Wednesday, April 17, 2013

Breaking News: NERC Gets it Right!

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

As unaccustomed as I am to praising NERC, I have to now: they seem to have finally gotten the CIP Version 4 transition plan right, after a number of false starts.  And how did they do this?  By working with the regional auditors to put together a plan they were comfortable with.  No plan was ever going to work without the auditors being on board, and it is good to see that NERC realized this.

The document I’m referring to is the Cyber Security Standards Transition Guidance issued by NERC on April 11.  NERC has been promising this document for about a year.  Why is it needed?  Briefly, because there are two new NERC CIP versions pending.  CIP Version 4 is approved by FERC and will be in effect on April 1, 2014.  CIP Version 5 is approved by NERC but waiting for FERC approval.  Should V5 be approved before the V4 effective date, the current Version 3 would be extended and V4 would never come into effect.

However, as I’ve been saying for a year, it is unlikely that FERC will do what everybody (myself included) wanted and approve V5 by 4/1/2014 (see this post from April 2012, right after FERC approved V4.  Also this much more recent post).  NERC entities need to be prepared for full V4 compliance on that date (in fact, Honeywell and EnergySec just did a webinar on this very topic).   And since V5 will most likely become effective 2-3 years after that date, they need to start thinking about that as well.

Why is this a problem?  First, nobody wants to have to comply with two new CIP versions in 2-3 years.  But since CIP V4 will be the fourth CIP version in effect in six years (and since CIP-003 through CIP-009 are identical in V4 as compared to V3), this is actually a slower pace of change.  What has really caused consternation is the differing assets that are in scope for the two versions.  In CIP Version 4, blackstart plants and substations in the cranking path are Critical Assets and subject to the full CIP requirements.  However, under V5, they are no longer in scope (as High or Medium impact BES facilities, using the terminology in V5.  All BES facilities, including blackstart facilities, will have to comply as at least Low impact under V5, but the requirements for Lows are much less onerous than those for Mediums or Highs).

This means that the owners or operators of blackstart facilities, that weren’t Critical Assets under CIP Version 3, would have to put in place an entire CIP compliance program starting 4/1/2014, then abandon a lot of that in a few years (some will say that, since CIP just requires practices that are mostly required by good cyber security principles, these owners/operators shouldn’t complain: They are just being forced to do what they should be doing anyway.  This isn’t a valid argument because the whole apparatus of CIP compliance – documentation, reports filed with the Regional Entity, elaborate tickler systems to make sure everything is done when it should be, the ever-popular TFE’s, etc. – itself places a huge burden on the NERC entity.  And this apparatus doesn’t add anything to security).

To be honest, this is the main reason that this transition plan is so important, and why it has clearly been such a contentious subject at NERC.  Without this controversy, the plan would have been put out much sooner.  As it is, bringing it out less than a year before the V4 compliance date is very short notice, given that V4 was approved a year ago.  But better late than never.[i]

Another problem is discrepancies in asset coverage between Versions 3 and 4.  There are many entities that will have new assets in scope under V4, or will have assets drop out of scope.  And there are others that will have both: new assets in scope and old ones dropping out.  Many NERC entities have complained that they don’t want to have to maintain the CIP compliance program, for current Critical Assets that won’t be so under Version 4, right up until April 1, 2014.  Rather, they would like to focus on preparing the assets that are coming into scope. 

The reason this was a problem was that some of the Regional Entities had said that it would be unacceptable to adopt the CIP Version 4 bright-line criteria (which determine which assets are critical under V4) before V4 came into effect; this meant that entities couldn’t drop assets from the CIP program until 4/1/2014, even though they knew that they would be able to drop them then.  This problem has also been addressed in the plan (see the last footnote, or read the first paragraph on page 4 of the plan).

So what’s in the plan itself?  I must say to start out that this is a very dense document.  Take this excerpt:

Responsible Entities that will have new assets identified under the CIP Version 4 bright-line criteria between June 25, 2012 and April 1, 2014 should follow the FERC-approved implementation plan for CIP Version 4. This means that assets that met the CIP-002-4 Attachment 1 bright-line criteria as of the effective date of Order No. 761, which is June 25, 2012, must be compliant with all aspects of CIP Version 4 on April 1, 2014.

