I was torn between calling this post the
second in my Roll Your Own series (the first is here)
and calling it the first post in my new series on “The News from RFC”. I am going to do the latter series because I’m
currently at RFC’s CIP v5 workshop (the first workshop they’ve had on CIP since
CIP v1, according to one of the auditors) in Cleveland, which is turning out to
be extremely interesting - with some great discussions among participants and
the RFC and NERC staff members. I have
already been inspired to write about four posts on topics discussed just today,
and there’s still another half day of the meeting tomorrow. So you have some good posts to look for in
the near future, to liven up your drab, uninteresting lives (as opposed to my
jet-set life in the fast lane, although I did drive to Cleveland from Chicago).
But perhaps the most interesting part of
today’s presentations was during the presentation on CIP-002-5.1 by Lew
Folkerth, a veteran RFC CIP auditor (their first CIP auditor actually, although
he’s just moved from the dark side to the light side, and is now doing CIP
outreach to the RFC members, not auditing).
To set the background, I’m sure you’ve all
read and probably memorized the first post in my Roll Your Own series. But just in case it wasn’t crystal clear or
you live in a state with legalized pot, here is my summary: After hoping
against hope since FERC approved v5 last November that some entity would ride
in on a white horse and clear up all the inconsistencies and ambiguities I see
in v5 and especially in CIP-002-5.1 (and I have variously suggested NERC, FERC,
the Regions, Barack Obama, God, Vladimir Putin, Godzilla, and Judge Judy for
that role – but none of them have stepped up to it), I have come to the
reluctant conclusion that NERC entities are simply going to have to roll their
own interpretations and definitions.
That is, while entities will get some help
from NERC and the regions to clear up a few of the problems in CIP v5, they’re
ultimately going to have to figure things out on their own. And not really “ultimately” at all, but now –
as in 7:49PM Eastern Time on October 2, 2014.
The knight in shining armor (whom I have also referred to as the play character
Godot,
although I wouldn’t exactly call him a white knight) isn’t coming after
all. Entities need to start doing what
the Generation compliance person I described in my last post
is doing – that is, coming up with their own definitions and interpretations to
fill in the holes in CIP v5, and documenting what they’re doing. But people need to get started now, not next
week and certainly not when NERC gets around to addressing all of the issues in
CIP-002-5.1 (which by my calculations will be long after our planet has turned
into another Venus because of global warming, and we’ve all become Crispy
Critters).[i]
To be honest, I just came to this conclusion
last week, and I thought I was way ahead of most other people in the NERC world
in this matter. However, it turns out
that Lew had already reached that conclusion before I did – and he stated it
quite eloquently in his presentation today (you can find his presentation by
going to this
link, then dropping down the lists for 2014 and the CIP v5 workshop. His presentation is the CIP-002-5 one,
although the discussion below isn’t in the slides. Tobias Whitney’s presentation on the CIP
v5/v6 Implementation Plan was also quite interesting, and I’ll have at least a
couple posts on discussions – nay, arguments - that occurred during that
presentation).
I will summarize his argument thus (and I
freely admit that some of this is my own interpolation, since Lew didn’t
discuss every point below – even when he and I sat down later to drown our
sorrows in cheap wine at a free hotel happy hour. So Lew can’t be held responsible for every
word below):
- There are a lot of
problems with the wording of CIP-002-5.1.
I have written over 30 posts on just this topic, so I agree with
him wholeheartedly.
- The last chance
NERC and FERC had to address those problems in a definitive way was when
NERC drew up the Standards Authorization Request (SAR) for the CIP v5
Revisions ordered by FERC in Order 791 last November. FERC could have ordered a complete
rewriting of CIP-002-5 R1 (and perhaps Attachment 1, although I don’t
think that would have made a big difference[ii]),
and NERC could have put that in the SAR even if FERC didn’t order it. Of course, this would have been a huge
distraction and would probably have resulted in NERC’s petitioning FERC to
put off v5 compliance for a year or two.
As it is, v5 compliance will come on 4/1/2016 as scheduled, but with
no certainty available from any source about what “compliance” actually
means for CIP-002-5.1 (and if an entity isn’t sure if its identification of
cyber assets in 002 R1 is correct, then it can’t be sure of anything in
the other v5 – or v6 – standards as well).
- Since Requests for
Interpretation will take a minimum of 2-3 years to be approved (and FERC
remanded the last two CIP RFIs anyway), and since the Compliance
Application Notices (CANs) have been put to a well-deserved death, there
is now simply no mechanism for NERC or the regions to provide definitive
answers to the wording problems in CIP v5. The only avenue left to NERC is some
kinda sorta interpretations (note the lower case i), such as the “Lessons
Learned” documents that the new CIP
v5 Transition Study Group will be putting out. While I’m sure these will be
well-written and helpful, they will be way too late (as of yesterday,
there are 18 months until the v5 compliance date. No entity that has potential High or
Medium impact assets should still be waiting around to start their
compliance program).
- Even more
importantly, the Lessons Learned documents will be far too few. I believe the Cv5TSG has maybe 5-10
documents on their docket right at the moment. I would say there were at least ten
other documents whose need was identified in conversations just at the
meeting today (Tobias Whitney, to his credit, blew off his planned return
home this afternoon – after his morning presentation - to stay through the
full meeting today and tomorrow. It
is certainly a good sign that he realizes the depth of the issues that
need to be addressed). Multiply
this by eight regions, as well as malcontent bloggers like me who have
thrown other problems out there and have promised – one of these days – to
put together a more comprehensive list for NERC, and you get a huge number
of new interpretations (small i, again) that are needed.
