If you haven’t read this blog lately, you may not know that I am now calling for the compliance dates for CIP Versions 5/6/7 to be pushed back – hopefully by a year, but at least by six months. I don’t rate the chances of this happening as very high currently, but I do think momentum for this proposal will grow sharply as this year goes on – and entities begin to realize how far they actually are from being able to affordably meet the April 1, 2016 date.
Note that the word “affordably” is important. There is a limited supply of CIP-experienced consulting resources available, and I know that many if not most of them are already effectively committed for the remainder of the runup to compliance. An entity that is late to the game can always find competent network or IT security consultants and pay for them to get intensive training in CIP; I know at least one entity that is doing that now (although I think they believe their millions are actually going toward implementation of CIP v5 compliance. That can’t happen until the consultants they’ve hired actually understand it). But this approach dramatically increases the cost of compliance; a large percentage of this increased cost could be alleviated if NERC entities were given more time to comply. As someone who witnessed – and, truth be told, benefited from – the spending frenzy in the final days of the Y2K runup, I would very much like not to see so much wasted money this time around, even if a few of those wasted dollars might end up in my pocket.
The compliance date needs to be pushed back because many – and from what I hear, most - entities are far from where they need to be at this point, if they are to comply by 4/1/16. I listed three reasons for this in my first post on this subject, but last week the head of CIP compliance for a large generation entity pointed out another reason to me.
Several of the criteria in Attachment 1 require the entity to classify a Facility as Medium impact if they have received a notification from an authority like a Transmission Planner that the Facility is important for some particular reason. In the case of Criterion 2.3, the reason is that a generating unit is necessary to avoid an Adverse Reliability Impact on the grid. In Criterion 2.6, the reason is that a generating plant or Transmission Facility is “critical to the derivation of…IROLs..and their associated contingencies.” Criteria 2.7 – 2.9 depend on similar notifications.
The CIP compliance manager’s complaint to me was straightforward: the entity just received, within the last month, unexpected notice that three of their plants were critical to derivation of IROLs, so they are now Medium impact. And what’s the problem with this? Well, it’s now less than 15 months ‘til the compliance date, that’s what. There is a lot of work required to bring a generating station into compliance; they are going to have to really sweat it out to make the 4/1/16 date. Moreover, they will almost inevitably spend a lot more money to comply than they would have if they had been given notice in a more timely fashion, say early last year, when there would have been 24 months to comply.
I haven’t heard complaints from Transmission entities about receiving late notices under 2.6, so this might possibly be a problem limited to Generation. In any case, that doesn’t alleviate the injustice that’s been done to these entities (and of course, generating entities don’t normally have cost recovery like utilities do on the T&D side. Every extra dollar they spend due to having received the notice so late comes right from their pockets).
The clock keeps ticking – 14 ½ months remain for compliance as of last Thursday. I’m not going to let this go.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.