[Federal Register Volume 81, Number 145 (Thursday, July 28, 2016)]
[Notices]
[Pages 49641-49644]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-17854]


-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

[Docket No. RM16-18-000]


Cyber Systems in Control Centers

AGENCY: Federal Energy Regulatory Commission, Department of Energy.

ACTION: Notice of Inquiry.

-----------------------------------------------------------------------

SUMMARY: In this Notice of Inquiry, the Federal Energy Regulatory 
Commission seeks comment on possible modifications to the Critical 
Infrastructure Protection Reliability Standards regarding the 
cybersecurity of Control Centers used to monitor and control the bulk 
electric system in real time.

DATES: Comments are due September 26, 2016.

ADDRESSES: You may submit comments, identified by docket number and in 
accordance with the requirements posted on the Commission's Web site, 
http://www.ferc.gov. Comments may be submitted by any of the following 
methods:
     Agency Web site: Documents created electronically using 
word processing software should be filed in native applications or 
print-to-PDF format and not in a scanned format, at http://www.ferc.gov/docs-filing/efiling.asp.
     Mail/Hand Delivery: Those unable to file electronically 
must mail or hand deliver comments to: Federal Energy Regulatory 
Commission, Secretary of the Commission, 888 First Street NE., 
Washington, DC 20426.
    Instructions: For detailed instructions on submitting comments and 
additional information on the rulemaking process, see the Comment 
Procedures Section of this document.

FOR FURTHER INFORMATION CONTACT: 
David DeFalaise (Technical Information), Office of Electric 
Reliability, Federal Energy Regulatory Commission, 888 First Street 
NE., Washington, DC 20426, (202) 502-8180, [email protected]

Robert T. Stroh (Legal Information), Office of the General Counsel, 
Federal Energy Regulatory Commission, 888 First Street NE., Washington, 
DC 20426, (202) 502-8473, [email protected]

SUPPLEMENTARY INFORMATION: 
    1. In this Notice of Inquiry, pursuant to section 215 of the 
Federal Power Act (FPA),\1\ the Commission seeks comment on the need 
for, and possible effects of, modifications to the Critical 
Infrastructure Protection (CIP) Reliability Standards regarding the 
cybersecurity of Control Centers used to monitor and control the bulk 
electric system in real time.\2\ Cyber systems are used extensively for 
the operation and maintenance of interconnected transmission 
networks.\3\ A 2015

[[Page 49642]]

cyberattack on the electric grid in Ukraine is an example of how cyber 
systems used to operate and maintain interconnected networks, unless 
adequately protected, may be vulnerable to cyberattack. While certain 
controls in the CIP Reliability Standards may reduce the risk of such 
attacks,\4\ the Commission seeks comment on whether additional controls 
should be required.
---------------------------------------------------------------------------

    \1\ 16 U.S.C. 824o. Section 215(a)(3) of the FPA defines 
``Reliability Standard'' to include ``. . . requirements for the 
operation of existing bulk-power system facilities, including 
cybersecurity protection . . .''
    \2\ NERC defines ``Control Center'' as ``[o]ne or more 
facilities hosting operating personnel that monitor and control the 
Bulk Electric System (BES) in realtime to perform the reliability 
tasks, including their associated data centers . . . .'' NERC 
Glossary of Terms Used in Reliability Standards (May 17, 2016) at 33 
(NERC Glossary).
    \3\ Cyber systems are referred to as ``BES Cyber Systems'' in 
the CIP Reliability Standards. The NERC Glossary defines BES Cyber 
Systems as ``One or more BES Cyber Assets logically grouped by a 
responsible entity to perform one or more reliability tasks for a 
functional entity.'' NERC Glossary at 15. The NERC Glossary defines 
``BES Cyber Asset'' as ``A Cyber Asset that if rendered unavailable, 
degraded, or misused would, within 15 minutes of its required 
operation, misoperation, or non-operation, adversely impact one or 
more Facilities, systems, or equipment, which, if destroyed, 
degraded, or otherwise rendered unavailable when needed, would 
affect the reliable operation of the Bulk Electric System. 
Redundancy of affected Facilities, systems, and equipment shall not 
be considered when determining adverse impact. Each BES Cyber Asset 
is included in one or more BES Cyber Systems.'' Id.
    \4\ See, e.g., Reliability Standard CIP-005-5 (Electronic 
Security Perimeter(s)), Requirement R2, which protects against 
unauthorized interactive remote access; Reliability Standard CIP-
006-6 (Physical Security of BES Cyber Systems), Requirement R2, 
which protects against unauthorized physical access and Reliability 
Standard CIP-007-6 (System Security Management), Requirement R3, 
which protects against malware.
---------------------------------------------------------------------------

    2. Specifically, as discussed below, the Commission seeks comment 
on possible modifications to the CIP Reliability Standards--and any 
potential impacts on the operation of the Bulk-Power System resulting 
from such modifications--to address the following matters: (1) 
Separation between the Internet and BES Cyber Systems in Control 
Centers performing transmission operator functions; and (2) computer 
administration practices that prevent unauthorized programs from 
running, referred to as ``application whitelisting,'' for cyber systems 
in Control Centers.

