DEPARTMENT OF ENERGY
<SUBAGY>Federal Energy Regulatory Commission</SUBAGY>
<CFR>18 CFR Part 40</CFR>
<DEPDOC>[Docket No. RM25-8-000]</DEPDOC>
<SUBJECT>Critical Infrastructure Protection Reliability Standard CIP-003-11—Cyber Security—Security Management Controls</SUBJECT>
<HD SOURCE="HED">AGENCY:</HD>
Federal Energy Regulatory Commission.
<HD SOURCE="HED">ACTION:</HD>
Notice of proposed rulemaking.
<SUM>
<HD SOURCE="HED">SUMMARY:</HD>
The Federal Energy Regulatory Commission (Commission) proposes to approve Critical Infrastructure Protection (CIP) Reliability Standard CIP-003-11 (Cyber Security—Security Management Controls). The North American Electric Reliability Corporation, the Commission-certified electric reliability organization, submitted the proposed Reliability Standard modifications to mitigate risks posed by a coordinated cyberattack on low impact facilities, the aggregate impact of which could be much greater.
</SUM>
<EFFDATE>
<HD SOURCE="HED">DATES:</HD>
Comments are due November 24, 2025.
</EFFDATE>
<HD SOURCE="HED">ADDRESSES:</HD>
Comments, identified by docket number, may be filed in the following ways. Electronic filing through
<E T="03">http://www.ferc.gov</E>
is preferred.
• <E T="03">Electronic Filing:</E> Documents must be filed in acceptable native applications and print-to-PDF, but not in scanned or picture format.
• For those unable to file electronically, comments may be filed by USPS mail or by hand (including courier) delivery.
○ <E T="03">Mail via U.S. Postal Service Only:</E> Addressed to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE, Washington, DC 20426.
○ <E T="03">Hand (including courier) Delivery:</E> Deliver to: Federal Energy Regulatory Commission, 12225 Wilkins Avenue, Rockville, MD 20852.
The Comment Procedures Section of this document contains more detailed filing procedures.
<FURINF>
<HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD>
<FP SOURCE="FP-1">
Jacob Waxman (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6879,
<E T="03">Jacob.Waxman@ferc.gov.</E>
</FP>
<FP SOURCE="FP-1">
Chanel Chasanov (Legal Information), Office of General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-8569,
<E T="03">Chanel.Chasanov@ferc.gov.</E>
</FP>
</FURINF>
<SUPLINF>
<HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD>
1. Pursuant to section 215(d)(2) of the Federal Power Act (FPA),
<SU>1</SU>
<FTREF/>
we propose to approve proposed Reliability Standard CIP-003-11 (Cyber Security—Security Management Controls), submitted by the North American Electric Reliability Corporation (NERC), as just, reasonable, not unduly discriminatory or preferential, and in the public interest. We also propose to approve the associated violation risk factors, violation severity levels, implementation plans, and effective dates for the proposed Reliability Standard, as well as to approve the retirement of currently effective Reliability Standard CIP-003-9.
<SU>2</SU>
<FTREF/>
<FTNT>
<SU>1</SU>
16 U.S.C. 824o(d)(2).
</FTNT>
<FTNT>
<SU>2</SU>
We are issuing a NOPR concurrently in Docket No. RM24-8-000. In that NOPR, we are proposing to approve proposed Reliability Standard CIP-003-10, 192 FERC ¶ 61,228. Here, we are proposing to approve proposed Reliability Standard CIP-003-11 and have it supersede Reliability Standard CIP-003-10.
</FTNT>
2. Proposed Reliability Standard CIP-003-11 specifies security management controls that establish responsibility and accountability to protect low impact bulk electric system (BES) Cyber Systems against compromise that could lead to misoperation or instability in the bulk electric system.
<SU>3</SU>
<FTREF/>
Reliability Standard CIP-003-11, amongst other obligations, requires entities with assets containing low impact BES Cyber Systems to document and maintain plans that include controls specified in Attachment 1 of the Standard. NERC states that the modifications in proposed Reliability Standard CIP-003-11 would mitigate the risks posed by a coordinated attack utilizing distributed low impact BES Cyber Systems by adding controls to authenticate remote users, protecting the authentication information in transit, and detecting malicious communications to or between assets containing low impact BES Cyber Systems with external routable connectivity.
<SU>4</SU>
<FTREF/>
<FTNT>
<SU>3</SU>
NERC Petition at 1.
</FTNT>
<FTNT>
<SU>4</SU>
<E T="03">Id.</E>
at 3-4.
</FTNT>
3. We seek comments on all aspects of proposed Reliability Standard CIP-003-11 and our proposal to approve the Standard. As discussed later, we also seek comments on the continuing evolution of threats of compromise to low impact BES Cyber Systems. Relatedly, we seek comment on whether it is worthwhile to direct NERC to perform a study or develop a whitepaper on evolving threats as they relate to the potential exploitation of low impact BES Cyber Systems.
