Many of you will know I have been complaining for quite some time that NERC needs to step forward and start providing some guidance on the many interpretation issues that are found in CIP version 5, and especially in CIP-002-5.1 R1 and Attachment 1 (my particular obsession). I wish to announce that NERC does seem to have taken one step in that direction.
I’m told that NERC has formed a “CIP Version 5 Transition Stakeholders Group”, consisting of representatives of NERC, the eight regions, the six entities that participated in the Transition Study, some drafting team members, and some “industry representatives” (my source thinks the latter may be members of the NERC CIPC). And what is this distinguished group going to do? Well, it seems they’re going to come up with answers to questions about CIP v5 from NERC entities (that would be you) – I’m told you just have to email those to Tobias Whitney or Steve Noess of NERC (I’ll do a post on the questions I would like to ask; anyone who has suggestions they’d like to have me include can email them to me at email@example.com).
What is the legal basis for this group? That’s interesting. I’m told it comes from Section 11 of Appendix 3a of the NERC Rules of Procedure (the page is numbered 43, but it seems to be page 174 of the actual document. Don’t ask me why they couldn’t just number all the pages consecutively). That section, called the “Process for Approving Supporting Documents”, discusses “documents that may be developed to enhance stakeholder understanding and implementation of a Reliability Standard.” Six types of documents are described; the first one, “Reference”, is described as
Descriptive, technical information or analysis or explanatory information to support the understanding and interpretation of a Reliability Standard. A standard reference may support the implementation of a Reliability Standard or satisfy another purpose consistent with the reliability and market interface principles.
And who is authorized to prepare these documents? You’ll be surprised to hear that it is “any entity”. So as long as you’re an entity – that is, you exist – you’re authorized to prepare them (presumably, Peter Pan is excluded. But you could argue even he’s an entity, albeit fictional). It seems the new CV5TSG (remember, you heard that acronym here first!) is as much an entity as anyone else is, so they will take it upon themselves to prepare documents.
Section 11 goes on to say that the NERC Standards Committee “shall authorize the posting of all supporting references that are linked to an approved Reliability Standard.” It seems that any document that meets the definition of “reference” above will be posted. I guess that’s what the new CV5TSG will be doing – preparing references on questions regarding CIP v5.
Is this a good thing? Definitely. Is it going to be enough? Well, that depends on your definition of “enough”. If you’re looking for interpretations of the v5 standards that will serve as mandatory guides to the auditors (and therefore for the NERC entities themselves), you’ll be disappointed. There is no way this group can do Interpretations. As I’ve discussed previously, NERC simply cannot produce official interpretations of any standard without going through the entire Request for Interpretation process, which could easily take two years or more. There is no way that the current interpretation issues with CIP v5 can be dealt with in that time frame; they need to be addressed much more quickly.
But my guess is the group will produce well-reasoned documents that may clarify some important points. I’m told they’ll be similar to the “Lessons Learned” documents that have already been posted, which have been well-written if not particularly earth-shattering. Note that the quote above does say references can “support the understanding and interpretation of a Reliability Standard.” If the CV5TSG actually produces documents that do that, this will be a significant step forward.
But there’s a catch (of course). We’re now just over 18 months away from April 1, 2016, when High and Medium impact assets (and their owners/operators) need to be 100% compliant with CIP Version 5. There are lots of questions that need to be answered (you could go to almost any one of my posts since the end of April 2013 and find at least three or four) quite quickly – especially on CIP-002-5 R1 and Attachment 1, which of course are the foundation for everything else in CIP version 5. How likely is it that this team will be able to address most if not all of the significant questions soon enough for that to be of help – say by the end of this year at the latest?
And here, Dear Readers, is the bad news: I think it’s highly unlikely this will happen. I’m going to spend a little time discussing what’s at stake here:
- Those of you who were involved with NERC CIP compliance four or five years ago know that the NERC CIPC published two very good guidelines on the CIP-002 asset identification process: one on identifying Critical Assets, the other on identifying Critical Cyber Assets (if you need a copy of these, you can email me and I’ll send them to you. Alternatively, you could spend a couple hours looking for them on the NERC website). These were both excellent documents, and the latter still provides good insights into issues like “external routable connectivity” that remain in CIP v5.
- I think it would be great if similar guidelines were developed now, although – given that the identification and classification of “big iron” and “little iron” are so intertwined in CIP-002-5.1 – this would need to be a single document. This would really be the right thing to do, and it is what I have been in part requesting since 2012. But this is simply not going to happen. I believe the two previous documents took around a year to develop, and even if the team started now, the new document would arrive way too late for it to be of help in the initial identification of BES Cyber Systems, prior to the April 1, 2016 date[i] (I keep threatening to write my own mini-version of this document as a post, and I intend to do it soon).
- So the best we can hope for is answers to specific questions. While not being the comprehensive approach I’d prefer (at least for the CIP-002-5.1 questions), it’s certainly better than nothing.
- So what are the questions the new team will be addressing? My contact says efforts are underway on the following topics: a) Grouping BES Cyber Assets into BES Cyber Systems; b) a definitive discussion of the “far-end” transfer-trip relay issue (this was already addressed in an email from Steve Noess, but I guess the new document would be more thoroughgoing and would carry more official weight - although I of course CAN’T call it an interpretation); c) Virtual Systems and VLANs (which has been an issue since CIP V1, so this is certainly needed); d) Disaggregation of BES Cyber Assets at a generating plant (I assume this refers to the fact that BES Cyber Systems identified through what I call the “top-down” approach need to then be disaggregated into their component cyber assets. See this post); and “perhaps” even e) What the word “programmable” means in the definition of BES Cyber Asset (my next post will address this issue, which is a pretty big one, especially for generating plants).
- What will be the pace at which the group turns out these documents? Remember, these are people who all have day jobs. They’ll be meeting once a month (I doubt for more than two days). Even though I know that work is already proceeding on some of these questions (the virtualization question has been under discussion by a group of the NERC CIPC for at least a few months), I sincerely doubt they’ll be able to turn out more than say two documents a month. So the list above can perhaps be completely taken care of this year.
- That’s wonderful, but what about all of the other 5,689 “interpretation” questions on CIP version 5? It won’t do most entities a lot of good to have them addressed even next year, let alone in 2017 or 2018.
- There is another initiative I know that’s going on, which is that NERC is providing uniform training on CIP v5 for all of the auditors in the regions. Again, that’s great and really needs to happen, but is that training really going to address a lot of the other questions that the CV5TSG won’t be able to address in the near future? I can assure you that won’t happen.
So what are we left with for all of the other v5 problems (and now I’m even more motivated to come up with a list of issues that I see. I hope some people will email me their issues as well; I promise to list them all, without attribution of course)? I’m afraid they will ultimately be dealt with using the time-tested NERC method: auditor discretion. Isn’t that wonderful?
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
[i] This doesn’t mean it shouldn’t be done, since entities will always be coming into the CIP program, adding new Medium or High impact assets, etc. But I certainly don’t see any movement to do that, so this is all academic.