-
Start Preamble
AGENCY:
Federal Energy Regulatory Commission.
ACTION:
Notice of proposed rulemaking.
SUMMARY:
Pursuant to the section regarding Electric Reliability of the Federal Power Act, the Federal Energy Regulatory Commission (Commission) proposes to approve Reliability Standard CIP-014-1 (Physical Security). The North American Electric Reliability Corporation, the Commission-certified Electric Reliability Organization, submitted the proposed Reliability Standard for Commission approval in response to a Commission order issued on March 7, 2014. The purpose of proposed Reliability Standard CIP-014-1 is to enhance physical security measures for the most critical Bulk-Power System facilities and thereby lessen the overall vulnerability of the Bulk-Power System against physical attacks. The Commission proposes to approve Reliability Standard CIP-014-1. In addition, the Commission proposes to direct NERC to develop two modifications to the physical security Reliability Standard and seeks comment on other issues.
DATES:
Comments are due September 8, 2014. Reply comments are due September 22, 2014.
ADDRESSES:
Comments, identified by docket number, may be filed in the following ways:
- Electronic Filing through http://www.ferc.gov/: Documents created electronically using word processing software should be filed in native applications or print-to-PDF format and not in a scanned format.
- Mail/Hand Delivery: Those unable to file electronically may mail or hand-deliver comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE., Washington, DC 20426.
Instructions: For detailed instructions on submitting comments and additional information on the rulemaking process, see the Comment Procedures Section of this document
Start Further InfoFOR FURTHER INFORMATION CONTACT:
Regis Binder (Technical Information), Office of Electric Reliability, Division of Reliability Standards and Security, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, Telephone: (301) 665-1601, Regis.Binder@ferc.gov.
Matthew Vlissides (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426, Telephone: (202) 502-8408, Matthew.Vlissides@ferc.gov.
End Further Info End Preamble Start Supplemental InformationSUPPLEMENTARY INFORMATION:
1. Pursuant to section 215 of the Federal Power Act (FPA), the Start Printed Page 42735Commission proposes to approve Reliability Standard CIP-014-1 (Physical Security). The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), submitted the proposed Reliability Standard for Commission approval in response to a Commission order issued on March 7, 2014.[1] The purpose of the proposed Reliability Standard CIP-014-1 is to enhance physical security measures for the most critical Bulk-Power System facilities and thereby lessen the overall vulnerability of the Bulk-Power System facilities against physical attacks. The Commission proposes to approve Reliability Standard CIP-014-1. In addition, the Commission proposes to direct NERC to develop two modifications to the physical security Reliability Standard. Further, the Commission seeks comment on other concerns regarding the proposed Reliability Standard, as discussed below.
I. Background
A. Section 215 and Mandatory Reliability Standards
2. Section 215 of the FPA requires the Commission to certify an ERO to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval.[2] Once approved, the Reliability Standards may be enforced in the United States by the ERO, subject to Commission oversight, or by the Commission independently.[3]
B. March 7 Order
3. In the March 7 Order, the Commission determined that physical attacks on the Bulk-Power System could adversely impact the reliable operation of the Bulk-Power System, resulting in instability, uncontrolled separation, or cascading failures. Moreover, the Commission observed that the current Reliability Standards do not specifically require entities to take steps to reasonably protect against physical security attacks on the Bulk-Power System. Accordingly, to carry out section 215 of the FPA and to provide for the reliable operation of the Bulk-Power System, the Commission directed NERC, pursuant to FPA section 215(d)(5), to develop and file for approval proposed Reliability Standards that address threats and vulnerabilities to the physical security of critical facilities on the Bulk-Power System.[4]
4. The March 7 Order indicated that the Reliability Standards should require owners or operators of the Bulk-Power System to take at least three steps to address the risks that physical security attacks pose to the reliable operation of the Bulk-Power System. Specifically, the March 7 Order directed that: (1) The Reliability Standards should require owners or operators of the Bulk-Power System to perform a risk assessment of their systems to identify their “critical facilities;” (2) the Reliability Standards should require owners or operators of the identified critical facilities to evaluate the potential threats and vulnerabilities to those identified facilities; and (3) the Reliability Standards should require those owners or operators of critical facilities to develop and implement a security plan designed to protect against attacks to those identified critical facilities based on the assessment of the potential threats and vulnerabilities to their physical security.
5. The March 7 Order stated that the risk assessment used by an owner or operator to identify critical facilities should be verified by an entity other than the owner or operator, such as by NERC, the relevant Regional Entity, a reliability coordinator, or another entity.[5] In addition, the March 7 Order indicated that the Reliability Standards should include a procedure for the verifying entity, as well as the Commission, to add or remove facilities from an owner's or operator's list of critical facilities.[6] The March 7 Order further stated that the determination of threats and vulnerabilities and the security plan should be reviewed by NERC, the relevant Regional Entity, the reliability coordinator, or another entity with appropriate expertise.
6. The March 7 Order stated that, because the three steps of compliance with the contemplated Reliability Standards could contain sensitive or confidential information that, if released to the public, could jeopardize the reliable operation of the Bulk-Power System, NERC should include in the Reliability Standards a procedure that will ensure confidential treatment of sensitive or confidential information but still allow for the Commission, NERC and the Regional Entities to review and inspect any information that is needed to ensure compliance with the Reliability Standards.
7. The Commission directed NERC to submit the proposed Reliability Standards to the Commission for approval within 90 days of issuance of the March 7 Order (i.e., June 5, 2014).
C. NERC Petition
8. On May 23, 2014, NERC petitioned the Commission to approve proposed Reliability Standard CIP-014-1 and its associated violation risk factors and violation severity levels, implementation plan, and effective date.[7] NERC maintains that the proposed Reliability Standard is just, reasonable, not unduly discriminatory, or preferential, and in the public interest. In addition, NERC asserts that the proposed Reliability Standard complies with the Commission's directives in the March 7 Order.
