CIP Version 5.7879

December 6, 2014: When it became clear that five of the new CIP standards that NERC entities will have to comply with are really going to constitute CIP Version 7, I revised my calculations below to come up with what I think will be the final compliance "version": 6.3940. But I do refer back to this post in the new one, so I don't want to take it down.

I did a post in July, which has proved fairly popular, addressing the timeline for what I called “CIP Version 5.5”; I called it 5.5 because NERC entities will need to comply with a combination of v5 and v6 standards, so you can’t strictly call it one or the other.  I will discuss the timeline in my next post, but first I want to address the weighty matter of what to call this new, hybrid (one is tempted to use the word mongrel, but I don’t think that’s in the NERC glossary) version. 

To comply with this hybrid CIP version, NERC entities will have to implement CIP-002, CIP-005 and CIP-008 from Version 5; these will all bear the “-5” suffix.  From v6, they have to implement CIP-003, CIP-004, CIP-006, CIP-007, CIP-009, CIP-010 and CIP-011; all of these standards will bear the “-6” suffix, except for CIP-010 and -011, which will have the suffix “-2”.  Got all that? 

As I explained in the July post, the reason for this mixture of two versions is that NERC was deathly afraid of talking about a new CIP version, right after the industry had been through the “v5..no wait, v4…no wait, v5!” whiplash; so they called v6 the “CIP v5 Revisions”.  However, NERC rules prohibit any revisions to a standard that has already been approved, so the new standards are really v6. 

I’m not sure how serious a problem this is – presumably, people will print out a set of copies of the actual implemented standards and throw everything else away.  But it’s really silly that the industry would have to go through this, since the two previous times there was a change to the standards (requiring a new submission to FERC), all of the standards were revised.  A good example is CIP v3, where the only standard that changed from v2 was CIP-006.  But NERC still brought all of the standards to the new version number, meaning that today we’re not complying with seven v2 standards and one v3 standard, but simply eight v3 standards.  This approach was evidently deemed way too simple and understandable for NERC this time around, and I guess I have to agree with that.  I might have a heart attack if NERC came out with anything that was simple and understandable.  So instead the industry has two versions to comply with simultaneously.

But this still leaves the weighty problem of what to call the hybrid version.  I admit I chose “v5.5” rather hastily in July; but now I want to be more scientific.  The fact is, the hybrid contains 33 requirements, 7 from v5 standards and 26 from v6 standards.  This means v6 is definitely the heavy hitter on the new team, and it bothers me that I gave both v5 and v6 equal weight when I split the difference and called them v5.5.

The scientific way to do this is to divide the difference between 6 and 5 (6-5=1, for those keeping score at home) proportionally according to the number of requirements from each standard.[i]  Since the dividing line is 26/33 of the way from 5 to 6, this means the correct designation should be 5.7878787878….  I would suggest that, but I don’t think infinitely repeating decimals will work too well in compliance documentation.  So I’ll round it off to 5.7879.

And there you have it.  Not hearing any dissent, I hereby declare the new CIP version to be 5.7879.

  

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

---

[i] Actually, it would be even more scientific to divide it by the number of sub-requirements, but there are some things that are beneath even moi.