When FERC said they were going to approve CIP
version 5 in their April 2013 NOPR, I immediately drew the conclusion that CIP
v5 wouldn’t be the next version that entities had to comply with; it would be a
new version 6. My reasoning, outlined in this post, was this:
- Given the tone of
the NOPR, it was clear that FERC wasn’t going to approve v5 unchanged.
- Since NERC’s Rules
of Procedure don’t allow changes to be made to a standard after it has
been approved by the Board of Trustees (and all of the v5 standards were
so approved at the end of January 2013), the changes would have to be in a
“compliance filing” ordered by FERC when they approved v5. The revised standards would have to have
a new version number, which would almost certainly be v6.
- I also didn’t
think it was likely that v5 would ever be allowed to come into effect
before v6. I felt the changes
ordered by FERC (especially removal of the “Identify, Assess and Correct”
language, which FERC strongly suggested they would order when they wrote
the NOPR, and indeed they did mandate in Order 791) would make it almost
impossible to have a smooth transition from v5 to v6. I therefore thought that v6 would “sunset”
v5, just as v5 would “sunset” v4 when it was approved, and the next
compliance version would be v6.
I continued to hold this position when Order
791 came out last November. In a post
two days later, I argued that it was likely that the v6 standards would come
into effect on the same dates as the v5 standards, so they would clearly
supersede v5.
However, after attending the first meeting of
the “CIP Version 5 Revisions” drafting team in February, I changed my
opinion. As discussed in this
post, I was convinced at the meeting, by the smooth-tongued Scott Mix, that there
was really no problem with v5 coming into effect before v6; all NERC has to do
is let it be known they won’t consider IAC in their auditing, and all will be
well.
At that point, my official position became
that v5 would be the next version, followed after some period of time by v6.[i] That is, until I saw the official first
drafts of the drafting team’s work (now being balloted by NERC). Then I realized two things. First, the drafting team hasn’t produced new
versions of all the v5 standards. Specifically,
they have only revised CIP-003, -004, -006, -007, -009, -010, and -011. They have left CIP-002, -005, and -008
exactly as they were. You might wonder
why this is unusual; after all, the latter three standards presumably just didn’t need
changing.
But this hasn’t been the previous
practice. For example, in the CIP v2 to
v3 transition, the only standard that was changed in v3 (I believe) was
CIP-006; yet all of the standards were revised so that there was a “-3” at the
end of them. Similarly, when CIP v4 was
developed, only CIP-002 was changed in substance, but all of the other
standards were revved to v4. The fact
that this hasn’t been done this time means that the next compliance version of
CIP won’t be v5 or v6; rather, it will be the mixture of v5 and v6 standards I’ve
just described.
Is this a problem? No, it isn’t in theory. But it does mean that NERC entities need to
be careful with the version of the standard they’re using. With versions 1-3, you could tell simply by
the “-1”, “-2” or “-3” which version you were dealing with. Now, you need to have a little cheat sheet
telling you that you should always be using the “-6” versions of CIP-003, -004,
-006, -007, -009, and the “-5” versions of CIP-002, -005 and -008. And how about CIP-010 and -011? Those were “-1” in the original v5, but they
have both been revved to “-2”. So you
need to use the latter. And since the
next CIP compliance version will be a mixture of 5 and 6, it may be better to
just call it v5.5 (except I know everyone – including me – will continue to
call it v5).
So I can
guarantee you won’t hear a NERC employee refer to CIP version 6, even though
most of the standards currently being balloted have a “-6” suffix. Instead, it’s “CIP Version 5 Revisions”. Whatever…
At this point, you may ask (and if not, I’ll
ask for you) “Why don’t we just simplify things and bring CIP-002, -005 and
-008 to v6? Then there will be a
complete set of v6 standards, and we’ll just comply with those.” I have to say, that’s an excellent
question. The answer is simple: After
the debacle with CIP Version 4 – then v5 – then v4 – and finally v5, I think
most people at NERC are convinced that if they introduce a new improved CIP
version, they’ll all be strung up from the nearest lamppost by an angry crowd
of NERC entities.
And there is reason for that fear, since the
CIP v4 debacle did result in real
costs to a number of entities. On
the other hand, it simply isn’t the case that v6 is being foisted on the industry
as part of some nefarious plan to generate more paperwork (and perhaps justify
more jobs at NERC?). V6 has only come
about because FERC required changes in v5, and these can’t be included in the
current version. V6 is nothing more or
less than what FERC ordered (I actually wish it were more than what FERC ordered.
For example, I would like to see CIP-002-5 R1 and Attachment 1
completely rewritten. I believe I’ve
mentioned this once or twice before – like in over 20 posts. However, it ain’t happening, meaning we have
to go to plan B. Or C. Or D…. But something
needs to be done).
The second thing I noticed is that, unlike
what I expected, the compliance dates for the new standards are almost all
exactly the same as they were for the “classic” version 5 standards – that is,
High and Medium impact facilities need to comply on April 1, 2016, while Lows
need to comply on April 1, 2017. This
may be hard to see from the wording of the new Implementation
Plan, but hear me out. For most of
the standards, the plan reads like this:
Reliability Standard CIP-003-6
shall become effective on the later of April 1, 2016 or the first day of the
first calendar quarter that is three months after the date that the standard is
approved by an applicable governmental authority.
So CIP-003-6 will become effective on April
1, 2016 (the same day as CIP-003-5, of course), unless FERC doesn’t approve it
until January 1, 2016 or later. And what
is the chance that the latter will happen?
Very small. Since the new
standards will all be presented to FERC by the beginning of February of next
year, and since FERC is likely to be happy with them (after all, these new
standards are simply what FERC ordered, and FERC staff members have been riding
herd on the SDT to make sure they produced something the Commissioners would
like, although I’m sure they were always careful to say they didn’t know what
the Commissioners would like), it is very
unlikely that FERC won’t approve them fairly quickly, and certainly before
January 1, 2016.
In other words, there will be no v5 standards
that will come into effect, only to be superseded by v6 standards. The three v5 standards that don’t have v6
versions will remain in effect, and in fact the compliance dates for v5.5 are
for the most part unchanged from those of v5.
Of course, this being NERC, there are
exceptions to the statement that the compliance dates are the same for the v6
standards as for their v5 predecessors.
Here are the exceptions:
- This really isn’t
an exception, but compliance with CIP-003-6 R2 – the only requirement that
applies to Low impact assets – is due on April 1, 2017 (the same date as
CIP-003-5 R2) or nine months after the effective date of CIP-003-6 itself. This means that, if FERC doesn’t approve
CIP-003-6 until April 1, 2016 or later, the compliance date for CIP-003-6
R2 will be later than April 1, 2017.[ii] But there is almost no chance that will
happen.[iii]
- CIP-004-6 is the
only v6 standard that requires FERC approval six months before April 1,
2016, in order for it to be effective on that date. Since FERC will get the v6 standards
from NERC in early February, 2015, this means they would have to approve
them before October 1, 2015; if they approve them in the fourth quarter,
then CIP-004-6 will become effective July 1, 2016 (while the other v6
standards will still come into effect April 1). I won’t say this is impossible, although
I still think it is less likely than that FERC will approve all of the v6
standards before October 1.
- There is an
exception regarding CIP-006-6
R1.10[iv]:
For new high or medium impact BES
Cyber Systems at Control Centers identified by CIP-002-5.1 which were not identified
as Critical Cyber Assets in CIP Version 3, Registered Entities shall not be
required to comply with Reliability Standard CIP-006-6, Requirement R1, Part
1.10 until nine calendar months after the effective date of Reliability
Standard CIP-006-6.
This
states that control centers that weren’t Critical Assets under v3 have an
additional nine months to comply with this one requirement part – so their date
is January 1, 2017.
- The next exception may seem small but is probably huge:
Registered Entities shall not be
required to comply with the elements of Reliability Standard CIP-007-6, Requirement
R1, Part 1.2 that apply to PCAs and nonprogrammable communication components
located inside a PSP and inside an ESP and associated with High and Medium
Impact BES Cyber Systems until six calendar months after the effective date of
Reliability Standard CIP-007-6.
This
states that, for the purposes of compliance with CIP-007-6
R1.2, Protected Cyber Assets and “nonprogrammable communication components”
inside an ESP have an additional six months to comply, for an effective date of
October 1, 2016.
- Here is the last exception:
Registered Entities shall not be
required to comply with Reliability Standard CIP-010-2, Requirement R4 until
nine calendar months after the effective date of Reliability Standard
CIP-010-2.
CIP-010-2
R4 is the new requirement for Transient Cyber Assets and Removable Media. This says that the effective date for this
requirement – for all entities with High and Medium assets (the only ones
subject to the requirement) – is January 1, 2017. This is of course a big exception, but
probably reflects the SDT’s estimate of the effort that will be required to
comply with this requirement.
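The effective-date language and the exceptions walked through above can be reduced to a small calculator. This is an added example, not code from the post or from NERC; it assumes the Implementation Plan wording quoted above, reads “first day of the first calendar quarter that is N months after approval” as the first quarter start on or after approval plus N months (the post itself is loose about the boundary days), and uses a constructed FERC approval date.

```python
"""CIP 'version 5.5' effective dates as a function of FERC's approval date.

Added example, not part of the original post. Assumption: the quarter-start
rule is read as 'first quarter start on or after approval + N months'.
"""
import calendar
from datetime import date


def add_months(d: date, months: int) -> date:
    """Add whole calendar months, clamping the day to the target month's length."""
    m = d.month - 1 + months
    year, month = d.year + m // 12, m % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def next_quarter_start(d: date) -> date:
    """First day of a calendar quarter (Jan/Apr/Jul/Oct 1) on or after d."""
    if d.day == 1 and d.month in (1, 4, 7, 10):
        return d
    q_month = ((d.month - 1) // 3 + 1) * 3 + 1  # 13 means January of next year
    return date(d.year + 1, 1, 1) if q_month > 12 else date(d.year, q_month, 1)


def effective_date(approval: date, floor: date, lag_months: int = 3) -> date:
    """'Later of <floor> or the first quarter start <lag> months after approval'."""
    return max(floor, next_quarter_start(add_months(approval, lag_months)))


def v55_timeline(approval: date) -> dict:
    """Compliance dates the post derives, given the date FERC approves the v6 set."""
    apr_2016 = date(2016, 4, 1)
    base = effective_date(approval, apr_2016)       # CIP-003-6, -006-6, -007-6, -009-6, -010-2, -011-2
    cip004 = effective_date(approval, apr_2016, 6)  # CIP-004-6 needs approval six months ahead
    return {
        "CIP-003-6 (High/Medium)": base,
        "CIP-004-6": cip004,
        # Low impact: later of April 1, 2017 or nine months after CIP-003-6 takes effect
        "CIP-003-6 R2 (Lows)": max(date(2017, 4, 1), add_months(base, 9)),
        "CIP-006-6 R1.10 (new Control Centers)": add_months(base, 9),
        "CIP-007-6 R1.2 (PCAs/nonprogrammable)": add_months(base, 6),
        "CIP-010-2 R4 (Transient Cyber Assets)": add_months(base, 9),
    }


if __name__ == "__main__":
    # Constructed approval date: FERC acts in Q4 2015, as the post considers possible.
    for label, when in v55_timeline(date(2015, 11, 15)).items():
        print(f"{label:40} {when:%B %d, %Y}")
```

Feeding it a Q4 2015 approval reproduces the post's reasoning: everything lands on April 1, 2016 except CIP-004-6, which slips to July 1, 2016, while an approval on May 1, 2016 pushes the Low impact date to July 1, 2017 as footnote [ii] describes.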
So there you have it – the timeline for CIP
version 5.5. If somebody creative wants
to put this into an actual visual timeline, I’ll publish it. Otherwise, this is left as an exercise for
the reader.
The views and opinions expressed here are my
own and don’t necessarily represent the views or opinions of Honeywell.
[i] There is a precedent for a smooth transition like the above. When FERC approved CIP version 2 in the fall
of 2009, they ordered a single change – a requirement for providing escorted
physical access to non-authorized visitors to a Critical Asset. NERC developed this requirement, added it to
CIP-006-2, and changed the version number of all the v2 standards to v3. CIP version 2 came into effect on April 1,
2010, while v3 came into effect on October 1, 2010. This transition was possible because there
was nothing changed or removed from v2; just the one requirement was
added. In the case of the v5-v6
transition, that was certainly not the case, so I didn’t see that it would be
possible to have a similar transition happen as had with v2-v3.
[ii] Here’s why I say this: As has just been said, the compliance date for CIP-003-6
will be April 1, 2016 or three months after FERC approval. If FERC waits until April 1, 2016 or later to
approve the standard, then the effective date for the standard will be July 1,
2016 or later. Since that date is nine
months before April 1, 2017, in this case CIP-003-6 R2 would have an effective
date later than April 1, 2017. However,
there is just about zero chance that FERC will dawdle this long in approving
CIP-003-6.
[iii] And this is a pretty significant point.
I had really expected that the new requirement for Lows would have a
compliance date 9 months or even longer after April 1, 2017. Given the number of Low impact assets that
most NERC entities have, it really behooves them to start planning for the Low
compliance effort now. I have had a
couple large entities tell me that, regardless of problems they see with the High
and Medium impact assets, it’s the Lows that scare them – simply because of
their number.
[iv] This requirement is for protection of cabling that connects devices in an ESP, which
itself exits the PSP. It was one of the
four items mandated by FERC in Order 791.