9. NERC explains that proposed Reliability Standard CIP-014-1 “serves the vital reliability goal of enhancing physical security measures for the most critical Bulk-Power System facilities and lessening the overall vulnerability of the Bulk-Power System to physical attacks.” [8] NERC maintains that the “appropriate focus of the proposed Reliability Standard is Transmission stations and Transmission substations, which are uniquely essential elements of the Bulk-Power System.” [9] The proposed Reliability Standard is applicable to transmission owners that satisfy the Applicability Sections 4.1.1.1, 4.1.1.2, 4.1.1.3, or 4.1.1.4 and to transmission operators. NERC states that the transmission facilities covered by Applicability Sections 4.1.1.1 through 4.1.1.4 match the “Medium Impact” transmission facilities listed in Attachment 1 of Reliability Standard Start Printed Page 42736CIP-002-5.1.[10] According to NERC, the “standard drafting team determined that using the criteria for `Medium Impact' Transmission Facilities set forth in Reliability Standard CIP-002-5.1 is an appropriate applicability threshold as the Commission has acknowledged that it is [ ] a technically sound basis for identifying Transmission Facilities, which, if compromised, would present an elevated risk to the Bulk-Power System.” [11]
10. Proposed Reliability Standard CIP-014-1 has six requirements. Requirement R1 requires applicable transmission owners to perform risk assessments on a periodic basis to identify their transmission stations and transmission substations that, if rendered inoperable or damaged, could result in widespread instability, uncontrolled separation, or cascading within an Interconnection. Requirement R1 also requires transmission owners to identify the primary control center that operationally controls each of the identified transmission stations or transmission substations.
11. Requirement R2 requires that each applicable transmission owner have an unaffiliated third party with appropriate experience verify the risk assessment performed under Requirement R1. Requirement R2 states that the transmission owner must either modify its identification of facilities consistent with the verifier's recommendation or document the technical basis for not doing so. In addition, Requirement R2 requires each transmission owner to implement procedures for protecting sensitive or confidential information made available to third party verifiers or developed under the proposed Reliability Standard from public disclosure.
12. Requirement R3 requires the transmission owner to notify a transmission operator that operationally controls a primary control center identified under Requirement R1 of such identification to ensure that the transmission operator has notice of the identification so that it may timely fulfill its obligations under Requirements R4 and R5 to protect the primary control center.
13. Requirement R4 requires each applicable transmission owner and transmission operator to conduct an evaluation of the potential threats and vulnerabilities of a physical attack on each of its respective transmission stations, transmission substations, and primary control centers identified as critical in Requirement R1.
14. Requirement R5 requires each transmission owner and transmission operator to develop and implement documented physical security plans that cover each of their respective transmission stations, transmission substations, and primary control centers identified as critical in Requirement R1.
15. Requirement R6 requires that each transmission owner and transmission operator subject to Requirements R4 and R5 have an unaffiliated third party with appropriate experience review its Requirement R4 evaluation and Requirement R5 security plan. Requirement R6 states that the transmission owner or transmission operator must either modify its evaluation and security plan consistent with the recommendation, if any, of the reviewer or document its reasons for not doing so.
II. Discussion
16. Pursuant to FPA section 215(d)(2), we propose to approve proposed Reliability Standard CIP-014-1 as just, reasonable, not unduly discriminatory or preferential, and in the public interest. In addition, the Commission proposes to approve the violation risk factors, violation severity levels, implementation plan, and effective date proposed by NERC.
17. The proposed Reliability Standard CIP-014-1 largely satisfies the directives in the March 7 Order concerning the development and submittal of proposed physical security Reliability Standards. However, as discussed below, the Commission proposes to direct NERC to develop a modification to the physical security Reliability Standard to allow applicable governmental authorities (i.e., the Commission and any other appropriate federal or provincial authorities) to add or subtract facilities from an applicable entity's list of critical facilities under Requirement R1. The Commission also proposes to direct NERC to modify the physical security Reliability Standard to remove the term “widespread.”
18. In addition to the proposed modifications to the physical security Reliability Standard, the Commission proposes to direct NERC to make an informational filing within six months of the effective date of a final rule in this proceeding addressing the possibility that, as described below, proposed Reliability Standard CIP-014-1 may not provide physical security for all “High Impact” control centers, as that term is defined in Reliability Standard CIP-002-5.1, necessary for the reliable operation of the Bulk-Power System. The Commission also proposes to direct NERC to make an informational filing within one year of the effective date of a final rule in this proceeding addressing possible resiliency measures that can be taken to maintain the reliable operation of the Bulk-Power System following the loss of critical facilities.
19. Below, the Commission discusses and seeks comment from NERC and interested entities on the following issues: (A) Providing for applicable governmental authorities to add or subtract facilities from an entity's list of critical facilities; (B) the standard for identifying critical facilities; (C) control centers; (D) exclusion of generators from the applicability section of the proposed Reliability Standard; (E) third-party recommendations; (F) resiliency; (G) violation risk factors and violation severity levels; and (H) implementation plan and effective date.
