[Federal Register Volume 79, Number 141 (Wednesday, July 23, 2014)]
[Proposed Rules]
[Pages 42734-42743]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-17231]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
Federal Energy Regulatory Commission
18 CFR Part 40
[Docket No. RM14-15-000]
Physical Security Reliability Standard
AGENCY: Federal Energy Regulatory Commission.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: Pursuant to the section regarding Electric Reliability of the
Federal Power Act, the Federal Energy Regulatory Commission
(Commission) proposes to approve Reliability Standard CIP-014-1
(Physical Security). The North American Electric Reliability
Corporation, the Commission-certified Electric Reliability
Organization, submitted the proposed Reliability Standard for
Commission approval in response to a Commission order issued on March
7, 2014. The purpose of proposed Reliability Standard CIP-014-1 is to
enhance physical security measures for the most critical Bulk-Power
System facilities and thereby lessen the overall vulnerability of the
Bulk-Power System against physical attacks. The Commission proposes to
approve Reliability Standard CIP-014-1. In addition, the Commission
proposes to direct NERC to develop two modifications to the physical
security Reliability Standard and seeks comment on other issues.
DATES: Comments are due September 8, 2014. Reply comments are due
September 22, 2014.
ADDRESSES: Comments, identified by docket number, may be filed in the
following ways:
Electronic Filing through http://www.ferc.gov/: Documents
created electronically using word processing software should be filed
in native applications or print-to-PDF format and not in a scanned
format.
Mail/Hand Delivery: Those unable to file electronically
may mail or hand-deliver comments to: Federal Energy Regulatory
Commission, Secretary of the Commission, 888 First Street NE.,
Washington, DC 20426.
Instructions: For detailed instructions on submitting comments and
additional information on the rulemaking process, see the Comment
Procedures Section of this document
FOR FURTHER INFORMATION CONTACT:
Regis Binder (Technical Information), Office of Electric Reliability,
Division of Reliability Standards and Security, Federal Energy
Regulatory Commission, 888 First Street NE., Washington, DC 20426,
Telephone: (301) 665-1601, [email protected].
Matthew Vlissides (Legal Information), Office of the General Counsel,
Federal Energy Regulatory Commission, 888 First Street NE., Washington,
DC 20426, Telephone: (202) 502-8408, [email protected].
SUPPLEMENTARY INFORMATION:
1. Pursuant to section 215 of the Federal Power Act (FPA), the
[[Page 42735]]
Commission proposes to approve Reliability Standard CIP-014-1 (Physical
Security). The North American Electric Reliability Corporation (NERC),
the Commission-certified Electric Reliability Organization (ERO),
submitted the proposed Reliability Standard for Commission approval in
response to a Commission order issued on March 7, 2014.\1\ The purpose
of the proposed Reliability Standard CIP-014-1 is to enhance physical
security measures for the most critical Bulk-Power System facilities
and thereby lessen the overall vulnerability of the Bulk-Power System
facilities against physical attacks. The Commission proposes to approve
Reliability Standard CIP-014-1. In addition, the Commission proposes to
direct NERC to develop two modifications to the physical security
Reliability Standard. Further, the Commission seeks comment on other
concerns regarding the proposed Reliability Standard, as discussed
below.
---------------------------------------------------------------------------
\1\ Reliability Standards for Physical Security Measures, 146
FERC ] 61,166 (2014) (March 7 Order).
---------------------------------------------------------------------------
I. Background
A. Section 215 and Mandatory Reliability Standards
2. Section 215 of the FPA requires the Commission to certify an ERO
to develop mandatory and enforceable Reliability Standards, subject to
Commission review and approval.\2\ Once approved, the Reliability
Standards may be enforced in the United States by the ERO, subject to
Commission oversight, or by the Commission independently.\3\
---------------------------------------------------------------------------
\2\ 16 U.S.C. 824o.
\3\ Id. 824o(e).
---------------------------------------------------------------------------
B. March 7 Order
3. In the March 7 Order, the Commission determined that physical
attacks on the Bulk-Power System could adversely impact the reliable
operation of the Bulk-Power System, resulting in instability,
uncontrolled separation, or cascading failures. Moreover, the
Commission observed that the current Reliability Standards do not
specifically require entities to take steps to reasonably protect
against physical security attacks on the Bulk-Power System.
Accordingly, to carry out section 215 of the FPA and to provide for the
reliable operation of the Bulk-Power System, the Commission directed
NERC, pursuant to FPA section 215(d)(5), to develop and file for
approval proposed Reliability Standards that address threats and
vulnerabilities to the physical security of critical facilities on the
Bulk-Power System.\4\
---------------------------------------------------------------------------
\4\ Id. 824o(d)(5).
---------------------------------------------------------------------------
4. The March 7 Order indicated that the Reliability Standards
should require owners or operators of the Bulk-Power System to take at
least three steps to address the risks that physical security attacks
pose to the reliable operation of the Bulk-Power System. Specifically,
the March 7 Order directed that: (1) The Reliability Standards should
require owners or operators of the Bulk-Power System to perform a risk
assessment of their systems to identify their ``critical facilities;''
(2) the Reliability Standards should require owners or operators of the
identified critical facilities to evaluate the potential threats and
vulnerabilities to those identified facilities; and (3) the Reliability
Standards should require those owners or operators of critical
facilities to develop and implement a security plan designed to protect
against attacks to those identified critical facilities based on the
assessment of the potential threats and vulnerabilities to their
physical security.
5. The March 7 Order stated that the risk assessment used by an
owner or operator to identify critical facilities should be verified by
an entity other than the owner or operator, such as by NERC, the
relevant Regional Entity, a reliability coordinator, or another
entity.\5\ In addition, the March 7 Order indicated that the
Reliability Standards should include a procedure for the verifying
entity, as well as the Commission, to add or remove facilities from an
owner's or operator's list of critical facilities.\6\ The March 7 Order
further stated that the determination of threats and vulnerabilities
and the security plan should be reviewed by NERC, the relevant Regional
Entity, the reliability coordinator, or another entity with appropriate
expertise.
---------------------------------------------------------------------------
\5\ March 7 Order, 146 FERC ] 61,166 at P 11.
\6\ Id.
---------------------------------------------------------------------------
6. The March 7 Order stated that, because the three steps of
compliance with the contemplated Reliability Standards could contain
sensitive or confidential information that, if released to the public,
could jeopardize the reliable operation of the Bulk-Power System, NERC
should include in the Reliability Standards a procedure that will
ensure confidential treatment of sensitive or confidential information
but still allow for the Commission, NERC and the Regional Entities to
review and inspect any information that is needed to ensure compliance
with the Reliability Standards.
