Monday, May 27, 2013

The Transition to CIP Version 5

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

Oct. 18, 2014: Can someone tell me why this post is getting so many hits lately?  If you're all history buffs, I guess it has a certain value that way.  But don't expect to find anything that is going to help you now.  I admit I need to address this topic again soon, but this post from July gives some guidance.  I expect to have another on the actual transition - rather than the timeline - within a couple weeks.

Nov. 8: It is very likely FERC will approve CIP Version 5 before Thanksgiving, most likely at their meeting on Nov. 21.  Of course, what will be important is the Order they issue with V5.  When that is issued, your reporter will sequester himself until he has figured out what it means, and will post that as soon as possible thereafter.

July 25: I just put up a new post on NERC's Version 5 transition plan - or at least the "proposed" plan they released this week.  You can find it here.

Last week (May 21 and 22) I attended the excellent CIP workshop put on annually by SPP in Dallas.  I regret that I didn’t mention this workshop in previous blog posts, since it isn’t limited to SPP entities and provides a lot of good information (they did have good attendance).  Next year, look for the announcement on SPP’s website around Feb. or March.

One highlight of the meeting was a presentation by Kevin Perry, the Chief CIP Auditor for SPP (and member of the original NERC CIP Standards Drafting Team).  The title was “The CIP Version 4 Transition”.  Now before you start wondering what that has to do with the transition to Version 5 (especially since FERC’s NOPR makes it clear they don’t intend to let Version 4 come into effect), listen to his argument.  His reasoning goes like this (although a little of this is my own enhancement of what he said):

  1. There is only one fully approved new version of NERC CIP at the moment – Version 4.  The date for full compliance with V4 is April 1, 2014.
  2. While FERC said in the NOPR that V4 won’t come into effect, we can’t be absolutely sure that will happen.  As of today, NERC entities can’t just assume that V4 won’t come into effect.
  3. But there is a saving grace in this, in that a lot of what an entity has to do to prepare to comply with V4 will be exactly the same as what’s required to prepare for V5.  So the entity can take certain steps now that will be required no matter which way the wind blows in the future.
  4. NERC has said they will come out with a transition plan for Version 5 in July, which will hopefully address many questions that entities have on this.  As of the moment, Kevin has no idea what will be in the plan.[i]
  5. I pointed out in a question to Kevin that, while there are certainly a lot of common steps that need to be taken to prepare for either Version 4 or Version 5, there are also some steps that would be very specific to one version.  For example, an entity complying with Version 4 (who didn’t already have to comply with Version 3) would have to prepare a lot of specific documentation templates, etc. before 4/1/2014.  If Version 4 doesn’t happen, these items can’t be reused for Version 5.  There still is potentially a big opportunity to waste resources on Version 4 compliance activities.
  6. At that point, Scott Mix of NERC (for those of you who don’t know him, he’s the Obi Wan Kenobi of NERC CIP) pointed out that NERC is quite aware of this problem, and hopes to address it in the transition plan.  The specific way I hope they address it is to say that, if an entity chooses not to spend a lot of money on becoming V4 compliant on 4/1/2014 but then (due to some strange and unforeseen occurrence) V4 does come into effect on that date, they will be given extra time to comply .  Or maybe they won’t even have to comply with V4 at all, if V5 is approved soon after that date (of course, NERC wouldn’t have actual legal authority to do this.  They also didn’t have full authority to say in the V4 transition plan that blackstart resources wouldn’t be audited.  But it seems likely that FERC isn’t going to come down hard on them for this, and might indeed have given them some signal that this was OK).  We’ll have to wait until July to know exactly how NERC’s Version 5 transition plan is worded.
I know the V4-V5 transition is an important question because I have had two large IOU’s tell me in the last few days that they are plowing forward on their Version 4 implementation plans - since they can’t take any chance of having it come into effect and being caught non-compliant on 4/1/2014.  What can those entities (and any others in the same boat) do now, that will move them toward both V4 compliance and V5 compliance at the same time?  I will divide the discussion into several areas.

I. Critical Assets / High and Medium Impact BES Facilities
If you’re concerned about the possibility of having to comply with CIP Version 4 before Version 5, you will be glad (perhaps that’s not the right word) to know that your facilities that are Critical Assets for V4 will almost all be High and Medium impact Facilities in scope for V5 (which will require similar controls to those required of Critical Assets now).  The bright line criteria are very similar in V4 and V5, with the exception of blackstart facilities (blackstart plants and substations in the cranking path).  However, NERC’s April Version 4 transition plan specifically stated that blackstart facilities won’t be audited when/if V4 comes into effect, so they are in effect no longer critical under Version 4 either.