A. Applicable Governmental Authority's Ability To Add or Subtract Facilities From an Entity's List of Critical Facilities
March 7 Order
20. In the March 7 Order, the Commission stated that:
[T]he risk assessment used by an owner or operator to identify critical facilities should be verified by an entity other than the owner or operator. Such verification could be performed by NERC, the relevant Regional Entity, a Reliability Coordinator, or another entity. The Reliability Standards should include a procedure for the verifying entity, as well as the Commission, to add or remove facilities from an owner's or operator's list of critical facilities. Similarly, the determination of threats and vulnerabilities and the security plan should also be reviewed by NERC, the relevant Regional Entity, the Reliability Coordinator, or another entity with appropriate expertise. Finally, the Reliability Standards should require that the identification of the critical facilities, the assessment of the potential risks and vulnerabilities, and the security plans be periodically reevaluated and revised to ensure their continued effectiveness. NERC should establish a timeline for when such reevaluations should occur.[12]
NERC Petition
21. The proposed Reliability Standard does not include a procedure that allows the Commission to add or subtract facilities from an applicable entity's list of critical facilities under Requirement R1. Instead, NERC states that the Commission has the existing authority to enforce NERC Reliability Standards pursuant to FPA section Start Printed Page 42737215(e)(3).[13] NERC explains that a transmission owner must be able to demonstrate that its method for performing its risk assessment under Requirement R1 “was technically sound and reasonably designed to identify its critical Transmission stations and Transmission substations.” [14] NERC maintains that if “in the course of assessing an entity's compliance with the proposed Reliability Standard, NERC, a Regional Entity or [the Commission] finds that the entity's transmission analysis was patently deficient and that the Requirement R2 verification process did not cure those deficiencies, they could use their enforcement authority to compel Transmission Owners to re-perform the risk assessment using assumptions designed to identify the appropriate critical facilities.” [15]
Discussion
22. The proposed Reliability Standard does not include a procedure that allows the Commission to add or subtract facilities from an applicable entity's list of critical facilities. Accordingly, if the Commission determines through an audit of an applicable entity, or through some other means, that a critical facility does not appear on the entity's list of critical facilities, there is no provision in the proposed Reliability Standard to allow the Commission to require its inclusion. We agree with NERC that failure to identify a critical facility would be a violation of Requirement R1, and thus could subject the relevant applicable entity to compliance or enforcement actions. However, we believe that NERC's proposal is not an equally efficient or effective alternative to the directive in the March 7 Order. While the Commission anticipates that we would exercise such authority only rarely, we propose to direct NERC to modify the physical security Reliability Standard to include a procedure that would allow applicable governmental authorities to add or subtract facilities from an applicable entity's list of critical facilities.
23. As discussed above, we agree with NERC that an applicable entity's failure to develop an appropriate list of critical facilities consistent with Requirement R1, even if the list is verified by a third-party under Requirement R2, constitutes non-compliance with Requirement R1. According to NERC, the corrective action for non-compliance would be to require the applicable entity to correct and repeat the Requirement R1 assessment, with the expectation that the omitted facility would then be assessed as critical. While NERC appears to expect that correcting and re-performing the assessment would result in the applicable entity adding to its critical facilities list the previously omitted facility or facilities that the Commission thought critical, there is no guarantee that would happen in a timely manner, if at all. We are concerned that, as currently proposed, the Commission, NERC, or Regional Entities cannot “effectively require Transmission Owners to add or remove facilities” under Requirement R1.[16] Accordingly, we propose to determine that NERC's proposal does not satisfy the directive in the March 7 Order, either directly or in an equally efficient and effective manner. We therefore propose to direct that NERC develop a modification to the physical security Reliability Standard to include a procedure that would allow applicable governmental authorities, i.e., the Commission and any other appropriate federal or provincial authorities, to add or subtract facilities from an applicable entity's list of critical facilities.
24. The Commission seeks comment on this proposed directive.
B. Standard for Identifying Critical Facilities
March 7 Order
25. The March 7 Order stated that a critical facility is “one that, if rendered inoperable or damaged, could have a critical impact on the operation of the interconnection through instability, uncontrolled separation or cascading failures on the Bulk-Power System.” [17]
NERC Petition
26. The proposed Reliability Standard states that its purpose is to “identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.” Requirement R1 of the proposed Reliability Standard states that the “initial and subsequent risk assessments shall consist of a transmission analysis or transmission analyses designed to identify the Transmission station(s) and Transmission substation(s) that if rendered inoperable or damaged could result in widespread instability, uncontrolled separation, or Cascading within an Interconnection.” In the technical guidance document appended to the proposed Reliability Standard, which is intended to assist applicable entities to identify critical facilities under Requirement R1, NERC indicates that, in performing its risk assessment to identify critical transmission stations and transmission substations, “[a]n entity could remove all lines, without regard to the voltage level, to a single Transmission station or Transmission substation and review the simulation results to assess system behavior to determine if Cascading of Transmission Facilities, uncontrolled separation, or voltage or frequency instability is likely to occur over a significant area of the Interconnection.” [18] The NERC petition also uses the term “uncontrollable impact” to describe the scope of the proposed Reliability Standard.[19]
Discussion
27. The Commission proposes to direct NERC to modify the physical security Reliability Standard to remove the term “widespread” as it appears in the proposed Reliability Standard in the phrase “widespread instability.” The phrase “widespread instability” is undefined by NERC and is inconsistent with the March 7 Order's explanation of “critical facility” and the definition of “reliable operation” in FPA section 215(a)(4).[20]
28. The phrase “widespread instability” in Requirement R1 could, depending on the meaning of “widespread,” narrow the scope (and number) of identified critical facilities under the proposed Reliability Standard beyond what was contemplated in the March 7 Order. The March 7 Order required the identification of facilities whose loss could result in instability, uncontrolled separation, or cascading failures, which is consistent with the definition of “reliable operation” in FPA section 215(a)(4). The term “widespread” is undefined and could potentially render the Reliability Standard unenforceable or could lead to an inadequate level of reliability by Start Printed Page 42738omitting facilities that are critical to the reliable operation of the Bulk-Power System.
29. Accordingly, pursuant to section 215(d)(5) of the FPA, we propose to direct that NERC develop a modification to Reliability Standard CIP-014-1 to remove the term “widespread” as it appears in the proposed standard in the phrase “widespread instability.” The Commission seeks comment on this proposal.
