Saturday, September 21, 2013

The News from Denver

Nov. 8: It is very likely FERC will approve CIP Version 5 before Thanksgiving, most likely at their meeting on Nov. 21.  Of course, what will be important is the Order they issue with V5.  When that is issued, your reporter will sequester himself until he has figured out what it means, and will post that as soon as possible thereafter.

This week, I was in Denver[i] attending two meetings: the NERC CIPC and EnergySec’s annual Summit meeting.  They were both excellent meetings in their own ways (which are quite different.  The CIPC meetings aren't about cyber security but about all the different efforts under way at NERC to promote physical and cyber security of the BES – including the NERC CIP standards as one important part.  EnergySec’s Summit is all about cyber security of the electric sector, and had one excellent presentation after another on that topic).

In the course of these meetings I talked with a number of people from NERC, the NERC Regional entities, and the utilities.  Of course, a big topic was what will happen with CIP Version 5.  Here are the important things I learned:

  • There is broad consensus that FERC is moving rapidly toward approving Version 5 this fall.  In fact, I’m told it’s very likely they will approve it at their Open Meeting in mid-October.  It seems that if they wait until November or December, they will have a hard time taking such an important step because of the holidays.
  • Does this mean that the four-year period of uncertainty over the next CIP version will finally come to an end?  Well, no.  One piece of uncertainty that will end is whether CIP Version 4 will come into effect.  Approval of Version 5 will activate the V5 Implementation Plan, which will result in the immediate death (unlamented, to be sure) of any chance that V4 will come into effect.
  • However, it seems likely that, at the same time FERC will approve Version 5, they will order NERC to come back – in maybe 6 or 9 months – with a compliance filing (i.e. new CIP version) to address problems they see in Version 5; this will be CIP Version 6, and will be the next version that NERC entities have to comply with (since V6’s implementation plan will kill V5, just as V5’s plan will kill V4.  There’s a wonderful symmetry in the NERC/FERC world).[ii]
  • You might ask, “Aren't you happy about this, since you've been saying for a while that this would happen?”  And I would answer, “No, I’m not.”  I have come to realize lately that the biggest problem in the NERC CIP universe now is the fact that there has been so much uncertainty for so long about the next CIP version.  As I discussed (at seemingly interminable length) in a recent post, the only way this uncertainty can finally come to an end is if FERC approves Version 5 and that is the next version that actually comes into effect.  That obviously won’t happen if FERC approves V5, but then orders up yet another version of CIP.
  • I must distinguish here between the uncertainty that lawyers feel and the uncertainty the rest of us mere mortals feel.  When FERC approves V5 and orders up V6, we mortals will have all we need to be quite certain about the future.  This is because FERC will a) specify a date that NERC has to return Version 6 and b) specify what they want in V6.  NERC will have to do what FERC wants (of course, this is all “voluntary”, since it will be done by a vote of the NERC Board of Trustees, and hopefully the membership as well.  This is a rather Orwellian use of the term voluntary.  “I put a gun to your head.  You will voluntarily do what I tell you, or I’ll pull the trigger.  But the choice is yours, so it’s voluntary.”).  There won’t be any actual uncertainty.
  • But lawyers don’t think that way.  They tend to think – bless their hearts – that if something hasn't been put in the form of a law or an Order, it isn’t real.  This is of course why to this day there are still some entities that are working on CIP Version 4 compliance, even though FERC made it very clear in their NOPR in April that they won’t let V4 come into effect.  The problem is, that is only a statement of intent; there is an actual Order (Order 761) that says that V4 will come into effect next year, and until a new Order changes that, some legal departments require that V4 efforts continue.
  • So these legal departments aren't going to be satisfied when the compliance people assure them, “Don’t worry, we’re convinced that NERC will produce Version 6 just as FERC wants it, and before the deadline they say they want it by.  We should go ahead and start complying with Version 6.”  The lawyers will tell them, “When FERC approves Version 6, you can start complying with it.  Until that day, you will work on compliance with the currently-approved version, which is Version 5.”  This may not be so terrible, since V6 will be a lot like V5 (with one big exception, as discussed below), but it will be unfortunate that there still won’t be real uncertainty until probably the summer or fall of next year (I have been saying there would soon be certainty on the next CIP version for the past 3 or 4 years – so you should take what I say now with a shaker full of salt.  Something else could well come up that will extend the uncertainty further than that.  This “just wait ‘til next year” attitude is one of the environmental hazards of living for a long time in the same town as the Chicago Cubs).
  • If you’re one of the two people who actually read all the way through the recent post I just mentioned (as opposed to just saying you did), you will know I asserted there are ways that FERC could get all of the major things they indicated (in the NOPR) that they want in the next version, without having to require an immediate CIP Version 6.  However, my track record of having the FERC Commissioners take my wonderfully helpful suggestions is zero.  Specifically, I am betting that FERC will decide (if they ever questioned the matter in the first place) that at least one of the things they want can only be achieved through a new version.  Voila, Version 6!
  • And what, you say, are the things FERC really wants changed from V5?  I discussed all of them in the previous post, but I've come to believe that the change FERC most wants is removal of the “Identify, Assess and Correct” language from 17 of the requirements in V5.  In that post, I outlined what I thought was a way they could remove IAC without having to order up a V6, building on comments submitted to FERC by Encari.  However, I've now come to think they won’t listen to Encari on this (don’t feel bad, Encari.  They won’t listen to me, either!). 
  • Now you may ask, “Isn't this good for the industry?  Since the timeline for V6 compliance won’t start until FERC approves V6 late next year, we’ll all get another 9 or 12 months to comply, as opposed to what would have happened if they’d simply approved V5 this year.” To be specific, if FERC approved V5 unchanged this fall, the compliance date for Medium/High impact facilities would be about January 1, 2016, and Lows about January 1, 2017.
  • If FERC doesn't order the V6 implementation plan to be changed from the V5 one, I would agree with this.  However, in their NOPR they said they thought these timelines were too long.  During the week or two that I convinced myself that FERC would approve V5 outright, I came to believe this meant they wouldn't change the compliance date, since anything earlier than the dates just mentioned would be literally impossible for most NERC entities to achieve. 
  • However, I’m not sure FERC will feel generous enough to let the V5 timeline be replicated in V6, given that just developing and approving V6 will take about a year.  I am guessing FERC will shorten both the Medium/High and Low compliance periods by about a year.  If it were to take a year for NERC to develop V6 and FERC to approve it, and if the compliance periods were also shortened by a year in the V6 implementation plan, then the compliance dates would obviously remain what I just suggested above: about January 1, 2016 for Mediums/Highs and January 1, 2017 for Lows.[iii]

