When I started this blog at the beginning of
2013, one
of my first posts was about the need to move the CIP v4 compliance date
back. It seems I’m now doing the same
thing for v5, less than two years later.
I’ve been spending a lot of time lately, on the
phone and in person, with NERC entities of various sizes (well, super large to
medium size); I always ask how they are coming on their CIP v5 program. To a man/woman, they all first tell me the
program is moving along well. Once we’ve
gotten past that formality, a little digging usually reveals it really isn’t
going along quite so smoothly, although the entity also may be in denial and
not realize how far they are from being compliant on April 1, 2016.
One problem is funding. I know at least a couple large entities that aren’t
going to officially get a dime in v5 funding until 2015. They’re then going to have to scramble – and fight
over a small pool of consulting resources – to get everything done next year (and
you definitely need to have your entire v5 program in place by the end of
2015. You then should have an assessment
to see what you may have missed; that leaves you at least a couple months to
fill any remaining gaps by April 1, 2016).
This might
seem pretty short-sighted of those entities.
Why didn’t they budget any money for v5 in their 2014 spending
plans? However, you have to consider the
history. Until April 2013 when FERC
upset the applecart and issued their NOPR
, the only thing set in stone was that CIP v4 would come into effect April 1,
2014. And even with the NOPR, I know a
lot of NERC compliance people had a big problem
convincing their management and legal teams that v5 was really coming. There was good reason for their reluctance: V4
was approved, while v5 was still just a wishful statement by FERC. It was only when FERC approved v5 on November
22, 2013 that it became crystal clear it would
come into effect. Of course, most
entities had already done their 2014 budgeting by that date.
So that’s one problem. A bigger problem has been the huge amount of
uncertainty about what the wording of the CIP v5 standards means - especially
my favorite standard, CIP-002-5.1. Of
course, a lot of this uncertainly has been caused by irresponsible bloggers
trying to split hairs over fine points of the wording. But leaving such riff-raff aside, NERC and
the regions have been honest that more guidance is needed. Yet it has been slow
in coming, and many entities have decided they can’t wait any longer for all
the holes to be filled in, and they’ve “rolled
their own” solutions to do the job.
But other entities haven’t quite been able to
give up the cherished belief that NERC ought to tell them what the standards mean, not they NERC. This is a relic of the quaint old tradition
(going back say 4,000 years to the Code of Hammurabi),
in which it’s the authorities that interpret the laws, while the people obey
them. I’m afraid NERC entities need to discard
such outmoded concepts. This is the
brave new world of NERC CIP Version 5, where any official interpretation help
will be late in coming and inconclusive, and perhaps won’t come at all. You have to roll your own solutions, or simply
not do anything at all.
It is the latter option – not doing anything
at all – that has been embraced wholeheartedly by a number of NERC entities;
since there is no other clear path forward, doesn’t it make sense that’s the
best thing to do, pending better clarification?
I’ve compared
this attitude to that of the heroes of the play Waiting
for Godot, one of the greatest plays ever written. In it, two men spend the entire play standing
on a virtually empty stage, waiting for someone named Godot to come; they have
already been waiting for some time.
Godot sends a messenger every day to say he can't come but he will for sure the next day, yet the fact remains: The protagonists know all along Godot isn’t coming, and they’ve
always known that (in fact, they’re not at all sure why they’re waiting for him in the first place). But even at the end of the play, when it’s
clearer than ever Godot will never come[i],
they continue to wait. They say they're through with waiting, but they just stand there as the curtain falls.
I don’t want to press this analogy too far
(Samuel Beckett, the playwright, was of course writing about the human
condition in general, not NERC CIP v5).
But it does seem to me that entities that are waiting for all
ambiguities to be cleared up in v5 are in the same position as these two
hapless gentlemen. Deep in their hearts,
they realize help won’t be coming – or at least not enough of it. But they keep waiting.
I’ve now discussed two types of entities that
are in danger of not meeting the 4/1/16 deadline. One is those that haven’t had the funding
available. The other is those that may
have funding, but are paralyzed by the fact that there are so many holes still
to be filled in the interpretation of v5.
But there’s another entity that is probably
even worse off than both of these. This
is an entity that thinks they are on the road to full compliance. They’re mounting a big effort to understand the CIP v5 standards, and
they’re producing various presentations and documents on what v5 means, both in
general and for them. But they’re not
actually doing what needs to be done for compliance: deciding what policies,
processes and technologies need to be in place for v5, then implementing them.
