[Federal Register Volume 85, Number 30 (Thursday, February 13, 2020)] [Rules and Regulations] [Pages 8161-8169] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2020-02173] ----------------------------------------------------------------------- DEPARTMENT OF ENERGY Federal Energy Regulatory Commission 18 CFR Part 40 [Docket No. RM18-20-000; ORDER NO. 866] Critical Infrastructure Protection Reliability Standard CIP-012- 1--Cyber Security--Communications Between Control Centers AGENCY: Federal Energy Regulatory Commission. ACTION: Final rule. ----------------------------------------------------------------------- SUMMARY: The Federal Energy Regulatory Commission (Commission) approves Reliability Standard CIP-012-1 (Cyber Security--Communications between Control Centers). The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization, submitted Reliability Standard CIP-012-1 for Commission approval in response to a Commission directive. In addition, the Commission directs NERC to develop modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers. DATES: This rule will become effective April 13, 2020. FOR FURTHER INFORMATION CONTACT: Vincent Le, (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6204, [email protected] Kevin Ryan, (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6840, [email protected] SUPPLEMENTARY INFORMATION: [[Page 8162]] 1. Pursuant to section 215(d)(2) of the Federal Power Act (FPA),\1\ the Commission approves Reliability Standard CIP-012-1 (Cyber Security--Communications between Control Centers). The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), submitted Reliability Standard CIP-012-1 for Commission approval in response to a Commission directive in Order No. 822.\2\ In Order No. 822, the Commission directed NERC, pursuant to section 215(d)(5) of the FPA, to develop modifications to the Reliability Standards to require responsible entities to implement controls to protect, at a minimum, communications links and sensitive bulk electric system data communicated between bulk electric system Control Centers ``in a manner that is appropriately tailored to address the risks posed to the bulk electric system by the assets being protected (i.e., high, medium, or low impact).'' \3\ --------------------------------------------------------------------------- \1\ 16 U.S.C. 824o(d)(2). \2\ Revised Critical Infrastructure Protection Reliability Standards, Order No. 822, 154 FERC ] 61,037, at P 53, order denying reh'g, Order No. 822-A, 156 FERC ] 61,052 (2016). \3\ 16 U.S.C. 824o(d)(5); Order No. 822, 154 FERC ] 61,037 at P 53. --------------------------------------------------------------------------- 2. Consistent with the directive in Order No. 822, Reliability Standard CIP-012-1 improves upon the currently-effective Critical Infrastructure Protection (CIP) Reliability Standards to mitigate cyber security risks associated with communications between bulk electric system Control Centers. Specifically, Reliability Standard CIP-012-1 supports situational awareness and reliable bulk electric system operations by requiring responsible entities to protect the confidentiality and integrity of Real-time Assessment \4\ and Real-time monitoring data transmitted between bulk electric system Control Centers. Accordingly, the Commission approves Reliability Standard CIP- 012-1 because it is largely responsive to the Commission's directive in Order No. 822 and improves the cyber security posture of responsible entities. We also approve the associated violation risk factors and violation severity levels, implementation plan, and effective date. --------------------------------------------------------------------------- \4\ The NERC Glossary defines Real-time Assessment as, ``An evaluation of system conditions using Real-time data to assess existing (pre-Contingency) and potential (post-Contingency) operating conditions. The assessment shall reflect applicable inputs including, but not limited to: Load, generation output levels, known Protection System and Special Protection System status or degradation, Transmission outages, generator outages, Interchange, Facility Ratings, and identified phase angle and equipment limitations. (Real-time Assessment may be provided through internal systems or through third-party services.)'' NERC Glossary of Terms Used in NERC Reliability Standards (July 3, 2018). --------------------------------------------------------------------------- 3. In addition, pursuant to section 215(d)(5) of the FPA, the Commission directs NERC to develop modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers. As discussed in the Notice of Proposed Rulemaking (NOPR), Reliability Standard CIP-012-1 does not require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers, as directed in Order No. 822.\5\ In the NOPR, the Commission indicated that it did not agree with NERC's assertion that currently-effective Reliability Standards address availability, and we are not persuaded by NOPR comments raising the same argument. Instead, pursuant to section 215(d)(5) of the FPA, we determine that the absence of a requirement that specifically pertains to the availability of communication links and data communicated between bulk electric system Control Centers represents a reliability gap in the CIP Reliability Standards that should be addressed by NERC. --------------------------------------------------------------------------- \5\ See Critical Infrastructure Protection Reliability Standard CIP-012-1--Cyber Security--Communication between Control Centers, Notice of Proposed Rulemaking, 167 FERC ] 61,055, at P 54 (2019) (NOPR). --------------------------------------------------------------------------- 4. The Commission, in the NOPR, also proposed to direct NERC to identify clearly the types of data that must be protected under Reliability Standard CIP-012-1. The NOPR expressed concern that Reliability Standard CIP-012-1 does not adequately identify the types of data covered by its requirements, due to, among other things, the fact that the term ``Real-time monitoring'' is not defined in the Reliability Standard or the NERC Glossary. After considering the NOPR comments, however, we determine not to direct the proposed modification based on the explanation of the types of data that must be protected set forth in the NOPR comments. I. Background A. Section 215 and Mandatory Reliability Standards 5. Section 215 of the FPA requires a Commission-certified ERO to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval. Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.\6\ Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,\7\ and subsequently certified NERC.\8\ --------------------------------------------------------------------------- \6\ 16 U.S.C. 824o(e). \7\ Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, 114 FERC ] 61,104, order on reh'g, Order No. 672-A, 114 FERC ] 61,328 (2006). \8\ North American Electric Reliability Corp., 116 FERC ] 61,062, order on reh'g and compliance, 117 FERC ] 61,126 (2006), aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009). --------------------------------------------------------------------------- B. Order No. 822 6. In Order No. 822, the Commission approved seven modified CIP Reliability Standards and directed NERC to develop additional modifications to the CIP Reliability Standards.