All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.
Note: This article was originally posted in early December, 2012. All of the points made in it remain valid as of February 16, 2012. I have just put up a new post that addresses most of what is in this post in a much shorter fashion - for those pressed for time.
I attended the MRO compliance meetings recently in St. Paul, and was struck by two things: 1) the degree to which concerns about CIP now predominate over concerns about almost all of the other NERC standards put together, and 2) the high level of interest in CIP Versions 4 and 5 – both in their content and in the possible scenarios for their implementation.
Crowning all of the Versions 4 and 5 concerns is this one: Will the industry have to comply with CIP Version 4 – now approved by FERC and scheduled to come into effect April 1, 2014 – or will Version 4 be bypassed in favor of Version 5, which now has NERC Board of Trustees approval and will soon be submitted to FERC?
This is literally the (multi-) million dollar question for many NERC entities. Many are desperate to avoid having to comply with V4 and then two or three years later with V5. A V4 compliance program will be much different from a V5 program – documents, processes and procedures will mostly have to be redone. And there are some controls required by V4 that aren’t required by V5, such as the infamous six-wall boundary of CIP-006.
Because the two versions are applicable to differing sets of assets, an entity could literally spend millions putting in place Version 4 controls and programs for a facility that will no longer be needed under V5 because it isn’t in scope (as a Medium or High impact facility). Conversely, entities could expose themselves to huge penalties if they don’t put in place controls and programs for a facility that is in scope for Version 4, if Version 4 is in fact enforced on 4/1/2014.
I will be honest at the outset: I don’t know the answer to the question whether V4 will be enforced. The only ones who possibly could know are the five FERC commissioners, and I suspect they have not made up their minds. What I will try to do in this post is at least parameterize the different areas of uncertainty, and suggest developments that might occur next year which will indicate whether this event is more or less likely. You are hereby warned: this will be a long post. Like all things NERC CIP, this is a very complicated issue.
To start out, I would like to try to identify the groups that will and won’t be affected by this issue. It is certainly true that this isn’t a problem for many NERC entities, while for others it is a huge problem.
But first I want to clarify one point: When I say an entity “has to comply” with CIP Versions 3 or 4, I mean they will have at least one Critical Asset with at least one Critical Cyber Asset.
And when I say an entity “has to comply” with CIP Version 5, I mean that they will have BES Cyber Systems associated with facilities that are listed as Medium or High impact in CIP-002-5 Attachment 1. There are of course many more entities that will have BES Cyber Systems at facilities that are Low impact in Attachment 1 (or more accurately, BES facilities that aren’t listed in Attachment 1, since all others become Low by default). Since the requirements for the Lows are so much less than those for the Mediums or Highs (Lows only need to develop and implement four policies, and cyber assets don’t have to be inventoried), I don’t consider the question whether or not an entity has to comply with Version 5 as a Low to be one that carries a high dollar impact.[i]
Let me first list some types of entities for which the question whether CIP Version 4 will be implemented isn’t really an issue. They include:
- Entities that don’t have to comply with CIP V3 now and won’t have to comply under V4 or V5.
- Entities that currently have to comply with CIP Version 3 and will continue to have to comply for V4 and V5, for the same assets. They will have to make the transition from V4 to V5 like everybody else, but since they already have a V3 program in place for the asset(s), they won’t have to change anything they’re now doing when V4 is implemented (since CIP-003 through -009 are unchanged from V3 to V4).
- Entities that a) currently have to comply with V3, b) will continue to comply with V4 for the same asset(s), and c) will not have to comply with V5. An example of this would be an entity that currently has declared a blackstart plant as critical under V3. The plant will continue as critical under V4, but will not be Medium or High impact under V5.[ii] So the question whether V4 will be implemented or not is just a question of when they can discontinue their CIP compliance program for that asset (hopefully, they’ll still leave most of the important security controls in place, but they certainly won’t have to continue to file TFEs, for example). This is a budgetary question, but not one that requires them currently to change what they are doing.
- Entities that don’t have to comply with V3 now and won’t have to comply with V4, but will with V5. I don’t think there are a lot of these, but one example might be some substations (since the V5 bright-line criteria for substations differ from the V4 ones). In any case, these entities will ultimately have to comply with V5 regardless of whether V4 is implemented or not, so the question of V4’s implementation isn’t a big deal for them.
