The Timeline for CIP Versions 5 and 6

July 28, 2014: I noticed a lot of people have been going to this post recently.  I think this may be referrals from my recent update of this topic, but if you don't know about that update, please go here.

I attended the first meeting of the NERC CIP Version 5 Revisions Standards Drafting Team in Washington DC February 19-21.  I was glad I did, since it provided a very good perspective on what we can expect to happen with CIP going forward (to the extent that anyone knows, of course – there are a lot of unknowns).  And it was good to be able to discuss various issues with the drafting team members and the observers (there were about 30-35 attendees in all) – even though there won’t be any resolution to those issues for a number of months.

I intend to write two posts about the meeting, one discussing timeline issues and the other discussing everything else I learned there.  Since I think it’s more important to present what I learned about timelines, they will be the subject of this post.  The other will follow soon.

I think most of you already know the timeline for CIP Version 5.  The Medium and High impact assets need to comply by April 1, 2016; the Lows need to comply by April 1, 2017.  Nothing of this has changed.  However, what has changed is my thinking on the likelihood that CIP v5 will even come into effect.

Before I discuss that, I need to point out that the drafting team is preparing a new CIP version, which will most likely be called CIP Version 6.  Those of you who have been reading my posts for a while won’t be surprised by this statement, since I’ve been saying there will be a v6 since my post on FERC’s NOPR last April.[i]   However, everybody from NERC who was at the meeting bent over backwards to make it clear that v6 will not be in any way a “new” standard like v5 is.[ii]  Rather, it is simply v5 with the changes FERC ordered, nothing more.[iii]

I have said several times (including in my post on Order 791) that I don’t think CIP v5 will ever actually come into effect – that it will be superseded by v6, just as v5 superseded v4.  It seemed to me that forcing entities to comply with v5, which has the “Identify, Assess and Correct” language in 17 requirements, couldn’t be followed by requiring compliance with v6, which won’t have IAC (since one of the tasks FERC ordered NERC to do is to remove that language).  This would amount to cruel and unusual punishment and might lead many NERC entities to sue for whiplash. 

I brought this issue up to the SDT during the meeting.  Scott Mix of NERC pointed out to me that it really wasn’t going to be a big problem to do this – i.e. to have v5 come into effect, followed by v6.  NERC will simply need to make sure people understand that they should ignore the IAC language in v5 – and instruct the auditors to ignore it as well.[iv]  And he pointed out there is a precedent for this: When FERC approved CIP Version 1 in Order 706 in 2008, one of the many changes they said they wanted was removal of the language regarding “reasonable business judgment” (i.e. the idea that in some cases an entity could waive strict compliance with the wording of a requirement based on their own judgment of what was reasonable).   Since CIP v2, which removed that language, didn’t come into effect until after the compliance dates for v1, NERC let entities know to simply ignore that language in v1.  This isn’t necessarily a really elegant way to do things (it might not even be legal, although I ain’t no lawyer), but as long as it’s likely to work, that’s fine with me.

The upshot of this is that I was wrong in thinking v5 wouldn’t come into effect.  I now believe it will, and on the dates that have already been announced: April 1, 2016 for Medium and High assets, and April 1, 2017 for Lows.  However, keep in mind that these dates are for compliance only with the requirements in CIP v5 as filed with FERC in January, 2012.  They have nothing to do with the four changes[v] that FERC ordered NERC to make in CIP v5.  Those changes will be in v6.

So when will v6 come into effect?  When I believed that v6 would supersede v5, I also believed there would be an accelerated timeline for v6 – since FERC would look askance at the idea of v5 not coming into effect at all and v6 only coming into effect long after what was supposed to be the v5 compliance date. 

But there is no longer a need to accelerate the v6 timeline a lot – the new requirements in v6 are all completely unknown[vi] at this point, and won’t be known for sure until the end of this year, when NERC intends to have them approved and sent to FERC.  FERC won’t approve them for probably at least six months after that, say the third quarter of 2015. So if compliance with v6 became mandatory on the same dates as compliance with v5 will, High and Medium entities would have no more than 6-9 months from FERC approval of v6 to come into compliance with it on April 1, 2016.  And Lows would have only about a year and a half.  I contend that isn’t enough time at all, given the current complete uncertainty on what the new v6 requirements will be.

So if the SDT agrees with me and decides to keep the v6 implementation plan the same as the v5 one (i.e. “first day of the ninth calendar quarter…”), this would mean the v6 implementation date for Highs and Mediums would be late 2017, and for Lows would be late 2018.  But remember, these dates would effectively just be for the three new sets of requirements that FERC mandated – for transient devices, “communications networks”, and more specific Low requirements.  All the rest of v6 (i.e. what’s identical with v5) will have already come into effect in 2016 (Medium/Highs) and 2017 (Lows).

