[Federal Register Volume 87, Number 18 (Thursday, January 27, 2022)]
[Proposed Rules]
[Pages 4173-4180]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-01537]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
18 CFR Part 40
[Docket No. RM22-3-000]
Internal Network Security Monitoring for High and Medium Impact
Bulk Electric System Cyber Systems
AGENCY: Federal Energy Regulatory Commission, Department of Energy.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: The Federal Energy Regulatory Commission (Commission) proposes
to direct the North American Electric Reliability Corporation to
develop and submit for Commission approval new or modified Reliability
Standards that require internal network security monitoring within a
trusted Critical Infrastructure Protection networked environment for
high and medium impact Bulk Electric System Cyber Systems.
DATES: Comments are due March 28, 2022.
ADDRESSES: Comments, identified by docket number, may be filed in the
following ways. Electronic filing through https://www.ferc.gov, is
preferred.
Electronic Filing: Documents must be filed in acceptable
native applications and print-to-PDF, but not in scanned or picture
format.
For those unable to file electronically, comments may be
filed by U.S. Postal Service mail or by hand (including courier)
delivery.
[cir] Mail via U.S. Postal Service only: Addressed to: Federal
Energy Regulatory Commission, Office of the Secretary, 888 First Street
NE, Washington, DC 20426.
[cir] For delivery via any other carrier (including courier):
Deliver to: Federal Energy Regulatory Commission, Office of the
Secretary, 12225 Wilkins Avenue, Rockville, MD 20852.
FOR FURTHER INFORMATION CONTACT:
Cesar Tapia (Technical Information), Office of Electric Reliability,
Federal Energy Regulatory Commission, 888 First Street NE, Washington,
DC 20426, (202) 502-6559, [email protected]
Kevin Ryan (Legal Information), Office of the General Counsel, Federal
Energy Regulatory Commission, 888 First Street NE, Washington, DC
20426, (202) 502-6840, [email protected]
Milena Yordanova (Legal Information), Office of the General Counsel,
Federal Energy Regulatory Commission, 888 First Street NE, Washington,
DC 20426, (202) 502-6194, [email protected]
SUPPLEMENTARY INFORMATION:
1. Pursuant to section 215(d)(5) of the Federal Power Act (FPA),\1\
the Commission proposes to direct the North American Electric
Reliability Corporation (NERC), the Commission-certified Electric
Reliability Organization (ERO), to develop new or modified Reliability
Standards that require network security monitoring internal to a
Critical Infrastructure Protection (CIP) networked environment
(internal network security monitoring or INSM) for high and medium
impact Bulk Electric System (BES) Cyber Systems.\2\ INSM is a subset of
network security monitoring that is applied within a ``trust zone,''
\3\ such as an Electronic Security Perimeter (ESP),\4\ and is designed
to address situations where vendors or individuals with authorized
access are considered secure and trustworthy but could still introduce
a cybersecurity risk to a high or medium impact BES Cyber System.
---------------------------------------------------------------------------
\1\ 16 U.S.C. 824o(d)(5).
\2\ Reliability Standard CIP-002-5.1a (BES Cyber System
Categorization) sets forth criteria that registered entities apply
to categorize BES Cyber Systems as high, medium, or low depending on
the adverse impact that loss, compromise, or misuse of those BES
Cyber Systems could have on the reliable operation of the BES. The
impact level (i.e., high, medium, or low) of BES Cyber Systems, in
turn, determines the applicability of security controls for BES
Cyber Systems that are contained in the remaining CIP Reliability
Standards (i.e., Reliability Standards CIP-003-8 to CIP-013-1).
\3\ A trust zone is defined as a ``discrete computing
environment designated for information processing, storage, and/or
transmission that share the rigor or robustness of the applicable
security capabilities necessary to protect the traffic transiting in
and out of a zone and/or the information within the zone.'' U.S.
Department of Homeland Security, Cybersecurity and Infrastructure
Security Agency (CISA), Trusted internet Connections 3.0: Reference
Architecture, at 2 (July 2020), https://www.cisa.gov/sites/default/files/publications/CISA_TIC%203.0%20Vol.%202%20Reference%20Architecture.pdf.
\4\ The NERC Glossary defines an ESP as ``the logical border
surrounding a network to which BES Cyber Systems are connected using
a routable protocol.'' NERC, Glossary of Terms Used in NERC
Reliability Standards (June 28, 2021), https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf.
---------------------------------------------------------------------------
2. Although the currently effective CIP Reliability Standards offer
a broad set of cybersecurity protections, they do not address INSM.
This omission constitutes a gap in the CIP Reliability Standards.
Including INSM requirements in the CIP Reliability Standards would
ensure that responsible entities maintain visibility over
communications between networked devices within a trust zone (i.e.,
within an ESP), not simply monitor communications at the network
perimeter access point(s), i.e., at the boundary of an ESP as required
by the current CIP requirements. In the event of a compromised ESP,
improving visibility within a network would increase the probability of
early detection of malicious activities and would allow for quicker
mitigation and recovery from an attack. In addition to improved
incident response capabilities and situational awareness, INSM also
contributes to better vulnerability assessments within an ESP, all of
which support an entity's cybersecurity defenses and could reduce the
impact of cyberattacks.
3. While the currently effective CIP Reliability Standards do not
require INSM, NERC has recognized the proliferation and usefulness of
network monitoring technology on the BES. For example, on January 4,
2021, NERC issued a Compliance Monitoring and Enforcement Program
(CMEP) Practice Guide addressing Network Monitoring Sensors,
Centralized Collectors, and Information Sharing.\5\ NERC explained that
the CMEP Practice Guide was developed in response to a U.S. Department
of Energy (DOE) initiative ``to advance technologies and systems that
will provide cyber visibility, detection, and response capabilities for
[industrial control systems] of electric utilities.'' \6\ As discussed
below, in view
[[Page 4174]]
of these and other ongoing efforts to improve network monitoring, we
believe that there is a sufficient basis for a directive to NERC to
require INSM in the CIP Reliability Standards for high and medium
impact BES Cyber Systems.
---------------------------------------------------------------------------
\5\ NERC, ERO Enterprise CMEP Practice Guide: Network Monitoring
Sensors, Centralized Collectors, and Information Sharing (June 4,
2021), https://www.nerc.com/pa/comp/guidance/CMEPPracticeGuidesDL/CMEP%20Practice%20Guide%20-%20Network%20Monitoring%20Sensors.pdf
(CMEP Practice Guide).
\6\ Id. at 1.