- Since I estimate
that the Cv5TSG can do maybe one Lessons Learned document a month, I
imagine it will be 5-10 years for them to address all of the problems that
can reasonably be expected to be identified, say, this year. But since, as people implement and then
try to comply with v5 in earnest, I predict the identified problems will
grow rapidly in future years (I’d be tempted to refer to a certain incipient
epidemic in Africa as a metaphor here, but that is far more serious. While a few CIP professionals may commit
suicide because of the v5 problems, the death toll from ebola will be
exponentially greater before it is contained). Thus, the need for CIP v5 Lessons
Learned won’t diminish until long after CIP v5 and v6 have been replaced
by v7. On the bright side, I
suppose that’s one way to finally solve the problem.
Lew’s argument, then, is that NERC entities
need to accept the fact that they will in the end be responsible for figuring
out what the requirements and definitions of CIP v5/v6 actually mean. He recommends that entities:
- Take a “mainstream”
approach to interpreting the v5 requirements (and definitions). That is, don’t try to torture the
requirement until it says exactly what you want it to say, like that your
3,000MW plant doesn’t actually meet criterion 2.1.
- Document what you
do, document what you do and document what you do (did I mention you
should document what you do?). When
the auditor comes knocking, you need to be completely prepared to show him
that – in the absence of definitive guidance from NERC or your region –
you have done your best to come up with your own interpretation/definition
of whatever question is at issue at the moment. If the auditor really thinks you’re way
off, you should ask him or her this question: Given the information I had available
at the time I needed to do this particular compliance activity, what other
choice did I have? Your documentation will make the case that what you did was the most reasonable course under the circumstances.
- In coming up with
your own interpretations and definitions, you need to try to divine the “intent”
of the standard. By that, I don’t
think Lew meant the actual intent of the v5 Standards Drafting Team (as I
said in this
post, divining that is an impossible task). I think he meant the intent that can be
gleaned from a close reading of all of CIP v5 (and the Guidance and
Technical Basis sections included with the standards) – that is, what the
SDT probably really wanted to do, but fell short of in various ways. Of course, this is a very inexact exercise
at best – but hey, that’s all that’s left to CIP compliance professionals
in these dark times (I guess it’s not the only thing left. As I’ve pointed out repeatedly, McDonald’s
is still hiring, and I’ve heard the McDonald’s stores in Lewiston, ND –
the heart of the fracking boom – are offering $20 an hour and a $500
signing bonus).
- One thing that Lew
didn’t say, but that was recommended by another auditor to me recently, is
that entities need to pay close attention to the Lessons Learned documents
as they come out from the Cv5TSG, as well as any guidance provided by the
regions. As I’ve said, all of these
documents will be too little and too late to be of much help, but if you
ignore them completely and they end up completely contradicting one or
more of your “self-rolled”[iii]
interpretations or definitions, you will have a much harder time
justifying what you did to the auditor.
Of course, it may be that a particular Lesson Learned will have
come out way too late for you to incorporate it into your program; in that
case, you need to document that fact as well.
- Lew did point out
that audit teams don’t typically want to spend a huge amount of time going
into minute detail on particular points, like whether your interpretation
of Criterion 2.5 was a good one or not.
What you need to do is present a good management-level report that
succinctly summarizes what you did and why you did it.
Of course, when you think about it, this is
pretty sad. We have a CIP auditor for
one of the regions admitting in a public meeting that NERC entities won’t be
able to fully comply with CIP v5 unless they step up and write their own
definitions and interpretations. This
isn’t a great situation, given that the standards in question carry potential
$1MM/day penalties for violations. But it
is what it is, I guess.
The views and opinions expressed here are my
own and don’t necessarily represent the views or opinions of Honeywell.
[i]
The only music I remember that played over the loudspeakers at today’s meeting was during
one of the breaks, when an excerpt from Wagner’s opera Die Walkure
(the second of four in his Ring
series) suddenly started playing. This
excerpt was from the beginning of the long farewell sung by Wotan – the chief
of the gods – at the end of the opera, as he says goodbye forever to his most
beloved daughter and foretells the destruction of himself and all the other
gods, as well as their home, Valhalla. I
wondered if this was a deliberate comment on the prospects of both NERC and CIP version 5, but I
concluded it was just chance that it was played.
[ii]
My basic take on Attachment 1’s problems is that I don’t think anybody short of God (and I’m not so
sure about Him either) could have written a concise set of bright-line criteria
that would have taken account of the tremendous variability in the electric
power industry, where each utility is very different from its neighbors, each
region is very different from the other regions, each ISO’s area has very
different rules, etc. It was FERC’s idea
to have NERC develop the criteria in the first place. While it was a good idea in theory, it will
prove a disaster in practice. I used to think
that maybe a 30-40 page guide – like the excellent guide
to identifying Critical Assets that NERC put out in 2009 – was what was needed
to make the BLC usable. I now think a comprehensive guideline would easily run
into the hundreds of pages or more, and I’m sure new problems would keep
popping up anyway.
[iii]
I hereby propose two new NERC terms: 1) A “self-rolled” definition is one that
an entity had to make up to fill a hole in the NERC glossary – such as the need
for a definition of “programmable” discussed in my last post; 2) A “self-rolled”
interpretation of a requirement is an entity’s rewriting of a requirement so it
actually makes sense – as opposed to CIP-002-5.1 R1 for example. I expect NERC to quickly move to add these to
the Glossary, although I realize they will first need to be balloted. You will support these, won’t you?
No comments:
Post a Comment