DEPARTMENT OF ENERGY
<SUBAGY>Federal Energy Regulatory Commission</SUBAGY>
<CFR>18 CFR Part 40</CFR>
<DEPDOC>[Docket No. RM24-8-000]</DEPDOC>
<SUBJECT>Virtualization Reliability Standards</SUBJECT>
<HD SOURCE="HED">AGENCY:</HD>
Federal Energy Regulatory Commission.
<HD SOURCE="HED">ACTION:</HD>
Notice of proposed rulemaking.
<SUM>
<HD SOURCE="HED">SUMMARY:</HD>
The Federal Energy Regulatory Commission (Commission) proposes to approve four new definitions and 18 modified definitions in the North American Electric Reliability Corporation (NERC) Glossary of Terms Used in Reliability Standards. The Commission also proposes to approve eleven modified Critical Infrastructure Protection (CIP) Reliability Standards. NERC, the Commission-certified electric reliability organization, submitted the proposed modifications to update the CIP Reliability Standards to enable the application of virtualization and other new technologies in a secure manner.
</SUM>
<EFFDATE>
<HD SOURCE="HED">DATES:</HD>
Comments are due November 24, 2025.
</EFFDATE>
<HD SOURCE="HED">ADDRESSES:</HD>
Comments, identified by docket number, may be filed in the following ways. Electronic filing through
<E T="03">http://www.ferc.gov,</E>
is preferred.
•
<E T="03">Electronic Filing:</E>
Documents must be filed in acceptable native applications and print-to-PDF, but not in scanned or picture format.
• For those unable to file electronically, comments may be filed by USPS mail or by hand (including courier) delivery.
○
<E T="03">Mail via U.S. Postal Service Only:</E>
Addressed to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE, Washington, DC 20426.
○
<E T="03">Hand (including courier) delivery:</E>
Deliver to: Federal Energy Regulatory Commission, 12225 Wilkins Avenue, Rockville, MD 20852.
The Comment Procedures Section of this document contains more detailed filing procedures.
<FURINF>
<HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD>
<FP SOURCE="FP-1">
Mayur Manchanda (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6166,
<E T="03">Mayur.Manchanda@ferc.gov</E>
</FP>
<FP SOURCE="FP-1">
Chanel Chasanov (Legal Information), Office of General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-8569,
<E T="03">Chanel.Chasanov@ferc.gov</E>
</FP>
<FP SOURCE="FP-1">
Alan J. Rukin (Legal Information), Office of General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-8502,
<E T="03">Alan.Rukin@ferc.gov</E>
</FP>
</FURINF>
<SUPLINF>
<HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD>
<HD SOURCE="HD1">I. Introduction</HD>
1. Pursuant to section 215(d)(2) of the Federal Power Act (FPA),
<SU>1</SU>
<FTREF/>
we propose to approve the addition of four new definitions and 18 proposed revisions to the North American Electric Reliability Corporation (NERC) Glossary of Terms Used in Reliability Standards (Glossary). We also propose to approve 11 proposed Critical Infrastructure Protection (CIP) Reliability Standards. NERC submitted the proposed modifications to update the CIP Reliability Standards to enable the application of virtualization and other new technologies in a secure manner.
<SU>2</SU>
<FTREF/>
We also propose to approve the associated violation risk factors, violation severity levels, implementation plans, and effective dates for the proposed Reliability Standards, as well as to approve the retirement of the currently effective version of each proposed Reliability Standard.
<FTNT>
<SU>1</SU>
16 U.S.C. 824o(d)(2).
</FTNT>
<FTNT>
<SU>2</SU>
<E T="03">See</E>
NERC Petition at 2-5. Virtualization is “the process of creating virtual, as opposed to physical, versions of computer hardware to minimize the amount of physical hardware resources required to perform various functions.” NERC Petition at 12 (quoting National Institute of Standards and Technology (NIST), Guide to Security for Full Virtualization Technologies, Special Publication 800-125 (Jan. 2011) (NIST Virtualization Security Special Publication)).
</FTNT>
2. We support NERC's efforts to update the CIP Reliability Standards to accommodate virtualization and other nascent technologies. These proposed updates will allow responsible entities to enhance their reliability and security posture by adapting to emerging risks with forward-looking security models. As NERC explains, the current framework for CIP Reliability Standards “was designed around the concept that devices have a one-to-one relationship between software and hardware,”
<SU>3</SU>
<FTREF/>
and CIP-mandated controls such as perimeter-based security were designed to fit this concept. However, “technology supporting and enabling the industrial control systems that operate the Bulk-Power System has evolved rapidly.”
<SU>4</SU>
<FTREF/>
To accommodate this evolution, NERC has updated the CIP Reliability Standards to provide responsible entities the flexibility to adopt virtualization and other new technologies “to operate their systems effectively and efficiently while maintaining a robust security posture.”
