Monday, January 28, 2013

Why the CIP Version 4 Compliance Date Needs to be Pushed Back

All opinions expressed herein are those of the author, not Honeywell International Inc.
In my previous post, I showed that all NERC entities have to be fully compliant with all standards in CIP Version 4 on April 1, 2014 – except those who are in the midst of becoming compliant for Critical Cyber Assets (CCAs) that were newly identified after the compliance date for CIP Version 3.  So, for most entities, I don’t believe there is any way they can legally challenge that date.  If the NERC Regional Entities want to take a tough line on V4 (and I hear they are preparing to do just that), any entity that isn’t fully compliant on that date will be facing potentially large fines.
But sometimes what seems clear from a legal point of view is less clear from a “what’s right” point of view.  And that is the case with the 4/1/2014 date.  To be frank, I know many entities are simply dragging their feet on preparing for CIP Version 4.  While a few of these may believe the law is on their side and they actually have longer to comply (at least until they read my previous post), I think there is another reason why most of them are delaying: NERC itself has been, and still is, sending the message that they don’t believe Version 4 will come into effect – that it will be superseded by Version 5[i].  The biggest evidence I have for this assertion is what NERC didn’t say last year, not so much what they did say (this is like Sherlock Holmes solving one of his famous cases by citing “the dog that didn’t bark.”  It didn’t bark because it knew the criminal, its master.  So he was the culprit - although there was other evidence, of course!).

FERC approved V4 (in Order 761) on April 19, 2012.  At that point, entities had 19 days short of two years to become fully compliant with V4 by April 1, 2014.  Obviously, every day after that is another day lost in this effort.  For a large generating station that will be a new Critical Asset under V4, one could argue that even starting work on April 20 would have been too late to meet the 4/1/2014 date.  For other assets, the situation isn’t quite so dire, but the difference isn’t huge.  The fact is, all entities needed to start work right away after April 19, 2012 – at least by first identifying new Critical Assets under V4, then inventorying all of their cyber assets (located at these new Critical Assets) and deciding which ones were CCAs under V4.

So where were NERC’s exhortations to the entities to get cracking on V4? The only one I know of is the following two paragraphs from the April 2012 NERC News:

On April 19, FERC approved NERC’s Version 4 of the CIP Cybersecurity Standards, agreeing with NERC’s justification for the bright-line criteria used to identify Critical Assets in Version 4. While the posted second draft of Version 5 has proposed to extend Version 3 until Version 5 is implemented in lieu of implementing Version 4, such an approach has not yet been approved by the industry. The approval date and implementation plan for Version 4 establishes an enforcement date in the United States of April 1, 2014.

The approval of Version 4 is a significant milestone in meeting the remaining directives in FERC’s Order No. 706, and NERC will continue to develop information for the industry on the coordination among Version 3, Version 4, and Version 5 of the CIP Cyber Security Standards.

I have italicized the line in the quotation above that confirms the 4/1/2014 date.  The big question: Given that this seems to be the only direct NERC reference to that date soon after FERC approved Version 4, do you think that page 7 of an 8-page monthly newsletter was the best forum for making sure that everybody understood what they needed to start doing to comply with Version 4? In fact, all this says is (to paraphrase) “FERC has approved V4 and here’s the compliance date.  It has been proposed that CIP Version 5 will supersede V4.  We can’t say yet whether or not that will happen.”  If you owned a large generating station and you had to probably spend millions to come into V4 compliance, would you commit those millions based on this statement?  To be fair, a few of the NERC regional entities did make this point more forcibly to their members.  But not all did, and in any case, such warnings were undercut by the lack of warnings from NERC itself.

Meanwhile, our hypothetical owner of the generating station reads, over the course of last summer and fall, that the CIP Version 5 implementation plan explicitly states that Version 4 will be set aside when V5 is approved, making V5 the only upcoming version that needs to be considered.  Why wouldn’t the owner wait until it’s clearer what will happen with V5 before making a big investment in V4 compliance that may turn out to be largely or even completely wasted (from a regulatory point of view.  From a security POV, most of it is hopefully not wasted, although a lot of it is, unfortunately)?

I know for a fact that many entities are even now playing a waiting game on V4 – and NERC doesn’t seem to be doing a lot to get them to do otherwise.  My recent post addressed the question whether V4 would be implemented or not – I can summarize it by saying I think the chances are slim at best that V4 will not be implemented.  In any case, it will be several months at least before we know definitely what will happen.  At that point it will be less than a year before 4/1/2014.  If – say this summer or fall - a large number of entities suddenly start scrambling to become fully compliant with V4, they will find there aren’t enough experienced resources – consultants or new hires – available to help them all get over the finish line in time.  In my opinion: It’s almost inevitable that there will be a large number of NERC entities that aren’t fully compliant on the CIP Version 4 compliance date.

