All opinions expressed herein are those of the author, not Honeywell International Inc.
I have recently posted on the question whether CIP Version 5 will be speedily approved by FERC and supersede Version 4 - my quick answer is it seems highly unlikely. The point of this post is: If you aren’t doing anything to prepare for Version 4 in the hope that it won’t happen, you’re risking more and more every day you wait. Legally, you are required to be fully compliant with CIP-002-4 through CIP-009-4 on April 1, 2014.
Since there is still a lot of confusion on these points, I’ll go through the details to try to convince anyone who has doubts. However, this legal point isn’t the whole story. The other part of the story is in a second post that immediately follows this one.
Let’s start with the basic date. When do you need to comply with CIP Version 4? To find this date, you open up any of the V4 standards (for example, here is CIP-002-4) and go to paragraph 5. There, you find:
Effective Date: The first day of the eighth calendar quarter after applicable regulatory approvals have been received (or the Reliability Standard otherwise becomes effective the first day of the ninth calendar quarter after BOT adoption in those jurisdictions where regulatory approval is not required).
FERC approved V4 on April 19, 2012. This is of course the second quarter. You start with the third quarter of 2012, call that the first quarter (after approval) and find the eighth quarter after approval, which is the second quarter of 2014. The first day of that quarter is April 1. So April 1, 2014 is the official date – this shouldn’t be a big surprise, since this date has often been mentioned by me and other scribblers (of course, since FERC isn’t the regulatory authority for Canadian entities, this date doesn’t apply to them. Each province has its own schedule).
But is this the compliance date for all US entities? To answer that question, you need to open up the V4 Implementation Plan. That plan contains this paragraph:
Proposed Effective Date for CIP-002-4 through CIP-009-4
All Facilities Other Than U.S. Nuclear Power Plant Facilities
Responsible Entities shall be compliant with the requirements of CIP-002-4 through CIP-009-4 on the later of (i) the Effective Date specified in the Standard or (ii) the compliance milestones specified in version 3 of the Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities.
OK, so (i) is just telling us what we already know: that the date is April 1, 2014. How about (ii)? To figure that out, you need to go to version 3 of the Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities (this is abbreviated IPNICCANRE, just to show that NERC has a sense of humor). And what is this strange document? Each CIP version so far has had its IPNICCANRE (in fact, the text may not have changed since the first version, other than the version numbers themselves. The Version 2 and Version 3 plans were combined, which makes sense since V3 was rushed to approval in 90 days to satisfy a FERC order that required just a single change in V2).
The IPNICCANRE for each CIP version was approved along with the standards themselves, as well as the overall Implementation Plan for that version. The IPNICCANRE specifies how NERC entities will comply for Critical Cyber Assets (CCAs) that are identified or placed into service after the compliance date of the appropriate version (meaning the Version 3 IPNICCANRE applies to CCAs identified after the compliance date for CIP Version 3, which was October 1, 2010). It also specifies how newly-registered entities will comply with this CIP version.
The just-cited clause (ii) in the CIP Version 4 Implementation Plan refers to the Version 3 IPNICCANRE. This plan applies to CCAs that were identified while Version 3 was in effect; and since V3 is still in effect, the V3 IPNICCANRE applies to CCAs that were newly identified between October 1, 2010 and April 1, 2014. How are they identified? Here is the fifth paragraph of the document:
The term ‘newly identified Critical Cyber Asset’ is used when a Registered Entity has been
required to be compliant with NERC Reliability Standard CIP-002-3 for at least one application of the risk-based Critical Asset identification methodology. Upon a subsequent annual application of the risk-based Critical Asset identification method in compliance with requirements of NERC Reliability Standard CIP-002, either a previously non-critical asset has now been determined to be a Critical Asset, and its associated essential Cyber Assets have now been determined to be Critical Cyber Assets, or Cyber Assets associated with an existing Critical Asset have now been identified as Critical Cyber Assets. These newly determined Critical Cyber Assets are referred to in this Implementation Plan as ’newly identified Critical Cyber Assets’.
In English, the two ways that new CCAs can be identified are:
- A new Critical Asset is identified (using Attachment 1 of CIP-002-4) or put into service, and that makes one or more of its associated cyber assets become CCAs;
- Cyber assets associated with an existing Critical Asset are now identified as CCAs (or newly put into service).
I’ll let you look through the plan to see if it applies to you. If it does, you have between 6 and 24 months (depending on the standard number, as well as on whether your entity has previously had CCAs or not) to comply with CIP Version 3 for the newly-identified CCAs.
But why is the CIP Version 4 Implementation Plan referring to the Version 3 IPNICCANRE? Because CCAs that are newly identified under V3 are the only exceptions to the April 1, 2014 compliance date for Version 4. Clause (ii) of the cited sentence in the V4 Implementation Plan says that, if you are still bringing newly identified CCAs into compliance with CIP Version 3 on April 1, 2014 in accordance with the V3 IPNICCANRE (or if you are a newly registered NERC entity that has identified CCAs while Version 3 is in effect), you have until later than that date to comply with V4 (assuming that your compliance date under the V3 INPICCANRE is later than 4/1/2014. If it’s not, then 4/1/2014 is your V4 date, just like for everyone else). In other words, for you, the V4 compliance date is the date you would have to have those new CCAs in compliance with V3 under the V3 IPNICCANRE (and since CIP-003 through CIP-009 are the same in V3 and V4, it doesn’t matter that you’ll technically be bringing them into compliance with V4, rather than V3. What you have to do to them is exactly the same under V4 as it is under V3).