I. Background

    3. On January 28, 2008, the Commission approved an initial set of 
eight CIP Reliability Standards pertaining to cybersecurity.\5\ In 
addition, the Commission directed NERC to develop certain modifications 
to the CIP Reliability Standards. Since 2008, the CIP Reliability 
Standards have undergone multiple revisions to address Commission 
directives and respond to emerging cybersecurity issues.
---------------------------------------------------------------------------

    \5\ Mandatory Reliability Standards for Critical Infrastructure 
Protection, Order No. 706, 122 FERC ] 61,040, denying reh'g and 
granting clarification, Order No. 706-A, 123 FERC ] 61,174 (2008), 
order on clarification, Order No. 706-B, 126 FERC ] 61,229 (2009), 
order denying clarification, Order No. 706-C, 127 FERC ] 61,273 
(2009).
---------------------------------------------------------------------------

    4. On December 23, 2015, three regional electric power distribution 
companies in Ukraine experienced a cyberattack resulting in power 
outages that affected at least 225,000 customers. An analysis conducted 
by a team from the Electricity Information Sharing and Analysis Center 
(E-ISAC) and SANS Industrial Control Systems (SANS ICS) observed that 
``the cyber attacks in Ukraine are the first publicly acknowledged 
incidents to result in power outages.'' \6\
---------------------------------------------------------------------------

    \6\ E-ISAC, Analysis of the Cyber Attack on the Ukrainian Power 
Grid (March 18, 2016) at 3, http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf.
---------------------------------------------------------------------------

    5. On February 25, 2016, the U.S. Department of Homeland Security 
(DHS) Industrial Control Systems Cyber Emergency Response Team issued 
an ``Alert'' in response to the Ukraine incident.\7\ The Alert stated 
that the cyberattack was sophisticated and well planned. The Alert 
reported that the cyberattacks at each company occurred within 30 
minutes of each other and affected multiple central and regional 
facilities. The Alert also explained that during the cyberattacks:
---------------------------------------------------------------------------

    \7\ See Department of Homeland Security, Alert (IR-ALERT-H-16-
056-01) Cyber-Attack Against Ukrainian Critical Infrastructure 
(February 25, 2016) (Alert), https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01.

malicious remote operation of the breakers was conducted by multiple 
external humans using either existing remote administration tools at 
the operating system level or remote industrial control system (ICS) 
client software via virtual private network (VPN) connections. The 
companies believe that the actors acquired legitimate credentials 
---------------------------------------------------------------------------
prior to the cyber-attack to facilitate remote access.

    In addition, the Alert reported that the affected companies 
indicated that the attackers wiped some systems at the conclusion of 
the cyberattack, which erased selected files, rendering systems 
inoperable.
    6. In response to the Ukraine incident, the Alert recommended the 
following key examples of best practice mitigation strategies:

procurement and licensing of trusted hardware and software systems; 
knowing who and what is on your network through hardware and 
software asset management automation; on time patching of systems; 
and strategic technology refresh.\8\
---------------------------------------------------------------------------

    \8\ Id. at Mitigation Section. By ``strategic technology 
refresh,'' the Alert referred to the benefit of replacing legacy 
cyber systems that no longer receive security patches and, as a 
result, might not be secure.
---------------------------------------------------------------------------

II. Request for Comments

    7. The Commission seeks comment on whether to modify the CIP 
Reliability Standards to better secure Control Centers from 
cyberattacks. The Commission also seeks comment on the potential 
consequences or complications arising from implementing such 
modifications. In response to lessons learned from the Alert and 
analyses of the Ukraine incident, the Commission seeks comment on 
whether to modify the CIP Reliability Standards to require: (1) 
Separation between the Internet and BES Cyber Systems in Control 
Centers performing transmission operator functions; and (2) 
``application whitelisting'' for BES Cyber Systems in Control Centers.

A. Isolation of Transmission Operator Control Centers From the Internet

    8. In response to the Ukraine incident, the Alert recommended that:

[o]rganizations should isolate [industrial control system] networks 
from any untrusted networks, especially the Internet. All unused 
ports should be locked down and all unused services turned off. If a 
defined business requirement or control function exists, only allow 
real-time connectivity to external networks. If one-way 
communication can accomplish a task, use optical separation (`data 
diode'). If bidirectional communication is necessary, then use a 
single open port over a restricted network path.