7. The Commission directed NERC to submit the proposed Reliability
Standards to the Commission for approval within 90 days of issuance of
the March 7 Order (i.e., June 5, 2014).
C. NERC Petition
8. On May 23, 2014, NERC petitioned the Commission to approve
proposed Reliability Standard CIP-014-1 and its associated violation
risk factors and violation severity levels, implementation plan, and
effective date.\7\ NERC maintains that the proposed Reliability
Standard is just, reasonable, not unduly discriminatory, or
preferential, and in the public interest. In addition, NERC asserts
that the proposed Reliability Standard complies with the Commission's
directives in the March 7 Order.
---------------------------------------------------------------------------
\7\ NERC explains that, to meet the 90-day deadline in the March
7 Order, the NERC Standards Committee approved waivers to the
Standard Processes Manual to shorten the comment and ballot periods
for the Standards Authorization Request and draft Reliability
Standard. NERC Petition at 13-14. Proposed Reliability Standard CIP-
014-1 is not attached to the notice of proposed rulemaking. The
complete text of proposed Reliability Standard CIP-014-1 is
available on the Commission's eLibrary document retrieval system in
Docket No. RM14-15-000 and is posted on the ERO's Web site,
available at http://www.nerc.com.
---------------------------------------------------------------------------
9. NERC explains that proposed Reliability Standard CIP-014-1
``serves the vital reliability goal of enhancing physical security
measures for the most critical Bulk-Power System facilities and
lessening the overall vulnerability of the Bulk-Power System to
physical attacks.'' \8\ NERC maintains that the ``appropriate focus of
the proposed Reliability Standard is Transmission stations and
Transmission substations, which are uniquely essential elements of the
Bulk-Power System.'' \9\ The proposed Reliability Standard is
applicable to transmission owners that satisfy the Applicability
Sections 4.1.1.1, 4.1.1.2, 4.1.1.3, or 4.1.1.4 and to transmission
operators. NERC states that the transmission facilities covered by
Applicability Sections 4.1.1.1 through 4.1.1.4 match the ``Medium
Impact'' transmission facilities listed in Attachment 1 of Reliability
Standard
[[Page 42736]]
CIP-002-5.1.\10\ According to NERC, the ``standard drafting team
determined that using the criteria for `Medium Impact' Transmission
Facilities set forth in Reliability Standard CIP-002-5.1 is an
appropriate applicability threshold as the Commission has acknowledged
that it is [ ] a technically sound basis for identifying Transmission
Facilities, which, if compromised, would present an elevated risk to
the Bulk-Power System.'' \11\
---------------------------------------------------------------------------
\8\ NERC Petition at 15-16.
\9\ Id. at 18. NERC states that, although the terms
``Transmission stations'' and ``Transmission substations'' are
sometimes used interchangeably, the proposed Reliability Standard
uses the term ``Transmission substation'' to refer to a facility
contained within a physical border (e.g., a fence or wall) that
contains one or more autotransformers. Id. According to NERC, the
term ``Transmission station,'' as used in the proposed Reliability
Standard, refers to a facility that functions as a switching station
or switchyard but does not contain autotransformers. Id. at 18-19.
\10\ Id. at 25 (citing Reliability Standard CIP-002-5.1 (Cyber
Security -- BES Cyber System Categorization), Attachment 1 (Impact
Rating Criteria)).
\11\ Id.
---------------------------------------------------------------------------
10. Proposed Reliability Standard CIP-014-1 has six requirements.
Requirement R1 requires applicable transmission owners to perform risk
assessments on a periodic basis to identify their transmission stations
and transmission substations that, if rendered inoperable or damaged,
could result in widespread instability, uncontrolled separation, or
cascading within an Interconnection. Requirement R1 also requires
transmission owners to identify the primary control center that
operationally controls each of the identified transmission stations or
transmission substations.
11. Requirement R2 requires that each applicable transmission owner
have an unaffiliated third party with appropriate experience verify the
risk assessment performed under Requirement R1. Requirement R2 states
that the transmission owner must either modify its identification of
facilities consistent with the verifier's recommendation or document
the technical basis for not doing so. In addition, Requirement R2
requires each transmission owner to implement procedures for protecting
sensitive or confidential information made available to third party
verifiers or developed under the proposed Reliability Standard from
public disclosure.
12. Requirement R3 requires the transmission owner to notify a
transmission operator that operationally controls a primary control
center identified under Requirement R1 of such identification to ensure
that the transmission operator has notice of the identification so that
it may timely fulfill its obligations under Requirements R4 and R5 to
protect the primary control center.
13. Requirement R4 requires each applicable transmission owner and
transmission operator to conduct an evaluation of the potential threats
and vulnerabilities of a physical attack on each of its respective
transmission stations, transmission substations, and primary control
centers identified as critical in Requirement R1.
14. Requirement R5 requires each transmission owner and
transmission operator to develop and implement documented physical
security plans that cover each of their respective transmission
stations, transmission substations, and primary control centers
identified as critical in Requirement R1.
15. Requirement R6 requires that each transmission owner and
transmission operator subject to Requirements R4 and R5 have an
unaffiliated third party with appropriate experience review its
Requirement R4 evaluation and Requirement R5 security plan. Requirement
R6 states that the transmission owner or transmission operator must
either modify its evaluation and security plan consistent with the
recommendation, if any, of the reviewer or document its reasons for not
doing so.
II. Discussion
16. Pursuant to FPA section 215(d)(2), we propose to approve
proposed Reliability Standard CIP-014-1 as just, reasonable, not unduly
discriminatory or preferential, and in the public interest. In
addition, the Commission proposes to approve the violation risk
factors, violation severity levels, implementation plan, and effective
date proposed by NERC.
17. The proposed Reliability Standard CIP-014-1 largely satisfies
the directives in the March 7 Order concerning the development and
submittal of proposed physical security Reliability Standards. However,
as discussed below, the Commission proposes to direct NERC to develop a
modification to the physical security Reliability Standard to allow
applicable governmental authorities (i.e., the Commission and any other
appropriate federal or provincial authorities) to add or subtract
facilities from an applicable entity's list of critical facilities
under Requirement R1. The Commission also proposes to direct NERC to
modify the physical security Reliability Standard to remove the term
``widespread.''
18. In addition to the proposed modifications to the physical
security Reliability Standard, the Commission proposes to direct NERC
to make an informational filing within six months of the effective date
of a final rule in this proceeding addressing the possibility that, as
described below, proposed Reliability Standard CIP-014-1 may not
provide physical security for all ``High Impact'' control centers, as
that term is defined in Reliability Standard CIP-002-5.1, necessary for
the reliable operation of the Bulk-Power System. The Commission also
proposes to direct NERC to make an informational filing within one year
of the effective date of a final rule in this proceeding addressing
possible resiliency measures that can be taken to maintain the reliable
operation of the Bulk-Power System following the loss of critical
facilities.