The moral of this story?  There are four:

  1. You should circle October 17 on your calendar.  This is the day of FERC’s Open Meeting, where they’ll announce they’re approving Version 5 – if they do so in October.
  2. You won’t ever have to comply with Version 5, any more than you will with Version 4.  Your next CIP compliance version will be 6, and it will probably be approved by FERC in the fall of 2014.
  3. Version 6 will have the IAC language removed, so it will be based on the much-loved “zero tolerance” approach of the previous CIP versions.[iv]
  4. I’m betting maybe $5 (that’s a big bet for me) that the compliance timelines will be shortened in Version 6, so they will be effectively what they would have been if FERC approved V5 outright this fall.
All opinions expressed in this post are mine, not necessarily those of Honeywell International, Inc.

Oct. 23: I have just updated my previous post that speculates on the actual compliance dates for V5/V6. You can see that here.

[i] We've all heard about the flooding in Colorado, but I learned some pretty amazing details from a person in the Colorado Public Utility Commission who is working hard on trying to restore electric service.  He said this wasn't a 100-year flood; it was a 1000-year one.  He said the previous record one-day rainfall in Colorado was four inches.  This time, there were some areas that got ten inches in one day.  When you get those huge volumes of water rushing down through those mountain canyons, you’re in a lot of trouble.

[ii]  An Interested Party pointed out to me that CIP Version 3 was ordered as a compliance filing when FERC approved Version 2, and both standards ended up coming into effect - V2 on 4/1/2010 and V3 on 10/1/2010.  However, V3 in no way conflicted with V2 - it added a requirement for escorted access in the PSP and another small change.  Since I believe FERC will order the "Identify, Assess and Correct" language be removed in V6, this would constitute a very substantial change.  How could they possibly allow V5 with IAC to be in effect for a year or so, followed by V6 without IAC?

