Mandatory Reliability Standards for Critical Infrastructure Protection

As Enacted ( Federal Register)

Cited authorities 1

Cited in

Federal Register: September 25, 2008 (Volume 73, Number 187)

Proposed Rules

Page 55459-55460

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

DOCID:fr25se08-18

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission 18 CFR Part 40

Docket No. RM06-22-000

Mandatory Reliability Standards for Critical Infrastructure

Protection

Issued September 18, 2008.

AGENCY: Federal Energy Regulatory Commission.

ACTION: Order on proposed clarification.

SUMMARY: The Commission is proposing to clarify that the facilities within a nuclear generation plant in the United States that are not regulated by the U.S. Nuclear Regulatory Commission are subject to compliance with the eight mandatory ``CIP'' Reliability Standards approved in Commission Order No. 706.

DATES: Comments are due October 20, 2008.

ADDRESSES: You may submit comments, identified by docket number by any of the following methods:

Agency Web Site: http://ferc.gov. Documents created electronically using word processing software should be filed in native applications or print-to-PDF format and not in a scanned format.

Mail/Hand Delivery: Commenters unable to file comments electronically must mail or hand deliver an original and 14 copies of their comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street, NE., Washington, DC 20426.

FOR FURTHER INFORMATION CONTACT:

Jonathan First (Legal Information), Office of General Counsel, 888

First Street, NE., Washington, DC 20426, (202) 502-8529.

Regis Binder (Technical Information), Office of Electric Reliability, 888 First Street, NE., Washington, DC 20426, (202) 502-6460.

SUPPLEMENTARY INFORMATION:

Before Commissioners: Joseph T. Kelliher, Chairman; Suedeen G. Kelly,

Marc Spitzer, Philip D. Moeller, and Jon Wellinghoff. 1. In this order, the Commission proposes to clarify the scope of the eight Critical Infrastructure Protection (CIP) Reliability

Standards \1\ approved in Order No. 706 to assure that no ``gap'' occurs in the applicability of these Standards.\2\ In particular, each of the eight CIP Reliability Standards provides that facilities regulated by the U.S. Nuclear Regulatory Commission (NRC) are exempt from the Standard. It has come to the attention of the Commission that the NRC does not regulate all facilities within a nuclear generation plant. Thus, to assure that there is no ``gap'' in the regulatory process, the Commission proposes to clarify that the facilities within a nuclear generation plant in the United States that are not regulated by the NRC are subject to compliance with the eight CIP Reliability

Standards approved in Order No. 706.

\1\ Reliability Standards CIP-002-1 through CIP-009-1.

Reliability Standard CIP-001-1, which pertains to sabotage reporting, does not include the exemption statement that is the subject of this order.

\2\ Mandatory Reliability Standards for Critical Infrastructure

Protection, Order No. 706, 73 FR 7368 (Feb. 7, 2008), 122 FERC ] 61,040, order on reh'g, 123 FERC ] 61,174 (2008).

2. Comments on the Commission's proposed clarification are due 30 days from the date of issuance of this order, after which the

Commission intends to issue a further order on the matter.

Background 3. The North American Electric Reliability Corporation (NERC), the

Commission-certified Electric Reliability Organization (ERO), developed eight CIP Reliability Standards that require certain users, owners and operators of the Bulk-Power System to comply with specific requirements to safeguard critical cyber assets. In January 2008, pursuant to section 215 of the Federal Power Act (FPA),\3\ the Commission approved the eight CIP Reliability Standards. In addition, pursuant to section 215(d)(5) of the FPA,\4\ the Commission directed the ERO to develop modifications to the CIP Reliability Standards to address specific concerns identified by the Commission.

\3\ 16 U.S.C. Sec. 824o (2006).

\4\ 16 U.S.C. Sec. 824o(d)(5).