---------------------------------------------------------------------------
4. We seek comments on all aspects of the proposed directive to
NERC to modify the CIP Reliability Standards to require INSM for high
and medium impact BES Cyber Systems. The proposed directive centers on
high and medium impact BES Cyber Systems in order to improve visibility
within networks containing BES Cyber Systems whose compromise could
have a significant impact on the reliable operation of the BES.
However, because low impact BES Cyber Systems have fewer security
controls than high and medium impact BES Cyber Systems, we also seek
comments on the usefulness and practicality of implementing INSM to
detect malicious activity in networks with low impact BES Cyber
Systems, including any potential benefits, technical barriers and
associated costs.
5. Upon review of the filed comments, the Commission will consider
whether to broaden the directives in the final rule to direct NERC to
require INSM in the CIP Reliability Standards for low impact BES Cyber
Systems or a defined subset of low impact BES Cyber Systems.
I. Background
A. Section 215 and Mandatory Reliability Standards
6. Section 215 of the FPA requires the Commission to certify an ERO
to develop mandatory and enforceable Reliability Standards, subject to
Commission review and approval.\7\ Once approved, the Reliability
Standards are enforceable in the United States by the ERO, subject to
Commission oversight, or by the Commission independently. Pursuant to
section 215 of the FPA, the Commission established a process to select
and certify an ERO,\8\ and subsequently certified NERC.\9\
---------------------------------------------------------------------------
\7\ 16 U.S.C. 824o.
\8\ Rules Concerning Certification of the Electric Reliability
Organization; and Procedures for the Establishment, Approval, and
Enforcement of Electric Reliability Standards, Order No. 672, 71 FR
8662 (Feb. 17, 2006), 114 FERC ] 61,104, order on reh'g, Order No.
672-A, 71 FR 19814 (Apr. 18, 2006), 114 FERC ] 61,328 (2006).
\9\ North American Electric Reliability Corp., 116 FERC ]
61,062, order on reh'g and compliance, 117 FERC ] 61,126 (2006),
aff'd sub nom. Alcoa, Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).
---------------------------------------------------------------------------
B. Network Security Monitoring and Internal Network Security Monitoring
1. Network Security Monitoring in Currently Effective CIP Reliability
Standards
7. Currently, network security monitoring in the CIP Reliability
Standards focuses on network perimeter defense and preventing
unauthorized access at the network perimeter. While responsible
entities are required to have a security program to implement various
controls,\10\ Reliability Standard CIP-005-6 (Electronic Security
Perimeter(s)), Requirement R1.5 is the only requirement that addresses
monitoring of network traffic for malicious communications at the ESP.
In particular, this provision requires a responsible entity to have one
or more methods for detecting known or suspected malicious
communications for both inbound and outbound communications. Under
Requirement R1.5, the only locations that require network security
monitoring are the ESP electronic access points for high and medium
impact BES Cyber Systems at control centers. The currently effective
CIP Reliability Standards do not require entities to have a defined ESP
for low impact BES Cyber Systems and, therefore, there is no
requirement for network security monitoring for inbound or outbound
communication of such systems.
---------------------------------------------------------------------------
\10\ See, e.g., (1) network perimeter defenses (CIP-005-7,
Requirement R1--Electronic Security Perimeter); (2) sensitive
information control (CIP-011-2--Information Protection, CIP-004-6,
Requirement R4--Access Management Program, and CIP-004-6,
Requirement R5--Access Revocation); (3) anti-malware (CIP-007-6,
Requirement R3--Malicious Code Prevention); (4) security awareness
and training (CIP-004-6, Requirement R1--Security Awareness Program
and CIP-004-6, Requirement R2--Cyber Security Training Program); and
(5) configuration change management (CIP-010-4, Requirement R1--
Configuration Change Management).
---------------------------------------------------------------------------
8. The CIP Reliability Standards also require entities to install
security monitoring tools at the device level. For instance,
Reliability Standard CIP-007-6 (System Security Management),
Requirement R.4.1.3 addresses security monitoring and requires the
entity to detect malicious code for all high and medium impact BES
Cyber Systems and their associated Electronic Access Control or
Monitoring Systems, Physical Access Control Systems, and Protected
Cyber Assets. To comply with Reliability Standard CIP-007-6 (Systems
Security Management), Requirement R.4.1.3, a responsible entity is not
required to use INSM methods, such as an intrusion detection
system.\11\
---------------------------------------------------------------------------
\11\ Under Reliability Standard CIP-007-6, Requirement R.4.1.3,
an entity may choose, but is not required, to use system generated
listing of network log in/log outs, or malicious code, or other
types of monitored network traffic at the perimeter of all high and
medium impact BES Cyber Systems. See Reliability Standard CIP-007-6
(Cyber Security--Systems Security Management), Requirement R.4.1.3,
Measures (stating that examples of evidence of compliance may
include, but are not limited to, a paper or system generated listing
of monitored activities for which the BES Cyber System is configured
to log and capable of detecting).
---------------------------------------------------------------------------
2. Internal Network Security Monitoring
9. INSM refers to network security monitoring inside of a trust-
zone. INSM is designed to address situations where perimeter network
defenses are breached by providing the earliest possible alerting and
detection of intrusions and malicious activity within a trust zone.
INSM consists of three stages: (1) Collection; (2) detection; and (3)
analysis that, taken together, provide the benefit of early detection
and alerting of intrusions and malicious activity.\12\ Some of the
tools used for INSM include: Anti-malware; Intrusion Detection Systems;
Intrusion Prevention Systems; and firewalls.\13\ These tools are
multipurpose and can be used for collection, detection, and analysis
(e.g., forensics). Additionally, some of the tools (e.g., anti-malware,
firewall, or Intrusion Prevention Systems) have the capability to block
network traffic.
---------------------------------------------------------------------------
\12\ See Chris Sanders & Jason Smith, Applied Network Security
Monitoring, at 9-10 (Nov. 2013).
\13\ See NIST Special Publication 800-83, Guide to Malware
Incident Prevention and Handling for Desktops and Laptops, at pp.
10-13 (July 2013) (Explaining that anti-malware tools find and
remove malware. Intrusion Detection Systems monitor a network for
anomalous activity, which includes malicious activity or policy
violations, and report them to security teams for further analysis.
A firewall monitors and controls incoming and outgoing network
traffic).
