UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION NORTH AMERICAN ELECTRIC ) Docket No. RD13-_____ RELIABILITY CORPORATION ) PETITION OF THE NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION FOR APPROVAL OF CRITICAL INFRASTRUCTURE PROTECTION RELIABILITY STANDARDS VERSION 5 Gerald W. Cauley Charles A. Berardesco President and Chief Executive Officer Senior Vice President and General Counsel North American Electric Reliability Holly A. Hawkins Corporation Assistant General Counsel 3353 Peachtree Road, N.E. Willie L. Phillips Suite 600, North Tower Attorney Atlanta, GA 30326 North American Electric Reliability (404) 446-2560 Corporation (404) 446-2595– facsimile 1325 G Street, N.W., Suite 600 Washington, D.C. 20005 (202) 400-3000 (202) 644-8099– facsimile [email protected] [email protected] [email protected] Counsel for North American Electric Reliability Corporation January 31, 2013 TABLE OF CONTENTS I. Executive Summary………………………………………………………………………….. 3 II. Notices and Communications………………………………………………………………... 7 III. Background and Regulatory Framework.....……………………………………………….. 7 IV. Justification for Approval of the Proposed Modifications to Reliability Standards…….. 8 a. Basis for Approval of Proposed Reliability Standard b. CIP Version 5 presents significant improvements to previous CIP standards c. New Proposed Reliability Standards CIP-010-1and CIP-011-1 d. Proposed Definitions of Terms Used in CIP Version 5 e. Enforceability of the Proposed CIP Version 5 Reliability Standards f. Violation Risk Factor and Violation Severity Level Assignments g. NERC Reliability Standards Development Procedure V. CIP Version 5 Satisfies All FERC Directives and Concerns …………………………….. 30 a. Order No. 706 Directives b. Application of NIST Framework c. Regional Perspective VI. Summary of the Reliability Standard Development Proceedings………………….…….. 41 VII. CIP Version 5 Implementation Plan……………………………………………………… 42 VIII. Conclusion…………………………………………………………………………….….… 44 Exhibit A — Proposed CIP Version 5 Reliability Standards submitted for Approval and associated modifications to the Glossary of Terms used in NERC Reliability Standards Exhibit B — Implementation Plan for Proposed CIP Version 5 Reliability Standards submitted for Approval Exhibit C — Standard Drafting Team Roster for Project 2008-06 - Cyber Security Order 706 Version 5 CIP Standards Exhibit D — Consideration of Comments Reports Exhibit E — Table of VRFs and VSLs Proposed for Approval and Analysis of how VRFs and VSLs Were Determined Using Commission Guidelines Exhibit F — Record of Development of Proposed CIP Version 5 Reliability Standards Exhibit G — Order No. 672 Criteria for Approving Proposed Reliability Standards Exhibit H — Consideration of Issues and Directives i UNITED STATES OF AMERICA BEFORE THE FEDERAL ENERGY REGULATORY COMMISSION NORTH AMERICAN ELECTRIC ) Docket No. RD13-____ RELIABILITY CORPORATION ) PETITION OF THE NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION FOR APPROVAL OF CRITICAL INFRASTRUCTURE PROTECTION RELIABILITY STANDARDS VERSION 5 The North American Electric Reliability Corporation (“NERC”)1 hereby requests that the Federal Energy Regulatory Commission (“FERC” or the “Commission”) approve, in accordance with Section 215(d)(1) of the Federal Power Act (“FPA”)2 and Section 39.5 of the Commission’s regulations, 18 C.F.R. § 39.5 (2012), the following ten proposed Critical Infrastructure Protection (“CIP”) Reliability Standards (“CIP Version 5”) and find that they are just, reasonable, not unduly discriminatory or preferential and in the public interest: • CIP–002–5 — Cyber Security — BES Cyber System Categorization • CIP–003–5 — Cyber Security — Security Management Controls • CIP–004–5 — Cyber Security — Personnel and Training • CIP–005–5 — Cyber Security — Electronic Security Perimeter(s) • CIP–006–5 — Cyber Security — Physical Security of BES Cyber Systems • CIP–007–5 — Cyber Security — Systems Security Management • CIP–008–5 — Cyber Security — Incident Reporting and Response Planning • CIP–009–5 — Cyber Security — Recovery Plans for BES Cyber Systems • CIP–010–1 — Cyber Security — Configuration Change Management and Vulnerability Assessments • CIP–011–1 — Cyber Security — Information Protection 1 NERC was certified by the Commission as the electric reliability organization (“ERO”) in accordance with Section 215 of the Federal Power Act in its order issued on July 20, 2006 in Docket No. RR06-1-000. North American Electric Reliability Corp., 116 FERC ¶ 61,062 (2006) (“ERO Certification Order”). 