I’m sure this isn’t all the cases, but you hopefully get the idea – there are a lot of entities that don’t have to worry about whether V4 will be implemented or not. I’m sure it’s by far the majority of NERC entities.
So who are the entities that are worrying? Well, probably you – otherwise, why are you reading this post? The two main categories include:
- Entities that don’t have to comply with V3, but will with V4 and with V5. Their problem isn’t that they’re not sure they’ll have to comply sometime in the future; it is certain they will. However, since they don’t have a CIP compliance program in place now, they will have to implement one. Because the V4 and V5 compliance programs are quite different, they are running the risk of putting in place a full V4 program, then having to scrap most of that and implement a V5 program.
- Entities that don’t have to comply with V3 and will have to comply with V4, but then won’t have to comply with V5 when it comes out. To comply with V4, these entities will have to put in place both a V4 compliance program and a lot of security controls (both technical and procedural). Since this won’t be needed when V5 comes into effect, a lot of the compliance program will be wasted money and effort (although presumably most of the controls themselves are a good investment regardless of CIP compliance). The biggest example of this case is owners and operators of blackstart generating stations and substations in the blackstart cranking path. These are Critical Assets under V4, but are Low impact facilities under V5. I’m sure a lot of these people are agonizing over their decisions now (although see endnote 2 for more nuance on blackstart generators).
The question we began with is really two questions:
- Under the normal process for NERC/FERC interaction, what is the likelihood that Version 4 will be bypassed?
- What extraordinary actions could be taken (by NERC and FERC) to prevent Version 4 from coming into effect? There seems to be at least one scenario under which this could happen, which I’ll discuss. I won’t even guess at its probability, though.
To address the first question, let’s start by asking what are the events (or non-events) we need to watch for over the next year and a half in order to know whether V4 will come into effect?
The most important date will be April 1, 2014. If FERC lets V4 come into effect on that date, they will never go back and rescind it after that.[iii] It will only be replaced when V5 comes into effect (which will probably be at least two years later), not before that.
And practically speaking, FERC definitely has to make the decision to approve V5 well before 4/1/2014, say six months earlier at least.[iv] Can you imagine what would happen if the Regional Entities and Registered Entities had spent a lot of time and money getting ready for V4, and on - say - March 1, 2014 FERC pulled the plug on it? It wouldn’t be pretty.
What this means effectively is that FERC needs to finally approve CIP Version 5 by October 1, 2013 at the very latest, in order for Version 4 to be superseded, following the Version 5 implementation plan.
What is the probability of FERC’s approving V5 by October 1, 2013? I’ll be honest; I think it’s extremely remote, perhaps not significantly different from zero. Consider these facts:
- The NERC Board of Trustees approved V5 on Nov. 26. V5 now has to be filed with FERC. The filing has to include just about everything that went on in developing V5 – all of the comments, all of the different drafts, meeting minutes, etc. I’m sure the filing will be over 5,000 pages, probably more like 7 or 8,000. Most of this is just cut and paste, of course, but there is a lot of writing that has to be done as well. Let’s assume that the filing is the end of December, 2012 – I’d say that’s the earliest it could be, and it will likely be later than that.[v]
- A FERC representative addressed the MRO meeting this week. While his subject was virtualization and compliance (and the presentation was quite good), he was asked about the prospects for quick approval of V5. He said that the staff had been preparing for the V5 submittal for many months now and would be as expeditious as possible in pushing it through to the Commissioners, but he pointed out that just getting a case number assigned takes more than a month. And the big question is how long the Commissioners will take to decide, once the staff presents V5 to them – I doubt they themselves know at this point.
- FERC took 14 months from the date NERC submitted V4 to the date they approved it. V4 revised CIP-002 but left the other 8 CIP standards exactly the same. V5, on the other hand, is a radical revision of all of CIP (more like Version 1, which took FERC 17 months to approve). If V5 is submitted by NERC by Jan. 1 (again, not very likely), is it really possible that FERC will take just nine months to approve V5?
- I have argued elsewhere that it is likely FERC will send V5 back to NERC and require specific changes in perhaps 90 days. It is also very possible, if they think the problems with V5 are more fundamental, that they will do what they did in Order 706: tell NERC they just want them to do better, and here are the principles we want you to follow.[vi] In either case, this will clearly make it impossible to meet my stipulated October 1, 2013 deadline for V5 approval.
