If you haven’t
read this blog lately, you may not know that I am now calling
for the compliance dates
for CIP Versions 5/6/7 to be pushed back – hopefully by a year, but at least by
six months. I don’t rate the chances of
this happening as very high currently, but I do think momentum for this
proposal will grow sharply as this year goes on – and entities begin to realize
how far they actually are from being able to affordably meet the April 1, 2016
date.
Note that the
word “affordably” is important. There is
a limited supply of CIP-experienced consulting resources available, and I know
that many if not most of them are already effectively committed for the remainder
of the runup to compliance. An entity
that is late to the game can always find competent network or IT security consultants
and pay for them to get intensive training in CIP; I know at least one entity
that is doing that now (although I think they believe their millions are
actually going toward implementation of CIP v5 compliance. That can’t happen until the consultants they’ve
hired actually understand it). But this
approach dramatically increases the cost of compliance; a large percentage of
this increased cost could be alleviated if NERC entities were given more time
to comply. As someone who witnessed –
and, truth be told, benefited from – the spending frenzy in the final days of
the Y2K runup, I would very much like not to see so much wasted money this time
around, even if a few of those wasted dollars might end up in my pocket.
The
compliance date needs to be pushed back because many – and from what I hear, most
- entities are far from where they need to be at this point, if they are to
comply by 4/1/16. I listed three reasons
for this in my first post on this subject, but last week the head of CIP
compliance for a large generation entity pointed out another reason to me.
Several of
the criteria in Attachment 1 require the entity to classify a Facility as
Medium impact if they have received a notification from an authority like a
Transmission Planner that the Facility is important for some particular
reason. In the case of Criterion 2.3,
the reason is that a generating unit is necessary to avoid an Adverse
Reliability Impact on the grid. In Criterion
2.6, the reason is that a generating plant or Transmission Facility is “critical
to the derivation of…IROLs..and their associated contingencies.” Criteria 2.7 – 2.9 depend on similar
notifications.
The CIP
compliance manager’s complaint to me was straightforward: the entity just
received, within the last month, unexpected notice that three of their plants
were critical to derivation of IROLs, so they are now Medium impact. And what’s the problem with this? Well, it’s now less than 15 months ‘til the
compliance date, that’s what. There is a
lot of work required to bring a generating station into compliance; they are
going to have to really sweat it out to make the 4/1/16 date. Moreover, they will almost inevitably spend a
lot more money to comply than they would have if they had been given notice in
a more timely fashion, say early last year, when there would have been 24
months to comply.
I haven’t
heard complaints from Transmission entities about receiving late notices under
2.6, so this might possibly be a problem limited to Generation. In any case, that doesn’t alleviate the
injustice that’s been done to these entities (and of course, generating
entities don’t normally have cost recovery like utilities do on the T&D
side. Every extra dollar they spend due
to having received the notice so late comes right from their pockets).
The clock
keeps ticking – 14 ½ months remain for compliance as of last Thursday. I’m not going to let this go.
The views and opinions expressed here are my
own and don’t necessarily represent the views or opinions of Honeywell.
No comments:
Post a Comment