FERC Order 791

Dec. 15: For an update to this post, based on information from the NERC CIPC meeting in Atlanta last week, see this new post.

FERC issued Order 791 on Friday November 22, approving NERC CIP Version 5.  If you’re looking for my rating, I guess I give it 1 ½ thumbs up.  What it does, it does well.  However, it doesn’t do everything I had hoped it would do.  For more on this, read on.  Note that page numbers below refer to the page numbers in the Order itself, not what Adobe Reader™ will show you when you read the PDF version.

As I and others have suspected for a while, FERC is requiring that NERC develop a new version of CIP, even though in the Order they always speak in terms of changes to Version 5.  However, they can’t both approve Version 5 and order it changed.  The changes have to appear in a new version, which will be based on V5.  I believe that version will be called CIP Version 6. 

NERC is to deliver the new version within one calendar year of the effective date of CIP Version 5 (meaning it has to be drafted, balloted by the NERC membership and approved by the Board of Trustees).  On page 145 of the Order, FERC says the effective date will be 60 days after publication of their Order in the Federal Registry.  Since orders are usually published in a few days, this means the effective date of the Order will be in late January, 2014.  So FERC wants the new version by January, 2015.  

FERC directed that NERC include several changes in the new version, which I discuss in sections 1 through 3 below.  The remaining sections of this post discuss other directives (or in two cases, non-directives) in Order 791.

1.  “Identify, Assess and Correct”

The Identify, Assess and Correct language (hereinafter IAC) was one of the signature features of CIP Version 5 when it was approved by NERC.  In their NOPR of last April and again in Order 791, FERC expressed grave misgivings about that language (which is found in 17 requirements in V5).  They made it very clear they find too many ambiguities in the whole idea, and they feel that NERC hasn’t adequately explained how the IAC process will work.  The discussion is quite interesting and worth reading, but I won’t discuss the details here (it starts on page 25 of the Order).

Of course, a lot of people are going to be disappointed by the death of IAC (although they shouldn’t be surprised that it happened, if they read my post in September as well as a couple previous ones).  But I actually think FERC’s discussion should give them more than a few rays of hope.  This is because FERC makes a point of talking nicely about the NERC Reliability Assurance Initiative (on page 42 of the Order).  They say “..the Reliability Assurance Initiative process when fully developed may afford a consistent, informed approach that provides incentives for entities to develop robust internal control programs.”

Briefly, the RAI will essentially do what IAC was intended to do – move the enforcement process from being based on zero tolerance for even the slightest, most insignificant infraction to making sure the entity has a robust program for compliance.  It will not require changes to the standards at all (and it will ultimately apply to all the NERC standards, not just CIP) but rather to the CMEP, which is NERC’s Bible for monitoring and enforcement of compliance.  As far as I know, this is the first time FERC has provided encouraging words about RAI (they mentioned it, although not by name, in the V5 NOPR, but there really wasn’t much information on RAI available last April.  A lot of information has since come out, and a few of the regions are already piloting RAI).

So here’s the hope: If RAI is implemented for CIP before the implementation date for V5, then it really doesn’t matter that IAC isn’t in the language.  You’ll effectively be audited based on IAC anyway.  Of course, there is still a lot of possibility for slippage in this scenario, so I’m not going to place the go-for-broke $5 bet that I normally place when I am quite certain something will happen.[i]

One other interesting point from the IAC discussion: FERC clearly thought NERC didn’t fight hard enough for IAC.  And I have to agree with them.  I was very surprised, when I read NERC’s comments on the NOPR submitted in June, that they were proposing to clear up the enforcement questions that FERC raised in the NOPR - six months after FERC approves V5!  In essence, they were telling FERC, “We admit there are a lot of things that need to be cleared up.  First you approve V5 (with IAC of course), then we’ll clear them up.” 