4. Each of the eight CIP Reliability Standards includes an exemption for facilities regulated by the NRC. For example, Reliability

Standard CIP-002-1 provides:

The following are exempt from Standard CIP-002: Facilities

Regulated by the U.S. Nuclear Regulatory Commission. * * * [\5\]

\5\ Reliability Standard CIP-002-1, section 4.2 (Applicability). 5. In an April 8, 2008 public joint meeting of the Commission and the NRC, staff of both Commissions discussed cyber security at nuclear generation plants. While NRC staff indicated that the NRC has proposed regulations to address cybersecurity at nuclear generation plants,\6\

NRC staff raised a concern regarding a potential gap in regulatory coverage. In particular, NRC staff indicated that the NRC's proposed regulations on cybersecurity would not apply to all systems within a nuclear generation plant. NRC staff explained:

\6\ Nuclear Regulatory Commission, Notice of Proposed

Rulemaking, Power Reactor Security Requirements, NRC Docket No. RIN 3150-AG63 (Oct. 2006).

The NRC's cyber requirements are not going to extend to power continuity systems. They do not extend directly to what is not directly associated with reactor safety security or emergency response. * * *

As a result, and when you look at the CIP standards that were issued, there is a discrete statement in each of the seven or eight standards where it specifically exempts facilities regulated by the

United States Nuclear Regulatory Commission from compliance with those CIP Standards. So there is an issue there in the sense that our regulations for cyber security go up to a certain point, and end.[\7\]

\7\ April 8, 2008, Joint Meeting of the Nuclear Regulatory

Commission and Federal Regulatory Commission, Tr. at 77-78.

Discussion 6. The Commission shares the concern raised at the April 8, 2008 joint meeting. It appears that the NRC's regulation of a nuclear generation plant is limited to the facilities that are associated with reactor safety or emergency response.\8\ The Commission believes that a nuclear generation plant will likely include critical assets and critical cyber assets that are not safety related and, therefore, not regulated by the NRC. For example, facilities that pertain to the

``continuity of operation'' of a nuclear generation plant may be

Page 55460

necessary for the generation of electricity that affects the reliability of Bulk-Power System but not have a role in reactor safety.

The Commission understands that such facilities would not be subject to compliance with cyber security regulations developed by the NRC.

\8\ See id. See also 42 U.S.C. 2133, 2201 and 2232.

7. The Commission believes that the plain meaning of the exemption language in the eight CIP Reliability Standards at issue is that only those facilities within a nuclear generation plant that are regulated by the NRC are exempt from those Standards. The exemption language in the eight CIP Reliability Standards neither states, nor implies, that all facilities within a nuclear generation plant are exempt from the

Standards, regardless of whether they are subject to NRC regulation.

However, the Commission believes there is a need to assure that there is no potential gap in the regulation of critical cyber assets at nuclear generation plants and to assure that there is no misunderstanding of the scope of the exemption in the CIP Reliability

Standards. The Commission, therefore, proposes to clarify that

Reliability Standards CIP-002-1 through CIP-009-1 apply to the facilities within a nuclear generation plant that are not regulated by the NRC. 8. To be clear, the Commission's intent is to eliminate a potential gap in the regulation of critical assets and critical cyber assets at nuclear generation plants in the United States. The Commission reaffirms the language of the CIP Reliability Standards--and respects the jurisdiction of the NRC--and does not intend that those Standards apply to facilities within a nuclear generation plant that are regulated by the NRC. This should allay concerns that a specific facility is subject to ``dual'' regulation by both the Commission and

NRC as to cyber security. 9. In addition to comments on the proposed clarification, the

Commission seeks comment on the following two related matters:

Whether there is a clear delineation between those facilities within a nuclear generation plant that pertain to reactor safety security or emergency response and the non-safety portion or, as NRC refers to it, the ``balance of plant.'' For example, the generator itself in a nuclear generation plant would seem to be under the CIP

Reliability Standards, but the motors that operate nuclear reactor control rods would seem to be under NRC regulation. If the delineation is not clear, is there a need for owners and/or operators of nuclear generation plants to identify the specific facilities that pertain to reactor safety security or emergency response and subject to NRC regulation, and the balance of plant that is subject to the eight CIP Reliability Standards?

In Order No. 706, the Commission approved NERC's ``(Revised)

Implementation Plan for Cyber Security Standards CIP-001-1 through

CIP-009-1'' for the eight cybersecurity Reliability Standards. The implementation plan provides a staggered approach to implementation that includes three tables with separate timelines for various industry segments. Table 3, which applies to generation owners and generation operators, requires achieving compliance with the requirements of the CIP Reliability Standards by December 31, 2009.