<HD SOURCE="HD1">I. Background</HD>
<HD SOURCE="HD2">A. Section 215 and Mandatory Reliability Standards</HD>
4. Section 215 of the FPA provides that the Commission may certify an ERO, the purpose of which is to develop mandatory and enforceable Reliability Standards, subject to Commission review and approval.
<SU>5</SU>
<FTREF/>
Reliability Standards may be enforced by the ERO, subject to Commission oversight, or by the Commission independently.
<SU>6</SU>
<FTREF/>
Pursuant to section 215 of the FPA, the Commission established a process to select and certify an ERO,
<SU>7</SU>
<FTREF/>
and subsequently certified NERC.
<SU>8</SU>
<FTREF/>
<FTNT>
<SU>5</SU>
16 U.S.C. 824o(c).
</FTNT>
<FTNT>
<SU>6</SU>
<E T="03">Id.</E>
824o(e).
</FTNT>
<FTNT>
<SU>7</SU>
<E T="03">Rules Concerning Certification of the Elec. Reliability Org.; & Procs. for the Establishment, Approval, & Enf't of Elec. Reliability Standards,</E>
Order No. 672, 71 FR 8662 (Feb. 17, 2006), 114 FERC ¶ 61,104,
<E T="03">order on reh'g,</E>
Order No. 672-A, 71 FR 19814 (Apr. 18, 2006), 114 FERC ¶ 61,328 (2006);
<E T="03">see also</E>
18 CFR 39.4(b).
</FTNT>
<FTNT>
<SU>8</SU>
<E T="03">N. Am. Elec. Reliability Corp.,</E>
116 FERC ¶ 61,062,
<E T="03">order on reh'g & compliance,</E>
117 FERC ¶ 61,126 (2006),
<E T="03">aff'd sub nom. Alcoa, Inc.</E>
v.
<E T="03">FERC,</E>
564 F.3d 1342 (D.C. Cir. 2009).
</FTNT>
<HD SOURCE="HD2">B. Low Impact BES Cyber Systems</HD>
5. The CIP Reliability Standards apply a “tiered” approach with different obligations depending on whether a BES Cyber System
<SU>9</SU>
<FTREF/>
is classified as high, medium, or low impact.
<SU>10</SU>
<FTREF/>
The purpose of categorizing BES Cyber Systems is to apply cybersecurity requirements consistently, efficiently, and commensurate with the adverse impact that a loss, compromise, or misuse of those systems could have on the reliable operation of the Bulk-Power System.
<FTNT>
<SU>9</SU>
BES Cyber Systems are defined as “one or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks.” A BES Cyber Asset is defined as “[a] Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more facilities, systems, or equipment, which, if destroyed degraded or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System.” NERC,
<E T="03">Glossary of Terms Used in NERC Reliability Standards</E>
49 (Feb. 26, 2025) (NERC Glossary),
<E T="03">https://www.nerc.com/pa/Stand/GlossaryofTerms/Glossary_of_Terms.pdf.</E>
</FTNT>
<FTNT>
<SU>10</SU>
Reliability Standard CIP-002-5.1a (BES Cyber System Categorization) delineates three categories of BES Cyber Systems: high, medium, and low, determined by a BES Cyber System's potential impact on Bulk-Power System reliability.
</FTNT>
6. Most individual BES Cyber Systems within the bulk electric system are categorized as low impact.
<SU>11</SU>
<FTREF/>
Individual low impact BES Cyber Systems have less of an impact on bulk electric system reliability than medium or high impact BES Cyber Systems and thus have fewer CIP Reliability Standard requirements. Nevertheless, low impact BES Cyber Systems may still introduce reliability risks of a higher impact when distributed low impact BES Cyber Systems are subjected to a coordinated cyberattack.
<FTNT>
<SU>11</SU>
<E T="03">See, e.g.,</E>
NERC,
<E T="03">Low Impact Criteria Review Report</E>
5 (Oct. 2022) (Low Impact Criteria Review Report),
<E T="03">https://www.nerc.com/pa/comp/SupplyChainRiskMitigationProgramDL/NERC_LICRT_White_Paper_clean.pdf#search=low%20impact%20criteria%20review%20report.</E>
</FTNT>
<HD SOURCE="HD1">II. NERC Petition</HD>
<FTNT>
<SU>12</SU>
The proposed Reliability Standard is not attached to this NOPR. The proposed Reliability Standard is available on the Commission's eLibrary document retrieval system in Docket No. RM25-8-000 and on the NERC website,
<E T="03">www.nerc.com.</E>
</FTNT>
7. On December 20, 2024, NERC submitted proposed Reliability Standard CIP-003-11 for Commission approval. NERC explains that, in response to the SolarWinds Orion platform attack, and at the direction of the NERC Board of Trustees, NERC staff assembled a team of cybersecurity experts and compliance experts called the Low Impact Criteria Review Team (LICRT) that developed a report that discussed the potential threats and risks posed by a coordinated attack on low impact BES Cyber Systems.
<SU>13</SU>
<FTREF/>
NERC's proposed modifications made in Reliability Standard CIP-003-11 reflect many of the reco