Such a deal – does anyone wonder why FERC didn’t take it?  If NERC had been really serious about this, they would have busted a__ to clear up the ambiguities this summer, so FERC could have had that information before they made their decision; did they really think that FERC would just trust that NERC had the enforcement all figured out, and just didn’t have the time to write it down before FERC approved V5?  It really seems as if NERC had given up on IAC (perhaps because RAI was moving forward), and didn’t think it would do any good to make much of an effort to change FERC’s mind on it.  They may well have been right, of course; I for one think that, given FERC’s language in the NOPR, there wasn’t much chance of saving IAC.

The bottom line is FERC didn’t change their mind about IAC.  They state on page 40 (paragraph 70), using the driest of humor, “NERC’s proposal that the Commission approve this language in numerous requirements of the CIP version 5 Standards, while postponing a detailed explanation regarding the understanding, compliance implications and proper implementation of the proposed language to a future time, is an inadequate approach.” 

2. The Lows

I had the most admiration for FERC in the way they dealt with Low impact assets.  I thought they a) listened carefully to the comments on their NOPR statements about Lows and adjusted their position accordingly, and b) came up with a solution that makes clear what they want but allows NERC a lot of flexibility in how they achieve that.

FERC said two important things about Low impact assets in their NOPR.  The second (but easier to deal with, so I’ll discuss it first) was their questioning of the language in CIP-002-5 and CIP-003-5 saying that an inventory of cyber assets at Low impact facilities isn’t required.  FERC clearly thought in April that an inventory was needed to protect the Bulk Electric System (or the Bulk Power System, since FERC always uses that term). 

However, the comments they received in June were overwhelmingly against this, because of the huge effort it would take to conduct this inventory (at least for some entities, such as the large government entity that said at a WECC meeting that they had potentially 350,000 cyber assets that would have to be inventoried.  I also know other entities that have had this inventory all along, as a matter of good security and asset management practice).  FERC listened to those comments, and changed their mind.  They state clearly on page 65 of the Order that they don’t think it would be a good idea to require an inventory for the Lows.

The second proposal FERC made about Lows in their NOPR (page 38) was “we propose to direct NERC to develop a modification to CIP-003-5, Requirement R2, to require responsible entities to adopt specific, technically-supported cyber security controls for Low Impact assets, as opposed to the proposed unspecified policies.”  Of course, the comments about this proposal were as negative as they were about inventory.  It’s interesting to see how FERC dealt with this.

Note that, in the NOPR, they were looking for specific controls; I and most people interpreted that to mean they were going to ask NERC to write some specific requirements for Lows (I thought they would be pretty basic, like requirements for a firewall, for locks on the doors, etc).  But that doesn’t seem to be what FERC had in mind (or at least, it’s not what they have in mind now.  It’s not worth using up perfectly good electrons worrying whether or not this constitutes a change in their opinion since the NOPR).

In the Order, (starting on page 61), FERC says “…while we do not require NERC to develop specific controls for Low Impact facilities, we do require NERC to address the lack of objective criteria against which NERC and the Commission can evaluate the sufficiency of an entity’s protections for Low Impact assets.”  So the problem now is having criteria by which NERC and FERC can judge whether an entity is actually protecting its Lows properly.  FERC gives three options to NERC, although they say that other approaches might work as well.

The first option (page 64) is that NERC could define a set of “control objectives” for Lows, but not specific controls.  I believe an example of this might be requiring that the entity take steps to protect the PSP without requiring specific technologies like card readers or specific procedures like escorting of visitors.

The second option is that NERC could require specific controls that would apply to particular sub-categories of Low impact systems (so there might now be Low-Low, Medium-Low and High-Low systems, with specific controls perhaps only being applied to the latter).  I don’t think this option will get a warm reception at NERC, since it’s hard to see how it could be audited without requiring a cyber asset inventory.

