In arguments over the finer points of CIP Version 5, people will often bring up something called “the intent of the Standards Drafting Team” to justify their opinions. I have been skeptical of such arguments for some time, but this was really brought home to me this week as I discussed – via email – the transfer-trip relay issue (which turns out to be a lot more complicated than I’d thought – or than I believe NERC thought – a few months ago. But I don’t think there’s ever been a NERC CIP issue I’ve looked at that didn’t turn out to be more complicated than I’d realized at first. I will do a new post when I think I know what this discussion is all about).
The email discussion was with two quite knowledgeable and respected actors in the NERC CIP world. They were arguing on completely different sides of the issue at hand. Both were making quite persuasive arguments, and both were invoking the “intent of the SDT”. One referred to conversations he’d had with a couple of the principal SDT members; the other referred to minutes from a couple of the SDT meetings.
So how could you decide which of these two people better understood the intent of the SDT? You probably guessed the answer: you can’t. There is simply no good way to discern the intent of the SDT other than in the two records they have provided us: the CIP v5 standards themselves and the “Guidance and Technical Basis” sections included with each standard. These were voted on and approved both by the SDT members and the NERC ballot body. If the members of the SDT didn’t make their intent clearly known in these documents, they don’t now get a second chance to “clarify” what they said. That ship has sailed.
Someone may point out that courts examine the intent of Congress all the time when ruling on the meaning of a law. What’s different about the SDT? The difference is that the debates[i] in Congress are recorded word-for-word, and a record is made of how each Congressman or Senator voted on each bill. If I want to discern the intent of Congress regarding a particular bill, I just need to look at what each person said who ended up voting for that bill. This of course wasn’t done for SDT meetings; there wasn’t even a summary of what each person said, or of the differing opinions that were offered on a particular topic.
This isn’t to say that someone did something wrong; I don’t think other NERC meetings (other than perhaps the Board of Trustees meetings) are recorded any differently. It just means that the meeting minutes were never intended to be used as a record in a legal sense; it also means that people can’t come back now and mine those minutes for compliance guidelines. Furthermore, it means that SDT members can’t now pontificate on what the SDT meant. How could one ever discern whether they are right or not?
Moreover, consider the following[ii]:
- The CSO 706 SDT (the official name of the v5 SDT) met over four years, and the personnel changed markedly during that time. The different issues were debated at different meetings, with different participants (the makeup of the SDT changed substantially over the four years, including the Chairman and Vice-Chairman). Most of the drafting of the actual requirements occurred in subcommittee meetings conducted by phone, for which I don’t think there were any minutes at all. And even if there were detailed notes of what was said at the SDT meetings, it would be almost impossible to trace the different threads as they were discussed over four years, by a changing cast of characters.
- The minutes of the CSO 706 SDT meetings were always fairly short and high-level, mostly consisting of statements like “X was discussed”, “Y was discussed”, etc. Those minutes were simply never intended to provide any guidance when it came to interpret the standards. This is partly because it would have been very expensive to produce a literal transcript of the meetings.
- Most importantly, the minutes can’t be used for interpretation because of what I call the fundamental problem with NERC standards (and especially with CIP): The standards are written by engineers, but they’re interpreted by lawyers. Engineers focus on solving a technical problem – in this case, writing a standard that the committee and the NERC ballot body will approve - and feel their job is done when that has been accomplished. This means the SDT members – engineers and cyber security professionals – didn’t worry about recording how the wording came to be; they just wanted to come out with something that worked.[iii] But in interpreting a standard, lawyers want to be able to discern why this particular wording was adopted. They will get no help from the minutes.
- Of course, talking to individual members of the SDT – no matter how high-ranking they were – also doesn’t do any good. They are simply individual members and their opinions are their own. The SDT members finished their work in 2012. If they want to influence current debates, let them do so – but their opinions shouldn’t be given any more weight than mine or yours.
You might ask why this is so important. If the SDT members want to give us their advice now, however unofficial it is, what harm is there in that? My answer is: There’s no harm, as long as you don’t attribute any more significance to that advice than what you read in my posts, or what someone from the utility next door tells you; in other words, as long as you don’t treat this advice like you would advice that’s coming from NERC or your region. But there certainly would be harm if an auditor tried to issue a PV based on a claim that he/she knows “the intent of the SDT”. If that happens, you need to raise a big red flag immediately.
Of course, we now come back to the question of how the various ambiguities or inconsistencies in CIP v5 do get resolved, absent some sort of action by NERC. Folks, that’s what my “Roll Your Own” posts are about. As I’ve said many times, this isn’t a wonderful situation – where entities need to come up with their own interpretations of the meaning of requirements that can potentially result in $1 million/day penalties if violated – but that’s the way it is.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
[i] I’m engaging in a quaint old idea – that Congress “debates” bills. Nowadays, members make statements for the media. I think it has been many years since there was a real debate in Congress.
[ii] In the next few paragraphs, I’m restating an argument I made in this post from last March. The author gave me permission to do this, albeit grudgingly.
[iii] At an RFC compliance meeting last year, a story was told that illustrated very well the difference between lawyers and engineers (and also priests). I don’t know whether it’s true or not, but it certainly has the ring of truth. It seems that, in medieval times, a priest, a lawyer and an engineer were all sentenced to be guillotined together. On the appointed day, the priest was first. He put his head in the apparatus, the executioner pulled the cord, and the blade fell – but it stopped halfway down. The priest looked up and exclaimed, “God has spoken! He doesn’t want me to die. You must free me!” And they did.
The lawyer was next. He put his head in the apparatus, the cord was pulled…and again, the blade stuck halfway down. The lawyer exclaimed, “I was sentenced to have my head placed in the guillotine and have the cord pulled. This has been done. You cannot now repeat the process. You must set me free!” And they did. Finally, the engineer came up. He put his head in, the cord was pulled, and the blade got stuck again. He looked up, studied the apparatus for a minute and then exclaimed, “Aha. I see your problem….”