Monday, January 28, 2013

Why the CIP Version 4 Compliance Date Needs to be Pushed Back

All opinions expressed herein are those of the author, not Honeywell International Inc.
In my previous post, I showed that all NERC entities have to be fully compliant with all standards in CIP Version 4 on April 1, 2014 – except those who are in the midst of becoming compliant for Critical Cyber Assets (CCAs) that were newly identified after the compliance date for CIP Version 3.  So, for most entities, I don’t believe there is any way they can legally challenge that date.  If the NERC Regional Entities want to take a tough line on V4 (and I hear they are preparing to do just that), any entity that isn’t fully compliant on that date will be facing potentially large fines.
But sometimes what seems clear from a legal point of view is less clear from a “what’s right” point of view.  And that is the case with the 4/1/2014 date.  To be frank, I know many entities are simply dragging their feet on preparing for CIP Version 4.  While a few of these may believe the law is on their side and they actually have longer to comply (at least until they read my previous post), I think there is another reason why most of them are delaying: NERC itself has been, and still is, sending the message that they don’t believe Version 4 will come into effect – that it will be superseded by Version 5[i].  The biggest evidence I have for this assertion is what NERC didn’t say last year, not so much what they did say (this is like Sherlock Holmes solving one of his famous cases by citing “the dog that didn’t bark.”  It didn’t bark because it knew the criminal, its master.  So he was the culprit - although there was other evidence, of course!).

FERC approved V4 (in Order 761) on April 19, 2012.  At that point, entities had 19 days short of two years to become fully compliant with V4 by April 1, 2014.  Obviously, every day after that is another day lost in this effort.  For a large generating station that will be a new Critical Asset under V4, one could argue that even starting work on April 20 would have been too late to meet the 4/1/2014 date.  For other assets, the situation isn’t quite so dire, but the difference isn’t huge.  The fact is, all entities needed to start work right away after April 19th 2012  – at least by first identifying new Critical Assets under V4, then inventorying all of their cyber assets (located at these new Critical Assets) and deciding which ones were CCAs under V4.

So where were NERC’s exhortations to the entities to get cracking on V4? The only one I know of is the following two paragraphs from the April 2012 NERC News:

On April 19, FERC approved NERC’s Version 4 of the CIP Cybersecurity Standards, agreeing with NERC’s justification for the bright-line criteria used to identify Critical Assets in Version 4. While the posted second draft of Version 5 has proposed to extend Version 3 until Version 5 is implemented in lieu of implementing Version 4, such an approach has not yet been approved by the industry. The approval date and implementation plan for Version 4 establishes an enforcement date in the United States of April 1, 2014.

The approval of Version 4 is a significant milestone in meeting the remaining directives in FERC’s Order No. 706, and NERC will continue to develop information for the industry on the coordination among Version 3, Version 4, and Version 5 of the CIP Cyber Security Standards.

I have italicized the line in the quotation above that confirms the 4/1/2014 date.  The big question: Given that this seems to be the only direct NERC reference to that date soon after FERC approved Version 4, do you think that page 7 of an 8-page monthly newsletter was the best forum for making sure that everybody understood what they needed to start doing to comply with Version 4? In fact, all this says is (to paraphrase) “FERC has approved V4 and here’s the compliance date.  It has been proposed that CIP Version 5 will supersede V4.  We can’t say yet whether or not that will happen.”  If you owned a large generating station and you had to probably spend millions to come into V4 compliance, would you commit those millions based on this statement?  To be fair, a few of the NERC regional entities did make this point more forcibly to their members.  But not all did, and in any case, such warnings were undercut by the lack of warnings from NERC itself.

Meanwhile, our hypothetical owner of the generating station reads, over the course of last summer and fall, that the CIP Version 5 implementation plan explicitly states that Version 4 will be set aside when V5 is approved, making V5 the only upcoming version that needs to be considered.  Why wouldn’t the owner wait until it’s clearer what will happen with V5 before making a big investment in V4 compliance that may turn out to be largely or even completely wasted (from a regulatory point of view.  From a security POV, most of it is hopefully not wasted, although a lot of it is, unfortunately)?

I know for a fact that many entities are even now playing a waiting game on V4 – and NERC doesn’t seem to be doing a lot to get them to do otherwise.  My recent post addressed the question whether V4 would be implemented or not – I can summarize it by saying I think the chances are slim at best that V4 will not be implemented.  In any case, it will be several months at least before we know definitely what will happen.  At that point it will be less than a year before 4/1/2014.  If – say this summer or fall - a large number of entities suddenly start scrambling to become fully compliant with V4, they will find there aren’t enough experienced resources – consultants or new hires – available to help them all get over the finish line in time.  In my opinion: It’s almost inevitable that there will be a large number of NERC entities that aren’t fully compliant on the CIP Version 4 compliance date.

So what do we do about this?  One answer is simply to say, “Too bad.  There are lots of entities already hard at work on V4 compliance.  It’s unfortunate that others didn’t do that, but they have nobody to blame but themselves.”  In my opinion, such an attitude might be justified had NERC given numerous clear action notices about the need to get working on V4 compliance.  However, they have done just the opposite.  NERC’s lack of action – and their constant hints that Version 5 will supplant Version 4 (most recently, the "implementation plan" presented at the March CIPC meeting - see this post) – has poisoned the well from a moral, if not a legal, point of view.

Let me use an analogy of parking ordinances in a small town.  If I'm the only one who breaks an ordinance on a particular day, I clearly have nobody to blame but myself.  But if a new ordinance is passed and half the town ends up breaking it, partly due to confusion about what it meant, this is different.  Someone needs to go back and determine how the ordinance was explained to people.

I believe the Version 4 compliance date should be pushed back by 6-12 months, to 10/1/2014 or even better 4/1/2015.  This isn’t in order to give FERC more time to approve V5.  As I said in December and again recently, the only way I believe that Version 4 can really be superseded is if NERC addresses the issue head on and petitions FERC to rescind Order 761 (i.e. dis-approve Version 4).  To that petition, I think NERC should add, “And if you won’t rescind Order 761, we request that you push back the Version 4 implementation date by 6-12 months.”

There is another reason why I say the date should be pushed back.  My September post was titled "Not-so-Bright Lines" and pointed out that a guidance document is needed for applying the Version 4 bright-line criteria– just like a document had to be developed to help entities identify Critical Assets under CIP Versions 1-3.[ii]  If entities can’t clearly identify their Critical Assets, they obviously can’t clearly identify their CCAs, and they could end up out of compliance with Version 4.  Again, does this really sound like something a beleaguered power plant owner is going to want to commit large amounts of money for at this point?  I think many have decided to wait until the situation is clearer.  Unfortunately, the situation is if anything less clear now than it was last April.

Pushing the V4 compliance date back will give NERC a chance to develop this document in time for it actually to be useful for entities in preparing for V4 compliance.  As it is, NERC could develop it today and it wouldn’t be able to help a lot of entities who have already had to make decisions on V4 critical assets based on whatever information they had available.  And it will take at least six months to develop; the previous guidance took much more than a year.

In conclusion, NERC should petition FERC to push back the CIP Version 4 compliance date and then do two things:

  1. Let all the entities know that they need to get going now on implementing V4 compliance; and
  2. Start work on the guidance document for the bright-line criteria in CIP-002-4, so it can be ready in time to actually help people identify their new Critical Assets.

[i] The primary reason why I say this is that the Implementation Plan for CIP Version 5 includes this sentence:
“Notwithstanding any order to the contrary, CIP-002-4 through CIP-009-4 do not become effective, and CIP-002-3 through CIP-009-3 remain in effect and are not retired until the effective date of the Version 5 CIP Cyber Security Standards under this implementation plan.”
and also this footnote:
“In jurisdictions where CIP-002-4 through CIP-009-4 have not yet become effective according to their implementation plan (even if approved by order), this implementation plan and the Version 5 CIP Cyber Security Standards supersede and replace the implementation plan and standards for CIP-002-4 through CIP-009-4.”
The gist of these two sentences is: Once CIP Version 5 is approved by FERC, Version 4 will never come into effect (assuming it hasn’t been implemented yet – i.e. if Version 5 is approved before April 1, 2014.  After that date, of course, it would be almost impossible to roll back Version 4).  This has been restated in NERC SDT emails and meetings at various times, although always with the caveat that this assumes “regulatory approval”.  And therein lies the rub: Even if FERC approves all of the Version 5 standards, they don’t have to approve the implementation plan.  They can send this plan back to NERC and require specific changes such as removing these two sentences.  This is FERC's decision to make, not NERC's.

Also, please note my post from March 8 about a new development, which unfortunately doesn't change this dreary situation.

[ii] A few people have pointed out that the Standards Drafting Team did develop a Rationale and Implementation Reference Document in 2010, as CIP Version 4 was being drafted and balloted.  This document does discuss the bright line criteria, but it is – as the title suggests – a rationale for how they were derived, not guidance for applying them in the real world.  See my September post for examples of the problems that can come up when you actually start trying to apply those criteria.

When Do I Have to Comply with NERC CIP Version 4?

All opinions expressed herein are those of the author, not Honeywell International Inc.

I have recently posted on the question whether CIP Version 5 will be speedily approved by FERC and supersede Version 4 - my quick answer is it seems highly unlikely. The point of this post is: If you aren’t doing anything to prepare for Version 4 in the hope that it won’t happen, you’re risking more and more every day you wait.  Legally, you are required to be fully compliant with CIP-002-4 through CIP-009-4 on April 1, 2014.

Since there is still a lot of confusion on these points, I’ll go through the details to try to convince anyone who has doubts.  However, this legal point isn’t the whole story.  The other part of the story is in a second post that immediately follows this one.

Let’s start with the basic date.  When do you need to comply with CIP Version 4?  To find this date, you open up any of the V4 standards (for example, here is CIP-002-4) and go to paragraph 5.  There, you find:

Effective Date: The first day of the eighth calendar quarter after applicable regulatory approvals have been received (or the Reliability Standard otherwise becomes effective the first day of the ninth calendar quarter after BOT adoption in those jurisdictions where regulatory approval is not required).

FERC approved V4 on April 19, 2012.  This is of course the second quarter.  You start with the third quarter of 2012, call that the first quarter (after approval) and find the eighth quarter after approval, which is the second quarter of 2014.  The first day of that quarter is April 1.  So April 1, 2014 is the official date – this shouldn’t be a big surprise, since this date has often been mentioned by me and other scribblers (of course, since FERC isn’t the regulatory authority for Canadian entities, this date doesn’t apply to them.  Each province has its own schedule).

But is this the compliance date for all US entities?  To answer that question, you need to open up the V4 Implementation Plan.  That plan contains this paragraph:
Proposed Effective Date for CIP-002-4 through CIP-009-4
All Facilities Other Than U.S. Nuclear Power Plant Facilities
Responsible Entities shall be compliant with the requirements of CIP-002-4 through CIP-009-4 on the later of (i) the Effective Date specified in the Standard or (ii) the compliance milestones specified in version 3 of the Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities.
OK, so (i) is just telling us what we already know: that the date is April 1, 2014.  How about (ii)?  To figure that out, you need to go to version 3 of the Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities (this is abbreviated IPNICCANRE, just to show that NERC has a sense of humor).   And what is this strange document?  Each CIP version so far has had its IPNICCANRE (in fact, the text may not have changed since the first version, other than the version numbers themselves.  The Version 2 and Version 3 plans were combined, which makes sense since V3 was rushed to approval in 90 days to satisfy a FERC order that required just a single change in V2).

The IPNICCANRE for each CIP version was approved along with the standards themselves, as well as the overall Implementation Plan for that version.  The IPNICCANRE specifies how NERC entities will comply for Critical Cyber Assets (CCAs) that are identified or placed into service after the compliance date of the appropriate version (meaning the Version 3 IPNICCANRE applies to CCAs identified after the compliance date for CIP Version 3, which was October 1, 2010).  It also specifies how newly-registered entities will comply with this CIP version.

The just-cited clause (ii) in the CIP Version 4 Implementation Plan refers to the Version 3 IPNICCANRE.  This plan applies to CCAs that were identified while Version 3 was in effect; and since V3 is still in effect, the V3 IPNICCANRE applies to CCAs that were newly identified between October 1, 2010 and April 1, 2014.  How are they identified?  Here is the fifth paragraph of the document:

The term ‘newly identified Critical Cyber Asset’ is used when a Registered Entity has been required to be compliant with NERC Reliability Standard CIP-002-3 for at least one application of the risk-based Critical Asset identification methodology. Upon a subsequent annual application of the risk-based Critical Asset identification method in compliance with requirements of NERC Reliability Standard CIP-002, either a previously non-critical asset has now been determined to be a Critical Asset, and its associated essential Cyber Assets have now been determined to be Critical Cyber Assets, or Cyber Assets associated with an existing Critical Asset have now been identified as Critical Cyber Assets. These newly determined Critical Cyber Assets are referred to in this Implementation Plan as ‘newly identified Critical Cyber Assets’.

In English, the two ways that new CCAs can be identified are:

  1. A new Critical Asset is identified (using Attachment 1 of CIP-002-4) or put into service, and that makes one or more of its associated cyber assets become CCAs;
  2. Cyber assets associated with an existing Critical Asset are now identified as CCAs (or newly put into service).
I’ll let you look through the plan to see if it applies to you.   If it does, you have between 6 and 24 months (depending on the standard number, as well as on whether your entity has previously had CCAs or not) to comply with CIP Version 3 for the newly-identified CCAs.

But why is the CIP Version 4 Implementation Plan referring to the Version 3 IPNICCANRE?  Because CCAs that are newly identified under V3 are the only exceptions to the April 1, 2014 compliance date for Version 4.  Clause (ii) of the cited sentence in the V4 Implementation Plan says that, if you are still bringing newly identified CCAs into compliance with CIP Version 3 on April 1, 2014 in accordance with the V3 IPNICCANRE (or if you are a newly registered NERC entity that has identified CCAs while Version 3 is in effect), you have until later than that date to comply with V4 (assuming that your compliance date under the V3 IPNICCANRE is later than 4/1/2014.  If it’s not, then 4/1/2014 is your V4 date, just like for everyone else).  In other words, for you, the V4 compliance date is the date you would have to have those new CCAs in compliance with V3 under the V3 IPNICCANRE (and since CIP-003 through CIP-009 are the same in V3 and V4, it doesn’t matter that you’ll technically be bringing them into compliance with V4, rather than V3.  What you have to do to them is exactly the same under V4 as it is under V3).
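As an added example (not code from the original post or from NERC), the two date rules discussed above worked out in Python: the "first day of the eighth calendar quarter after regulatory approval" rule from paragraph 5 of CIP-002-4, and the "later of (i) the Effective Date or (ii) the V3 IPNICCANRE milestone" rule from the V4 Implementation Plan. The V3 IPNICCANRE milestone is taken as an input, since its 6-24 month schedule is not reproduced on this page; the function names are my own.

```python
from datetime import date
from typing import Optional, Tuple, Union

DateLike = Union[date, str]


def _as_date(d: DateLike) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def quarter_of(d: date) -> Tuple[int, int]:
    """(year, quarter) containing d; quarters are 1..4."""
    return d.year, (d.month - 1) // 3 + 1


def add_quarters(year: int, quarter: int, n: int) -> Tuple[int, int]:
    """Move n quarters forward from (year, quarter), rolling over years."""
    idx = year * 4 + (quarter - 1) + n
    return idx // 4, idx % 4 + 1


def first_day_of_quarter(year: int, quarter: int) -> date:
    return date(year, 3 * (quarter - 1) + 1, 1)


def effective_date(approval: DateLike, quarters_after: int = 8) -> date:
    """Effective Date per CIP-002-4 paragraph 5.

    The quarter containing the approval does not count: the quarter that
    follows it is 'the first calendar quarter after approval'. The standard
    uses 8 quarters after regulatory approval (9 after BOT adoption where
    no regulatory approval is required), so quarters_after is a parameter.
    """
    y, q = quarter_of(_as_date(approval))
    y2, q2 = add_quarters(y, q, quarters_after)
    return first_day_of_quarter(y2, q2)


def v4_compliance_date(approval: DateLike,
                       v3_milestone: Optional[DateLike] = None) -> date:
    """Compliance date per the V4 Implementation Plan: the later of
    (i) the Effective Date and (ii) the entity's V3 IPNICCANRE milestone.

    v3_milestone is None for an entity with no CCAs newly identified
    under Version 3; clause (ii) then does not apply.
    """
    eff = effective_date(approval)
    if v3_milestone is None:
        return eff
    return max(eff, _as_date(v3_milestone))


if __name__ == "__main__":
    # FERC approved V4 on April 19, 2012 (Order 761), as the post states.
    fecr_approval = "2012-04-19"
    print("Effective Date:", effective_date(fecr_approval))           # 2014-04-01
    # Constructed sample milestones for illustration only.
    print("No V3 CCAs:", v4_compliance_date(fecr_approval))
    print("V3 milestone 2014-10-01:", v4_compliance_date(fecr_approval, "2014-10-01"))
    print("V3 milestone 2013-06-01:", v4_compliance_date(fecr_approval, "2013-06-01"))
```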

You may say, “That’s great, but I don’t have any newly-identified CCAs, and I won’t have any before 4/1/2014.”  If so, your compliance date is April 1, 2014, period.  What this really means for you is that there are no other exceptions to that date.  The implications of this statement may surprise (and disappoint) you.

You may ask, “What about Critical Assets that are newly identified as a result of application of the V4 bright-line criteria (and these of course are the whole reason why V4 was developed – to bring in more Critical Assets and thus more CCAs)?  Do their associated CCAs count as newly-identified CCAs under Version 4?”  If so, the V4 IPNICCANRE would apply.  And since that reads the same as the V3 document (other than the references to V4 instead of V3), that means you would have 6-24 more months to comply with V4 for those CCAs (i.e. from 10/1/2014 through 4/1/2016).  

Maybe this last sentence makes your ears perk up; I know there are at least a few entities that have already noticed this.  They are envisioning a scenario like this:

  1. On April 1, 2014, they have to comply with CIP Version 4.  They start with CIP-002, since it is the first standard, and ensure it is completed by 4/1/2014.  They apply the bright-line criteria in Attachment 1 to their existing assets.  Lo and behold, they find an asset – say, a substation – that wasn’t critical under V3 but is now critical under V4.
  2. This substation has cyber assets associated with it; one or more of those meet the definition of Critical Cyber Assets included in CIP-002-4 Requirement 2.  The entity reasons these are newly-identified CCAs under Version 4.
  3. The entity goes to the V4 IPNICCANRE and is very pleased to find they have 6-24 months to comply with CIP-003-4 through CIP-009-4 for those new CCAs.  They get to work on meeting those compliance dates, and when the auditors come knocking they just show them the IPNICCANRE and tell them – in a nice, completely compliant fashion - to come back in a couple of years when they are finished.

Why doesn’t this scenario work?  Go back to the Version 4 Implementation Plan and the paragraph cited above (specifically clause (ii)): The only CCAs that don’t have to be fully compliant on April 1, 2014 are those that were newly-identified under CIP Version 3, and whose implementation date under the Version 3 IPNICCANRE is still in the future.  The CCAs that the entity discussed above just identified were ID’d under Version 4, not V3, so they don’t fall under clause (ii).  They should have been fully compliant with all of CIP-002-4 through CIP-009-4 on 4/1/2014.

If you’re still skeptical of this, I refer you to NERC’s 2000-page filing document[i] for V4 (which I’m sure everybody read cover to cover.  I didn't either - a knowledgeable person pointed this out to me).  There is a small section in there – pages 41-43 – that discusses compliance dates under various scenarios.   Here is the discussion of the scenario that is most relevant (I can also send you just this section, if you want to email me -

Scenario 2: Upon FERC acceptance of these proposed CIP Reliability Standards, a Responsible Entity has existing Critical Cyber Assets and has additional assets that now meet the uniform criteria in Attachment 1 of CIP-002-4 that were not previously identified using its established risk-based identification methodology. Under this scenario the Responsible Entity shall use the Implementation Plan in Exhibit B [Tom’s note: this is the V4 implementation plan quoted and linked at the beginning of this post], which specifies that Responsible Entities shall be compliant with the requirements of CIP-002-4 through CIP-009-4 on the later of (i) the Effective Date specified in the Standard or (ii) the compliance milestones specified in Version 3 of the Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities. Since these Critical Cyber Assets were not identified using CIP-002-3, the Version 3 Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities does not apply. Hence, the Responsible Entity shall be compliant with CIP-002-4 through CIP-009-4 for those previously existing Critical Cyber Assets as well as those additional assets captured by the uniform criteria in Attachment 1 of CIP-004 on the Effective Date of these propose (sic) CIP Reliability Standards.
The italics are mine; after reading this, I don’t think there can be too much question whether or not an entity has to fully comply with CIP V4 on 4/1/2014.  The implication of this is that, right after April 19, 2012, all entities should have started identifying assets that will be critical under the CIP Version 4 bright-line criteria, as well as their associated CCAs.  They should then have started preparing to have those CCAs fully compliant with all of CIP-003-4 through CIP-009-4 on April 1, 2014.[ii]  And if they didn’t do these things at the time, they should definitely be doing them now.
My conclusion?  From a strictly legal point of view, there is no question: All entities with assets in place on April 19, 2012, that aren’t currently covered by the CIP Version 3 IPNICCANRE, need to be fully compliant with CIP-002-4 through CIP-009-4 on April 1, 2014.

But that’s not the end of the story.  Sometimes you have to look beyond the letter of the law.  That’s what the following post is about.

[i] If you want to find this filing, go here, choose the 2011 filings, and find the Feb. 10 filing.  I don’t want to give you the actual link, because if you click on it, you’ll immediately start downloading 18 MB of data.  This way, you’re warned first.
[ii] A few very knowledgeable CIP compliance people may read this post and notice one way they might legally push their compliance date back for critical assets and CCAs that will be identified under the Version 4 bright-line criteria.  This would be to change their Risk Based Assessment Methodology (for CIP Version 3) to reflect the Version 4 bright-line criteria.  The next time they applied their RBAM, they would presumably identify the new CCAs.  Since these would have been identified under Version 3, the entity would then have the extended time shown in the Version 3 IPNICCANRE to become compliant with Version 4.

I don’t know of any document specifically prohibiting this strategy.  However, I want to point out that it is very risky, since most of the regions are taking a very negative view of anybody adopting the V4 bright-line criteria in their RBAM at this point.  Whatever you do, check with your region first.