The third option is that NERC could “define with greater specificity the processes that responsible entities must have for Low Impact facilities under CIP-003-5, Requirement R2.”  In other words, rather than simply require entities to draw up and implement four policies (with no specification of what is in them, as is the case in CIP-003-5 R2 now), NERC could be more specific about the processes that entities need to require in those policies.[ii]

Note that both the first and third options would not require controls that apply to particular cyber assets, which is the big show-stopper for NERC.  As long as controls (or criteria) are just on the site level, I think some can be found that will be acceptable to the membership.[iii]

That being said, I see this whole discussion about Lows as being the most important that will occur as NERC drafts the new CIP version, one which will generate (no pun intended) a lot of interest among the membership.  I think the new SDT meetings on Version 6 may have to be held in Madison Square Garden.  They will certainly be very interesting.

3. “Transient Devices”

The definition of BES Cyber Asset now includes the following parenthetical expression: “(A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.)”.  I don’t need to remind you that the definition of BES Cyber Asset is fundamental to CIP Version 5, and the Definitions document that contains it is part of the V5 standards, and has to be approved by FERC.

FERC questioned the wisdom of this provision in their NOPR, and they haven’t backed down from that position.  They point out (starting on page 74) that devices like laptops that are used, no matter how temporarily, within the ESP can cause all sorts of havoc if they introduce viruses and worms into the ESP.  I won’t go into the discussion here, but it’s worth reading all the arguments in this section. 

Even with these concerns, FERC didn’t direct that the language be removed.  If they had, this would have imposed a big burden on NERC entities, since every device that might ever be used – even for ten minutes – within an ESP would have to be forever protected as a BES Cyber Asset/System (or at least a Protected Cyber Asset). 

However, they did direct NERC to develop a new (or modified) standard that provides for cyber security of transient devices (p.80).  I’m guessing NERC will decide to include this in CIP Version 6 (so it might be called CIP-012-1) – I would think this would be preferable to developing a whole new set of standards. 

4. CIP Version 4

The remaining sections of this post deal with statements included in the Order which aren’t changes to be included in the next CIP version.  One of these statements will hopefully put to rest a longstanding bugaboo: FERC makes it clear that CIP Version 4 sleeps with the fishes.  Of course, simply by approving the Version 5 implementation plan, FERC put V4 to rest.  But they made sure to drive the point home on page 6: “CIP-002-4 through CIP-009-4 will not become effective, and CIP-002-3 through CIP-009-3 will remain in effect until the effective date of the CIP version 5 Standards.^”  I hope this will be enough evidence for the legal departments at some large IOU’s to let their compliance people stop working on compliance with CIP Version 4 and start working on Version 5. 

5. Got 15 minutes?

The definition of BES Cyber Asset begins, “ A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System.” 

In their NOPR, FERC seriously questioned why “15 minutes” is in the BCA definition, since it presumably excludes a lot of cyber assets that can affect a Facility but don’t do so within 15 minutes.  You may know the answer to that question: “15 minutes” is really a proxy for “real-time”.  The SDT wanted to only include devices that immediately affect the Facility but couldn’t find appropriate wording, so they decided to be safe and include everything that could affect it within 15 minutes.

Of course, this shows that no good deed goes unpunished, since FERC then seized on the 15 minutes as the problem – implying that devices that may take 3 or 4 days to affect the Facility should also be defined as BES Cyber Assets.  There were a large number of comments stating that the 15 minute provision absolutely needed to be left in the BCA definition.

And guess what: FERC listened!  They didn’t order that this provision be removed.  However, they did order NERC to undertake a survey to determine how this provision will actually be used, and the impact it might have (including how many cyber assets would be excluded or included through leaving it in).  This survey is due within a year, at exactly the same time as NERC will need to submit Version 6 to FERC.[iv]

6. Just what we needed…a new standard!

In their NOPR, FERC had raised the issue of communications.  The previous NERC definition of cyber asset had included “communications networks” as well as “programmable electronic devices”.  In Version 5, the SDT removed those networks from the definition.  In their NOPR, FERC questioned why this was done, and whether it was putting the BES at any risk.[v]

FERC has now decided that communications networks need to be protected by NERC Reliability Standards – but they’re not ordering that these protections be included in NERC CIP.  Instead, FERC orders NERC (pages 86-87) to develop or modify standards for this.

