25 September 2008
[Federal Register: September 25, 2008 (Volume 73, Number 187)]
[Proposed Rules]
[Page 55459-55460]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr25se08-18]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
18 CFR Part 40
[Docket No. RM06-22-000]
Mandatory Reliability Standards for Critical Infrastructure
Protection
Issued September 18, 2008.
AGENCY: Federal Energy Regulatory Commission.
ACTION: Order on proposed clarification.
-----------------------------------------------------------------------
SUMMARY: The Commission is proposing to clarify that the facilities
within a nuclear generation plant in the United States that are not
regulated by the U.S. Nuclear Regulatory Commission are subject to
compliance with the eight mandatory ``CIP'' Reliability Standards
approved in Commission Order No. 706.
DATES: Comments are due October 20, 2008.
ADDRESSES: You may submit comments, identified by docket number by any
of the following methods:
Agency Web Site: http://ferc.gov. Documents created
electronically using word processing software should be filed in native
applications or print-to-PDF format and not in a scanned format.
Mail/Hand Delivery: Commenters unable to file comments
electronically must mail or hand deliver an original and 14 copies of
their comments to: Federal Energy Regulatory Commission, Secretary of
the Commission, 888 First Street, NE., Washington, DC 20426.
FOR FURTHER INFORMATION CONTACT:
Jonathan First (Legal Information), Office of General Counsel, 888
First Street, NE., Washington, DC 20426, (202) 502-8529.
Regis Binder (Technical Information), Office of Electric Reliability,
888 First Street, NE., Washington, DC 20426, (202) 502-6460.
SUPPLEMENTARY INFORMATION:
Before Commissioners: Joseph T. Kelliher, Chairman; Suedeen G. Kelly,
Marc Spitzer, Philip D. Moeller, and Jon Wellinghoff.
1. In this order, the Commission proposes to clarify the scope of
the eight Critical Infrastructure Protection (CIP) Reliability
Standards \1\ approved in Order No. 706 to assure that no ``gap''
occurs in the applicability of these Standards.\2\ In particular, each
of the eight CIP Reliability Standards provides that facilities
regulated by the U.S. Nuclear Regulatory Commission (NRC) are exempt
from the Standard. It has come to the attention of the Commission that
the NRC does not regulate all facilities within a nuclear generation
plant. Thus, to assure that there is no ``gap'' in the regulatory
process, the Commission proposes to clarify that the facilities within
a nuclear generation plant in the United States that are not regulated
by the NRC are subject to compliance with the eight CIP Reliability
Standards approved in Order No. 706.
---------------------------------------------------------------------------
\1\ Reliability Standards CIP-002-1 through CIP-009-1.
Reliability Standard CIP-001-1, which pertains to sabotage
reporting, does not include the exemption statement that is the
subject of this order.
\2\ Mandatory Reliability Standards for Critical Infrastructure
Protection, Order No. 706, 73 FR 7368 (Feb. 7, 2008), 122 FERC ]
61,040, order on reh'g, 123 FERC ] 61,174 (2008).
---------------------------------------------------------------------------
2. Comments on the Commission's proposed clarification are due 30
days from the date of issuance of this order, after which the
Commission intends to issue a further order on the matter.
Background
3. The North American Electric Reliability Corporation (NERC), the
Commission-certified Electric Reliability Organization (ERO), developed
eight CIP Reliability Standards that require certain users, owners and
operators of the Bulk-Power System to comply with specific requirements
to safeguard critical cyber assets. In January 2008, pursuant to
section 215 of the Federal Power Act (FPA),\3\ the Commission approved
the eight CIP Reliability Standards. In addition, pursuant to section
215(d)(5) of the FPA,\4\ the Commission directed the ERO to develop
modifications to the CIP Reliability Standards to address specific
concerns identified by the Commission.
---------------------------------------------------------------------------
\3\ 16 U.S.C. Sec. 824o (2006).
\4\ 16 U.S.C. Sec. 824o(d)(5).
---------------------------------------------------------------------------
4. Each of the eight CIP Reliability Standards includes an
exemption for facilities regulated by the NRC. For example, Reliability
Standard CIP-002-1 provides:
The following are exempt from Standard CIP-002: Facilities
Regulated by the U.S. Nuclear Regulatory Commission. * * * [\5\]
---------------------------------------------------------------------------
\5\ Reliability Standard CIP-002-1, section 4.2 (Applicability).
5. In an April 8, 2008 public joint meeting of the Commission and
the NRC, staff of both Commissions discussed cyber security at nuclear
generation plants. While NRC staff indicated that the NRC has proposed
regulations to address cybersecurity at nuclear generation plants,\6\
NRC staff raised a concern regarding a potential gap in regulatory
coverage. In particular, NRC staff indicated that the NRC's proposed
regulations on cybersecurity would not apply to all systems within a
nuclear generation plant. NRC staff explained:
---------------------------------------------------------------------------
\6\ Nuclear Regulatory Commission, Notice of Proposed
Rulemaking, Power Reactor Security Requirements, NRC Docket No. RIN
3150-AG63 (Oct. 2006).