I do want to discuss the Low impact implementation date in more detail, since there is a lot of interest in that.  I believe it is just about certain that CIP-003-5 R2, the single requirement in v5 that applies to Lows, will still come into effect on April 1, 2017 as currently scheduled.  However, the new Low requirements being developed in v6 will presumably come into effect on the separate v6 implementation schedule that will be determined by the current SDT (and I’m currently guessing the compliance date for these requirements will be late 2018, as I just said).

However, there is one reason why I hesitate in making this prediction.  That is because FERC gave the SDT three or four options for how they will implement FERC’s mandate that they develop specific requirements for Lows.  One of those options is that they simply “flesh out” what needs to be in the four policies that are currently mandated by CIP-003-5 R2[vii]  - i.e. state what must be addressed in each policy.  If the SDT follows this option, then it’s possible that the Low entities would have to implement the fleshed-out policies on the v5 compliance date of April 1, 2017.  I don’t think that would be completely fair (since as I’ve said, the content of v6 won’t be known until the end of this year, and probably won’t be approved by FERC until the second half of 2015), but I guess it could happen.  To quote the philosopher Jimmy Carter, “Life is unfair”.

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

---

[i] While I was right that there will be a v6, I was wrong in my reasons for thinking so.  I thought it was the Federal Power Act itself that forbids any modification of a standard, once it is approved by FERC.  I’ve now learned the real reason is that NERC’s rules don’t allow a standard to be modified once it has been approved by the Board of Trustees and sent to the regulators (FERC and the regulatory bodies in each Canadian province); so the changes FERC ordered – which are of course what the new SDT is working on – need to be in a new standard.  And NERC’s numbering conventions pretty well require that the new version be v6, not v5a, v5.1, or something like that.

[ii] The NERC people are clearly walking on eggshells on this issue.  The community is so upset about the whole “v4…no, v5…no, v4…no, wait a minute, it’s v5 after all” saga that I think they’re worried they’ll be strung up on the nearest tree if they let it be known now that v6 is coming.  But they’re absolutely right that v6 won’t be a major change like v5 was; in any case, it’s mandated by FERC.

It might help if the CIP versions after v1 had been numbered as they should have been: v2 should have been 1.1, v3 should have been 1.2, v4 should have been 1.3 (or something like that).  These were all very incremental changes.  V5, on the other hand, is a major rewriting of CIP, so it should be called CIP v2.  If it were, then v6 could be called v2.1, and nobody would get apoplectic about that.

[iii] There is a small exception to this statement. Steve Noess of NERC did say that, if someone points out a “no brainer” change that should be made in the existing wording – such as changing a word that everyone agrees was the wrong one to use in the first place – the SDT could make it.  Of course, what the SDT won’t do is open up more fundamental issues like the problems with CIP-002-5 R1 that I’ve been bringing up in my posts for nine months or so – they have enough on their plate already.  This just reaffirms what Steve had said in answer to my question about this at the December CIPC meeting.

I have come to agree with Steve on this point; the SDT simply doesn’t have time to open any fundamental discussions of the standards, even if changes are needed to address basic inconsistencies in some of the wording.  This is why I’ve been saying that the problems I’ve been pointing out with CIP-002-5 R1 will have to be dealt with by the regions, in their interpretations of v5.  Fortunately, at least one of the regions does seem to be stepping up to the plate on this, so all may not be lost (however, this isn’t the entire solution, since all of the regions need to agree on a common interpretation.  I will be hearing more about another region’s interpretation this week, and may have more to report on this front soon).

[iv] NERC won’t simply say to ignore the language without explanation as to why, since there is a very good reason.  The reason NERC doesn’t think removal of IAC from v5 is a big problem is that the Reliability Assurance Initiative (RAI) will essentially accomplish the same thing (and for all NERC standards, not just CIP), without requiring any changes to wording in standards.  See my Part II post on the SDT meeting for more on this.

[v] I can name these by heart after all the discussion about them at the SDT meeting: 1) Removal of IAC; 2) Requirements for transient devices used in the ESP for less than 30 days; 3) More-specific requirements for Low impact assets; and 4) Protection of “communication networks”.  I will discuss what was said on each of these in my Part II post.

[vi] What is currently known is that IAC won’t be in v6.  However, even though it will remain in the 17 requirements where it’s found in v5, I’ve already said that NERC will effectively tell all concerned to pretend it isn’t there.  Having it removed in v6 will simply confirm that fact.

[vii] At the SDT meeting, it was pointed out several times that CIP-003-5 R2 says absolutely nothing about what the four policies should be – only that the Low entity needs to have policies for cyber security awareness, physical security controls, etc.  I have been joking that an entity could state that their – say - awareness policy was “Everybody at Headquarters will get ice cream on Thursdays.”  As long as they made sure that those lucky employees got ice cream every Thursday, they would be in complete compliance with that part of the requirement.