Roll Your Own, Part II: An Auditor Agrees!

I was torn between calling this post the second in my Roll Your Own series (the first is here) and calling it the first post in my new series on “The News from RFC”.  I am going to do the latter series because I’m currently at RFC’s CIP v5 workshop (the first workshop they’ve had on CIP since CIP v1, according to one of the auditors) in Cleveland, which is turning out to be extremely interesting - with some great discussions among participants and the RFC and NERC staff members.  I have already been inspired to write about four posts on topics discussed just today, and there’s still another half day of the meeting tomorrow.  So you have some good posts to look for in the near future, to liven up your drab, uninteresting lives (as opposed to my jet-set life in the fast lane, although I did drive to Cleveland from Chicago).

But perhaps the most interesting part of today’s presentations was during the presentation on CIP-002-5.1 by Lew Folkerth, a veteran RFC CIP auditor (their first CIP auditor actually, although he’s just moved from the dark side to the light side, and is now doing CIP outreach to the RFC members, not auditing).

To set the background, I’m sure you’ve all read and probably memorized the first post in my Roll Your Own series.  But just in case it wasn’t crystal clear or you live in a state with legalized pot, here is my summary: After hoping against hope since FERC approved v5 last November that some entity would ride in on a white horse and clear up all the inconsistencies and ambiguities I see in v5 and especially in CIP-002-5.1 (and I have variously suggested NERC, FERC, the Regions, Barack Obama, God, Vladimir Putin, Godzilla, and Judge Judy for that role – but none of them have stepped up to it), I have come to the reluctant conclusion that NERC entities are simply going to have to roll their own interpretations and definitions. 

That is, while entities will get some help from NERC and the regions to clear up a few of the problems in CIP v5, they’re ultimately going to have to figure things out on their own.  And not really “ultimately” at all, but now – as in 7:49PM Eastern Time on October 2, 2014.  The knight in shining armor (whom I have also referred to as the play character Godot, although I wouldn’t exactly call him a white knight) isn’t coming after all.  Entities need to start doing what the Generation compliance person I described in my last post is doing – that is, coming up with their own definitions and interpretations to fill in the holes in CIP v5, and documenting what they’re doing.  But people need to get started now, not next week and certainly not when NERC gets around to addressing all of the issues in CIP-002-5.1 (which by my calculations will be long after our planet has turned into another Venus because of global warming, and we’ve all become Crispy Critters).[i]

To be honest, I just came to this conclusion last week, and I thought I was way ahead of most other people in the NERC world in this matter.  However, it turns out that Lew had already reached that conclusion before I did – and he stated it quite eloquently in his presentation today (you can find his presentation by going to this link, then dropping down the lists for 2014 and the CIP v5 workshop.  His presentation is the CIP-002-5 one, although the discussion below isn’t in the slides.  Tobias Whitney’s presentation on the CIP v5/v6 Implementation Plan was also quite interesting, and I’ll have at least a couple posts on discussions – nay, arguments - that occurred during that presentation).

I will summarize his argument thus (and I freely admit that some of this is my own interpolation, since Lew didn’t discuss every point below – even when he and I sat down later to drown our sorrows in cheap wine at a free hotel happy hour.  So Lew can’t be held responsible for every word below):

1. There are a lot of problems with the wording of CIP-002-5.1.  I have written over 30 posts on just this topic, so I agree with him wholeheartedly.
2. The last chance NERC and FERC had to address those problems in a definitive way was when NERC drew up the Standards Authorization Request (SAR) for the CIP v5 Revisions ordered by FERC in Order 791 last November.  FERC could have ordered a complete rewriting of CIP-002-5 R1 (and perhaps Attachment 1, although I don’t think that would have made a big difference[ii]), and NERC could have put that in the SAR even if FERC didn’t order it.  Of course, this would have been a huge distraction and would probably have resulted in NERC’s petitioning FERC to put off v5 compliance for a year or two.  As it is, v5 compliance will come on 4/1/2016 as scheduled, but with no certainty available from any source about what “compliance” actually means for CIP-002-5.1 (and if an entity isn’t sure if its identification of cyber assets in 002 R1 is correct, then it can’t be sure of anything in the other v5 – or v6 – standards as well). 
3. Since Requests for Interpretation will take a minimum of 2-3 years to be approved (and FERC remanded the last two CIP RFIs anyway), and since the Compliance Application Notices (CANs) have been put to a well-deserved death, there is now simply no mechanism for NERC or the regions to provide definitive answers to the wording problems in CIP v5.   The only avenue left to NERC is some kinda sorta interpretations (note the lower case i), such as the “Lessons Learned” documents that the new CIP v5 Transition Study Group will be putting out.  While I’m sure these will be well-written and helpful, they will be way too late (as of yesterday, there are 18 months until the v5 compliance date.  No entity that has potential High or Medium impact assets should still be waiting around to start their compliance program). 
4. Even more importantly, the Lessons Learned documents will be far too few.  I believe the Cv5TSG has maybe 5-10 documents on their docket right at the moment.  I would say there were at least ten other documents whose need was identified in conversations just at the meeting today (Tobias Whitney, to his credit, blew off his planned return home this afternoon – after his morning presentation - to stay through the full meeting today and tomorrow.  It is certainly a good sign that he realizes the depth of the issues that need to be addressed).  Multiply this by eight regions, as well as malcontent bloggers like me who have thrown other problems out there and have promised – one of these days – to put together a more comprehensive list for NERC, and you get a huge number of new interpretations (small i, again) that are needed.
5. Since I estimate that the Cv5TSG can do maybe one Lessons Learned document a month, I imagine it will be 5-10 years for them to address all of the problems that can reasonably be expected to be identified, say, this year.  But since, as people implement and then try to comply with v5 in earnest, I predict the identified problems will grow rapidly in future years (I’d be tempted to refer to a certain incipient epidemic in Africa as a metaphor here, but that is far more serious.  While a few CIP professionals may commit suicide because of the v5 problems, the death toll from ebola will be exponentially greater before it is contained).  Thus, the need for CIP v5 Lessons Learned won’t diminish until long after CIP v5 and v6 have been replaced by v7.  On the bright side, I suppose that’s one way to finally solve the problem.