[iii] A CIP compliance manager sent me an email this week reminding me that the V5 compliance plan is actually hugely more complicated than just two dates.  There are about 15 sub-requirements that have separate compliance dates from the other requirements.  Implementing CIP Version 5 will be much more complicated than implementing any previous version, with the possible exception of V1 (with its infamous Tables and the different stages on the road to compliance).  I will have another post on this issue, but I’ll wait until FERC issues their order.

[iv] Even though IAC won’t be in CIP Version 6, all is not lost for the idea of focusing on having a program to “identify, assess and correct” deficiencies, rather than on every single tiny deficiency itself.  NERC’s Reliability Assurance Initiative will endeavor to accomplish the same goal – and not just for the CIP standards, but all NERC standards.  It is possible that RAI will be in place by the time the CIP V6 compliance date rolls around.  It is also possible that FERC will put the kibosh on RAI for the same reasons as IAC (although they did point out in their NOPR that their obvious dislike for IAC doesn't necessarily extend to RAI, which is still being defined).

Notice: Honeywell has produced three white papers on CIP Version 5 - what's in it and how you can comply with it.  They aren't posted yet, but to get copies, just email me at

Friday, September 6, 2013

NERC Releases the Final CIP Version 5 Transition Plan

Nov. 26: For my analysis of what FERC Order 791 means, including timeline for CIP V5/V6 and the transition to them, please see this exceedingly long post.

Nov. 8: It is very likely FERC will approve CIP Version 5 before Thanksgiving, most likely at their meeting on Nov. 21.  Of course, what will be important is the Order they issue with V5.  When that is issued, your reporter will sequester himself until he has figured out what it means, and will post that as soon as possible thereafter.

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

Yesterday, NERC released the final, approved version of the CIP Version 5 Transition Plan.  I see very little that has changed since the preliminary plan was released.  Since I wrote a post on that plan (which has gotten close to 500 hits in the 6 weeks since I posted it), I have just updated that a little (plus I took “preliminary” out of the title).  Please read that post for a discussion of what’s in the plan.

Tuesday, September 3, 2013

WWWD (What Will Wellinghoff Do?)

Sept. 22: Yesterday I wrote a post that updates some of the speculation in this post.

I’m not telling anybody anything they don’t know when I say there is huge uncertainty now over what FERC will do with respect to NERC CIP Version 5.  FERC’s NOPR of April 18, 2013 makes clear they intend to approve Version 5.  It also makes clear they want changes made to it.  Sounds pretty simple, right?  They’ll make some changes and then they’ll approve it.

As anyone who has been reading my blog posts since then knows, the situation is hardly simple.  Under Section 215 of the Federal Power Act of 2005, which gave FERC the ability to impose mandatory reliability standards on electric utilities through NERC (the “ERO”), FERC can’t do this.  They can either completely remand (reject) a proposed standard or they can approve it without change.  Does this mean that, if they want to approve Version 5, they have to forget their desire to make changes?

No, it doesn’t.  At the same time as FERC approves a standard, they can order NERC to develop a “compliance filing” that will incorporate the changes they want; they may or may not order this to be delivered by a particular date.  This happened when FERC approved CIP Version 2 unchanged in 2009.  At the same time as they did that, they ordered NERC to file a new version in 90 days that incorporated a requirement for logging ingress and egress for visitors to the PSP, as well as a minor change regarding testing of incident response plans.  This became CIP Version 3.  Version 2 came into effect April 1, 2010, while V3 came into effect October 1, 2010 (and remains in effect today, of course).

This is why the scenario I have been using for Version 5 approval and implementation (discussed below) called for CIP Version 6 to be the next version that NERC entities would have to comply with: I thought that only by ordering that a new version be developed could FERC assure the changes they want will be implemented.  The problem is the new version will probably take a year or even more to be developed by NERC and approved by FERC; meanwhile, the long period of uncertainty regarding the next CIP version (which started in at least 2009) will continue.  Through reading and talking with various people, I have come to believe it isn’t acceptable for the uncertainty to continue even after FERC approves CIP Version 5 (hopefully this year).  The industry wants that approval to put an end to the uncertainty, so they can focus on planning for and implementing CIP Version 5 compliance.