19. Below, the Commission discusses and seeks comment from NERC and
interested entities on the following issues: (A) Providing for
applicable governmental authorities to add or subtract facilities from
an entity's list of critical facilities; (B) the standard for
identifying critical facilities; (C) control centers; (D) exclusion of
generators from the applicability section of the proposed Reliability
Standard; (E) third-party recommendations; (F) resiliency; (G)
violation risk factors and violation severity levels; and (H)
implementation plan and effective date.
A. Applicable Governmental Authority's Ability To Add or Subtract
Facilities From an Entity's List of Critical Facilities
March 7 Order
20. In the March 7 Order, the Commission stated that:
[T]he risk assessment used by an owner or operator to identify
critical facilities should be verified by an entity other than the
owner or operator. Such verification could be performed by NERC, the
relevant Regional Entity, a Reliability Coordinator, or another
entity. The Reliability Standards should include a procedure for the
verifying entity, as well as the Commission, to add or remove
facilities from an owner's or operator's list of critical
facilities. Similarly, the determination of threats and
vulnerabilities and the security plan should also be reviewed by
NERC, the relevant Regional Entity, the Reliability Coordinator, or
another entity with appropriate expertise. Finally, the Reliability
Standards should require that the identification of the critical
facilities, the assessment of the potential risks and
vulnerabilities, and the security plans be periodically reevaluated
and revised to ensure their continued effectiveness. NERC should
establish a timeline for when such reevaluations should occur.\12\
---------------------------------------------------------------------------
\12\ March 7 Order, 146 FERC ] 61,166 at P 11.
---------------------------------------------------------------------------
NERC Petition
21. The proposed Reliability Standard does not include a procedure
that allows the Commission to add or subtract facilities from an
applicable entity's list of critical facilities under Requirement R1.
Instead, NERC states that the Commission has the existing authority to
enforce NERC Reliability Standards pursuant to FPA section
[[Page 42737]]
215(e)(3).\13\ NERC explains that a transmission owner must be able to
demonstrate that its method for performing its risk assessment under
Requirement R1 ``was technically sound and reasonably designed to
identify its critical Transmission stations and Transmission
substations.'' \14\ NERC maintains that if ``in the course of assessing
an entity's compliance with the proposed Reliability Standard, NERC, a
Regional Entity or [the Commission] finds that the entity's
transmission analysis was patently deficient and that the Requirement
R2 verification process did not cure those deficiencies, they could use
their enforcement authority to compel Transmission Owners to re-perform
the risk assessment using assumptions designed to identify the
appropriate critical facilities.'' \15\
---------------------------------------------------------------------------
\13\ NERC Petition at 37.
\14\ Id.
\15\ Id.
---------------------------------------------------------------------------
Discussion
22. The proposed Reliability Standard does not include a procedure
that allows the Commission to add or subtract facilities from an
applicable entity's list of critical facilities. Accordingly, if the
Commission determines through an audit of an applicable entity, or
through some other means, that a critical facility does not appear on
the entity's list of critical facilities, there is no provision in the
proposed Reliability Standard to allow the Commission to require its
inclusion. We agree with NERC that failure to identify a critical
facility would be a violation of Requirement R1, and thus could subject
the relevant applicable entity to compliance or enforcement actions.
However, we believe that NERC's proposal is not an equally efficient or
effective alternative to the directive in the March 7 Order. While the
Commission anticipates that we would exercise such authority only
rarely, we propose to direct NERC to modify the physical security
Reliability Standard to include a procedure that would allow applicable
governmental authorities to add or subtract facilities from an
applicable entity's list of critical facilities.
23. As discussed above, we agree with NERC that an applicable
entity's failure to develop an appropriate list of critical facilities
consistent with Requirement R1, even if the list is verified by a
third-party under Requirement R2, constitutes non-compliance with
Requirement R1. According to NERC, the corrective action for non-
compliance would be to require the applicable entity to correct and
repeat the Requirement R1 assessment, with the expectation that the
omitted facility would then be assessed as critical. While NERC appears
to expect that correcting and re-performing the assessment would result
in the applicable entity adding to its critical facilities list the
previously omitted facility or facilities that the Commission thought
critical, there is no guarantee that would happen in a timely manner,
if at all. We are concerned that, as currently proposed, the
Commission, NERC, or Regional Entities cannot ``effectively require
Transmission Owners to add or remove facilities'' under Requirement
R1.\16\ Accordingly, we propose to determine that NERC's proposal does
not satisfy the directive in the March 7 Order, either directly or in
an equally efficient and effective manner. We therefore propose to
direct that NERC develop a modification to the physical security
Reliability Standard to include a procedure that would allow applicable
governmental authorities, i.e., the Commission and any other
appropriate federal or provincial authorities, to add or subtract
facilities from an applicable entity's list of critical facilities.
---------------------------------------------------------------------------
\16\ Id.
---------------------------------------------------------------------------
24. The Commission seeks comment on this proposed directive.
B. Standard for Identifying Critical Facilities
March 7 Order
25. The March 7 Order stated that a critical facility is ``one
that, if rendered inoperable or damaged, could have a critical impact
on the operation of the interconnection through instability,
uncontrolled separation or cascading failures on the Bulk-Power
System.'' \17\
---------------------------------------------------------------------------
\17\ March 7 Order, 146 FERC ] 61,166 at P 6.
---------------------------------------------------------------------------
NERC Petition
26. The proposed Reliability Standard states that its purpose is to
``identify and protect Transmission stations and Transmission
substations, and their associated primary control centers, that if
rendered inoperable or damaged as a result of a physical attack could
result in widespread instability, uncontrolled separation, or Cascading
within an Interconnection.'' Requirement R1 of the proposed Reliability
Standard states that the ``initial and subsequent risk assessments
shall consist of a transmission analysis or transmission analyses
designed to identify the Transmission station(s) and Transmission
substation(s) that if rendered inoperable or damaged could result in
widespread instability, uncontrolled separation, or Cascading within an
Interconnection.'' In the technical guidance document appended to the
proposed Reliability Standard, which is intended to assist applicable
entities to identify critical facilities under Requirement R1, NERC
indicates that, in performing its risk assessment to identify critical
transmission stations and transmission substations, ``[a]n entity could
remove all lines, without regard to the voltage level, to a single
Transmission station or Transmission substation and review the
simulation results to assess system behavior to determine if Cascading
of Transmission Facilities, uncontrolled separation, or voltage or
frequency instability is likely to occur over a significant area of the
Interconnection.'' \18\ The NERC petition also uses the term
``uncontrollable impact'' to describe the scope of the proposed
Reliability Standard.\19\
---------------------------------------------------------------------------
\18\ NERC Petition, Exhibit A (Proposed Reliability Standard) at
23.