Unlike with transient devices, I don’t think NERC will include this new standard in CIP Version 6.  Transient devices are computers, and CIP is for protecting computers.  But communications networks are quite different, and I believe NERC will decide to address this in a separate standard, or perhaps as part of the existing COM standards.

7. Mark your calendars

FERC raised three issues in the NOPR that they don’t want to drop, but also don’t want to use to order changes to CIP.  These include “communications security” (which here means communications between devices within a Facility, and whether they should be encrypted or not), “remote access” (specifically whether the provisions in the current CIP Version 5 are adequate or not), and whether CIP Version 5 adequately addresses FERC’s provision in Order 706 to adopt as much of the NIST Risk Management Framework as possible.

It’s not surprising that the comments regarding these three items varied widely.  So FERC has decided (p. 122) to have NERC call a conference within 180 days to discuss these three items – and in a comprehensive manner, as opposed to piecemeal.  The question will be whether these three items need to be included in CIP going forward or not, and perhaps more generally how they can be addressed to protect the BES.

8. I’ve left the best for last

The big question on a lot of people’s minds is the implementation dates for CIP Version 5 (and 6).  When will High, Medium and Low impact Facilities have to comply?[vi]  Well guess what…it isn’t simple.  But when was there anything about NERC compliance that was simple?

What is simple is the timeline for Version 5.  All of the V5 standards say that V5 will become effective “on the later of July 1, 2015, or the first calendar day of the ninth calendar quarter after the effective date of the order providing applicable regulatory approval.”[vii]  Here we go:

1. As I’ve already mentioned, the effective date for V5 is 60 days after publication in the Federal Register, which means sometime in late January 2014.
2. The first day of the ninth calendar quarter after that is April 1, 2016.  This is the date that Highs and Mediums will have to comply with V5.
3. Since the Low date is a year later, Lows have to comply on April 1, 2017.

That’s simple, right?  The real question is, what about Version 6?  Will it supersede V5 (just like V5 has superseded V4), or will V5 come into effect, followed by V6?  And will its implementation plan have the same timeline as the V5 one – 24 months for High and Mediums and 36 months for Lows?

I was expecting FERC to say something about the implementation plan for the new version in the Order, but it is silent on that.[viii]  So let’s assume that Version 6’s implementation plan is just like Version 5’s, except it doesn’t say anything about superseding an earlier plan.  What’s that timeline?

1. FERC has ordered V6 to be delivered to it by January 2015. 
2. Let’s assume FERC takes just less than two quarters to approve V6 (which is reasonable since most of V6 will be the same as V5) – let’s say they approve it on June 30, 2015 (and I know they approved at least a couple CIP versions on the last day of a calendar quarter, which of course meant the effective date was three months earlier than if FERC had waited ‘til the next day – the first day of a new quarter – to approve it).
3. The first day of the ninth calendar quarter after June 30, 2015 is July 1, 2017.  So that would be the compliance date for Highs and Mediums for Version 6.
4. A year later than that would be the Low date, or July 1, 2018.

So think about it.  In this scenario, High and Medium Facilities will have to comply with CIP Version 5 on April 1, 2016, and with Version 6 on July 1, 2017.  What does that mean?  For one thing, it means the entity has to put together a whole compliance program based on Identify, Assess and Correct (remember, FERC just approved Version 5 without change, since that’s the only way they can approve standards); then 18 months later, they have to go back to a “zero-tolerance” program.  Think about what that would entail, in terms of documentation, training, etc.  Sounds like a lot of fun, right?

There’s more.  From the auditors’ point of view, on April 1, 2016 they will need to allow transient devices to be used for up to 30 days within the ESP without any cyber security standards applying to them – even though they know these will be in place the following year and they know what they will be (since V6 will have been approved in 2015).  They will also need to just audit Low facilities based on the four policies required by CIP-003-5 R2, rather than the presumably beefed-up requirements of CIP Version 6.