In this post, I will first outline my original scenario as well as what I saw as the only possible alternative to that, which I am calling NERC’s scenario. I will then outline a possible third scenario (really a range of scenarios) that would allow FERC[i] to approve Version 5 without requiring major changes (so Version 5 could still be the next version that NERC entities had to comply with), while at the same time getting most of the changes they want.  Does this seem impossible?  Just watch my hands.

My Original Scenario
As described in this post, my scenario goes like this:

  1. FERC approves CIP Version 5, probably before the end of 2013.
  2. When approving Version 5, FERC orders a compliance filing from NERC.  It will probably incorporate at least the major changes they listed in the NOPR (listed below in this post).
  3. The deadline for the compliance filing will be maybe 9 months or even a year later (the changes are major, of course), meaning NERC will come back with Version 6 by the third or fourth quarter of 2014.
  4. FERC will take one or at most two quarters to approve Version 6, meaning approval before June, 2015.  The implementation plan for V6 will say it supersedes V5, just as the V5 plan supersedes V4.
  5. Since the compliance date for High and Medium impact facilities will be shortened to about one year, that date will be about July 1, 2016.
  6. Depending on whether FERC also moves up the implementation date for Lows, that date will be about July 1 of either 2017 or 2018.

As I’ve already said, I’m no longer so comfortable with this scenario.  There are two reasons:

  1. The comments filed on the NOPR were overwhelmingly in favor of having FERC approve Version 5 without changes.  NERC, EEI and others made the point eloquently that all the back and forth with V4 or V5 had taken a big toll on the industry, and any further uncertainty would just make that worse.  FERC seems to be very concerned about this problem (as I believe their recent order extending the Version 4 implementation date shows).
  2. I had previously argued that, under my scenario, the uncertainty would end when FERC approved V5 (likely this year), since the order for the compliance filing would specify exactly the changes FERC wanted to be incorporated into V6.  That, coupled with the fixed deadline for NERC to develop and approve V6, meant that entities would know exactly what they had to comply with and when.  The big problem with this argument is that many corporate legal departments will only let actions be taken (or not taken) on the basis of FERC orders, not what amount legally to just statements of intent (I wrote about this problem recently in regard to Version 4, since some IOU’s are to this day still pushing ahead with their Version 4 implementation tasks – due to a lack of any order saying Version 4 won’t come into effect).  These legal departments won’t consider Version 6 to be real until FERC approves it in mid-2015 (i.e. at step 4 in my scenario).  At this point, the Highs and Mediums will only have one year to comply with V5 (since I’m assuming FERC will shorten the compliance period as they hinted in the NOPR), and all hell will break loose as a big scramble goes on to comply in one year – this isn’t good for the industry or for FERC.  It is best if FERC’s order approving V5 actually orders the new version, period – and that version subsequently comes into effect`.  But that requires a different scenario from mine.
NERC’s “Scenario”
What does NERC think will happen?  They haven’t come out with a specific scenario, but it’s implicit in their NOPR comments.  If FERC listens to them and approves Version 5 unchanged, and that happens in 2013 as I know NERC believes, then V5 obviously will come into effect and not be superseded by a Version 6.  The compliance date for High and Mediums will be around January 1, 2017, and for Lows a year later.  FERC might order a new version of CIP (Version 6), but it won’t have a near-term deadline (and perhaps no deadline at all).  Version 6 will go through the normal channels for a revised standard: a Standards Authorization Request (SAR), constitution of a new Standards Drafting Team, drafting by the team, a round of ballots (there were four for Version 5) and finally approval by the NERC Board of Trustees.  Easily a three-year process, maybe more.  This means Version 5 will be in effect a minimum of 3 or 4 years, which most people would argue (I think) is a decent amount of time.