    9. Commission-approved Reliability Standard CIP-007-6, Requirement 
R1 (Ports and Services), Part 1.1 requires, where technically feasible, 
unused logical ports to be disabled.\9\ In addition, Reliability 
Standard CIP-007-6, Requirement R1, Part 1.2 requires protection of 
physical ports against unnecessary use.\10\ These requirements 
therefore address the Alert's recommendation that ``[a]ll unused ports 
should be locked down and all unused services turned off.''
---------------------------------------------------------------------------

    \9\ Logical ports are connection points where two applications 
communicate to identify different applications or processes running 
on a cyber asset.
    \10\ A physical port serves as an interface or connection 
between a cyber asset and another cyber asset, or peripheral device, 
using a physical medium such as a cable.
---------------------------------------------------------------------------

    10. The current CIP Reliability Standards do not require isolation 
between the Internet and BES Cyber Systems in Control Centers 
performing transmission operator functions through use of physical 
(hardware) or logical (software) means. Although BES Cyber Systems are 
protected by electronic security perimeters and the disabling of unused 
logical ports, BES Cyber Systems are permitted, within the scope of the 
current CIP Reliability Standards, to route, or connect, to the 
Internet.\11\ Requiring physical separation between the Internet and 
cyber systems in Control Centers performing transmission operator 
functions would require data connections to Control Centers or other 
facilities owned by transmission operators over dedicated data lines 
owned or leased by the transmission operator, rather than allowing 
communications over the

[[Page 49643]]

Internet.\12\ Logical separation, in some contexts, can achieve a 
similar objective through different means.
---------------------------------------------------------------------------

    \11\ NERC defines an electronic security perimeter as ``the 
logical border surrounding a network to which BES Cyber Systems are 
connected using a routable protocol.'' NERC Glossary at 39.
    \12\ See Alert at Mitigation Section; see also Department of 
Homeland Security, Seven Steps to Effectively Defend Industrial 
Control Systems at 3.
---------------------------------------------------------------------------

    11. The Commission seeks comment on whether the CIP Reliability 
Standards should be modified to require isolation between the Internet 
and BES Cyber Systems in Control Centers performing the functions of a 
transmission operator. In addition, the Commission seeks comment on the 
operational impact to the Bulk-Power System if BES Cyber Systems were 
isolated from the Internet in all Control Centers performing 
transmission operator functions. Specifically, the Commission seeks 
comment on what, if any, reliability issues might arise from such a 
requirement. For example, would requiring isolation prevent an activity 
required by another Reliability Standard? If isolation is required, is 
logical isolation preferable to physical isolation (or vice versa) and, 
if so, why? The Commission also seeks comment on whether and how such a 
requirement might affect a transmission operator's communications with 
its reliability coordinator or other applicable entities required under 
the Reliability Standard. Finally, if isolation is not required, are 
there communications with these Control Centers for which the use of 
one-way data diodes would be reliable and appropriate?

B. Application Whitelisting for BES Cyber Systems in Control Centers

    12. Application whitelisting is a computer administration practice 
used to prevent unauthorized programs from running.\13\ The purpose is 
primarily to protect computers and networks from harmful applications, 
and, to a lesser extent, to prevent unnecessary demand for computer 
resources. The ``whitelist'' is a list of applications granted 
permission to run by the user or an administrator. Whitelisting works 
best when applied to static cyber systems.\14\
---------------------------------------------------------------------------

    \13\ See Alert at Mitigation Section.
    \14\ Id.
---------------------------------------------------------------------------

    13. In response to the Ukraine incident, the Alert recommended 
that:

asset owners take defensive measures by leveraging best practices to 
minimize the risk from similar malicious cyber activity. Application 
Whitelisting (AWL) can detect and prevent attempted execution of 
malware uploaded by malicious actors. The static nature of some 
systems, such as database servers and HMI computers, make these 
ideal candidates to run AWL. Operators are encouraged to work with 
their vendors to baseline and calibrate AWL deployments.