C. Control Centers
March 7 Order
30. The March 7 Order stated that a “critical facility is one that, if rendered inoperable or damaged, could have a critical impact on the operation of the interconnection through instability, uncontrolled separation or cascading failures on the Bulk-Power System.” [21] The March 7 Order, while not mandating that a minimum number of facilities be deemed critical under the physical security Reliability Standards, explained that the “Commission expects that critical facilities generally will include, but not be limited to, critical substations and critical control centers.” [22]
NERC Petition
31. NERC states that the proposed Reliability Standard addresses the protection of primary control centers, which NERC defines as facilities that “operationally control[] a Transmission station or Transmission substation when the electronic actions from the control center can cause direct physical actions at the identified Transmission station or Transmission substation, such as opening a breaker.” [23]
32. NERC maintains that “[c]ontrol centers that provide back-up capability and control centers that cannot operationally control a critical Transmission station or Transmission substation do not present similar direct risks to Real-time operations if they are the target of a physical attack,” and thus they are not covered by the proposed Reliability Standard.[24] NERC explains that the destruction of a back-up control center would “have no direct reliability impact in Real-time as the entity can continue operating . . . from its primary control center.” [25] With respect to control centers that do not physically operate Bulk-Power System facilities, such as control centers operated by reliability coordinators, NERC states that, while “certain monitoring and oversight capabilities might be lost as a result of a physical attack on such control centers, the Transmission Owner or Transmission Operator that operationally controls the critical Transmission station or Transmission substation would be able to continue operating its transmission system to prevent widespread instability, uncontrolled separation, or Cascading within an Interconnection.” [26]
33. NERC acknowledges that certain control centers categorized as “High Impact” or “Medium Impact” under Reliability Standard CIP-002-5.1 (Cyber Security—BES Cyber System Categorization) would not be covered control centers under the proposed Reliability Standard.[27] NERC explains that this:
Reflects the different nature of cyber security risks and physical security risks at control centers . . . [a] primary cyber security concern for control centers is the corruption of data or information and the potential for operators to take action based on corrupted data or information . . . [and] [t]his concern exists at control centers that operationally control Bulk-Power System facilities and those that do not. As such, there is no distinction in CIP-002-5.1 between these control centers . . . however, such a distinction is appropriate in the physical security context.[28]
34. NERC points out that Reliability Standard CIP-006-5 already requires physical security protections that are “designed to restrict physical access to locations containing High and Medium Impact Cyber Systems,” which include control centers and backup control centers for reliability coordinators, balancing authorities, transmission operators and generation operators irrespective of their ability to operationally control Bulk-Power System facilities.[29]
Discussion
35. The Commission proposes to direct NERC to make an informational filing within six months of the effective date of a final rule in this proceeding indicating whether the development of Reliability Standards that provide physical security for all “High Impact” control centers, as that term is defined in Reliability Standard CIP-002-5.1, is necessary for the reliable operation of the Bulk-Power System.
36. Proposed Reliability Standard CIP-014-1, Requirement R1.2 requires applicable transmission owners to “identify the primary control center that operationally controls each Transmission station or Transmission substation identified in the Requirement R1 risk assessment.” Thus the proposed Reliability Standard, while addressing transmission owners' primary control centers, does not encompass transmission owner back-up control centers or any control centers owned or operated by other functional entity types, such as reliability coordinators, balancing authorities, and generator operators.
37. Primary and back-up control centers of functional entities other than transmission owners and operators identified as “High Impact” may warrant assessment and physical security controls under this Reliability Standard because a successful attack could prevent or impair situational awareness, especially from a wide-area perspective, or could allow attackers to distribute misleading and potentially harmful data and operating instructions that could result in instability, uncontrolled separation, or cascading failures.
38. NERC's petition recognizes that Reliability Standard CIP-006-5 (Cyber Security—Physical Security of BES Cyber Systems) already requires certain physical security protections for applicable primary and backup control centers of reliability coordinators, balancing authorities, transmission operators, and generator operators. Reliability Standard CIP-006-5 applies to primary and backup control centers containing BES Cyber Systems that are “High Impact” or “Medium Impact,” as defined in Reliability Standard CIP-002-5.1, Attachment 1. “High Impact” facilities include the control centers and backup control centers of reliability coordinators and certain balancing authorities, transmission operators, and generator operators. The “Medium Impact” categorization applies to all transmission operator primary and backup control centers not categorized as “High Impact” and to primary and backup control centers for certain generator operators and balancing authorities.
39. The proposed informational filing should address whether there is a need for consistent treatment of “High Impact” control centers for cybersecurity and physical security purposes through the development of Reliability Standards that afford physical protection to all “High Impact” control centers. The Commission notes that the development of physical security protections for all “High Impact” control centers would not be Start Printed Page 42739without precedent because, as noted above, Reliability Standard CIP-006-5 already requires that “High Impact” control centers have some physical protections, including restrictions on physical access, to protect BES Cyber Assets. However, the security measures required by Reliability Standard CIP-006-5 may not be comparable to those required by proposed Reliability Standard CIP-014-1, and thus may not be sufficient to “deter, detect, delay, assess, communicate, and respond to potential threats and vulnerabilities” as required in Requirement R5 of the proposed Reliability Standard. Further, Reliability Standard CIP-006-5 does not require an “unaffiliated third party review” of the evaluation and security plan required by proposed Reliability Standard CIP-014-1.
40. The Commission seeks comment on this proposal.
D. Generators
March 7 Order
41. The March 7 Order did not direct NERC to make the physical security Reliability Standards applicable to specific functional entity types. The March 7 Order stated that “some of the requirements imposed by these newly proposed Reliability Standards may best be performed by the owner and other activity may best be performed by the operator,” and that NERC should clearly indicate which entity is responsible for each requirement.[30] With regard to the applicable types of facilities, the Commission stated that it “is not requiring NERC to adopt a specific type of risk assessment, nor is the Commission requiring that a mandatory number of facilities be identified as critical facilities under the Reliability Standards.” [31]
NERC Petition
42. In explaining why the proposed Reliability Standard does not include generator owners and generator operators as applicable entities, the standard drafting team found that:
It was not necessary to include Generator Operators and Generator Owners in the Reliability Standard. First, Transmission stations or Transmission substations interconnecting generation facilities are considered when determining applicability. Transmission Owners will consider those Transmission stations and Transmission substations that include a Transmission station on the high side of the Generator Step-up transformer (GSU) using Applicability Section 4.1.1.1 and 4.1.1.2 . . . Second, the transmission analysis or analyses conducted under Requirement R1 should take into account the impact of the loss of generation connected to applicable Transmission stations or Transmission substations. Additionally, the [Commission] order does not explicitly mention generation assets and is reasonably understood to focus on the most critical Transmission Facilities.[32]
43. NERC explains that generator owners and generator operators were not included in the applicability section because, “while the loss of a generator facility due to a physical attack may have local reliability effects, the loss of the facility is unlikely to have the widespread, uncontrollable impact” contemplated in the March 7 Order.[33] NERC maintains that a “generation facility does not have the same critical functionality as certain Transmission stations and Transmission substations due to the limited size of generating plants, the availability of other generation capacity connected to the grid, and planned resilience of the transmission system to react to the loss of a generation facility.” [34]
Discussion
44. The Commission proposes to approve the applicability section of the proposed Reliability Standard without the inclusion of generator owners and generator operators. Omitting generator owners and generator operators from the applicability section is consistent with the March 7 Order. The March 7 Order explained that the “number of facilities identified as critical will be relatively small compared to the number of facilities that comprise the Bulk-Power System.” [35] We affirm this understanding and approach to physical security. The directive from the March 7 Order was intended to fill a recognized gap in the reliable operation of the Bulk-Power System. From that perspective, it is reasonable to focus attention on the most critical facilities in order to provide the most effective use of resources while adequately addressing the identified reliability gap.
