Friday, September 19, 2014

The New CIP-002-5.1 RSAW Draft

I wrote lengthily (not that I ever write any other way) and bitterly about the first draft of the CIP-002-5.1 RSAW in this post in late June.  The second drafts of the RSAWs were released this week, so I eagerly downloaded the new CIP-002 document to see whether it would be better.  Surely, I naively thought, there must have been some big improvements.

Boys and girls, I hate to tell you this: The world doesn’t always (or even usually) follow what we may wish.   So I have good news and bad news for you.  The good news is that all of the statements that I found objectionable in the first draft have been removed.  And what’s the bad news?

The bad news is that NERC has replaced those statements with….nothing.  That’s right, nothing.  All of the statements I cited in the original post were found in a set of blue boxes, labeled “Evidence Requested”, “Compliance Assessment Approach” or “Notes to Auditor”.  The first and third boxes have simply disappeared[i].  And the Compliance Assessment Approach box now consists of nothing but a recitation of CIP-002-5.1 R1, preceded by the words “Verify that…” in several places.

It’s hard to express how depressing this is.  After originally implying that the RSAWs would shed light on some of the problems with CIP v5, it seems NERC has now completely given up on that idea, and has reduced the CIP-002-5.1 RSAW (and I haven’t read the others yet) to simply a recitation of the requirements.  This wouldn’t be all bad if NERC were at the same time working feverishly on addressing the interpretation problems with that standard; but I see absolutely no sign of that.

Meanwhile, of course, we’re approaching October 1, exactly 18 months from the High/Medium compliance date for v5.  What are entities to do, with no guidance on these issues?  They really can’t go full bore ahead with their v5 compliance programs until they’re satisfied that they’ve identified what’s in scope correctly.  And since the only official (or even unofficial) guidance currently available is the wording of the standard itself, in all its glorious inconsistency and ambiguity, this has to be making a lot of people nervous (or they simply haven’t started their v5 process in any meaningful sense).

Of course, people will find a solution, one way or the other.  I will soon start a series of posts that will discuss how people are “rolling their own” definitions and interpretations.  What else can they do?

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

[i] This isn’t entirely true, since there still is a heading labeled “Auditor Notes”.  However, it is completely blank.  Did someone start to write some notes, run into problems, then just give up?  Are they going to add them back in a future draft?  Another in a long line of NERC mysteries.

10/16: It was pointed out to me that this end note doesn't mean anything, since the Auditor Notes are always left blank in the RSAWs.  They're for the auditors to literally write notes during their audit. Of course, that doesn't affect the argument in the body of the post.  I hope to revisit this problem shortly.