I say this type of entity is worse off
because they don’t know it. They think that every PowerPoint and position
paper is moving them further toward compliance, when at best they’re pretty much
standing still. The fact is, you’re on a
fool’s errand if you think you can approach v5 compliance from first
principles. I’ve written probably 25-30
posts just on CIP-002-5.1, and the only conclusion I’ve been able to reach
about first principles in that standard is that there are none (more accurately,
it was built on two or three very different first principles, and the contradictions
between them were never reconciled).
Richard Feynman, one of the greatest
physicists of the 20th century, famously said (about quantum
mechanics, literally the foundation of modern physics and the reason I’m able
to type this post on a computer that doesn’t take up multiple rooms and cost
millions of dollars), “If you think you understand quantum mechanics,
you don't understand quantum mechanics.”
Unfortunately, the same applies to CIP v5: If you think that developing
a deep understanding of what v5 means will help you comply with it, you don’t
understand v5 in the first place. Put
down your PowerPoints; pick up your pen and start writing your v5 policies and
procedures. Those are what CIP v5 means.
I’m sure
there are other reasons why entities aren’t ready for v5. But I don’t need to know all the many
reasons, nor do I need a survey or focus groups to tell me this: The majority
of NERC entities won’t be ready for CIP v5 compliance by 4/1/2016, or if they
do actually make the date it will be because they’ve spent far too many
ratepayer dollars (or shareholder dollars) than they should have[ii].
So I’m
saying the main v5[iii]
compliance date should be pushed back – at least six months, hopefully a
year. Of course, this would mean that
all the other compliance
dates would have to be pushed back as well.
What’s the mechanism for this to happen?
Beats me, but it certainly seems something could be worked out among
NERC, FERC and the regions. Something has to be worked out anyway, given the
interpretation problems (and you'll hear more from me on these interpretation problems very soon. You might want to put me on your spam list while there's still time) and the fact that the ship has sailed on any effort to
deal with them in a “legal” way. These
are extraordinary times, requiring extraordinary measures.
What are the
chances the date actually will be
pushed back? I’d say they’re slightly
better than those of the Cubs winning the World Series next year. But you never know. It’s been “Wait ‘til next year” for 106 years
here in Chicago; one of these centuries, next year will come.
This post is the first of four posts that describe why the v5 compliance date needs to be moved back, and what else needs to be done to address the serious problems in CIP-002-5.1, the foundation of all the CIP v5 (or more explicitly CIP v6.3940) standards. The next post in this series is here.
The views and opinions expressed here are my
own and don’t necessarily represent the views or opinions of Honeywell.
[i]
VLADIMIR:
You have a message from Mr. Godot.
BOY:
Yes Sir.
VLADIMIR:
He won't come this evening.
BOY:
No Sir.
VLADIMIR:
But he'll come tomorrow.
BOY:
Yes Sir.
VLADIMIR:
Without fail.
BOY:
Yes Sir
(silence)
(silence)
.…….
VLADIMIR:
What does he do, Mr. Godot?
…..
BOY:
He does nothing, Sir.
(silence)
(silence)
……
BOY:
What am I to tell Mr. Godot, Sir?
VLADIMIR:
Tell him ….tell him you saw me and that…..that you saw
me…..
[ii]
Of course, given that I’m a CIP consultant, and given that the greater part of
the money these entities waste will be on consultants, you might say this is
the best thing that could happen for me.
But the fact is, there aren’t that many consultants who can really help
right away in the v5 effort, although there are a lot who will say they can - meaning they’re happy to
learn the ropes on your dime. These
people will come out in droves – correction, are coming out in droves – and the
majority of the consultant spending in 2015 will be on them. As I said, after an entity has spent a huge
amount on these people, it may well be compliant on 4/1/16. But it wouldn’t have to be this way, if
entities were given more time to comply.
They could actually take their time and become compliant in an
efficient, cost-effective manner.
[iii]
And when I say “v5”, I mean the combination of v5, 6 and 7 standards that
entities will actually have to comply with.
I’ve named this Version
6.3940, but I know everyone will continue to refer to the whole thing as
v5; I’ll continue to do so as well, at least at times.
No comments:
Post a Comment