45. Accordingly, we propose to accept NERC's justification for excluding generator owners and operators because it is in keeping with the March 7 Order's focus on protecting the most critical facilities. NERC explains that a generation facility “does not have the same critical functionality as certain Transmission stations and Transmission substations due to the limited size of generating plants, the availability of other generation capacity connected to the grid, and planned resilience of the transmission system to react to the loss of a generation facility.” [36] Also, as NERC points out, Requirement R1 mandates a transmission analysis that accounts for transmission owner or transmission operator-owned substations that connect generating stations to the Bulk-Power System with step-up transformers. The Commission seeks comment on this proposal. In addition, while we propose to accept the applicability section of the proposed Reliability Standard, we note that NERC's proposed omission of generator owners and generator operators could potentially exempt substations owned or operated by generators. The Commission seeks comment on the potential reliability impact of excluding generator owned or operated substations.
E. Third-Party Recommendations
March 7 Order
46. In the March 7 Order, the Commission stated that “the risk assessment used by an owner or operator to identify critical facilities should be verified by an entity other than the owner or operator . . . [and] [s]imilarly, the determination of threats and vulnerabilities and the security plan should also be reviewed by NERC, the relevant Regional Entity, the Reliability Coordinator, or another entity with appropriate expertise.” [37]
NERC Petition
47. Requirement R2 of the proposed Reliability Standard requires transmission owners to have their risk assessments verified by an unaffiliated third party. Requirement R6, likewise, requires each transmission owner and transmission operator to have its vulnerability and threat assessment(s) along with its security plan(s) for any critical facilities reviewed by an unaffiliated third party.
48. Regarding how an applicable entity is supposed to address any recommendations by a third-party verifier, the proposed Reliability Standard, in Requirement R2.3, states that the transmission owner must either Start Printed Page 42740(a) “modify its identification . . . consistent with the recommendation” or (b) “document the technical basis for not modifying the identification in accordance with the recommendation.” Similarly, Requirement R6.3 explains the procedure for considering any recommendations from the reviewing entity as to the threat assessments and security plans: the applicable entity must either (a) “modify its evaluation or security plan(s) consistent with the recommendation” or (b) “document the reason(s) for not modifying the evaluation or security plan(s) consistent with the recommendation.”
49. NERC states that “[r]equiring documentation of the technical basis for not modifying the identification in accordance with the recommendation will help ensure that a Transmission Owner meaningfully considers the verifier's recommendations and follows those recommendations unless it can technically justify its reasons for not doing so. To comply with Part 2.3, the technical justification must be sound and based on acceptable approaches to conducting transmission analyses.” [38] The NERC petition contains a similar explanation for the third-party review (Requirement R6) of the threat assessments and security plans mandated in Requirements R4 and R5.[39]
Discussion
50. We propose to approve the proposed Reliability Standard, including the third-party verification and review method proposed by NERC in Requirements R2 and R6. Failure to provide a written, technically justifiable reason for rejecting a third-party recommendation would render the applicable entity non-compliant. With that understanding, we propose to approve NERC's proposal regarding third-party verification and review in Requirements R2 and R6 of the proposed Reliability Standard as an equally efficient and effective alternative to the directive in the March 7 Order.
51. The Commission seeks comment on this proposal.
F. Resiliency
March 7 Order
52. In the March 7 Order, the Commission stated that the development of physical security Reliability Standards “will help provide for the resiliency and reliable operation of the Bulk-Power System. To that end, the proposed Reliability Standards should allow owners or operators to consider resiliency of the grid in the risk assessment when identifying critical facilities, and the elements that make up those facilities, such as transformers that typically require significant time to repair or replace. As part of this process, owners or operators may consider elements of resiliency such as how the system is designed, operated, and maintained, and the sophistication of recovery plans and inventory management.” [40]
NERC Petition
53. The proposed Reliability Standard mentions resiliency in Requirement R5, stating in Requirement R5.1 that the physical security plans that entities develop shall include, among other attributes: “Resiliency or security measures designed collectively to deter, detect, delay, assess, communicate, and respond to potential physical threats and vulnerabilities identified during the evaluation conducted in Requirement R4.” The NERC petition describes Requirement R5.1, with regard to resiliency, as referring to “steps an entity may take that, while not specifically targeted as hardening the physical security of the site, help to decrease the potential adverse impact of a physical attack . . . including modifications to system topology or the construction of a new Transmission station . . . that would lessen the criticality of the facility.” [41]
Discussion
54. The NERC petition describes resiliency measures that could be included in the required physical security plans. However, specific resiliency measures are not required by the proposed Reliability Standard, which is consistent with the March 7 Order. Instead, the proposed Reliability Standard allows the security plans to be flexible in order to meet different threats and protect varying Bulk-Power System configurations.
55. Resiliency is as, or even more, important than physical security given that physical security cannot protect against all possible attacks. In the case of the loss of a substation, the Bulk-Power System may depend on resiliency to minimize the impact of the loss of facilities and restore blacked-out portions of the Bulk-Power System as quickly as possible. Some entities may implement resiliency measures rather than security measures, such as by adding facilities or operating procedures that reduce or eliminate the importance of existing critical facilities. Such measures could significantly improve reliability and resiliency.
