Sept. 22: Yesterday I wrote a post that updates some of the speculation in this post.
I’m not telling anybody anything they don’t know when I say there is huge uncertainty
now over what FERC will do with respect to NERC CIP Version 5. FERC’s NOPR of April
18, 2013 makes clear they intend to approve Version 5. It also makes clear they want changes made to
it. Sounds pretty simple, right? They’ll make some changes and then they’ll
approve it.
As anyone who has been reading my blog posts since then knows, the situation is hardly simple. Under Section 215 of the Federal Power Act of
2005, which gave FERC the ability to impose mandatory reliability standards on
electric utilities through NERC (the “ERO”), FERC can’t do this. They can either completely remand (reject) a
proposed standard or they can approve it without change. Does this mean that, if they want to approve
Version 5, they have to forget their desire to make changes?
No, it doesn’t. At the same time as FERC
approves a standard, they can order NERC to develop a “compliance filing” that
will incorporate the changes they want; they may or may not order this to be
delivered by a particular date. This
happened when FERC approved CIP Version 2 unchanged in 2009. At the same time as they did that, they
ordered NERC to file a new version in 90 days that incorporated a requirement
for logging ingress and egress for visitors to the PSP, as well as a minor
change regarding testing of incident response plans. This became CIP Version 3. Version 2 came into effect April 1, 2010,
while V3 came into effect October 1, 2010 (and remains in effect today, of
course).
This is why the scenario I have been using for Version 5 approval and implementation
(discussed below) called for CIP Version 6 to be the next version that NERC
entities would have to comply with: I thought that only by ordering that a new
version be developed could FERC assure the changes they want will be
implemented. The problem is the new
version will probably take a year or even more to be developed by NERC and
approved by FERC; meanwhile, the long period of uncertainty regarding the next
CIP version (which started in at least 2009) will continue. Through reading and talking with various
people, I have come to believe it isn’t acceptable for the uncertainty to
continue even after FERC approves CIP Version 5 (hopefully this year). The industry wants that approval to put an
end to the uncertainty, so they can focus on planning for and implementing CIP
Version 5 compliance.
In this post, I will first outline my original scenario as well as what I saw as the
only possible alternative to that, which I am calling NERC’s scenario. I will
then outline a possible third scenario (really a range of scenarios) that would
allow FERC[i] to
approve Version 5 without requiring major changes (so Version 5 could still be
the next version that NERC entities had to comply with), while at the same time
getting most of the changes they want.
Does this seem impossible? Just
watch my hands.
My Original Scenario
As described in this
post, my scenario goes like this:
- FERC approves CIP
Version 5, probably before the end of 2013.
- When approving
Version 5, FERC orders a compliance filing from NERC. It will probably incorporate at least
the major changes they listed in the NOPR (listed below in this post).
- The deadline for
the compliance filing will be maybe 9 months or even a year later (the
changes are major, of course), meaning NERC will come back with Version 6
by the third or fourth quarter of 2014.
- FERC will take one
or at most two quarters to approve Version 6, meaning approval before June,
2015. The implementation plan for
V6 will say it supersedes V5, just as the V5 plan supersedes V4.
- Since the
compliance date for High and Medium impact facilities will be shortened to
about one year, that date will be about July 1, 2016.
- Depending on
whether FERC also moves up the implementation date for Lows, that date
will be about July 1 of either 2017 or 2018.
As I’ve already said, I’m no longer so
comfortable with this scenario. There
are two reasons:
- The comments filed
on the NOPR were overwhelmingly in favor of having FERC approve Version 5
without changes. NERC, EEI and
others made the point eloquently that all the back and forth with V4 or V5
had taken a big toll on the industry, and any further uncertainty would
just make that worse. FERC seems to
be very concerned about this problem (as I believe
their recent order extending the Version 4 implementation date shows).