\19\ NERC Petition at 22.
---------------------------------------------------------------------------
Discussion
27. The Commission proposes to direct NERC to modify the physical
security Reliability Standard to remove the term ``widespread'' as it
appears in the proposed Reliability Standard in the phrase ``widespread
instability.'' The phrase ``widespread instability'' is undefined by
NERC and is inconsistent with the March 7 Order's explanation of
``critical facility'' and the definition of ``reliable operation'' in
FPA section 215(a)(4).\20\
---------------------------------------------------------------------------
\20\ ``[A facility] that, if rendered inoperable or damaged,
could have a critical impact on the operation of the interconnection
through instability, uncontrolled separation or cascading failures
on the Bulk-Power System.'' March 7 Order, 146 FERC ] 61,166 at P 6;
16 U.S.C. 824o(a)(4) (``The term `reliable operation' means
operating the elements of the bulk-power system within equipment and
electric system thermal, voltage, and stability limits so that
instability, uncontrolled separation, or cascading failures of such
system will not occur as a result of a sudden disturbance, including
a cybersecurity incident, or unanticipated failure of system
elements.'').
---------------------------------------------------------------------------
28. The phrase ``widespread instability'' in Requirement R1 could,
depending on the meaning of ``widespread,'' narrow the scope (and
number) of identified critical facilities under the proposed
Reliability Standard beyond what was contemplated in the March 7 Order.
The March 7 Order required the identification of facilities whose loss
could result in instability, uncontrolled separation, or cascading
failures, which is consistent with the definition of ``reliable
operation'' in FPA section 215(a)(4). The term ``widespread'' is
undefined and could potentially render the Reliability Standard
unenforceable or could lead to an inadequate level of reliability by
[[Page 42738]]
omitting facilities that are critical to the reliable operation of the
Bulk-Power System.
29. Accordingly, pursuant to section 215(d)(5) of the FPA, we
propose to direct that NERC develop a modification to Reliability
Standard CIP-014-1 to remove the term ``widespread'' as it appears in
the proposed standard in the phrase ``widespread instability.'' The
Commission seeks comment on this proposal.
C. Control Centers
March 7 Order
30. The March 7 Order stated that a ``critical facility is one
that, if rendered inoperable or damaged, could have a critical impact
on the operation of the interconnection through instability,
uncontrolled separation or cascading failures on the Bulk-Power
System.'' \21\ The March 7 Order, while not mandating that a minimum
number of facilities be deemed critical under the physical security
Reliability Standards, explained that the ``Commission expects that
critical facilities generally will include, but not be limited to,
critical substations and critical control centers.'' \22\
---------------------------------------------------------------------------
\21\ March 7 Order, 146 FERC ] 61,166 at P 6.
\22\ Id. P 6, n.6.
---------------------------------------------------------------------------
NERC Petition
31. NERC states that the proposed Reliability Standard addresses
the protection of primary control centers, which NERC defines as
facilities that ``operationally control[] a Transmission station or
Transmission substation when the electronic actions from the control
center can cause direct physical actions at the identified Transmission
station or Transmission substation, such as opening a breaker.'' \23\
---------------------------------------------------------------------------
\23\ NERC Petition at 19.
---------------------------------------------------------------------------
32. NERC maintains that ``[c]ontrol centers that provide back-up
capability and control centers that cannot operationally control a
critical Transmission station or Transmission substation do not present
similar direct risks to Real-time operations if they are the target of
a physical attack,'' and thus they are not covered by the proposed
Reliability Standard.\24\ NERC explains that the destruction of a back-
up control center would ``have no direct reliability impact in Real-
time as the entity can continue operating . . . from its primary
control center.'' \25\ With respect to control centers that do not
physically operate Bulk-Power System facilities, such as control
centers operated by reliability coordinators, NERC states that, while
``certain monitoring and oversight capabilities might be lost as a
result of a physical attack on such control centers, the Transmission
Owner or Transmission Operator that operationally controls the critical
Transmission station or Transmission substation would be able to
continue operating its transmission system to prevent widespread
instability, uncontrolled separation, or Cascading within an
Interconnection.'' \26\
---------------------------------------------------------------------------
\24\ Id.
\25\ Id. at 20.
\26\ Id. at 20-21.
---------------------------------------------------------------------------
33. NERC acknowledges that certain control centers categorized as
``High Impact'' or ``Medium Impact'' under Reliability Standard CIP-
002-5.1 (Cyber Security--BES Cyber System Categorization) would not be
covered control centers under the proposed Reliability Standard.\27\
NERC explains that this:
---------------------------------------------------------------------------
\27\ Reliability Standard CIP-002-5.1 (Cyber Security--BES Cyber
System Categorization), Attachment 1 (Impact Rating Criteria).
Reflects the different nature of cyber security risks and
physical security risks at control centers . . . [a] primary cyber
security concern for control centers is the corruption of data or
information and the potential for operators to take action based on
corrupted data or information . . . [and] [t]his concern exists at
control centers that operationally control Bulk-Power System
facilities and those that do not. As such, there is no distinction
in CIP-002-5.1 between these control centers . . . however, such a
distinction is appropriate in the physical security context.\28\
---------------------------------------------------------------------------
\28\ Id. at 22 n.55.
34. NERC points out that Reliability Standard CIP-006-5 already
requires physical security protections that are ``designed to restrict
physical access to locations containing High and Medium Impact Cyber
Systems,'' which include control centers and backup control centers for
reliability coordinators, balancing authorities, transmission operators
and generation operators irrespective of their ability to operationally
control Bulk-Power System facilities.\29\
---------------------------------------------------------------------------
\29\ Id. at 21.
---------------------------------------------------------------------------
Discussion
35. The Commission proposes to direct NERC to make an informational
filing within six months of the effective date of a final rule in this
proceeding indicating whether the development of Reliability Standards
that provide physical security for all ``High Impact'' control centers,
as that term is defined in Reliability Standard CIP-002-5.1, is
necessary for the reliable operation of the Bulk-Power System.
36. Proposed Reliability Standard CIP-014-1, Requirement R1.2
requires applicable transmission owners to ``identify the primary
control center that operationally controls each Transmission station or
Transmission substation identified in the Requirement R1 risk
assessment.'' Thus the proposed Reliability Standard, while addressing
transmission owners' primary control centers, does not encompass
transmission owner back-up control centers or any control centers owned
or operated by other functional entity types, such as reliability
coordinators, balancing authorities, and generator operators.
