Federal Register - February 5, 2021


Source: Federal Register

Federal Register / Vol. 86, No. 23 / Friday, February 5, 2021 / Proposed Rules

low risk to the operation of the Bulk Electric System (BES)[15] if compromised. High impact systems include large control centers. Medium impact systems include smaller control centers, ultra-high voltage transmission, and large substations and generating facilities. The remainder of the BES Cyber Systems[16] are categorized as low impact systems. Most requirements in the CIP Reliability Standards apply to high and medium impact systems; however, a technical controls requirement in CIP-003, described below, applies only to low impact systems. Since 2013, the Commission has approved new and modified CIP Reliability Standards that address specific issues such as supply chain risk management, cyber incident reporting, communications between control centers, and the physical security of critical transmission facilities.[17]

8. The CIP Reliability Standards currently consist of 12 standards specifying a set of requirements that entities must follow to ensure the cyber and physical security of the Bulk-Power System. There are 10 currently effective cybersecurity standards and one cybersecurity standard that has been approved by the Commission and will become enforceable on July 1, 2022. There is also one physical security standard, which is not the subject of this NOPR:[18]

CIP-002-5.1a (Bulk Electric System Cyber System Categorization): Requires entities to identify and categorize BES Cyber Assets for the application of cyber security requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES Cyber Systems could have on the reliable operation of the BES.

CIP-003-8 (Security Management Controls): Requires entities to specify consistent and sustainable security management controls that establish responsibility and accountability to protect BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

CIP-004-6 (Personnel and Training): Requires entities to minimize the risk against compromise that could lead to misoperation or instability in the BES from individuals accessing BES Cyber Systems by requiring an appropriate level of personnel risk assessment, training, and security awareness in support of protecting BES Cyber Systems.

CIP-005-6 (Electronic Security Perimeters): Requires entities to manage electronic access to BES Cyber Systems by specifying a controlled Electronic Security Perimeter in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

CIP-006-6 (Physical Security of Bulk Electric System Cyber Systems): Requires entities to manage physical access to BES Cyber Systems by specifying a physical security plan in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

CIP-007-6 (System Security Management): Requires entities to manage system security by specifying select technical, operational, and procedural requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

CIP-008-5 (Incident Reporting and Response Planning):[19] Requires entities to mitigate the risk to the reliable operation of the BES as the result of a cybersecurity incident by specifying incident response requirements.

CIP-009-6 (Recovery Plans for Bulk Electric System Cyber Systems): Requires entities to recover reliability functions performed by BES Cyber Systems by specifying recovery plan requirements in support of the continued stability, operability, and reliability of the BES.

CIP-010-3 (Configuration Change Management and Vulnerability Assessments): Requires entities to prevent and detect unauthorized changes to BES Cyber Systems by specifying configuration change management and vulnerability assessment requirements in support of protecting BES Cyber Systems from compromise that could lead to misoperation or instability in the BES.

CIP-011-2 (Information Protection): Requires entities to prevent unauthorized access to BES Cyber System Information by specifying information protection requirements in support of protecting BES Cyber Systems against compromise that could lead to misoperation or instability in the BES.

CIP-012-1 (Communications between Control Centers):[20] Requires entities to protect the confidentiality and integrity of Real-time Assessment and Real-time monitoring data transmitted between Control Centers.

CIP-013-1 (Supply Chain Risk Management): Requires entities to mitigate cybersecurity risks to the reliable operation of the BES by implementing security controls for supply chain risk management of BES Cyber Systems.

9. The CIP Reliability Standards, viewed as a whole, implement a defense-in-depth approach to protecting the security of BES Cyber Systems at all impact levels.[21] The CIP Reliability Standards are objective-based and allow entities to choose compliance approaches best tailored to their systems.[22]

B. NIST Framework

10. The Cybersecurity Enhancement Act of 2014 (Cybersecurity Act)[23] updated the role of the NIST to include identifying and developing cybersecurity risk frameworks for voluntary use by critical infrastructure owners and operators. Under the Cybersecurity Act, NIST must identify a

Footnotes

[15] In general, NERC defines BES to include all Transmission Elements operated at 100 kV or higher and Real Power and Reactive Power resources connected at 100 kV or higher. This does not include facilities used in the local distribution of electric energy. See NERC, Bulk Electric System Definition Reference Document, Version 3, at page iii (August 2018). In Order No. 693, the Commission found that NERC's definition of BES is narrower than the statutory definition of Bulk-Power System. The Commission decided to rely on the NERC definition of BES to provide certainty regarding the applicability of Reliability Standards to specific entities. See Mandatory Reliability Standards for the Bulk-Power System, Order No. 693, 72 FR 16415 (Apr. 4, 2007), 118 FERC ¶ 61,218, at PP 75, 79, 491, order on reh'g, Order No. 693-A, 72 FR 49717 (July 25, 2007), 120 FERC ¶ 61,053 (2007).

[16] NERC defines BES Cyber System as "one or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity." NERC, Glossary of Terms Used in NERC Reliability Standards, at 5 (2020), https://www.nerc.com/files/glossary_of_terms.pdf (NERC Glossary of Terms). NERC defines BES Cyber Asset as "A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems." Id. at 4.

[17] See, e.g., Order No. 791, 78 FR 72755; Revised Critical Infrastructure Protection Reliability Standards, Order No. 822, 81 FR 4177 (Jan. 26, 2016), 154 FERC ¶ 61,037, reh'g denied, Order No. 822-A, 156 FERC ¶ 61,052 (2016); Revised Critical Infrastructure Protection Reliability Standard CIP-003-7 (Cyber Security - Security Management Controls), Order No. 843, 163 FERC ¶ 61,032 (2018).

[18] CIP-014-2 (Physical Security): Requires entities to identify and protect transmission stations and transmission substations, and their associated primary control centers, that, if rendered inoperable or damaged as a result of a physical attack, could result in instability, uncontrolled separation, or cascading within an interconnection.

[19] An update to CIP-008-6 Reliability Standard will become enforceable on January 1, 2021.

[20] CIP-012-1 (Communications between Control Centers) will be subject to enforcement by July 1, 2022.

[21] Order No. 822, 154 FERC ¶ 61,037 at 32.

[22] Order No. 706, 122 FERC ¶ 61,040 at 72.

[23] 15 U.S.C. 272(e)(1)(A)(i).