- I had previously argued
that, under my scenario, the uncertainty would end when FERC approved V5 (likely
this year), since the order for the compliance filing would specify
exactly the changes FERC wanted to be incorporated into V6. That, coupled with the fixed deadline
for NERC to develop and approve V6, meant that entities would know exactly
what they had to comply with and when.
The big problem with this argument is that many corporate legal
departments will only let actions be taken (or not taken) on the basis of
FERC orders, not what amount legally to just statements of intent (I wrote
about this problem recently in regard to Version 4, since some IOU’s are
to this day still pushing ahead with their Version 4 implementation tasks
– due to a lack of any order saying Version 4 won’t come into effect). These legal departments won’t consider
Version 6 to be real until FERC approves it in mid-2015 (i.e. at step 4 in
my scenario). At this point, the
Highs and Mediums will only have one year to comply with V5 (since I’m
assuming FERC will shorten the compliance period as they hinted in the
NOPR), and all hell will break loose as a big scramble goes on to comply
in one year – this isn’t good for the industry or for FERC. It is best if FERC’s order approving V5
actually orders the new version, period – and that version subsequently
comes into effect. But that
requires a different scenario from mine.
NERC’s “Scenario”
What does NERC think will happen? They haven’t come out with a specific
scenario, but it’s implicit in their NOPR comments. If FERC listens to them and approves Version
5 unchanged, and that happens in 2013 as I know NERC believes, then V5
obviously will come into effect and not be superseded by a Version 6. The compliance date for High and Mediums will
be around January 1, 2017, and for Lows a year later. FERC might order a new version of CIP
(Version 6), but it won’t have a near-term deadline (and perhaps no deadline at
all). Version 6 will go through the
normal channels for a revised standard: a Standards Authorization Request
(SAR), constitution of a new Standards Drafting Team, drafting by the team, a
round of ballots (there were four for Version 5) and finally approval by the
NERC Board of Trustees. Easily a
three-year process, maybe more. This
means Version 5 will be in effect a minimum of 3 or 4 years, which most people
would argue (I think) is a decent amount of time.
The big problem with this scenario is it
ignores all of the changes that FERC said, in their NOPR, they really
wanted. It assumes FERC will agree to
forget about those changes, or just order them to be included in Version 6
(meaning they will be four years away).
Given the tone of the NOPR, it’s hard to see FERC doing that.
A Third Scenario
If it is possible, we need a third scenario. In it, FERC will need to address two goals: a)
eliminating the prospect of an additional year of uncertainty for the industry
(as happens in NERC’s scenario but not in mine), and b) getting the changes
they want (which happens in my scenario but not in NERC’s). To achieve a), FERC
has to approve Version 5 unchanged and make
clear it will in fact come into effect.
Given that, how do they achieve as much of goal b) as possible? Is it even possible for this to happen?
At this point, it’s important to look at the
four major changes FERC wants in Version 5, and ask how FERC would achieve each
of these in a new scenario. These
changes (stated in the NOPR) are:
1. “Specific, technically-supported cyber security controls” for BES Cyber Systems at Low impact facilities;
2. Shortening the implementation period, at least for Medium and High impact facilities;
3. Two changes in the definition of BES Cyber Asset (removal of the “15-minute” criterion and of the sentence exempting laptops used for less than 30 days within the ESP); and
4. Removal of the “identify, assess and correct” language in 17 requirements.
Let’s start with number one. Change number one wouldn’t have to be in
Version 5 for FERC to approve it. It
could be incorporated in a compliance filing coming soon afterwards (maybe six
months?). In other words, FERC could
approve V5 as it now stands, but require a compliance filing to address item
one. You may now (rightfully) ask, “But didn’t you
say you wanted to avoid a compliance filing that would just prolong the
uncertainty?”