---------------------------------------------------------------------------
10. The benefits of INSM can be understood by first describing the
way attackers commonly compromise targets. Attackers typically follow a
systematic process of planning and execution to increase the likelihood
of a successful compromise.\14\ This process includes: Reconnaissance
(e.g., information gathering); choice of attack type and method of
delivery (e.g., malware delivered through a phishing campaign); taking
control of the entity's systems; and carrying out the attack
[[Page 4175]]
(e.g., exfiltration of project files, administrator credentials, and
employee personal identifiable information).\15\ Successful
cyberattacks require the attacker to gain access to a target system and
execute commands while in that system.
---------------------------------------------------------------------------
\14\ A widely accepted cybersecurity attack framework for
describing the process that an effective adversary typically follows
to increase the probability of a successful compromise is referred
to as Cyber Kill Chain. The Cyber Kill Chain provides more detail on
the specific steps that an attacker could follow. SANS Institute,
Applying Security Awareness to the Cyber Kill Chain, (May 2019),
https://www.sans.org/blog/applying-security-awareness-to-the-cyber-kill-chain/.
\15\ Id.
---------------------------------------------------------------------------
11. INSM could better position an entity to detect malicious
activity that has circumvented perimeter controls. Because an attacker
that moves among devices internal to a trust zone must use network
pathways and required protocols to send malicious communications, INSM
will potentially alert an entity of the attack and improve the entity's
ability to stop the attack at its early phases.
12. By providing visibility of network traffic that may only
traverse internally within a trust zone, INSM can warn entities of an
attack in progress. For example, properly placed, configured, and tuned
INSM capabilities such as intrusion detection system and intrusion
prevention system sensors could detect and/or block malicious activity
early and alert an entity of the compromise. INSM can also be used to
record network traffic for analysis, providing a baseline that an
entity can use to better detect malicious activity. Establishing
baseline network traffic allows entities to define what is and is not
normal and expected network activity and determine whether observed
anomalous activity warrants further investigation.\16\ The collected
network traffic can also be retained to facilitate timely recovery and/
or perform a thorough post-incident analysis of malicious activity.
---------------------------------------------------------------------------
\16\ See CISA, Best Practices for Securing Election Systems,
Security Tip (ST19-002), (Aug. 2021), https://www.cisa.gov/tips/st19-002.
---------------------------------------------------------------------------
13. In summary, INSM better postures an entity to detect an
attacker in the early phases of an attack and reduces the likelihood
that an attacker can gain a strong foothold and potential command and
control, including operational control, on the target system. In
addition to early detection and mitigation, INSM may improve incident
response by providing higher quality data about the extent of an attack
internal to a trust zone. High quality data from collected network
traffic is important for recovering from cyberattacks as this type of
data allows for: (1) Determining the timeframe for backup restoration;
(2) creating a record of the attack for incident response and
reporting; and (3) analyzing the attack itself to prevent it from
happening again (e.g., through lessons learned that can improve
organizational policies, processes, and playbooks).\17\ Finally, INSM
allows entities to conduct internal assessments and prioritize any
improvements based on their risk profile.\18\
---------------------------------------------------------------------------
\17\ Help Net Security, Three Reasons Why Ransomware Recovery
Requires Packet Data, (Aug. 2021), https://www.helpnetsecurity.com/2021/08/24/ransomware-recovery-packet-data/.
\18\ CISA, CISA Analysis: FY2020 Risk and Vulnerability
Assessments, (July 2021), https://www.cisa.gov/sites/default/files/publications/FY20-RVA-Analysis_508C.pdf.
---------------------------------------------------------------------------
II. Discussion
14. As discussed below, we believe that the absence of a
requirement to conduct INSM for CIP networked environments containing
high and medium impact BES Cyber Systems constitutes a gap in the
Reliability Standards. Accordingly, pursuant to section 215(d)(5) of
the FPA, we propose to direct NERC to develop new or modified
Reliability Standards that address the use of INSM for high and medium
impact BES Cyber Systems. We believe that requiring entities to
implement INSM will improve visibility and awareness of communications
between networked devices and between devices internal to trust zones
(i.e., ESPs), and increase the probability of detecting and mitigating
malicious activity in the early phases of an attack.
15. We also seek comments on the usefulness and practicality of
implementing INSM to detect malicious activity in networks with low
impact BES Cyber System, including any potential benefits, technical
barriers, and associated costs. The Commission may broaden its
directive in a final rule to include low impact BES Cyber Systems, or
some subset of low impact BES Cyber Systems, if the filed comments
support such a directive. While the high and medium impact categories
have defined thresholds, the low impact category of BES Cyber Systems
is essentially a broad group of all BES Cyber Systems that do not
satisfy the high or medium impact thresholds. Identifying a subset of
low impact BES Cyber Systems to which INSM provisions would apply could
allow entities to focus their resources on the assets with a more
significant risk profile within the broad low impact tier of BES Cyber
Systems. For example, a subset of low impact BES Cyber Systems to which
INSM provisions could apply may be contained within control centers and
backup control centers, transmission stations and substations, and/or
generation resources.\19\
---------------------------------------------------------------------------
\19\ Reliability Standard CIP-002-5.1a (Cyber Security--BES
Cyber System Categorization), Attachment 1, Section 3 (explaining
that low impact rating is assigned to BES Cyber Systems that, among
other requirements, are associated with assets such as control
centers and backup control centers, transmission stations and
substations, generation resources, etc.).
---------------------------------------------------------------------------
16. In the following sections, we discuss: (A) Current risks to
trusted CIP networked environments; (B) how INSM is a widely recognized
control against cyberattacks; (C) how the absence of INSM constitutes a
gap in the CIP Reliability Standards; and (D) how the proposed
directive would address the gap.
A. Risks to Trusted CIP Networked Environment
17. Currently, the NERC CIP Reliability Standards require
monitoring of the ESP and associated systems for high and medium impact
BES Cyber Systems. However, even when the ESP is monitored and
protected, the CIP networked environment (i.e., trust zone) remains
vulnerable to cyber threats like insider threats or supply chain
attacks initiated by an adversary by infiltrating a trusted vendor,
among other attack vectors. In the context of supply chain risk, a
malicious update from a known software vendor could be downloaded
directly to a server as trusted code, and it would not set-off any
alarms until abnormal behavior occurred and was detected. Because the
CIP networked environment is a trust zone, the compromised server in
the trust zone could be used to install malicious updates directly onto
devices that are internal to the CIP networked environment without
detection. In the context of an insider threat, an employee with
elevated administrative credentials could identify and collect data,
add additional accounts, delete logs, or even exfiltrate data without
being detected.
