FINAL CIP v5 NOPR (RM13-5) SuppStmt 7-10


FERC-725B [RM13-5 NOPR] Mandatory Reliability Standards for Critical Infrastructure Protection

OMB: 1902-0248


FERC-725B, OMB Control No. 1902-0248 (UPDATED 7/10/2013)

NOPR in Docket No. RM13-5 (issued 4/18/2013)

RIN: 1902-AE66


Supporting Statement

FERC-725B, Mandatory Reliability Standards for Critical Infrastructure Protection

(As modified in the NOPR in Docket No. RM13-5, issued 4/18/2013)


The Federal Energy Regulatory Commission (Commission or FERC) requests that the Office of Management and Budget (OMB) approve FERC‑725B, Mandatory Reliability Standards for Critical Infrastructure Protection (CIP), for the proposed revisions to the Reliability Standards found in the Notice of Proposed Rulemaking (NOPR) in Docket No. RM13-5.[1] FERC-725B (OMB Control No. 1902-0248) is an existing data collection, as contained in 18 Code of Federal Regulations (CFR), Part 40.


  1. CIRCUMSTANCES THAT MAKE THE COLLECTION OF INFORMATION NECESSARY


On August 8, 2005, the Electricity Modernization Act of 2005, which is Title XII of the Energy Policy Act of 2005 (EPAct 2005), was enacted into law.[2] EPAct 2005 added a new section 215 to the Federal Power Act (FPA), which requires a Commission-certified Electric Reliability Organization (ERO) to develop mandatory and enforceable Reliability Standards, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced by the ERO, subject to Commission oversight.


On January 18, 2008, the Commission issued Order No. 706, which approved the CIP version 1 Standards to address cyber security of the Bulk-Power System.[3] In Order No. 706, the Commission approved eight CIP Reliability Standards (CIP-002-1 through CIP-009-1). While approving the CIP version 1 Standards, the Commission also directed NERC to develop modifications to the CIP version 1 Standards, intended to enhance the protection provided by the CIP Reliability Standards. Subsequently, NERC filed the CIP version 2 and CIP version 3 Standards in partial compliance with Order No. 706. The Commission approved these standards in September 2009[4] and March 2010,[5] respectively.


On April 19, 2012, the Commission issued Order No. 761, which approved the CIP version 4 Standards (CIP-002-4 through CIP-009-4).[6] Reliability Standard CIP-002-4 (Critical Cyber Asset Identification) sets forth 17 uniform “bright line” criteria for identifying Critical Assets. The Commission also accepted NERC’s proposed implementation schedule for the CIP version 4 Standards, which are scheduled for full implementation and enforceability beginning April 2014.[7]


In its petition to the Commission to approve the CIP version 5 standards, NERC states that it took into consideration 4 years of experience since the first CIP standards were implemented, “as well as FERC directives…developed the proposed CIP Version 5 standards to better protect the reliability of the nation’s Bulk Electric System (“BES”) from cyber-attacks.”[8]


NERC goes on to state that:


The improvements included in CIP Version 5 reflect a maturity of the NERC CIP program. While the general framework of the proposed standards follow the organization of the previous CIP versions, a new process is introduced in proposed CIP-002-05 for identifying and classifying BES Cyber Systems according to “Low-Medium-High” impact. Once BES Cyber Systems are identified, a Responsible Entity must then comply with proposed CIP-003-5 to CIP-011-1, according to specific criteria relating to impact and other characteristics such as communications connectivity. As such, NERC and its stakeholders have proposed the most comprehensive set of mandatory cybersecurity standards ever utilized on a widespread basis in the electric industry.


In terms of information collection, the CIP standards require entities to document their compliance with requirements and to develop cyber security policies and procedures.


  2. HOW, BY WHOM, AND FOR WHAT PURPOSE THE INFORMATION IS TO BE USED AND THE CONSEQUENCES OF NOT COLLECTING THE INFORMATION


The information collection requirements in the CIP Version 5 standards apply to entities registered as the following functions: balancing authorities, distribution providers, generator operators, generator owners, interchange coordinators (or interchange authorities), reliability coordinators, transmission operators, and transmission owners. Based on the NERC compliance registry, FERC estimates there are 1,475 entities registered for at least one of the functions listed above. Each of these entities is considered a “respondent” for the purposes of fulfilling the paperwork requirements.


