Table Of ContentUNITED STATES OF AMERICA
BEFORE THE
FEDERAL ENERGY REGULATORY COMMISSION
NORTH AMERICAN ELECTRIC ) Docket No. RD13-_____
RELIABILITY CORPORATION )
PETITION OF THE
NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION
FOR APPROVAL OF CRITICAL INFRASTRUCTURE PROTECTION RELIABILITY
STANDARDS VERSION 5
Gerald W. Cauley Charles A. Berardesco
President and Chief Executive Officer Senior Vice President and General Counsel
North American Electric Reliability Holly A. Hawkins
Corporation Assistant General Counsel
3353 Peachtree Road, N.E. Willie L. Phillips
Suite 600, North Tower Attorney
Atlanta, GA 30326 North American Electric Reliability
(404) 446-2560 Corporation
(404) 446-2595– facsimile 1325 G Street, N.W., Suite 600
Washington, D.C. 20005
(202) 400-3000
(202) 644-8099– facsimile
[email protected]
[email protected]
[email protected]
Counsel for North American Electric
Reliability Corporation
January 31, 2013
TABLE OF CONTENTS
I. Executive Summary………………………………………………………………………….. 3
II. Notices and Communications………………………………………………………………... 7
III. Background and Regulatory Framework.....……………………………………………….. 7
IV. Justification for Approval of the Proposed Modifications to Reliability Standards…….. 8
a. Basis for Approval of Proposed Reliability Standard
b. CIP Version 5 presents significant improvements to previous CIP standards
c. New Proposed Reliability Standards CIP-010-1and CIP-011-1
d. Proposed Definitions of Terms Used in CIP Version 5
e. Enforceability of the Proposed CIP Version 5 Reliability Standards
f. Violation Risk Factor and Violation Severity Level Assignments
g. NERC Reliability Standards Development Procedure
V. CIP Version 5 Satisfies All FERC Directives and Concerns …………………………….. 30
a. Order No. 706 Directives
b. Application of NIST Framework
c. Regional Perspective
VI. Summary of the Reliability Standard Development Proceedings………………….…….. 41
VII. CIP Version 5 Implementation Plan……………………………………………………… 42
VIII. Conclusion…………………………………………………………………………….….… 44
Exhibit A — Proposed CIP Version 5 Reliability Standards submitted for Approval and associated
modifications to the Glossary of Terms used in NERC Reliability Standards
Exhibit B — Implementation Plan for Proposed CIP Version 5 Reliability Standards submitted for
Approval
Exhibit C — Standard Drafting Team Roster for Project 2008-06 - Cyber Security Order 706
Version 5 CIP Standards
Exhibit D — Consideration of Comments Reports
Exhibit E — Table of VRFs and VSLs Proposed for Approval and Analysis of how VRFs and VSLs
Were Determined Using Commission Guidelines
Exhibit F — Record of Development of Proposed CIP Version 5 Reliability Standards
Exhibit G — Order No. 672 Criteria for Approving Proposed Reliability Standards
Exhibit H — Consideration of Issues and Directives
i
UNITED STATES OF AMERICA
BEFORE THE
FEDERAL ENERGY REGULATORY COMMISSION
NORTH AMERICAN ELECTRIC ) Docket No. RD13-____
RELIABILITY CORPORATION )
PETITION OF THE
NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION
FOR APPROVAL OF CRITICAL INFRASTRUCTURE PROTECTION RELIABILITY
STANDARDS VERSION 5
The North American Electric Reliability Corporation (“NERC”)1 hereby requests that the
Federal Energy Regulatory Commission (“FERC” or the “Commission”) approve, in accordance
with Section 215(d)(1) of the Federal Power Act (“FPA”)2 and Section 39.5 of the Commission’s
regulations, 18 C.F.R. § 39.5 (2012), the following ten proposed Critical Infrastructure
Protection (“CIP”) Reliability Standards (“CIP Version 5”) and find that they are just,
reasonable, not unduly discriminatory or preferential and in the public interest:
• CIP–002–5 — Cyber Security — BES Cyber System Categorization
• CIP–003–5 — Cyber Security — Security Management Controls
• CIP–004–5 — Cyber Security — Personnel and Training
• CIP–005–5 — Cyber Security — Electronic Security Perimeter(s)
• CIP–006–5 — Cyber Security — Physical Security of BES Cyber Systems
• CIP–007–5 — Cyber Security — Systems Security Management
• CIP–008–5 — Cyber Security — Incident Reporting and Response Planning
• CIP–009–5 — Cyber Security — Recovery Plans for BES Cyber Systems
• CIP–010–1 — Cyber Security — Configuration Change Management and
Vulnerability Assessments
• CIP–011–1 — Cyber Security — Information Protection
1 NERC was certified by the Commission as the electric reliability organization (“ERO”) in accordance with
Section 215 of the Federal Power Act in its order issued on July 20, 2006 in Docket No. RR06-1-000. North
American Electric Reliability Corp., 116 FERC ¶ 61,062 (2006) (“ERO Certification Order”).