    Similarly, a December 2015 document by DHS identifies application 
whitelisting as the first of seven strategies to defend industrial 
control systems and states that this strategy would have ``potentially 
mitigated'' 38 percent of ICS-CERT Fiscal Year 2014 and 2015 incidents, 
more than any of the other strategies.\15\ While the NERC Guidelines 
and Technical Basis document associated with Reliability Standard CIP-
007-6, Requirement R3 identifies application whitelisting as an option 
for mitigating malicious cyber activity, its use is not mandatory.\16\ 
The Guidelines and Technical Basis discussion in Reliability Standard 
CIP-007-6 explains:
---------------------------------------------------------------------------

    \15\ Seven Steps to Effectively Defend Industrial Control 
Systems at 1.
    \16\ Reliability Standard CIP-007-6, Requirement R3 provides 
that ``[e]ach Responsible Entity shall implement one or more 
documented process(es) that collectively include each of the 
applicable requirement parts in CIP-007-6 Table R3--Malicious Code 
Prevention'' and lists application whitelisting as an option. In 
addition, the CIP Reliability Standards require a combination of 
ensuring that an individual's privileges are the minimum necessary 
to perform their work function (i.e., ``least privilege'') and anti-
malware (i.e., ``blacklisting''). See, e.g., Reliability Standard 
CIP-004-6, Requirement R4 and Guidelines and Technical Basis; 
Reliability Standard CIP-007-6, Requirement R3.

    Due to the wide range of equipment comprising the BES Cyber 
Systems and the wide variety of vulnerability and capability of that 
equipment to malware as well as the constantly evolving threat and 
resultant tools and controls, it is not practical within the 
standard to prescribe how malware is to be addressed on each Cyber 
Asset. Rather, the Responsible Entity determines on a BES Cyber 
System basis, which Cyber Assets have susceptibility to malware 
intrusions and documents their plans and processes for addressing 
those risks and provides evidence that they follow those plans and 
processes. There are numerous options available including 
traditional antivirus solutions for common operating systems, white-
listing solutions, network isolation techniques, Intrusion 
Detection/Prevention (IDS/IPS) solutions, etc.\17\
---------------------------------------------------------------------------

    \17\ Reliability Standard CIP-007-6, Guidelines and Technical 
Basis, at 4.

    14. While application whitelisting is identified above as one 
available option, the Ukraine incident and the subsequent Alert raise 
the question of whether application whitelisting should be required. 
Application whitelisting could be a more effective mitigation tool than 
other mitigation measures because whitelisting allows only software 
applications and processes that are reviewed and tested before use in 
the system network. By knowing all installed applications, the security 
professional can set the application whitelisting program to know the 
application is approved; all unapproved applications will trigger an 
alert.
    15. The Commission seeks comment on whether the CIP Reliability 
Standards should be modified to require application whitelisting for 
all BES Cyber Systems in Control Centers. Is application whitelisting 
appropriate for all such systems? If not, are there certain devices or 
components on such systems for which it is appropriate? In addition, 
the Commission seeks comment on the operational impact, including 
potential reliability concerns, for each approach.

III. Comment Procedures

    16. The Commission invites interested persons to submit comments, 
and other information on the matters, issues and specific questions 
identified in this notice. Comments are due September 26, 2016. 
Comments must refer to Docket No. RM16-18-000, and must include the 
commenter's name, the organization they represent, if applicable, and 
their address in their comments.
    17. The Commission encourages comments to be filed electronically 
via the eFiling link on the Commission's Web site at http://www.ferc.gov. The Commission accepts most standard word processing 
formats. Documents created electronically using word processing 
software should be filed in native applications or print-to-PDF format 
and not in a scanned format. Commenters filing electronically do not 
need to make a paper filing.
    18. Commenters that are not able to file comments electronically 
must send an original of their comments to: Federal Energy Regulatory 
Commission, Secretary of the Commission, 888 First Street NE., 
Washington, DC 20426.
    19. All comments will be placed in the Commission's public files 
and may be viewed, printed, or downloaded remotely as described in the 
Document Availability section below. Commenters on this proposal are 
not required to serve copies of their comments on other commenters.

IV. Document Availability

    20. In addition to publishing the full text of this document in the 
Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
Internet through FERC's Home Page (http://www.ferc.gov) and in FERC's 
Public Reference Room during normal business hours (8:30 a.m. to 5:00 
p.m. Eastern time) at 888 First Street NE., Room 2A, Washington, DC 
20426.
    21. From FERC's Home Page on the Internet, this information is 
available on

[[Page 49644]]

eLibrary. The full text of this document is available on eLibrary in 
PDF and Microsoft Word format for viewing, printing, and/or 
downloading. To access this document in eLibrary, type the docket 
number excluding the last three digits of this document in the docket 
number field.
    22. User assistance is available for eLibrary and the FERC's Web 
site during normal business hours from FERC Online Support at 202-502-
6652 (toll free at 1-866-208-3676) or email at 
[email protected], or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at 
[email protected].

    By direction of the Commission.

    Issued: July 21, 2016.
Kimberly D. Bose,
Secretary.
[FR Doc. 2016-17854 Filed 7-27-16; 8:45 am]
BILLING CODE 6717-01-P