Monday, July 29, 2013

Open Letter to NERC

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

July 31: I listened to Scott Mix's excellent presentation to TRE on CIP Version 5 today (7/31). I submitted the question of when NERC would tell entities it was OK not to worry about V4 anymore, but he didn't explicitly answer it. However, from other things he said I can infer his answer: NERC expects FERC to approve CIP Version 5 this year, but until then, NERC entities can't rest assured that Version 4 won't come into effect on 4/1/2014. He spent a lot of time discussing timeline for V4 compliance, etc.

This isn't great news, since I know it means some entities will continue to spend money on Version 4 compliance, even though that will in all likelihood be wasted. All I can say is I tried, and I hope FERC approves Version 5 in September, as NERC seems to think they will (although Scott said he thought it would be later this year).

Aug. 2:  I knew there was a reason why I am the only person in North America working on an August Friday afternoon.  NERC just officially released the proposed transition plan - the same one I saw a week ago.  However, they say this will be finalized on Aug. 14.  This is good because there will now be an official plan for transitioning to Version 5.  But it's bad because they clearly aren't going to address the issue of whether Version 4 will come into effect - and whether they'll audit against it if by some chance it does.  So entities who want a final word on this will have to wait until FERC approves Version 5.

Sept. 7: To nobody's surprise, the final version of the CIP Version 5 Transition Plan ignores my sage advice below.  So we'll have to wait for FERC to approve V5 directly and put an end once and for all to the idea that V4 might still happen.  
Dear NERC:

I was pleased with what was in the proposed CIP Version 5 Transition Plan released last week.  However, I have a big concern about something that wasn’t in it. 

My concern is about guidance on CIP Version 4.  As you know, FERC made it quite clear in their NOPR that they don’t intend to let Version 4 come into effect.   However, it was exactly one year before that NOPR, in Order 761, that they had made it very clear that Version 4 would come into effect. 

A number of NERC entities (and I talked to two of them just this morning) believe they can’t take a chance that FERC will change their mind again and V4 will come into effect.  Some of them are still going forward with Version 4 preparation, including things like documentation and training that will not be applicable to CIP Version 5 – i.e. these are probably stranded costs that might not be allowed by the PUC’s. 

I had reason to believe the Version 5 plan would indeed address this question.  I thought Scott Mix’s comments at the SPP CIP Workshop in Dallas in May (which I reported in this post, see the paragraph numbered 6) indicated the plan would do that.  However, there is no word at all about it.  I certainly hope the final plan – which I also hope will be issued soon – will address the issue.  Let me suggest some rough language that would, I believe, allow a lot of NERC compliance professionals (as well as utility and IPP CEO’s!) to sleep at night:

Should CIP Version 4 come into effect as currently scheduled, and absent some other FERC directive on this issue, NERC will encourage the Regional Entities not to audit for strict compliance with CIP Version 4.  Instead, NERC will encourage the Regional Entities to recommend to their members that any assets, not currently critical under CIP Version 3, be instead prepared for CIP Version 5 compliance.[i]

Oh, and one more thing before I let you go, NERC.  It seemed in the discussion of the Transition Implementation Study (included with the proposed transition plan) that the final plan might not come out until the study was completed – i.e. in Q2 2014.  I hope I’m wrong about this interpretation.  Needless to say, since Version 4 will come into effect on the first day of that quarter (if it comes into effect at all), it will obviously not help any NERC entity if the V5 plan – even with the statement above – comes out after that!  The final plan really needs to come out very soon (tomorrow would be fine with me), since some NERC entities are incurring stranded V4 compliance costs as I write this sentence.

Please let me know as soon as possible (you can comment below or send me an email at when and how you will address this issue.

Respectfully yours,

Tom Alrich
Overall Nuisance and NERC/FERC Scold

[i] This recommendation is valid because, as far as I – speaking as Tom Alrich – know, there are few if any assets that would be Critical Assets under the Version 4 bright-line criteria that wouldn’t also be High or Medium impact under the Version 5 criteria.  And also because any assets that are currently Critical Assets under Version 3, that would remain critical under the Version 4 criteria, wouldn’t have to have anything done to them to remain in compliance under V4 – since CIP-003 through CIP-009 remain the same in V4 as in V3. 

The only exception to this statement – and this once again proves my ironclad rule that no exception-less statement can be made about anything having to do with NERC – would be >1500MW plants, where the provision in CIP-002-4 R2 about Critical Cyber Assets would make V4 compliance different from V3.  But that’s not worth worrying about now, since again the chances of V4 actually coming into effect are very remote indeed.

No comments:

Post a Comment