37. Primary and back-up control centers of functional entities
other than transmission owners and operators identified as ``High
Impact'' may warrant assessment and physical security controls under
this Reliability Standard because a successful attack could prevent or
impair situational awareness, especially from a wide-area perspective,
or could allow attackers to distribute misleading and potentially
harmful data and operating instructions that could result in
instability, uncontrolled separation, or cascading failures.
38. NERC's petition recognizes that Reliability Standard CIP-006-5
(Cyber Security--Physical Security of BES Cyber Systems) already
requires certain physical security protections for applicable primary
and backup control centers of reliability coordinators, balancing
authorities, transmission operators, and generator operators.
Reliability Standard CIP-006-5 applies to primary and backup control
centers containing BES Cyber Systems that are ``High Impact'' or
``Medium Impact,'' as defined in Reliability Standard CIP-002-5.1,
Attachment 1. ``High Impact'' facilities include the control centers
and backup control centers of reliability coordinators and certain
balancing authorities, transmission operators, and generator operators.
The ``Medium Impact'' categorization applies to all transmission
operator primary and backup control centers not categorized as ``High
Impact'' and to primary and backup control centers for certain
generator operators and balancing authorities.
39. The proposed informational filing should address whether there
is a need for consistent treatment of ``High Impact'' control centers
for cybersecurity and physical security purposes through the
development of Reliability Standards that afford physical protection to
all ``High Impact'' control centers. The Commission notes that the
development of physical security protections for all ``High Impact''
control centers would not be
[[Page 42739]]
without precedent because, as noted above, Reliability Standard CIP-
006-5 already requires that ``High Impact'' control centers have some
physical protections, including restrictions on physical access, to
protect BES Cyber Assets. However, the security measures required by
Reliability Standard CIP-006-5 may not be comparable to those required
by proposed Reliability Standard CIP-014-1, and thus may not be
sufficient to ``deter, detect, delay, assess, communicate, and respond
to potential threats and vulnerabilities'' as required in Requirement
R5 of the proposed Reliability Standard. Further, Reliability Standard
CIP-006-5 does not require an ``unaffiliated third party review'' of
the evaluation and security plan required by proposed Reliability
Standard CIP-014-1.
40. The Commission seeks comment on this proposal.
D. Generators
March 7 Order
41. The March 7 Order did not direct NERC to make the physical
security Reliability Standards applicable to specific functional entity
types. The March 7 Order stated that ``some of the requirements imposed
by these newly proposed Reliability Standards may best be performed by
the owner and other activity may best be performed by the operator,''
and that NERC should clearly indicate which entity is responsible for
each requirement.\30\ With regard to the applicable types of
facilities, the Commission stated that it ``is not requiring NERC to
adopt a specific type of risk assessment, nor is the Commission
requiring that a mandatory number of facilities be identified as
critical facilities under the Reliability Standards.'' \31\
---------------------------------------------------------------------------
\30\ March 7 Order, 146 FERC ] 61,166 at P 6, n.4.
\31\ Id. P 6.
---------------------------------------------------------------------------
NERC Petition
42. In explaining why the proposed Reliability Standard does not
include generator owners and generator operators as applicable
entities, the standard drafting team found that:
It was not necessary to include Generator Operators and
Generator Owners in the Reliability Standard. First, Transmission
stations or Transmission substations interconnecting generation
facilities are considered when determining applicability.
Transmission Owners will consider those Transmission stations and
Transmission substations that include a Transmission station on the
high side of the Generator Step-up transformer (GSU) using
Applicability Section 4.1.1.1 and 4.1.1.2 . . . Second, the
transmission analysis or analyses conducted under Requirement R1
should take into account the impact of the loss of generation
connected to applicable Transmission stations or Transmission
substations. Additionally, the [Commission] order does not
explicitly mention generation assets and is reasonably understood to
focus on the most critical Transmission Facilities.\32\
\32\ NERC Petition, Exhibit A (Proposed Reliability Standard) at
23. The standard drafting team provided the following example: ``a
Transmission station or Transmission substation identified as a
Transmission Owner facility that interconnects generation will be
subject to the Requirement R1 risk assessment if it operates at 500
kV or greater or if it is connected at 200 kV-499 kV to three or
more other Transmission stations or Transmission substations and has
an `aggregate weighted value' exceeding 3000 according to the table
in Applicability Section 4.1.1.2.'' Id. at 23.
43. NERC explains that generator owners and generator operators
were not included in the applicability section because, ``while the
loss of a generator facility due to a physical attack may have local
reliability effects, the loss of the facility is unlikely to have the
widespread, uncontrollable impact'' contemplated in the March 7
Order.\33\ NERC maintains that a ``generation facility does not have
the same critical functionality as certain Transmission stations and
Transmission substations due to the limited size of generating plants,
the availability of other generation capacity connected to the grid,
and planned resilience of the transmission system to react to the loss
of a generation facility.'' \34\
---------------------------------------------------------------------------
\33\ NERC Petition at 22.
\34\ Id.
---------------------------------------------------------------------------
Discussion
44. The Commission proposes to approve the applicability section of
the proposed Reliability Standard without the inclusion of generator
owners and generator operators. Omitting generator owners and generator
operators from the applicability section is consistent with the March 7
Order. The March 7 Order explained that the ``number of facilities
identified as critical will be relatively small compared to the number
of facilities that comprise the Bulk-Power System.'' \35\ We affirm
this understanding and approach to physical security. The directive
from the March 7 Order was intended to fill a recognized gap in the
reliable operation of the Bulk-Power System. From that perspective, it
is reasonable to focus attention on the most critical facilities in
order to provide the most effective use of resources while adequately
addressing the identified reliability gap.
---------------------------------------------------------------------------
\35\ March 7 Order, 146 FERC ] 61,166 at P 12.
---------------------------------------------------------------------------
45. Accordingly, we propose to accept NERC's justification for
excluding generator owners and operators because it is in keeping with
the March 7 Order's focus on protecting the most critical facilities.
NERC explains that a generation facility ``does not have the same
critical functionality as certain Transmission stations and
Transmission substations due to the limited size of generating plants,
the availability of other generation capacity connected to the grid,
and planned resilience of the transmission system to react to the loss
of a generation facility.'' \36\ Also, as NERC points out, Requirement
R1 mandates a transmission analysis that accounts for transmission
owner or transmission operator-owned substations that connect
generating stations to the Bulk-Power System with step-up transformers.
The Commission seeks comment on this proposal. In addition, while we
propose to accept the applicability section of the proposed Reliability
Standard, we note that NERC's proposed omission of generator owners and
generator operators could potentially exempt substations owned or
operated by generators. The Commission seeks comment on the potential
reliability impact of excluding generator owned or operated
substations.
---------------------------------------------------------------------------
\36\ NERC Petition at 22.