The cyber security policy, process, and procedure documentation required by the CIP standards are the principal components of a cyber-security program. The main use for the information generated is to achieve and maintain a cyber-secure operational state, a process which requires vigilant monitoring of activity against documented policies and procedures. The information generated can also be used to show auditors that required cyber security policies, processes, and procedures are designed to achieve the requirement and are implemented as designed. Similarly, the applicable compliance enforcement authority (regional entity or NERC) relies upon any such documentation it is shown to measure an entity’s compliance with a given requirement. The information is also used for evaluating reliability events or for enforcement actions.


If the information collection requirements did not exist then it would be difficult to monitor and enforce compliance with the standards, which could lead entities to relax their compliance with the requirements. Also, creating and maintaining documentation is integral to the task of performing cyber security, as reflected in the fact that some of the reliability standards’ requirements actually require an entity to create a document (as opposed to documenting compliance with a requirement). Without such information collection an entity may fail to perform actions that may affect the reliability and security of the grid.


  3. DESCRIBE ANY CONSIDERATION OF THE USE OF IMPROVED INFORMATION TECHNOLOGY TO REDUCE THE BURDEN AND TECHNICAL OR LEGAL OBSTACLES TO REDUCING BURDEN


The use of current or improved technology is not covered in the CIP Reliability Standards, and is therefore left to the discretion of each responsible entity.


  4. DESCRIBE EFFORTS TO IDENTIFY DUPLICATION AND SHOW SPECIFICALLY WHY ANY SIMILAR INFORMATION ALREADY AVAILABLE CANNOT BE USED OR MODIFIED FOR USE FOR THE PURPOSE(S) DESCRIBED IN INSTRUCTION NO. 2


The information collection requirements are unique to this reliability standard and to this information collection. The Commission does not know of any duplication in the requirements.


  5. METHODS USED TO MINIMIZE THE BURDEN IN COLLECTION OF INFORMATION INVOLVING SMALL ENTITIES


The CIP Version 5 Reliability Standards generally do apply to small entities, depending first on their registered function(s) and then on the type of facilities they own. Nearly all of the small entities that are subject to the CIP version 5 standards own only facilities that should fall into the Low impact category for these standards. This means the burden for these entities is relatively minor compared with the rest of the applicable entities. The CIP Version 5 Reliability Standards only require owners of Low impact category facilities to create and implement policies[9] to protect their cyber assets. The Requirements for Low impact category facilities do not impose any specific, technical security controls, which will provide small entities with more flexibility in complying with the standards. As FERC stated in Order No. 761, “…control systems that support Bulk-Power System reliability are only as secure as their weakest links, and that a single vulnerability opens the computer network and all other networks with which it is interconnected to potential malicious activity.”[10] Due to the inherent connectivity between entities that must occur to operate the Bulk-Power System, the CIP Version 5 Reliability Standards cannot exclude entities based on size alone without creating a weak point in the security of the Bulk-Power System that can be exploited to navigate to higher value cyber systems.


The Standard Drafting Team considered the impact on small entities when setting the cyber asset impact classification levels and intended that the Low cyber assets would be provided with the least effort and cost, compared to other impact levels.


The Commission estimates the NOPR will impact 536 small entities.[11] Of this amount, the Commission estimates that only 14 small entities[12] (2.6 percent of the total number of small entities) may, on average, experience a significant economic impact of $116,000 per entity in the first year, $145,000 in the second year, and $88,000 in the third year.[13] This cost is primarily due to implementation during the compliance period. After the initial implementation, the Commission expects the average annual cost for each of the 14 entities to be less than $64,000. The Commission has determined that 2.6 percent of the affected small entities does not represent a “substantial number” in terms of the total number of regulated small entities applicable to the NOPR.


The Commission estimates that 234 out of the 536 small entities[14] will each experience an average economic impact of $29,000 per year during years two and three.[15] Finally, the Commission estimates that the remaining 288 out of the 536 small entities[16] will only experience a minimal economic impact.


  6. CONSEQUENCE TO FEDERAL PROGRAM IF COLLECTION WERE CONDUCTED LESS FREQUENTLY


As stated in response to item #2, the documentation related to the CIP reliability standards is an integral part of maintaining cyber security. The power grid would be at greater risk from cyber threats if the collection were conducted less frequently.