See what I mean?  The IRS itself couldn’t come up with something much more complicated.  However, I don’t particularly blame the NERC writers.  This is a very complicated plan, made more so by the fact that there were multiple groups involved in writing it.  But given the very messy situation with three different versions of CIP to be juggled, this was probably inevitable.

The heart of the plan is the designation of two “approaches” that NERC entities subject to CIP V3 and/or V4 can take during the time between now and April 1, 2014 (they must take one of them, and they must formally declare their choice):

  1. In Approach 1, the entity pretty much continues what it is doing now: annually applying a risk-based assessment methodology (RBAM) as required in CIP-002-3 R2.[ii]  If that annual application happens to bring any new Critical Assets into scope, the entity then deals with them per the CIP Version 3 “Implementation Plan for Newly Identified Critical Cyber Assets and Newly Registered Entities” (IPNICCANRE) unless the asset will be critical under the V4 criteria (in which case the IPNICCANRE doesn’t apply and the asset has to be fully compliant on 4/1/2014).[iii]  When April 1, 2014 rolls around, they will have to fully comply with CIP-002-4 through CIP-009-4 just like everyone else, with the exception that Criteria 1.4 and 1.5 in Attachment 1 of CIP-002-4 will not apply (for more on this exception, see below).
  2. In Approach 2, the previous RBAM goes away.  The entity adopts the CIP Version 4 bright line criteria (in CIP-002-4 Attachment 1) in lieu of an RBAM, thus using those criteria to determine its critical assets.[iv]  The entity continues to do this after April 1, 2014.  For assets that are critical under V4 but not under V3, the entity won’t be audited for compliance until after 4/1/2014.  For assets that are critical under both V3 and V4, audits will continue as scheduled during the runup to 4/1/2014 (this is possible because the standards being audited on – CIP-003 through CIP-009 – are identical in V4 and V3).

However, in Approach 2 the entity can disregard Criteria 1.4 and 1.5 of Attachment 1 in CIP-002-4.  This means that blackstart plants and cranking path substations are out of the compliance picture for those entities that choose Approach 2.  In fact, even if an entity chooses Approach 1 and sticks with their current RBAM, they will still be able to disregard those two criteria when CIP V4 becomes enforceable on 4/1/2014 (as I just said above).  Let me stress this: Blackstart plants and substations are now out of the picture as Critical Assets for CIP Version 4.[v]  The V4 bright-line criteria are now much closer to those in V5 (of course, there still are other differences, but blackstart facilities were until now the biggest difference between V4 and V5).

The astute observer, who read my March post making fun of the draft version of this plan presented at the Albuquerque CIPC meeting, may now accuse me of hypocrisy.  That draft plan would have allowed NERC entities to choose whether to comply with the V4 or V5 bright-line criteria.  I said the draft plan was unworkable because the regional entities would never allow their members to choose between criteria that were approved by FERC and thus were regulatory law (i.e. the V4 criteria) and criteria that weren’t (V5).  Yet now I’m saying the new plan is workable, even though it is essentially allowing the entity to make the V4 criteria much closer to the V5 criteria (even better, they can take out the two V4 criteria that aren’t in V5 while still skipping the criteria in V5 that go beyond V4 – such as the expanded coverage of control centers and substations).  Why is this plan workable while the Albuquerque plan wasn’t?

The difference, Dear Reader, is that now the Regional Entities (specifically, the CIP auditors at the RE’s) have bought in on the plan – in fact, they helped write it.  And to be clear, NERC and the RE’s aren’t saying that Version 4 is changed – they’re just saying that, during the “transition period” before Version 5 is approved (which I believe won’t be until later 2014 at the earliest), they won’t do compliance audits on blackstart facilities (and they presumably won’t after V5 is approved either, unless FERC mandates that blackstart facilities be put back into the V5 criteria when they approve it).