---------------------------------------------------------------------------
E. Third-Party Recommendations
March 7 Order
46. In the March 7 Order, the Commission stated that ``the risk
assessment used by an owner or operator to identify critical facilities
should be verified by an entity other than the owner or operator . . .
[and] [s]imilarly, the determination of threats and vulnerabilities and
the security plan should also be reviewed by NERC, the relevant
Regional Entity, the Reliability Coordinator, or another entity with
appropriate expertise.'' \37\
---------------------------------------------------------------------------
\37\ March 7 Order, 146 FERC ] 61,166 at P 11.
---------------------------------------------------------------------------
NERC Petition
47. Requirement R2 of the proposed Reliability Standard requires
transmission owners to have their risk assessments verified by an
unaffiliated third party. Requirement R6, likewise, requires each
transmission owner and transmission operator to have its vulnerability
and threat assessment(s) along with its security plan(s) for any
critical facilities reviewed by an unaffiliated third party.
48. Regarding how an applicable entity is supposed to address any
recommendations by a third-party verifier, the proposed Reliability
Standard, in Requirement R2.3, states that the transmission owner must
either
[[Page 42740]]
(a) ``modify its identification . . . consistent with the
recommendation'' or (b) ``document the technical basis for not
modifying the identification in accordance with the recommendation.''
Similarly, Requirement R6.3 explains the procedure for considering any
recommendations from the reviewing entity as to the threat assessments
and security plans: the applicable entity must either (a) ``modify its
evaluation or security plan(s) consistent with the recommendation'' or
(b) ``document the reason(s) for not modifying the evaluation or
security plan(s) consistent with the recommendation.''
49. NERC states that ``[r]equiring documentation of the technical
basis for not modifying the identification in accordance with the
recommendation will help ensure that a Transmission Owner meaningfully
considers the verifier's recommendations and follows those
recommendations unless it can technically justify its reasons for not
doing so. To comply with Part 2.3, the technical justification must be
sound and based on acceptable approaches to conducting transmission
analyses.'' \38\ The NERC petition contains a similar explanation for
the third-party review (Requirement R6) of the threat assessments and
security plans mandated in Requirements R4 and R5.\39\
---------------------------------------------------------------------------
\38\ NERC Petition at 36.
\39\ Id. at 50.
---------------------------------------------------------------------------
Discussion
50. We propose to approve the proposed Reliability Standard,
including the third-party verification and review method proposed by
NERC in Requirements R2 and R6. Failure to provide a written,
technically justifiable reason for rejecting a third-party
recommendation would render the applicable entity non-compliant. With
that understanding, we propose to approve NERC's proposal regarding
third-party verification and review in Requirements R2 and R6 of the
proposed Reliability Standard as an equally efficient and effective
alternative to the directive in the March 7 Order.
51. The Commission seeks comment on this proposal.
F. Resiliency
March 7 Order
52. In the March 7 Order, the Commission stated that the
development of physical security Reliability Standards ``will help
provide for the resiliency and reliable operation of the Bulk-Power
System. To that end, the proposed Reliability Standards should allow
owners or operators to consider resiliency of the grid in the risk
assessment when identifying critical facilities, and the elements that
make up those facilities, such as transformers that typically require
significant time to repair or replace. As part of this process, owners
or operators may consider elements of resiliency such as how the system
is designed, operated, and maintained, and the sophistication of
recovery plans and inventory management.'' \40\
---------------------------------------------------------------------------
\40\ March 7 Order, 146 FERC ] 61,166 at P 7.
---------------------------------------------------------------------------
NERC Petition
53. The proposed Reliability Standard mentions resiliency in
Requirement R5, stating in Requirement R5.1 that the physical security
plans that entities develop shall include, among other attributes:
``Resiliency or security measures designed collectively to deter,
detect, delay, assess, communicate, and respond to potential physical
threats and vulnerabilities identified during the evaluation conducted
in Requirement R4.'' The NERC petition describes Requirement R5.1, with
regard to resiliency, as referring to ``steps an entity may take that,
while not specifically targeted as hardening the physical security of
the site, help to decrease the potential adverse impact of a physical
attack . . . including modifications to system topology or the
construction of a new Transmission station . . . that would lessen the
criticality of the facility.'' \41\
---------------------------------------------------------------------------
\41\ NERC Petition at 42.
---------------------------------------------------------------------------
Discussion
54. The NERC petition describes resiliency measures that could be
included in the required physical security plans. However, specific
resiliency measures are not required by the proposed Reliability
Standard, which is consistent with the March 7 Order. Instead, the
proposed Reliability Standard allows the security plans to be flexible
in order to meet different threats and protect varying Bulk-Power
System configurations.
55. Resiliency is as, or even more, important than physical
security given that physical security cannot protect against all
possible attacks. In the case of the loss of a substation, the Bulk-
Power System may depend on resiliency to minimize the impact of the
loss of facilities and restore blacked-out portions of the Bulk-Power
System as quickly as possible. Some entities may implement resiliency
measures rather than security measures, such as by adding facilities or
operating procedures that reduce or eliminate the importance of
existing critical facilities. Such measures could significantly improve
reliability and resiliency.
56. According to the NERC petition, the NERC Board of Trustees
expects NERC management to monitor and assess the implementation of the
proposed Reliability Standard on an ongoing basis.\42\ According to
NERC, this effort includes: The number of assets identified as critical
under the proposed Reliability Standard; the defining characteristics
of the assets identified as critical; the scope of security plans
(i.e., the types of security and resiliency measures contemplated under
the various security plans); the timelines included in the security
plan for implementing the security and resiliency measures; and
industry progress in implementing the proposed Reliability Standard.
NERC explains that this information could be used to provide regular
updates to Commission staff.\43\ The Commission proposes to rely on
NERC's ongoing assessment of the proposed Reliability Standard's
implementation and to require NERC to make such information available
to Commission staff upon request.
---------------------------------------------------------------------------
\42\ NERC Petition at 14-15.
\43\ Id.
---------------------------------------------------------------------------
57. In addition, the Commission proposes to direct NERC to submit
an informational filing that addresses the resiliency of the Bulk-Power
System when confronted with the loss of critical facilities. The
informational filing should explore what steps can be taken, in
addition to those required by the proposed Reliability Standard, to
maintain the reliable operation of the Bulk-Power System when faced
with the loss or degradation of critical facilities. In this regard, we
note that NERC issued a report on severe impact resilience in 2012.\44\
The filing proposed here could draw on NERC's 2012 report but should
also reflect subsequent work and development on this topic,
particularly non-confidential information regarding supply chain,
transporting and other logistical issues for equipment such as large
transformers. The Commission proposes to direct NERC to submit the
informational filing within one year after the effective date of the
final rule in this proceeding. The Commission seeks comment on this
proposal.
