[Federal Register Volume 73, Number 187 (Thursday, September 25, 2008)]
[Proposed Rules]
[Pages 55459-55460]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-22198]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

18 CFR Part 40

[Docket No. RM06-22-000]


Mandatory Reliability Standards for Critical Infrastructure 
Protection

Issued September 18, 2008.
AGENCY: Federal Energy Regulatory Commission.

ACTION: Order on proposed clarification.

-----------------------------------------------------------------------

SUMMARY: The Commission is proposing to clarify that the facilities 
within a nuclear generation plant in the United States that are not 
regulated by the U.S. Nuclear Regulatory Commission are subject to 
compliance with the eight mandatory ``CIP'' Reliability Standards 
approved in Commission Order No. 706.

DATES: Comments are due October 20, 2008.

ADDRESSES: You may submit comments, identified by docket number by any 
of the following methods:
     Agency Web Site: http://ferc.gov. Documents created 
electronically using word processing software should be filed in native 
applications or print-to-PDF format and not in a scanned format.
     Mail/Hand Delivery: Commenters unable to file comments 
electronically must mail or hand deliver an original and 14 copies of 
their comments to: Federal Energy Regulatory Commission, Secretary of 
the Commission, 888 First Street, NE., Washington, DC 20426.

FOR FURTHER INFORMATION CONTACT:
Jonathan First (Legal Information), Office of General Counsel, 888 
First Street, NE., Washington, DC 20426, (202) 502-8529.
Regis Binder (Technical Information), Office of Electric Reliability, 
888 First Street, NE., Washington, DC 20426, (202) 502-6460.

SUPPLEMENTARY INFORMATION:

Before Commissioners: Joseph T. Kelliher, Chairman; Suedeen G. Kelly, 
Marc Spitzer, Philip D. Moeller, and Jon Wellinghoff.

    1. In this order, the Commission proposes to clarify the scope of 
the eight Critical Infrastructure Protection (CIP) Reliability 
Standards \1\ approved in Order No. 706 to assure that no ``gap'' 
occurs in the applicability of these Standards.\2\ In particular, each 
of the eight CIP Reliability Standards provides that facilities 
regulated by the U.S. Nuclear Regulatory Commission (NRC) are exempt 
from the Standard. It has come to the attention of the Commission that 
the NRC does not regulate all facilities within a nuclear generation 
plant. Thus, to assure that there is no ``gap'' in the regulatory 
process, the Commission proposes to clarify that the facilities within 
a nuclear generation plant in the United States that are not regulated 
by the NRC are subject to compliance with the eight CIP Reliability 
Standards approved in Order No. 706.
---------------------------------------------------------------------------

    \1\ Reliability Standards CIP-002-1 through CIP-009-1. 
Reliability Standard CIP-001-1, which pertains to sabotage 
reporting, does not include the exemption statement that is the 
subject of this order.
    \2\ Mandatory Reliability Standards for Critical Infrastructure 
Protection, Order No. 706, 73 FR 7368 (Feb. 7, 2008), 122 FERC ] 
61,040, order on reh'g, 123 FERC ] 61,174 (2008).
---------------------------------------------------------------------------

    2. Comments on the Commission's proposed clarification are due 30 
days from the date of issuance of this order, after which the 
Commission intends to issue a further order on the matter.

Background

    3. The North American Electric Reliability Corporation (NERC), the 
Commission-certified Electric Reliability Organization (ERO), developed 
eight CIP Reliability Standards that require certain users, owners and 
operators of the Bulk-Power System to comply with specific requirements 
to safeguard critical cyber assets. In January 2008, pursuant to 
section 215 of the Federal Power Act (FPA),\3\ the Commission approved 
the eight CIP Reliability Standards. In addition, pursuant to section 
215(d)(5) of the FPA,\4\ the Commission directed the ERO to develop 
modifications to the CIP Reliability Standards to address specific 
concerns identified by the Commission.
---------------------------------------------------------------------------

    \3\ 16 U.S.C. Sec.  824o (2006).
    \4\ 16 U.S.C. Sec.  824o(d)(5).
---------------------------------------------------------------------------

    4. Each of the eight CIP Reliability Standards includes an 
exemption for facilities regulated by the NRC. For example, Reliability 
Standard CIP-002-1 provides:

    The following are exempt from Standard CIP-002: Facilities 
Regulated by the U.S. Nuclear Regulatory Commission. * * * [\5\]
---------------------------------------------------------------------------

    \5\ Reliability Standard CIP-002-1, section 4.2 (Applicability).

    5. In an April 8, 2008 public joint meeting of the Commission and 
the NRC, staff of both Commissions discussed cyber security at nuclear 
generation plants. While NRC staff indicated that the NRC has proposed 
regulations to address cybersecurity at nuclear generation plants,\6\ 
NRC staff raised a concern regarding a potential gap in regulatory 
coverage. In particular, NRC staff indicated that the NRC's proposed 
regulations on cybersecurity would not apply to all systems within a 
nuclear generation plant. NRC staff explained:
---------------------------------------------------------------------------

    \6\ Nuclear Regulatory Commission, Notice of Proposed 
Rulemaking, Power Reactor Security Requirements, NRC Docket No. RIN 
3150-AG63 (Oct. 2006).