So what about FERC?  After all, they’re the final word on all of this, right?  NERC can tell people to disregard Criteria 1.4 and 1.5, but if April 1, 2014 comes along and FERC decides they don’t agree with this approach, couldn’t they just start fining entities who didn’t declare their blackstart facilities as Critical Assets?

This was exactly my question when I first read the plan.   However, in communicating with a couple knowledgeable people, I was assured that this was unlikely to happen.  Since the auditors won’t be auditing blackstart facilities, there won’t be any Potential Violations passed up to FERC for them.  FERC would have to use some procedure called a 1-B (I'm told this is a horrendous FERC audit that you wouldn't wish on your worst enemy's dog), which is outside of the normal audit process, to find a violation.  And one hopes that there is some sort of understanding between NERC and FERC on this – after all, FERC staff members can read the plan as well as anybody else.  As I’ve said, the backing of the regions is the key difference between this plan and the Albuquerque version.  But keep your ears open.  Obviously, if either FERC or NERC changes their mind on this plan, it goes out the window.[vi]

There is one important thing to keep in mind about the V4 bright-line criteria.  Even though criteria 1.4 and 1.5 are out of the picture now, there are two other criteria that depend on them.  In Approach #2, the second sentence states “Control centers associated with Blackstart Resources (Criterion 1.15) and Cranking Paths (Criterion 1.16) shall continue to be deemed critical, regardless of the aforementioned exclusion.”  In other words, if a control center controls blackstart resources identified in Criteria 1.4 or 1.5, it will still be critical, even though the blackstart resources themselves are no longer “critical”.[vii]

If you thought you were done now, sit down.  We still have a ways to go on this.  We now have the really complicated part – the timeline issues.  Probably the best way to deal with them is to break them down into the different cases.

  I. If your assets subject to the V4 criteria (except 1.4 and 1.5) were all in existence on April 1, 2012, you have to be fully compliant for all of those assets on April 1, 2014.
  II. If you have assets that meet the V4 criteria (except 1.4 and 1.5) but that were identified between April 1, 2012[viii] and June 25, 2012[ix], they are subject to the CIP Version 3 IPNICCANRE linked above.  That would possibly allow a later compliance date than 4/1/2014, although not later than June 25, 2014 (thank God for small favors, as my old boss used to say).
  III. (this is the most important case) For assets that meet the V4 criteria that were in service on June 25, 2012 and not already under a V3 IPNICCANRE schedule, the compliance date for all of V4 (CIP-002-4 through CIP-009-4) is April 1, 2014 (although see the next case for an exception to this rule).[x]
  IV. NERC realized that an asset could have been in service on June 25, 2012, but that the entity wouldn’t have known at the time that it would meet the V4 bright-line criteria because it hadn’t yet received a “third-party notification”.  Specifically, there are four criteria – 1.3, 1.8, 1.9 and 1.10 – which identify an asset as critical when notification is received from an RC, TP, PC or PA.  If that happens to an entity after June 25, 2012 (and continuing through the CIP Version 4 enforcement period, which starts 4/1/2014 and ends when Version 5 kicks in perhaps 2-3 years later), the asset owner/operator will follow the Version 4 IPNICCANRE, meaning the compliance date will almost certainly be later than 4/1/2014.

It is worth mentioning that the plan specifically addresses the question whether assets newly identified as critical under the V4 criteria are subject to compliance with just CIP-002-4 on 4/1/2014, or with all of CIP-002-4 through CIP-009-4.[xi]  The plan says:

Responsible Entities that will have new assets identified under the CIP Version 4 bright-line criteria between June 25, 2012 and April 1, 2014 should follow the FERC-approved implementation plan for CIP Version 4. This means that assets that met the CIP-002-4 Attachment 1 bright-line criteria as of the effective date of Order No. 761, which is June 25, 2012, must be compliant with all aspects of CIP Version 4 on April 1, 2014.

