CLO in RD24-3 for CIP-01202 5-23-24

CLO in RD24-3-000 CIP-012-2- 5-23-2024.docx

FERC-725B, Revisions in RD24-3, Adding Voluntary Requests for Cybersecurity Incentives to Mandatory Reliability Standards for Critical Infrastructure Protection

OMB: 1902-0248


187 FERC ¶ 61,086

UNITED STATES OF AMERICA

FEDERAL ENERGY REGULATORY COMMISSION


Before Commissioners: Willie L. Phillips, Chairman;

Allison Clements and Mark C. Christie.


North American Electric Reliability Corporation

Docket No. RD24-3-000


ORDER APPROVING RELIABILITY STANDARD CIP-012-2


(Issued May 23, 2024)


  1. On January 31, 2024, the North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), filed a petition with the Commission seeking approval of proposed Reliability Standard CIP‑012-2 (Cyber Security – Communications between Control Centers). NERC also requested approval of the associated implementation plan, violation risk factors and violation severity levels, and the retirement of the currently-effective Reliability Standard CIP-012-1.

  2. Pursuant to section 215(d)(2) of the Federal Power Act (FPA), we approve proposed Reliability Standard CIP-012-2, its associated implementation plan, violation risk factors and violation severity levels, and the retirement of the currently-effective Reliability Standard CIP-012-1 immediately prior to the effective date of Reliability Standard CIP-012-2.[1] For the reasons discussed below, we determine that proposed Reliability Standard CIP-012-2 improves upon and expands the protections required by Reliability Standard CIP-012-1 and addresses the Commission directive issued in Order No. 866.[2]

  I. Background

    A. Section 215 and Mandatory Reliability Standards

  3. Section 215 of the FPA provides that the Commission may certify an ERO, the purpose of which is to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval.[3] Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,[4] and subsequently certified NERC.[5]

    B. Order No. 866 Directive

  4. In Order No. 866, the Commission directed NERC to modify Critical Infrastructure Protection (CIP) Reliability Standards to implement protections regarding the availability of communication links and sensitive bulk electric system (BES) data communicated between BES Control Centers.[6] The Commission explained that creating an obligation to protect availability, while affording flexibility in terms of what data is protected and how, was “distinct from relying on currently-effective Reliability Standards whose effect may be to support availability.”[7]

    C. NERC Petition and Proposed Reliability Standard[8] CIP-012-2

  5. NERC states that proposed Reliability Standard CIP-012-2 improves upon and expands the protections required by Reliability Standard CIP-012-1 by requiring responsible entities to mitigate the risk posed by loss of availability of communication links and Real-time Assessment[9] and Real-time[10] monitoring data transmitted between Control Centers. Proposed Reliability Standard CIP-012-2 adds two new provisions to Requirement R1 that address availability by requiring (1) protections for the availability of data in transit and (2) protections to initiate recovery of lost (i.e., unavailable) communication links.[11]

  6. NERC also requests approval of the associated implementation plan, the associated violation risk factors and violation severity levels, and retirement of Reliability Standard CIP-012-1 immediately prior to the effective date of CIP-012-2. The 24-month implementation period is proposed to afford responsible entities sufficient time to implement the new controls and coordinate with other responsible entities that own or operate Control Centers as required in proposed Reliability Standard CIP-012-2.

  II. Notice of Filing and Responsive Pleadings

  7. Notice of NERC’s filing was published in the Federal Register, 89 Fed. Reg. 8419 (Feb. 7, 2024), with interventions, comments and protests due on or before March 1, 2024. None were filed.

  III. Commission Determination

  8. Pursuant to section 215(d)(2) of the FPA, we approve Reliability Standard CIP-012-2 as just, reasonable, not unduly discriminatory or preferential, and in the public interest. We conclude that Reliability Standard CIP-012-2 addresses the Commission’s directive issued in Order No. 866.

  9. Specifically, we determine that Reliability Standard CIP-012-2 improves upon and expands the protections required by Reliability Standard CIP-012-1 by requiring responsible entities to mitigate the risk posed by loss of availability of communication links and Real-time Assessment and Real-time monitoring data transmitted between Control Centers. We also approve the associated implementation plan. We agree that the proposed implementation plan reflects consideration that responsible entities need sufficient time to implement the new controls and coordinate with other responsible entities that own or operate Control Centers as required in Reliability Standard CIP-012-2. In addition, we approve the associated violation risk factors and violation severity level assignments for Reliability Standard CIP-012-2. Finally, we approve the retirement of the currently effective Reliability Standard CIP-012-1 immediately prior to the effective date of Reliability Standard CIP-012-2.[12]

The Commission orders:


The Commission hereby approves: (1) Reliability Standard CIP-012-2, (2) the associated implementation plan, the associated violation risk factors and violation severity levels, and (3) the retirement of the currently effective Commission-approved Reliability Standard CIP-012-1 immediately prior to the effective date of Reliability Standard CIP-012-2, as discussed in the body of this order.

By the Commission.


( S E A L )





Debbie-Anne A. Reese,

Acting Secretary.



[1] 16 U.S.C. § 824o(d)(2).

[2] Critical Infrastructure Prot. Reliability Standard CIP-012-1 – Cyber Sec. – Commc’ns between Control Ctrs., Order No. 866, 170 FERC ¶ 61,031, at P 36 (2020).

[3] 16 U.S.C. § 824o.

[4] Rules Concerning Certification of the Elec. Reliability Org., & Procedures for the Establishment, Approval, & Enforcement of Elec. Reliability Standards, Order No. 672, 114 FERC ¶ 61,104, order on reh’g, Order No. 672-A, 114 FERC ¶ 61,328 (2006).

[5] N. Am. Elec. Reliability Corp., 116 FERC ¶ 61,062, order on reh’g and compliance, 117 FERC ¶ 61,126 (2006), order on compliance, 118 FERC ¶ 61,030, order on clarification and reh’g, 119 FERC ¶ 61,046 (2007), aff’d sub nom. Alcoa Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).

[6] Id. P 3.

[7] Id. P 28.

[8] The proposed Reliability Standard is not attached to this order. The proposed Reliability Standard is available on the Commission’s eLibrary document retrieval system in Docket No. RD24-3-000 and on the NERC website, www.nerc.com.

[9] The NERC Glossary defines Real-time Assessment as, “An evaluation of system conditions using Real-time data to assess existing (pre-Contingency) and potential (post-Contingency) operating conditions. The assessment shall reflect applicable inputs including, but not limited to: load; generation output levels; known Protection System and Remedial Action Scheme status or degradation, functions, and limitations; Transmission outages; generator outages; Interchange; Facility Ratings; and identified phase angle and equipment limitations. (Real-time Assessment may be provided through internal systems or through third-party services.)” NERC Glossary of Terms Used in NERC Reliability Standards (May 8, 2024), https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf.

[10] Id. at 23.

[11] NERC Petition at 3.

[12] We are concurrently issuing a notice of information collection and request for comments in this docket.