<SU>5</SU>
<FTREF/>
The proposed modifications do not obligate entities to adopt virtualization; rather, if approved, the proposed CIP Reliability Standards would accommodate responsible entities that choose to do so. NERC highlights the reliability benefits of virtualization, including “increased uptime, fast recovery capability, and flexible architecture that can instantly adapt to changing workloads.”
<SU>6</SU>
<FTREF/>
We agree that these potential reliability benefits are worth pursuing, and we continue to support efforts by NERC and responsible entities to facilitate the use of technological advancements that enhance the reliability and security of the Bulk-Power System.
<FTNT>
<SU>3</SU>
NERC Petition at 4.
</FTNT>
<FTNT>
<SU>4</SU>
<E T="03">Id.</E>
at 2.
</FTNT>
<FTNT>
<SU>5</SU>
<E T="03">Id.</E>
at 16 & Ex. D (standard drafting team white paper titled Virtualization and Future Technologies: The Case for Change).
</FTNT>
<FTNT>
<SU>6</SU>
<E T="03">Id.</E>
at 16.
</FTNT>
3. While we propose to approve the proposed CIP Reliability Standard modifications, we have questions regarding the proposed language (repeated in multiple Requirements) that would replace the phrase “where technically feasible” with the phrase “per system capability.”
<SU>7</SU>
<FTREF/>
NERC explains that the revision would eliminate the technical feasibility exceptions and associated reporting and approval process. Going forward, responsible entities would still be required to document an identified limit to a system capability and simply retain the documentation for review upon audit or other compliance activity.
<SU>8</SU>
<FTREF/>
We recognize NERC's efforts to alleviate administrative burdens associated with the current technical feasibility exception process. Nonetheless, we are concerned that the proposed phrase “per system capability” would eliminate transparency and meaningful Commission and NERC oversight by introducing a self-implementing exceptions process with no reporting obligations. Thus, as discussed below, we seek comments on this aspect of the NERC proposal, including alternative approaches, which will assist the Commission in formulating a possible directive in a final rule.
<FTNT>
<SU>7</SU>
<E T="03">See</E>
NERC Rules of Procedure section 412 (Requests for Technical Feasibility Exceptions to NERC Critical Infrastructure Protection Reliability Standards), Appendix 4D (Procedure for Requesting and Receiving Technical Feasibility Exceptions to NERC Critical Infrastructure Protection Reliability Standards).
</FTNT>
<FTNT>
<SU>8</SU>
<E T="03">See</E>
NERC Petition at 29-30;
<E T="03">see also</E>
NERC Supplemental Petition at 26 (an entity relying on the system capability exception “will need to document the limit to the system's capability and demonstrate during compliance monitoring activities that the system's incapability prevents the Responsible Entity from implementing the control within the requirement”).
</FTNT>
<HD SOURCE="HD1">II. Background</HD>
<HD SOURCE="HD2">A. Section 215 and Mandatory Reliability Standards</HD>
4. Section 215 of the FPA provides that the Commission may certify an Electric Reliability Organization (ERO), the purpose of which is to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval.
<SU>9</SU>
<FTREF/>
Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.
<SU>10</SU>
<FTREF/>
Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,
<SU>11</SU>
<FTREF/>
and subsequently certified NERC.
<SU>12</SU>
<FTREF/>
<FTNT>
<SU>9</SU>
16 U.S.C. 824o(c).
</FTNT>
<FTNT>
<SU>10</SU>
<E T="03">Id.</E>
824o(e).
</FTNT>
<FTNT>
<SU>11</SU>
<E T="03">Rules Concerning Certification of the Elec. Reliability Org.; & Procs. for the Establishment, Approval, & Enf't of Elec. Reliability Standards,</E>
Order No. 672, 71 FR 8662 (Feb. 17, 2006), 114 FERC ¶ 61,104,
<E T="03">order on reh'g,</E>
Order No. 672-A, 71 FR 19814 (Apr. 18, 2006), 114 FERC ¶ 61,328 (2006);
<E T="03">see also</E>
18 CFR 39.4(b).
</FTNT>
<FTNT>
<SU>12</SU>
<E T="03">N. Am. Elec. Reliability Corp.,</E>
116 FERC ¶ 61,062,
<E T="03">order on reh'g & compliance,</E>
117 FERC ¶ 61,126 (2006),
<E T="03">aff'd sub nom. Alcoa, Inc.</E>
v.
<E T="03">FERC,</E>
564 F.3d 1342 (D.C. Cir. 2009).
</FTNT>
<HD SOURCE="HD2">B. Virtualization</HD>
5. Virtualization is the process of creating virtual, as o