Northern Kentucky Law Review Law + Informatics Symposium
Federal Cyber-Security Law and Policy: The Role of the Federal Energy Regulatory Commission
Presentation by Susan J. Court, Principal, SJC Energy Consultants, LLC
February 28, 2014
Source: courtenergy.com/speeches/Northern Kentucky Law Review Law... · 2014. 5. 12.


Overview of Remarks

• Introduction
• Background
  • Federal Energy Regulatory Commission
  • Energy Policy Act of 2005
  • Scope of FERC Reliability Jurisdiction
  • Reliability Paradigm
• CIP Cyber Security Standards
  • Development
  • Version 3 vs. Version 5
  • Enforcement
• Related Federal Action
  • Prospect of Legislation
  • Executive Order 13636
• Conclusion


Introduction

2003 Northeast Blackout


2007 Aurora Generator Test


2013 Metcalf Attack


Background

Federal Energy Regulatory Commission


Energy Policy Act of 2005

• Federal Power Act Section 215, 16 U.S.C. § 824o:
  • Requires FERC to certify a single Electric Reliability Organization (ERO).
  • Requires the ERO to oversee reliability of the bulk-electric system in the lower 48 states by developing and enforcing mandatory reliability standards, subject to FERC approval, and to delegate enforcement responsibilities to organizations called Regional Entities.
  • Requires Regional Entities to identify and register users, owners and operators of the bulk-power system, which are then subject to the mandatory standards.
• Federal Power Act Section 316A, 16 U.S.C. § 825o-1: provides that any person who violates any provision of Part II of the Act or any rule or order thereunder shall be subject to a civil penalty of not more than $1,000,000 for each day that such violation continues.


Scope of FERC Jurisdiction — Facilities

[Diagram: FERC Jurisdiction; Bulk Power System]

Reliability Paradigm

FERC
  → Electric Reliability Organization (ERO): North American Electric Reliability Corporation (NERC)
    → Regional Entities (REs): TRE, MRO, NPCC, RFC, SERC, SPP, WECC, and FRCC
      → Users, Owners and Operators of the Bulk-Power System (Registered Entities)


Regional Entities


Registered Entities and Functions (As of 1/31/14)

RE      Reg. Ent.   BA   DP   GO  GOP   IA  LSE   PA  PSE   RC   RP  RSG   TO  TOP   TP  TSP  Total functions
FRCC           69   10   27   31   31   10   19   13   26    0   15    1   24   16   13    8     244
MRO           134   20   54   52   52    5   58    6   74    3   34    2   40   21   24   12     457
NPCC          301    6   56  144  142    7   57    6   97    6    6    3   28   14   14   14     600
RFC           344   12   66  158  157    3   51    3  149    2   15    1   40   16   13    3     689
SERC          234   23   74  105   95   19   74   21   84    8   30    7   52   28   32   18     670
SPP           145   18   50   66   65    3   52    2   66    2   23    1   42   18   19    3     430
TRE           222    1   46  115   90    1   59    1   44    1    1    0   32   18   27    1     437
WECC          475   34  166  232  226    0  142   30  146    0   55    3   86   56   46   35    1257
Totals       1924  124  539  903  858   48  512   82  686   22  179   18  344  187  188   94    4784

Functions: BA = Balancing Authority, DP = Distribution Provider, GO = Generator Owner, GOP = Generator Operator, IA = Interchange Authority, LSE = Load Serving Entity, PA = Planning Authority, PSE = Purchasing Selling Entity, RC = Reliability Coordinator, RP = Resource Planner, RSG = Reserve Sharing Group, TO = Transmission Owner, TOP = Transmission Operator, TP = Transmission Planner, TSP = Transmission Service Provider.


Scope of FERC Jurisdiction — Entities

[Diagram: FERC Traditional Jurisdiction -- Investor-Owned Utilities; Army Corps of Engineers]

Reliability Standards Development

• NERC staff develops continent-wide standards, with the participation of stakeholders from ten industry segments. They do this through an iterative process informed by the protocols used by the American National Standards Institute (ANSI).
• The NERC Board of Trustees (BOT) reviews proposed standards and, if it agrees, submits them to FERC.
• FERC approves proposed standards, in rulemakings in which anyone may participate and comment, or remands disapproved standards to NERC. FERC may NOT modify a proposed standard.


Mandatory Reliability Standards
http://www.nerc.com/pa/Stand/Reliability%20Standards%20Complete%20Set/RSCompleteSet.pdf

• Resource and Demand Balancing (BAL)

• Communications (COM)

• Critical Infrastructure Protection (CIP)

• Emergency Preparedness and Operations (EOP)

• Facilities Design, Connections, and Maintenance (FAC)

• Interchange Scheduling and Coordination (INT)

• Interconnection Reliability Operations and Coordination (IRO)

• Modeling, Data and Analysis (MOD)

• Nuclear (NUC)

• Personnel Performance, Training and Qualifications (PER)

• Protection and Control (PRC)

• Transmission Operations (TOP)

• Transmission Planning (TPL)

• Voltage and Reactive (VAR)


CIP Cyber Security Standards

CIP Standards Development

• FERC Approval Process (milestones for all versions)
  • Order No. 693 (2007) (CIP-001-1) (now part of EOP-004 – Event Reporting)
  • Order No. 706 (2008) (CIP-002-1 to CIP-009-1)
  • Unnumbered order (2009) (CIPv2)
  • Unnumbered order (2010) (CIPv3) [currently effective version]
  • Order No. 761 (2012) (CIPv4) [rescinded by Order No. 791]
  • Order No. 791 (November 2013) (CIP-002-5 to CIP-009-5, CIP-010-1 and CIP-011-1) [to become effective in April 2016] (rehearing pending)
• NERC Standards Development Process (for CIPv5)
  • Standards Authorization Request (SAR) posted for comment (March 2008)
  • Standards Committee authorized moving the SAR forward to standard development (July 2008)
  • First posting for 60-day formal comment period and concurrent ballot (November 2011)
  • Second posting for 40-day formal comment period and concurrent ballot (April 2012)
  • Third posting for 30-day formal comment period and concurrent ballot (September 2012)
  • NERC BOT adoption (December 2012)
  • NERC submission to FERC (January 2013)


CIP-002: Identification of Critical Cyber Assets (CCAs)

• Currently effective version: A critical cyber asset (CCA) is a cyber asset essential to the reliable operation of critical assets, where cyber assets refer to "programmable electronic devices and communication networks including hardware, software, and data" and critical assets refer to "facilities, systems and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System."
• CIPv5 modification: A BES Cyber Asset is a Cyber Asset that "if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System."


CIP-003: Security Management Controls

• Current version: A responsible entity must develop and implement security management controls to protect CCAs.
• CIPv5 modification: The CIP Senior Manager of the responsible entity must approve the documented cyber security policies related to the remaining standards, thereby representing management's commitment and ability to secure the responsible entity's CCAs, and must review and approve the cyber security policy at least once every 15 calendar months.


CIP-004: Personnel and Training

• Current version: Personnel with access to CCAs must have identity verification, a criminal check, and employee training.
• CIPv5 modification: A responsible entity must have documented processes or programs for security awareness, cyber security training, personnel risk assessment, and access management, including training on visitor control programs, on the electronic interconnectivity supporting the operation and control of BES Cyber Systems, and on storage media, and a seven-year criminal history check covering all locations where the individual has resided for six consecutive months. In addition, the responsible entity must revoke a terminated employee's access concurrent with his or her termination, to be completed within 24 hours.


CIP-005: Electronic Security Perimeters (ESP)

• Current version: An electronic security perimeter and its access points must be identified and protected, where the perimeter encompasses the CCAs.
• CIPv5 modification: A responsible entity must ensure that all cyber assets connected to a network via a routable protocol reside within a defined ESP and that all external routable connectivity is through an identified electronic access point.
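The two CIPv5 conditions above are mechanically checkable against an inventory. The following Python script is an added illustration, not part of the presentation and not NERC or FERC tooling: it takes a constructed inventory of hypothetical assets, ESP address ranges, Electronic Access Points (EAPs) and observed inbound flows, and flags (a) any routable-connected asset that sits outside every defined ESP and (b) any flow that enters an ESP without terminating on an EAP identified for that ESP. All names, addresses, and flows are constructed for the example; a device with no address (serial-only) is skipped, since the requirement is scoped to routable protocols.

```python
import ipaddress

# Constructed inventory of hypothetical Cyber Assets: name -> routable address,
# or None for a device that speaks only a non-routable (serial) protocol.
ASSETS = {
    "scada-hmi-01": "10.20.1.10",
    "rtu-substation-a": "10.20.1.50",
    "historian-01": "10.30.2.5",     # routable, but inside no defined ESP
    "relay-serial-07": None,         # serial-only: no routable connectivity
}

# Defined ESPs as address ranges (hypothetical).
ESPS = {
    "ESP-control-center": ["10.20.1.0/24"],
    "ESP-substation-b": ["10.20.2.0/24"],
}

# Identified EAPs and the ESP each one is the access point for (hypothetical).
EAPS = {
    "fw-cc-01": "ESP-control-center",
    "fw-sub-b-01": "ESP-substation-b",
}

# Constructed sample of observed inbound flows: (src, dst, device that
# terminated the flow, or None when no perimeter device was involved).
FLOWS = [
    ("192.0.2.15", "10.20.1.10", "fw-cc-01"),      # enters via the ESP's EAP: fine
    ("192.0.2.15", "10.20.1.50", "modem-rtu-a"),   # dial-in modem bypasses the EAP
    ("10.20.1.10", "10.20.1.50", None),            # intra-ESP traffic: not external
]


def esp_for(ip):
    """Name of the ESP whose address range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in ESPS.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return None


def check_asset_membership(assets=ASSETS):
    """Every Cyber Asset with a routable address must reside in a defined ESP."""
    findings = []
    for name, ip in assets.items():
        if ip is None:
            continue  # non-routable device: outside the scope of this check
        if esp_for(ip) is None:
            findings.append(f"{name} ({ip}) is routable but outside every defined ESP")
    return findings


def check_external_access(flows=FLOWS, eaps=EAPS):
    """External routable connectivity into an ESP must pass through that ESP's EAP."""
    findings = []
    for src, dst, via in flows:
        dst_esp = esp_for(dst)
        if dst_esp is None or esp_for(src) == dst_esp:
            continue  # not a connection from outside the ESP into it
        if eaps.get(via) != dst_esp:
            findings.append(
                f"{src} -> {dst} entered {dst_esp} via '{via}', "
                f"which is not an identified EAP of that ESP"
            )
    return findings


if __name__ == "__main__":
    for line in check_asset_membership() + check_external_access():
        print("FINDING:", line)
```

Run on the constructed data, the script reports the historian that was never placed in an ESP and the modem connection that reaches the RTU without crossing the firewall. In practice the asset list and flow records would come from the entity's inventory and its firewall or NetFlow logs; the same two functions apply unchanged.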


CIP-006: Physical Security of Critical Cyber Assets

• Current version: A responsible entity must create and maintain a physical security plan that ensures that all cyber assets within an electronic security perimeter are kept in an identified physical security perimeter.
• CIPv5 modification: The responsible entity must ensure that physical access to all BES Cyber Systems is restricted and appropriately managed to protect BES Cyber Systems against compromise that could lead to misoperation or instability. To this end, among other things, it must issue an alarm or alert for detected unauthorized physical access within 15 minutes of detection.


CIP-007: Systems Security Management

• Current version: A responsible entity must define methods, processes, and procedures for securing the systems identified as CCAs, as well as the non-critical cyber assets within an electronic security perimeter.
• CIPv5 modification: A responsible entity must adhere to specific technical, operational, and procedural requirements to protect BES Cyber Systems against compromise that could lead to misoperation or instability, e.g., by documenting how it addresses the malware risk for each BES Cyber System.


CIP-008: Incident Reporting and Response Planning

• Current version: A responsible entity must identify, classify, respond to, and report cyber security incidents related to CCAs.
• CIPv5 modification: The responsible entity must follow specific incident response requirements, e.g., by reporting Cyber Security Incidents within one hour of recognition, verifying response plan effectiveness and consistent application in responding to a Cyber Security Incident, providing for an after-action review for tests or actual incidents, and updating the Cyber Security Incident response plan based on the lessons learned.


CIP-009: Recovery Plans for Critical Cyber Assets

• Current version: A responsible entity must establish recovery plans for CCAs using established business continuity and disaster recovery techniques and practices.
• CIPv5 modification: A responsible entity must follow specific requirements regarding a recovery plan to support the continued stability, operability, and reliability of the BES, e.g., by having controls to protect data that would be useful in the investigation of an event that results in the execution of a Cyber System recovery plan.


CIP-010 and CIP-011

• CIP-010-1 – Cyber Security – Configuration Change Management and Vulnerability Assessments specifies configuration change management requirements to detect unauthorized modifications to BES Cyber Systems and to ensure proper implementation of cyber security controls, while promoting continuous improvement of a responsible entity's cyber security posture.
• CIP-011-1 – Cyber Security – Information Protection specifies information protection controls to prevent unauthorized access to BES Cyber System Information, and reuse and disposal provisions to prevent unauthorized dissemination of protected information.
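"Detect unauthorized modifications" in CIP-010 rests on a documented baseline configuration that later captures are compared against, with every deviation either matched to an authorized change record or raised as a finding. The Python below is an added illustration of that mechanism, not part of the presentation and not NERC or FERC tooling. It models one hypothetical BES Cyber System using the five baseline elements CIP-010-1 R1 names (operating system or firmware, commercial or open-source application software, custom software, logical network accessible ports, security patches applied); the baseline, the later capture, and the change record IDs are constructed for the example. The baseline is hashed in canonical form so that two captures of the same state always produce the same fingerprint regardless of the order in which ports or packages were enumerated.

```python
import hashlib
import json

# Constructed baseline for one hypothetical BES Cyber System, one entry per
# CIP-010 R1 baseline element.
BASELINE = {
    "os": "Windows Server 2008 R2 SP1",
    "software": ["scada-hmi 4.2", "sqlserver 2008"],
    "custom_software": ["alarm-forwarder 1.0"],
    "ports": [135, 445, 1433, 3389],
    "patches": ["KB2862335", "KB2876217"],
}

# Constructed capture of the same system some weeks later: a patch was applied,
# and a remote-access tool appeared together with the port it listens on.
CURRENT = {
    "os": "Windows Server 2008 R2 SP1",
    "software": ["scada-hmi 4.2", "sqlserver 2008", "teamviewer 9"],
    "custom_software": ["alarm-forwarder 1.0"],
    "ports": [135, 445, 1433, 3389, 5938],
    "patches": ["KB2862335", "KB2876217", "KB2893294"],
}

# Change records approved before the change was made (hypothetical ticket IDs),
# each listing the baseline elements it authorized to change.
APPROVED = {"CHG-1042": ["patches"]}


def normalize(config):
    """Sort every list so enumeration order does not affect comparison."""
    return {k: sorted(v) if isinstance(v, list) else v for k, v in config.items()}


def fingerprint(config):
    """SHA-256 over the canonical JSON form of a baseline; store this with the
    baseline so a later capture can be checked without re-reading every item."""
    canon = json.dumps(normalize(config), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def diff_baseline(baseline, current):
    """Return {element: (baseline_value, current_value)} for each changed element."""
    b, c = normalize(baseline), normalize(current)
    changes = {}
    for item in sorted(set(b) | set(c)):
        if b.get(item) != c.get(item):
            changes[item] = (b.get(item), c.get(item))
    return changes


def unauthorized_changes(baseline, current, approved):
    """Deviations not covered by any approved change record are the findings."""
    covered = {item for items in approved.values() for item in items}
    return {k: v for k, v in diff_baseline(baseline, current).items() if k not in covered}


if __name__ == "__main__":
    if fingerprint(BASELINE) != fingerprint(CURRENT):
        for item, (old, new) in unauthorized_changes(BASELINE, CURRENT, APPROVED).items():
            print(f"UNAUTHORIZED CHANGE to {item}: {old} -> {new}")
```

On the constructed data the patch is covered by the change record and is not reported, while the new application and its listening port are. Tying each approved record to specific baseline elements, rather than to the system as a whole, is what keeps an approved patch from silently authorizing an unrelated software install made in the same window.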


CIP Standards Enforcement

Enforcement Process

• Regions: follow NERC's Compliance Monitoring and Enforcement Program, which includes seven monitoring processes:
  • Compliance audits
  • Self-certification
  • Spot checking
  • Investigations
  • Self-reporting
  • Periodic data submittals
  • Complaints
• NERC: the Board of Trustees (BOT) Compliance Committee reviews all proposed remedies from the Regions and submits approved ones to FERC in filings called Notices of Penalty (NOPs).
• FERC: must act within 30 days on an NOP or the proposed remedy becomes effective by operation of law, but FERC may suspend the period by affirmative action.


Enforcement Statistics

• NOPs (2008-2013): 673.
• Number of violations reported in NOPs (6/4/08-1/31/14): 5,240.
• FERC enforcement settlements: seven (but only one involved an alleged violation of a CIP standard).
• Penalties: $36,420,622 (through NOPs) and $31,200,000 (through FERC enforcement settlements). Penalties associated with CIP violations (through NOPs): $16,366,829, or 45% of the NOP total.
• Most violated standards: the CIP standards, even though the CIP standards are only 1/10 of the total number of mandatory standards.


Most Violated Standards (2012 and 2013)

[Bar chart: number of violations in 2012 and in 2013 for each of CIP-007, CIP-006, CIP-005, PRC-005, CIP-004, CIP-002, CIP-003, VAR-002, CIP-009 and FAC-008; vertical axis 0 to 450]

Related Federal Action

Possible Cyber Legislation

• Background: U.S. Department of Energy Inspector General's January 2011 audit report on FERC's "Monitoring of Power Grid Cyber Security"
  • Raised concerns about the adequacy of, and the implementation and schedule for, the CIP standards, and concluded that these problems exist in part because FERC's authority to ensure adequate BES reliability is limited.
  • Recommended that additional authority be granted to FERC to ensure adequate BES cyber security.
• Prospects: little to none in the 113th Congress.
• Latest focus: physical security, as reflected in the 2/7/14 letter to FERC and NERC from four U.S. Senators concerned about incidents like Metcalf.


E.O. 13636 (February 2013)

• Established new information sharing between the private and public sectors, providing classified and unclassified threat information to U.S. companies.
• Required federal agencies to produce unclassified reports of threats to U.S. companies and to share the reports in a timely manner.
• Opened up a real-time information sharing program, currently open to the defense industry, to other sectors.
• Directed the National Institute of Standards and Technology (NIST), a federal agency, to develop a new cyber security framework to reduce cyber risks to critical infrastructure, and required NIST to publish a preliminary version of the framework within 240 days of the Executive Order and a final version one year after the Executive Order.
• Called on agencies to incorporate privacy and civil liberties safeguards, based in part on the Fair Information Practice Principles, into their cyber security efforts, and required agencies to conduct regular, public assessments of their privacy and civil liberties standards.


Conclusion

Questions?

Thank you.