18. For example, the recent SolarWinds attack demonstrates how an
attacker can bypass all network perimeter-based security controls
traditionally used to identify the early phases of an attack.\20\ On
December 13, 2020, FireEye Inc., a cybersecurity solutions and
forensics firm, identified a global intrusion campaign that introduced
a compromise delivered through updates to the Orion network monitoring
product from SolarWinds, a widely used IT infrastructure management
software.\21\ This supply
[[Page 4176]]
chain attack leveraged a trusted vendor to compromise the networks of
public and private organizations, and it was attributed by the U.S.
government to the Russian foreign intelligence service.\22\ SolarWinds
customers had no reason to suspect the installation of compromised
updates because the attacker used an authenticated SolarWinds
certificate. This attack bypassed all network perimeter-based security
controls traditionally used to identify the early phases of an attack.
---------------------------------------------------------------------------
\20\ See FERC, NERC, SolarWinds and Related Supply Chain
Compromise, at 16 (July 7, 2021), https://cms.ferc.gov/media/solarwinds-and-related-supply-chain-compromise-0.
\21\ FireEye, Global Intrusion Campaign Leverages Software
Supply Chain Compromise, (2020), https://www.fireeye.com/blog/products-and-services/2020/12/global-intrusion-campaign-leverages-software-supply-chain-compromise.html.
\22\ The White House, Fact Sheet: Imposing Costs for Harmful
Foreign Activities by the Russian Government, (April 15, 2021),
https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/.
---------------------------------------------------------------------------
19. The supply chain is not the only attack vector used to gain
malicious access to a system. While not jurisdictional for purposes of
our reliability standards, the May 2021 large-scale ransomware attack
targeting Colonial Pipeline provides an important example of an attack
via one such vector that could halt an entity's operations.\23\ In this
case, the attacker gained the credentials to and exploited a legacy
virtual private network profile that was not intended to be in use.\24\
Although this attack was directed at the information technology (IT)
systems of the pipeline, Colonial Pipeline decided to shut down
operations as a precaution.\25\ With tools such as INSM, a shutdown of
operations may not be necessary as entities are better postured to
timely detect and mitigate similar events in which an adversary
successfully penetrates perimeter defenses and moves freely within the
internal network.
---------------------------------------------------------------------------
\23\ Colonial Pipeline, Media Statement Update: Colonial
Pipeline System Disruption (May 9, 2021), https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption (stating that after learning of the attack, Colonial took
certain systems offline to contain the threat. These actions
temporarily halted all pipeline operations and affected some of
Colonial's IT systems) (May 9, 2021 Colonial Pipeline Media
Statement Update); Colonial Pipeline, Media Statement Update:
Colonial Pipeline System Disruption, (May 8, 2021), https://www.colpipe.com/news/press-releases/media-statement-colonial-pipeline-system-disruption (On May 7, 2021 Colonial Pipeline Company
learned it was the victim of a cybersecurity attack and determined
that the incident involved ransomware).
\24\ Hearing Before The United States House Of Representatives
Committee On Homeland Security (117th Congress), Testimony of Joseph
Blount, President and Chief Executive Officer Colonial Pipeline
Company, at 4 (June 9, 2021), https://www.congress.gov/117/meeting/house/112689/witnesses/HHRG-117-HM00-Wstate-BlountJ-20210609.pdf.
See also Reuters, One Password Allowed Hackers to Disrupt Colonial
Pipeline, CEO Tells Senators (June 8, 2021), https://www.reuters.com/business/colonial-pipeline-ceo-tells-senate-cyber-defenses-were-compromised-ahead-hack-2021-06-08/ (explaining that
the legacy virtual private network had single-factor authentication,
a password, and did not have a multi-factor authentication
requirement in place).
\25\ May 9, 2021 Colonial Pipeline Media Statement Update.
---------------------------------------------------------------------------
20. In addition to early detection, INSM is critical for
identifying malicious activities at the later stages of cybersecurity
attacks. Absent INSM, an entity may not be alerted if an adversary
establishes a command and control communication channel that interacts
with the compromised system on a regular basis.\26\ Once an attacker
proceeds to the last phase of an attack, the attacker will have had
time to compromise multiple devices, steal user credentials, and map
the network extensively.\27\ Removing an attacker at this level of
penetration can be time consuming (e.g., months to years), costly, and
extremely difficult.
---------------------------------------------------------------------------
\26\ A command and control communication channel is used to
issue instructions to the compromised devices, download additional
malicious payloads (e.g., malware), which sit harmlessly until
triggered, and exfiltrate data. See NSA, Cybersecurity Report: NSA/
CSS Technical Cyber Threat Framework (Nov. 2018), https://www.nsa.gov/portals/75/documents/what-we-do/cybersecurity/professional-resources/ctr-nsa-css-technical-cyber-threat-framework.pdf.
\27\ Network mapping is used to compile an electronic inventory
of the systems and the services on the network. See SANS Institute,
Glossary of Terms, https://www.sans.org/security-resources/glossary-of-terms.
---------------------------------------------------------------------------
21. The serious operational consequences of such undetected
penetration into a networked environment for the BES could include: (1)
Loss of situational awareness monitoring; (2) loss of coordination
capabilities during reliability events and system restoration
activities; (3) unexpectedly large power flows; (4) loss of voice or
data communication; (5) loss of protection systems; (6) loss of
electric generation, transmission, or fuel supply, water supply/
coolant; (7) power market disruption; and (8) loss of Critical Energy/
Electric Infrastructure Information.\28\ For example, if an attacker
compromises high and/or medium impact BES Cyber Systems internal to a
CIP networked environment (i.e., trust zone) without INSM, the attacker
could communicate with and move freely between devices within a trust
zone with little likelihood of detection. The attacker could then
access the Supervisory Control and Data Acquisition (SCADA) \29\ system
and control equipment like circuit breakers \30\ dropping generating
resources or load, and potentially causing BES instability or
uncontrolled separation.\31\
---------------------------------------------------------------------------
\28\ SERC Reliability Corporation, 2020 SERC Reliability Risk
Report, (Sept. 21, 2020), https://www.serc1.org/docs/default-source/committee/ec-reliability-risk-working-group/2020-reliability-risk-report.pdf?sfvrsn=e80ea39_2.
\29\ SCADA is a system that aims to monitor and control field
devices at remote sites. SCADA systems are critical as they help
maintain efficiency by collecting and processing real-time data. See
DPS Telecom, How Do SCADA Systems Work?, https://www.dpstele.com/scada/how-systems-work.php.