I did, but that wouldn’t happen in this
case. Version 5 would be approved and
would come into effect based on the existing 2-3 year implementation plan. But there would be a single new standard
developed – it might be CIP-012-1 or maybe CIP-003-6 – that would include the
specific requirements that FERC wants for Lows. Since I’m guessing FERC would
give NERC 6-9 months to develop this standard (it won’t be easy, of
course. The industry has long resisted
the idea of specific requirements for cyber assets at Low impact facilities),
it would still be approved well in advance of the implementation date for the
rest of the Version 5 standards. It
might be timed to come into effect after that date, meaning simply that for the
first 9-12 months (allowing a quarter for FERC approval after NERC submits the
new standard) after the compliance date for Lows in V5, the Lows would only
have to comply with CIP-003-5 R2, which requires four policies. When the new standard kicked in, they would
also have to follow whatever specific requirements appeared in that.[ii]
Let’s say the implementation period for this
new standard is three years. Here is the scenario that implements this
change:
- FERC approves
Version 5 at the end of 2013. Since
they approve it unchanged, the implementation dates remain as they currently
read (two years for High/Mediums, three years for Lows).
- At the same time,
FERC orders NERC to develop the new standard and deliver it to them within
nine months.
- By September 30,
2014, NERC delivers CIP-012-1 (or CIP-003-6) to FERC.
- Medium and High
facilities will have to comply with CIP-002-5 through CIP-011-1 about
January 1, 2016. Lows will have to
comply about January 1, 2017.
- Lows to comply
with the new standard around January 1, 2018 (again, this includes the
nine months NERC takes to develop the new standard and submit it to FERC,
and the three months FERC takes to approve it).
How about the second change FERC wants:
shortening the implementation timeline? My
response is: In this scenario, why would they want to do that? I believe FERC threatened in the NOPR to move
up the implementation dates because, when they wrote the NOPR, they were looking
at a scenario a lot like my original one: After they approved V5, there would
be a year or more for NERC to develop V6 and for FERC to approve it. If FERC didn’t shorten the implementation
timeline for High/Mediums in Version 6 (say to one year), Highs and Mediums
would have more than three years from the V5 approval date to comply with V6
(the two years in the implementation plan plus another year while V6 was being
developed). FERC could reasonably argue
that, since they ordered the V6 compliance filing the day they approved V5, any
entity would have known what requirements would be in V6, as well as the fact
that the implementation timeline for V6 would be one year not two. Any prudent entity would have started their V6
preparations upon V5 approval, if not earlier.
I’m sure it was never FERC’s intention that
Highs and Mediums would only have one year from
Version 5 approval to comply with V5; that would have created a huge
problem. I think they really wanted that
period to be two years[iii]. This means that, for FERC to get their
second change, nothing has to change in the scenario just outlined. High/Mediums will have two years from V5 approval
to comply with the next CIP version – i.e. with V5.
How about the third change, in the definition
of BES Cyber Asset (there are really two changes they want in that definition,
of course)? It’s pretty easy, as it
turns out. FERC can simply order the
change as a compliance filing (I’m told the change is really in the NERC
Glossary – meaning this change wouldn’t require a new CIP Version. It seems Definitions that are approved with a
standard – as this one was – all move to the NERC Glossary upon approval of the
standard by NERC, so that’s where this and the other entries in the V5
Definitions document now reside).
The fourth of these changes, removing
“Identify, Assess and Correct” (IAC) from the 17 CIP V5 requirements where it
is now found, is the most problematic.
If FERC really doesn’t want this language in Version 5, it’s hard to see
how they can approve V5 at all – if, as we’re assuming in this scenario, they
really do intend for V5 to come into effect.
After all, it’s written into 17 of the most problematic requirements in
Version 5.
Is there some way FERC could approve V5, with
all of the IAC language, while still “removing” it in another way? If there isn’t, this whole post has probably
been for naught: FERC really is caught between my and NERC’s scenarios, and
there is no “third scenario” as I’ve tried to show here.