56. According to the NERC petition, the NERC Board of Trustees expects NERC management to monitor and assess the implementation of the proposed Reliability Standard on an ongoing basis.[42] According to NERC, this effort includes: The number of assets identified as critical under the proposed Reliability Standard; the defining characteristics of the assets identified as critical; the scope of security plans (i.e., the types of security and resiliency measures contemplated under the various security plans); the timelines included in the security plan for implementing the security and resiliency measures; and industry progress in implementing the proposed Reliability Standard. NERC explains that this information could be used to provide regular updates to Commission staff.[43] The Commission proposes to rely on NERC's ongoing assessment of the proposed Reliability Standard's implementation and to require NERC to make such information available to Commission staff upon request.
57. In addition, the Commission proposes to direct NERC to submit an informational filing that addresses the resiliency of the Bulk-Power System when confronted with the loss of critical facilities. The informational filing should explore what steps can be taken, in addition to those required by the proposed Reliability Standard, to maintain the reliable operation of the Bulk-Power System when faced with the loss or degradation of critical facilities. In this regard, we note that NERC issued a report on severe impact resilience in 2012.[44] The filing proposed here could draw on NERC's 2012 report but should also reflect subsequent work and development on this topic, particularly non-confidential information regarding supply chain, transporting and other logistical issues for equipment such as large transformers. The Commission proposes to direct NERC to submit the informational filing within one year after the effective date of the final rule in this proceeding. The Commission seeks comment on this proposal.
G. Violation Risk Factors and Violation Severity Levels
58. Each requirement of proposed Reliability Standard CIP-014-1 includes one violation risk factor and has an Start Printed Page 42741associated set of at least one violation severity level. The ranges of penalties for violations will be based on the sanctions table and supporting penalty determination process described in the Commission-approved NERC Sanction Guidelines, according to the NERC petition. The Commission proposes to approve the proposed violation risk factors and violation severity levels for the requirements proposed in Reliability Standard CIP-014-1 as consistent with the Commission's established guidelines.[45]
H. Implementation Plan and Effective Date
59. The NERC petition proposes that proposed Reliability Standard CIP-014-1 become effective the “first day of the first calendar quarter that is six months beyond the date that this standard is approved by applicable regulatory authorities.” In other words, the effective date of the proposed Reliability Standard would be the first day of the first calendar quarter that is six months after the effective date of a final rule in this proceeding approving the proposed Reliability Standard.[46] NERC states that the initial risk assessment required under Requirement R1 must be completed by or before the effective date of the proposed Reliability Standard.[47] As described in the requirements of the proposed Reliability Standard, NERC also identifies when Requirements R2, R3, R4, R5, and R6 must be complied with following the effective date of the proposed Reliability Standard. The Commission proposes to approve NERC's implementation plan and effective date for proposed Reliability Standard CIP-014-1.
III. Information Collection Statement
60. The Office of Management and Budget (OMB) regulations require approval of certain information collection requirements imposed by agency rules. Upon approval of a collection(s) of information, OMB will assign an OMB control number and an expiration date. Respondents subject to the filing requirements of an agency rule will not be penalized for failing to respond to these collections of information unless the collections of information display a valid OMB control number. The Paperwork Reduction Act (PRA) requires each federal agency to seek and obtain OMB approval before undertaking a collection of information directed to ten or more persons, or contained in a rule of general applicability.
61. The Commission is submitting these reporting requirements to OMB for its review and approval under section 3507(d) of the PRA. Comments are solicited on the Commission's need for this information, whether the information will have practical utility, ways to enhance the quality, utility, and clarity of the information to be collected, and any suggested methods for minimizing the respondent's burden, including the use of automated information techniques.
62. The Commission based its paperwork burden estimates on the NERC compliance registry as of May 28, 2014. According to the registry, there are 357 transmission owners and 197 transmission operators. The NERC compliance registry also shows that there are only 19 transmission operators that are not also registered as a transmission owner.
63. The following table shows the Commission's burden and cost estimates, broken down by requirement and year:
Requirements in reliability standard CIP-014-1 over Number of respondents Number of responses per respondent Total number of responses Average burden hours and cost per response 48 Total burden hours and total cost Years 1-3 (1) (2) (1)*(2)=(3) (4) (3)*(4) Year 1: R1 357 1 357 20 $1,220 7,140 $435,540 R2 357 1 357 34 $2,342 12,138 $836,094 R3 2 1 2 1 $128 2 $256 R4 32 1 32 80 $4,880 2,560 $156,160 R5 32 1 32 320 $19,520 10,240 $624,640 R6 32 1 32 304 $18,812 9,728 $601,984 Record Retention 359 1 359 2 $64 718 $22,976 Year 2: Record Retention 359 1 359 2 $64 718 $22,976 Year 3: R1 30 1 30 20 $1,220 600 $36,600 R2 30 1 30 34 $2,342 1,029 $70,260 R3 2 1 2 1 $128 2 $256 R4 32 1 32 80 $4,880 2,560 $156,160 R5 32 1 32 80 $4,880 2,560 $156,160 R6 32 1 32 134 $8,442 4,288 $270,144 Start Printed Page 42742 Record Retention 359 1 359 2 $64 718 $22,976 Year 1 Total 42,526 $2,677,650 Year 2 Total 718 $22,976 Year 3 Total 11,748 $712,556 Total 54,992 $3,413,182 64. In arriving at the figures in the above table, the Commission made the following assumptions:
a. Requirement R1: We assume that responsible entities will complete the required risk assessment at approximately the same time as they complete the assessments required under the existing TPL Reliability Standards. Accordingly, the burden for proposed Reliability Standard CIP-014-1 only represents the documentation required in addition to what entities currently prepare. Conservatively, we assume that in the first year all transmission owners and transmission operators will complete the required risk assessment.[49] In the third year, we assume that only 30 transmission operators will be required to do another risk assessment and that the entities with critical facilities after the first risk assessment will still have critical facilities after the second risk assessment.
b. Requirement R5: We assume that developing physical security plans in the first year will be more time consuming than in later years because in later years the plans will likely only need to be updated.