\9\ Specifically, the Commission directed that NERC, among other things, develop modifications to the CIP Reliability Standards to require that responsible entities implement controls to protect, at a minimum, communications links and sensitive bulk electric system data communicated between bulk electric system Control Centers ``in a manner that is appropriately tailored to address the risks posed to the bulk electric system by the assets being protected (i.e., high, medium, or low impact).'' \10\ The Commission observed that NERC, as well as other commenters in that proceeding, ``recognize that inter-Control Center communications play a critical role in maintaining bulk electric system reliability by . . . helping to maintain situational awareness and support reliable operations through timely and accurate communication between Control Centers.'' \11\ --------------------------------------------------------------------------- \9\ Order No. 822, 154 FERC ] 61,037 at PP 1, 3. \10\ Id. P 53. \11\ Id. P 54. --------------------------------------------------------------------------- 7. The Commission explained that Control Centers associated with responsible entities, including reliability coordinators, balancing authorities, and transmission operators, must be capable of receiving and storing a variety of bulk electric system data from their interconnected entities in order to adequately perform their reliability functions. The Commission, therefore, determined that ``additional measures to protect both the integrity and availability of sensitive bulk electric system data are warranted.'' \12\ --------------------------------------------------------------------------- \12\ Id. --------------------------------------------------------------------------- The Commission cautioned, however, that ``not all communication network components and data pose the same risk to bulk electric system reliability and may not require the same level of [[Page 8163]] protection.'' \13\ Therefore, the Commission determined that NERC should develop controls that reflect the risk being addressed in a reasonable manner. --------------------------------------------------------------------------- \13\ Id. P 56. --------------------------------------------------------------------------- C. NERC Petition and Reliability Standard CIP-012-1 8. On September 18, 2018, NERC submitted for Commission approval proposed Reliability Standard CIP-012-1 and the associated violation risk factors and violation severity levels, implementation plan, and effective date.\14\ NERC states that the purpose of Reliability Standard CIP-012-1 is to help maintain situational awareness and reliable bulk electric system operations by protecting the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between Control Centers. --------------------------------------------------------------------------- \14\ Reliability Standard CIP-012-1 is not attached to this final rule. The Reliability Standard is available on the Commission's eLibrary document retrieval system in Docket No. RM18- 20-000 and on the NERC website, www.nerc.com. --------------------------------------------------------------------------- 9. NERC states that Reliability Standard CIP-012-1 ``requires Responsible Entities to develop and implement a plan to address the risks posed by unauthorized disclosure (confidentiality) and unauthorized modification (integrity) of Real-time Assessment and Real- time monitoring data while being transmitted between applicable Control Centers.'' \15\ According to NERC, the required plan must include the following: (1) Identification of security protections; (2) identification of where the protections are applied; and (3) identification of the responsibilities of each entity in case a Control Center is owned or operated by different responsible entities.\16\ --------------------------------------------------------------------------- \15\ NERC Petition at 10. \16\ Id. at 3. --------------------------------------------------------------------------- 10. As noted above, the types of data within the scope of Reliability Standard CIP-012-1 consist of Real-time Assessment and Real-time monitoring data exchanged between Control Centers. NERC states that it is critical that this information is accurate since responsible entities operate and monitor the bulk electric system based on this Real-time information. NERC explains that Reliability Standard CIP-012-1 ``excludes other data typically transferred between Control Centers, such as Operational Planning Analysis data, that is not used by the Reliability Coordinator, Balancing Authority, and Transmission Operator in Real-time.'' \17\ --------------------------------------------------------------------------- \17\ Id. at 12. --------------------------------------------------------------------------- 11. NERC also indicates that data at rest and oral communications fall outside the scope of Reliability Standard CIP-012-1. Regarding data at rest, NERC states that the standard drafting team determined that since data at rest resides within BES Cyber Systems,\18\ it is already protected by the controls mandated by Reliability Standards CIP-003-6 through CIP-011-2. According to NERC, oral communications are out of scope of Reliability Standard CIP-012-1 ``because operators have the ability to terminate the call and initiate a new one via trusted means if they suspect a problem with, or compromise of, the communication channel.'' \19\ NERC notes that Reliability Standard COM- 001-3 requires reliability coordinators, balancing authorities, and transmission operators to have alternative interpersonal communication capability, which could be used if there is a suspected compromise of oral communication on one channel. --------------------------------------------------------------------------- \18\ BES Cyber System is defined as ``[o]ne or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.'' NERC Glossary. The acronym BES refers to the bulk electric system. \19\ NERC Petition at 14. --------------------------------------------------------------------------- D. Notice of Proposed Rulemaking 12. On April 18, 2019, the Commission issued a NOPR proposing to approve Reliability Standard CIP-012-1 as just, reasonable, not unduly discriminatory or preferential, and in the public interest.