    The NRC's cyber requirements are not going to extend to power 
continuity systems. They do not extend directly to what is not 
directly associated with reactor safety security or emergency 
response. * * *
    As a result, and when you look at the CIP standards that were 
issued, there is a discrete statement in each of the seven or eight 
standards where it specifically exempts facilities regulated by the 
United States Nuclear Regulatory Commission from compliance with 
those CIP Standards. So there is an issue there in the sense that 
our regulations for cyber security go up to a certain point, and 
end.[\7\]
---------------------------------------------------------------------------

    \7\ April 8, 2008, Joint Meeting of the Nuclear Regulatory 
Commission and Federal Regulatory Commission, Tr. at 77-78.
---------------------------------------------------------------------------

Discussion

    6. The Commission shares the concern raised at the April 8, 2008 
joint meeting. It appears that the NRC's regulation of a nuclear 
generation plant is limited to the facilities that are associated with 
reactor safety or emergency response.\8\ The Commission believes that a 
nuclear generation plant will likely include critical assets and 
critical cyber assets that are not safety related and, therefore, not 
regulated by the NRC. For example, facilities that pertain to the 
``continuity of operation'' of a nuclear generation plant may be

[[Page 55460]]

necessary for the generation of electricity that affects the 
reliability of Bulk-Power System but not have a role in reactor safety. 
The Commission understands that such facilities would not be subject to 
compliance with cyber security regulations developed by the NRC.
---------------------------------------------------------------------------

    \8\ See id. See also 42 U.S.C. 2133, 2201 and 2232.
---------------------------------------------------------------------------

    7. The Commission believes that the plain meaning of the exemption 
language in the eight CIP Reliability Standards at issue is that only 
those facilities within a nuclear generation plant that are regulated 
by the NRC are exempt from those Standards. The exemption language in 
the eight CIP Reliability Standards neither states, nor implies, that 
all facilities within a nuclear generation plant are exempt from the 
Standards, regardless of whether they are subject to NRC regulation. 
However, the Commission believes there is a need to assure that there 
is no potential gap in the regulation of critical cyber assets at 
nuclear generation plants and to assure that there is no 
misunderstanding of the scope of the exemption in the CIP Reliability 
Standards. The Commission, therefore, proposes to clarify that 
Reliability Standards CIP-002-1 through CIP-009-1 apply to the 
facilities within a nuclear generation plant that are not regulated by 
the NRC.
    8. To be clear, the Commission's intent is to eliminate a potential 
gap in the regulation of critical assets and critical cyber assets at 
nuclear generation plants in the United States. The Commission 
reaffirms the language of the CIP Reliability Standards--and respects 
the jurisdiction of the NRC--and does not intend that those Standards 
apply to facilities within a nuclear generation plant that are 
regulated by the NRC. This should allay concerns that a specific 
facility is subject to ``dual'' regulation by both the Commission and 
NRC as to cyber security.
    9. In addition to comments on the proposed clarification, the 
Commission seeks comment on the following two related matters:

    Whether there is a clear delineation between those facilities 
within a nuclear generation plant that pertain to reactor safety 
security or emergency response and the non-safety portion or, as NRC 
refers to it, the ``balance of plant.'' For example, the generator 
itself in a nuclear generation plant would seem to be under the CIP 
Reliability Standards, but the motors that operate nuclear reactor 
control rods would seem to be under NRC regulation. If the 
delineation is not clear, is there a need for owners and/or 
operators of nuclear generation plants to identify the specific 
facilities that pertain to reactor safety security or emergency 
response and subject to NRC regulation, and the balance of plant 
that is subject to the eight CIP Reliability Standards?
    In Order No. 706, the Commission approved NERC's ``(Revised) 
Implementation Plan for Cyber Security Standards CIP-001-1 through 
CIP-009-1'' for the eight cybersecurity Reliability Standards. The 
implementation plan provides a staggered approach to implementation 
that includes three tables with separate timelines for various 
industry segments. Table 3, which applies to generation owners and 
generation operators, requires achieving compliance with the 
requirements of the CIP Reliability Standards by December 31, 2009. 
The only requirement that has a different compliance date in Table 3 
is CIP-003-1 Requirement R2, which must be complied with by June 30, 
2008. The Commission seeks comment on whether Table 3 for generation 
owners and generation operators should control the implementation 
schedule of the CIP Reliability Standards to the facilities within a 
nuclear generation plant that the NRC does not regulate.

    10. Comments on the Commission's proposed clarification are due 30 
days from the date of issuance of this order, after which the 
Commission intends to issue a further order on the matter.
    The Commission orders: The Commission directs that this order be 
published in the Federal Register. Comments on the Commission's 
proposed clarification are due 30 days from the date of issuance of 
this order.

    By the Commission.
Kimberly D. Bose,
Secretary.
[FR Doc. E8-22198 Filed 9-24-08; 8:45 am]
BILLING CODE 6717-01-P