\30\ A circuit breaker is an electrical switch designed to
protect an electrical circuit from damage caused by overcurrent/
overload or short circuit. Its basic function is to interrupt
current flow after protective relays detect a fault. See Eaton,
Circuit Breaker Fundamentals, https://www.eaton.com/us/en-us/products/electrical-circuit-protection/circuit-breakers/circuit-breakers-fundamentals.html.
\31\ Electricity Information Sharing and Analysis Center (E-
ISAC), Modular ICS Malware (Aug. 2017), https://www.eisac.com/cartella/Asset/00006542/TLP_WHITE_E-ISAC_SANS_Ukraine_DUC_6_Modular_ICS_Malware%20Final.pdf?parent=64412.
---------------------------------------------------------------------------
B. INSM Is a Widely Recognized Control Against Cyberattacks
22. Elements of INSM have been recognized and recommended by
government officials and industry experts as necessary for the early
detection and mitigation of cyberattacks. For example, on May 12, 2021,
the President issued Executive Order No. 14028 on Improving the
Nation's Cybersecurity,\32\ which directly addresses cyber protection
through increased visibility and data collection.\33\ The Executive
Order directs the Federal government and encourages the private sector
to implement several aspects of INSM and emphasizes that the Federal
government must improve its efforts to identify, deter, protect
against, detect, and respond to the actions of sophisticated malicious
actor cyber campaigns that threaten the security and privacy of the
public sector, private sector, and the American people.\34\ Further,
the Executive Order instructs Federal agencies, among other things, to
modernize their approach to cybersecurity by increasing visibility into
threats and advancing toward zero
[[Page 4177]]
trust principles; \35\ allocating resources to maximize early detection
of cybersecurity vulnerabilities and incidents on networks; \36\ and
collecting and maintaining information from network and system logs, as
they are invaluable tools for investigation and remediation.\37\
---------------------------------------------------------------------------
\32\ Executive Order No. 14028, 86 FR 26633 (May 12, 2021),
https://www.govinfo.gov/content/pkg/FR-2021-05-17/pdf/2021-10460.pdf.
\33\ The scope of protection includes systems that process data
(i.e., information technology) and those that run the vital
machinery that ensures safety (i.e., operational technology).
\34\ Executive Order No. 14028, 86 FR 26633, 26635, 26643 (May
12, 2021) (mandating that the ``Federal Government shall employ all
appropriate resources and authorities to maximize the early
detection of cybersecurity vulnerabilities and incidents on its
networks'' and ``increas[e] the Federal Government's visibility into
threats.'' The Executive Order further emphasizes that
``cybersecurity requires more than government action'' and ``[t]he
private sector must adapt to the continuously changing threat
environment, ensure its products are built and operate securely, and
partner with the Federal Government to foster a more secure
cyberspace.'').
\35\ Id. at 26635. Executive Order No. 14028 refers to zero
trust architecture. Zero trust is the term for an evolving set of
cybersecurity paradigms that move defenses from static, network-
based perimeters to focus on users, assets, and resources. A zero
trust architecture uses zero trust principles to plan industrial and
enterprise infrastructure and workflows. Zero trust assumes there is
no implicit trust granted to assets or user accounts based solely on
their physical or network location (i.e., local area networks versus
the internet) or based on asset ownership (enterprise or personally
owned). See generally National Institute of Standards and Technology
(NIST), NIST Special Publication 800-207 Zero Trust Architecture,
(Aug. 2020), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf (providing a general definition of zero trust
and general information and cases where zero trust may improve an
entity's overall cybersecurity posture).
\36\ Executive Order No. 14028, 86 FR 26633, 26643 (May 12,
2021).
\37\ Id. at 26644.
---------------------------------------------------------------------------
23. In addition, on July 28, 2021, the President signed the
National Security Memorandum on Improving Cybersecurity for Critical
Infrastructure Control Systems (National Security Memorandum) to
comprehensively address cybersecurity for critical infrastructure.\38\
The President emphasizes that ``[r]ecent high-profile attacks on
critical infrastructure around the world, including the ransomware
attacks on the Colonial Pipeline and JBS Foods in the United States,
demonstrate that significant cyber vulnerabilities exist across U.S.
critical infrastructure, which is largely owned and operated by the
private sector.'' \39\ The National Security Memorandum established an
Industrial Control Systems Cybersecurity Initiative (Cybersecurity
Initiative) to facilitate the deployment of technology and systems that
provide threat visibility, indicators, detections, and warnings.\40\
The Cybersecurity Initiative started with a pilot in the electricity
sector and has wide participation, including participation by vendors
that have implemented INSM in their products.\41\
---------------------------------------------------------------------------
\38\ National Security Memorandum on Improving Cybersecurity for
Critical Infrastructure Control Systems, Section 2 (Industrial
Control Systems Cybersecurity Initiative), (July 28, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/ (National Security
Memorandum). See also The White House, Fact Sheet: Biden
Administration Announces Further Actions to Protect U.S. Critical
Infrastructure, (July 28, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/fact-sheet-biden-administration-announces-further-actions-to-protect-u-s-critical-infrastructure/) (The White House July 28, 2021 Fact Sheet).
\39\ The White House July 28, 2021 Fact Sheet. JBS is a meat
processing company, which shut down all of its beef processing
plants in the USA as a result of a ransomware attack. See U.S.
Department of Agriculture, Statement from the U.S. Department of
Agriculture on JBS USA Ransomware Attack, (June 2021), https://www.usda.gov/media/press-releases/2021/06/01/statement-us-department-agriculture-jbs-usa-ransomware-attack.
\40\ National Security Memorandum, Section 2 (Industrial Control
Systems Cybersecurity Initiative).
\41\ White House July 28, 2021 Fact Sheet.
---------------------------------------------------------------------------
24. Furthermore, CISA and NIST have recommended detailed
cybersecurity practices, which include elements of INSM, such as
recommending that organizations conduct network baseline analysis on
control systems and networks to understand approved communication flows
and to monitor control systems for malicious activity on control
systems.\42\ Similarly, CISA and the Federal Bureau of Investigation
published a joint cybersecurity advisory in response to illicit
activities by a Chinese group known as APT40.\43\ The activities of
APT40 resulted in the theft of trade secrets, intellectual property,
and other high-value information from companies and organizations in
the United States and abroad.\44\ The joint cybersecurity advisory
recommended deployment of INSM measures such as active scanning and
monitoring of internet-accessible applications for unauthorized access,
modification, and anomalous activities; logging domain name service
queries; developing and monitoring network and system baselines to
allow for the identification of anomalous activity; and using baseline
comparison to monitor Windows event logs and network traffic to detect
when a user maps a privileged administrative share on a Windows
system.\45\
---------------------------------------------------------------------------
\42\ CISA, Critical Infrastructure Control Systems Cybersecurity
Performance Goals and Objectives (Sept. 21, 2021), https://www.cisa.gov/control-systems-goals-and-objectives.