65. Title: FERC-725U, Mandatory Reliability Standards: Reliability Standard CIP-014-1.
Action: Proposed collection of information.
OMB Control No: To be determined.
Respondents: Business or other for profit, and not for profit institutions.
Frequency of Responses: Ongoing.
Necessity of the Information: The proposed Reliability Standard CIP-014-1, if adopted, would implement the Congressional mandate of the Energy Policy Act of 2005 to develop mandatory and enforceable Reliability Standards to better ensure the reliability of the nation's Bulk-Power System. Specifically, the proposal would ensure that applicable entities with critical Bulk-Power System facilities develop and implement physical security plans to address physical security threats and vulnerabilities that could result in instability, uncontrolled separation, or cascading within an Interconnection.
Internal review: The Commission has reviewed the proposed Reliability Standard and has determined that the proposed Reliability Standard is necessary to ensure the reliability and integrity of the Nation's Bulk-Power System.
66. Interested persons may obtain information on the reporting requirements by contacting: Federal Energy Regulatory Commission, 888 First Street NE., Washington, DC 20426 [Attention: Ellen Brown, Office of the Executive Director, email: DataClearance@ferc.gov, Phone: (202) 502-8663, fax: (202) 273-0873]. Comments on the requirements of this rule may also be sent to the Office of Information and Regulatory Affairs, Office of Management and Budget, Washington, DC 20503 [Attention: Desk Officer for the Federal Energy Regulatory Commission]. For security reasons, comments should be sent by email to OMB at oira_submission@omb.eop.gov. Comments submitted to OMB should include Docket Number RM14-15-000.
IV. Environmental Analysis
67. The Commission is required to prepare an Environmental Assessment or an Environmental Impact Statement for any action that may have a significant adverse effect on the human environment.[50] The Commission has categorically excluded certain actions from this requirement as not having a significant effect on the human environment. Included in the exclusion are rules that are clarifying, corrective, or procedural or that do not substantially change the effect of the regulations being amended.[51] The actions proposed here fall within this categorical exclusion in the Commission's regulations.
V. Regulatory Flexibility Act
68. The Regulatory Flexibility Act of 1980 (RFA) [52] generally requires a description and analysis of proposed rules that will have significant economic impact on a substantial number of small entities.
69. The Small Business Administration (SBA) recently revised its size standard (effective January 22, 2014) for electric utilities from a standard based on megawatt hours to a standard based on the number of employees, including affiliates.[53] Under SBA's new size standards, transmission Start Printed Page 42743owners and transmission operators likely come under the following category and associated size threshold: Electric bulk power transmission and control, at 500 employees.[54]
70. Based on U.S. economic census data, the approximate percentage of small firms in this category is 57 percent.[55] Currently, the Commission does not have information concerning how the economic census data compares with entities registered with NERC and is unable to estimate the number of small transmission owners and transmission operators using the new SBA definition. However, the Commission recognizes that proposed Reliability Standard CIP-014-1 only applies to transmission owners and transmission operators that own and/or operate certain critical Bulk-Power System facilities. The Commission believes that the proposed Reliability Standard will be applicable to a relatively small group of large entities and that an even smaller subset of large entities will have to comply with each of the requirements in the proposed Reliability Standard.
71. Based on the above, the Commission certifies that proposed Reliability Standard CIP-014-1 will not have a significant impact on a substantial number of small entities. Accordingly, no initial regulatory flexibility analysis is required. The Commission seeks comment on this proposal.
VI. Comment Procedures
72. The Commission invites interested persons to submit comments on the matters and issues proposed in this notice to be adopted, including any related matters or alternative proposals that commenters may wish to discuss. Comments are due September 8, 2014. Reply comments are due September 22, 2014. Comments must refer to Docket No. RM14-15-000, and must include the commenter's name, the organization they represent, if applicable, and their address in their comments.
73. The Commission encourages comments to be filed electronically via the eFiling link on the Commission's Web site at http://www.ferc.gov. The Commission accepts most standard word processing formats. Documents created electronically using word processing software should be filed in native applications or print-to-PDF format and not in a scanned format. Commenters filing electronically do not need to make a paper filing.
74. Commenters that are not able to file comments electronically must send an original of their comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE., Washington, DC 20426.
75. All comments will be placed in the Commission's public files and may be viewed, printed, or downloaded remotely as described in the Document Availability section below. Commenters on this proposal are not required to serve copies of their comments on other commenters.
VII. Document Availability
76. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the Internet through the Commission's Home Page (http://www.ferc.gov) and in the Commission's Public Reference Room during normal business hours (8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE., Room 2A, Washington, DC 20426.
77. From the Commission's Home Page on the Internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number excluding the last three digits of this document in the docket number field.
78. User assistance is available for eLibrary and the Commission's Web site during normal business hours from the Commission's Online Support at 202-502-6652 (toll free at 1-866-208-3676) or email at ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502-8371, TTY (202) 502-8659. Email the Public Reference Room at public.referenceroom@ferc.gov.
Start SignatureIssued: July 17, 2014.
By direction of the Commission.
Nathaniel J. Davis, Sr.,
Deputy Secretary.
Footnotes
1. Reliability Standards for Physical Security Measures, 146 FERC ¶ 61,166 (2014) (March 7 Order).
Back to Citation3. Id. 824o(e).
Back to Citation4. Id. 824o(d)(5).
Back to Citation5. March 7 Order, 146 FERC ¶ 61,166 at P 11.
Back to Citation6. Id.
Back to Citation7. NERC explains that, to meet the 90-day deadline in the March 7 Order, the NERC Standards Committee approved waivers to the Standard Processes Manual to shorten the comment and ballot periods for the Standards Authorization Request and draft Reliability Standard. NERC Petition at 13-14. Proposed Reliability Standard CIP-014-1 is not attached to the notice of proposed rulemaking. The complete text of proposed Reliability Standard CIP-014-1 is available on the Commission's eLibrary document retrieval system in Docket No. RM14-15-000 and is posted on the ERO's Web site, available at http://www.nerc.com.