I realize there are ways these problems can be mitigated.  For example, NERC could say they simply wouldn’t audit based on IAC, and instead would use the old “zero-tolerance” approach.  But what about an entity that thought its compliance program was wonderful and they wanted to be audited to the exact wording of the 17 requirements that have IAC in V5?  NERC would obviously have to accommodate them.  But that would cause a lot more work for the auditors, since they would have to have two different auditing regimes – one for V5 without IAC, one with.

It seems to me that NERC will want to have Version 6 do the same thing to V5 as V5 has now done to V4: send it to sleep with the fishes once FERC approves V6.  Of course, since (in my timelines above), V6 would be approved on June 30, 2015 and V5 wouldn’t become effective until April 1, 2016, this would be perfectly doable.

Does this mean that CIP Version 3 will remain in effect until July 1, 2017?  Well, here you get into politics and game theory.  My guess is that, should NERC decide to have V6 supersede V5, they will also shorten the implementation timeline for V6 so that the compliance dates were approximately what they would have been had V5 come into effect.  Why would they do this?  Because otherwise, Papa FERC (although “Mama FERC” might be more appropriate, since Chairman Wellinghoff made the surprise announcement on Thursday that he will step down next week and Commissioner LaFleur will step in as interim Chairwoman.  Congratulations to Commissioner LaFleur!  I’m sure she’ll do an excellent job; she certainly seems to have a good understanding of the issues surrounding NERC CIP.  And that’s all that matters for FERC, right?) might be unhappy.  They thought they were doing NERC a big favor by not shortening the V5 timeline as they’d hinted in the NOPR; now they will find it effectively being lengthened by a year and a half, unless NERC proactively shortens the V6 timeline.

The bottom line on this: NERC entities need to prepare for compliance with CIP Version 5 or 6 on April 1, 2016 for High and Medium impact Facilities, and a year later for Lows.  You might end up getting a quarter or two more to comply (although you won’t know if this is going to happen for probably a year and a half from now).  But you’re risking big problems if you don’t aim for these dates as of now.

CIP-002-5

A few of you may have noticed that I’ve spilled a few electrons this year (in fact, about ten whole posts) writing about problems with the wording in CIP-002-5, and suggesting that these problems really need to be fixed in order for CIP Version 5 / 6 to have a firm foundation; you may also know I actually rewrote CIP-002-5 and submitted that version to FERC during the NOPR comment period.   And you may not know – but it is true - that I have a lot of readers among the staff at FERC.  So…what did the FERC Commissioners say about this issue in Order 791?

I’ll break the suspense: they said nothing about it.  What does that mean for this idea?  Will NERC still want to rewrite CIP-002 as part of the Version 6 drafting effort?  Well, I highly doubt NERC is going to feel overly motivated to include that in the SDT’s marching orders for Version 6, since those folks will have all the FERC mandates on their plates, and a short deadline to address them all.  I also suspect that NERC couldn’t address these issues in V6 even if they wanted to, since Version 6 will be a compliance filing – its purpose is to address the specific directives in FERC Order 791, not go off on some wild tangents not ordered by FERC.

So maybe the answer is a guidance document?  After all, I think I’ve mentioned that about 100 times since I got on this kick right after the NOPR was issued.  Well, I would still like to see a guidance document, but let’s face it: a guidance from NERC can’t override the wording of a standard.  Let’s say someone interprets CIP-002-5 in a way that seems justified (and given the ambiguities in it, all sorts of interpretations would be justified), but gets a fine because their interpretation didn’t match the guidance.  They can take it to court (since NERC standards are regulatory law); the judge will look at the entity’s actions, agree they were plausible within the wording of CIP-002-5, ask if the NERC guidance document had any legal force (which it wouldn’t), and give them a get out of jail free card.

I continue to see this as a problem, whether or not the FERC Commissioners do.  And I don’t see any good way to address it, other than rewriting CIP-002 as part of the V6 drafting effort (Interpretations carry legal force, but they take a couple years to be approved, and in any case they focus on very narrow issues.  IMHO, there are so many problems with CIP-002-5 that no single Interpretation could fix that standard.  And of course CAN’s have been abandoned).