2 16 U.S.C. § 824o (2012). 1 NERC also requests approval of the proposed definitions of terms used in the proposed CIP Version 5, the associated implementation plan, and the proposed Violation Risk Factors (“VRFs”) and Violation Severity Levels (“VSLs”).3 This filing also addresses all remaining standards-related issues and directives from Order No. 706.4 Additionally, NERC requests that CIP Version 5 become effective on the first day of the eighth calendar quarter after a final rule is issued in this docket. The requested effective date: (1) is just and reasonable; (2) properly balances the urgency to implement the standards with time allowed to develop necessary procedures, software, facilities, staffing or other relevant capabilities; and (3) allows applicable entities adequate time to ensure compliance with the requirements in accordance with Order No. 672.5 After a successful industry ballot with the CIP Version 5 standards achieving approval ranging from to 78.59% to 95.67%, the NERC Board of Trustees approved the CIP Version 5 standards and related documents on November 26, 2012. Exhibit A to this filing sets forth the proposed CIP Version 5 standards and associated modifications to the Glossary of Terms used in NERC Reliability Standards. Exhibit B contains the Implementation Plan for CIP Version 5. Exhibit C contains the Standard Drafting Team Roster for Project 2008-06 Cyber Security Order 706, which is the technical team responsible for developing CIP Version 5. Exhibit D contains the Consideration of Comments Reports for CIP 3 Unless otherwise specified, capitalized terms used herein have the meanings specified in the NERC Glossary of Terms, available at: http://www.nerc.com/files/Glossary_of_Terms.pdf. 4 Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 122 FERC ¶ 61,040, denying reh’g and granting clarification, Order No. 706-A, 123 FERC ¶ 61,174 (2008), order on clarification, Order No. 706-B, 126 FERC ¶ 61,229 (2009), order denying clarification, Order No. 706-C, 127 FERC ¶ 61,273 (2009) (“Order No. 706”). 5 Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment, Approval, and Enforcement of Electric Reliability Standards, Order No. 672, FERC Stats. & Regs. ¶ 31,204 at P 333, order on reh’g, Order No. 672-A, FERC Stats. & Regs. ¶ 31,212 (2006) (“In considering whether a proposed Reliability Standard is just and reasonable, FERC will consider also the timetable for implementation of the new requirements, including how the proposal balances any urgency in the need to implement it against the reasonableness of the time allowed for those who must comply to develop the necessary procedures, software, facilities, staffing or other relevant capability.”). 2 Version 5. Exhibit E contains a table of CIP Version 5 VRFs and VSLs proposed for approval and Commission guideline analyses. Exhibit F contains the development record for CIP Version 5. Exhibit G addresses the Order No. 672 Criteria for Approving Proposed Reliability Standards. Exhibit H contains the Consideration of Issues and Directives. NERC is also filing the proposed CIP Version 5 standards and associated documents for approval with applicable governmental authorities in Canada. I. EXECUTIVE SUMMARY The White House and U.S. Congress have acknowledged that cybersecurity threats are increasing in number and sophistication. President Barack Obama declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America’s economic prosperity in the 21st century will depend on cybersecurity.”6 Defense Secretary Leon Panetta warned that the nation is facing the possibility of a “cyber-Pearl Harbor” and is “increasingly vulnerable to foreign computer hackers who could dismantle the nation’s power grid….”7 Congress has also considered cybersecurity legislation “that would establish security standards to prevent large-scale cyber-attacks on the nation’s critical infrastructure,” — including the electrical grid.8 Recognizing the importance of the Bulk Power System, Congress has vested the ERO with the responsibility of developing mandatory Reliability Standards, including cybersecurity standards. Taking into consideration four years of experience since the first NERC CIP Cyber 6 National Security Council, Cyber Security, http://www.whitehouse.gov/administration/eop/nsc/cybersecurity. 