This is the fourth and last of a series of posts on the many problems with CIP-002-5.1 R1, and what both NERC entities and NERC itself need to do to deal with them. The series started with a post in which I said the compliance date for CIP v5[i] should be pushed back from its current date, April 1, 2016. It was followed by a post that listed serious interpretation issues with this requirement (which is of course the fundamental requirement of CIP v5), and most recently by a post describing a high-level “methodology” for complying with this requirement (or more accurately, showing graphically why it is impossible to develop any sort of definitive methodology).
To go back to the first post in the series, the reason I gave for pushing the compliance date back was that a large number of entities will clearly either a) not be compliant by 4/1/16; or b) only achieve compliance through a large, very inefficient expenditure of money – as the huge demand for assistance with v5 runs up against the small number of competent resources available to meet the demand.
I listed three reasons why entities won’t be ready by the compliance date, although it’s possible there are other reasons as well:
1. They won’t have budget for CIP v5 until 2015;
2. They have been holding back from taking action on v5 due to the many uncertainties in interpretation; or
3. They are already spending money on v5, but they aren’t addressing what needs to be done.
You could say that 1 and 3 are the result of the entity’s actions or inactions, and aren’t anyone else’s fault (like NERC’s)[ii]. I don’t dispute this, although that doesn’t in any way mean the date shouldn’t be pushed back. When you have a large number of people not in compliance with a law or regulation, you have to look at whether a) the law or regulation imposes too much of a burden for compliance; or b) the implementation period is too short. I assert that both of these are true in the case of CIP v5, although addressing a) will be much harder than addressing b).
But let’s focus on the second reason that a large number of entities aren’t going to be ready for v5 compliance on 4/1/16: uncertainties in interpretation. Folks, this one is entirely NERC’s fault. Since April of 2013, I’ve written maybe 40-50 posts on problems with CIP-002-5.1 R1 and Attachment 1, culminating (for the moment) with the second post referred to above. That post describes about 20 problems with CIP-002-5.1 R1 (most quite serious), and I’m sure that there are a lot of others lying in wait in the “bright-line” criteria (I love that term, which is FERC’s. It shows they have a great sense of humor).
Of course, CIP-002-5.1 R1 (hereinafter referred to as “R1”) is just one of 33 requirements in CIP v5 (there are more requirements in CIP 6.3940, the “version” that entities will actually have to comply with)[iii]. However, R1 is definitely the foundation of v5. The goal of CIP v5 is to protect BES Cyber Systems. To comply with R1, you need to identify those BES Cyber Systems. If you don’t do that properly because you don’t understand what that requirement means, none of your efforts to comply with the other v5 requirements will really be valid (even though it’s not likely you’ll actually be assessed PVs for violating those other requirements due to a mistake in complying with R1). It’s as if a real estate salesperson were trying to sell you a house called CIP v5. They say, “It has wonderful bathrooms, a great kitchen, huge living room…The foundation is rotten and could go at any time…But LOOK at these bathrooms!”
You may point out to me that CIP v5, like all NERC standards, was written by a Standards Drafting Team composed of employees of NERC entities, and it was approved by a ballot of those entities; therefore, any blame for problems resides with the NERC entities themselves. While this isn’t completely true (since NERC staff members played a big role in guiding the SDT), I’ll stipulate you’re right. But IMHO, once the NERC Board of Trustees approved v5, ownership passed to NERC. As problems began appearing (and they appear with every standard), it was NERC’s responsibility to address them in a timely fashion, so that entities could comfortably meet the compliance deadline. Despite some half-hearted efforts like coming out with some Lessons Learned, NERC hasn’t definitively addressed any of these issues.