I’m not at all sure what the solution to this is, to be honest.  I guess sometimes there aren’t solutions.  To quote the philosopher Jimmy Carter, “Life is unfair”.

Here ends my story.  I’d love to hear any and all comments on this.  You can either post them below or email them to me at tom.alrich@honeywell.com.

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

---

[i] FERC actually said on page 43 that modifying the CMEP would be one way for NERC to effectively get IAC without modifying the standards – that’s what RAI would do, although I guess there could be an interim modification just for CIP (i.e. a “partial RAI”), to make sure that was in place before the enforcement date for V5.  In any case, FERC is clearly encouraging NERC along the CMEP path, but also doesn’t think including this language in the standards themselves (like NERC tried to do with IAC) is at all workable.

[ii] I have joked that, the way CIP-003-5 R2 reads now, an entity could have the following as any of the four policies (say the physical security controls policy): “In order to protect physical security, we will provide ice cream to all employees on Thursdays.”  So as long as the entity actually provided ice cream on Thursdays, they would be fulfilling the policy and couldn’t be found non-compliant.

[iii] Not that being acceptable to the NERC membership really is a gating factor here.  NERC has to provide FERC with a new CIP version that includes what FERC wants, period.  If the membership votes down whatever gets drafted, the Board is empowered – in fact obligated – to override the membership.  The Federal Power Act of 2005 leaves FERC holding all the cards here.

[iv] I don’t want to take implications out too far, but it is interesting that both V6 and the survey results are due at the same time.  This means that, if FERC were to look at the survey results and decide a change were needed – perhaps changing the 15 minutes to 15 hours, or eliminating it altogether – NERC wouldn’t be able to include that in V6.  Assuming FERC approves V6, they would need to order a new compliance filing with this change, which would be V7.  And NERC would have to deliver that next….But this way lies madness.  I’m not going to think about this anymore.

[v] In practice, the fact that communications networks were included in the cyber asset definition was meaningless in CIP Versions 1-3, since they were excluded from being covered by the standards.

[vi] As Carter Manucy of FMPA reminded me a couple months ago, there are actually about 8 compliance dates for V5, not just the two I’m accustomed to thinking of: one for Highs and Mediums and the other for Lows.  This is because the V5 Implementation Plan lists separate “initial performance dates” for specific periodic requirements. We agreed that I’ll post his complete timeline, but only after the FERC Order on V5, so it can be more than hypothetical.  I should have this up fairly soon.

[vii] Scott Smith of Portland General Electric pointed something interesting out to me: On page 11 of the Order, FERC quotes NERC’s V5 Petition (which was submitted on Jan. 31, 2013, requesting approval of V5) as saying the standards will be effective on “the first day of the eighth calendar quarter after a Final Rule is issued in this docket.”  NERC obviously hadn’t read their own standards when they wrote this, since every one of the ten CIP Version 5 standards refers to the ninth quarter.  However, since FERC is approving the V5 standards in Order 791, not the Petition, I don’t see this as a legal problem – just some bad proofreading on NERC’s part.

Interestingly enough, NERC made this mistake once before, and it had more important consequences then.  In Scott Mix’s August presentation on V5 before TRE, he mentioned that the V4 standards officially said eight, not nine calendar quarters; so the compliance date for V4 ended up being April 1 2014 rather than July 1. This was a mistake, since the SDT had really intended for the date to be the first day of the ninth quarter.  Scott said the SDT had now learned how to count (which isn’t a bad thing, since half the SDT are engineers).  But it seems the proofreaders still have to learn to read; they obviously didn’t look at the V5 standards when they mentioned eight quarters.

[viii] In fact, the Order always refers to changes in Version 5, even though that can’t happen.  I assume this is some sort of FERC-speak, because they certainly know the rules.  I did go back and review the Order approving Version 2, since that did the same thing as Order 791 does: it approved V2 but ordered a new version with a few changes (much more minor than in this case.  They also gave NERC just 90 days to come back with the new version).  That Order also talked about changes to V2, even though what came back was V3, not a changed V2.