\20\ The NOPR stated that Reliability Standard CIP-012-1 is largely responsive to the Commission's directive in Order No. 822 and improves the cyber security posture of the bulk electric system by requiring responsible entities to protect the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between bulk electric system Control Centers, which supports situational awareness and reliable bulk electric system operations. --------------------------------------------------------------------------- \20\ NOPR, 167 FERC ] 61,055 at P 1. --------------------------------------------------------------------------- 13. While proposing to approve Reliability Standard CIP-012-1, the Commission also proposed to direct NERC to develop modifications to the CIP Reliability Standards to address potential reliability gaps. First, the NOPR stated that Reliability Standard CIP-012-1 does not require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers as directed in Order No. 822. The NOPR explained that the Commission was not persuaded by NERC's explanation that certain currently-effective Reliability Standards address the issue of availability. Second, the NOPR raised a concern that Reliability Standard CIP-012-1 does not adequately identify the types of data covered by its requirements, due to, among other things, the fact that Real-time monitoring is not defined in the proposed Reliability Standard or the NERC Glossary.\21\ --------------------------------------------------------------------------- \21\ Id. P 16. --------------------------------------------------------------------------- 14. In response to the NOPR, eight entities submitted comments. A list of commenters appears in Appendix A. The discussion below addresses the proposals in the NOPR as well as the NOPR comments. II. Discussion 15. Pursuant to section 215(d)(2) of the FPA, the Commission approves Reliability Standard CIP-012-1 as just, reasonable, not unduly discriminatory or preferential, and in the public interest. Reliability Standard CIP-012-1 largely addresses the Commission's directive in Order No. 822 because it will enhance existing protections for bulk electric system reliability by augmenting the currently-effective CIP Reliability Standards to mitigate cyber security risks associated with communications between bulk electric system Control Centers. Reliability Standard CIP-012-1 achieves this by requiring responsible entities to protect the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between bulk electric system Control Centers, thereby supporting situational awareness and reliable bulk electric system operations. 16. While the Commission approves Reliability Standard CIP-012-1, we also determine that the reliability risks identified in Order No. 822 will not be fully addressed with the implementation of the Reliability Standard. As discussed below, a significant cyber security risk associated with the protection of communications links and sensitive bulk electric system data communicated between bulk electric system Control Centers remains because Reliability Standard CIP-012-1 does not address the availability of communication links and data communicated between bulk electric system Control Centers. To address this gap, the Commission directs NERC, pursuant to section 215(d)(5) of the FPA, to develop modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers. 17. Below, we discuss the following issues: (A) Availability of bulk electric system communication links and data; and (B) scope of bulk electric system data that must be protected. [[Page 8164]] A. Availability of Bulk Electric System Communication Links and Data 1. NOPR 18. The NOPR stated that Reliability Standard CIP-012-1 does not address the availability component of the Commission's directive in Order No. 822. The NOPR identified this as a gap because ensuring timely and reliable access to and use of data is essential to the reliable operation of the bulk electric system. The NOPR indicated that the existing Reliability Standards cited in NERC's petition do not require responsible entities to protect the availability of sensitive bulk electric system data in a manner consistent with Order No. 822.\22\ In particular, the NOPR stated that the cited Reliability Standards either do not apply to communications between individual Control Centers or, while their effect may be to support availability, the Reliability Standards do not create an obligation to protect availability.\23\ --------------------------------------------------------------------------- \22\ Id. P 24. \23\ Id. --------------------------------------------------------------------------- 2. Comments 19. NERC, Trade Associations, Tri-State and IRC do not support a directive that addresses the availability of communication links and data communicated between bulk electric system Control Centers. Reclamation, Appelbaum, and Liu express support for the directive, while Bonneville offers qualified support. 20. Comments opposing the proposed directive largely reiterate the petition's assertion that currently-effective Reliability Standards adequately protect the availability of communication links and data communicated between bulk electric system Control Centers. For example, NERC contends that ``[w]hile IRO-002-5 and TOP-001-4 cover infrastructure within Control Centers, not between Control Centers, the requirements help protect the availability of data to be exchanged between Control Centers . . . [because] the data exchange infrastructure in scope of these requirements facilitates sending and receiving data between Control Centers.'' \24\ NERC explains that if ``an applicable entity lost capability of some of this data exchange infrastructure, the applicable entity could continue to send and receive data between Control Centers because of the redundant data exchange infrastructure within its Control Center.\25\ In addition, NERC states that Reliability Standards IRO-010-2 and TOP-003-3 require applicable entities to use a mutually agreeable security protocol between Control Centers. NERC explains that this supports availability by helping to ensure that conflicting protocols do not impede receipt of data between Control Centers. --------------------------------------------------------------------------- \24\ NERC Comments at 5. \25\ Id.; see also Trade Associations Comments at 6-8, Tri-state Comments at 3. --------------------------------------------------------------------------- 21. NERC also contends that Reliability Standard EOP-008-2 helps support the availability of communication links between Control Centers by requiring reliability coordinators to have backup Control Center facilities, or backup Control Center functionality for balancing authorities and transmission operators, in addition to their primary Control Centers. NERC explains that ``[t]hese backup facilities supply redundancy of some communication links and data exchange infrastructure and capabilities at the backup Control Center.'' \26\ NERC further explains that entities with geographically diverse primary and backup Control Centers may have communication links that are physically separate from one another. NERC concludes that although ``geographic diversity alone will not always provide redundancy of communication links, having backup Control Centers with different paths to communicate with other Control Centers helps support availability of communication links.'' \27\ --------------------------------------------------------------------------- \26\ NERC Comments at 7; see also Trade Associations Comments at 9-10. \27\ NERC Comments at 7. --------------------------------------------------------------------------- 22. In addition, comments opposing the directive maintain that it is premature to require protections for the availability of the communication links and data at issue. NERC states that it recognizes that ``there may be additional controls that could help address'' risks to the availability of data and communication links and commits to ``study the risks to availability of data and communication links between Control Centers and the current controls that support availability.'' \28\ Trade Associations, similarly, ``encourage[s] the Commission to consider directing NERC to study the issue [of telecommunications security] to identify specific availability vulnerabilities and potential mitigation methods.'' \29\ --------------------------------------------------------------------------- \28\ Id. at 8-9. \29\ Trade Associations Comments at 12. --------------------------------------------------------------------------- 23. IRC, while not supporting the proposed directive, ``acknowledges that [the Commission] could require additional actions by responsible entities to promote the availability of [bulk electric system] communication links to the extent possible through contracts with telecommunications providers.'' \30\ IRC recommends a best efforts approach similar to how supply chain risks are addressed under Reliability Standard CIP-013-1. Specifically, IRC suggests that ``NERC could adopt a standard that would require responsible entities, when negotiating these service contacts, to take reasonable steps or use best efforts to maximize the availability of communication links.'' \31\ --------------------------------------------------------------------------- \30\ IRC Comments at 3 (emphasis in original). \31\ Id. --------------------------------------------------------------------------- 24. Reclamation, in support of the Commission proposal, states that the availability of communication networks should encompass links between Control Centers owned by the same entity as well as Control Centers owned by different entities. Reclamation maintains that the requirements for electronic communications be parallel to the following requirements for oral communication contained in Reliability Standard COM-001-3: (1) Have electronic communication capability; (2) designate alternative electronic communication capability in the event of a failure of the primary communication capability; (3) test the alternate method of electronic communication; (4) notify the entity on the other end of the communication path if a failure is detected; and (5) establish mutually agreeable action to restore the electronic communication capability. 25. As an initial matter, Bonneville recommends delaying approval of Reliability Standard CIP-012-1 until NERC conducts a pilot project to study the most effective way to encrypt data while ensuring the data is available to responsible entities. However, if the Commission approves the Reliability Standard, Bonneville ``agrees with the Commission's proposal to address the availability of communication links and data communicated between Control Centers.'' \32\ Bonneville explains that maintaining the availability of the communication links includes addressing both redundancy and recovery. Therefore, Bonneville recommends that, if Reliability Standard CIP-012-1 is approved, ``the Commission order NERC to adopt modifications requiring Responsible Entities to have incident recovery plans/continuity of operation plans addressing planning for recovery time, capability, and capacity.'' \33\ Similarly, Appelbaum supports the proposed directive and contends that ``a requirement for a continuing operations plan for loss of critical data resulting for the loss of [[Page 8165]] Control Center functionality should be directed.'' \34\ --------------------------------------------------------------------------- \32\ Bonneville Comments at 5. \33\ Id. at 6. \34\ Appelbaum Comments at 7. --------------------------------------------------------------------------- 3. Commission Determination 26. We determine that modifications to the CIP Reliability Standards to address the availability of communication links and data communicated between bulk electric system control centers will enhance bulk electric system reliability. As the Commission stated in Order No. 822, bulk electric system Control Centers ``must be capable of receiving and storing a variety of sensitive bulk electric system data from interconnected entities.'' \35\ We are not persuaded by the contention in the petition and comments that currently-effective Reliability Standards adequately address the directive in Order No. 822 regarding availability. Instead, we determine that the Reliability Standards cited by NERC either do not apply to communications between Control Centers or do not create an obligation to protect the availability of data between Control Centers. Accordingly, the directed modifications to the CIP Reliability Standards are not duplicative of existing Reliability Standards. --------------------------------------------------------------------------- \35\ Order No. 822, 154 FERC ] 61,037 at P 54. --------------------------------------------------------------------------- 27. As the Commission explained in the NOPR, the existing Reliability Standards cited by NERC are not responsive to the availability directive in Order No. 822.\36\ Reliability Standards IRO- 002-5 and TOP-001-4 require responsible entities to have redundant and diversely routed data exchange infrastructure within the Control Center environment, but they do not address communications between individual Control Centers, which was the subject of the Commission's directive in Order No. 822.\37\ While it is true that the infrastructure associated with communications within Control Centers may be useful to data exchange between Control Centers, nothing in the cited Reliability Standards creates an obligation to maintain data availability between Control Centers. Similarly, Reliability Standards IRO-010-2 and TOP- 003-3 require responsible entities to have mutually agreeable security protocols for exchange of Real-time data, which may have the effect of contributing to greater availability; however, these requirements do not create an obligation, as directed in Order No. 822, to protect the availability of those communication capabilities and associated data by applying appropriate security controls. --------------------------------------------------------------------------- \36\ NOPR, 167 FERC ] 61,055 at P 24. \37\ NOPR, 167 FERC ] 61,055 at P 24; NERC Comments at 5 (``IRO- 002-5 and TOP-011-4 cover infrastructure within Control Centers, not between Control Centers''). --------------------------------------------------------------------------- 28. As the NOPR explained, creating an obligation to protect availability, while affording flexibility in terms of what data is protected and how, is distinct from relying on currently-effective Reliability Standards whose effect may be to support availability.