Saturday, September 21, 2013

The News from Denver

Nov. 8: It is very likely FERC will approve CIP Version 5 before Thanksgiving, most likely at their meeting on Nov. 21.  Of course, what will be important is the Order they issue with V5.  When that is issued, your reporter will sequester himself until he has figured out what it means, and will post that as soon as possible thereafter.

This week, I was in Denver[i] attending two meetings: the NERC CIPC and EnergySec’s annual Summit meeting.  They were both excellent meetings in their own ways (which are quite different).  The CIPC meetings aren't about cyber security but about all the different efforts under way at NERC to promote physical and cyber security of the BES – including the NERC CIP standards as one important part.  EnergySec’s Summit is all about cyber security of the electric sector, and had one excellent presentation after another on that topic.

In the course of these meetings I talked with a number of people from NERC, the NERC Regional entities, and the utilities.  Of course, a big topic was what will happen with CIP Version 5.  Here are the important things I learned:

  • There is broad consensus that FERC is moving rapidly toward approving Version 5 this fall.  In fact, I’m told it’s very likely they will approve it at their Open Meeting in mid-October.  It seems that if they wait until November or December, they will have a hard time taking such an important step because of the holidays.
  • Does this mean that the four-year period of uncertainty over the next CIP version will finally come to an end?  Well, no.  One piece of uncertainty that will end is whether CIP Version 4 will come into effect.  Approval of Version 5 will activate the V5 Implementation Plan, which will result in the immediate death (unlamented, to be sure) of any chance that V4 will come into effect.
  • However, it seems likely that, at the same time FERC will approve Version 5, they will order NERC to come back – in maybe 6 or 9 months – with a compliance filing (i.e. new CIP version) to address problems they see in Version 5; this will be CIP Version 6, and will be the next version that NERC entities have to comply with (since V6’s implementation plan will kill V5, just as V5’s plan will kill V4.  There’s a wonderful symmetry in the NERC/FERC world).[ii]
  • You might ask, “Aren't you happy about this, since you've been saying for a while that this would happen?”  And I would answer, “No, I’m not.”  I have come to realize lately that the biggest problem in the NERC CIP universe now is the fact that there has been so much uncertainty for so long about the next CIP version.  As I discussed (at seemingly interminable length) in a recent post, the only way this uncertainty can finally come to an end is if FERC approves Version 5 and that is the next version that actually comes into effect.  That obviously won’t happen if FERC approves V5, but then orders up yet another version of CIP.
  • I must distinguish here between the uncertainty that lawyers feel and the uncertainty the rest of us mere mortals feel.  When FERC approves V5 and orders up V6, we mortals will have all we need to be quite certain about the future.  This is because FERC will a) specify a date that NERC has to return Version 6 and b) specify what they want in V6.  NERC will have to do what FERC wants (of course, this is all “voluntary”, since it will be done by a vote of the NERC Board of Trustees, and hopefully the membership as well.  This is a rather Orwellian use of the term voluntary.  “I put a gun to your head.  You will voluntarily do what I tell you, or I’ll pull the trigger.  But the choice is yours, so it’s voluntary.”).  There won’t be any actual uncertainty.
  • But lawyers don’t think that way.  They tend to think – bless their hearts – that if something hasn't been put in the form of a law or an Order, it isn’t real.  This is of course why to this day there are still some entities that are working on CIP Version 4 compliance, even though FERC made it very clear in their NOPR in April that they won’t let V4 come into effect.  The problem is, that is only a statement of intent; there is an actual Order (Order 761) that says that V4 will come into effect next year, and until a new Order changes that, some legal departments require that V4 efforts continue.
  • So these legal departments aren't going to be satisfied when the compliance people assure them, “Don’t worry, we’re convinced that NERC will produce Version 6 just as FERC wants it, and before the deadline they say they want it by.  We should go ahead and start complying with Version 6.”  The lawyers will tell them, “When FERC approves Version 6, you can start complying with it.  Until that day, you will work on compliance with the currently-approved version, which is Version 5.”  This may not be so terrible, since V6 will be a lot like V5 (with one big exception, as discussed below), but it will be unfortunate that there still won’t be real certainty until probably the summer or fall of next year (I have been saying there would soon be certainty on the next CIP version for the past 3 or 4 years – so you should take what I say now with a shaker full of salt.  Something else could well come up that will extend the uncertainty further than that.  This “just wait ‘til next year” attitude is one of the environmental hazards of living for a long time in the same town as the Chicago Cubs).
  • If you’re one of the two people who actually read all the way through the recent post I just mentioned (as opposed to just saying you did), you will know I asserted there are ways that FERC could get all of the major things they indicated (in the NOPR) that they want in the next version, without having to require an immediate CIP Version 6.  However, my track record of having the FERC Commissioners take my wonderfully helpful suggestions is zero.  Specifically, I am betting that FERC will decide (if they ever questioned the matter in the first place) that at least one of the things they want can only be achieved through a new version.  Voila, Version 6!
  • And what, you say, are the things FERC really wants changed from V5?  I discussed all of them in the previous post, but I've come to believe that the change FERC most wants is removal of the “Identify, Assess and Correct” language from 17 of the requirements in V5.  In that post, I outlined what I thought was a way they could remove IAC without having to order up a V6, building on comments submitted to FERC by Encari.  However, I've now come to think they won’t listen to Encari on this (don’t feel bad, Encari.  They won’t listen to me, either!). 
  • Now you may ask, “Isn't this good for the industry?  Since the timeline for V6 compliance won’t start until FERC approves V6 late next year, we’ll all get another 9 or 12 months to comply, as opposed to what would have happened if they’d simply approved V5 this year.” To be specific, if FERC approved V5 unchanged this fall, the compliance date for Medium/High impact facilities would be about January 1, 2016, and Lows about January 1, 2017.
  • If FERC doesn't order the V6 implementation plan to be changed from the V5 one, I would agree with this.  However, in their NOPR they said they thought these timelines were too long.  During the week or two that I convinced myself that FERC would approve V5 outright, I came to believe this meant they wouldn't change the compliance date, since anything earlier than the dates just mentioned would be literally impossible for most NERC entities to achieve. 
  • However, I’m not sure FERC will feel generous enough to let the V5 timeline be replicated in V6, given that just developing and approving V6 will take about a year.  I am guessing FERC will shorten both the Medium/High and Low compliance periods by about a year.  If it were to take a year for NERC to develop V6 and FERC to approve it, and if the compliance periods were also shortened by a year in the V6 implementation plan, then the compliance dates would obviously remain what I just suggested above: about January 1, 2016 for Mediums/Highs and January 1, 2017 for Lows.[iii]

