RD24-3 supporting statement - Final 9-6-24


FERC-725B (OMB Control No. 1902-0248)


Supporting Statement for:

FERC-725B, Revisions in RD24-3, Adding Voluntary Requests for Cybersecurity Incentives to Mandatory Reliability Standards for Critical Infrastructure Protection



The Federal Energy Regulatory Commission (“Commission” or “FERC”) requests that the Office of Management and Budget (OMB) review the revised collection of information designated as FERC-725B (Mandatory Reliability Standards: Critical Infrastructure Protection Reliability Standards) in RD24-3-000.


  1. CIRCUMSTANCES THAT MAKE THE COLLECTION OF INFORMATION NECESSARY


On August 8, 2005, Congress enacted the Energy Policy Act of 2005.1 The Energy Policy Act of 2005 added a new section 215 to the Federal Power Act (FPA),2 which requires a Commission-certified Electric Reliability Organization to develop mandatory and enforceable Reliability Standards,3 including requirements for cybersecurity protection, which are subject to Commission review and approval. Once approved, the Reliability Standards may be enforced by the Electric Reliability Organization subject to Commission oversight, or the Commission can independently enforce Reliability Standards.

On February 3, 2006, the Commission issued Order No. 672,4 implementing FPA section 215. The Commission subsequently certified North American Electric Reliability Corporation (NERC) as the Electric Reliability Organization.

The Reliability Standards developed by NERC become mandatory and enforceable after Commission approval and apply to users, owners, and operators of the Bulk-Power System, as set forth in each Reliability Standard.5


The CIP Reliability Standards require entities to comply with specific requirements to safeguard critical cyber assets. These standards are results-based and do not specify a technology or method to achieve compliance, instead leaving it up to the entity to decide how best to comply. On January 18, 2008, the Commission issued Order No. 706,6 approving the initial eight CIP Reliability Standards, CIP version 1 Standards, submitted by NERC. Subsequently, the Commission has approved multiple versions of the CIP Reliability Standards submitted by NERC, partly to address the evolving nature of cyber-related threats to the Bulk-Power System. On November 22, 2013, the Commission issued Order No. 791,7 approving CIP version 5 Standards, the last major revision to the CIP Reliability Standards. The CIP version 5 Standards implement a tiered approach to categorize assets, identifying them as high, medium, or low risk to the operation of the Bulk Electric System (BES)8 if compromised. High impact systems include large control centers. Medium impact systems include smaller control centers, ultra-high voltage transmission, and large substations and generating facilities. The remainder of the BES Cyber Systems9 are categorized as low impact systems. Most requirements in the CIP Reliability Standards apply to high and medium impact systems.


  2. HOW, BY WHOM AND FOR WHAT PURPOSE IS THE INFORMATION TO BE USED AND THE CONSEQUENCES OF NOT COLLECTING THE INFORMATION

On January 31, 2024, the North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization (ERO), filed a petition with the Commission seeking approval of proposed Reliability Standard CIP-012-2 (Cyber Security – Communications between Control Centers). NERC also requested approval of the associated implementation plan, violation risk factors and violation severity levels, and the retirement of the currently effective Reliability Standard CIP-012-1.

Pursuant to section 215(d)(2) of the Federal Power Act (FPA), we approved the proposed Reliability Standard CIP-012-2, its associated implementation plan, violation risk factors and violation severity levels, and the retirement of the Reliability Standard CIP-012-1, which became effective upon the issuance of the order approving Reliability Standard CIP-012-2.10 For the reasons discussed below, we determine that proposed Reliability Standard CIP-012-2 improves upon and expands the protections required by Reliability Standard CIP-012-1 and addresses the Commission directive issued in Order No. 866.11

Background

Section 215 and Mandatory Reliability Standards

Section 215 of the FPA provides that the Commission may certify an ERO, the purpose of which is to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval.12 Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,13 and subsequently certified NERC.14