2 16 U.S.C. § 824o (2012).
1
NERC also requests approval of the proposed definitions of terms used in the proposed
CIP Version 5, the associated implementation plan, and the proposed Violation Risk Factors
(“VRFs”) and Violation Severity Levels (“VSLs”).3 This filing also addresses all remaining
standards-related issues and directives from Order No. 706.4
Additionally, NERC requests that CIP Version 5 become effective on the first day of the
eighth calendar quarter after a final rule is issued in this docket. The requested effective date:
(1) is just and reasonable; (2) properly balances the urgency to implement the standards with
time allowed to develop necessary procedures, software, facilities, staffing or other relevant
capabilities; and (3) allows applicable entities adequate time to ensure compliance with the
requirements in accordance with Order No. 672.5
After a successful industry ballot with the CIP Version 5 standards achieving approval
ranging from to 78.59% to 95.67%, the NERC Board of Trustees approved the CIP Version 5
standards and related documents on November 26, 2012.
Exhibit A to this filing sets forth the proposed CIP Version 5 standards and associated
modifications to the Glossary of Terms used in NERC Reliability Standards. Exhibit B contains
the Implementation Plan for CIP Version 5. Exhibit C contains the Standard Drafting Team
Roster for Project 2008-06 Cyber Security Order 706, which is the technical team responsible for
developing CIP Version 5. Exhibit D contains the Consideration of Comments Reports for CIP
3 Unless otherwise specified, capitalized terms used herein have the meanings specified in the NERC Glossary of
Terms, available at: http://www.nerc.com/files/Glossary_of_Terms.pdf.
4 Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 122 FERC ¶ 61,040,
denying reh’g and granting clarification, Order No. 706-A, 123 FERC ¶ 61,174 (2008), order on clarification,
Order No. 706-B, 126 FERC ¶ 61,229 (2009), order denying clarification, Order No. 706-C, 127 FERC ¶ 61,273
(2009) (“Order No. 706”).
5 Rules Concerning Certification of the Electric Reliability Organization; and Procedures for the Establishment,
Approval, and Enforcement of Electric Reliability Standards, Order No. 672, FERC Stats. & Regs. ¶ 31,204 at P
333, order on reh’g, Order No. 672-A, FERC Stats. & Regs. ¶ 31,212 (2006) (“In considering whether a proposed
Reliability Standard is just and reasonable, FERC will consider also the timetable for implementation of the new
requirements, including how the proposal balances any urgency in the need to implement it against the
reasonableness of the time allowed for those who must comply to develop the necessary procedures, software,
facilities, staffing or other relevant capability.”).
2
Version 5. Exhibit E contains a table of CIP Version 5 VRFs and VSLs proposed for approval
and Commission guideline analyses. Exhibit F contains the development record for CIP
Version 5. Exhibit G addresses the Order No. 672 Criteria for Approving Proposed Reliability
Standards. Exhibit H contains the Consideration of Issues and Directives.
NERC is also filing the proposed CIP Version 5 standards and associated documents for
approval with applicable governmental authorities in Canada.
I. EXECUTIVE SUMMARY
The White House and U.S. Congress have acknowledged that cybersecurity threats are
increasing in number and sophistication. President Barack Obama declared that the “cyber threat
is one of the most serious economic and national security challenges we face as a nation” and
that “America’s economic prosperity in the 21st century will depend on cybersecurity.”6
Defense Secretary Leon Panetta warned that the nation is facing the possibility of a
“cyber-Pearl Harbor” and is “increasingly vulnerable to foreign computer hackers who could
dismantle the nation’s power grid….”7 Congress has also considered cybersecurity legislation
“that would establish security standards to prevent large-scale cyber-attacks on the nation’s
critical infrastructure,” — including the electrical grid.8
Recognizing the importance of the Bulk Power System, Congress has vested the ERO
with the responsibility of developing mandatory Reliability Standards, including cybersecurity
standards. Taking into consideration four years of experience since the first NERC CIP Cyber
6 National Security Council, Cyber Security, http://www.whitehouse.gov/administration/eop/nsc/cybersecurity.
7 Elizabeth Bumiller and Thom Shanker, Panetta Warns of Dire Threat of Cyberattack on U.S., The New York
Times, October 11, 2012, http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-
cyberattack.html?pagewanted=all.