  7. EXPLAIN ANY SPECIAL CIRCUMSTANCES RELATING TO THE INFORMATION COLLECTION


There is one special circumstance, as described in 5 CFR 1320.5(d)(2), related to this information collection.



Entities may have to submit to or show the auditors security or confidential information that is related to the CIP standards. The general practice is that the auditor returns the confidential information to the entity following the audit.



This special circumstance is necessary to maintain an effective cyber-security program.


  8. DESCRIBE EFFORTS TO CONSULT OUTSIDE THE AGENCY: SUMMARIZE PUBLIC COMMENTS AND THE AGENCY’S RESPONSE


The ERO process to establish Reliability Standards is a collaborative process, with the ERO, Regional Entities and other stakeholders developing and reviewing drafts and providing comments, and with the final proposed standard submitted to the FERC for review and approval.[17] In addition, each FERC rulemaking (both proposed and final rules) is published in the Federal Register, thereby providing public utilities and licensees, state commissions, Federal agencies, and other interested parties an opportunity to submit data, views, comments or suggestions concerning the proposed collection of data. The proposed rule was published in the Federal Register on April 24, 2013 (78 FR 24107). The Commission also issued an errata notice[1] in this docket on May 5, 2013 correcting a few mistakes in the proposed rule.


In the NOPR the Commission proposes to approve the CIP version 5 Standards as an improvement over the currently approved CIP Reliability Standards. However, certain aspects of the proposed standards raise concerns regarding the potential ambiguity and, ultimately, the enforceability of the CIP version 5 Standards. For a summary of the Commission’s concerns and requests for comment, see paragraphs 4-10 of the proposed rule.[18]


  9. EXPLAIN ANY PAYMENT OR GIFTS TO RESPONDENTS


There are no payments or gifts for respondents related to this collection.


  10. DESCRIBE ANY ASSURANCE OF CONFIDENTIALITY PROVIDED TO RESPONDENTS


As stated in item #7, if a registered entity is required to disclose security or confidential information during an audit, the general practice is that the auditor returns that information to the entity following the audit.

  11. PROVIDE ADDITIONAL JUSTIFICATION FOR ANY QUESTIONS OF A SENSITIVE NATURE


There are no questions of a sensitive nature that are considered private.


  12. ESTIMATED BURDEN OF COLLECTION OF INFORMATION


The Commission based its paperwork burden estimates on the difference between the latest Commission-approved (and OMB approved for the information collection requirements) version of the CIP Reliability Standards (CIP version 4) and the estimated paperwork burden resulting from CIP version 5 Reliability Standards (CIP Version 5).


The paperwork burden under CIP version 5 is different than that imposed by CIP version 4. Under CIP version 4, all applicable entities must first identify, by applying criteria specified in CIP-002-4, which of the Cyber Assets they own are subject to the mandatory protections specified in the remaining CIP standards. Those identified Cyber Assets are termed Critical Cyber Assets (CCA) in CIP version 4. If, upon completion of the required process in CIP-002-4, the entity has identified at least one CCA, it must implement all mandatory protections specified in the remaining CIP Reliability Standards with respect to any identified CCA. If, on the other hand, the entity determines that it does not own any CCAs, it is not required to implement any of the protections specified in the remaining CIP version 4 Standards.

By contrast, CIP version 5 does not use the term CCA. Under CIP version 5, a responsible entity identifies Cyber Assets for protection by applying the CIP-002-5 definitions and classification criteria. The responsible entity is required to comply with at least some mandatory protections in the remaining standards for all Cyber Assets identified as BES Cyber Systems. The specific mandatory protections with which the responsible entity must comply depend on whether the Cyber Assets it owns and identifies as BES Cyber Systems are classified as Low, Medium, or High impact by CIP-002-5 Attachment 1 (and on other characteristics detailed in various individual requirements). Each responsible entity that owns Cyber Assets identified as BES Cyber Systems will be concerned at least with the Low impact classification.