I contend that yesterday, Jan. 1, 2015, was a watershed day for CIP v5. As of that day, there remain exactly 15 months for NERC entities with High and Medium impact BES Cyber Systems to achieve full v5 compliance for those systems. Yet there remain a huge number of uncertainties about definitions of terms used in v5 and interpretation of wording (especially in R1, but the uncertainties are certainly not limited to that requirement). NERC has put out about ten “Lessons Learned”[iv] and FAQ documents on v5 issues, most still in draft form. That is just about the only “guidance” they have provided (and all these documents will ever be is guidance; the only official Interpretations – which carry the full force of Requirements – of the v5 wording won’t be approved for years).
NERC has also put out a list of 23 issues (ten of which are in R1) that they plan to address in future Lessons Learned or FAQs. One or two have already been addressed in draft form, so there are about 21 issues they say they really, really want to get to one of these days. My guess is that at most one, maybe two, of these will be addressed each month in 2015; so just addressing the issues NERC has said they’ll address will take all year. And these are just a portion of the issues that are actually out there (I believe only two of the problems with R1 that I pointed out in my second post were even on NERC’s list to address at all). If you assume there are at least 40-60 other serious issues to be addressed (including the 18 from my post), this means the Lessons Learned process, running at its current pace, will have them all nailed down by around the end of 2017. Does anyone else see a teeny teeny problem with leaving the compliance date at 4/1/16?
NERC, I’m sorry to say this, but the ship has sailed. Entities needed to start their compliance process six months ago, but at the latest they should start it tomorrow (OK, I’ll give them ’til Monday, Jan. 5). I was hoping you (NERC) would get a good number of these issues addressed by the end of 2014, so that entities could start off 2015 by a) identifying all their cyber assets/systems in scope for v5; b) conducting a gap assessment to see what they need to do; and finally c) rolling up their sleeves and implementing what they need to fill those gaps. Because you only addressed one or two of the CIP-002-5.1 R1 issues, the entities simply don’t have enough guidance to start this process as they need to: with a comprehensive effort to identify all cyber assets in scope for v5 (BCAs, BCS, ESPs, PCAs, EAPs, etc.).
You’ve taken a remarkably leisurely approach to the Lessons Learned effort, NERC (for instance, the last LLs were posted in November). I appreciate that you all have family commitments, etc., but this approach has eliminated any remaining possibility that entities will be able to competently and efficiently comply with CIP v5 by 4/1/16.
So this is what you need to do, NERC:
- As I believe I’ve just mentioned, the compliance dates for v5 need to be pushed back – a minimum of six months, but preferably a year.
- You need to declare CIP-002-5.1 R1 an “open” requirement. I doubt there’s any provision for doing this in the Rules of Procedure, but I also doubt there’s ever been a requirement that’s been both a) so extremely critical, and b) so vague and contradictory. You need to simply declare that any entity that makes a good faith effort to understand R1, and that properly studies and applies all the appropriate Lessons Learned, etc., will never be assessed a PV for violating R1.
I know you’re not going to like this idea, NERC (in fact, you’re not going to like any of the ideas in this post). But you know what? It really doesn’t matter whether or not you declare R1 an open requirement; it will be that of its own accord. There is simply no way any self-respecting auditor will assess a PV for R1 on an entity that has made a good-faith effort to comply. And this is because there’s no way any assessed violation of R1 would ever be upheld in a court of law – the requirement is simply too contradictory and vague. What auditor wants to waste their time (and credibility) writing PVs that have zero chance of ever being upheld?
- You need to bust your a__ providing guidance on v5. No more one or two Lessons Learned a month. You need to a) come up with a full list of ambiguities, etc. in all the CIP v5 standards; and b) make a plan to address each of these – through Lessons Learned, FAQs, fatwas, Papal encyclicals, or whatever means you have – by, at a very minimum, a year before the new (initial) compliance date for v5. For example, if you put off the initial compliance date for a year to April 1, 2017, you need to address all of the ambiguities in v5 by April 1, 2016.