The big problem with this scenario is it ignores all of the changes that FERC said, in their NOPR, they really wanted.  It assumes FERC will agree to forget about those changes, or just order them to be included in Version 6 (meaning they will be four years away).  Given the tone of the NOPR, it’s hard to see FERC doing that.

A Third Scenario
If it is possible, we need a third scenario.  In it, FERC will need to address two goals: a) eliminating the prospect of an additional year of uncertainty for the industry (as happens in NERC’s scenario but not in mine), and b) getting the changes they want (which happens in my scenario but not in NERC’s). To achieve a), FERC has to approve Version 5 unchanged and make clear it will in fact come into effect.  Given that, how do they achieve as much of goal b) as possible?  Is it even possible for this to happen?

At this point, it’s important to look at the four major changes FERC wants in Version 5, and ask how FERC would achieve each of these in a new scenario.  These changes (stated in the NOPR) are:

1.        “Specific, technically-supported cyber security controls” for BES Cyber Systems at Low impact facilities;
2.       Shortening the implementation period, at least for Medium and High impact facilities;
3.       Two changes in the definition of BES Cyber Asset (removal of the “15-minute” criterion and of the sentence exempting laptops used for less than 30 days within the ESP); and
4.       Removal of the “identify, assess and correct” language in 17 requirements;

Let’s start with number one.  Change number one wouldn’t have to be in Version 5 for FERC to approve it.  It could be incorporated in a compliance filing coming soon afterwards (maybe six months?).  In other words, FERC could approve V5 as it now stands, but require a compliance filing to address item one.   You may now (rightfully) ask, “But didn’t you say you wanted to avoid a compliance filing that would just prolong the uncertainty?”

I did, but that wouldn’t happen in this case.  Version 5 would be approved and would come into effect based on the existing 2-3 year implementation plan.  But there would be a single new standard developed – it might be CIP-012-1 or maybe CIP-003-6 – that would include the specific requirements that FERC wants for Lows. Since I’m guessing FERC would give NERC 6-9 months to develop this standard (it won’t be easy, of course.  The industry has long resisted the idea of specific requirements for cyber assets at Low impact facilities), it would still be approved well in advance of the implementation date for the rest of the Version 5 standards.  It might be timed to come into effect after that date, meaning simply that for the first 9-12 months (allowing a quarter for FERC approval after NERC submits the new standard) after the compliance date for Lows in V5, the Lows would only have to comply with CIP-003-5 R2, which requires four policies.  When the new standard kicked in, they would also have to follow whatever specific requirements appeared in that.[ii]

Let’s say the implementation period for this new standard is three years.  Here is the scenario that implements this change:

  1. FERC approves Version 5 at the end of 2013.  Since they approve it unchanged, the implementation dates remain as they currently read (two years for High/Mediums, three years for Lows).
  2. At the same time, FERC orders NERC to develop the new standard and deliver it to them within nine months.
  3. By September 30, 2014, NERC delivers CIP-012-1 (or CIP-003-6) to FERC. 
  4. Medium and High facilities will have to comply with CIP-002-5 through CIP-011-1 about January 1, 2016.  Lows will have to comply about January 1, 2017.
  5. Lows to comply with the new standard around January 1, 2018 (again, this includes the nine months NERC takes to develop the new standard and submit it to FERC, and the three months FERC takes to approve it).

How about the second change FERC wants: shortening the implementation timeline?  My response is: In this scenario, why would they want to do that?  I believe FERC threatened in the NOPR to move up the implementation dates because, when they wrote the NOPR, they were looking at a scenario a lot like my original one: After they approved V5, there would be a year or more for NERC to develop V6 and for FERC to approve it.  If FERC didn’t shorten the implementation timeline for High/Mediums in Version 6 (say to one year), Highs and Mediums would have more than three years from the V5 approval date to comply with V6 (the two years in the implementation plan plus another year while V6 was being developed).  FERC could reasonably argue that, since they ordered the V6 compliance filing the day they approved V5, any entity would have known what requirements would be in V6, as well as the fact that the implementation timeline for V6 would be one year not two.  Any prudent entity would have started their V6 preparations upon V5 approval, if not earlier. 