8 Ed O’Keefe and Ellen Nakashima, Cybersecurity Bill Fails in Senate, The Washington Post, August 2, 2012,
http://www.washingtonpost.com/world/national-security/cybersecurity-bill-fails-in-
senate/2012/08/02/gJQADNOOSX_story.html.
3
Security Reliability Standards were implemented, as well as applicable FERC directives, NERC
developed the proposed CIP Version 5 standards to better protect the reliability of the nation’s
Bulk Electric System (“BES”)9 from cyber-attacks.
The proposed CIP Version 5 standards were overwhelmingly supported by industry, with
the industry ballot averaging nearly 90% approval. The standards also present a significant
improvement over the existing CIP Version 310 and the Commission-approved CIP Version 4
standards.11 For this reason, NERC seeks swift action by the Commission to approve the
proposed CIP Version 5 standards as discussed in this petition.
With respect to concerns expressed by Responsible Entities regarding the transition from
CIP Version 3 to Version 4 to Version 5 Reliability Standards, NERC understands that the
transition could be complicated. For this reason, NERC stands ready to work with industry to
address transition issues as they arise.
The proposed implementation plan for CIP Version 5, included with this filing as Exhibit
B, provides language that would allow entities to transition from CIP Version 3 to CIP Version
5, thereby bypassing implementation of CIP Version 4 completely upon Commission approval.
The proposed implementation plan specifically states:
Notwithstanding any order to the contrary, CIP-002-4 through CIP-009-4
do not become effective, and CIP-002-3 through CIP-009-3 remain in
effect and are not retired until the effective date of the Version 5 CIP
Cyber Security Standards under this implementation plan.
9 In this petition, the terms “Bulk Power System” and “Bulk Electric System” are used interchangeably. “Bulk
Electric System” is defined in the NERC Glossary of Terms, and generally includes facilities operated at voltages at
and above 100 kV. See NERC Glossary of Terms Used in Reliability Standards at 2. “Bulk-Power System” is
defined in section 215 of the FPA, and does not include a voltage threshold. See 16 U.S.C. 824o(a)(1).
10 North American Electric Reliability Corporation, 130 FERC ¶ 61,271 (March 31, 2010) (“In this order, we
approve the modified CIP Reliability Standards, with an effective date of October 1, 2010.”)
11 See Version 4 Critical Infrastructure Protection Reliability Standards, Order No. 761, 139 FERC ¶ 61,058
(2012)(Noting CIP Version 4 Implementation date of April 1, 2014).
4
Prompt Commission approval of the CIP Version 5 standards and the implementation
plan would reduce uncertainty among Responsible Entities regarding implementation of the CIP
standards. Therefore, NERC reiterates its request for prompt Commission action approving the
CIP Version 5 standards and associated implementation plan. Additionally, to help the industry
implement the CIP Version 4 and 5 standards, NERC will initiate a series of industry workshops
that will be presented across North America beginning in 2013.
The improvements included in CIP Version 5 reflect a maturity of the NERC CIP
program. While the general framework of the proposed standards follow the organization of the
previous CIP versions, a new process is introduced in proposed CIP-002-05 for identifying and
classifying BES Cyber Systems according to “Low-Medium-High” impact.12 Once BES Cyber
Systems are identified, a Responsible Entity must then comply with proposed CIP-003-5 to CIP-
011-1, according to specific criteria relating to impact and other characteristics such as
communications connectivity. As such, NERC and its stakeholders have proposed the most
comprehensive set of mandatory cybersecurity standards ever utilized on a widespread basis in
the electric industry.
Key features of the comprehensive approach taken in CIP Version 5 include:
• Utilizing a National Institute of Standards and Technology (“NIST”) based
approach to categorize all cyber systems which impact the BES as “Low-
Medium-High” (at the system level) and requiring at least a minimum
classification of “Low Impact” for all BES Cyber Systems.
• Building on the implementation experience from prior CIP Reliability
Standard versions.
• Addressing all applicable directives in Order No. 706.
