Federal Register - February 5, 2021
8320
Federal Register / Vol. 86, No. 23 / Friday, February 5, 2021 / Proposed Rules
pursuant to the Commission's approval and the corresponding FERC accounts used. In addition, the annual informational filings must describe which parts of the public utility's network were upgraded or expanded (e.g., which substations, control centers, and automated and continuous monitoring equipment), as well as the nature of the work (e.g., a description of the hardware purchased) and the actual cost of each capital investment. For incentives under which the Commission allows expenses to be deferred as regulatory assets, the annual informational filings should describe those expenses in sufficient detail to demonstrate that they relate specifically to implementing the cybersecurity incentives described in this NOPR and not to ongoing costs such as system maintenance, surveillance, and other labor costs, whether incurred as employee salaries or as third-party service contracts.
63. We preliminarily find that the proposed reporting requirements are necessary to provide the Commission with an understanding of the costs of various types of cybersecurity investments in order to more precisely target future incentives or other policies.
However, based on the qualities of such investments, as well as the likely higher sensitivity of the information, we propose to require different reporting requirements under this proposal than those proposed under the Transmission Incentives NOPR.
64. Several aspects of cybersecurity necessitate reporting different information than the Commission has required for conventional transmission facilities receiving incentives pursuant to FPA section 219. First, cybersecurity investments are not directly observable. Unlike a conventional transmission facility, such as a new transmission line, it is not readily apparent if, and when, a cybersecurity investment has been completed and is serving customers. It is therefore important to confirm the completion of cybersecurity investments by establishing additional reporting requirements. Second, certain cybersecurity investments may require public utilities to undertake subsequent actions or make further expenditures to maintain the status for which they receive incentives. Annual reports enable public utilities to demonstrate that they have undertaken those actions or expenditures.
65. Finally, we propose that both the initial and the annual informational filings provide a summary of the costs incurred to achieve the higher level of security. The summary should be accompanied by supporting documentation that gives a narrative explanation of the nature of the expenses proposed for deferred cost recovery and for inclusion in rate base as a regulatory asset, and that identifies the specific accounts under the Commission's Uniform System of Accounts to which the incurred expenses were initially charged.
66. The Commission may also conduct periodic verification to assess the cybersecurity investments and expenses for which it has approved incentives. The Commission could perform such verification through multiple means (e.g., directing further informational filings, conducting audits, etc.). The annual informational filings will inform the Commission as to how and when additional verification is warranted.
a. NERC CIP Incentives Approach

67. To demonstrate that a public utility has implemented the requirements for the Med/High incentive, and to ensure that the recipient continues to adhere to those requirements, we propose that the informational filing describe implementation of the enhanced security controls, as applicable, for all of the topics covered by the CIP Reliability Standards. Below is a table of the currently effective and Commission-approved CIP Reliability Standards, with examples of the supporting documentation a public utility may provide to demonstrate incentive adherence to each standard. For the first informational filing, we would expect the public utility to provide the documents indicated below, plus any additional documentation needed to demonstrate voluntary application of the identified CIP Reliability Standards to facilities that are not currently subject to those requirements.[76] For each subsequent annual informational filing, the public utility would only need to provide an updated version of the supporting documentation showing any changes from the prior filing, together with information on any period during the reported year in which the public utility ceased to voluntarily apply the identified CIP Reliability Standards to facilities not currently subject to those requirements.
SUPPORTING DOCUMENTATION DEMONSTRATING INCENTIVE ADHERENCE

Topic | Standard | Documentation
BES Cyber System Categorization | CIP-002 [77] | List of the categorization of BES Cyber Systems included in the incentive.
Management Controls | CIP-003 | Senior management approval of revised cyber security policies; updates to delegation procedures.
Personnel and Training | CIP-004 | Cyber security training program and quarterly reinforcement; personnel risk assessment program; access management program; timely access revocation processes.
Electronic Security Perimeters | CIP-005 | Establishment of ESPs and management of electronic access points; remote access management.
Physical Security of BES Cyber Systems | CIP-006 | Physical security plans; visitor control program; PACS maintenance and testing procedures.
Systems Security Management | CIP-007 | Ports and services management; security patch management; malicious code prevention methods; security event monitoring; system access controls.
Incident Reporting and Response | CIP-008 | Cyber security incident response plan, implementation, and testing procedures.
Backup and Recovery Plans | CIP-009 | System recovery plans, implementation, and testing procedures.
Configuration Change Management | CIP-010 | System baseline configurations; configuration monitoring; vulnerability assessment processes.
Information Protection | CIP-011 | Information protection procedures; cyber asset reuse and disposal methods.
Communications between Control Centers | CIP-012 [78] | Plans mitigating the risks posed by unauthorized disclosure and unauthorized modification of Real-time Assessment and Real-time monitoring data while being transmitted between any applicable Control Centers; evidence of the associated security protections implemented and used.
[76] The information requested is similar to the information FERC staff reviews during a NERC CIP Reliability Standards audit.
[77] CIP-002 actions are not eligible for the incentive, since compliance with that standard is a mandatory requirement for all BES assets.
[78] CIP-012-1, Communications between Control Centers, will be subject to enforcement on July 1, 2022.