With blackstarts out of the way, the differences between the two versions are mainly in these areas[ii]:

  • More control centers are High or Medium impact under Version 5 than are Critical Assets under V4.  But since all V4 control centers will be High or Medium under V5 as well, you won’t be wasting your time by implementing security controls at V4 control centers that aren’t currently critical under Version 3.
  • There are definitely wording differences between V4 and V5 in the criteria for substations, but given how complicated the criteria are, your Operations people will need to tell you what the impact will be for your organization.
  • FACTS (Flexible AC Transmission Systems) seem to me to be the one case where an asset is critical under V4 but not High or Medium under V5, since there is no criterion in V5 that specifically mentions FACTS.  But your Operations people need to look at this.[iii]
  • Of course, in V5 every BES Facility that isn’t High or Medium impact will be a Low impact.  But given that almost none of these facilities are critical under Version 4, this doesn’t affect the decision of what to do now.

Kevin did devote a lot of his discussion in Dallas to the question of adopting the Version 4 bright-line criteria as your RBAM for CIP Version 3.  NERC’s CIP Version 4 Transition Plan (you can see my post about that plan here ) says there are two options for this:

  1. You can adopt some or all of the V4 bright-line criteria as your RBAM.  That means you will have to show there is a risk basis for adopting those criteria (and you could of course include other “criteria” in your RBAM as well).
  2. You can adopt the V4 criteria without change (meaning you can’t pick and choose among them).  The plan said specifically that you can ignore the criteria having to do with blackstart resources, but you have to include all of the other criteria unchanged.[iv]  In this option, you don’t have to provide a risk basis.

Whether or not FERC ends up approving V5, you can adopt the Version 4 criteria now since this is part of the V4 transition plan, which has been officially promulgated by NERC.  Kevin did also recommend the following:

  1. If you do follow Option 2, get this signed by your CIP Senior Manager just like you would do with the RBAM.
  2. Don’t wait until you’re about to be audited to adopt the bright line criteria.  If you do, you’ll still be audited on the basis of your old RBAM up until the point where you switched.  In other words, if you’re going to adopt the BLC, do so soon.

Many will ask: can we adopt the V5 criteria, rather than the V4 ones?  That will presumably be answered in NERC’s V5 transition plan in July.  However, don’t assume that the plan will allow adopting the V5 criteria now.  Remember, the V4 criteria are set in stone since FERC has approved them.  The V5 criteria are still fluid, and FERC may still require changes in them.  Fortunately, given how close the criteria now are between V4 and V5, it probably wouldn’t be much of an imposition if you were only allowed to adopt the V4 criteria, even though V5 (really V6 of course) is probably the next CIP version to come into effect.

III. What should I do?  What shouldn’t I do?
Here is my handy dandy guide to figuring out what is worth doing and what isn’t worth doing during the V3-V4-V5 transition period.  My feeling is this should cover most entities, even in the unlikely event that V4 comes into effect.  However, caveat emptor.  There is still much uncertainty (of course, there has essentially been nothing but uncertainty regarding the path to the new CIP versions since at least 2010.  Every month I have thought the uncertainty was finally about to end, and almost every month it’s ended up increasing).

1.                   If you have assets that are currently critical under your RBAM but won’t be critical under the v4 criteria, you should definitely look at adopting the V4 BLC now, so you can remove them as Critical Assets.  Even if the V4 BLC will add any Critical Assets, remember the V4 transition plan says you won’t be audited on them until V4 comes into effect (and hopefully the V5 transition plan will say something similar).  Of course, keep in mind, if you drop Critical Assets, that they will still be Low impact under V5, meaning you shouldn't start ripping out your security controls.
2.                   If you have assets that will be critical under V4 and High/Medium impact under V5 (and almost all V4 Critical Assets will be High/Medium under V5, except of course for blackstart resources), you can certainly start to put in place the controls that will be common to both standards.  For example, both standards require ESPs, personnel risk assessments, patch management, monitoring of physical access, incident response plans, etc.
3.                   What you shouldn’t do now is invest a lot in developing procedures, training and documentation specific to Version 4 – that is effort that will be wasted if Version 4 does not in fact come into effect, as seems very likely to happen.
4.                   You should start thinking about your Low impact assets – essentially, everything you own or operate that touches the BES, that won’t be a High or Medium impact under V5.  While the Version 5 compliance date for Lows is probably at least three years away, the problem is there are so many Lows.  If you wait to do anything at all until FERC approves Version 6 (which probably won’t be until later 2014), you may then have a big scramble to get them all compliant in the two years or so that FERC allows for compliance.[v]
5.                   Remember, FERC broadcast loud and clear in their NOPR that they want specific controls to be applied to Lows (not just the four policies that are in Version 5 now).  And they also made clear they want cyber assets at Low impact facilities to be inventoried.  A good first step would be to conduct an inventory of all cyber assets at all Low impact facilities.  This will be a large job for many entities, but it will have to be done for Version 5 anyway, and it’s the foundation for any further cyber security program.

