Voglio sapere a riguardo di…

43592

Federal Register / Vol. 86, No. 151 / Tuesday, August 10, 2021 / Rules and Regulations
jbell on DSKJLSW7X2PROD with RULES

the Order No. 587 series of orders,6
wherein the Commission has incorporated by reference standards for interstate natural gas pipeline business practices and electronic communications that were developed and adopted by NAESBs WGQ. Upon incorporation by reference, this version of the standards will replace the currently incorporated version Version 3.1 of those business practice standards.
6. On August 17, 2020, NAESB filed a report informing the Commission that it had adopted and ratified WGQ
Version 3.2 of its business practice standards applicable to interstate natural gas pipelines. Version 3.2 of the WGQ includes business practice standards developed and modified in response to industry requests and directives from the NAESB Board of Directors. This version also includes the standards developed in response to the recommendations of Sandia, which in 2019 issued a cybersecurity surety assessment of the NAESB standards sponsored by DOE Sandia Surety Assessment,7 and the standards developed to enable the use of distributed ledger technologies when transacting the NAESB Base Contract for Sale and Purchase of Natural Gas.
7. The NAESB report identifies all the changes made to the WGQ Version 3.1
Standards and summarizes the deliberations that led to the changes being made. It also identifies changes to the existing standards that were considered but not adopted due to a lack of consensus or other reasons.
8. On February 18, 2021, the Commission issued a Notice of Proposed Rulemaking proposing to amend its regulations to incorporate by reference, with certain enumerated exceptions, the NAESB WGQ Version 6 This series of orders began with the Commissions issuance of Standards for Bus. Pracs.
of Interstate Nat. Gas Pipelines., Ord. No. 587, 61
FR 39053 July 26, 1996, FERC Stats. & Regs.
31,038 1996 cross-referenced at 76 FERC
61,042.
7 In April 2017, NAESB announced that Sandia, through funding provided by DOE, would be performing a surety assessment of the NAESB
standards. As determined by Sandia and DOE, the purpose of the surety assessment was to analyze cybersecurity elements within the standards, focusing on four areas: 1 The NAESB Certification Program for Accredited Certification Authorities, including the Wholesale Electric Quadrant WEQ
012 Public Key Infrastructure Business Practice Standards, the NAESB Accreditation Requirements for Authorized Certificate Authorities, and the Authorized Certification Authority Process; 2 the WEQ Open Access Same-Time Information Systems suite of standards; 3 the WGQ and Retail Markets Quadrant IET and Quadrant EDM Related Standards Manual; and 4 a high-level dependency analysis between the gas and electric markets to evaluate the different security paradigms the markets employ.

VerDate Sep<11>2014

16:06 Aug 09, 2021

Jkt 253001

3.2 business practice standards referenced above applicable to natural gas pipelines.8
9. In response to the Version 3.2
NOPR, NAESB and the Interstate Natural Gas Association of America INGAA filed comments. NAESB
clarifies that Standards 4.3.60 and 10.3.16 do not require multi-factor e.g., two-factor authentication on an individual basis. NAESB clarifies that Standard 4.3.60 states that a Customer Activities website should be protected by Hyper-Text Transport Protocol HTTP 9 Basic Authentication using transport layer security and require a single logon/password pair for each user session. NAESB further clarifies that Standard 10.3.16 states that trading partners should implement HTTP Basic Authentication using transport layer security.10 INGAA supports NAESBs clarifying comments.11
10. INGAA expresses support for the Commissions proposal to incorporate by reference NAESBs WGQ Version 3.2
business practice standards. INGAA also supports the Commissions proposal in the Version 3.2 NOPR, but urges the Commission to ensure that implementation of a Final Rule in this proceeding occurs for the first gas day of the month, but not prior to April 1, 2022, after the winter heating season.
INGAA states that implementation of a Final Rule in this proceeding will require substantial time and effort from both pipelines and their customers to alter business systems, scheduling, and coordination processes and, thus, it would be best to schedule implementation to not occur during the winter heating season.12
11. Further, INGAA states that requiring implementation to occur for the first gas day of the month is important for both pipelines and shippers. INGAA explains that while pipelines update their software to accommodate the new NAESB version ahead of the implementation date, both pipelines and shippers need to ensure that contract, nomination, allocation, invoice, and other changes will be fully in place and working properly with the start of the gas month. INGAA states that this is consistent with the 8 Standards for Bus. Pracs. of Interstate Nat. Gas Pipelines, Notice of Proposed Rulemaking, 86 FR
12879 Mar. 5, 2021, 174 FERC 61,103 2021
Version 3.2 NOPR.
9 HTTP is the original communications protocol of the internet which enables a web browser to depict text, pictures, shapes, live data, and click targets on a web browser. However, username and password combinations are not encrypted in HTTP
Basic Authentication.
10 NAESB Cmts. at 1.
11 INGAA Cmts. at 3.
12 Id. at 2.

PO 00000

Frm 00004

Fmt 4700

Sfmt 4700

industrys monthly billing cycle and shall avoid the complications of a midmonth transition.13
II. Discussion A. The NAESB WGQ Version 3.2
Business Practice Standards 1. Modifications to Previous Version of Standards a. Modifications in Response to the Sandia Surety Assessment 12. NAESB revised previously incorporated standards and developed new standards in response to the recommendations in the Sandia Surety Assessment. Specifically, NAESB
adopted revisions to the WGQ EDM
Related Business Practice Standards, which establish the framework for the electronic dissemination and communication of information between parties in the North American wholesale gas marketplace, and to the WGQ IET
Related Business Practice Standards, which define the implementation of various technologies necessary to communicate transactions and other electronic data using standard protocols for electronic commerce over the internet between trading partners. First, NAESB adopted two new standards, 4.3.109 and 10.3.28, to provide that trading partners should evaluate software fixes or patches for known vulnerabilities within 30 days and implement the fix or patch as soon as reasonably practicable based on the severity of the risk. Second, NAESB
adopted two new standards, 4.3.110 and 10.3.29, to provide that trading partners should mutually agree to the version of the EDM and IET to be used. Third, the new standards specify notification and coordination timelines with trading partners, where applicable, to address vulnerable systems or software as soon as possible. Fourth, the Sandia Surety Assessment recommended that NAESB
consider guidelines for configuration and logging, network traffic monitoring, alerting systems, and manual continuity of operations in the event of abnormal behavior or failure conditions within the system. In response, NAESB added language to new Standards 4.3.110 and 10.3.28 to include both specific and broad adoptions of such system security measures.
13. Further, NAESB added language to existing Standards 4.3.60, 4.3.61, 10.2.33, and 10.3.25 to clarify the Transport Layer Security protocol,14
13 Id.
14 The National Institute of Standards and Technology Special Pub. 80052 requires government Transport Layer Security servers and clients to support Transport Layer Security Version
E:FRFM10AUR1.SGM

10AUR1