This package is withdrawn from review pending revisions to ensure adequate respondent compliance as well as the assurance of the confidentiality of sensitive information that would be provided in response to the proposed information collection. A revised submission should reflect the knowledge gained through respondent interviews as well as any relevant changes in the factual scenario.
table that charts list comparision
Inventory as of this Action
Requested
Previously Approved
6 Months From Approved
0
0
0
0
0
0
0
0
0
FERC-725C information is necessary to determine the level of security for critical infrastructure on the electric grid, so FERC can determine any necessary expedited or emergency actions. So that FERC can carry its responsibilities under section 215 of the Federal Power Act (FPA), it needs accurate and timely information about the status of cyber protection at electric facilities, as well as any planned measures for cyber security undertaken by the industry. Recent tests conducted the Idaho National Laboratory exposed cyber vulnerabilities within the electric industry that prompted a hearing by a Congressional oversight committee. The Committee directed FERC to conduct an investigation into electric industry compliance with mitigation measures created by an North American Electric Reliability Corporation advisory. Section 307 of the FPA provides FERC with the authority to conduct investigations.
This information is necessary to determine the level of security for critical infrastructure on the electric grid, so that FERC can determine any necessary emergency actions. The FERC also requires the proposed information in order to properly respond to recent Congressional requests.
A recent experiment conducted for the Department of Homeland Security by the Idaho National Laboratory suggested that energy infrastructure could be intentionally compromised through cyber attack. In that experiment, researchers caused a generator to malfunction through an experimental cyber attack. This cyber attack vulnerability, which was recently broadcast on CNN, was the subject of an October 17, 2007 hearing before the Homeland Security Subcommittee on Emerging Threats, Cyber security, and Science and Technology, U.S. House of Representatives, at which FERC staff testified. On October 17, 2007, the Chairman of FERC received a letter from the full Committee on Homeland Security, asking FERC to immediately investigate the level of mitigation efforts by the electric industry.
It is FERC's understanding that a number of entities are already either secured against the cyber vulnerability referred to above or have taken steps to mitigate this vulnerability. However, given the seriousness of this vulnerability, the Commission believes further action is necessary in order to ensure that the owners and operators of the Bulk-Power System have taken or are taking appropriate steps to protect the Bulk-Power System. In addition, while NERC did send a data request to its members late last week, that data request is limited in scope. It is essentially a request that industry members indicate if their mitigation plans are Âcomplete, Âin progress, or Ânot performing. This information is not sufficient for the Commission to discharge its duties under section 215 of the Federal Power Act because it does not provide information on what facilities are the subject of the mitigation plans, what steps to mitigate the cyber vulnerability are being taken, and when those steps are planned to be taken  and, if certain actions are not being taken, why not.
FERC believes that an accurate overview of the actions being taken in the industry is necessary to determine whether any immediate measures need to be taken to ensure the safety and reliability of the electricity grid. The ability to collect this information prior to the expiration of the normal OMB 60-day review time frame is essential to the mission of the Commission and is prompted by the unanticipated urgency caused by publicity of the cyber vulnerability. As such, the Commission has requested emergency processing of this proposed information collection.
The information sought will assist the Commission in determining whether additional emergency measures are necessary to ensure cyber security within the electric industry. The FERC seeks to examine the actual security plans of industry members to determine whether adequate mitigation measures have been taken. The information will also assist the Commission in responding to the questions posed to it by the House Committee on Homeland Security. However, in light of the security-sensitive nature of the information requested, the information will be submitted to NERC, and will be available only to NERC and Commission personnel on a need-to-know basis.
On behalf of this Federal agency, I certify that the collection of information encompassed by this request complies with 5 CFR 1320.9 and the related provisions of 5 CFR 1320.8(b)(3).
The following is a summary of the topics, regarding the proposed collection of information, that the certification covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control number;
If you are unable to certify compliance with any of these provisions, identify the item by leaving the box unchecked and explain the reason in the Supporting Statement.