\43\ Joint Cybersecurity Advisory, Tactics, Techniques, and
Procedures of Indicted APT40 Actors Associated with China's MSS
Hainan State Security Department, (July 19, 2021), https://www.cisa.gov/uscert/sites/default/files/publications/CSA_TTPs-of-Indicted-APT40-Actors-Associated-with-China-MSS-Hainan-State-Security-Department.pdf.
\44\ Id. at 1.
\45\ Id. at 4-5.
---------------------------------------------------------------------------
25. Industry and government cybersecurity experts also supported
the use of INSM at the Commission's 2021 Annual Reliability Technical
Conference.\46\ Panelists discussed the importance of improved
visibility to detect cyberattacks by implementing network capabilities
like INSM.\47\ One panelist observed that recent attacks like
SolarWinds and Colonial Pipeline ``demonstrated how a coordinated
attack could compromise our systems,'' and that they ``really
underscore[] the need for heightened visibility . . . more
comprehensive logging of events, potentially other controls that you
know go across all asset environments, but it should be done in a risk
based way.'' \48\ Another panelist discussed additional benefits of
INSM, stating that monitoring and having the appropriate logs are
essential to perform a root cause analysis and understand the sequence
of events that occurred, and collection of data (i.e., logs), enabled
by INSM, is also essential to gaining a deeper understanding of a
cyberattack.\49\
---------------------------------------------------------------------------
\46\ Federal Energy Regulatory Commission, 2021 Annual
Reliability Technical Conference, Transcript, Panel 3: Managing
Cyber Risks in the Electric Power Sector, Docket No. AD21-11-000
(Sept. 30, 2021), https://www.ferc.gov/news-events/events/annual-commissioner-led-reliability-technical-conference-09302021.
\47\ Id. at 165 (Ben Miller, Vice President, Services and R&D,
Dragos Inc.); 178:14:23 (Mark Fabro, President and Chief Security
Scientist, Lofty Perch).
\48\ Id. at 200 (Manny Cancel, Senior Vice President and Chief
Executive Officer, NERC E-ISAC).
\49\ Id. at 202:8-19 (Miller).
---------------------------------------------------------------------------
C. The Absence of INSM Constitutes a Gap in the Reliability Standards
26. While NERC's approved CIP Reliability Standards provide a broad
set of cybersecurity protections, they do not require INSM. Currently,
the only locations that require network security monitoring are the
electronic access points at high and medium impact BES Cyber Systems at
control centers. In these zones, trusted vendors or authorized
individuals are the only users with access, but they are not subject to
monitoring under the CIP Reliability Standards. Implementing INSM will
help to detect and mitigate situations where malicious actors exploit
this gap.
27. Given the increased sophistication of cyberattacks, relying on
network perimeter defense and other existing controls leaves trust
zones vulnerable. As the President's Deputy National Security Advisor
for Cyber and Emerging Technology explained ``[i]f you can't see a
network, you can't defend a network.'' \50\ Panelists at the
Commission's 2021 Annual Reliability Technical Conference confirmed
this gap in the CIP Reliability Standards, explaining that there is
[[Page 4178]]
``implementation of perimeter controls and some other protective
controls, and some planning, but there is not a concept around
detection and monitoring.'' \51\ An estimate from a security vendor
panelist indicates that 70% of the NERC CIP Reliability Standards are
focused on prevention, and the remaining 30% focus on other protection
measures, including monitoring.\52\ Panelists supported the view that
monitoring within a trust zone is critical, underscoring the need to
close the reliability gap in the currently effective Reliability
Standards.\53\ This is particularly important as the energy sector
undergoes a digital transformation, which creates new cyber threat
pathways.\54\
---------------------------------------------------------------------------
\50\ The White House, Press Briefing by Press Secretary Jen
Psaki and Deputy National Security Advisor for Cyber and Emerging
Technology Anne Neuberger, (Feb. 17, 2021), https://www.whitehouse.gov/briefing-room/press-briefings/2021/02/17/press-briefing-by-press-secretary-jen-psaki-and-deputy-national-security-advisor-for-cyber-and-emerging-technology-anne-neuberger-february-17-2021/.
\51\ 2021 Annual Reliability Technical Conference, Tr. 201:20-
25; 202:1-7 (Miller).
\52\ Id.
\53\ Id. at 202:22-23 (Tony Hall, Manager, CIP Program,
Louisville Gas and Electric Company and Kentucky Utilities Company).
\54\ Id. at 170:24-25; 171:1 (Puesh Kumar, Acting Principal
Deputy Assistant Secretary, Office of Cybersecurity, Energy
Security, and Emergency Response, U.S. Department of Energy).
---------------------------------------------------------------------------
28. NERC facilitated the voluntary use of INSM in its CMEP Practice
Guide, which provides guidance on how to incorporate network sensors in
the ESP while being compliant with the CIP Reliability Standards. These
network sensors enable entities to use INSM, if they choose, and
support implementation of the Essence Cybersecurity Tool.\55\ However,
the CMEP Practice Guide does not modify the CIP Reliability Standards
to require INSM, leaving unaddressed the cybersecurity gap within trust
zones.
---------------------------------------------------------------------------
\55\ National Rural Electric Cooperative Association (NRECA),
DOE Awards NRECA $6M to Take Essence Cybersecurity Tool to the Next
Level (Sept. 29, 2020), https://www.electric.coop/doe-gives-nreca-6m-to-take-essence-cybersecurity-tool-to-the-next-level; NRECA, New
Cyber Technology Provides Real-Time Defense (March 15, 2021),
https://www.electric.coop/new-essence-cyber-technology-provides-real-time-defense.
---------------------------------------------------------------------------
D. The Commission Proposed Directive Addresses the Identified
Reliability Gap
29. Pursuant to section 215(d)(5) of the FPA, we propose to direct
NERC to develop new or modified CIP Reliability Standards that require
security controls for INSM for high and medium impact BES Cyber
Systems. Based on the current threat environment discussed above, a
requirement for INSM that augments existing perimeter defenses is
critical to increasing network visibility so that an entity may
understand what is occurring in its CIP networked environment, and thus
improve capability to timely detect potential compromises. INSM also
allows for the collection of data and analysis required to implement a
defense strategy, improves an entity's incident investigation
capabilities, and increases the likelihood that an entity can better
protect itself from a future cyberattack and address any security gaps
the attacker was able to exploit.