Because the change in paperwork burden between CIP version 4 and CIP version 5 differs depending upon the extent to which that entity had to comply with CIP version 4, we delineate the registered entities into three groupings related to their status under CIP version 4, as follows:


  • Group A: Entities that are not subject to the CIP version 4 Standards, but are subject to the CIP version 5 Standards. The Group A entities consist of those Distribution Providers that are not also registered for another CIP function, such as the Load Serving Entity function (which is subject to CIP version 4). All of these entities are concerned only with the Low classification because they do not own any assets classified as Medium or High under CIP-002-5 Attachment 1.


  • Group B: Entities that are registered for functions subject to CIP version 4, but that did not identify any CCAs under CIP-002-4. Therefore, Group B entities do not own facilities that require the implementation of mandatory protections specified by the remaining CIP version 4 Standards. Cyber Assets that would not have been subject to mandatory protections under the CIP version 4 Standards are not classified as High impact under the CIP version 5 Standards. Therefore, Group B entities do not own any assets classified as High impact by CIP-002-5 Attachment 1, and are concerned with only the Low and potentially Medium impact classifications (depending on whether any assets they own meet the Medium criteria).

  • Group C: Entities that are registered for functions subject to CIP version 4 and that identify, upon completion of the CIP-002-4 analysis, at least one asset as a CCA. Therefore, Group C entities own facilities that require the implementation of the mandatory protections specified in the remaining CIP version 4 Standards. Most types of Cyber Assets that would have been subject to mandatory protections under the CIP version 4 Standards (all except blackstart generation and cranking path facilities) are classified as either High or Medium impact under the CIP version 5 Standards. Therefore, Group C entities potentially own Cyber Assets that are classified as High or Medium impact by CIP-002-5 Attachment 1, and are concerned with all three impact classifications (depending on the extent to which the assets they own meet the Medium or High criteria).


NERC states on its website that, “All bulk power system owners, operators, and users must comply with approved NERC Reliability standards. These entities are required to register with NERC through the appropriate regional entity.”[19] The NERC Compliance Registry as of February 28, 2013 indicated that 1,927 entities were registered for NERC’s compliance program. Of these, 1,911 were identified as being U.S. entities. Staff concluded that approximately 1,475 U.S. entities were registered for at least one CIP-applicable function, and therefore must comply with the proposed CIP version 5 Reliability Standards. Further, 1,414 are subject to the currently approved CIP version 4. There is one functional registration that was not subject to CIP version 4 (or other prior versions) but which is now subject to CIP version 5, by virtue of being added to the list of responsible entities under the Applicability section of each of the CIP version 5 Standards (Distribution Providers). However, many entities registered for the Distribution Provider function are also registered for another function that made them subject to CIP version 4 (and past versions). The net difference (the entities registered such that they are subject to CIP version 5 but are not subject to CIP version 4) constitutes Group A (61 entities).


Consistent with the Commission’s approach in Order No. 761 (CIP version 4),[20] we assume that 23 percent (325 unique entities) of the 1,414 U.S. entities subject to CIP version 4 identified CCAs (Group C). It follows that the remaining 77 percent (1,089 unique entities) of the U.S. entities did not identify any CCAs under CIP version 4 (Group B). This ratio factors into several of the calculations needed to estimate the differences in effort among entities in Group B, as compared to Group C.

To estimate the change in paperwork burden between CIP version 4 and proposed CIP version 5, we recognize that the entities in all groups will undertake the following paperwork tasks to at least some extent: 1) create or modify documentation of processes used to identify and classify the cyber assets to be protected under the CIP Reliability Standards; 2) create or modify policy, process and compliance documentation; and 3) create and maintain documentation related to compliance activities. Entities have two years to comply with requirements applicable to Cyber Assets classified as High or Medium, and three years to comply with requirements applicable to those classified as Low. We assume that entities with High or Medium assets will incur burden over years one and two and entities with Low assets will incur burden over years two and three.


We estimate the level of paperwork burden for each Group as follows:


  • No more than 10 percent of the Group A entities, and all of the Group B and C entities, will own at least one subject facility classified as Low under the CIP version 5 Standards. We estimate 24 hours[21] per entity to develop its evaluation process documentation for identifying the facilities subject to the standard, and 1,024 hours[22] to develop the required documentation for covered assets. We divide the total burden hours between the second and third years of the compliance period allowed for the facilities classified as Low because this is when we assume the entities will do the work.