As you’ve probably guessed, I think there is
a way FERC can do this (and now the plot really thickens, I’ll warn you). It’s important to note that Identify, Assess
and Correct has more to do with how a requirement is enforced than with the requirement itself. That is, IAC is in essence “grafted on” to
regular requirements. For example,
requirement part[iv] 2.1
of CIP-007-5 (which deals with patch management) reads:
(The entity must have) A patch management process for tracking, evaluating, and
installing cyber security patches for applicable Cyber Assets. The tracking
portion shall include the identification of a source or sources that the
Responsible Entity tracks for the release of cyber security patches for
applicable Cyber Assets that are updateable and for which a patching source
exists.
However, Requirement R2, the “parent”
requirement for 2.1, reads:
Each Responsible Entity shall
implement, in a manner that identifies, assesses, and corrects deficiencies,
one or more documented processes that collectively include each of the
applicable requirement parts in CIP-007-5 Table R2 – Security Patch
Management.
I think you’ll agree with me that 2.1 could
easily stand on its own, even if it weren’t part of R2. In fact, it was originally on its own. IAC was added to seventeen of the V5
requirements only in mid-2012, more than a year and a half after the first
formal draft of V5. IAC is literally a
description of the manner in which the
entity has to implement[v]
2.1, not part of 2.1 itself (and the same goes for the other 16 V5 requirements
with the IAC language).
How does this help FERC? Because their problems with IAC could
potentially be eliminated by a change other than changing the 17 requirements
themselves. Again, this would eliminate
the additional year (or thereabouts) of uncertainty while the standards were
being rewritten for a compliance filing.
In other words, FERC could perhaps order a change in how the 17 IAC
requirements are enforced, while leaving the wording of all the V5 requirements
the same as it is now.
There are probably multiple ways this change
could be accomplished, but one was suggested by the consulting firm Encari in
their comments
on FERC’s NOPR. You are encouraged to
read those comments, but I will also share with you part of an email that Mark
Simon sent me, summarizing their argument.
Mark is a Compliance Consultant with Encari.
Encari suggests the IAC problem could be
addressed, from FERC’s perspective, by eliminating references to IAC in the
Version 5 VSL table. Here is what Mark
says in an email:
In general, for CIP v1-v4, I view
the VSL Table as the source of the problem with zero-tolerance for CIP
violations. I also believe CIP v5 ineffectively addresses this problem by
replacing measures of violations in the VSL Table with a no-violation policy so
long as IAC is deemed present. The problem with IAC is that auditors have
too much leeway in how they will measure it; either they will see and love it,
or they won't see it as anything more than a poor excuse for maintaining
compliance.
IAC is a great concept when it is
uncoupled from the concept of measurement. We did not recommend its
removal from the standards themselves, just the VSL Table. Leaving IAC in
the standards formalizes the recognition of IAC as a mitigating factor (culture
of compliance) for violations, but it cannot or should not be used to measure the
severity of violations.
You don’t necessarily have to follow every
nuance of Mark’s statement in order to get the main idea of what I’m saying:
there are ways that FERC can get around their problem with Identify, Assess and
Correct in V5, without having to order a new version be developed. Encari suggests changes to how the VSL’s are
written.[vi] However, there might be other changes that
could accomplish the same purpose (e.g. changes to instructions to auditors on
how to audit requirements with IAC[vii]). So the fourth major change that FERC
mentioned in their NOPR also doesn’t pose an insurmountable barrier to
approving Version 5 without changes (and intending for it to come into effect).
To summarize this discussion of FERC’s four
changes, I believe FERC could still get all of them without having to order
NERC to develop a new compliance filing that substantially rewrites all the
Version 5 standards – a filing that could easily take a year to develop and get
approved by the NERC ballot body and would lead to further uncertainty, which I
believe is no longer tolerable.
How does the IAC discussion change the Third
Scenario outlined above? Here is the
final version of that scenario:
- FERC approves
Version 5 at the end of 2013. Since
they approve it unchanged, the implementation dates remain as they
currently read.
- At the same time,
FERC orders NERC to develop the new standard for Lows (CIP-012-1 or
CIP-003-6) and deliver it to them within (maybe) nine months. This addresses the first change that
FERC wants to see in V5.