\38\ The comments do not offer a new or persuasive reason to alter this view. For example, the Trade Associations repeat the line of reasoning in the NERC petition by ``encourag[ing] the Commission to focus holistically on the broad requirements contained with [the] IRO and TOP standards, which focus on the performance requirements necessary to support Real-time monitoring and Real-time Assessments.'' \39\ In this circumstance, we disagree with that approach because, as the Commission observed in Order No. 822, ``NERC and other commenters recognize that inter-Control Center communications play a critical role in maintaining bulk electric system reliability by, among other things, helping to maintain situational awareness and reliable bulk electric system operations through timely and accurate communication between Control Center.'' \40\ Thus, the holistic view urged by Trade Associations does not address the gap recognized by the Commission in Order No. 822. --------------------------------------------------------------------------- \38\ NOPR, 167 FERC ] 61,055 at P 24; NERC Comments at 6-7 (stating that alarms, recovery plans, and the ability to disable data encryption also support data availability). \39\ Trade Associations Comments at 8. \40\ Order No. 822, 154 FERC ] 61,037 at P 54. --------------------------------------------------------------------------- 29. The contention in NERC's comments that Reliability Standard EOP-008-2 could also help maintain the availability of communication links between bulk electric system Control Centers, rests on the same reasoning that the ancillary benefits of an existing Reliability Standard addresses the reliability gap identified by the Commission and concomitant availability directive in Order No. 822. While we agree that a requirement to maintain a backup Control Center arguably provides a level of redundancy for a responsible entity's overall operations, it does not require redundant and diversely routed communication paths between either the primary and backup Control Centers or third-party Control Centers. 30. In addition, we do not agree that it is premature to require protections for the availability of the communication links and data communicated between bulk electric system Control Centers. While NERC and Trade Associations advocate further study of the risks associated with availability, we conclude that the risks associated with losing the availability of either data or communication links between bulk electric system Control Centers is supported by the existing record and warrants a directive to modify the CIP Reliability Standards.\41\ --------------------------------------------------------------------------- \41\ See Appelbaum Comments at 7, Bonneville Comments at 5, IRC Comments at 3, Dr. Liu Comments at 1, Reclamation Comments at 1. --------------------------------------------------------------------------- 31. We address several related issues raised in the comments. Commenters raise a concern that directing NERC to address requirements for certain aspects of availability, in particular redundancy and diverse routing, could have significant impacts on responsible entities using third-party telecommunications providers. Specifically, Trade Associations notes that responsible entities ``may not have sufficient control over the design of these networks to ensure that such requirements are met.'' \42\ Without control over these networks, commenters suggest that the only options for addressing availability would be to construct costly private networks or implement less secure internet-based connections.\43\ --------------------------------------------------------------------------- \42\ Trade Associations Comments at 12. \43\ See, e.g., id., Tri-State Comments at 2. --------------------------------------------------------------------------- 32. We are not persuaded by these arguments. Rather, as IRC correctly notes in its discussion of the challenges raised in securing third-party telecommunications networks, while the Commission lacks jurisdiction over telecommunication service providers that may own and operate the communication links between bulk electric system Control Centers, the Commission has the authority to require responsible entities to take actions to promote the availability of communication links through service contracts with network providers.\44\ For example, entities could enter into service contracts with telecommunication service providers that include an agreed-upon quality of service commitment to maintain the availability of the data exchange capability to minimize the availability risk. Such arrangements would mirror the approach in Reliability Standard CIP-013-1 (Cyber Security-- Supply Chain Risk Management), which also involved non-jurisdictional entities.\45\ NERC should likewise consider allowing responsible entities to contract with telecommunication service providers to minimize the risk of loss of [[Page 8166]] availability of communication links and data communicated between bulk electric system Control Centers in cases where communications between Control Centers are managed by a third party. --------------------------------------------------------------------------- \44\ IRC Comments at 3. \45\ The currently-approved supply chain risk management Reliability Standard exempts communication networks and data links between discrete Electronic Security Perimeters. See NERC Reliability Standard CIP-013-1, Applicability Section 4.2.3.2. --------------------------------------------------------------------------- 33. We agree with Reclamation's comment that protections for the availability of communication links and data communicated between bulk electric system Control Centers should encompass both entity-owned and third-party owned Control Centers. The intent of the Commission's directive is for NERC to address the risks associated with the availability of communication links and data communicated between all bulk electric system Control Centers, which will require coordination between neighboring responsible entities. 34. We reject Bonneville's recommendation that the Commission delay approval of Reliability Standard CIP-012-1 to allow for a pilot project on encryption. The record in this proceeding does not support a delay, and Bonneville's request conflicts with the implementation plan proposed by NERC.