and authority pertaining
to cyber security of the NRC are exempt from the CIP Reliability
Standards. * * *'' \41\
---------------------------------------------------------------------------

\40\ NERC Comments at 3.
\41\ NRC Staff Comments at 1.
---------------------------------------------------------------------------

46. NEI recommends that the Commission direct NERC to modify the
exemption language in the CIP Reliability Standards to state:

Nuclear safety-related and important-to-safety systems and
networks, security systems and networks, emergency preparedness
systems and networks including offsite communications, and support
systems and equipment which if compromised would adversely impact
safety, security or emergency preparedness functions regulated by
the U.S. Nuclear Regulatory Commission or the Canadian Nuclear
Safety Commission.\42\
---------------------------------------------------------------------------

\42\ NEI Comments at 14.

47. APS, Luminant, PG&E and Wolf Creek offer variations on the NEI
proposal. For example, APS supports NEI's suggested change to existing
CIP exemption language but would follow the ``adversely impact
safety,'' phrase with the additional phrase ``plant reliability
(continuity of power).''
Commission Determination
48. Based on the comments of NEI and other commenters, we
understand that nuclear power plant licensees maintain a clear
delineation between equipment within a nuclear power plant that
pertains to reactor safety, security or emergency response, and
equipment that pertains to balance of plant. Further, as discussed
above, the NRC's cyber security regulations may apply to certain
equipment within the balance of plant in some respects. However, it
appears that the delineation of which balance of plant equipment may be
subject to the NRC cyber security regulations is not yet fully
accomplished and will likely be articulated separately for each nuclear
power plant, with the line of regulatory demarcation differing from
plant to plant. Moreover, while NRC Staff indicates that there are
``many'' components of balance of plant that will not be subject to the
NRC cyber security regulations, NEI and other industry commenters
assert that there are few, if any.
49. To resolve this matter in a manner that assures that no
regulatory gap occurs, and also provides certainty to nuclear power
plant licensees, the Commission requires that all balance of equipment
within a nuclear power plant is subject to the CIP Reliability
Standards. This approach provides clarity and certainty because, as
indicated above, nuclear power plant licensees understand a clear
delineation between equipment within a nuclear power plant that
pertains to reactor safety, security or emergency response, and
equipment that pertains to balance of plant. This is certainly with the
scope of the Commission's and ERO's authority pursuant to section
215(b) of the FPA.\43\
---------------------------------------------------------------------------

\43\ 16 U.S.C. 824o(b). Section 215(b) of the FPA sets forth the
Commission's jurisdiction over all ``users, owners and operators of
the bulk-power system.''
---------------------------------------------------------------------------

50. Further, a nuclear power plant licensee may seek an exception
from the ERO to the extent that the licensee believes that specific
equipment within the balance of plant is subject to NRC cyber security
regulations. If the ERO grants the exception, that equipment within the
balance of plant would not be subject to compliance with the CIP
Reliability Standards. We would expect that the ERO would make such
determinations with the consultation of

[[Page 12550]]

NRC and oversight of Commission staff. Thus, to further the development
of this ERO process, the ERO should consider the appropriateness of
developing a memorandum of understanding with the NRC, or revising
existing agreements, to address such matters as NRC staff consultation
in the exception application process and sharing of Safeguard
Information. The Commission believes that with the above two-part
approach, i.e., subjecting all balance of plant equipment within a
nuclear power plant to the CIP Reliability Standards, with exceptions
allowed via a process implemented by the ERO, nuclear power plant
licensees will have a bright-line rule that eliminates the potential
regulatory gap and provides certainty; and a plant-specific equipment
exception process to avoid dual regulation where appropriate.
51. While balance of plant equipment will be subject to the CIP
Reliability Standards, this does not mean that every such asset must
meet all of the requirements of the CIP Reliability Standards. For
example, such equipment should be considered pursuant to Reliability
Standard CIP-002-1 to identify critical cyber assets.
52. With regard to the recommended changes to the exemption
language of the CIP Reliability Standards, we believe that the above
discussion adequately addresses our concerns. We leave to the
discretion of the ERO whether a modification to further refine the
exemption language, to reflect the findings of this order, is needed.

D. Regulatory Coordination

53. NRC Staff recommends the development of a memorandum of
understanding to outline scope, clarify agency roles and
responsibilities, and provide specific technical requirements related
to the application and administration of regulations pertaining to the
protection of critical digital assets at nuclear power plants.
Similarly, NEI, EEI and other commenters urge a coordinated approach to
cyber security oversight at nuclear power plants to avoid redundancies
and avoid unnecessary burdens on licensees.
54. Further, EEI, Exelon and the PSEG Companies request that the
Commission consider the roles of the ERO and the NRC in the
application, enforcement and administration of the CIP Reliability
Standards as applied to nuclear power plants, including considering the
implications of the Safeguards Information requirements set forth in 10
CFR 73.22.
Commission Determination
55. We agree that it is advisable for the two commissions to
coordinate their respective cyber security-related activities with
regard to nuclear power plants. However, for purposes of this
proceeding, we need not resolve this question regarding the need for a
memorandum of understanding between the two commissions.