The only requirement that has a different compliance date in Table 3 is CIP-003-1 Requirement R2, which must be complied with by June 30, 2008. The Commission seeks comment on whether Table 3 for generation owners and generation operators should control the implementation schedule of the CIP Reliability Standards to the facilities within a nuclear generation plant that the NRC does not regulate. 10. Comments on the Commission's proposed clarification are due 30 days from the date of issuance of this order, after which the

Commission intends to issue a further order on the matter.

The Commission orders: The Commission directs that this order be published in the Federal Register. Comments on the Commission's proposed clarification are due 30 days from the date of issuance of this order.

By the Commission.

Kimberly D. Bose,

Secretary.

FR Doc. E8-22198 Filed 9-24-08; 8:45 am

BILLING CODE 6717-01-P

Subscribers can access the reported version of this case.

You can sign up for a trial and make the most of our service including these benefits.

Request your trial

Why Sign-up to vLex?

Over 100 Countries

Search over 120 million documents from over 100 countries including primary and secondary collections of legislation, case law, regulations, practical law, news, forms and contracts, books, journals, and more.
Thousands of Data Sources

Updated daily, vLex brings together legal information from over 750 publishing partners, providing access to over 2,500 legal and news sources from the world’s leading publishers.
Find What You Need, Quickly

Advanced A.I. technology developed exclusively by vLex editorially enriches legal information to make it accessible, with instant translation into 14 languages for enhanced discoverability and comparative research.
Over 2 million registered users

Founded over 20 years ago, vLex provides a first-class and comprehensive service for lawyers, law firms, government departments, and law schools around the world.

Subscribers are able to see a list of all the cited cases and legislation of a document.

You can sign up for a trial and make the most of our service including these benefits.

Request your trial

Why Sign-up to vLex?

Over 100 Countries

Search over 120 million documents from over 100 countries including primary and secondary collections of legislation, case law, regulations, practical law, news, forms and contracts, books, journals, and more.
Thousands of Data Sources

Updated daily, vLex brings together legal information from over 750 publishing partners, providing access to over 2,500 legal and news sources from the world’s leading publishers.
Find What You Need, Quickly

Advanced A.I. technology developed exclusively by vLex editorially enriches legal information to make it accessible, with instant translation into 14 languages for enhanced discoverability and comparative research.
Over 2 million registered users

Founded over 20 years ago, vLex provides a first-class and comprehensive service for lawyers, law firms, government departments, and law schools around the world.

Subscribers are able to see a list of all the documents that have cited the case.

You can sign up for a trial and make the most of our service including these benefits.

Request your trial

Why Sign-up to vLex?

Over 100 Countries

Search over 120 million documents from over 100 countries including primary and secondary collections of legislation, case law, regulations, practical law, news, forms and contracts, books, journals, and more.
Thousands of Data Sources

Updated daily, vLex brings together legal information from over 750 publishing partners, providing access to over 2,500 legal and news sources from the world’s leading publishers.
Find What You Need, Quickly

Advanced A.I. technology developed exclusively by vLex editorially enriches legal information to make it accessible, with instant translation into 14 languages for enhanced discoverability and comparative research.
Over 2 million registered users

Founded over 20 years ago, vLex provides a first-class and comprehensive service for lawyers, law firms, government departments, and law schools around the world.

Subscribers are able to see the revised versions of legislation with amendments.

You can sign up for a trial and make the most of our service including these benefits.

Request your trial

Why Sign-up to vLex?

Over 100 Countries

Search over 120 million documents from over 100 countries including primary and secondary collections of legislation, case law, regulations, practical law, news, forms and contracts, books, journals, and more.
Thousands of Data Sources

Updated daily, vLex brings together legal information from over 750 publishing partners, providing access to over 2,500 legal and news sources from the world’s leading publishers.
Find What You Need, Quickly

Advanced A.I. technology developed exclusively by vLex editorially enriches legal information to make it accessible, with instant translation into 14 languages for enhanced discoverability and comparative research.
Over 2 million registered users

Founded over 20 years ago, vLex provides a first-class and comprehensive service for lawyers, law firms, government departments, and law schools around the world.