\46\ Moreover, the standard drafting team addressed the Commission's finding on this issue in Order No. 822. In Order No. 822, the Commission stated ``that any lag in communication speed resulting from implementation of protections should only be measurable on the order of milliseconds and, therefore, will not adversely impact Control Center communications . . . [but that] technical issues should be considered by the standard drafting team . . . e.g., by making certain aspects of the revised CIP Standards eligible for Technical Feasibility Exceptions.'' \47\ In response, NERC stated that the standard drafting team ``developed an objective-based rather than prescriptive requirement . . . [that] will allow Responsible Entities flexibility in mitigating the risks posed . . . in a manner suited to each of their respective operational environments.'' \48\ Accordingly, we determine not to delay approval of Reliability Standard CIP-012-1. --------------------------------------------------------------------------- \46\ See NERC Petition at Exhibit B. \47\ Order No. 822, 154 FERC ] 61,037 at P 62. \48\ NERC Petition, Exhibit D (Consideration of Issues and Directives) at 7. --------------------------------------------------------------------------- 35. We agree with Bonneville and Appelbaum that maintaining the availability of communication networks and data should include provisions for incident recovery and continuity of operations in a responsible entity's compliance plan. We recognize that the redundancy of communication links cannot always be guaranteed; responsible entities should therefore plan for both recovery of compromised communication links and use of backup communication capability should it be needed for redundancy (i.e., satellite or other alternate backup communications). 36. Accordingly, pursuant to section 215(d)(5) of the FPA, we direct that NERC develop modifications to the CIP Reliability Standards to require protections regarding the availability of communication links and data communicated between bulk electric system Control Centers, as discussed above. B. Scope of Bulk Electric System Data That Must Be Protected 1. NOPR 37. The NOPR observed that Reliability Standard CIP-012-1 requires the protection of Real-time Assessment and Real-time monitoring data. The Commission explained that that while Real-time Assessment is defined in the NERC Glossary, Real-time monitoring data is not defined. Accordingly, the NOPR expressed concern that Reliability Standard CIP- 012-1 does not clearly indicate the types of data to be protected. To address this, the Commission proposed to direct that NERC develop modifications to the CIP Reliability Standards to clearly identify the types of data that must be protected, including whether a NERC Glossary definition of Real-time monitoring would assist with implementation and compliance. 2. Comments 38. Appelbaum and Reclamation support the development of one or more definitions. Specifically, Reclamation recommends that the Commission direct NERC to develop definitions for the terms: (1) Real- time monitoring data; (2) Real-time data; (3) BES Data; (4) Operational Data; (5) System Planning Data; (6) availability and (7) Real-time monitoring. Appelbaum supports requiring a definition of Real-time monitoring given its importance to triggering alarms that system operators respond to and because it is an input to automatic dispatch. 39. NERC and other commenters maintain that a directive is unnecessary because the terms Real-time Assessment and Real-time monitoring are clear. NERC states that the ``language used in proposed Reliability Standard CIP-012-1, `Real-time Assessment and Real-time monitoring data,' is sufficient to identify the data as described in TOP-003-3 and IRO-010-2.'' \49\ Specifically, NERC explains that since the IRO and TOP Reliability Standards are the only currently-effective Reliability Standards that use the phrase Real-time monitoring and the term Real-time Assessment, ``[c]ompliance with these standards defines the data that is used in Real-time monitoring and Real-time Assessments.'' \50\ NERC concludes that by ``using this language that is only referenced in the IRO and TOP Reliability Standards families, proposed CIP-012-1 brings the data identified pursuant to TOP-003-3 and IRO-010-2 into scope.'' \51\ --------------------------------------------------------------------------- \49\ NERC Comments at 10. \50\ Id. \51\ Id. --------------------------------------------------------------------------- 40. Trade Associations and IRC concur with NERC that the scope of data subject to the requirements of proposed Reliability Standard CIP- 012-1 is adequately clear. According to Trade Associations, responsible Entities and NERC understand that the types of data covered in CIP-012- 1 is the data specified for Real-time Assessment and Real-time monitoring under TOP-003 and IRO-010. Similarly, IRC notes that ``all responsible entities must already know the universe of data needed for Real-time Assessment and Real-time monitoring activities in order to comply with NERC Reliability Standards TOP-003-3 and IRO-010-2.'' \52\ Regarding the concern raised in the NOPR that the term Real-time monitoring is not defined, IRC states that it ``sees no reason that the term should be presumed to mean something different from what it means in other places where it is used in the NERC Reliability Standards.''\53\ --------------------------------------------------------------------------- \52\ IRC Comments at 4. \53\ Id. --------------------------------------------------------------------------- 41. While Bonneville does not take a position on the NOPR proposal, it notes a concern over ``creating a compliance requirement to identify how different types of information are protected.'' \54\ Bonneville states that, generally, the use of the same data exchange infrastructure will result in all data using that infrastructure receiving the same protection regardless of data type. Therefore, Bonneville avers that, if the Commission directs NERC to define the scope of data to be protected, then ``a Responsible Entity should have the option to show that all data types are protected at the highest level using the same security protocols, without having to identify and show how specific types of data are protected.'' \55\ --------------------------------------------------------------------------- \54\ Reclamation Comments at 6. \55\ Id. --------------------------------------------------------------------------- 3. Commission Determination 42. In view of the comments, we determine not to adopt the NOPR [[Page 8167]] proposal to direct modifications to define the scope of data covered by Reliability Standard CIP-012-1. NERC, Trade Associations and IRC agree that Reliability Standard CIP-012-1 requires the protection of Real- time Assessment and Real-time monitoring data identified under Reliability Standards TOP-003-3 and IRO-010-2. This point is also confirmed in the Technical Rationale document for Reliability Standard CIP-012-1.