7 Elizabeth Bumiller and Thom Shanker, Panetta Warns of Dire Threat of Cyberattack on U.S., The New York Times, October 11, 2012, http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of- cyberattack.html?pagewanted=all. 8 Ed O’Keefe and Ellen Nakashima, Cybersecurity Bill Fails in Senate, The Washington Post, August 2, 2012, http://www.washingtonpost.com/world/national-security/cybersecurity-bill-fails-in- senate/2012/08/02/gJQADNOOSX_story.html. 3 Security Reliability Standards were implemented, as well as applicable FERC directives, NERC developed the proposed CIP Version 5 standards to better protect the reliability of the nation’s Bulk Electric System (“BES”)9 from cyber-attacks. The proposed CIP Version 5 standards were overwhelmingly supported by industry, with the industry ballot averaging nearly 90% approval. The standards also present a significant improvement over the existing CIP Version 310 and the Commission-approved CIP Version 4 standards.11 For this reason, NERC seeks swift action by the Commission to approve the proposed CIP Version 5 standards as discussed in this petition. With respect to concerns expressed by Responsible Entities regarding the transition from CIP Version 3 to Version 4 to Version 5 Reliability Standards, NERC understands that the transition could be complicated. For this reason, NERC stands ready to work with industry to address transition issues as they arise. The proposed implementation plan for CIP Version 5, included with this filing as Exhibit B, provides language that would allow entities to transition from CIP Version 3 to CIP Version 5, thereby bypassing implementation of CIP Version 4 completely upon Commission approval. The proposed implementation plan specifically states: Notwithstanding any order to the contrary, CIP-002-4 through CIP-009-4 do not become effective, and CIP-002-3 through CIP-009-3 remain in effect and are not retired until the effective date of the Version 5 CIP Cyber Security Standards under this implementation plan. 9 In this petition, the terms “Bulk Power System” and “Bulk Electric System” are used interchangeably. “Bulk Electric System” is defined in the NERC Glossary of Terms, and generally includes facilities operated at voltages at and above 100 kV. See NERC Glossary of Terms Used in Reliability Standards at 2. “Bulk-Power System” is defined in section 215 of the FPA, and does not include a voltage threshold. See 16 U.S.C. 824o(a)(1). 10 North American Electric Reliability Corporation, 130 FERC ¶ 61,271 (March 31, 2010) (“In this order, we approve the modified CIP Reliability Standards, with an effective date of October 1, 2010.”) 11 See Version 4 Critical Infrastructure Protection Reliability Standards, Order No. 761, 139 FERC ¶ 61,058 (2012)(Noting CIP Version 4 Implementation date of April 1, 2014). 4 Prompt Commission approval of the CIP Version 5 standards and the implementation plan would reduce uncertainty among Responsible Entities regarding implementation of the CIP standards. Therefore, NERC reiterates its request for prompt Commission action approving the CIP Version 5 standards and associated implementation plan. Additionally, to help the industry implement the CIP Version 4 and 5 standards, NERC will initiate a series of industry workshops that will be presented across North America beginning in 2013. The improvements included in CIP Version 5 reflect a maturity of the NERC CIP program. While the general framework of the proposed standards follow the organization of the previous CIP versions, a new process is introduced in proposed CIP-002-05 for identifying and classifying BES Cyber Systems according to “Low-Medium-High” impact.12 Once BES Cyber Systems are identified, a Responsible Entity must then comply with proposed CIP-003-5 to CIP- 011-1, according to specific criteria relating to impact and other characteristics such as communications connectivity. As such, NERC and its stakeholders have proposed the most comprehensive set of mandatory cybersecurity standards ever utilized on a widespread basis in the electric industry. Key features of the comprehensive approach taken in CIP Version 5 include: • Utilizing a National Institute of Standards and Technology (“NIST”) based approach to categorize all cyber systems which impact the BES as “Low- Medium-High” (at the system level) and requiring at least a minimum classification of “Low Impact” for all BES Cyber Systems. • Building on the implementation experience from prior CIP Reliability Standard versions. • Addressing all applicable directives in Order No. 706. • Eliminating unnecessary documentation requirements to allow entities to focus on the reliability and security of the Bulk Power System. 