Subscribers are able to see any amendments made to the case.

You can sign up for a trial and make the most of our service including these benefits.

Request your trial

Why Sign-up to vLex?

Over 100 Countries

Search over 120 million documents from over 100 countries including primary and secondary collections of legislation, case law, regulations, practical law, news, forms and contracts, books, journals, and more.
Thousands of Data Sources

Updated daily, vLex brings together legal information from over 750 publishing partners, providing access to over 2,500 legal and news sources from the world’s leading publishers.
Find What You Need, Quickly

Advanced A.I. technology developed exclusively by vLex editorially enriches legal information to make it accessible, with instant translation into 14 languages for enhanced discoverability and comparative research.
Over 2 million registered users

Founded over 20 years ago, vLex provides a first-class and comprehensive service for lawyers, law firms, government departments, and law schools around the world.

Subscribers are able to see a visualisation of a case and its relationships to other cases. An alternative to lists of cases, the Precedent Map makes it easier to establish which ones may be of most relevance to your research and prioritise further reading. You also get a useful overview of how the case was received.

Request your trial

Why Sign-up to vLex?

Over 100 Countries

Search over 120 million documents from over 100 countries including primary and secondary collections of legislation, case law, regulations, practical law, news, forms and contracts, books, journals, and more.
Thousands of Data Sources

Updated daily, vLex brings together legal information from over 750 publishing partners, providing access to over 2,500 legal and news sources from the world’s leading publishers.
Find What You Need, Quickly

Advanced A.I. technology developed exclusively by vLex editorially enriches legal information to make it accessible, with instant translation into 14 languages for enhanced discoverability and comparative research.
Over 2 million registered users

Founded over 20 years ago, vLex provides a first-class and comprehensive service for lawyers, law firms, government departments, and law schools around the world.

Subscribers are able to see the list of results connected to your document through the topics and citations Vincent found.

You can sign up for a trial and make the most of our service including these benefits.

Request your trial

Why Sign-up to vLex?

Over 100 Countries

Search over 120 million documents from over 100 countries including primary and secondary collections of legislation, case law, regulations, practical law, news, forms and contracts, books, journals, and more.
Thousands of Data Sources

Updated daily, vLex brings together legal information from over 750 publishing partners, providing access to over 2,500 legal and news sources from the world’s leading publishers.
Find What You Need, Quickly

Advanced A.I. technology developed exclusively by vLex editorially enriches legal information to make it accessible, with instant translation into 14 languages for enhanced discoverability and comparative research.
Over 2 million registered users

Founded over 20 years ago, vLex provides a first-class and comprehensive service for lawyers, law firms, government departments, and law schools around the world.

Mandatory Reliability Standards for Critical Infrastructure Protection

You can sign up for a trial and make the most of our service including these benefits.

Why Sign-up to vLex?

Over 100 Countries

Thousands of Data Sources

Find What You Need, Quickly

Over 2 million registered users

You can sign up for a trial and make the most of our service including these benefits.

Why Sign-up to vLex?

Over 100 Countries

Thousands of Data Sources

Find What You Need, Quickly

Over 2 million registered users

You can sign up for a trial and make the most of our service including these benefits.

Why Sign-up to vLex?

Over 100 Countries

Thousands of Data Sources

Find What You Need, Quickly

Over 2 million registered users

You can sign up for a trial and make the most of our service including these benefits.

Why Sign-up to vLex?

Over 100 Countries

Thousands of Data Sources

Find What You Need, Quickly

Over 2 million registered users

You can sign up for a trial and make the most of our service including these benefits.

Why Sign-up to vLex?

Over 100 Countries

Thousands of Data Sources

Find What You Need, Quickly

Over 2 million registered users

Why Sign-up to vLex?

Over 100 Countries

Thousands of Data Sources

Find What You Need, Quickly

Over 2 million registered users

You can sign up for a trial and make the most of our service including these benefits.

Why Sign-up to vLex?

Over 100 Countries

Thousands of Data Sources

Find What You Need, Quickly

Over 2 million registered users