AGENCY:

Federal Energy Regulatory Commission.

ACTION:

Order on proposed clarification.

SUMMARY:

The Commission is proposing to clarify that the facilities within a nuclear generation plant in the United States that are not regulated by the U.S. Nuclear Regulatory Commission are subject to compliance with the eight mandatory “CIP” Reliability Standards approved in Commission Order No. 706.

DATES:

Comments are due October 20, 2008.

ADDRESSES:

You may submit comments, identified by docket number by any of the following methods:

• Agency Web Site: http://ferc.gov. Documents created electronically using word processing software should be filed in native applications or print-to-PDF format and not in a scanned format.
• Mail/Hand Delivery: Commenters unable to file comments electronically must mail or hand deliver an original and 14 copies of their comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street, NE., Washington, DC 20426.

FOR FURTHER INFORMATION CONTACT:

Jonathan First (Legal Information), Office of General Counsel, 888 First Street, NE., Washington, DC 20426, (202) 502-8529.

Regis Binder (Technical Information), Office of Electric Reliability, 888 First Street, NE., Washington, DC 20426, (202) 502-6460.

SUPPLEMENTARY INFORMATION:

Before Commissioners: Joseph T. Kelliher, Chairman; Suedeen G. Kelly, Marc Spitzer, Philip D. Moeller, and Jon Wellinghoff.

1. In this order, the Commission proposes to clarify the scope of the eight Critical Infrastructure Protection (CIP) Reliability Standards ^[1] approved in Order No. 706 to assure that no “gap” occurs in the applicability of these Standards.^[2] In particular, each of the eight CIP Reliability Standards provides that facilities regulated by the U.S. Nuclear Regulatory Commission (NRC) are exempt from the Standard. It has come to the attention of the Commission that the NRC does not regulate all facilities within a nuclear generation plant. Thus, to assure that there is no “gap” in the regulatory process, the Commission proposes to clarify that the facilities within a nuclear generation plant in the United States that are not regulated by the NRC are subject to compliance with the eight CIP Reliability Standards approved in Order No. 706.

2. Comments on the Commission's proposed clarification are due 30 days from the date of issuance of this order, after which the Commission intends to issue a further order on the matter.

Background

3. The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), developed eight CIP Reliability Standards that require certain users, owners and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets. In January 2008, pursuant to section 215 of the Federal Power Act (FPA),^[3] the Commission approved the eight CIP Reliability Standards. In addition, pursuant to section 215(d)(5) of the FPA,^[4] the Commission directed the ERO to develop modifications to the CIP Reliability Standards to address specific concerns identified by the Commission.

4. Each of the eight CIP Reliability Standards includes an exemption for facilities regulated by the NRC. For example, Reliability Standard CIP-002-1 provides:

The following are exempt from Standard CIP-002: Facilities Regulated by the U.S. Nuclear Regulatory Commission. * * * [^[5] ]

5. In an April 8, 2008 public joint meeting of the Commission and the NRC, staff of both Commissions discussed cyber security at nuclear generation plants. While NRC staff indicated that the NRC has proposed regulations to address cybersecurity at nuclear generation plants,^[6] NRC staff raised a concern regarding a potential gap in regulatory coverage. In particular, NRC staff indicated that the NRC's proposed regulations on cybersecurity would not apply to all systems within a nuclear generation plant. NRC staff explained:

The NRC's cyber requirements are not going to extend to power continuity systems. They do not extend directly to what is not directly associated with reactor safety security or emergency response. * * *

As a result, and when you look at the CIP standards that were issued, there is a discrete statement in each of the seven or eight standards where it specifically exempts facilities regulated by the United States Nuclear Regulatory Commission from compliance with those CIP Standards. So there is an issue there in the sense that our regulations for cyber security go up to a certain point, and end.[^[7] ]

Discussion

6. The Commission shares the concern raised at the April 8, 2008 joint meeting. It appears that the NRC's regulation of a nuclear generation plant is limited to the facilities that are associated with reactor safety or emergency response.^[8] The Commission believes that a nuclear generation plant will likely include critical assets and critical cyber assets that are not safety related and, therefore, not regulated by the NRC. For example, facilities that pertain to the “continuity of operation” of a nuclear generation plant may be Start Printed Page 55460necessary for the generation of electricity that affects the reliability of Bulk-Power System but not have a role in reactor safety. The Commission understands that such facilities would not be subject to compliance with cyber security regulations developed by the NRC.

7. The Commission believes that the plain meaning of the exemption language in the eight CIP Reliability Standards at issue is that only those facilities within a nuclear generation plant that are regulated by the NRC are exempt from those Standards. The exemption language in the eight CIP Reliability Standards neither states, nor implies, that all facilities within a nuclear generation plant are exempt from the Standards, regardless of whether they are subject to NRC regulation. However, the Commission believes there is a need to assure that there is no potential gap in the regulation of critical cyber assets at nuclear generation plants and to assure that there is no misunderstanding of the scope of the exemption in the CIP Reliability Standards. The Commission, therefore, proposes to clarify that Reliability Standards CIP-002-1 through CIP-009-1 apply to the facilities within a nuclear generation plant that are not regulated by the NRC.

8. To be clear, the Commission's intent is to eliminate a potential gap in the regulation of critical assets and critical cyber assets at nuclear generation plants in the United States. The Commission reaffirms the language of the CIP Reliability Standards—and respects the jurisdiction of the NRC—and does not intend that those Standards apply to facilities within a nuclear generation plant that are regulated by the NRC. This should allay concerns that a specific facility is subject to “dual” regulation by both the Commission and NRC as to cyber security.

9. In addition to comments on the proposed clarification, the Commission seeks comment on the following two related matters:

Whether there is a clear delineation between those facilities within a nuclear generation plant that pertain to reactor safety security or emergency response and the non-safety portion or, as NRC refers to it, the “balance of plant.” For example, the generator itself in a nuclear generation plant would seem to be under the CIP Reliability Standards, but the motors that operate nuclear reactor control rods would seem to be under NRC regulation. If the delineation is not clear, is there a need for owners and/or operators of nuclear generation plants to identify the specific facilities that pertain to reactor safety security or emergency response and subject to NRC regulation, and the balance of plant that is subject to the eight CIP Reliability Standards?

In Order No. 706, the Commission approved NERC's “(Revised) Implementation Plan for Cyber Security Standards CIP-001-1 through CIP-009-1” for the eight cybersecurity Reliability Standards. The implementation plan provides a staggered approach to implementation that includes three tables with separate timelines for various industry segments. Table 3, which applies to generation owners and generation operators, requires achieving compliance with the requirements of the CIP Reliability Standards by December 31, 2009. The only requirement that has a different compliance date in Table 3 is CIP-003-1 Requirement R2, which must be complied with by June 30, 2008. The Commission seeks comment on whether Table 3 for generation owners and generation operators should control the implementation schedule of the CIP Reliability Standards to the facilities within a nuclear generation plant that the NRC does not regulate.

10. Comments on the Commission's proposed clarification are due 30 days from the date of issuance of this order, after which the Commission intends to issue a further order on the matter.

The Commission orders: The Commission directs that this order be published in the Federal Register. Comments on the Commission's proposed clarification are due 30 days from the date of issuance of this order.

Footnotes