- You need to write a SAR[v] for a new version of CIP-002 (which of course would be the first and perhaps only CIP Version 8 standard). Even though I’m assuming you’ll listen to what I said in the paragraph above this (after all, you always listen to me!), there is simply no way that R1 can be made whole without completely rewriting it. And if you’re not sure what’s wrong with the current standard and don’t feel like plowing through the 40 or so posts I’ve written on that topic (who can blame you for that? I get tired of looking at them myself), I’ll be glad to make a couple of suggestions. Once a new CIP-002 R1 is in place, then I think CIP v5 (of course, I mean v6.3940) will be a completely enforceable version. There are certainly problems with the other standards beyond CIP-002, but in my opinion they are all fixable through Lessons Learned or other documents; the problems with the current 002 are not fixable without a complete rewrite.
I must admit these four “suggestions” are based on an assumption: that rewriting CIP-002 will be a 2-3 year process, including writing the SAR, constituting a new SDT, drawing up and balloting a few drafts before final approval by NERC, submitting the new version to FERC, awaiting their approval, and addressing any changes FERC may require when they approve it. A further assumption is that it would be unacceptable to leave CIP v3 in place during this entire process.
If either of these assumptions isn’t correct, then what I recommend is much simpler: NERC needs to start the process of rewriting CIP-002, and leave CIP v3 in place until the new version (CIP-002-8, by my calculations) is ready.
Of course, you may well ask what the likelihood is that NERC will take up any of my suggestions. I refer you back to the first post in this series, where I said the likelihood was about that of the Chicago Cubs winning the World Series in 2015. Quite small, yet still greater than zero.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
[i] In this and other posts, when I say “CIP v5”, I’m almost always referring to what I call CIP 6.3940, the specific mix of v5, v6 and v7 CIP standards that NERC entities will actually have to comply with. Everyone still refers to it as “CIP v5”, and that’s fine with me – as long as nobody is looking any more at any of the “real” v5 standards except for CIP-002, -005 and -008. All the others have been replaced by their v6 or v7 versions.
[ii] I would say that blame for Number 1 can actually largely be attributed to FERC. I believe they approved CIP version 4 in April 2012 not because they intended to see it come into effect, but as a way to put pressure on the NERC membership to quickly approve CIP v5 (the first draft of v5 had just gone down to resounding defeat, with no standard gaining more than I think about a 20% positive vote). Unfortunately, by approving v4, the signal they sent (especially to the Legal and Compliance departments at large IOUs) was that v4 would come into effect, regardless of whether or when CIP v5 was approved. So a lot of money and effort were wasted on v4 compliance efforts, which I documented in a series of posts (starting with this one) last summer.
A year and a day after FERC approved v4 (and undoubtedly due to a lot of frantic lobbying by NERC), FERC issued a NOPR saying they intended to approve v5, and that v4 would never come into effect. Yet some of those IOU Legal departments a) continued to tell people to work on v4, since after all that was still the law of the land; and b) wouldn’t allow expenditures on v5 because it wasn’t actually approved, and because FERC had made it clear they wanted some changes in it. FERC did approve v5 in November 2013, but that was past the date by which most large utilities (and IPPs) had prepared their 2014 budgets; hence a lot of NERC entities (some quite large) won’t have v5 budget until sometime in 2015.
[iii] There are problems in most of the other requirements as well – there always are. However, the R1 problems are serious enough that I now contend there is no single methodology that can be written down for R1 compliance that conforms to all of the wording in R1 and Attachment 1; there are just too many missing definitions, holes in interpretation, and out-and-out contradictions. The third post in this series drove home that point in nauseating detail.
[iv] Of course, to speak of “Lessons Learned”, when the v5 standards probably haven’t been fully implemented yet by any large NERC entity, is kind of strange. These aren’t really lessons learned but non-binding interpretations (with a lower-case i). True Interpretations, which are binding, will take probably three years to go through the whole process of drafting, balloting, and approval (or not) by FERC; they obviously won’t solve anyone’s problems with compliance by 4/1/16.
[v] Standards Authorization Request