12 BES Cyber Systems, discussed herein, is a proposed addition to the Glossary of Terms used in NERC Reliability Standards. 5 • Providing guidance and context within each CIP Version 5 standard. The identification of cyber assets has evolved through the various CIP Reliability Standards versions. Building on the prior “Risk-Based Assessment Methodology” in CIP-002-3 and the “Bright-line Criteria” in CIP-002-4, the proposed CIP Version 5 standards focus on all cyber system assets that have an impact on Bulk Power System reliability, and characterizes that impact as either high, medium or low. In Order No. 761, the Commission directed NERC to file CIP Version 5 addressing all remaining directives from Order No. 706, by March 31, 2013. With the strong support of industry, and the efforts of the diverse standard drafting team, this petition satisfies the Commission’s directives two months prior to the Commission-required due date. 6 II. NOTICES AND COMMUNICATIONS Notices and communications with respect to this filing may be addressed to the following:13 Gerald W. Cauley Charles A. Berardesco* President and Chief Executive Officer Senior Vice President and General Counsel North American Electric Reliability Holly A. Hawkins* Corporation Assistant General Counsel 3353 Peachtree Road, N.E. Willie L. Phillips* Suite 600, North Tower Attorney Atlanta, GA 30326 North American Electric Reliability Corporation (404) 446-2560 1325 G Street, N.W., Suite 600 (404) 446-2595– facsimile Washington, D.C. 20005 (202) 400-3000 (202) 644-8099– facsimile [email protected] [email protected] [email protected] III. BACKGROUND AND REGULATORY FRAMEWORK By enacting the Energy Policy Act of 2005 (“EPAct 2005”),14 Congress entrusted the Commission with the duties of approving and enforcing rules to ensure the reliability of the Nation’s Bulk Power System, and with the duty of certifying an electric reliability organization (“ERO”) that would be charged with developing and enforcing mandatory Reliability Standards, subject to Commission approval. Section 215 of the FPA states that all users, owners, and operators of the Bulk Power System in the United States will be subject to Commission- approved Reliability Standards, which include requirements for the operation of existing Bulk Power System facilities and cybersecurity protection.15 13 Persons to be included on the Commission’s service list are indicated with an asterisk. NERC requests waiver of the Commission’s rules and regulations to permit the inclusion of more than two people on the service list. 14 16 U.S.C. § 824o (2012). 15 See Section 215(b)(1)(“All users, owners and operators of the bulk-power system shall comply with reliability standards that take effect under this section.”). 7 IV. JUSTIFICATION FOR APPROVAL OF THE PROPOSED RELIABILITY STANDARDS In this section we will discuss the following: a) the basis for approval of the proposed Reliability Standards; b) significant improvements to previous CIP standards; c) new proposed Reliability Standards CIP-010-1and CIP-011-1; d) proposed definitions of glossary terms used in CIP Version 5; e) enforceability of the proposed CIP Version 5; f) VRF and VSL assignments; and g) NERC Reliability Standards Development Procedure. This section summarizes the development of proposed CIP Version 5 and demonstrates that the proposed modifications meet the criteria for approval established by the Commission. That is, the modifications and enhancements provided in CIP Version 5 ensure that the proposed standards are just, reasonable, not unduly discriminatory or preferential and in the public interest.16 The proposed CIP Version 5 standards, which were overwhelmingly approved by industry, are a significant improvement over the existing CIP standards and help protect the reliability of the BES. Thus, given the strong industry support for these improvements, NERC respectfully requests that the Commission expeditiously approve the proposed CIP Version 5 standards, as presented in Exhibit A. a. Basis for Approval of Proposed Reliability Standards Section 39.5(a) of the Commission’s regulations requires the ERO to file with the Commission for its approval each Reliability Standard that the ERO proposes to become mandatory and enforceable in the United States, and each modification to a Reliability Standard that the ERO proposes to be made effective. The Commission has the regulatory responsibility to approve standards that protect the reliability of the Bulk Power System and to ensure that such 16 See Order No. 672. 8
Description: