Wednesday, August 28, 2013

"Facilities, systems and equipment"


All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

Honeywell and EnergySec recently put on a very successful webinar on CIP Version 5; you can view the recording here.  My job in that webinar was to discuss CIP-002-5: specifically, how an entity goes about identifying its assets in scope for Version 5 (both the “big iron” aka facilities like control centers, and the “little iron” aka cyber assets).

In putting together my presentation, this wasn’t the first time I’d set out to describe the V5 asset identification process.  My first time was after FERC’s NOPR in April, when I set out to write a series of posts on how an entity actually complies with Version 5.  I started with CIP-002-5 (of course), but as I began to write my post, I started to realize something pretty disturbing: There is no way an entity could sit down with this standard and learn what it needs to do to comply with CIP Version 5.  A corollary to that statement is that there is no way (as far as I can see) that an auditor could strictly follow the standard to determine whether an entity was in compliance with it.

This post led to a series of three more in which I went into the problems in CIP-002-5 in more depth.  The fifth post in this series (and I’d never planned it as a series, of course) was comments that I submitted to FERC (as part of the NOPR comment period that ended in June), in which I rewrote CIP-002-5 in a way that I believe makes it a usable standard.[i]

As I started working on my webinar presentation, I revisited my previous efforts to make sense of the CIP-002-5 standard as written.  But I noticed something I hadn’t noticed before: the phrase “Facilities, systems and equipment”, which plays a big role in the standard, should simply never have been used at all.  Either because I just didn’t see this the first time around, or more likely because I was already overwhelmed with the other problems in the standard and thought this one was a little less pressing, I missed this in my previous posts (mainly in this post), as well as in the comments I submitted to FERC.

“Facilities, systems and equipment” appears in Sections 4.1 and 4.2 of the standard.  These sections, which are intended to be a precursor to the actual requirements that follow, provide a guideline for a NERC entity to decide whether it does have assets (“big iron”) that will fall under CIP Version 5.  Essentially, if an entity has a NERC functional classification (BA, TOP, etc) that is listed in Section 4.1, all of its owned “Facilities, systems and equipment” are in scope. 

Section 4.2 starts with this paragraph:

Facilities: For the purpose of the requirements contained herein, the following Facilities, systems, and equipment owned by each Responsible Entity in 4.1 above are those to which these requirements are applicable. For requirements in this standard where a specific type of Facilities, system, or equipment or subset of Facilities, systems, and equipment are applicable, these are specified explicitly.

“Facilities” is capitalized because it is a defined term in the NERC Glossary.  Here is the definition:

A set of electrical equipment that operates as a single Bulk Electric System Element (e.g., a line, a generator, a shunt compensator, transformer, etc.)

Now that I look at it more closely, I see two problems with Section 4.2:

  1. If taken literally, the phrase “Facilities, systems and equipment” requires the entity to evaluate every Facility (per the definition), every system, and every piece of equipment it owns for applicability in CIP Version 5.  Leaving aside Facilities for the moment, it implies that the entity needs to list every computer system it owns (whether it’s an EMS balancing load and supply in an entire city or a system sitting on an account clerk’s desk, used for dealing with late bill payers), as well as every piece of equipment it owns (each truck, each pair of wire cutters, etc).  You can imagine this would be a pretty long list in the case of Duke Energy.

  2. Now with regard to “Facilities”, look at the examples shown in the definition: “a generator, a shunt compensator, a transformer”.  Again, following the literal wording of Section 4.2, the entity needs to develop a list of every generator (not a generating station, but presumably every unit in that station, as well as every backup diesel generator in the warehouse), every shunt compensator (I don’t know what that is, but I have a strong feeling that it should never be considered as an asset in CIP Version 5), and every transformer.  And the auditor should ding them if they can’t prove they’ve done that.

Of course, this is nonsense.  It was never the intent of the SDT for the entity to have to develop these lists.  In fact, when the entity gets to Requirement 1, they see this:

Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: [Violation Risk Factor: High][Time Horizon: Operations Planning]

i. Control Centers and backup Control Centers;
ii. Transmission stations and substations;
iii. Generation resources;
iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.