Back to Citation8. NERC Petition at 15-16.
Back to Citation9. Id. at 18. NERC states that, although the terms “Transmission stations” and “Transmission substations” are sometimes used interchangeably, the proposed Reliability Standard uses the term “Transmission substation” to refer to a facility contained within a physical border (e.g., a fence or wall) that contains one or more autotransformers. Id. According to NERC, the term “Transmission station,” as used in the proposed Reliability Standard, refers to a facility that functions as a switching station or switchyard but does not contain autotransformers. Id. at 18-19.
Back to Citation10. Id. at 25 (citing Reliability Standard CIP-002-5.1 (Cyber Security — BES Cyber System Categorization), Attachment 1 (Impact Rating Criteria)).
Back to Citation11. Id.
Back to Citation12. March 7 Order, 146 FERC ¶ 61,166 at P 11.
Back to Citation13. NERC Petition at 37.
Back to Citation14. Id.
Back to Citation15. Id.
Back to Citation16. Id.
Back to Citation17. March 7 Order, 146 FERC ¶ 61,166 at P 6.
Back to Citation18. NERC Petition, Exhibit A (Proposed Reliability Standard) at 23.
Back to Citation19. NERC Petition at 22.
Back to Citation20. “[A facility] that, if rendered inoperable or damaged, could have a critical impact on the operation of the interconnection through instability, uncontrolled separation or cascading failures on the Bulk-Power System.” March 7 Order, 146 FERC ¶ 61,166 at P 6; 16 U.S.C. 824o(a)(4) (“The term `reliable operation' means operating the elements of the bulk-power system within equipment and electric system thermal, voltage, and stability limits so that instability, uncontrolled separation, or cascading failures of such system will not occur as a result of a sudden disturbance, including a cybersecurity incident, or unanticipated failure of system elements.”).
Back to Citation21. March 7 Order, 146 FERC ¶ 61,166 at P 6.
Back to Citation22. Id. P 6, n.6.
Back to Citation23. NERC Petition at 19.
Back to Citation24. Id.
Back to Citation25. Id. at 20.
Back to Citation26. Id. at 20-21.
Back to Citation27. Reliability Standard CIP-002-5.1 (Cyber Security—BES Cyber System Categorization), Attachment 1 (Impact Rating Criteria).
Back to Citation28. Id. at 22 n.55.
Back to Citation29. Id. at 21.
Back to Citation30. March 7 Order, 146 FERC ¶ 61,166 at P 6, n.4.
Back to Citation31. Id. P 6.
Back to Citation32. NERC Petition, Exhibit A (Proposed Reliability Standard) at 23. The standard drafting team provided the following example: “a Transmission station or Transmission substation identified as a Transmission Owner facility that interconnects generation will be subject to the Requirement R1 risk assessment if it operates at 500 kV or greater or if it is connected at 200 kV-499 kV to three or more other Transmission stations or Transmission substations and has an `aggregate weighted value' exceeding 3000 according to the table in Applicability Section 4.1.1.2.” Id. at 23.
Back to Citation33. NERC Petition at 22.
Back to Citation34. Id.
Back to Citation35. March 7 Order, 146 FERC ¶ 61,166 at P 12.
Back to Citation36. NERC Petition at 22.
Back to Citation37. March 7 Order, 146 FERC ¶ 61,166 at P 11.
Back to Citation38. NERC Petition at 36.
Back to Citation39. Id. at 50.
Back to Citation40. March 7 Order, 146 FERC ¶ 61,166 at P 7.
Back to Citation41. NERC Petition at 42.
Back to Citation42. NERC Petition at 14-15.
Back to Citation43. Id.
Back to Citation44. See NERC, Severe Impact Resilience: Considerations and Recommendations (May 2012), available at http://www.nerc.com/comm/OC/SIRTF%20Related%20Files%20DL/SIRTF_Final_May_9_2012-Board_Accepted.pdf.
Back to Citation45. North American Electric Reliability Corp., 135 FERC ¶ 61,166 (2011).
Back to Citation46. NERC Petition, Exhibit B (Implementation Plan) at 1.
Back to Citation47. Id.
Back to Citation48. The estimates for cost per response are derived using the following formula: Average Burden Hours per Response * XX per Hour = Average Cost per Response. The hourly cost figures are based on wages plus benefits for engineers ($61/hr), attorneys ($128/hr), and administrative staff ($32/hr). These figures are based on Bureau of Labor Statistics wage and benefit data obtainable at http://www.bls.gov/oes/current/naics3_221000.htm and http://www.bls.gov/news.release/ecec.nr0.htm.
Back to Citation49. While it is likely that only large transmission owners and transmission operators will have critical facilities under Requirement R1, the Commission's estimate includes all transmission owners and operators because reliable data on what percentage of large owners and operators control critical facilities is unavailable.
Back to Citation50. Regulations Implementing the National Environmental Policy Act, Order No. 486, 52 FR 47897 (Dec. 17, 1987), FERC Stats. & Regs. Regulations Preambles 1986-1990 ¶ 30,783 (1987).
Back to Citation53. SBA Final Rule on “Small Business Size Standards: Utilities,” 78 FR 77,343 (Dec. 23, 2013).
Back to Citation54. 13 CFR 121.201, Sector 22, Utilities.
Back to Citation55. Data and further information are available on the SBA Web site. See SBA Firm Size Data, available at http://www.sba.gov/advocacy/849/12162.
Back to Citation[FR Doc. 2014-17231 Filed 7-22-14; 8:45 am]
BILLING CODE 6717-01-P
Document Information
- Published:
- 07/23/2014
- Department:
- Federal Energy Regulatory Commission
- Entry Type:
- Proposed Rule
- Action:
- Notice of proposed rulemaking.
- Document Number:
- 2014-17231
- Dates:
- Comments are due September 8, 2014. Reply comments are due September 22, 2014.
- Pages:
- 42734-42743 (10 pages)
- Docket Numbers:
- Docket No. RM14-15-000
- PDF File:
- 2014-17231.pdf
- CFR: (1)
- 18 CFR 40