Tuesday, November 25, 2014

CIP v7 and the Final (?) Compliance Schedule for CIP v6.3940


Today, NERC posted five revised CIP standards (and the related Implementation Plan and Definitions documents) for comment.  These will constitute CIP v7, and will be balloted Dec. 30 – Jan. 8. 

My initial birth announcement for CIP v7 only referred to twins – that is, at the time it looked like only two CIP v6 standards would be revised to v7, CIP-003-6 and CIP-010-2; they will now be CIP-003-7 and CIP-010-3.  However, in their never-ending quest for perfection, the SDT decided that three other requirements also needed to be revised: CIP-004-6, CIP-007-6 and CIP-011-2; these will now become CIP-004-7, CIP-007-7 and CIP-011-3.[i]  In addition, the Implementation Plan and two Definitions documents (for the Low impact requirement changes) are also changing.  This means there are now eight documents that need to be approved for CIP v7; instead of giving birth to twins, NERC is the Octomom.  We’ll all have to pray for a successful delivery.

First Things First
The first thing I want to do in this post is to update my recent post in which I designated the new compliance version of CIP – that is, the version you’ll actually have to comply with – to be v5.7879 (there was actually an infinitely repeating decimal, 5.78787878….  I decided this wouldn’t work too well in compliance documentation, so I rounded it off).  Little did I know that less than three weeks later I would have to change that number.

I can’t use the same algorithm to compute the new number, since that assumed there were only going to be two versions of the CIP standards to comply with at one time.  Silly me, I once again underestimated NERC’s ability to make everything as complicated as possible – as you can see, the industry now has three versions to implement simultaneously.[ii] 

So I’ve come up with a new algorithm: I multiply the number of requirements in each version (7 in v5, 6 in v6 and 20 in v7) by the version number (5, 6 or 7) and divide their sum by the total number of requirements (33).  This yields 6.39393939…, which I’ll round off to 6.3940 just because I’m that kind of guy.  So this is the new compliance version: 6.3940!  I won’t be so bold as to say this time that this isn’t likely to change, since I thought that before.  I wouldn’t be at all surprised if some new glitch causes the SDT to have to revise one or more of the v7 standards; that will yield – are you sitting down? – CIP v8!  Speaking of which, maybe I’ll have a V8™ now.

What Has Changed?
The second thing I want to do is discuss the changes that are in the new v7 standards and the other three documents.  Briefly (or as brief as I can be, which isn’t saying much), here are the substantive changes (you can find the documents here):

Implementation Plan:  The substantive change here is that the compliance date for CIP-003-7 Attachment 1 Section 2 (physical access controls for Low impact assets) has been pushed back from April 1, 2018 to Sept. 1, 2018.

CIP-003-7:  The changes from v6 are some wording changes in Attachments 1 and 2, and a lot of changes in the Guidance; of course, there are more substantial changes from v5, since this standard now includes the Low impact requirement changes ordered by FERC.

CIP-004-7:  There has been a change in one requirement part, minor VSL changes, and a few new sentences in the Guidelines and Technical Basis section.  All of these changes are related to the new requirement for Transient Electronic Devices and Removable Media.

CIP-007-7:  There are small VSL changes and two sentences in the Guidance (again, all related to Transients).

CIP-010-3:  From v6, there are changes in the VSLs, Attachments 1 and 2, and the Guidance.  The big change from v5 is the requirement for Transient Electronic Devices and Removable Media, CIP-010-3 R4.

CIP-011-3:  The only change in this standard is in the Guidance section.

Definitions:  CIP v6 had two documents with new Definitions, related to the new Low impact requirement.  These definitions have been tweaked some.

The New Implementation Schedule
As I mentioned above, there has been one change to the implementation schedule.  Therefore I revised my recent post on the schedule for CIP v5.7879, which I'm now calling 6.3940 of course.  So please go there to get the Final (???) implementation schedule for CIP v6.3940.


The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.


[i] This leaves only two standards proudly bearing the CIP v6 designation: CIP-006-6 and CIP-009-6; this is down from eight v6 standards a week ago.  My, how the great have fallen!

[ii] I’ve come to believe that some NERC managers’ bonuses are based on their ability to make things as complicated as possible.  This would perhaps explain why we’re seeing this sudden flurry of complicating activity toward the end of the year – the managers are panicking as they suddenly realize NERC CIP compliance isn’t quite as complicated as it could possibly be.  I must say, if my suspicion is true, these managers have richly deserved their bonuses this year!  I never thought it could be this complicated.

No comments:

Post a Comment