Federal Register - February 5, 2021
Source: Federal Register
Federal Register / Vol. 86, No. 23 / Friday, February 5, 2021 / Proposed Rules    8313

high impact systems to low impact systems. The second approach was based on a public utility voluntarily implementing portions of the NIST Framework. Commission staff suggested that the two approaches could be used independently or in combination.39

III. Need for Reform

17. We recognize that the energy sector faces numerous and complex cybersecurity challenges. These growing threats come at a time of both great change in the operation of the transmission system and an increase in the number and nature of attack methods.40 Encouraging utilities to address cybersecurity of the Bulk-Power System is uniquely important given the degree to which components of the Bulk-Power System are digitally interconnected with one another, and the ever-expanding risks posed by adversaries create challenges for those tasked with defending those interconnections from cyber exploitation. In addition, a cybersecurity breach could have exponential effects on the Bulk-Power System. As the operating environment continues to change, there is the potential for increased vulnerabilities and amplification of cybersecurity threats to the Bulk-Power System. For example, as the Commission has previously explained, the global supply chain affords significant benefits to customers, including low cost, interoperability, rapid innovation, and a variety of product features.41 Despite these benefits, the global supply chain creates opportunities for adversaries to directly or indirectly affect the management or operation of companies, with potential risks to end users that could introduce new unintended threats to the system and necessitate rapid mitigating actions.42 Further, the COVID-19 national emergency43 prompted many organizations to revise their operations to support an increased number of remote workers. The rapid expansion of teleworking capabilities revealed potential vulnerabilities, and some identified cybersecurity events specifically targeted remote access network equipment.44 It is important that public utilities make cybersecurity investments to quickly and effectively address these cybersecurity challenges as well as other emerging threats. Therefore, the Commission has concluded that, given the unique importance of protecting the cybersecurity of the Bulk-Power System, it is appropriate to provide incentives for public utility cybersecurity investment as proposed in this NOPR.

18. Section 215 of the FPA and the CIP Reliability Standards promulgated under that statute have served as the Commission's primary tools for mandating changes to cybersecurity practices within the electric sector. As required by FPA section 215, the Commission's mandatory CIP Reliability Standards provide for the reliable operation of the Bulk-Power System.45 Although the CIP Reliability Standards offer protection of the BES46 and improve the baseline cybersecurity posture of entities,47 they have certain limitations. For example, it can take many months for a new Reliability Standard to be developed and, once approved, it may be several more months or years before a Reliability Standard is fully implemented and enforceable.48 Further, the Bulk-Power System relies on the interdependence of connected networks and equipment; because the CIP Reliability Standards apply to BES facilities, which are generally 100 kV or higher as identified in CIP-002, not all cybersecurity systems are covered by these standards. Thus, while there are limits to how quickly CIP Reliability Standards can become mandatory and enforceable, as well as limits to what the CIP Reliability Standards can cover, the cybersecurity threats public utilities face evolve and arise on their own timeframe. For these reasons, we believe that an effective strategy against emerging cybersecurity threats includes not only requiring public utilities to comply with the mandatory CIP Reliability Standards but also encouraging public utilities to make cybersecurity investments in addition to those required by the CIP Reliability Standards. We propose to do this by providing incentives to public utilities that voluntarily make certain cybersecurity investments above and beyond those investments required by the CIP Reliability Standards. The Commission proposes taking a two-prong approach to cybersecurity, which includes both mandatory CIP Reliability Standards and a cybersecurity incentives framework. This approach would encourage public utilities to increase the protection of their systems against cybersecurity threats. Currently, public utilities may not have the appropriate economic incentives to invest in cybersecurity measures that go above and beyond the mandatory CIP Reliability Standards. The cybersecurity incentives outlined in this NOPR strive to incent public utilities to use known, effective, and dynamic solutions to cybersecurity threats for the benefit of ratepayers.

19. Given that cybersecurity investments can be made to more than a public utility's transmission system, we find that basing our incentives framework under this proposal on our transmission incentives authority under FPA section 219, as considered in the White Paper, may unnecessarily limit the application of an effective cybersecurity incentives framework and, thereby, limit possible cybersecurity investment. Creating an incentive-based approach under FPA sections 205 and 206 that encourages public utilities to undertake cybersecurity investments on a voluntary basis that are above and beyond the requirements of the mandatory CIP Reliability Standards better ensures secure service for ratepayers. This approach would incent a public utility to adopt cybersecurity practices that would not only better protect its own systems but also improve the security of the Bulk-Power System. For example, the expansion of network monitoring provides the potential integration of all aspects of Bulk-Power System security to include physical access control, equipment status indicators, and system performance monitoring. This provides

39 Commission staff noted that, under this potential approach, although a public utility could request a combination of incentives for its facility containing multiple assets, each individual asset would be eligible for only one cybersecurity incentive at a time.
40 See, e.g., Eversource Energy Serv. Co., Comments, Docket No. PL19-3-000, at 29-30 (filed June 26, 2019) (noting that market operations are becoming increasingly more complex at the same time that there is an increasing cybersecurity threat to the operation and control of the transmission system).
41 See, e.g., Revised Critical Infrastructure Protection Reliability Standards, Notice of Proposed Rulemaking, 80 FR 43354, 152 FERC ¶ 61,054, at PP 61-62 (2015).
42 Supply Chain Risk Management Reliability Standards, Order No. 850, 165 FERC ¶ 61,020, at P 2 (2018).
43 The Secretary of Health and Human Services declared a public health emergency on January 31, 2020, under section 319 of the Public Health Service Act, 42 U.S.C. 247d, in response to COVID-19.
44 Cybersecurity and Infrastructure Security Agency, National Cyber Awareness System Alerts, COVID-19 Exploited by Malicious Cyber Actors, Alert AA20-099A (Apr. 8, 2020), https://us-cert.cisa.gov/ncas/alerts/aa20-099a#:~:text=Both%20CISA%20and%20NCSC%20are,threat%20to%20individuals%20and%20organizations.
45 FPA section 215(a)(3) provides that the term "reliability standard" means a requirement, approved by the Commission under this section, to provide for reliable operation of the bulk-power system.
46 Order No. 791, 145 FERC ¶ 61,160 at PP 2, 41.
47 Order No. 822, 154 FERC ¶ 61,037 at 2.
48 See, e.g., Am. Elec. Power, Inc., Comments, Docket No. PL19-3-000, at 13-14 (filed June 26, 2019) (noting that there is a potential gap between the dynamic threats faced by the energy industry and the CIP Reliability Standards development and compliance process, which sets the rules for minimum compliance).