  • The burden hours for facilities classified as Medium and High are split between the first and second year, since Groups B and C are allowed a 24-month period to bring them into compliance. (The third year figure shown for these rows represents an ongoing effort level.) Except for Group C Blackstart facilities (see the bullet on Blackstart facilities below), we assume 32 hours[23] per entity for development of its evaluation process documentation.

  • We assume no more than 30 percent of Group B and Group C entities will own one or more of the newly covered transmission facilities classified as Medium. For those Group B entities that do, we assume 3,200 hours[24] to develop the required policy, compliance and implementation documentation for the 10 standards, and 832 hours[25] per entity for ongoing compliance burden. For those Group C[26] entities that do, we assume 832 hours[27] per entity for ongoing compliance burden.

  • With respect to the Blackstart facilities owned by Group C entities, we assume 160 hours[28] per entity to modify policy and evaluation process documentation. We also assume a reduction of 728 hours[29] per entity for ongoing compliance documentation that is required under the currently approved CIP standards but is no longer required under CIP version 5.

  • For Group C’s Medium and High facilities, we assume 1,600 hours[30] per entity to modify the required policy, compliance, and implementation documentation, and 416 hours[31] per entity for ongoing compliance.

The estimated paperwork burden changes for these entities, as contained in the proposed rule in RM13-5-000, are illustrated in the table below. The information collection burden also varies according to the types of facilities the entities own, as classified by the criteria in CIP-002-5, Attachment 1. To further refine our estimate, we indicate the classes of facilities each group of entities owns in the second column of the table below.


Groups of      Classes of Entity’s Facilities          Number of       Year 1 total    Year 2 total    Year 3 total
Registered     Requiring CIP Version 5 Protections     Entities[32]    (hours)[33]     (hours)         (hours)
Entities
-----------------------------------------------------------------------------------------------------------------
Group A        Low[34]                                        61                0           3,804           3,804
Group B        Low[35]                                     1,089                0         570,636         570,636
Group B        Medium[36]                                    260          128,960         128,960          64,896
Group C        Low[37]                                       325                0         170,300         170,300
Group C        Medium (New)[38]                               78            1,248           1,248          19,136
Group C        Low (Blackstart)[39]                          283           22,640          22,640        -206,024
Group C        Medium or High[40]                            325          265,200         265,200         135,200
-----------------------------------------------------------------------------------------------------------------
Totals[41]                                                                418,048       1,162,788         757,948


The following shows the average annual cost burden (averaged over Years 1-3 and rounded for hours/entity) for all entities within the group, based on the burden hours in the table above:[42]


  • Group A: 61 unique entities * 41.5 hrs/entity * $72/hour = $182,000

  • Group B: 1,089 unique entities * 448 hrs/entity * $72/hour = $35,127,000

  • Group C: 325 unique entities * 889 hrs/entity * $72/hour = $20,803,000


Total average annual paperwork cost (averaged over Years 1-3) for the change in requirements contained in the NOPR in RM13-5 = $56,112,000. [($182,000 + $35,127,000 + $20,803,000) = $56,112,000].


The estimated hourly rate of $72 is the average loaded cost (wage plus benefits) of legal services ($128.00 per hour), technical employees ($58.86 per hour) and administrative support ($30.18 per hour), based on hourly rates and average benefits data from the Bureau of Labor Statistics.[43]

The existing burden hours for FERC-725B are 850,680. In this clearance package we request a 286,927 hour downward adjustment, and a 779,595 hour program increase, as explained in item #15.


  13. ESTIMATE OF THE TOTAL ANNUAL COST BURDEN TO RESPONDENTS


The main potential non-labor cost is for electronic record storage. The Commission considers any cost related to storing CIP standard documents to be negligible. However, the Commission will continue with the current records storage cost of $15.25 per entity per year for each of the applicable entities (331 entities in total; 331 × $15.25 = $5,047, rounded down).[44]


There are no other non-labor costs associated with the CIP version 5 standards.


  14. ESTIMATED ANNUALIZED COST TO FEDERAL GOVERNMENT


The CIP Reliability Standards do not require any information to be submitted to FERC. Most of the FERC cost pertaining to the CIP standards relates to violation reporting or other compliance monitoring and review activities, all of which are contained in the FERC-725 collection (OMB Control No. 1902-0225).