Order No. 866 Directive

In Order No. 866, the Commission directed NERC to modify Critical Infrastructure Protection (CIP) Reliability Standards to implement protections regarding the availability of communication links and sensitive bulk electric system (BES) data communicated between BES Control Centers.15 The Commission explained that creating an obligation to protect availability, while affording flexibility in terms of what data is protected and how, was “distinct from relying on currently-effective Reliability Standards whose effect may be to support availability.”16

NERC Petition and Proposed Reliability Standard17 CIP-012-2

NERC states that proposed Reliability Standard CIP-012-2 improves upon and expands the protections required by Reliability Standard CIP-012-1 by requiring responsible entities to mitigate the risk posed by loss of availability of communication links and Real-time Assessment18 and Real-time19 monitoring data transmitted between Control Centers. Proposed Reliability Standard CIP-012-2 adds two new provisions to Requirement R1 that address availability by requiring (1) protections for the availability of data in transit and (2) protections to initiate recovery of lost (i.e., unavailable) communication links.20

NERC also requests approval of the associated implementation plan, the associated violation risk factors and violation severity levels, and retirement of Reliability Standard CIP-012-1 immediately prior to the effective date of CIP-012-2. The 24-month implementation period is proposed to afford responsible entities sufficient time to implement the new controls and coordinate with other responsible entities that own or operate Control Centers as required in proposed Reliability Standard CIP-012-2.


  3. DESCRIBE ANY CONSIDERATION OF THE USE OF IMPROVED TECHNOLOGY TO REDUCE BURDEN AND TECHNICAL OR LEGAL OBSTACLES TO REDUCING BURDEN.


The use of current or improved technology and the medium are not covered in Reliability Standards and are therefore left to the discretion of each respondent. We think that nearly all of the respondents are likely to make and keep related records in an electronic format. The compliance portals allow documents developed by the registered entities to be attached and uploaded to the Regional Entity’s portal. Compliance data can also be submitted by filling out data forms on the portals. These portals are accessible through a password-protected user interface in an internet browser.


  4. DESCRIBE EFFORTS TO IDENTIFY DUPLICATION AND SHOW SPECIFICALLY WHY ANY SIMILAR INFORMATION ALREADY AVAILABLE CANNOT BE USED OR MODIFIED FOR USE FOR THE PURPOSE(S) DESCRIBED IN INSTRUCTION NO. 2


Filing requirements are periodically reviewed as OMB review dates arise or as the Commission may deem necessary in carrying out its regulatory responsibilities under the FPA in order to eliminate duplication and ensure that filing burden is minimized. There are no similar sources for information available that can be used or modified for these reporting purposes.


  5. METHODS USED TO MINIMIZE BURDEN IN COLLECTION OF INFORMATION INVOLVING SMALL ENTITIES


The Commission estimates one-time and ongoing increases in reporting burden on a variety of NERC-registered entities (including Reliability Coordinators, Generator Operators, Generator Owners, Interchange Coordinators, Transmission Operators, Balancing Authorities, and Transmission Owners) due to the changes in the revised Reliability Standards, with no other increase in the cost of compliance (when compared with the current standards). Approximately 585 of the 714 affected entities are expected to meet the SBA’s definition for a small entity.21


The Reliability Standards do not contain provisions for minimizing the burden of the collection for small entities. All the requirements in the Reliability Standards apply to every applicable entity. However, small entities generally can reduce their burden by taking part in a joint registration organization or a coordinated function registration. These options allow an entity to share its compliance burden with other similar entities. Detailed information regarding these options is available in NERC’s Rules of Procedure at Section 1502, Paragraph 2, available on NERC’s website.


  6. CONSEQUENCE TO FEDERAL PROGRAM IF COLLECTION WERE CONDUCTED LESS FREQUENTLY


The collection of voluntary rate-incentive filings “on occasion,” as provided by the final rule, is integral to the Commission’s compliance with the requirement of FPA section 219A to encourage utilities to invest in Advanced Cybersecurity Technology, and to encourage utilities to participate in information sharing regarding cybersecurity threats. The consequence of collecting this information less frequently would be detrimental to the Commission’s fulfillment of that statutory obligation.