I’m sure it was never FERC’s intention that Highs and Mediums would only have one year from Version 5 approval to comply with V5; that would have created a huge problem.  I think they really wanted that period to be two years[iii].   This means that, for FERC to get their second change, nothing has to change in the scenario just outlined.  High/Mediums will have two years from V5 approval to comply with the next CIP version – i.e. with V5.

How about the third change, in the definition of BES Cyber Asset (there are really two changes they want in that definition, of course)?  It’s pretty easy, as it turns out.  FERC can simply order the change as a compliance filing (I’m told the change is really in the NERC Glossary – meaning this change wouldn’t require a new CIP Version.  It seems Definitions that are approved with a standard – as this one was – all move to the NERC Glossary upon approval of the standard by NERC, so that’s where this and the other entries in the V5 Definitions document now reside).

The fourth of these changes, removing “Identify, Assess and Correct” (IAC) from the 17 CIP V5 requirements where it is now found, is the most problematic.  If FERC really doesn’t want this language in Version 5, it’s hard to see how they can approve V5 at all – if, as we’re assuming in this scenario, they really do intend for V5 to come into effect.  After all, it’s written into 17 of the most problematic requirements in Version 5.

Is there some way FERC could approve V5, with all of the IAC language, while still “removing” it in another way?  If there isn’t, this whole post has probably been for naught: FERC really is caught between my and NERC’s scenarios, and there is no “third scenario” as I’ve tried to show here.

As you’ve probably guessed, I think there is a way FERC can do this (and now the plot really thickens, I’ll warn you).  It’s important to note that Identify, Assess and Correct has more to do with how a requirement is enforced than with the requirement itself.  That is, IAC is in essence “grafted on” to regular requirements.  For example, requirement part[iv] 2.1 of CIP-007-5 (which deals with patch management) reads:

(The entity must have) A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.

However, Requirement R2, the “parent” requirement for 2.1, reads:

Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R2 – Security Patch Management.

I think you’ll agree with me that 2.1 could easily stand on its own, even if it weren’t part of R2.  In fact, it was originally on its own.  IAC was added to seventeen of the V5 requirements only in mid-2012, more than a year and a half after the first formal draft of V5.  IAC is literally a description of the manner in which the entity has to implement[v] 2.1, not part of 2.1 itself (and the same goes for the other 16 V5 requirements with the IAC language).

How does this help FERC?  Because their problems with IAC could potentially be eliminated by a change other than changing the 17 requirements themselves.  Again, this would eliminate the additional year (or thereabouts) of uncertainty while the standards were being rewritten for a compliance filing.  In other words, FERC could perhaps order a change in how the 17 IAC requirements are enforced, while leaving the wording of all the V5 requirements the same as it is now. 

There are probably multiple ways this change could be accomplished, but one was suggested by the consulting firm Encari in their comments on FERC’s NOPR.   You are encouraged to read those comments, but I will also share with you part of an email that Mark Simon sent me, summarizing their argument.  Mark is a Compliance Consultant with Encari.

Encari suggests the IAC problem could be addressed, from FERC’s perspective, by eliminating references to IAC in the Version 5 VSL table.  Here is what Mark says in an email:

In general, for CIP v1-v4, I view the VSL Table as the source of the problem with zero-tolerance for CIP violations.  I also believe CIP v5 ineffectively addresses this problem by replacing measures of violations in the VSL Table with a no-violation policy so long as IAC is deemed present.  The problem with IAC is that auditors have too much leeway in how they will measure it; either they will see and love it, or they won't see it as anything more than a poor excuse for maintaining compliance.

IAC is a great concept when it is uncoupled from the concept of measurement.  We did not recommend its removal from the standards themselves, just the VSL Table.  Leaving IAC in the standards formalizes the recognition of IAC as a mitigating factor (culture of compliance) for violations, but it cannot or should not be used to measure the severity of violations.  

You don’t necessarily have to follow every nuance of Mark’s statement in order to get the main idea of what I’m saying: there are ways that FERC can get around their problem with Identify, Assess and Correct in V5, without having to order a new version be developed.  Encari suggests changes to how the VSL’s are written.[vi]  However, there might be other changes that could accomplish the same purpose (e.g. changes to instructions to auditors on how to audit requirements with IAC[vii]).  So the fourth major change that FERC mentioned in their NOPR also doesn’t pose an insurmountable barrier to approving Version 5 without changes (and intending for it to come into effect).