How can we sum up the compliance date discussion in a short, pithy sentence?  Here I go: If you had an asset that was in service on June 25, 2012 (whether or not it was a Critical Asset under CIP Version 3), and it meets one or more of the bright-line criteria in CIP-002-4 Attachment 1 (except for 1.4 and 1.5), then it must be fully compliant with all of CIP-002-4 through CIP-009-4 on 4/1/2014 – with the exception of third-party notifications as in case IV above or assets identified in the 4/1/2012-6/25/2012 window, subject to the V3 IPNICCANRE.   This isn’t exactly “Give me liberty or give me death” but hey, this is NERC we’re talking about; nothing is short and pithy in NERC-land.   However, I think they’ve done a pretty good job overall with this new plan.[xii]

[i] I still believe that the V4 compliance date should be pushed back from 4/1/2014 by 6 to 12 months because of all this confusion.  However, I don’t expect that to happen.
[ii] The document mentions “This risk-based discussion may reach conclusions supported by the CIP Version 4 bright-line criteria…”  However, this is not the same as adopting the V4 BLC as your RBAM.  That’s what Approach 2 is about.
[iii] I’m being somewhat misleading when I say this, since when you read the rest of this post you’ll realize that nobody in their right mind would designate a new asset as critical under Approach 1, if it wouldn’t also be critical under Approach 2 – since Approach 2 will essentially be the only “approach” after 4/1/2014.
[iv] In fact, even still calling this an RBAM is misleading, since there will be no auditing of that document.   Essentially, the entity is moving to CIP-002-4 (which doesn’t have an RBAM) ahead of schedule, period.
[v] You may wonder what happens to entities that choose Approach 1 but whose RBAM identifies one or more blackstart resources as Critical Assets.  Will those blackstarts still be Critical Assets?  The answer is, between now and 4/1/2014, the auditors will only audit assets that meet the Version 4 bright-line criteria, so those blackstarts will effectively not be Critical Assets either.  In fact, any other asset that might be identified by the RBAM, that isn’t covered in the V4 criteria, is effectively no longer critical.
[vi] It was pointed out to me that, if FERC really does change their mind on this, they will do so only if they intend to make blackstart resources High or Medium impact under CIP Version 5.  So if FERC does object to this plan, blackstart owners should plan on pretty much permanent status as critical assets (which will raise other problems of course). 
[vii] Regarding the notion of controlling generation, it is important to read the discussion of what that means on page 11 of the CIP V4 Rationale and Implementation Reference Document.
[viii] The plan says April 19 is that date, not April 1.  But a regional auditor suggests that the date should really be 4/1/2012, since that gives two full years for compliance.  What a guy.
[ix] This is 60 days after FERC Order 761, approving V4, was published in the Federal Register.  It is the effective date of Order 761, which was actually issued on April 19, 2012.
[x] You may notice a seeming contradiction here: In the previous case, assets identified before 6/25/2012 might have longer to comply than 4/1/2014.  Yet assets identified on or after 6/25/2012 have to comply on 4/1/2014, with the exception noted in case IV.  This is because Order 761 essentially overrode the V3 IPNICCANRE for assets that were in existence on the date it became official, 6/25/2012.  This means you can’t claim that you just noticed that an asset was critical under CIP-002-4 on say February 1, 2013 – and therefore you should have more time to comply.  It also means that if a new asset was commissioned on say August 1, 2013, it still has to be fully compliant on 4/1/2014.  The IPNICCANRE (both the V3 and the V4 versions) makes clear that newly commissioned assets need to be compliant upon commissioning.
[xi] I dealt with this issue in this post in January.  Portions of that post are now moot because of this new plan, but the discussion of this issue remains valid.
[xii] There are a couple more points made in the plan.  One confirms that assets that are critical under V3 can be removed as critical if the entity chooses to apply the V4 bright-line criteria (minus criteria 1.4 and 1.5) now.  The other confirms that certain periodic activities required by CIP, like the various annual assessments and the cyber vulnerability assessment, must be completed by 4/1/2014 for assets that are critical under the V4 criteria (this is the “bookending” issue, that we discussed in our recent webinar on Version 4). 