Without the collection of informational filings annually, the Commission would be hindered in ensuring that a utility receiving incentive rate treatment has implemented the requirements of the incentive and ensuring that the utility continues to adhere to the requirements.


  7. EXPLAIN ANY SPECIAL CIRCUMSTANCES RELATING TO THE INFORMATION COLLECTION


FERC-725B information collection has no special circumstances.


  8. DESCRIBE EFFORTS TO CONSULT OUTSIDE THE AGENCY: SUMMARIZE PUBLIC COMMENTS AND THE AGENCY'S RESPONSE TO THESE COMMENTS


The Commission published the 60-day notice in Docket No. RD24-3-000 on May 31, 2024 (89 FR 47147), with no comments received. The 30-day notice was published on August 20, 2024 (89 FR 67432). The Commission received no public comments in response.


  9. EXPLAIN ANY PAYMENT OR GIFTS TO RESPONDENTS


No payments or gifts have been made to respondents.


  10. DESCRIBE ANY ASSURANCE OF CONFIDENTIALITY PROVIDED TO RESPONDENTS


According to the NERC Rules of Procedure,22 “…a Receiving Entity shall keep in confidence and not copy, disclose, or distribute any Confidential Information or any part thereof without the permission of the Submitting Entity, except as otherwise legally required.” This serves to protect confidential information submitted to NERC or Regional Entities.

Responding entities do not submit the information collected due to the Reliability Standards to FERC. Rather, they submit the information to NERC, the regional entities, or maintain it internally. Since there are no submissions made to FERC, FERC provides no specific provisions in order to protect confidentiality.


  11. PROVIDE ADDITIONAL JUSTIFICATION FOR ANY QUESTIONS OF A SENSITIVE NATURE, SUCH AS SEXUAL BEHAVIOR AND ATTITUDES, RELIGIOUS BELIEFS, AND OTHER MATTERS THAT ARE COMMONLY CONSIDERED PRIVATE


This collection does not contain any questions of a sensitive nature.

  12. ESTIMATED BURDEN OF COLLECTION OF INFORMATION


Estimate of Annual Burden:23 The Commission bases its paperwork burden estimates on the changes in paperwork burden presented by the revision to CIP Reliability Standard CIP-012-2 as compared to the prior Commission-approved Reliability Standard CIP-012-1. As discussed above, the immediate order addresses the area of modification to the CIP Reliability Standards: modifications to provide protections of the availability of communication links and sensitive data transmitted between BES Control Centers.

The CIP Reliability Standards, viewed as a whole, implement a defense-in-depth approach to protecting the security of BES Cyber Systems at all impact levels.24 The CIP Reliability Standards are objective-based and allow entities to choose compliance approaches best tailored to their systems.25 The NERC Compliance Registry, as of March 15, 2024, identifies approximately 1,610 unique U.S. entities that are subject to mandatory compliance with CIP Reliability Standards. Of this total, we estimate that 730 entities will face an increased paperwork burden under proposed Reliability Standard CIP-012-2. Based on these assumptions, we estimate the following reporting burdens:

FERC-725B, Modifications in Docket No. RD24-3-000

| Activity | No. of Respondents (1) | No. of Responses26 per Respondent (2) | Total No. of Responses (1)×(2)=(3) | Avg. Burden Hrs. & Cost per Response27 (4) | Total Annual Burden Hours & Total Annual Cost (3)×(4)=(5) |
|---|---|---|---|---|---|
| Implementation of Documented Plan(s) (Requirement R1)28 | 730 | 1 | 730 | 42 hrs.; $4,493.16 | 30,660 hrs.; $3,280,006.80 |
| Document identification of methods to mitigate the risk(s) posed by unauthorized disclosure and unauthorized modification (Requirement R1.1) | 730 | 1 | 730 | 20 hrs.; $2,139.60 | 14,600 hrs.; $1,561,908 |
| Document identification of methods to mitigate the risk(s) posed by loss of the ability to communicate (Requirement R1.2) | 730 | 1 | 730 | 60 hrs.; $6,418.80 | 43,800 hrs.; $4,685,724 |
| Document identification of methods to use to initiate the recovery of communication links (Requirement R1.3) | 730 | 1 | 730 | 100 hrs.; $10,698 | 73,000 hrs.; $7,809,540 |
| Document identification of where the method(s) required in Parts 1.1 and 1.2 are implemented (Requirement R1.4) | 730 | 1 | 730 | 50 hrs.; $5,349 | 36,500 hrs.; $3,904,770 |
| Document identification of the responsibilities of each Responsible Entity (if not owned by the same Responsible Entity) required in Parts 1.1, 1.2 and 1.3 (Requirement R1.5) | 730 | 1 | 730 | 50 hrs.; $5,349 | 36,500 hrs.; $3,904,770 |
| Maintaining Compliance (ongoing, starting in Year 2) | 730 | 1 | 730 | 1 hr.; $106.98 | 730 hrs.; $78,095.40 |
| Total (one-time, in Year 1) | | | 4,380 | | 235,060 hrs.; $25,146,718.80 |
| Total (ongoing, starting in Year 2) | | | 730 | | 730 hrs.; $78,095.40 |


The one-time burden (in Year 1) for the FERC-725B information collection will be averaged over three years:

  • 235,060 hours ÷ 3 = 78,353 (rounded) hours/year over Years 1-3

  • The number of one-time responses for the FERC-725B information collection is also averaged over Years 1-3: 4,380 responses ÷ 3 = 1,460 responses/year

The average annual number (for Years 1-3) of responses and burden for one-time and ongoing burden will total:

  • 2,190 responses [1,460 responses (one-time) + 730 responses (ongoing)]

  • 79,083 burden hours [78,353 hours (one-time) + 730 hours (ongoing)]

  13. ESTIMATE OF THE TOTAL ANNUAL COST BURDEN TO RESPONDENTS


There are no start-up or other non-labor costs.


Total Capital and Start-up cost: $0

Total Operation, Maintenance, and Purchase of Services: $0


All costs due to the final rule are associated with burden hours (labor) and described in Questions #12 and #15 in this supporting statement.


  14. ESTIMATED ANNUALIZED COST TO FEDERAL GOVERNMENT


The Commission would incur costs associated with processing filings under the final rule, and in obtaining OMB clearance under the Paperwork Reduction Act (PRA). The estimated processing cost totals $207,787 annually. The Commission estimates receiving 20 informational filings per year under the final rule, with each filing estimated to take approximately 100 hours to analyze and process, totaling the number of hours and cost of one FTE.


The estimated PRA Administrative Cost of $8,396 is a federal cost associated with preparing, issuing, and submitting materials necessary to comply with the PRA for rulemakings, orders, or any other vehicle used to create, modify, extend, or discontinue an information collection. This average annual cost includes requests for extensions, all associated rulemakings and orders, other changes to the collection, and associated publications in the Federal Register.


As shown in the table below, $216,182 is the sum of the estimated annual federal cost of analyzing and processing the filings (which is the annual salary for one Full-Time Equivalent (FTE) of $207,786) plus the estimated PRA administrative cost of $8,396.


Table 14

Estimated Annual Federal Costs

| FERC-725B | Number of Employees (FTEs) | Estimated Annual Federal Cost |
|---|---|---|
| Analysis and Processing of Filings | 1 | $207,786 |
| Paperwork Reduction Act Administrative Cost | | $8,396 |
| TOTAL | | $216,182 |



  15. REASONS FOR CHANGES IN BURDEN INCLUDING THE NEED FOR ANY INCREASE


Changes due to Agency discretion

Totals:

+1,466 Responses, +79,083 Annual Burden Hours


All of the estimated burdens described above in Discussion #12 are program changes to FERC-725B. The estimated annual burdens add the following average annual numbers (for Years 1-3) of responses and burden hours, combining one-time and ongoing burden:

  • 1,460 responses (one-time) and 78,353 hours (one-time) for Years 1-3

  • With the addition of the 730 ongoing burden hours, the ongoing totals have been updated by +6 responses and 730 burden hours, for a total of 730 responses (724 responses were already counted from RD22-2, and 6 were added, totaling 730 responses) and 62,755 burden hours for FERC-725B.