P.S. Be sure to sign up for Honeywell’s upcoming webinar with EnergySec, “Covering your Assets in CIP Version 5”.  You can sign up for it here.  The webinar is on August 21st 10:30CDT.  If you can’t make the webinar but want to see the video, sign up anyway.  You’ll get the link to the video as soon as it is posted after the webinar.

[i] Ironically, NERC came out with their Version 4 transition plan – which had been promised for about a year – around April 11, one week before FERC issued their NOPR and changed the whole situation.  But as you'll see in this post, the plan does still have a lot of significance.  August 2: Even though NERC came out with a draft V5 transition plan last week, it seems likely they will never come out with an official one until FERC approves V5 and makes the way clear.  So the V4 transition plan remains in effect, although you should confirm this with your Regional Entity.

[ii] When I say “mainly”, this is the judgment of Tom Alrich, non-EE.  There are wording differences between V4 and V5 in almost all of the criteria.  These seem trivial to me but need to be reviewed by your Operations people to make sure there isn’t some hidden gotcha that makes V5 more or less inclusive than V4 for a particular type of Facility.  I've been told by a number of entities that the V5 criteria for substations are much more inclusive than the V4 criteria.
[iii] They especially need to review whether Criterion 2.6 in Version 5 does actually cover FACTS; the V4-V5 mapping document the SDT sent out (which isn’t part of the standards) shows that criterion as corresponding to Criterion 1.9 (FACTS) in V4.
[iv] There is one other provision in the V4 plan that you should know about.  Let’s say your organization has a control center that controls blackstart plants; criterion 1.15 in CIP-002-4 Attachment 1 says that control center has to be critical since it controls a Critical Asset.  Since the blackstarts won’t effectively be critical under V4, will the control center also not be critical?  No.  The transition plan says (page two) “Control centers associated with Blackstart Resources (Criterion 1.15) and Cranking Paths (Criterion 1.16) shall continue to be deemed critical regardless of the aforementioned exclusion” (the exclusion referred to is the exclusion of blackstart resources from audits once V4 is implemented).  Plus, in Version 5 most control centers will be High or Medium impact anyway.

[v] While the Version 5 implementation plan now allows three years for the Lows to become compliant after FERC approval, FERC expressed big reservations about this in their NOPR.  I am guessing that FERC will require about a two-year implementation period for Lows (and about a one-year period for Medium/Highs), although keep in mind this will be from late 2014 or early 2015, when I believe that FERC will approve CIP Version 6, the next version you will have to comply with.


  1. What's the basis for thinking that NERC will release a v5 transition plan in Jul2013?

    My search found only the following statement in NERC's Cyber Security Standards Transition Guidance dated 11 Apr2013:
    "Once Version 5 is approved by FERC, NERC will provide additional transition guidance."

    Why does this 27May blog suggest that NERC will provide transition guidance in Jul2013 while your earlier blog suggests that FERC approval for v5 may not arrive until 02Jan2014?


  2. Both good questions, beenthere. It was stated at the SPP CIP Workshop that NERC had advised the regional auditors that this was coming. However, they also had advised them more than a year ago that the V4 transition guidance was coming, and it didn't show up until two months ago.

    However, given the big decisions that NERC entities have to make very soon, I am pretty confident (or at least hopeful) that NERC will make this deadline.

    And this is the same reason that they can't wait until FERC approves V5 - entities can't wait that long for guidance. Of course, that does mean the guidance will be conditional, based on FERC's actually approving V5 by 4/1/2014.

    However, since we don't know what kind of changes FERC may make to the implementation plan for V5 (really the V6 implementation plan, since V5 will never be implemented), the NERC guidance will probably assume the same implementation schedule as in the V5 plan as it stands now (even though FERC has said they will likely want it shortened).

    As usual, nothing is simple in NERC/FERC-land.