---------------------------------------------------------------------------
\44\ See NERC, Severe Impact Resilience: Considerations and
Recommendations (May 2012), available at http://www.nerc.com/comm/OC/SIRTF%20Related%20Files%20DL/SIRTF_Final_May_9_2012-Board_Accepted.pdf.
---------------------------------------------------------------------------
G. Violation Risk Factors and Violation Severity Levels
58. Each requirement of proposed Reliability Standard CIP-014-1
includes one violation risk factor and has an
[[Page 42741]]
associated set of at least one violation severity level. The ranges of
penalties for violations will be based on the sanctions table and
supporting penalty determination process described in the Commission-
approved NERC Sanction Guidelines, according to the NERC petition. The
Commission proposes to approve the proposed violation risk factors and
violation severity levels for the requirements proposed in Reliability
Standard CIP-014-1 as consistent with the Commission's established
guidelines.\45\
---------------------------------------------------------------------------
\45\ North American Electric Reliability Corp., 135 FERC ]
61,166 (2011).
---------------------------------------------------------------------------
H. Implementation Plan and Effective Date
59. The NERC petition proposes that proposed Reliability Standard
CIP-014-1 become effective the ``first day of the first calendar
quarter that is six months beyond the date that this standard is
approved by applicable regulatory authorities.'' In other words, the
effective date of the proposed Reliability Standard would be the first
day of the first calendar quarter that is six months after the
effective date of a final rule in this proceeding approving the
proposed Reliability Standard.\46\ NERC states that the initial risk
assessment required under Requirement R1 must be completed by or before
the effective date of the proposed Reliability Standard.\47\ As
described in the requirements of the proposed Reliability Standard,
NERC also identifies when Requirements R2, R3, R4, R5, and R6 must be
complied with following the effective date of the proposed Reliability
Standard. The Commission proposes to approve NERC's implementation plan
and effective date for proposed Reliability Standard CIP-014-1.
---------------------------------------------------------------------------
\46\ NERC Petition, Exhibit B (Implementation Plan) at 1.
\47\ Id.
---------------------------------------------------------------------------
III. Information Collection Statement
60. The Office of Management and Budget (OMB) regulations require
approval of certain information collection requirements imposed by
agency rules. Upon approval of a collection(s) of information, OMB will
assign an OMB control number and an expiration date. Respondents
subject to the filing requirements of an agency rule will not be
penalized for failing to respond to these collections of information
unless the collections of information display a valid OMB control
number. The Paperwork Reduction Act (PRA) requires each federal agency
to seek and obtain OMB approval before undertaking a collection of
information directed to ten or more persons, or contained in a rule of
general applicability.
61. The Commission is submitting these reporting requirements to
OMB for its review and approval under section 3507(d) of the PRA.
Comments are solicited on the Commission's need for this information,
whether the information will have practical utility, ways to enhance
the quality, utility, and clarity of the information to be collected,
and any suggested methods for minimizing the respondent's burden,
including the use of automated information techniques.
62. The Commission based its paperwork burden estimates on the NERC
compliance registry as of May 28, 2014. According to the registry,
there are 357 transmission owners and 197 transmission operators. The
NERC compliance registry also shows that there are only 19 transmission
operators that are not also registered as a transmission owner.
63. The following table shows the Commission's burden and cost
estimates, broken down by requirement and year:
----------------------------------------------------------------------------------------------------------------
Average burden
Requirements in reliability Number of Number of Total number hours and cost Total burden
standard CIP-014-1 over respondents responses per of responses per response hours and
respondent \48\ total cost
Years 1-3 (1) (2) (1)*(2)=(3) (4) (3)*(4)
----------------------------------------------------------------------------------------------------------------
Year 1:
R1.......................... 357 1 357 20 7,140
$1,220 $435,540
R2.......................... 357 1 357 34 12,138
$2,342 $836,094
R3.......................... 2 1 2 1 2
$128 $256
R4.......................... 32 1 32 80 2,560
$4,880 $156,160
R5.......................... 32 1 32 320 10,240
$19,520 $624,640
R6.......................... 32 1 32 304 9,728
$18,812 $601,984
Record Retention............ 359 1 359 2 718
$64 $22,976
Year 2:
Record Retention............ 359 1 359 2 718
$64 $22,976
Year 3:
R1.......................... 30 1 30 20 600
$1,220 $36,600
R2.......................... 30 1 30 34 1,029
$2,342 $70,260
R3.......................... 2 1 2 1 2
$128 $256
R4.......................... 32 1 32 80 2,560
$4,880 $156,160
R5.......................... 32 1 32 80 2,560
$4,880 $156,160
R6.......................... 32 1 32 134 4,288
$8,442 $270,144
[[Page 42742]]
Record Retention............ 359 1 359 2 718
$64 $22,976
-------------------------------------------------------------------------------
Year 1 Total............ .............. .............. .............. .............. 42,526
$2,677,650
-------------------------------------------------------------------------------
Year 2 Total............ .............. .............. .............. .............. 718
$22,976
-------------------------------------------------------------------------------
Year 3 Total............ .............. .............. .............. .............. 11,748
$712,556
===============================================================================
Total............... .............. .............. .............. .............. 54,992
$3,413,182
----------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------
\48\ The estimates for cost per response are derived using the
following formula: Average Burden Hours per Response * XX per Hour =
Average Cost per Response. The hourly cost figures are based on
wages plus benefits for engineers ($61/hr), attorneys ($128/hr), and
administrative staff ($32/hr). These figures are based on Bureau of
Labor Statistics wage and benefit data obtainable at http://www.bls.gov/oes/current/naics3_221000.htm and http://www.bls.gov/news.release/ecec.nr0.htm.
---------------------------------------------------------------------------
64. In arriving at the figures in the above table, the Commission
made the following assumptions:
a. Requirement R1: We assume that responsible entities will
complete the required risk assessment at approximately the same time as
they complete the assessments required under the existing TPL
Reliability Standards. Accordingly, the burden for proposed Reliability
Standard CIP-014-1 only represents the documentation required in
addition to what entities currently prepare. Conservatively, we assume
that in the first year all transmission owners and transmission
operators will complete the required risk assessment.\49\ In the third
year, we assume that only 30 transmission operators will be required to
do another risk assessment and that the entities with critical
facilities after the first risk assessment will still have critical
facilities after the second risk assessment.
---------------------------------------------------------------------------
\49\ While it is likely that only large transmission owners and
transmission operators will have critical facilities under
Requirement R1, the Commission's estimate includes all transmission
owners and operators because reliable data on what percentage of
large owners and operators control critical facilities is
unavailable.
---------------------------------------------------------------------------
b. Requirement R5: We assume that developing physical security
plans in the first year will be more time consuming than in later years
because in later years the plans will likely only need to be updated.