  16. TIME SCHEDULE FOR THE PUBLICATION OF DATA


There are no tabulating, statistical, or publication plans in accordance with the final rule.


  17. DISPLAY OF THE EXPIRATION DATE


The expiration date is displayed in a table posted on ferc.gov at https://www.ferc.gov/information-collections.


  18. EXCEPTIONS TO THE CERTIFICATION STATEMENT


There are no exceptions.

1 Energy Policy Act of 2005, Pub. L. No. 109-58, sec. 1261 et seq., 119 Stat. 594 (2005).

2 16 U.S.C. 824o.

3 The FPA, at 16 U.S.C. 824o(a)(3), defines “Reliability Standard” as a requirement, approved by the Commission, to provide for reliable operation of the bulk-power system. This definition includes cybersecurity protection, and the design of planned additions or modifications to bulk-power facilities to the extent necessary to provide for reliable operation of the Bulk-Power System. However, the term does not include any requirement to enlarge such facilities or to construct new transmission capacity or generation capacity.

4 Rules Concerning Certification of the Elec. Reliability Org.; and Procedures for the Establishment, Approval, and Enf’t of Elec. Reliability Standards, Order No. 672, 71 FR 8661 (Feb. 17, 2006), 114 FERC ¶ 61,104, order on reh’g, Order No. 672-A, 71 FR 19814 (Apr. 28, 2006), 114 FERC ¶ 61,328 (2006).


5 NERC uses the term “registered entity” to identify users, owners, and operators of the Bulk-Power System responsible for performing specified reliability functions with respect to NERC Reliability Standards. See, e.g., Version 4 Critical Infrastructure Protection Reliability Standards, Order No. 761, 77 FR 24594 (Apr. 25, 2012), 139 FERC ¶ 61,058, at P 46, order denying clarification and reh’g, 140 FERC ¶ 61,109 (2012). Within the NERC Reliability Standards are various subsets of entities responsible for performing various specified reliability functions. We collectively refer to these as “entities.”

6 Order No. 706, 122 FERC ¶ 61,040 at P 1 (2008).

7 Version 5 Critical Infrastructure Protection Reliability Standards, Order No. 791, 78 FR 72755 (Dec. 13, 2013), 145 FERC ¶ 61,160 (2013), order on reh’g, Order No. 791-A, 146 FERC ¶ 61,188 (2014).

8 In general, NERC defines BES to include all Transmission Elements operated at 100 kV or higher and Real Power and Reactive Power resources connected at 100 kV or higher. This does not include facilities used in the local distribution of electric energy. See NERC, Bulk Electric System Definition Reference Document, Version 3, at page iii (August 2018). In Order No. 693, the Commission found that NERC’s definition of BES is narrower than the statutory definition of Bulk-Power System. The Commission decided to rely on the NERC definition of BES to provide certainty regarding the applicability of Reliability Standards to specific entities. See Mandatory Reliability Standards for the Bulk-Power System, Order No. 693, 72 FR 16415 (Apr. 4, 2007), 118 FERC ¶ 61,218, at PP 75, 79, 491, order on reh’g, Order No. 693-A, 72 FR 49717 (July 25, 2007), 120 FERC ¶ 61,053 (2007).

9 NERC defines BES Cyber System as “[o]ne or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.” NERC, Glossary of Terms Used in NERC Reliability Standards, at 5 (2020), https://www.nerc.com/files/glossary_of_terms.pdf (NERC Glossary of Terms). NERC defines BES Cyber Asset as

A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, mis-operation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems.