FERC does incur costs in maintaining this collection of information current with OMB as indicated in the following table.


FERC-725B Federal Cost           Estimated Annual Federal Cost[45]
------------------------------------------------------------------
PRA Administration Cost[46]      $2,250


  15. REASONS FOR CHANGES IN BURDEN INCLUDING THE NEED FOR ANY INCREASE


FERC has issued a proposed rule which proposes to adopt the CIP version 5 Reliability Standards. As discussed previously, these standards are an improvement over the current Version 4 standards. The CIP version 5 standards will require new and ongoing paperwork burden.


FERC is averaging the estimated burden hours from the proposed rule across the first three years to create an annual figure to provide to OMB. This annual figure is 779,595 hrs [(418,048 hrs + 1,162,788 hrs + 757,948 hrs)/3 = 779,595 hrs]. After the first three years, entities will have completed implementation of CIP version 5 and the total burden will be reduced by 383,543 hours/year.[47]


FERC proposes to add the annual hours from the NOPR, 779,595 hours, to an adjusted baseline of burden hours under the existing CIP standards. The current burden inventory shows 850,680 hours. FERC is adjusting the existing hours based upon careful review of the assumptions used to generate the previous estimates.

  • In particular, one of the assumptions was that entities would incur the full burden of preparing for an audit each year instead of every 3-5 years. A small fraction of entities may be responsible for multiple functions and be audited on a more frequent basis but this is the exception and not the rule. We account for that in the adjusted figure. The total burden reduction for modifying this assumption is 429,600 hours.

  • Also, the assumptions did not include some of the yearly burden required to keep documents up to date for future audits. The change here leads to a 143,208 hour increase.

  • Finally, there are an estimated net 26 fewer entities now than there were the last time OMB approved this collection (a reduction from 1,501 to 1,475). This change leads to a 534 hour burden reduction. CIP version 5 adds 61 entities, leading to an overall change of -26 entities. The reduction in entities is generally caused by some entities merging and some entities dropping from the market.


The total change due to agency adjustment is 286,927 hours[48] (143,208 hours – 429,600 hours – 534 hours = 286,927 hours). See the spreadsheet attached to this package for more details regarding this agency adjustment change.


FERC does not consider there to be any additional non-labor costs for CIP version 5. The adjustment (-$397) in the annual cost burden below is due to fewer applicable entities (going from 357 entities to 331 entities estimated to incur this cost).


This table shows the adjustments and discretionary changes to the burden estimates, as described previously.


FERC-725B                     Total Request   Previously Approved   Change due to Adjustment in Estimate   Change Due to Agency Discretion
---------------------------------------------------------------------------------------------------------------------------------------
Annual Number of Responses            1,475                 1,501                                    -87                                61
Annual Time Burden (Hr)           1,343,348               850,680                               -286,927                           779,595
Annual Cost Burden ($)                5,047                 5,444                                   -397                                 0


  16. TIME SCHEDULE FOR PUBLICATION OF DATA


There are no publications of data as part of this collection.


  17. DISPLAY OF EXPIRATION DATE


It is not appropriate to display the expiration date because the information is not collected on a preformatted form or in any format that would allow for such a display.


  18. EXCEPTIONS TO THE CERTIFICATION STATEMENT


The Commission does not use statistical methods for this collection.



1 The Commission also issued an errata notice (at http://elibrary.ferc.gov/idmws/common/opennat.asp?fileID=13252411) in this docket on 5/3/2013 correcting a few mistakes in the proposed rule.

2 The Energy Policy Act of 2005, Pub. L. No 109-58, Title XII, Subtitle A, 119 Stat. 594, 941 (2005), codified at 16 U.S.C. 824o (2000).

3 Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 122 FERC ¶ 61,040, order on reh’g, Order No. 706-A, 123 FERC ¶ 61,174 (2008), order on clarification, Order No. 706-B, 126 FERC ¶ 61,229 (2009), order on clarification, Order No. 706-C, 127 FERC ¶ 61,273 (2009).

4 North American Electric Reliability Corp., 128 FERC ¶ 61,291, order denying reh’g and granting clarification, 129 FERC ¶ 61,236 (2009).