- Also at the same
time, FERC orders NERC to change the definition of BES Cyber Asset in the
NERC glossary. This addresses the
third change FERC wants to see in V5.
- Also also at the
same time, FERC orders NERC to redraft the VSL tables so that references
to IAC are removed from the VSL’s for the 17 requirements that now include
IAC. This addresses the fourth
change. FERC gives NERC 90 days to
do this, but this shouldn’t require a new version number for CIP. NERC delivers this in the first half of
2014.
- By September 30,
2014, NERC will deliver CIP-012-1 (or CIP-003-6) to FERC. FERC should approve it about three
months later.
- Medium and High
facilities will have to comply with CIP-002-5 through CIP-011-1 about
January 1, 2016.
- Lows will have to
comply with V5 (probably including CIP-003-5 R2) around January 1, 2017.
- Lows will have to
comply with CIP-012-1 or CIP-003-6 (i.e. the new standard requiring specific
controls) around January 1, 2018.
Finally, the Summary!
As has happened before, this has been a much
longer post than I thought it would be, so I’ll summarize it now. Until recently, it seemed to me it was
inevitable there would be a long period of continued uncertainty even after
FERC approves CIP Version 5, during the year or so that NERC will be developing
Version 6. But it seemed to me this was
inevitable, because I didn’t think there was any way that FERC could make the
changes they seem to want to make in V5, without having NERC take a year or so
to make substantial changes – in what would be Version 6. In my original scenario, Version 6 would be
the next version NERC entities would have to comply with, and that would take a
fair amount of time to develop.
The only alternative I saw to this was NERC’s
“scenario”, which included FERC’s approving CIP Version 5 as is, with no
compliance filing required. This would
be great from NERC’s point of view but seemed very unrealistic, since it would
require FERC to forget the major concerns they raised about V5 in their NOPR.
However, through reading and discussions with
various parties I have come to believe it is simply unacceptable that there
continue to be uncertainty much longer regarding CIP Version 5. I have also come to believe there is a
possible third scenario (more specifically, a range of possible scenarios) that
would allow FERC to approve V5 and still achieve the major changes they seemed
to be asking for in the NOPR.
What’s the moral of this story? If you’re FERC, you can literally have your
cake and eat it, too.
[i]
I realize that the title of this post is open to amendment since Jon
Wellinghoff is retiring as FERC chairman, and Ron Binz will replace him once he
is confirmed by the Senate. However, I
thought WWWD had a better ring to it than WWWOBD – What Will Wellinghoff or
Binz Do? Oct 5: Well, I guess it will be Wellinghoff for a while longer, until the President can find a new candidate foolish enough - I'm sorry, I meant to say qualified enough - to go through Senate confirmation.
[ii]
An Interested Party and I have discussed this issue and have agreed to disagree
(actually, I’m not sure he agreed, but – hey, it’s my blog after all). He thinks that for Lows to comply with
CIP-003-5 R2 as now written (i.e., having four policies), and then turn around
9-12 months later and comply with a new standard with specific requirements,
would be unworkable. I don’t agree with
that, but if it were true, there would be a remedy: NERC could just say they won’t
audit the Lows on compliance with CIP-003-5 R2, since it could be considered as
being replaced by the requirement(s) in the new standard.
[iii]
At this point, I need to point out that I have not had input from anybody at
FERC on anything in this post – even though the whole post is speculation about
what they’ll do. I do have friends on
the FERC staff, but I would never put any of them in the position of losing
their job by asking them to provide me some inside information (and they would lose it, beyond a doubt). Plus there is the issue: What would be the
value of any insider information I received?
The staff members don’t make decisions for the Commissioners, and are
frequently as surprised as anyone else by those decisions. And the Commissioners aren’t even allowed to
talk to the other Commissioners about anything relating to their decisions (this
must make for some strange lunchroom conversations – all about the weather, how
the Nationals are doing, etc), let alone some scruffy blogger.