\56\ We are persuaded that responsible entities must know the types of data needed for Real-time Assessment and Real-time monitoring activities in order to comply with Reliability Standards TOP-003-3 and IRO-010-2. --------------------------------------------------------------------------- \56\ NERC Petition, Exhibit F (Technical Rationale) at 1-2. --------------------------------------------------------------------------- 43. With this understanding, we are satisfied that the data protected under Reliability Standard CIP-012-1 is the same data identified under Reliability Standards TOP-003-3 and IRO-010-2. We determine that this clarification addresses the concern in the NOPR that not defining the types of data that must be protected under Reliability Standard CIP-012-1 could result in uneven compliance and enforcement. In addition, we agree with Bonneville that responsible entities may show that all data types are protected at the highest level using the same security protocols, without having to identify and show how specific types of data are protected, so long as the security protocols are reasonable. III. Information Collection Statement 44. The FERC-725B information collection requirements contained in this final rule are subject to review by the Office of Management and Budget (OMB) under section 3507(d) of the Paperwork Reduction Act of 1995.\57\ OMB's regulations require approval of certain information collection requirements imposed by agency rules.\58\ Upon approval of a collection of information, OMB will assign an OMB control number and expiration date. Respondents subject to the filing requirements of this rule will not be penalized for failing to respond to the collection of information unless the collection of information displays a valid OMB control number. --------------------------------------------------------------------------- \57\ 44 U.S.C. 3507(d). \58\ 5 CFR 1320. --------------------------------------------------------------------------- 45. The Commission received no comments on the validity of the burden and cost estimates in the NOPR. The Commission is updating the burden estimates and labor costs contained in the NOPR. The Commission in this final rule corrected an error from the NOPR in the row ``Identification of Security Protection Application (if not owned by same Responsible Entity) (Requirement R1.3)'' where the total number of hours was understated by 100,000, and all calculations based upon this error. 46. The Commission is submitting these reporting and recordkeeping requirements to OMB for its review and approval under section 3507(d) of the PRA. Comments are solicited on the Commission's need for this information, whether the information will have practical utility, the accuracy of the provided burden estimate, ways to enhance the quality, utility, and clarity of the information to be collected, and any suggested methods for minimizing the respondent's burden, including the use of automated information techniques. 47. The Commission bases its paperwork burden estimates on the changes in paperwork burden presented by Reliability Standard CIP-012- 1. 48. The NERC Compliance Registry, as of December 2019, identifies approximately 1,482 unique U.S. entities that are subject to mandatory compliance with Reliability Standards. Of this total, we estimate that 719 entities will face an increased paperwork burden under proposed Reliability Standard CIP-012-1. Based on these assumptions, we estimate the following reporting burden: --------------------------------------------------------------------------- \59\ We consider the filing of an application to be a ``response.'' \60\ The hourly cost for wages plus benefits is based on the average of the occupational categories for 2018 found on the Bureau of Labor Statistics website (http://www.bls.gov/oes/current/naics2_22.htm): Information Security Analysts (Occupation Code: 15-1122): $61.494 Computer and Mathematical (Occupation Code: 15-0000): $63.54 Legal (Occupation Code: 23-0000): $142.86 Computer and Information Systems Managers (Occupation Code: 11- 3021): $98.81. These various occupational categories' wage figures are averaged as follows: $61.494/hour + $63.54/hour + $142.86/hour + $98.81/hour) / 4 = $91.70/hour. The resulting wage figure is rounded to $92.00/ hour for use in calculating wage figures in the final rule in Docket No. RM18-20-000. \61\ This includes the record retention costs for the one-time and the on-going reporting documents. FERC-725B--Modifications Due to the Final Rule in Docket No. RM18-20-000 -------------------------------------------------------------------------------------------------------------------------------------------------------- Number of Number of responses \59\ Total number Avg. burden hrs. & cost per Total annual burden hours & total respondents per respondent of responses response \60\ annual cost (1) (2) (1) x (2) = (4).......................... (3) x (4) = 5 (3) -------------------------------------------------------------------------------------------------------------------------------------------------------- Implementation of Documented 719 1 719 128 hrs.; $11,776............ 92,032 hrs.; $8,466,944. Plan(s) (Requirement R1) \61\. Document Identification of 719 1 719 40 hrs.; $3,680.............. 28,560 hrs.; $2,645,920. Security Protection (Requirement R1.1) \61\. Identification of Security 719 1 719 20 hrs.; $1,840.............. 14,280 hrs.; $1,322,960. Protection Application (if owned by same Responsible Entity) (Requirement R1.2) \61\. Identification of Security 719 1 719 160 hrs.; $14,720............ 14,240 hrs.; $10,583,680. Protection Application (if not owned by same Responsible Entity) (Requirement R1.3) \61\. Maintaining Compliance (ongoing, 719 1 719 83 hrs.; $7,636.............. 59,677 hrs.; $5,490,284. starting in Year 2). ---------------------------------------------------------------------------------------------------------------------- Total (one-time, in Year 1).. .............. .............. 2,876 ............................. 250,212 hrs.; $23,019,504. Total (ongoing, starting in .............. .............. 719 ............................. 59,677 hrs.; $5,490,284. Year 2). -------------------------------------------------------------------------------------------------------------------------------------------------------- [[Page 8168]] 49. The one-time burden (in Year 1) for the FERC-725B information collection will be averaged over three years:250,212 hours / 3 = 83,404 hours/year over Years 1-3 The number of one-time responses for the FERC-725B information collection is also averaged over Years 1-3: 2,876 responses / 3 = 959 responses/year 50. The average annual number (for Years 1-3) of responses and burden for one-time and ongoing burden will total: 1,678 responses [959 responses (one-time) + 719 responses (ongoing)] 143,081 burden hours [83,404 hours (one-time) + 59,677 hours (ongoing)] hours (ongoing)] 51. Title: Mandatory Reliability Standards for Critical Infrastructure Protection [CIP] Reliability Standards. Action: Revisions to FERC-725B information collection. OMB Control No.: 1902-0248. Respondents: Businesses or other for-profit institutions; not-for- profit institutions. Frequency of Responses: One-time and Ongoing. Necessity of the Information: This final rule approves the requested modifications to Reliability Standards pertaining to critical infrastructure protection. As discussed above, the Commission approves NERC's proposed Reliability Standard CIP-012-1 pursuant to section 215(d)(2) of the FPA because they improve upon the currently-effective suite of cyber security Reliability Standards. Internal Review: The Commission has reviewed the proposed Reliability Standard and made a determination that its action is necessary to implement section 215 of the FPA. 52. Interested persons may obtain information on the reporting requirements by contacting the following: Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426 [Attention: Ellen Brown, Office of the Executive Director, email: [email protected], phone: (202) 502-8663, fax: (202) 273-0873]. 