- I think it is also likely that FERC will order NERC to do a new survey of asset identification, just like they did for V4 in 2010. This is because I think FERC will be concerned about the number of generation assets that will be High or Medium impact under V5 (see the blog link above for more on this). The V4 survey took three months, so I’m sure this one will as well.
- FERC always issues a NOPR (Notice of Proposed Rulemaking) before actually issuing an Order approving regulations; the purpose is to provide a forum for concerned parties to submit comments. The V4 NOPR was issued in September 2011, about seven months before Order 761 approved V4. Moving back seven months from the 10/1/2013 date leaves March 1, 2013 as the date by which FERC would have to be certain enough that they wanted to approve V5 that they issued the NOPR. Given that the Commissioners won’t have even received their staff report by then, I’d say that this consideration alone dooms the idea that V4 can be bypassed just through normal NERC and FERC actions.
So the answer to the first question looks decidedly negative. We now arrive at the second question: What extraordinary actions could be taken by NERC and FERC to keep V4 from coming into effect? Fortunately, I don’t have to guess on this. NERC has been soliciting comments from the trade organizations on two possible alternative actions they can take. One doesn’t seem very realistic, but the other would possibly work if FERC agrees.
In this scenario, NERC would submit a request to FERC (possibly with the V5 filing but not as an actual part of it) to push the implementation date for V4 out a certain amount of time, say one or two years. This way, entities wouldn’t have to spend big bucks making assets compliant with V4 that then wouldn’t have to comply with V5 (there’s more to it than that, but this is essentially what NERC is suggesting). There are a number of questions with this option, the main one being (as my Knowledgeable Person points out) that this just prolongs the uncertainty for entities.
The Knowledgeable Person has added another option: file V5 as intended, but simultaneously petition FERC to completely rescind Order 761, meaning that V3 would remain the law of the land until V5 came into effect. This strikes me as the best, since it removes all uncertainty about whether V4 will be implemented or not. The question then is, “Will FERC be interested in this?” And my answer: I haven’t a clue. Ask the Commissioners.[vii]
[i] I’m sure some will disagree with me in this regard, and say there could be a substantial effort required by entities to comply with V5 for Low impact facilities. I agree a number of technologies like firewalls and locks on the doors have to be put in place (and I know that even now there are facilities without those), but the biggest burden of CIP is all the compliance procedures and paperwork. Those are almost entirely absent for Lows in V5.
[ii] A Knowledgeable Person has pointed out that many if not most blackstart plants were not designated Critical Assets under V3 (or if they were, most didn’t have Critical Cyber Assets due to the routable protocol exemption), so there probably aren’t many in this category. As you can see below, this may make them entities that do have to worry about whether V4 will be implemented (although they can still avail themselves of the “non-routable protocol exemption” in V4). However, this person also believes that a lot of them have altered their EOP-005 blackstart plans so that the plants won’t be required as blackstart in the future. In that case, these entities are in the first category: they don’t have to comply with any of the CIP versions.
[iii] CIP V5 junkies may raise the point that the V5 Implementation Plan currently states that V5 will supersede V4 no matter when it is approved by FERC – i.e. even after 4/1/2014. But FERC doesn’t have to live with that – they can send the plan back to NERC to change it. It is simply unimaginable that they would let a new version (V4) go into effect, then pull it back later.
[iv] My Knowledgeable Person says that even six months isn’t enough time, because of the limited vendor resources (both security and ICS vendors) available to help everyone come into compliance; if entities wait until then to start implementing V4 compliance in earnest, they will collectively never be able to do it. He is probably right, but I am trying to see in this essay if there is any basis at all for a belief that V4 won’t be implemented. So I’m trying to give that belief all the benefit of any doubt.
[v] The filing was in fact on January 31, 2013.
[vi] The astute observer might note that Order 706 approved CIP Version 1, even while asking for something better. However, when FERC did that, there was no mandatory cyber security standard already in place, so they undoubtedly felt something was better than nothing. That is obviously not the case now.
[vii] NERC didn’t include any sort of extraordinary request to FERC in the 1/31/2013 V5 filing. Does this mean they’ve given up on the idea of trying to get V4 bypassed? It could, although they could still make a separate filing with the new request. However, this certainly doesn’t increase the very low probability that Version 4 won’t come into effect, and probably pushes it even closer to zero. See this post for more on what NERC should be doing, IMHO.