The NRC's cyber requirements are not going to extend to power
continuity systems. They do not extend directly to what is not
directly associated with reactor safety security or emergency
response. * * *
As a result, and when you look at the CIP standards that were
issued, there is a discrete statement in each of the seven or eight
standards where it specifically exempts facilities regulated by the
United States Nuclear Regulatory Commission from compliance with
those CIP Standards. So there is an issue there in the sense that
our regulations for cyber security go up to a certain point, and
end.[\7\]
---------------------------------------------------------------------------
\7\ April 8, 2008, Joint Meeting of the Nuclear Regulatory
Commission and Federal Regulatory Commission, Tr. at 77-78.
---------------------------------------------------------------------------
Discussion
6. The Commission shares the concern raised at the April 8, 2008
joint meeting. It appears that the NRC's regulation of a nuclear
generation plant is limited to the facilities that are associated with
reactor safety or emergency response.\8\ The Commission believes that a
nuclear generation plant will likely include critical assets and
critical cyber assets that are not safety related and, therefore, not
regulated by the NRC. For example, facilities that pertain to the
``continuity of operation'' of a nuclear generation plant may be
[[Page 55460]]
necessary for the generation of electricity that affects the
reliability of Bulk-Power System but not have a role in reactor safety.
The Commission understands that such facilities would not be subject to
compliance with cyber security regulations developed by the NRC.
---------------------------------------------------------------------------
\8\ See id. See also 42 U.S.C. 2133, 2201 and 2232.
---------------------------------------------------------------------------
7. The Commission believes that the plain meaning of the exemption
language in the eight CIP Reliability Standards at issue is that only
those facilities within a nuclear generation plant that are regulated
by the NRC are exempt from those Standards. The exemption language in
the eight CIP Reliability Standards neither states, nor implies, that
all facilities within a nuclear generation plant are exempt from the
Standards, regardless of whether they are subject to NRC regulation.
However, the Commission believes there is a need to assure that there
is no potential gap in the regulation of critical cyber assets at
nuclear generation plants and to assure that there is no
misunderstanding of the scope of the exemption in the CIP Reliability
Standards. The Commission, therefore, proposes to clarify that
Reliability Standards CIP-002-1 through CIP-009-1 apply to the
facilities within a nuclear generation plant that are not regulated by
the NRC.
8. To be clear, the Commission's intent is to eliminate a potential
gap in the regulation of critical assets and critical cyber assets at
nuclear generation plants in the United States. The Commission
reaffirms the language of the CIP Reliability Standards--and respects
the jurisdiction of the NRC--and does not intend that those Standards
apply to facilities within a nuclear generation plant that are
regulated by the NRC. This should allay concerns that a specific
facility is subject to ``dual'' regulation by both the Commission and
NRC as to cyber security.
9. In addition to comments on the proposed clarification, the
Commission seeks comment on the following two related matters:
Whether there is a clear delineation between those facilities
within a nuclear generation plant that pertain to reactor safety
security or emergency response and the non-safety portion or, as NRC
refers to it, the ``balance of plant.'' For example, the generator
itself in a nuclear generation plant would seem to be under the CIP
Reliability Standards, but the motors that operate nuclear reactor
control rods would seem to be under NRC regulation. If the
delineation is not clear, is there a need for owners and/or
operators of nuclear generation plants to identify the specific
facilities that pertain to reactor safety security or emergency
response and subject to NRC regulation, and the balance of plant
that is subject to the eight CIP Reliability Standards?
In Order No. 706, the Commission approved NERC's ``(Revised)
Implementation Plan for Cyber Security Standards CIP-001-1 through
CIP-009-1'' for the eight cybersecurity Reliability Standards. The
implementation plan provides a staggered approach to implementation
that includes three tables with separate timelines for various
industry segments. Table 3, which applies to generation owners and
generation operators, requires achieving compliance with the
requirements of the CIP Reliability Standards by December 31, 2009.
The only requirement that has a different compliance date in Table 3
is CIP-003-1 Requirement R2, which must be complied with by June 30,
2008. The Commission seeks comment on whether Table 3 for generation
owners and generation operators should control the implementation
schedule of the CIP Reliability Standards to the facilities within a
nuclear generation plant that the NRC does not regulate.
10. Comments on the Commission's proposed clarification are due 30
days from the date of issuance of this order, after which the
Commission intends to issue a further order on the matter.
The Commission orders: The Commission directs that this order be
published in the Federal Register. Comments on the Commission's
proposed clarification are due 30 days from the date of issuance of
this order.
By the Commission.
Kimberly D. Bose,
Secretary.
[FR Doc. E8-22198 Filed 9-24-08; 8:45 am]
BILLING CODE 6717-01-P
|