There have been a couple people who seem to think I
have such inside information about FERC.
I hate to disappoint them, but I don’t.
In this and other posts, I’m only trying to go through some of the logic
that the Commissioners and staff members might possibly also go through, to
come up with guesses about what their decisions might be. If this makes you want to cancel your subscription to
this blog, I’ll be glad to refund every cent you paid.
[iv]
“Requirement part” is the new term for “sub-requirement” in all new NERC
standards, not just CIP V5. For an
explanation of this change (which has much more behind it than just a
preference for the new words), see my post
on Scott Mix’s recent presentation to TRE.
[v]
And by implication, it is a description of how the entity will be audited for
compliance with 2.1 and the other IAC requirements. Of course, this is what FERC doesn’t like
about IAC. For a good discussion of this
topic, you should listen
to Steve Parker of EnergySec’s discussion in the recent joint Honeywell /
EnergySec webinar on Version 5. Some
clown blabbers on for what seems like an eternity before Steve starts;
fortunately, you can fast forward past him.
[vi]
Since the VSL tables are independent of the standards, I don’t believe that,
for FERC to order a change in them, a rewriting of the standards themselves would
be required. FERC could order NERC to
provide updated VSL tables in a short-term compliance filing (probably 90
days). The job of doing this would
probably fall to one or two NERC staff members.
They would need to remove the references to IAC in the VSL’s for those
17 standards. This might still need to
be balloted, but I would think it’s doable in 90 days.
[vii]
My Interested Party friend doesn’t agree with Encari that this change would
solve the problem. He thinks that
auditors would still have to audit compliance with IAC, as long as the IAC
language is in the requirement. Mark
retorts that this shouldn’t matter, since any audit finding that an entity had
violated IAC for a particular requirement wouldn’t result in a penalty since
there would be no VSL covering it (that is, once NERC had changed the VSL
tables per FERC’s order); he doesn't think there can be a penalty without a VSL covering the violation. And the IP retorts to Mark that "There
are numerous instances where a violation has been found and upheld even though
the VSL did not include language specific to the facts and circumstances of the
violation." If this discussion continues, I'm going to open up a new post for it - this is really about the role of VSL's, not about IAC.
However, regarding IAC, it is clear that, even though Encari's proposal may solve FERC's problem, it doesn't save what many NERC entities were hoping would be one of the big benefits of IAC: not having to report every single violation, no matter how inconsequential, of the underlying standard. I'm afraid that, if FERC was serious about what they said about IAC in the NOPR, this hope will be frustrated for now (Encari's proposal would limit the damage by at least allowing IAC to be considered as a mitigating factor in assessing penalties). But there is possible hope on the horizon, in the form of the Reliability Assurance Initiative (RAI), a program NERC is discussing
that would essentially bring IAC to all NERC standards, not just CIP - and it would do it through how the standards are audited and enforced (CMEP), rather than through rewriting the standards themselves. In their NOPR, FERC made clear that their opinions about IAC weren't meant to prejudge RAI (although they didn't use that term, since I don't think it had been announced yet).
Since attending three regional meetings in late May and early June where IAC / RAI was a big topic, I have wanted to write a post about this. I even came up with a catchy title: “IAC, RAI: Is NERC SOL?”. However, various other things have come up that I felt needed to be addressed more urgently. And, to be honest, this post would require a lot of time (especially reading up on RAI), which I haven’t had. So this footnote may have to suffice for a discussion of IAC for the time being. As I mentioned in footnote v, Steve Parker gave a very good discussion of IAC in our webinar two weeks ago, which you may want to listen to.
All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.
No one would ever write a post this long. You realize it's almost 5,000 words? Almost a novella. Anyway, for those who need to know, utterly indispensable. You do us all a great service, Tom. Many thanks. ab
Thanks, Andy. I'm currently in therapy for People who Write Lengthy Blog Posts. Unfortunately, it doesn't seem to be working....