30. The proposal to direct NERC to add an INSM requirement to the
existing set of CIP Reliability Standard is also consistent with
Executive Order No. 14028, which calls for employing a zero trust
cybersecurity approach, and the objectives of the President's July 2021
Cybersecurity Initiative targeting deployment of control system
cybersecurity technologies in the electricity and other critical
sectors. INSM is a fundamental element of the zero trust approach and
should improve the cybersecurity posture of responsible entities with
high and medium impact BES Cyber Systems.
1. High and Medium Impact BES Cyber Systems
31. To address the reliability gap and improve cybersecurity, we
propose to direct that NERC, as the ERO, develop new or modified CIP
Reliability Standards requiring that applicable responsible entities
implement INSM for their high and medium impact BES Cyber Systems. Such
new or modified Reliability Standards should address the following
three security objectives that pertain to INSM. First, any new or
modified CIP Reliability Standards should address the need for each
responsible entity to develop a baseline for their network traffic by
analyzing expected network traffic and data flows for security
purposes. This objective reduces the likelihood that an attacker could
exploit legitimate cyber resources to: (1) Escalate privileges, i.e.,
exploit software vulnerability to gain administrator account
privileges; (2) move undetected inside a CIP networked environment
(i.e., trust zone); and (3) execute unauthorized code, e.g., a virus or
ransomware. Second, any new or modified CIP Reliability Standards
should address the need for responsible entities to monitor for and
detect unauthorized activity, connections, devices, and software inside
the CIP networked environment (i.e., trust zone). This objective
reduces detection time, which shortens the time an attacker has to
leverage compromised user accounts and traverse over unmonitored
network connections. And third, any new or modified CIP Reliability
Standards should address the ability to support operations and response
by requiring responsible entities to: (1) Log and packet capture \56\
network traffic; (2) maintain sufficient records to support incident
investigation (i.e., monitoring, collecting, and analyzing current and
historical evidence); and (3) implement measures to minimize the
likelihood of an attacker removing evidence of their Tactics,
Techniques, and Procedures (TTPs) \57\ from compromised devices.
Logging, including packet capture, of network traffic is critical for a
responsible entity to assess the severity of the attack, assess the
scope of systems compromised, and devise appropriate mitigations.
---------------------------------------------------------------------------
\56\ Packet capture allows information to be intercepted in
real-time and stored for long term or short-term analysis, this
providing a network defender greater insight into a network. Packet
captures provide context to security events, such as intrusion
detection system alerts. See CISA, National Cybersecurity Protection
System Cloud Interface Reference Architecture, Volume 1, General
Guidance, at 13,25, (July 2020), https://www.cisa.gov/sites/default/files/publications/CISA_NCPS_Cloud_Interface_RA_Volume-1.pdf.
\57\ TTPs describe the behavior of an actor. Tactics are high-
level descriptions of behavior, techniques are detailed descriptions
of behavior in the context of a tactic, and procedures are even
lower-level, highly detailed descriptions in the context of a
technique. TTPs could describe an actor's tendency to use a specific
malware variant, order of operations, attack tool, delivery
mechanism (e.g., phishing or watering hole attack), or exploit. See,
NIST, NIST Special Publication 800-150: Guide to Cyber Threat
Information Sharing, (Oct. 2016), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf.
---------------------------------------------------------------------------
32. We seek comments on all aspects of the proposed directive,
including the three objectives discussed above. In particular, we seek
comments on: (1) What are the potential challenges to implementing INSM
(e.g., cost, availability of specialized resources, and documenting
compliance); (2) what capabilities (e.g., software, hardware, staff,
and services) are appropriate for INSM to meet the security objectives
described above; (3) are the security objectives for INSM described
above necessary and sufficient and, if not sufficient, what are other
pertinent objectives that would support the goal of a having
responsible entities successfully implement INSM; and (4) what is a
reasonable timeframe for expeditiously developing and implementing
Reliability Standards for INSM given the importance of addressing this
reliability gap?
2. Low Impact BES Cyber Systems
33. While our proposal is centered on high and medium impact BES
Cyber Systems, we also seek comments on the usefulness and practicality
of implementing INSM to detect malicious activity in networks with low
impact BES Cyber Systems, including any
[[Page 4179]]
potential benefits, technical barriers and associated costs. In
particular, we seek comments on whether the same risks associated with
high and medium impact BES Cyber Systems apply to low impact BES Cyber
Systems. Those risks could include: (1) Escalating privileges; (2)
moving inside the CIP networked environment (i.e., trust zone); and (3)
executing unauthorized code. To the extent such risks exist, we seek
comment on the appropriate scope of coverage for INSM needed to meet
the security objectives listed above for low impact BES Cyber Systems.
34. As discussed above, there may be benefits to having INSM
requirements apply to a defined subset of low impact BES Cyber Systems.
To better understand the potential benefits of such an approach, we
first seek comment on possible criteria or methodology for identifying
an appropriate subset of low impact BES Cyber Systems that could
benefit from INSM. For example, should the subset focus on low impact
BES Cyber Systems located at assets strategic for the reliable
operation of the BES, such as control centers and backup control
centers, transmission stations and substations, and/or generation
resources. Second, we seek comment on the potential benefits or
drawbacks of defining a subset of low impact BES Cyber Systems. For
example, would focusing resources on the assets with a more significant
risk profile within the broad low impact tier of BES Cyber Systems
improve an entity's risk profile and avoid situations where an attacker
exploits legitimate cyber resources without timely detection and
response. Third, as discussed above, there are currently no CIP
requirements for low impact BES Cyber Systems for monitoring
communications at the ESP.\58\ Would it make sense to require INSM when
perimeter monitoring is not required? Would it be appropriate to
address both perimeter monitoring and INSM for low impact BES Cyber
Systems?
---------------------------------------------------------------------------
\58\ See supra Para. 7.
---------------------------------------------------------------------------
III. Information Collection Statement
35. The information collection requirements contained in this
Notice of Proposed Rulemaking are subject to review by the Office of
Management and Budget (OMB) under section 3507(d) of the Paperwork
Reduction Act of 1995.\59\ OMB's regulations require approval of
certain information collection requirements imposed by agency
rules.\60\ Upon approval of a collection of information, OMB will
assign an OMB control number and expiration date. Respondents subject
to the filing requirements of this rule will not be penalized for
failing to respond to this collection of information unless the
collection of information displays a valid OMB control number. Comments
are solicited on the Commission's need for the information proposed to
be reported, whether the information will have practical utility, ways
to enhance the quality, utility, and clarity of the information to be
collected, and any suggested methods for minimizing the respondent's
burden, including the use of automated information techniques.
