Thursday, August 1, 2013

Yet Another Dialog Inspired by “The Real Cost of CIP V4"


All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

August 12: I just posted my analysis of what FERC's order today - extending the compliance date for CIP Version 4 - means.

The following dialog has taken place in response to my original announcement of the post on The Real Cost of CIP Version 4 in the LinkedIn “Compliance to NERC Standards” discussion group.  Since many of you probably aren't members of that group (although I do recommend you join it, as well as the 3 or 4 others that focus on NERC and NERC CIP in LinkedIn), I’m reproducing it here.

I’m doing this because I’m sure a lot of you are facing the same problem as my anonymous correspondent at a large IOU: While he and everybody else is sure that NERC CIP Version 4 won’t ever come into effect, his legal department – being lawyers, after all – won’t allow the entity to stop their efforts to become compliant with Version 4 by April 1, 2014.  They are asking for legal proof that V4 won’t come into effect (or at least won’t be audited by NERC), but such proof is proving elusive.

I.  The dialog was with a prominent NERC compliance consultant.  The consultant opened with this comment:
I am surprised that if this is a large IOU that they didn't have anyone in constant contact with NERC and FERC so that they would have known that late last year NERC had requested that FERC bypass v4. Our staff are in daily contact with these agencies/groups as well as all 8 regions and we were advising our 100+ clients in November and December what the intent was. 

“I think a lot of the blame lays (sic) at the feet of the IOU and/or their consultants for not being proactive. As I am sure most people are aware, NERC requires you (registered entities) to constantly check and "scrub" the NERC and regional websites as they can't babysit everyone. As NERC has eluded to over the years..."ignorance of the requirements is no excuse for not complying"...the same could be said of not establishing strong relationships with NERC and the regions and staying in contact with them.”


II.  Here is my correspondent’s response:
We constantly monitor NERC’s and FERC’s pronouncements, and were well aware that NERC had requested that FERC bypass V4 last year. We were also well aware that NERC had said just the opposite in November 2011 – that they were serious about V4 coming into effect before V5.  And we were further aware that the question whether V4 was bypassed was in FERC’s hands, not NERC’s – and FERC’s intention to have V4 come into effect had been clearly stated in Order 761. 

“We do not place our future compliance risk on hearsay. From a legal standpoint , we can only budget and plan for what is officially voted and approved. Still today they are talking about transitioning from 3 to 5 but have not officially lifted the deadline for v4. To have ignored v4 based on anything less than an official change of the compliance date would have been considered by legal counsel as a 'compliance risk'. Are you offering legal counsel than can hold up to litigation?”


III. The consultant responded thusly:
Tom - your contact stated, ‘We do not place our future compliance risk on hearsay.’ If hearsay is information coming from both NERC and FERC...then I can't offer any advice. As for the litigation...I am not aware of anyone having had to go to court yet but do know that by stacking the evidence we have in the form of emails, voice recording etc, I could and would make a strong case that NERC and FERC have no intention of letting v4 see the light of day...that would hold up to any litigation.”


IV.  My correspondent sent in the following reply today.  Should there be any further dialog, I will continue to post it below, and put a notice at the top saying I did so and when.
"The only “evidence” of FERC’s intentions, from a legal point of view, is Order 761.  If you have emails or voice recordings directly from three FERC Commissioners (not staff) saying they definitely won’t let V4 come into effect (and you can prove they did come from Commissioners), please make them available to the NERC community so we can all feel safe ignoring V4 from now on.  Absent that, there is nothing anyone at FERC can tell you that would “hold up to litigation” if we contested a huge fine for non-compliance with Version 4.

"As for NERC, I point you to Scott Mix’s presentation to TRE yesterday.  He spent a whole hour discussing Version 4 and the transition to it (slides 11-29); at no point did he say that V4 wouldn’t come into effect (I’m told many people were disappointed by this, as I certainly was when I heard about it). In fact, he said specifically that the possibility can't be ruled out, which is why he spent so much time on V4.

“If NERC were to come out with a document stating flatly that they won’t audit against V4 if it does come into effect (they can’t state it won’t come into effect at all, since that’s not their decision anymore), that would be a big benefit for the industry.  However, it seems clear from Scott’s presentation that they aren’t going to do this – they’ll wait for FERC to approve V5, which hopefully won’t be too long from now."



No comments:

Post a Comment