• Eliminating unnecessary documentation requirements to allow entities to
focus on the reliability and security of the Bulk Power System.
12 BES Cyber Systems, discussed herein, is a proposed addition to the Glossary of Terms used in NERC Reliability
Standards.
5
• Providing guidance and context within each CIP Version 5 standard.
The identification of cyber assets has evolved through the various CIP Reliability
Standards versions. Building on the prior “Risk-Based Assessment Methodology” in CIP-002-3
and the “Bright-line Criteria” in CIP-002-4, the proposed CIP Version 5 standards focus on all
cyber system assets that have an impact on Bulk Power System reliability, and characterizes that
impact as either high, medium or low.
In Order No. 761, the Commission directed NERC to file CIP Version 5 addressing all
remaining directives from Order No. 706, by March 31, 2013. With the strong support of
industry, and the efforts of the diverse standard drafting team, this petition satisfies the
Commission’s directives two months prior to the Commission-required due date.
6
II. NOTICES AND COMMUNICATIONS
Notices and communications with respect to this filing may be addressed to the following:13
Gerald W. Cauley Charles A. Berardesco*
President and Chief Executive Officer Senior Vice President and General Counsel
North American Electric Reliability Holly A. Hawkins*
Corporation Assistant General Counsel
3353 Peachtree Road, N.E. Willie L. Phillips*
Suite 600, North Tower Attorney
Atlanta, GA 30326 North American Electric Reliability Corporation
(404) 446-2560 1325 G Street, N.W., Suite 600
(404) 446-2595– facsimile Washington, D.C. 20005
(202) 400-3000
(202) 644-8099– facsimile
[email protected]
[email protected]
[email protected]
III. BACKGROUND AND REGULATORY FRAMEWORK
By enacting the Energy Policy Act of 2005 (“EPAct 2005”),14 Congress entrusted the
Commission with the duties of approving and enforcing rules to ensure the reliability of the
Nation’s Bulk Power System, and with the duty of certifying an electric reliability organization
(“ERO”) that would be charged with developing and enforcing mandatory Reliability Standards,
subject to Commission approval. Section 215 of the FPA states that all users, owners, and
operators of the Bulk Power System in the United States will be subject to Commission-
approved Reliability Standards, which include requirements for the operation of existing Bulk
Power System facilities and cybersecurity protection.15
13 Persons to be included on the Commission’s service list are indicated with an asterisk. NERC requests waiver of
the Commission’s rules and regulations to permit the inclusion of more than two people on the service list.
14 16 U.S.C. § 824o (2012).
15 See Section 215(b)(1)(“All users, owners and operators of the bulk-power system shall comply with reliability
standards that take effect under this section.”).
7
IV. JUSTIFICATION FOR APPROVAL OF THE PROPOSED RELIABILITY
STANDARDS
In this section we will discuss the following: a) the basis for approval of the proposed
Reliability Standards; b) significant improvements to previous CIP standards; c) new proposed
Reliability Standards CIP-010-1and CIP-011-1; d) proposed definitions of glossary terms used in
CIP Version 5; e) enforceability of the proposed CIP Version 5; f) VRF and VSL assignments;
and g) NERC Reliability Standards Development Procedure.
This section summarizes the development of proposed CIP Version 5 and demonstrates
that the proposed modifications meet the criteria for approval established by the Commission.
That is, the modifications and enhancements provided in CIP Version 5 ensure that the proposed
standards are just, reasonable, not unduly discriminatory or preferential and in the public
interest.16
The proposed CIP Version 5 standards, which were overwhelmingly approved by
industry, are a significant improvement over the existing CIP standards and help protect the
reliability of the BES. Thus, given the strong industry support for these improvements, NERC
respectfully requests that the Commission expeditiously approve the proposed CIP Version 5
standards, as presented in Exhibit A.
a. Basis for Approval of Proposed Reliability Standards
Section 39.5(a) of the Commission’s regulations requires the ERO to file with the
Commission for its approval each Reliability Standard that the ERO proposes to become
mandatory and enforceable in the United States, and each modification to a Reliability Standard
that the ERO proposes to be made effective. The Commission has the regulatory responsibility
to approve standards that protect the reliability of the Bulk Power System and to ensure that such
16 See Order No. 672.
8
Description:Jan 24, 2011 3353 Peachtree Road, N.E.. Suite 600, North Tower. Atlanta, GA 30326. (404)
446-2560. (404) 446-2595– facsimile. Charles A. Berardesco.