Since parts 1.1 through 1.3 take the entity through Attachment 1, what the above is really saying is this: “Forget all the stuff we said in Section 4.2 about Facilities, systems and equipment.  What we really want you to do is consider each of these six types of assets[ii] in Attachment 1.”  Is your response the same as mine:  “Why did you make us go through the effort of listing every Facility, system or piece of equipment we own in Section 4.2, if we really only need to consider these six assets?  Why didn’t you just tell us in 4.2 that these six assets are everything that is in scope for CIP Version 5?  Why even mention ‘Facilities, systems and equipment’ in the first place?”[iii]

I don’t have a good answer for this question, to be honest.  It seems to me the SDT had one meeting too few: before they developed the final draft of V5, they should have called one final meeting just to try to fix the problems in CIP-002-5 (not just this, but all the problems I’ve previously discussed).  The fact that they didn’t do that has left the industry with a standard that nobody can strictly follow and nobody can strictly audit.  There have been a lot of problems with interpreting and auditing CIP Versions 1-3, but the standards themselves don’t lead to logical dead ends like CIP-002-5 does.  My hope is that FERC will order NERC to rewrite CIP-002-5 to address these problems, along with the other changes in Version 5 they are probably going to require.

This is why, in the webinar, I recommended that NERC entities simply disregard the “Facilities, systems and equipment” language in Section 4.2 and instead substitute the six asset types in Section R1.  But if FERC doesn’t order any changes in CIP-002-5, let’s hope the auditors don’t feel inclined to take the wording of Section 4.2 too seriously when it comes time to audit this; let’s hope they have a good sense of humor and consider “Facilities, systems and equipment” to be the SDT’s little joke.  But this isn’t exactly how auditors are supposed to think, is it?

In the rest of this post, I’m going to rewrite my version of CIP-002-5 that I submitted to FERC, to accommodate this change (there are other changes required as well, due to the fact that Facilities reappears in Attachment 1). 


My Original Version
This is what I submitted to FERC as my replacement for CIP-002-5 (for the reasons why I used this wording, see the series of posts):

(I first provided the following definition of Asset, for insertion either in Section 4.2 or in the V5 Definitions document:)
An Asset is a Control Center or a group of one or more Facilities at a single location.
(Then I continued with the requirements themselves)

R1. Each Responsible Entity shall:
R1.1 Implement a process that considers each of the following Assets or Facilities for purposes of Requirement R2:
i. Control Centers and backup Control Centers;
ii. Transmission stations and substations;
iii. Generation resources;
iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 above.

R1.2 Develop a list of its Assets or Facilities including each type listed in R1.1.
R2. Each Responsible Entity shall identify its High, Medium and Low impact BES Assets or Facilities in parts 1.1 through 1.3:
2.1  Using the criteria in Attachment 1, Section 1, identify its High impact Assets or Facilities;
2.2  Using the criteria in Attachment 1, Section 2, identify its Medium impact Assets or Facilities;
2.3  After removing High and Medium impact Assets or Facilities from the list of Assets or Facilities developed in R1.2, identify the remaining Assets or Facilities as Low impact.
R3. The Responsible Entity shall identify BES Cyber Assets associated with each High, Medium and Low impact Asset or Facility.  Only BES Cyber Assets located at a High impact BES Asset shall be considered to be associated with the High impact BES Asset.  All BES Cyber Assets associated with an Asset or Facility shall be classified with the impact level of that Asset or Facility.
R4. The Responsible Entity shall identify BES Cyber Systems from groupings of one or more BES Cyber Assets. 
R5. The Responsible Entity shall:
2.1 Review the identifications in Requirements R1-R4 and all their parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and
2.2 Have its CIP Senior Manager or delegate approve the identifications required by Requirements R1-R4 and all their parts at least once every 15 calendar months, even if it has no identified items in Requirement R1.

(I then proposed this replacement for Attachment 1)

1. High Impact Rating (H)
Assets or Facilities that meet one or more of the following criteria are High impact:
(followed by existing criteria 1.1 – 1.4)
2. Medium Impact Rating (M)
Assets or Facilities that meet one or more of the following criteria, and are not included in Section 1 above, are Medium impact:
(followed by existing criteria 2.1 – 2.13)
3. Low Impact Rating (L)
Assets or Facilities meeting the applicability qualification in Standard Section 4, which are not included in Sections 1 or 2 above, are Low impact:
(followed by the same list of types of assets as in CIP-002-5 Attachment 1 part 3) 


My New Version
These are the changes that need to be made in the above:

  1. The definition of Asset now isn’t needed.  We are going to “define” asset as simply the six types of assets listed in R1.
  2. I will take “Facilities, systems and equipment” out of Section 4.2 and replace it with the list of six asset types (since “Facilities, systems and equipment” appears multiple times in 4.2, I have reproduced the whole section below and changed those references).  This will allow me to remove that same list from R1.
  3. We will replace all of the “Assets or Facilities” with just “assets”.  Again, since we’re no longer specifically defining the word, it isn’t capitalized.  It just means the six types of thingamajigs now listed in Section 4.2.
  4. I’m kind of glossing over one problem in Attachment 1 that I discussed at length before: the fact that “Facilities” rears its head again in Criteria 2.3 – 2.8 in Attachment 1.  As I pointed out then, I believe the main reason the SDT did this was to allow entities to separate out distribution from transmission elements at substations that have both.  To be honest, I can’t see any real purpose in trying to figure out a way to word these six criteria that doesn’t include “Facilities” – so I’m not going to suggest any changes in these criteria (or any of the other criteria, for that matter).  The SDT did do a good job of describing their intent to let the entities “slice and dice” their substations in the Guidance and Technical Basis of the standard.  Hopefully, the auditors will consider that enough authorization for this practice.

Here is my new version:

4.2. Facilities: For the purpose of the requirements contained herein, the following assets are those to which these requirements are applicable. For requirements in this standard where a specific type of asset or subset of assets is applicable, these are specified explicitly.
i. Control Centers and backup Control Centers;
ii. Transmission stations and substations;
iii. Generation resources;
iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
v. Special Protection Systems that support the reliable operation of the Bulk Electric System; and
vi. For Distribution Providers, Protection Systems specified in Applicability section 4.2.1 below.

4.2.1. Distribution Provider: One or more of the following assets owned by the Distribution Provider for the protection or restoration of the BES:
4.2.1.1. Each UFLS or UVLS System that:
4.2.1.1.1. is part of a Load shedding program that is subject to one or more requirements in a NERC or Regional Reliability Standard; and
4.2.1.1.2. performs automatic Load shedding under a common control system owned by the Responsible Entity, without human operator initiation, of 300 MW or more.
4.2.1.2. Each Special Protection System or Remedial Action Scheme where the Special Protection System or Remedial Action Scheme is subject to one or more requirements in a NERC or Regional Reliability Standard.
4.2.1.3. Each Protection System (excluding UFLS and UVLS) that applies to Transmission where the Protection System is subject to one or more requirements in a NERC or Regional Reliability Standard.
4.2.1.4. Each Cranking Path and group of Elements meeting the initial switching requirements from a Blackstart Resource up to and including the first interconnection point of the starting station service of the next generation unit(s) to be started.

4.2.2. Responsible Entities listed in 4.1 other than Distribution Providers:
All BES assets.
4.2.3. Exemptions: The following are exempt from Standard CIP-002-5:
4.2.3.1. Cyber Assets at assets regulated by the Canadian Nuclear Safety Commission.
4.2.3.2. Cyber Assets associated with communication networks and data communication links between discrete Electronic Security Perimeters.
4.2.3.3. The systems, structures, and components that are regulated by the Nuclear Regulatory Commission under a cyber security plan pursuant to 10 C.F.R. Section 73.54.
4.2.3.4. For Distribution Providers, the systems and equipment that are not included in section 4.2.1 above.
(Now I skip down to R1)