5 North American Electric Reliability Corp., 130 FERC ¶ 61,271 (2010).

6 Version 4 Critical Infrastructure Protection Reliability Standards, Order No. 761, 77 Fed. Reg. 24,594 (April 25, 2012), 139 FERC ¶ 61,058 (2012); order denying reh’g, 140 FERC ¶ 61,109 (2012).

7 The CIP version 5 Implementation Plan, if approved as proposed in the NOPR, would obviate this CIP version 4 schedule.

8 The NERC Petition is available on FERC’s eLibrary system (http://www.ferc.gov/docs-filing/elibrary.asp) by searching in Docket Number RM13-5. The proposed standards are contained in Exhibit A of NERC’s petition.

9 CIP-003-5 Requirement R2 specifies 4 policies that apply to Low Impact Systems: 1) Cyber security awareness; 2) Physical security controls; 3) Electronic access controls; 4) Incident response to a cyber-security incident.

10 Version 4 Critical Infrastructure Protection Reliability Standards, Order No. 761, 77 FR 24594 (Apr. 25, 2012), 139 FERC ¶ 61,058 (2012) order denying reh’g, 140 FERC ¶ 61,109 (2012), Paragraph 80.

11 Based on a comparison of the NERC Compliance Registry (as of February 28, 2013) and Energy Information Administration Form 861 (available at http://www.eia.gov/electricity/data/eia861/index.html)

12 The 14 small entities in this class represent small Transmission Owners assumed to fall under the Medium classification and thus experience a greater impact than other small entities. These same entities also experience the impact associated with the Low classification.

13 These costs are based on an estimated 4,600 hours of total work per entity over three years at $59/hour and $15,000 of non-labor costs.

14 This figure represents the number of small entities that own assets covered by CIP version 5. This number does not include the 14 significantly impacted entities.

15 This cost figure is based on an estimated 268 hours of total work per entity for each of years two and three combined at $72/hour, and $7,500 of non-labor costs for each of years two and three.

16 The number of small Distribution Providers assumed to not own assets covered by CIP version 5.

17 Details of the current ERO standard processes are available on the NERC website at http://www.nerc.com/docs/standards/sar/Appendix_3A_Standard_Processes_Manual_20100903_2_.pdf.

18 The proposed rule is included as a supplementary document in ROCIS/Reginfo.gov.

19 See the “Who Must Comply?” section at http://www.nerc.com/pa/comp/Pages/Default.aspx.

20 See Order No. 761, 139 FERC ¶ 61,058 at P 122, n.162.

21 Based on assumption of 2 persons per entity, working 15 percent of the time for 2 weeks.

22 Based on assumption of 2 persons per entity, creating required policy documentation per policy (for each of four low policies), working 40 percent of the time for 8 weeks.

23 Based on assumption of 2 persons per entity, working 20% of the time for 2 weeks.

24 Based on assumption of 1 person per entity, per standard (for each of the 10 standards) creating policy documentation, working 75 percent of the time for 8 weeks, and 1 person per entity, per standard (for each of the 10 standards) on creating compliance documentation, 25 percent of the time for 8 weeks. Therefore, for the estimated 10 standards per entity, 1 person would be working 3,200 hrs.

25 Based on assumption of 2 persons per entity, working 20 percent of the time for 52 weeks.

26 These are the Group C Medium facilities that are newly applicable to CIP standards. The total number of entities is 23 (30% of 78 new Mediums = 23).

27 Based on assumption of 2 persons per entity, working 20 percent of the time for 52 weeks.

28 Based on assumption of 1 person per entity, per standard (for each of the 10 standards) modifying policy documentation, working 10 percent of the time for 2 weeks, and 1 person per entity, per standard (for each of the 10 standards) modifying compliance documentation, 10 percent of the time for 2 weeks.

29 Based on assumption of a reduction of 2 persons per entity, collecting compliance data, working 20 percent of the time for 52 weeks (giving a reduction of 832 hours), and an increase of 1 person per entity, collecting compliance data, working 5 percent of the time for 52 weeks (giving an increase of 104 hours), for a net reduction of 728 hours. CIP v5 puts Blackstart facilities into the Low category. This reduces the amount of paperwork burden these facilities have under the current CIP standards.

30 Based on assumption of 1 person per entity, per standard (for each of the 10 standards) modifying compliance documentation, working 50 percent of the time for 8 weeks.