To summarize this discussion of FERC’s four changes, I believe FERC could still get all of them without having to order NERC to develop a new compliance filing that substantially rewrites all the Version 5 standards – a filing that could easily take a year to develop and get approved by the NERC ballot body and would lead to further uncertainty, which I believe is no longer tolerable.

How does the IAC discussion change the Third Scenario outlined above?  Here is the final version of that scenario:

  1. FERC approves Version 5 at the end of 2013.  Since they approve it unchanged, the implementation dates remain as they currently read.
  2. At the same time, FERC orders NERC to develop the new standard for Lows (CIP-012-1 or CIP-003-6) and deliver it to them within (maybe) nine months.  This addresses the first change that FERC wants to see in V5.
  3. Also at the same time, FERC orders NERC to change the definition of BES Cyber Asset in the NERC glossary.  This addresses the third change FERC wants to see in V5.
  4. Also also at the same time, FERC orders NERC to redraft the VSL tables so that references to IAC are removed from the VSL’s for the 17 requirements that now include IAC.  This addresses the fourth change.  FERC gives NERC 90 days to do this, but this shouldn’t require a new version number for CIP.  NERC delivers this in the first half of 2014.
  5. By September 30, 2014, NERC will deliver CIP-012-1 (or CIP-003-6) to FERC.  FERC should approve it about three months later.
  6. Medium and High facilities will have to comply with CIP-002-5 through CIP-011-1 about January 1, 2016.
  7. Lows will have to comply with V5 (probably including CIP-003-5 R2) around January 1, 2017.
  8. Lows will have to comply with CIP-012-1 or CIP-003-6 (i.e. the new standard requiring specific controls) around January 1, 2018.

Finally, the Summary!
As has happened before, this has been a much longer post than I thought it would be, so I’ll summarize it now.  Until recently, it seemed to me it was inevitable there would be a long period of continued uncertainty even after FERC approves CIP Version 5, during the year or so that NERC will be developing Version 6.  But it seemed to me this was inevitable, because I didn’t think there was any way that FERC could make the changes they seem to want to make in V5, without having NERC take a year or so to make substation changes – in what would be Version 6.  In my original scenario, Version 6 would be the next version NERC entities would have to comply with, and that would take a fair amount of time to develop.

The only alternative I saw to this was NERC’s “scenario”, which included FERC’s approving CIP Version 5 as is, with no compliance filing required.  This would be great from NERC’s point of view but seemed very unrealistic, since it would require FERC to forget the major concerns they raised about V5 in their NOPR.

However, through reading and discussions with various parties I have come to believe it is simply unacceptable that there continue to be uncertainty much longer regarding CIP Version 5.  I have also come to believe there is a possible third scenario (more specifically, a range of possible scenarios) that would allow FERC to approve V5 and still achieve the major changes they seemed to be asking for in the NOPR.

What’s the moral of this story?  If you’re FERC, you can literally have your cake and eat it, too.

[i] I realize that the title of this post is open to amendment since Jon Wellinghoff is retiring as FERC chairman, and Ron Binz will replace him once he is confirmed by the Senate.  However, I thought WWWD had a better ring to it than WWWOBD – What Will Wellinghoff or Binz Do? Oct 5: Well, I guess it will be Wellinghoff for a while longer, until the President can find a new candidate foolish enough - I'm sorry, I meant to say qualified enough - to go through Senate confirmation.

[ii] An Interested Party and I have discussed this issue and have agreed to disagree (actually, I’m not sure he agreed, but – hey, it’s my blog after all).  He thinks that for Lows to comply with CIP-003-5 R2 as now written (i.e, having four policies), and then turn around 9-12 months later and comply with a new standard with specific requirements, would be unworkable.  I don’t agree with that, but if it were true, there would be a remedy: NERC could just say they won’t audit the Lows on compliance with CIP-003-5 R2, since it could be considered as being replaced by the requirement(s) in the new standard.

[iii] At this point, I need to point out that I have not had input from anybody at FERC on anything in this post – even though the whole post is speculation about what they’ll do.  I do have friends on the FERC staff, but I would never put any of them in the position of losing their job by asking them to provide me some inside information (and they would lose it, beyond a doubt).  Plus there is the issue: What would be the value of any insider information I received?  The staff members don’t make decisions for the Commissioners, and are frequently as surprised as anyone else by those decisions.  And the Commissioners aren’t even allowed to talk to the other Commissioners about anything relating to their decisions (this must make for some strange lunchroom conversations – all about the weather, how the Nationals are doing, etc), let alone some scruffy blogger.

There have been a couple people who seem to think I have such inside information about FERC.  I hate to disappoint them, but I don’t.  In this and other posts, I’m only trying to go through some of the logic that the Commissioners and staff members might possibly also go through, to come up with guesses about what their decisions might be.  If this makes you want to cancel your subscription to this blog, I’ll be glad to refund every cent you paid.

[iv] “Requirement part” is the new term for “sub-requirement” in all new NERC standards, not just CIP V5.  For an explanation of this change (which has much more behind it than just a preference for the new words), see my post on Scott Mix’s recent presentation to TRE.

[v] And by implication, it is a description of how the entity will be audited for compliance with 2.1 and the other IAC requirements.  Of course, this is what FERC doesn’t like about IAC.  For a good discussion of this topic, you should listen to Steve Parker of EnergySec’s discussion in the recent joint Honeywell / EnergySec webinar on Version 5.  Some clown blabbers on for what seems like an eternity before Steve starts; fortunately, you can fast forward past him.

[vi] Since the VSL tables are independent of the standards, I don’t believe that, for FERC to order a change in them, a rewriting of the standards themselves would be required.  FERC could order NERC to provide updated VSL tables in a short-term compliance filing (probably 90 days).  The job of doing this would probably fall to one or two NERC staff members.  They would need to remove the references to IAC in the VSL’s for those 17 standards.  This might still need to be balloted, but I would think it’s doable in 90 days.

[vii] My Interested Party friend doesn’t agree with Encari that this change would solve the problem.  He thinks that auditors would still have to audit compliance with IAC, as long as the IAC language is in the requirement.  Mark retorts that this shouldn’t matter, since any audit finding that an entity had violated IAC for a particular requirement wouldn’t result in a penalty since there would be no VSL covering it (that is, once NERC had changed the VSL tables per FERC’s order); he doesn't think there can be a penalty without a VSL covering the violation.  And the IP retorts to Mark that "There are numerous instances where a violation has been found and upheld even though the VSL did not include language specific to the facts and circumstances of the violation."  If this discussion continues, I'm going to open up a new post for it - this is really about the role of VSL's, not about IAC.
However, regarding IAC, it is clear that, even though Encari's proposal may solve FERC's problem, it doesn't save what many NERC entities were hoping would be one of the big benefits of IAC: not having to report every single violation, no matter how inconsequential, of the underlying standard.  I'm afraid that, if FERC was serious about what they said about IAC in the NOPR, this hope will be frustrated for now (Encari's proposal would limit the damage by at least allowing IAC to be considered as a mitigating factor in assessing penalties).  But there is possible hope on the horizon, in the form of the Reliability Assurance Initiative (RAI), a program NERC is discussing
 that would essentially bring IAC to all NERC standards, not just CIP - and it would do it through how the standards are audited and enforced (CMEP), rather than through rewriting the standards themselves.  In their NOPR, FERC made clear that their opinions about IAC weren't meant to prejudge RAI (although they didn't use that term, since I don't think it had been announced yet).

Since attending three regional meetings in late May and early June where IAC / RAI was a big topic, I have wanted to write a post about this.  I even came up with a catchy title: “IAC, RAI: Is NERC SOL?”.  However, various other things have come up that I felt needed to be addressed more urgently.  And, to be honest, this post would require a lot of time (especially reading up on RAI), which I haven’t had.  So this footnote may have to suffice for a discussion of IAC for the time being.  As I mentioned in footnote v, Steve Parker gave a very good discussion of IAC in our webinar two weeks ago, which you may want to listen to.

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.