E. Implementation Schedule

56. The Proposed Clarification requested comment on an appropriate
implementation schedule timetable for owners and operators of nuclear
power plants to comply with the CIP Reliability Standards. In Order No.
706, the Commission approved NERC's staggered implementation schedule
for the CIP Reliability Standards. Table 3 of NERC's Implementation
Plan for Cyber Security Standards CIP-002-1 through CIP-009-1 defines
the implementation schedule for Responsible Entities that were required
to register during 2006. Under Table 3, Responsible Entities must be
Auditably Compliant with CIP-002-1 through CIP-009-1 by December 31,
2010.\44\
---------------------------------------------------------------------------

\44\ Proposed Clarification, 124 FERC ] 61,247 at P 9.
---------------------------------------------------------------------------

57. NERC supports the application of Table 3 of the CIP Reliability
Standards implementation plan to determine an appropriate compliance
schedule.\45\ In contrast, numerous nuclear industry commenters \46\
argue that the Table 3 implementation schedule should not apply to
nuclear power plants. Rather, many of the nuclear industry commenters
suggest that the Commission should direct NERC to work with
stakeholders to develop an appropriate timeframe for owners and
operators of nuclear power plants to achieve full compliance with the
CIP Reliability Standards.
---------------------------------------------------------------------------

\45\ Order No. 706, Mandatory Reliability Standards for Critical
Infrastructure Protection, 122 FERC ] 61,040, at P 77-90 (2008).
\46\ E.g., Ameren, Dominion, Duke, EEI, Exelon, FirstEnergy,
IESO/Hydro One, Ontario Power, PG&E, PPL, PSEG, Southern and Wolf
Creek.
---------------------------------------------------------------------------

58. NEI recommends a schedule similar to Table 4 of NERC's
Implementation Plan for Cyber Security Standards, which pertains to
compliance deadlines for newly registered entities. Exelon proposes a
``begin work'' date of December 31, 2008, with an auditable compliance
deadline of December 31, 2011.
Commission Determination
59. The Commission finds that it is not appropriate to dictate the
schedule contained in Table 3 of NERC's Implementation Plan, i.e., a
December 2010 deadline for auditable compliance, for nuclear power
plants to comply with the CIP Reliability Standards. Instead of
requiring nuclear power plants to implement the CIP Reliability
Standards on a fixed schedule at this time, we agree to allow more
flexibility.
60. Rather than the Commission setting an implementation schedule,
we agree with commenters that the ERO should develop an appropriate
schedule after providing for stakeholder input. Accordingly, we direct
the ERO to engage in a stakeholder process to develop a more
appropriate timeframe for nuclear power plants' full compliance with
CIP Reliability Standards. Further, we direct NERC to submit, within
180 days of the date of issuance of this order, a compliance filing
that sets forth a proposed implementation schedule.
The Commission orders:
(A) The CIP Reliability Standards are clarified, as discussed in
the body of this order.
(B) The ERO is hereby directed to establish a stakeholder process
to determine the appropriate implementation timetable for nuclear power
plants, and submit a compliance filing to the Commission within 180
days of the date of issuance of this order, as discussed in the body of
this order.

By the Commission.
Kimberly D. Bose,
Secretary.

Appendix--Commenters

AEP--American Electric Power Service Corporation.
Arizona Public Service--Arizona Public Service Company.
Detroit Edison--Detroit Edison Company.
Dominion--Dominion Resources, Inc.
Duke--Duke Energy Corporation.
EEI--Edison Electric Institute.
Entergy--Entergy Services, Inc.
Exelon--Exelon Corporation.
FirstEnergy--FirstEnergy Service Company.
IESO/Hydro One--Independent Electricity System Operator of Ontario
(IESO) and Hydro One Networks, Inc.
Kansas City--Kansas City Power & Light Company.
Luminant--Luminant Generation Company LLC.
NERC--North American Electric Reliability Corporation.
NEI--Nuclear Energy Institute.
Ontario Power--Ontario Power Generation, Inc.
PG&E--Pacific Gas & Electric.
PPL Companies--PPL Companies (PPL Electric Utilities Corporation,
PPL Susquehanna, LLC, and PPL EnergyPlus, LLC).
Progress Energy--Progress Energy, Inc.
PSEG Companies--PSEG Companies (Public Service Electric and Gas
Company, PSEG

[[Page 12551]]

Energy Resources and Trade LLC, and PSEG Power LLC).
Southern--Southern Nuclear Operating Company.
Union Electric/Ameren--Union Electric Company and Ameren Services
Company.
NRC Staff--U.S. Nuclear Regulatory Commission Staff.
Wolf Creek--Wolf Creek Nuclear Operating Corporation.

[FR Doc. E9-6503 Filed 3-24-09; 8:45 am]
BILLING CODE 6717-01-P