You may say, “That’s great, but I don’t have any newly-identified CCAs, and I won’t have any before 4/1/2014.” If so, your compliance date is April 1, 2014, period. What this really means for you is that there are no other exceptions to that date. The implications of this statement may surprise (and disappoint) you.
You may ask, “What about Critical Assets that are newly identified as a result of application of the V4 bright-line criteria (and these of course are the whole reason why V4 was developed – to bring in more Critical Assets and thus more CCAs)? Do their associated CCAs count as newly-identified CCAs under Version 4?” If so, the V4 IPNICCANRE would apply. And since that reads the same as the V3 document (other than the references to V4 instead of V3), that means you would have 6-24 more months to comply with V4 for those CCAs (i.e. from 10/1/2014 through 4/1/2016).
Maybe this last sentence makes your ears perk up; I know there are at least a few entities that have already noticed this. They are envisioning a scenario like this:
- On April 1, 2014, they have to comply with CIP Version 4. They start with CIP-002, since it is the first standard, and ensure it is completed by 4/1/2014. They apply the bright-line criteria in Attachment 1 to their existing assets. Lo and behold, they find an asset – say, a substation – that wasn’t critical under V3 but is now critical under V4.
- This substation has cyber assets associated with it; one or more of those meet the definition of Critical Cyber Assets included in CIP-002-4 Requirement 2. The entity reasons these are newly-identified CCAs under Version 4.
- The entity goes to the V4 IPNICCANRE and is very pleased to find they have 6-24 months to comply with CIP-003-4 through CIP-009-4 for those new CCAs. They get to work on meeting those compliance dates, and when the auditors come knocking they just show them the IPNICCANRE and tell them – in a nice, completely compliant fashion - to come back in a couple of years when they are finished.
Why doesn’t this scenario work? Go back to the Version 4 Implementation Plan and the paragraph cited above (specifically clause (ii)): The only CCAs that don’t have to be fully compliant on April 1, 2014 are those that were newly-identified under CIP Version 3, and whose implementation date under the Version 3 IPNICCANRE is still in the future. The CCAs that the entity discussed above just identified were ID’d under Version 4, not V3, so they don’t fall under clause (ii). They should have been fully compliant with all of CIP-002-4 through CIP-009-4 on 4/1/2014.
If you’re still skeptical of this, I refer you to NERC’s 2000-page filing document[i] for V4 (which I’m sure everybody read cover to cover. I didn't either - a knowledgeable person pointed this out to me). There is a small section in there – pages 41-43 – that discusses compliance dates under various scenarios. Here is the discussion of the scenario that is most relevant (I can also send you just this section, if you want to email me - email@example.com):
Scenario 2: Upon FERC acceptance of these proposed CIP Reliability Standards, a Responsible Entity has existing Critical Cyber Assets and has additional assets that now meet the uniform criteria in Attachment 1 of CIP-002-4 that were not previously identified using its established risk-based identification methodology. Under this scenario the Responsible Entity shall use the Implementation Plan in Exhibit B [Tom’s note: this is the V4 implementation plan quoted and linked at the beginning of this post], which specifies that Responsible Entities shall be compliant with the requirements of CIP-002-4 through CIP-009-4 on the later of (i) the Effective Date specified in the Standard or (ii) the compliance milestones specified in Version 3 of the Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities. Since these Critical Cyber Assets were not identified using CIP-002-3, the Version 3 Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities does not apply. Hence, the Responsible Entity shall be compliant with CIP-002-4 through CIP-009-4 for those previously existing Critical Cyber Assets as well as those additional assets captured by the uniform criteria in Attachment 1 of CIP-004 on the Effective Date of these propose (sic) CIP Reliability Standards.
The italics are mine; after reading this, I don’t think there can be too much question whether or not an entity has to fully comply with CIP V4 on 4/1/2014. The implication of this is that, right after April 19, 2012, all entities should have started identifying assets that will be critical under the CIP Version 4 bright-line criteria, as well as their associated CCAs. They should then have started preparing to have those CCAs fully compliant with all of CIP-003-4 through CIP-009-4 on April 1, 2014.[ii] And if they didn’t do these things at the time, they should definitely be doing them now.
My conclusion? From a strictly legal point of view, there is no question: All entities with assets in place on April 19, 2012, that aren’t currently covered by the CIP Version 3 IPNICCANRE, need to be fully compliant with CIP-002-4 through CIP-009-4 on April 1, 2014.
But that’s not the end of the story. Sometimes you have to look beyond the letter of the law. That’s what the following post is about.
[ii] A few very knowledgeable CIP compliance people may read this post and notice one way they might legally push their compliance date back for critical assets and CCAs that will be identified under the Version 4 bright-line criteria. This would be to change their Risk Based Assessment Methodology (for CIP Version 3) to reflect the Version 4 bright-line criteria. The next time they applied their RBAM, they would presumably identify the new CCAs. Since these would have been identified under Version 3, the entity would then have the extended time shown in the Version 3 IPNICCANRE to become compliant with Version 4.
I don’t know of any document specifically prohibiting this strategy. However, I want to point out that it is very risky, since most of the regions are taking a very negative view of anybody adopting the V4 bright-line criteria in their RBAM at this point. Whatever you do, check with your region first.