Lew’s argument, then, is that NERC entities need to accept the fact that they will in the end be responsible for figuring out what the requirements and definitions of CIP v5/v6 actually mean.  He recommends that entities:

1. Take a “mainstream” approach to interpreting the v5 requirements (and definitions).  That is, don’t try to torture the requirement until it says exactly what you want it to say, like that your 3,000MW plant doesn’t actually meet criterion 2.1.
2. Document what you do, document what you do and document what you do (did I mention you should document what you do?).  When the auditor comes knocking, you need to be completely prepared to show him that – in the absence of definitive guidance from NERC or your region – you have done your best to come up with your own interpretation/definition of whatever question is at issue at the moment.  If the auditor really thinks you’re way off, you should ask him or her this question: Given the information I had available at the time I needed to do this particular compliance activity, what other choice did I have?  Your documentation will make the case that what you did was the most reasonable course under the circumstances.
3. In coming up with your own interpretations and definitions, you need to try to divine the “intent” of the standard.  By that, I don’t think Lew meant the actual intent of the v5 Standards Drafting Team (as I said in this post, divining that is an impossible task).  I think he meant the intent that can be gleaned from a close reading of all of CIP v5 (and the Guidance and Technical Basis sections included with the standards) – that is, what the SDT probably really wanted to do, but fell short of in various ways.  Of course, this is a very inexact exercise at best – but hey, that’s all that’s left to CIP compliance professionals in these dark times (I guess it’s not the only thing left.  As I’ve pointed out repeatedly, McDonald’s is still hiring, and I’ve heard the McDonald’s stores in Lewiston, ND – the heart of the fracking boom – are offering $20 an hour and a $500 signing bonus).
4. One thing that Lew didn’t say, but that was recommended by another auditor to me recently, is that entities need to pay close attention to the Lessons Learned documents as they come out from the Cv5TSG, as well as any guidance provided by the regions.  As I’ve said, all of these documents will be too little and too late to be of much help, but if you ignore them completely and they end up completely contradicting one or more of your “self-rolled”[iii] interpretations or definitions, you will have a much harder time justifying what you did to the auditor.   Of course, it may be that a particular Lesson Learned will have come out way too late for you to incorporate it into your program; in that case, you need to document that fact as well.
5. Lew did point out that audit teams don’t typically want to spend a huge amount of time going into minute detail on particular points, like whether your interpretation of Criterion 2.5 was a good one or not.  What you need to do is present a good management-level report that succinctly summarizes what you did and why you did it.

Of course, when you think about it, this is pretty sad.  We have a CIP auditor for one of the regions admitting in a public meeting that NERC entities won’t be able to fully comply with CIP v5 unless they step up and write their own definitions and interpretations.  This isn’t a great situation, given that the standards in question carry potential $1MM/day penalties for violations.  But it is what it is, I guess.

For the third post in this "Roll Your Own" series, go here.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

---

[i] The only music I remember that played over the loudspeakers at today’s meeting was during one of the breaks, when an excerpt from Wagner’s opera Die Walkure (the second of four in his Ring series) suddenly started playing.  This excerpt was from the beginning of the long farewell sung by Wotan – the chief of the gods – at the end of the opera, as he says goodbye forever to his most beloved daughter and foretells the destruction of himself and all the other gods, as well as their home, Valhalla.  I wondered if this was a deliberate comment on the prospects of both NERC and CIP version 5, but I concluded it was just chance that it was played.

[ii] My basic take on Attachment 1’s problems is that I don’t think anybody short of God (and I’m not so sure about Him either) could have written a concise set of bright-line criteria that would have taken account of the tremendous variability in the electric power industry, where each utility is very different from its neighbors, each region is very different from the other regions, each ISO’s area has very different rules, etc.  It was FERC’s idea to have NERC develop the criteria in the first place.  While it was a good idea in theory, it will prove a disaster in practice.  I used to think that maybe a 30-40 page guide – like the excellent guide to identifying Critical Assets that NERC put out in 2009 – was what was needed to make the BLC usable. I now think a comprehensive guideline would easily run into the hundreds of pages or more, and I’m sure new problems would keep popping up anyway.    

[iii] I hereby propose two new NERC terms: 1) A “self-rolled” definition is one that an entity had to make up to fill a hole in the NERC glossary – such as the need for a definition of “programmable” discussed in my last post; 2) A “self-rolled” interpretation of a requirement is an entity’s rewriting of a requirement so it actually makes sense – as opposed to CIP-002-5.1 R1 for example.  I expect NERC to quickly move to add these to the Glossary, although I realize they will first need to be balloted.  You will support these, won’t you?