---------------------------------------------------------------------------
\59\ 44 U.S.C. 3507(d).
\60\ 5 CFR 1320.11 (2021).
---------------------------------------------------------------------------
36. The proposal to direct NERC to develop new, or to modify
existing, reliability standards (and the corresponding burden) are
covered by, and already included in, the existing OMB-approved
information collection FERC-725 (Certification of Electric Reliability
Organization; Procedures for Electric Reliability Standards; OMB
Control No. 1902-0225),\61\ under Reliability Standards
Development.\62\ The reporting requirements in FERC-725 include the
ERO's overall responsibility for developing Reliability Standards, such
as any Reliability Standards that relate to internal network security
monitoring for high and medium impact BES Cyber Systems.
---------------------------------------------------------------------------
\61\ Another item for FERC-725 is pending review at this time,
and only one item per OMB Control No. can be pending OMB review at a
time. In order to submit this NOPR timely to OMB, we are using FERC-
725(1B) (a temporary, placeholder information collection number).
\62\ Reliability Standards Development as described in FERC-725
covers standards development initiated by NERC, the Regional
Entities, and industry, as well as standards the Commission may
direct NERC to develop or modify.
---------------------------------------------------------------------------
IV. Environmental Analysis
37. The Commission is required to prepare an Environmental
Assessment or an Environmental Impact Statement for any action that may
have a significant adverse effect on the human environment.\63\ The
Commission has categorically excluded certain actions from this
requirement as not having a significant effect on the human
environment. Included in the exclusion are rules that are clarifying,
corrective, or procedural or that do not substantially change the
effect of the regulations being amended.\64\ The actions proposed
herein fall within this categorical exclusion in the Commission's
regulations.
---------------------------------------------------------------------------
\63\ Regulations Implementing the National Environmental Policy
Act of 1969, Order No. 486, FERC Stats. & Regs. ] 30,783 (1987)
(cross-referenced at 41 FERC ] 61,284).
\64\ 18 CFR 380.4(a)(2)(ii) (2021).
---------------------------------------------------------------------------
V. Regulatory Flexibility Act Analysis
38. The Regulatory Flexibility Act of 1980 (RFA) \65\ generally
requires a description and analysis of proposed rules that will have
significant economic impact on a substantial number of small entities.
---------------------------------------------------------------------------
\65\ 5 U.S.C. 601-612.
---------------------------------------------------------------------------
39. We are proposing only to direct NERC, the Commission-certified
ERO, to develop modified Reliability Standards that require internal
network security monitoring within a trusted Critical Infrastructure
Protection networked environment for high and medium impact BES Cyber
Systems.\66\ Therefore, this Notice of Proposed Rulemaking will not
have a significant or substantial impact on entities other than NERC.
Consequently, the Commission certifies that this Notice of Proposed
Rulemaking will not have a significant economic impact on a substantial
number of small entities. Any Reliability Standards proposed by NERC in
compliance with this rulemaking will be considered by the Commission in
future proceedings. As part of any future proceedings, the Commission
will make determinations pertaining to the Regulatory Flexibility Act
based on the content of the Reliability Standards proposed by NERC.
---------------------------------------------------------------------------
\66\ Cf. Cyber Security Incident Reporting Reliability
Standards, Notice of Proposed Rulemaking, 82 FR 61499 (Dec. 28,
2017), 161 FERC ] 61,291 (2017) (proposing to direct NERC to develop
and submit modifications to the NERC Reliability Standards to
improve mandatory reporting of Cyber Security Incidents, including
incidents that might facilitate subsequent efforts to harm the
reliable operation of the BES).
---------------------------------------------------------------------------
V. Comment Procedures
40. The Commission invites interested persons to submit comments on
the matters and issues proposed in this Notice of Proposed Rulemaking
to be adopted, including any related matters or alternative proposals
that commenters may wish to discuss. Comments are due March 28, 2022.
Comments must refer to Docket No. RM22-3-000, and must include the
commenter's name, the organization they represent, if applicable, and
address in their comments. All comments will be placed in the
Commission's public files and may be viewed, printed, or downloaded
remotely as described in the Document Availability section below.
Commenters on this proposal are not required to serve copies of their
comments on other commenters.
41. The Commission encourages comments to be filed electronically
via the eFiling link on the Commission's website at http://www.ferc.gov. The
[[Page 4180]]
Commission accepts most standard word processing formats. Documents
created electronically using word processing software must be filed in
native applications or print-to-PDF format and not in a scanned format.
Commenters filing electronically do not need to make a paper filing.
42. Commenters that are not able to file comments electronically
may file an original of their comment by USPS mail or by courier- or
other delivery services. For submission sent via USPS only, filings
should be mailed to: Federal Energy Regulatory Commission, Office of
the Secretary, 888 First Street NE, Washington, DC 20426. Submission of
filings other than by USPS should be delivered to: Federal Energy
Regulatory Commission, 12225 Wilkins Avenue, Rockville, MD 20852.
VI. Document Availability
43. In addition to publishing the full text of this document in the
Federal Register, the Commission provides all interested persons an
opportunity to view and/or print the contents of this document via the
internet through the Commission's Home Page (http://www.ferc.gov). At
this time, the Commission has suspended access to the Commission's
Public Reference Room due to the President's March 13, 2020
proclamation declaring a National Emergency concerning the Novel
Coronavirus Disease (COVID-19).
44. From the Commission's Home Page on the internet, this
information is available on eLibrary. The full text of this document is
available on eLibrary in PDF and Microsoft Word format for viewing,
printing, and/or downloading. To access this document in eLibrary, type
the docket number excluding the last three digits of this document in
the docket number field.
45. User assistance is available for eLibrary and the Commission's
website during normal business hours from the Commission's Online
Support at 202-502-6652 (toll free at 1-866-208-3676) or email at
[email protected], or the Public Reference Room at (202) 502-
8371, TTY (202)502-8659. Email the Public Reference Room at
[email protected].
By direction of the Commission.
Issued: January 20, 2022.
Debbie-Anne A. Reese,
Deputy Secretary.
[FR Doc. 2022-01537 Filed 1-26-22; 8:45 am]
BILLING CODE 6717-01-P