31 Based on assumption of 2 persons collecting compliance data, working 10 percent of the time for 52 weeks.

32 Group A includes 61 unique entities, Group B includes 1,089 unique entities, and Group C includes 325 unique entities.

33 The three “Total Hours” columns represent the aggregate hours for all the entities in each row. For the last row they show the grand total for each year.

34 Distribution Providers are the only functional entity type in Group A (see section 4, Applicability, of each CIP version 5 Standard), and their facilities are captured only by the Low classification criteria listed in proposed CIP-002-5. The number of entities in this group represents the number of Distribution Providers that are not registered for any additional CIP version 5 applicable functions, including the Load Serving Entity function. The Load Serving Entity function is subject to CIP versions 1-4.

35 As with Groups A and C, Group B will own Low facilities which were not identified for protections under prior CIP versions. The number of Group B respondents is calculated as 77 percent of the total entities previously subject to the CIP Reliability Standards. (0.77 * 1414 = 1,089).

36 In contrast to CIP version 4, Criterion 2.5 in proposed CIP version 5 identifies new facilities for protection (transmission facilities which are greater than or equal to 200kV and less than 300kV) and classifies them as “Medium.” Some of these newly-applicable transmission facilities are owned by entities that had not previously identified any CCAs under previous versions, while some of the Criterion 2.5 facilities are owned by entities that previously identified CCAs. Assuming Group B entities constitute 77 percent of the entities to which this criterion potentially applies, 260 entities of the 338 total Transmission Owners (TO) captured by Criterion 2.5 are assigned to Group B, while the remaining 78 are allotted to Group C.

37 As with Groups A and B, the entities that identified CCAs under CIP version 4 (Group C) will also own facilities newly addressed by CIP version 5 and classified as Low. The number of Group C respondents is calculated as 23 percent of the total entities previously subject to the CIP Reliability Standards. (0.23 * 1414 = 325).

38 This row concerns only the newly subject transmission facilities that are addressed by CIP version 5, Criterion 2.5, as owned by Group C TO (Transmission Owner) entities. See Footnote 25 for Group B Medium for further explanation. These Medium-rated facilities are broken out in this row, separate from the other Medium facilities the entity may own in the High and Medium rows below, because the level of effort for these Group C TO entities to protect these newly protected facilities is estimated differently than for the Group B entities, or for other Medium facilities the entity may own.

39 Blackstart generation and transmission cranking paths are the only types of facilities identified first for more specified security controls under CIP version 4, Criteria 1.4 and 1.5, but then subject only to Low mandatory security controls under CIP version 5, Criterion 3.4. The number of entities in this row represents 23 percent of the sum of all registered Generation Operators (891 total Generator Operators) to account for Blackstart Resources and all TOs to account for cranking paths. The total burden in year 3 is negative (-206,024 hours) because in year 3 blackstart facilities will no longer be subject to the more specified security controls under CIP version 4. This leads to the burden reduction for these entities described in footnote 17.

40 Except for the Blackstart facilities noted above, the facilities that Group C entities identify as CCAs under CIP version 4 will be rated for Medium or High security controls under CIP version 5.

41 In the NOPR, the total for year 2 and the total for year 3 were shown to be 768 hours more than the actual totals. The Commission issued an errata notice on 5/3/2013 to correct the error.

42 The total cost figures are rounded to the nearest thousand dollars. The “hours per entity” figures are averages over three years. Some entities within a group may experience higher or lower hourly impact (as illustrated in the burden table) depending on entity type and assets owned.

44 These are the entities that had identified critical cyber assets under CIP Version 3 and 4. For version 3 and version 4 there were 345 of these entities. Now, there are 325, plus an additional 6 entities brought in by version 5, for a total of 331 entities incurring this recordkeeping cost. We assume that all other entities will experience negligible record keeping costs.

45 Based on 2013 cost per FTE of $145,818.

46 The PRA Administration Cost is based on the Commission’s estimated staff time and resources to comply with the requirements of the PRA.

47 This figure represents the burden hours associated with implementing the CIP version 5 standards. The remaining hours are associated with the ongoing burden.

48 The math shown here actually yields 286,926 hours. However, in ROCIS the adjustment is rounded to 286,927 hours.