65. Title: FERC-725U, Mandatory Reliability Standards: Reliability
Standard CIP-014-1.
Action: Proposed collection of information.
OMB Control No: To be determined.
Respondents: Business or other for profit, and not for profit
institutions.
Frequency of Responses: Ongoing.
Necessity of the Information: The proposed Reliability Standard
CIP-014-1, if adopted, would implement the Congressional mandate of the
Energy Policy Act of 2005 to develop mandatory and enforceable
Reliability Standards to better ensure the reliability of the nation's
Bulk-Power System. Specifically, the proposal would ensure that
applicable entities with critical Bulk-Power System facilities develop
and implement physical security plans to address physical security
threats and vulnerabilities that could result in instability,
uncontrolled separation, or cascading within an Interconnection.
Internal review: The Commission has reviewed the proposed
Reliability Standard and has determined that the proposed Reliability
Standard is necessary to ensure the reliability and integrity of the
Nation's Bulk-Power System.
66. Interested persons may obtain information on the reporting
requirements by contacting: Federal Energy Regulatory Commission, 888
First Street NE., Washington, DC 20426 [Attention: Ellen Brown, Office
of the Executive Director, email: [email protected], Phone: (202)
502-8663, fax: (202) 273-0873]. Comments on the requirements of this
rule may also be sent to the Office of Information and Regulatory
Affairs, Office of Management and Budget, Washington, DC 20503
[Attention: Desk Officer for the Federal Energy Regulatory Commission].
For security reasons, comments should be sent by email to OMB at [email protected]. Comments submitted to OMB should include Docket
Number RM14-15-000.
IV. Environmental Analysis
67. The Commission is required to prepare an Environmental
Assessment or an Environmental Impact Statement for any action that may
have a significant adverse effect on the human environment.\50\ The
Commission has categorically excluded certain actions from this
requirement as not having a significant effect on the human
environment. Included in the exclusion are rules that are clarifying,
corrective, or procedural or that do not substantially change the
effect of the regulations being amended.\51\ The actions proposed here
fall within this categorical exclusion in the Commission's regulations.
---------------------------------------------------------------------------
\50\ Regulations Implementing the National Environmental Policy
Act, Order No. 486, 52 FR 47897 (Dec. 17, 1987), FERC Stats. & Regs.
Regulations Preambles 1986-1990 ] 30,783 (1987).
\51\ 18 CFR 380.4(a)(2)(ii).
---------------------------------------------------------------------------
V. Regulatory Flexibility Act
68. The Regulatory Flexibility Act of 1980 (RFA) \52\ generally
requires a description and analysis of proposed rules that will have
significant economic impact on a substantial number of small entities.
---------------------------------------------------------------------------
\52\ 5 U.S.C. 601-612.
---------------------------------------------------------------------------
69. The Small Business Administration (SBA) recently revised its
size standard (effective January 22, 2014) for electric utilities from
a standard based on megawatt hours to a standard based on the number of
employees, including affiliates.\53\ Under SBA's new size standards,
transmission
[[Page 42743]]
owners and transmission operators likely come under the following
category and associated size threshold: Electric bulk power
transmission and control, at 500 employees.\54\
---------------------------------------------------------------------------
\53\ SBA Final Rule on ``Small Business Size Standards:
Utilities,'' 78 FR 77,343 (Dec. 23, 2013).
\54\ 13 CFR 121.201, Sector 22, Utilities.
---------------------------------------------------------------------------
70. Based on U.S. economic census data, the approximate percentage
of small firms in this category is 57 percent.\55\ Currently, the
Commission does not have information concerning how the economic census
data compares with entities registered with NERC and is unable to
estimate the number of small transmission owners and transmission
operators using the new SBA definition. However, the Commission
recognizes that proposed Reliability Standard CIP-014-1 only applies to
transmission owners and transmission operators that own and/or operate
certain critical Bulk-Power System facilities. The Commission believes
that the proposed Reliability Standard will be applicable to a
relatively small group of large entities and that an even smaller
subset of large entities will have to comply with each of the
requirements in the proposed Reliability Standard.
---------------------------------------------------------------------------
\55\ Data and further information are available on the SBA Web
site. See SBA Firm Size Data, available at http://www.sba.gov/advocacy/849/12162.
---------------------------------------------------------------------------
71. Based on the above, the Commission certifies that proposed
Reliability Standard CIP-014-1 will not have a significant impact on a
substantial number of small entities. Accordingly, no initial
regulatory flexibility analysis is required. The Commission seeks
comment on this proposal.
VI. Comment Procedures
72. The Commission invites interested persons to submit comments on
the matters and issues proposed in this notice to be adopted, including
any related matters or alternative proposals that commenters may wish
to discuss. Comments are due September 8, 2014. Reply comments are due
September 22, 2014. Comments must refer to Docket No. RM14-15-000, and
must include the commenter's name, the organization they represent, if
applicable, and their address in their comments.
73. The Commission encourages comments to be filed electronically
via the eFiling link on the Commission's Web site at http://www.ferc.gov. The Commission accepts most standard word processing
formats. Documents created electronically using word processing
software should be filed in native applications or print-to-PDF format
and not in a scanned format. Commenters filing electronically do not
need to make a paper filing.
74. Commenters that are not able to file comments electronically
must send an original of their comments to: Federal Energy Regulatory
Commission, Secretary of the Commission, 888 First Street NE.,
Washington, DC 20426.
75. All comments will be placed in the Commission's public files
and may be viewed, printed, or downloaded remotely as described in the
Document Availability section below. Commenters on this proposal are
not required to serve copies of their comments on other commenters.
VII. Document Availability
76. In addition to publishing the full text of this document in the
Federal Register, the Commission provides all interested persons an
opportunity to view and/or print the contents of this document via the
Internet through the Commission's Home Page (http://www.ferc.gov) and
in the Commission's Public Reference Room during normal business hours
(8:30 a.m. to 5:00 p.m. Eastern time) at 888 First Street NE., Room 2A,
Washington, DC 20426.
77. From the Commission's Home Page on the Internet, this
information is available on eLibrary. The full text of this document is
available on eLibrary in PDF and Microsoft Word format for viewing,
printing, and/or downloading. To access this document in eLibrary, type
the docket number excluding the last three digits of this document in
the docket number field.
78. User assistance is available for eLibrary and the Commission's
Web site during normal business hours from the Commission's Online
Support at 202-502-6652 (toll free at 1-866-208-3676) or email at
[email protected], or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at
[email protected].
Issued: July 17, 2014.
By direction of the Commission.
Nathaniel J. Davis, Sr.,
Deputy Secretary.
[FR Doc. 2014-17231 Filed 7-22-14; 8:45 am]
BILLING CODE 6717-01-P