Id. at 4.

10 16 U.S.C. § 824o(d)(2).

11 Critical Infrastructure Protection Reliability Standard CIP-012-1 – Cyber Security – Communications between Control Centers, Order No. 866, 170 FERC ¶ 61,031, P 36 (2020).  

12 16 U.S.C. § 824o.

13 Rules Concerning Certification of the Elec. Reliability Org.; & Procedures for the Establishment, Approval, & Enforcement of Elec. Reliability Standards, Order No. 672, 114 FERC ¶ 61,104, order on reh’g, Order No. 672-A, 114 FERC ¶ 61,328 (2006).

14 N. Am. Elec. Reliability Corp., 116 FERC ¶ 61,062, order on reh’g and compliance, 117 FERC ¶ 61,126 (2006), order on compliance, 118 FERC ¶ 61,030, order on clarification and reh’g, 119 FERC ¶ 61,046 (2007), aff’d sub nom. Alcoa Inc. v. FERC, 564 F.3d 1342 (D.C. Cir. 2009).

15 Id. at P 3.

16 Id. at P 28.

17 The proposed Reliability Standard is not attached to this order. The Reliability Standard is available on the Commission’s library document retrieval system in Docket No. RD24-3-000 and on the NERC website, www.nerc.com.

18 The NERC Glossary defines Real-time Assessment as, “An evaluation of system conditions using Real-time data to assess existing (pre-Contingency) and potential (post-Contingency) operating conditions. The assessment shall reflect applicable inputs including, but not limited to load; generation output levels; known Protection System and Remedial Action Scheme status or degradation, functions, and limitations; Transmission outages; generator outages; Interchange; Facility Ratings; and identified phase angle and equipment limitations. (Real-time Assessment may be provided through internal systems or through third-party services.)” NERC Glossary of Terms Used in NERC Reliability Standards (April 1, 2024).


19 Id. at 23.

20 NERC Petition at 3.

21 Public utilities may fall under one of several different categories, each with a size threshold based on the company’s number of employees, including affiliates, the parent company, and subsidiaries. For the analysis in this Final Rule, we are using a 500-employee threshold due to each affected entity falling in the role of Electric Bulk Power Transmission and Control (NAICS Code: 221121).

22 NERC Rules of Procedure, Section 1502, at 91-92 (revised November 28, 2023).

23 “Burden” is the total time, effort, or financial resources expended by persons to generate, maintain, retain, or disclose or provide information to or for a Federal agency. 5 C.F.R. § 1320.3.

24 Order No. 822, 154 FERC ¶ 61,037 at 32 (2016).

25 Mandatory Reliability Standards for Critical Infrastructure Protection, Order No. 706, 73 FR 7368 (Feb. 7, 2008), 122 FERC ¶ 61,040, at P 72 (2008); order on reh’g, Order No. 706-A, 123 FERC ¶ 61,174 (2008); order on clarification, Order No. 706-B, 126 FERC ¶ 61,229 (2009).

26 We consider the filing of an application to be a “response.”

27 The hourly cost for wages plus benefits is based on the average of the occupational categories for 2024 found on the Bureau of Labor Statistics website (http://www.bls.gov/oes/current/naics2_22.htm):

Information Security Analysts (Occupation Code: 15-1212): $80.62

Computer and Mathematical (Occupation Code: 15-0000): $74.16

Legal (Occupation Code: 23-0000): $160.24

Computer and Information Systems Managers (Occupation Code: 11-3021): $112.88

These various occupational categories’ wage figures are averaged as follows: ($80.62/hour + $74.16/hour + $160.24/hour + $112.88/hour) ÷ 4 = $106.975/hour ($106.98 rounded). The resulting wage figure is rounded to $106.98/hour for use in calculating wage figures in the Final Rule in Docket No. RD24-3-000.

28 This includes the record retention costs for the one-time and the on-going reporting documents.