R1. Each Responsible Entity shall:
R1.1 Implement a process that considers each of the assets from Section 4.2 for purposes of Requirement R2.
R1.2 Develop a list of its assets including each type listed in Section 4.2.
R2. Each Responsible Entity shall identify its High, Medium and Low impact BES assets in parts 1.1 through 1.3:
2.1  Using the criteria in Attachment 1, Section 1, identify its High impact assets;
2.2  Using the criteria in Attachment 1, Section 2, identify its Medium impact assets;
2.3  After removing High and Medium impact assets from the list of assets developed in R1.2, identify the remaining assets as Low impact.
R3. The Responsible Entity shall identify BES Cyber Assets associated with each High, Medium and Low impact asset.  Only BES Cyber Assets physically located at a High impact BES Asset shall be considered to be associated with the High impact BES Asset.[iv]  All BES Cyber Assets associated with an asset shall be classified with the impact level of that asset.[v]
R4. The Responsible Entity shall identify BES Cyber Systems from groupings of one or more BES Cyber Assets. 
R5. The Responsible Entity shall:
2.1 Review the identifications in Requirements R1-R4 and all their parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and
2.2 Have its CIP Senior Manager or delegate approve the identifications required by Requirements R1-R4 and all their parts at least once every 15 calendar months, even if it has no identified items in Requirement R1.

(I now propose this replacement for Attachment 1)

1. High Impact Rating (H)
Assets that meet one or more of the following criteria are High impact:
(followed by existing criteria 1.1 – 1.4)
2. Medium Impact Rating (M)
Assets that meet one or more of the following criteria, and are not included in Section 1 above, are Medium impact:
(followed by existing criteria 2.1 – 2.13)
3. Low Impact Rating (L)
Assets meeting the applicability qualification in Standard Section 4, which are not included in Sections 1 or 2 above, are Low impact:
(followed by the same list of types of assets as in CIP-002-5 Attachment 1 part 3) 

This is the CIP-002-5 I wish I’d submitted to FERC in June, not the other one.  I don’t believe I can amend my official comments, so I’m not sure how I’ll get this to the attention of the Commissioners.  Maybe I’ll sneak in and post it in their bathroom (of course, that doesn’t reach the one female Commissioner.  Maybe I’ll wrap this post around a rock and throw it through her window).  Or maybe they’ll read the post.








[i] Note that, in all of this, I’m not contesting what I believe to be the intention of the Standards Drafting Team in writing CIP-002-5.  I’m just saying those intentions were poorly translated into words.  I have tried to do that translation myself.

[ii] Of course, the fact that R1 refers to assets (a term that is undefined in both the NERC Glossary and the V5 Definitions) is a problem in itself.  What the h___ happened to Facilities?  This becomes more of a problem when Facilities suddenly reappears in some of the criteria in Attachment 1.  I deal with that later in this post.

[iii] Note that, even though CIP does ultimately deal with systems (BES Cyber Systems, to be exact), listing them as in scope in Section 4.2 isn’t needed.  4.2 is where you find out what “big iron” (aka assets) is in scope.  Once you’ve run all of those assets through Attachment 1, you then identify the BES Cyber Systems associated with those assets.  You don’t even think about systems before then.

As always when I get into these religious questions, I need to point out that many knowledgeable people (including SDT members) don’t agree with me on this.  They seem to think there is some independent evaluation of a cyber asset’s H/M/L impact level on the grid – different from the evaluation of the asset’s (big iron) impact.  On the other hand, I have never heard a clear explanation of how this will happen, although I can certainly see why the wording of CIP-002-5 leads these people to believe that.  This is why I rewrote the standard – to eliminate this type of confusion.

[iv] In case you’re wondering why this sentence is in here, I refer you to this post.  If you go to right before the Summary at the end, you’ll see a section that was added June 22.  This is where I explain why I put that sentence in.  It has to do with the fact that the SDT (rightfully) wanted only cyber assets physically located at control centers to be BES Cyber Assets, while for other assets like generation that isn’t the case.

[v] I admit I still have a lot of problems with this sentence.  It’s in there because this is another of those religious issues I discussed in a previous footnote.  Going hand-in-hand with the idea that there is an independent H/M/L impact analysis of each cyber asset is the idea that you can have differing impact levels of cyber assets at each asset – e.g. a control center could have High, Medium and Low impact assets.  I admit there are at least a couple cases where this is likely.  One is at a 1500MW generating station where some of the cyber systems don’t themselves affect 1500MW of capacity.  Another is when an entity creates separate networks at a High or Medium impact asset, with some networks containing BES Cyber Systems and others not containing any.  I think all the cyber assets on the former would be High or Medium (in line with the asset itself), and all of the cyber assets on the latter would be Lows.  This is one of many reasons I strongly recommend a V5 asset identification guidance document be written (in fact, I think I must have said that about ten times in the webinar).  To get back to the sentence in question, it would be nice if it were modified to allow for these two exceptions (and there may be others as well), but this may be too awkward and it might have to go.  But I do want some sentence in CIP-002-5, or at least the Guidance, stating clearly that, in general, all cyber assets take the value of the asset (big iron) they’re associated with.

Monday, August 12, 2013

FERC’s Extension of Time for CIP Version 4

September 2: I have moved away from my view that Version 6 will likely be the next CIP version NERC entities have to comply with.  As usual, it's quite complicated.  You can read all about it here.

Today, August 12, FERC approved a petition by the trade organizations to extend the compliance date for CIP Version 4 for six months, from April 1 to October 1, 2014.  Several people have emailed me to ask why they did this.  Chairman Wellinghoff isn’t returning my calls lately, but this is the scenario I see:

  1. FERC’s April NOPR on CIP Version 5 made it clear they don’t intend to let V4 come into effect.  They propose to do that by approving V5 before April 1, 2014, which will stop the clock on V4.  I doubt they have changed this intention at all.
  2. However, they were receiving reports that this wasn’t good enough for some legal departments; since there was a FERC order saying V4 would come into effect and no order contradicting that, these departments – at large IOUs – felt they had no choice but to keep plowing ahead on V4 (and a series of posts I recently did describing how one entity was still being forced by their lawyers to keep spending money on V4 compliance may have added to this perception.  Never doubt the power of the press!).
  3. NERC had also made it clear they weren’t going to do or say anything that might make these lawyers happy.  Technically, of course, there is nothing they could do or say at this point that would provide perfect legal cover for the lawyers – the whole matter is in FERC’s hands now, from a legal point of view.
  4. Meanwhile, the trade organizations petitioned to push back the V4 compliance date.  Today, FERC jumped on that opportunity to reiterate that they have no intention of letting V4 come into effect.

At first, I had the idea that maybe this meant FERC was planning on taking a lot more time to approve V5 (and order changes in it, as I and many others believe will happen.  The changed version will most likely be V6, of course); an Interested Party by whom I often run these things takes that point of view.  Since NERC seems to believe FERC will approve V5 this fall, this would mean that FERC has decided they need at least another 6 months to think about it before they act on V5 - so the approval date probably won't be until the third quarter of 2014.

This is possible (since when they approve V5 they will have to have worked out exactly what changes they want to order NERC to make, and that's no small job), but I doubt it.  I think this is all part of the new “Friendly Neighborhood Regulator” image that FERC is trying very hard to portray to the industry.  Nothing wrong with that, of course!

We're well over 500 signups, but you can still register for the EnergySec / Honeywell webinar on CIP Version 5 on August 21.  Here are the details and registration link.  If you can't attend this, sign up anyway in order to receive the link to the recording when it is available soon after the webinar.

Wednesday, August 7, 2013

Scott Mix’s CIP V5 Presentation to TRE

On July 31, Scott Mix of NERC gave an all-day presentation to TRE (Texas Reliability Entity) on CIP Version 5.  The event was also broadcast as a webinar; about 100 people attended this way, including myself.

This was an excellent presentation.  If you missed it, you’ll be glad to know that the slides are available here, but I don’t believe a recording was made.  However, I did take a lot of notes and am glad to share them with you.[i]  The notes aren’t a summary of what he said, but rather a set of things he said that I found quite interesting.  So I’ll just list them in the order he said them.

· There are two ways in which FERC can approve a standard: issue an Order or approve a Rule.  The latter first requires a NOPR and comment period, as happened with CIP Version 4[ii] and will happen with Version 5 (they have issued the V5 NOPR but haven’t approved V5 yet).  Some of the previous CIP versions, like Version 3, were approved with a simple Order.  I speculate that Version 6 will be approved with an Order, since the NOPR and comment period for V5 really count for V6 as well.

· He discussed a topic I recently wrote a blog post about: the fact that CIP Version 4 was pushed through approval by NERC very quickly (it was first discussed in the spring of 2010 and received final approval – after three ballots – in December of the same year).  He says the reason V4 was pushed through was panic on the part of various people at NERC and some of the larger NERC entities; they believed that Congress was about to effectively take power industry cyber security regulation away from FERC and write their own legislation.  He freely admitted this may have been a mistake; I agree with that statement.

· He pointed out that NERC and almost all of the other commenters on the Version 4 NOPR supported Version 4.  However, NERC’s tone changed markedly a year later, when it became clear that CIP Version 5 would finally be approved by the NERC membership – and since V4 wasn’t in effect yet and everyone preferred Version 5, it made sense to try to push V5 instead.

· One difference between the V4 and V5 Implementation Plans is that, in the V4 plan, the effective date is the first day of the eighth calendar quarter after approval,[iii] while the V5 plan says the same except for the ninth quarter.  He admitted that the Standards Drafting Team had simply miscounted with Version 4.  They wanted to provide two years for compliance, but ended up providing seven quarters.  They got it right in Version 5 (perhaps with some engineering help – those people know how to count).

· The definition of BES Cyber Asset in Version 5 includes the provision that a cyber asset’s loss has to impact the BES within 15 minutes.  Scott said the SDT would have preferred to use the term “Real-time”.  However, the problem was that this is a defined NERC term, and the definition is “Present time as opposed to future time.”  This definition would have been totally useless in this case, so they settled on 15 minutes instead.  Given that FERC has challenged the “15 minutes” provision in their NOPR, it will be interesting to see what they propose to replace it with (although they may just leave out any mention of time at all, meaning every cyber asset whose loss would affect the BES ever – even a year from now – would have to be a BES Cyber Asset).

· In Version 5, the word “facility” appears sometimes in lower and sometimes in upper case.  Scott says this was deliberate, since in some cases they wanted to use the NERC Glossary definition and sometimes not.[iv]

· Scott pointed out there is no NERC definition for a “substation”, just as there isn’t for “control center” (although for the latter, there is a definition within Version 5 itself.  I believe that may become the NERC Glossary definition when V5 is approved).  In fact, the IEC itself doesn’t have a definition,[v] although they’re working on it now.  Just goes to show that the most important definitions are the ones that cause the most contention and thus never get written.

· I submitted a question, which he answered.  The question regarded the “1500MW rule” in Criterion 2.1 of Attachment 1 of CIP-002-5.  I asked whether an entity, claiming that particular cyber systems at a large plant weren’t BES Cyber Systems because they didn’t control 1500MW of generation, would have to prove that they weren’t networked with other systems that did control 1500MW; that seems to me to be the assumption behind this rule.  Scott said the entity would have to show this was the case.[vi]

· One of the most important discussions in Scott’s talk was CIP Version 4 – he spent an hour going over compliance timeline, bright-line criteria, etc.  This was quite interesting given that almost nobody – himself included, I’m sure – believes V4 will actually come into effect.[vii]  He pointed out that Version 4 can’t be ruled out until FERC actually approves Version 5, which in effect “stops the clock” on V4.[viii]

· One excellent question that Scott took was what happens to open TFEs for Version 3 when V5 comes into effect.  Scott didn’t know, but agreed this will need to be decided once FERC rules on V5.

· One change in V5 is that the word “sub-requirement” is gone, replaced by “requirement part”.  I had thought this was just a wording preference change, but Scott pointed out it had a real impact on compliance: you can be written up for violating a sub-requirement, but not part of a requirement.  So there will be no more violations of anything other than full requirements under V5 (this change is evidently being made across the NERC standards).

· He said NERC’s analysis of the CIP Version 5 NOPR identified the following: requests for comment on 48 topics, directives for change on 11 topics, and an indication FERC “may” direct change on 16 topics.[ix]  I don’t think this little nugget will help you pass audits any better, but I was surprised there was that much in the NOPR.

· He gave quite an interesting discussion of the question of requirements for Low impact facilities in Version 5.  As you probably know, V5 as currently written just requires the Lows to have four policies in place; in their NOPR, FERC said they wanted specific technical requirements for Lows.  Scott began by quoting Sun Tzu: “He who defends everything, defends nothing.”  The meaning of this for Version 5 is that, if entities have to spread themselves too thin defending everything they have, they aren’t going to be nearly as effective as if they concentrate on providing a higher level of defense for the most important facilities (i.e. the Highs and Mediums).  Scott said he is willing to see more specific requirements for Lows in Version 5, but not ones that are cyber asset specific.

· He pointed out that FERC seems to be strongly motivated now to move Version 5 through the approval process.  They took just three months to issue their NOPR after NERC submitted V5 (Jan-April 2013), vs. six months for V4 (Feb-Sept 2011); this was in spite of the fact that V5 is much more of a change than V4 was (V4 just changed CIP-002, while V5 changed all the standards).  He thought this was a sign that FERC wouldn’t wait too long to approve V5; he expects them to do so later this year (although I’ve heard that some people at NERC think it could even happen in September – Scott is clearly not one of them).




[i] I’m told he did a similar presentation for FRCC, and he may be coming to a Regional Entity near you.  Check your local listings.

[ii] Scott mentioned that, in Sept. 2011, the NERC cognoscenti were expecting FERC to simply issue an order approving Version 4.  Instead, they issued a NOPR, got comments, and issued Order 761 approving it in April 2012.

[iii] So the implementation date for Version 4, which was approved in the second quarter of 2012, is April 1, 2014, the first day of the eighth quarter after that.

[iv] I have posted extensively about what I see as the sloppiness in CIP-002-5 with respect to how facilities (control centers, substations, generating stations, etc.) are referred to.  I think it’s bad that two terms – asset (not a defined NERC term) and Facility (defined in the NERC Glossary) – are used almost interchangeably.  Now I hear that the SDT really intended there to be three terms, with lowercase “facility” being the third.  Somehow this doesn’t fill me with any more confidence in CIP-002-5 than the low amount I already had.  If you’re going to use two or three different terms, you need to make clear the difference between them.  Unfortunately, the SDT didn’t do this.  This is one reason why I rewrote CIP-002-5 and submitted that to FERC during the NOPR comment period (although the main reason was simply my own satisfaction, since I’m not at all expecting my comments to be taken to heart).

[v] He may have said IEEE.  I’m sure they don’t either, though.

[vi] He may say that, but Criterion 2.1 certainly doesn’t, nor do I see anything in the Guidelines.   I think at the least this points out the need for something I’ve been advocating for: specific guidance on applying the bright-line criteria, beyond the very limited guidance included with CIP-002-5.

[vii] His lengthy discussion of the V4 bright-line criteria is relevant to V5, however, since most of the V5 criteria are little changed from V4.

[viii] This is a very important question, which I have dealt with in three recent blog posts: this, this, and this.

[ix] Scott admitted there might be some overlap between the first category and the other two.


Notice: Honeywell has produced three white papers on CIP Version 5 - what's in it and how you can comply with it.  They aren't posted yet, but to get copies, just email me at tom.alrich@honeywell.com

Thursday, August 1, 2013

Yet Another Dialog Inspired by “The Real Cost of CIP V4"


All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

August 12: I just posted my analysis of what FERC's order today - extending the compliance date for CIP Version 4 - means.

The following dialog has taken place in response to my original announcement of the post on The Real Cost of CIP Version 4 in the LinkedIn “Compliance to NERC Standards” discussion group.  Since many of you probably aren't members of that group (although I do recommend you join it, as well as the 3 or 4 others that focus on NERC and NERC CIP in LinkedIn), I’m reproducing it here.

I’m doing this because I’m sure a lot of you are facing the same problem as my anonymous correspondent at a large IOU: While he and everybody else are sure that NERC CIP Version 4 won’t ever come into effect, his legal department – being lawyers, after all – won’t allow the entity to stop their efforts to become compliant with Version 4 by April 1, 2014.  They are asking for legal proof that V4 won’t come into effect (or at least won’t be audited by NERC), but such proof is proving elusive.

I.  The dialog was with a prominent NERC compliance consultant.  The consultant opened with this comment:
“I am surprised that if this is a large IOU that they didn't have anyone in constant contact with NERC and FERC so that they would have known that late last year NERC had requested that FERC bypass v4. Our staff are in daily contact with these agencies/groups as well as all 8 regions and we were advising our 100+ clients in November and December what the intent was.

“I think a lot of the blame lays (sic) at the feet of the IOU and/or their consultants for not being proactive. As I am sure most people are aware, NERC requires you (registered entities) to constantly check and "scrub" the NERC and regional websites as they can't babysit everyone. As NERC has eluded to over the years..."ignorance of the requirements is no excuse for not complying"...the same could be said of not establishing strong relationships with NERC and the regions and staying in contact with them.”


II.  Here is my correspondent’s response:
“We constantly monitor NERC’s and FERC’s pronouncements, and were well aware that NERC had requested that FERC bypass V4 last year. We were also well aware that NERC had said just the opposite in November 2011 – that they were serious about V4 coming into effect before V5.  And we were further aware that the question whether V4 was bypassed was in FERC’s hands, not NERC’s – and FERC’s intention to have V4 come into effect had been clearly stated in Order 761.

“We do not place our future compliance risk on hearsay. From a legal standpoint, we can only budget and plan for what is officially voted and approved. Still today they are talking about transitioning from 3 to 5 but have not officially lifted the deadline for v4. To have ignored v4 based on anything less than an official change of the compliance date would have been considered by legal counsel as a 'compliance risk'. Are you offering legal counsel that can hold up to litigation?”


III. The consultant responded thusly:
“Tom - your contact stated, ‘We do not place our future compliance risk on hearsay.’ If hearsay is information coming from both NERC and FERC...then I can't offer any advice. As for the litigation...I am not aware of anyone having had to go to court yet but do know that by stacking the evidence we have in the form of emails, voice recording etc, I could and would make a strong case that NERC and FERC have no intention of letting v4 see the light of day...that would hold up to any litigation.”


IV.  My correspondent sent in the following reply today.  Should there be any further dialog, I will continue to post it below, and put a notice at the top saying I did so and when.
“The only “evidence” of FERC’s intentions, from a legal point of view, is Order 761.  If you have emails or voice recordings directly from three FERC Commissioners (not staff) saying they definitely won’t let V4 come into effect (and you can prove they did come from Commissioners), please make them available to the NERC community so we can all feel safe ignoring V4 from now on.  Absent that, there is nothing anyone at FERC can tell you that would “hold up to litigation” if we contested a huge fine for non-compliance with Version 4.

“As for NERC, I point you to Scott Mix’s presentation to TRE yesterday.  He spent a whole hour discussing Version 4 and the transition to it (slides 11-29); at no point did he say that V4 wouldn’t come into effect (I’m told many people were disappointed by this, as I certainly was when I heard about it). In fact, he said specifically that the possibility can't be ruled out, which is why he spent so much time on V4.

“If NERC were to come out with a document stating flatly that they won’t audit against V4 if it does come into effect (they can’t state it won’t come into effect at all, since that’s not their decision anymore), that would be a big benefit for the industry.  However, it seems clear from Scott’s presentation that they aren’t going to do this – they’ll wait for FERC to approve V5, which hopefully won’t be too long from now.”