53. Please send comments concerning the collection of information and the associated burden estimate to the Commission, and to the Office of Management and Budget, Office of Information and Regulatory Affairs, 725 17th Street NW, Washington, DC 20503, Washington, DC 20503 [Attention: Desk Officer for the Federal Energy Regulatory Commission]. For security reasons, comments to OMB should be submitted by email to: [email protected]. Comments submitted to OMB should include FERC-725B (OMB Control No. 1902-0248). IV. Environmental Analysis 54. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment.\62\ The Commission has categorically excluded certain actions from this requirement as not having a significant effect on the human environment. Included in the exclusion are rules that are clarifying, corrective, or procedural or that do not substantially change the effect of the regulations being amended.\63\ The actions proposed herein fall within this categorical exclusion in the Commission's regulations. --------------------------------------------------------------------------- \62\ Regulations Implementing the National Environmental Policy Act of 1969, Order No. 486, FERC Stats. & Regs. ] 30,783 (1987). \63\ 18 CFR 380.4(a)(2)(ii). --------------------------------------------------------------------------- V. Regulatory Flexibility Act Analysis 55. The Regulatory Flexibility Act of 1980 (RFA) generally requires a description and analysis of proposed and final rules that will have significant economic impact on a substantial number of small entities.\64\ The Small Business Administration's (SBA) Office of Size Standards develops the numerical definition of a small business.\65\ The SBA revised its size standard for electric utilities (effective January 22, 2014) to a standard based on the number of employees, including affiliates (from the prior standard based on megawatt hour sales).\66\ --------------------------------------------------------------------------- \64\ 5 U.S.C. 601-12. \65\ 13 CFR 121.101. \66\ 13 CFR 121.201, Subsection 221. --------------------------------------------------------------------------- 56. Reliability Standard CIP-012-1 is expected to impose an additional burden on 719 entities \67\ (reliability coordinators [RC], generator operators [GOP], generator owners [GO], transmission operators [TOP], balancing authorities [BA], and transmission owners [TO]). --------------------------------------------------------------------------- \67\ Public utilities may fall under one of several different categories, each with a size threshold based on the company's number of employees, including affiliates, the parent company, and subsidiaries. These entities may be included in the SBA categories for: Hydroelectric Power Generation, Fossil Fuel Electric Power Generation, Nuclear Electric Power Generation, Solar Electric Power Generation, Wind Electric Power Generation Geothermal Electric Power Generation, Biomass Electric Power Generation, Other Electric Power Generation, Biomass Electric Power Generation, or Electric Bulk Power Transmission and Control. These categories have thresholds for small entities varying from 250-750 employees. For the analysis in this final rule, we are using a conservative threshold of 750 employees. --------------------------------------------------------------------------- 57. Of the 719 affected entities discussed above, we estimate that approximately 82% percent of the affected entities are small entities. We estimate that each of the 590 small entities to whom the modifications to Reliability Standard CIP-012-1 apply will incur one- time, non-paperwork cost in Year 1 of approximately $17,051, plus paperwork cost in Year 1 of $32,016, giving a total cost in Year 1 of $49,067. In Year 2 and Year 3, each entity will incur only the ongoing annual paperwork cost of $7,594. We do not consider the estimated costs for these 590 small entities to be a significant economic impact. 58. Accordingly, we certify that Reliability Standard CIP-012-1 will not have a significant economic impact on a substantial number of small entities. VI. Effective Date and Congressional Notification 59. This final rule is effective April 13, 2020. The Commission has determined, with the concurrence of the Administrator of the Office of Information and Regulatory Affairs of OMB, that this rule is not a ``major rule'' as defined in section 351 of the Small Business Regulatory Enforcement Fairness Act of 1996. This final rule is being submitted to the Senate, House, and Government Accountability Office. VII. Document Availability 60. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the internet through the Commission's Home Page (http://www.ferc.gov) and in the Commission's Public Reference Room during normal business hours (8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE, Room 2A, Washington, DC 20426. 61. From the Commission's Home Page on the internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number of this document, excluding the last three digits, in the docket number field. 62. User assistance is available for eLibrary and the Commission's website during normal business hours from the Commission's Online Support at (202)502-6652 (toll free at 1-866-208-3676) or email at [email protected], or the Public Reference Room at (202) 502- 8371, TTY (202) 502-8659. Email the Public Reference Room at [email protected]. [[Page 8169]] By the Commission. Issued: January 23, 2020. Kimberly D. Bose, Secretary. Note: The following Appendix will not appear in the Code of Federal Regulations. Appendix--Commenters ------------------------------------------------------------------------ Abbreviation Commenter ------------------------------------------------------------------------ Appelbaum.............................. Jonathan Appelbaum. Bonneville............................. Bonneville Power Administration. IRC.................................... ISO/RTO Council. Dr. Liu................................ Dr. Chen-Ching Liu. NERC................................... North American Electric Reliability Corporation. Reclamation............................ Bureau of Reclamation. Trade Associations..................... American Public Power Association, Edison Electric Institute, National Rural Electric Cooperative Association. Tri-State.............................. Tri-State Generation and Transmission Association, Inc. ------------------------------------------------------------------------ [FR Doc. 2020-02173 Filed 2-12-20; 8:45 am] BILLING CODE 6717-01-P