Federal Register - February 5, 2021


Source: Federal Register

Federal Register / Vol. 86, No. 23 / Friday, February 5, 2021 / Proposed Rules

cybersecurity posture substantially above levels required by CIP Reliability Standards to merit an incentive for such cybersecurity investments.55

a. Med/High Incentive

26. We propose to add § 35.48(b)(1)(i) to the Commission's regulations to allow a public utility to receive incentive rate treatment for voluntarily applying the requirements for medium or high impact systems to low impact systems, and/or the requirements for high impact systems to medium impact systems (Med/High Incentive).

27. Under the Med/High Incentive, a public utility seeking a cybersecurity incentive for a facility that is classified as a low impact BES Cyber System would invest in ways to make that facility meet all the requirement and sub-requirement protections applicable to medium or high impact BES Cyber Systems. Also, under the Med/High incentive, a public utility seeking a cybersecurity incentive for a facility classified as a medium impact BES Cyber System would invest in ways to make that facility meet all the requirement and sub-requirement protections applicable to high impact BES Cyber Systems. The public utility could choose to apply the medium and/or high impact requirements to some or all of its low or medium impact BES Cyber Systems, and would receive incentives only for the investments it makes to apply the more stringent protections.

b. Hub-Spoke Incentive
28. We propose to add § 35.48(b)(1)(ii) to the Commission's regulations to allow a public utility to receive incentive rate treatment for voluntarily ensuring that all external routable connectivity 56 to and from the low impact system connect to a high or medium impact BES Cyber System (Hub-Spoke Incentive). Under the Hub-Spoke Incentive, a public utility is eligible for incentives if its investment applies CIP Reliability Standard security controls inherited from a high or medium impact BES Cyber System at locations containing low impact BES Cyber Systems by ensuring all external routable connectivity to and from the low impact system connect to a high or medium impact BES Cyber System.

29. Under the Hub-Spoke Incentive, all the cyber communications to and from a low impact system location must connect to a medium or high impact BES Cyber System and the cyber communication security controls required for the medium or high impact BES Cyber System must be implemented on the low impact system.57 Therefore, the cyber communication would be protected at a higher security level before being transmitted to or received by the low impact BES Cyber System. Thus, low impact BES Cyber Systems would inherit the higher security posture of either the medium or high impact controls.

55 We do not propose that NERC will have any role in monitoring or reviewing the implementation of voluntary incentives or otherwise participating in this incentives program.

56 NERC defines external routable connectivity as the ability to access a BES Cyber System from a Cyber Asset that is outside of its associated Electronic Security Perimeter via a bi-directional routable protocol connection. NERC, Glossary of Terms Used in NERC Reliability Standards (2020), https://www.nerc.com/files/glossary_of_terms.pdf.
c. Other Considerations

30. Nothing in this proposal modifies a public utility's obligation to comply with all the mandatory NERC Reliability Standard obligations for its low, medium, and high impact BES Cyber Systems. A public utility requesting incentive rate treatment for voluntarily applying the CIP Reliability Standards requirements, as discussed above, will not be subject to penalties from the Commission for failing to voluntarily follow the CIP Reliability Standards. However, if the Commission approves a public utility's request for cybersecurity incentives pursuant to either the Med/High or Hub-Spoke Incentive and the public utility subsequently ceases to implement the CIP Reliability Standards consistent with the order approving the application, we propose that the public utility would not be able to receive the incentive for the period during which it is not implementing the CIP Reliability Standards consistent with the order approving the application.

31. Additionally, since the NERC CIP Incentives Approach is based on a public utility making voluntary cybersecurity investments based on the CIP Reliability Standards as they exist at the time of the investment, we propose that the determination of the types of cybersecurity incentives that a public utility would be eligible for would reflect the currently enforceable version of the CIP Reliability Standards at the time the public utility submits a request for incentives. As discussed in section IV.E.1 (Incentive Duration), where NERC publicly announces that it is considering making certain cybersecurity activities or investments mandatory through issuing a standard authorization request,58 a public utility would still be eligible to receive incentives until the requirements become mandatory and enforceable.

57 See proposed § 35.48(b)(1)(ii).
2. NIST Framework Approach

32. We propose to add § 35.48(b)(2) to the Commission's regulations to provide that a public utility may receive incentive rate treatment for implementing certain security controls included in the NIST Framework (NIST Framework Approach). The Commission would evaluate a public utility's application for cybersecurity investments that implement security controls in the NIST Framework to determine whether the cybersecurity investments go above and beyond the CIP Reliability Standards and are eligible for incentives. Through the NIST Framework Approach, public utilities have the flexibility of nonprescriptive implementation options to go above and beyond the CIP Reliability Standards.

33. Although the NIST Framework contains many types of security controls, we propose to limit eligibility for cybersecurity incentives to the types of controls that are most likely to provide a significant benefit to the cybersecurity of Commission-jurisdictional transmission facilities, not just the BES. In the White Paper, Commission staff identified five types of security controls included in the NIST Framework that may be considered for incentives under the NIST Framework approach: (1) Automated and continuous monitoring; (2) access control; (3) data protection; (4) incident response; and (5) physical security of cyber systems. Commission staff also acknowledged that, given the continuous and rapid changes in cybersecurity risks, the Commission may need to periodically update the types of security controls eligible for incentives.59 In proposing the NIST Framework Approach, we propose to initially only consider incentives that fall within the first type of security controls, automated and continuous monitoring. For example, continuous monitoring tools that utilize automated features for pulling information from a variety of sources or that allow for data consolidation into Security Information and Event Management tools would

58 A standard authorization request is the form used to document the scope and reliability benefit of a proposed project for one or more new or modified Reliability Standards or definitions, as well as document the benefit of retiring one or more approved Reliability Standards. NERC, Standard Authorization Request (SAR), https://www.nerc.com/pa/Stand/Pages/SARs.aspx.

59 White Paper at 19.

About this edition

Title: Federal Register

Country: United States of America

Date: 05/02/2021

Number of pages: 277

Number of editions: 7798

First edition: 14/03/1936

Last edition: 18/06/2026