The moral of this story?  There are four:

  1. You should circle October 17 on your calendar.  This is the day of FERC’s Open Meeting, where they’ll announce they’re approving Version 5 – if they do so in October.
  2. You won’t ever have to comply with Version 5, any more than you will with Version 4.  Your next CIP compliance version will be 6, and it will probably be approved by FERC in the fall of 2014.
  3. Version 6 will have the IAC language removed, so it will be based on the much-loved “zero tolerance” approach of the previous CIP versions.[iv]
  4. I’m betting maybe $5 (that’s a big bet for me) that the compliance timelines will be shortened in Version 6, so they will be effectively what they would have been if FERC approved V5 outright this fall.
All opinions expressed in this post are mine, not necessarily those of Honeywell International, Inc.

Oct. 23: I have just updated my previous post that speculates on the actual compliance dates for V5/V6. You can see that here.

[i] We've all heard about the flooding in Colorado, but I learned some pretty amazing details from a person in the Colorado Public Utility Commission who is working hard on trying to restore electric service.  He said this wasn't a 100-year flood; it was a 1000-year one.  He said the previous record one-day rainfall in Colorado was four inches.  This time, there were some areas that got ten inches in one day.  When you get those huge volumes of water rushing down through those mountain canyons, you’re in a lot of trouble.

[ii]  An Interested Party pointed out to me that CIP Version 3 was ordered as a compliance filing when FERC approved Version 2, and both standards ended up coming into effect - V2 on 4/1/2010 and V3 on 10/1/2010.  However, V3 in no way conflicted with V2 - it added a requirement for escorted access in the PSP and another small change.  Since I believe FERC will order the "Identify, Assess and Correct" language be removed in V6, this would constitute a very substantial change.  How could they possibly allow V5 with IAC to be in effect for a year or so, followed by V6 without IAC?

[iii] A CIP compliance manager sent me an email this week reminding me that the V5 compliance plan is actually hugely more complicated than just two dates.  There are about 15 sub-requirements that have separate compliance dates from the other requirements.  Implementing CIP Version 5 will be much more complicated than implementing any previous version, with the possible exception of V1 (with its infamous Tables and the different stages on the road to compliance).  I will have another post on this issue, but I’ll wait until FERC issues their order.

[iv] Even though IAC won’t be in CIP Version 6, all is not lost for the idea of focusing on having a program to “identify, assess and correct” deficiencies, rather than on every single tiny deficiency itself.  NERC’s Reliability Assurance Initiative will endeavor to accomplish the same goal – and not just for the CIP standards, but all NERC standards.  It is possible that RAI will be in place by the time the CIP V6 compliance date rolls around.  It is also possible that FERC will put the kibosh on RAI for the same reasons as IAC (although they did point out in their NOPR that their obvious dislike for IAC doesn't necessarily extend to RAI, which is still being defined).

Notice: Honeywell has produced three white papers on CIP Version 5 - what's in it and how you can comply with it.  They aren't posted yet, but to get copies, just email me at


  1. I'm not a lawyer, nor am I fond of lawyers, but in fairness to lawyers, I think you should realize that it's not just lawyers that are focused on compliance with v4 until it is rescinded by FERC action.

    State public service commissions (PSCs) routinely audit utility expenditures, and do not hesitate to deny cost recovery for compliance expenditures that are not required by duly approved rules and laws. But so long as a rule is valid, i.e. CIPv4, the legal entities have an obligation to comply and can be penalized for failing to do so. Penalties for failure to comply can also have negative cost recovery repercussions.

    So in addition to lawyers, it's accountants, compliance groups, technical staff, and management that continue to follow a course of action that is perceived to be "prudent" in the eyes of the PSC with jurisdiction.

    1. Very good point! I hadn't thought of that.

  2. 10/17: FERC didn't approve Version 5 in their meeting today. Their next meeting is 11/21, so look for it then. Otherwise, December is very likely. At NERC's GridSecCon this week, they were still quite sure V5 would be approved this year.