So what do we do about this?  One answer is simply to say, “Too bad.  There are lots of entities already hard at work on V4 compliance.  It’s unfortunate that others didn’t do that, but they have nobody to blame but themselves.”  In my opinion, such an attitude might be justified had NERC given numerous clear action notices about the need to get working on V4 compliance.  However, they have done just the opposite.  NERC’s lack of action – and their constant hints that Version 5 will supplant Version 4 (most recently, the "implementation plan" presented at the March CIPC meeting - see this post) – has poisoned the well from a moral, if not a legal, point of view.

Let me use an analogy of parking ordinances in a small town.  If I'm the only one who breaks an ordinance on a particular day, I clearly have nobody to blame but myself.  But if a new ordinance is passed and half the town ends up breaking it, partly due to confusion about what it meant, this is different.  Someone needs to go back and determine how the ordinance was explained to people.

I believe the Version 4 compliance date should be pushed back by 6-12 months, to 10/1/2014 or even better 4/1/2015.  This isn’t in order to give FERC more time to approve V5.  As I said in December and again recently, the only way I believe that Version 4 can really be superseded is if NERC addresses the issue head on and petitions FERC to rescind Order 761 (i.e. dis-approve Version 4).  To that petition, I think NERC should add, “And if you won’t rescind Order 761, we request that you push back the Version 4 implementation date by 6-12 months.”

There is another reason why I say the date should be pushed back.  My September post was titled "Not-so-Bright Lines" and pointed out that a guidance document is needed for applying the Version 4 bright-line criteria – just like a document had to be developed to help entities identify Critical Assets under CIP Versions 1-3.[ii]  If entities can’t clearly identify their Critical Assets, they obviously can’t clearly identify their CCAs, and they could end up out of compliance with Version 4.  Again, does this really sound like something a beleaguered power plant owner is going to want to commit large amounts of money for at this point?  I think many have decided to wait until the situation is clearer.  Unfortunately, the situation is if anything less clear now than it was last April.

Pushing the V4 compliance date back will give NERC a chance to develop this document in time for it actually to be useful for entities in preparing for V4 compliance.  As it is, NERC could develop it today and it wouldn’t be able to help a lot of entities who have already had to make decisions on V4 critical assets based on whatever information they had available.  And it will take at least six months to develop; the previous guidance took much more than a year.

In conclusion, NERC should petition FERC to push back the CIP Version 4 compliance date and then do two things:

  1. Let all the entities know that they need to get going now on implementing V4 compliance; and
  2. Start work on the guidance document for the bright-line criteria in CIP-002-4, so it can be ready in time to actually help people identify their new Critical Assets.

[i] The primary reason why I say this is that the Implementation Plan for CIP Version 5 includes this sentence:
“Notwithstanding any order to the contrary, CIP-002-4 through CIP-009-4 do not become effective, and CIP-002-3 through CIP-009-3 remain in effect and are not retired until the effective date of the Version 5 CIP Cyber Security Standards under this implementation plan.”
and also this footnote:
“In jurisdictions where CIP-002-4 through CIP-009-4 have not yet become effective according to their implementation plan (even if approved by order), this implementation plan and the Version 5 CIP Cyber Security Standards supersede and replace the implementation plan and standards for CIP-002-4 through CIP-009-4.”
The gist of these two sentences is: Once CIP Version 5 is approved by FERC, Version 4 will never come into effect (assuming it hasn’t been implemented yet – i.e. if Version 5 is approved before April 1, 2014.  After that date, of course, it would be almost impossible to roll back Version 4).  This has been restated in NERC SDT emails and meetings at various times, although always with the caveat that this assumes “regulatory approval”.  And therein lies the rub: Even if FERC approves all of the Version 5 standards, they don’t have to approve the implementation plan.  They can send this plan back to NERC and require specific changes such as removing these two sentences.  This is FERC's decision to make, not NERC's.

Also, please note my post from March 8 about a new development, which unfortunately doesn't change this dreary situation.
[ii] A few people have pointed out that the Standards Drafting Team did develop a Rationale and Implementation Reference Document in 2010, as CIP Version 4 was being drafted and balloted.  This document does discuss the bright line criteria, but it is – as the title suggests – a rationale for how they were derived, not guidance for applying them in the real world.  See my September post for examples of the problems that can come up when you actually start trying to apply those criteria.
