Today,
Friday the 13th (!), NERC filed CIP Version 6 with FERC. The standards filed have of course been well known
for a while, since they have been commented and balloted on. But there was one surprise – a mildly
pleasant one (but only mildly).
The most
interesting aspect of this filing (pointed out to me by Lew Folkerth of RFC) is that CIP version 7 - which I welcomed last November – seems to have died a quiet, unlamented
death, a mere three months after its birth.
Version 7, we hardly knew ye. What
was the cause of death?
Of course,
that’s a long story (what isn’t a
long story, in the NERC world?). For
those who may have become frustrated and stopped keeping score at home:
- In Order 791 in November 2013, FERC approved CIP v5 but ordered four changes to it.
- NERC’s rules state that no changes can be made to a standard once it has been approved. Therefore the changes would have to go into a new version.
- There have been two previous occasions where NERC made changes to just parts of a CIP version – going from v2 to v3 and from v3 to v4. In both cases, all the standards were “revised” to the new version level, even though just one standard was actually changed (CIP-006 in the former case, CIP-002 in the latter). This meant that, going forward, entities had to comply with only one version.
- Because of the “version fatigue” that set in during the runup to CIP v5 approval, where the entities were whiplashed by a version that looked something like CIP v5 (called CIP-010-1 and CIP-011-1, not to be confused with the CIP-010-1 and CIP-011-1 in Version 5), then by CIP v4, and finally by the CIP v5 we all know and love today, NERC staff members developed the idea that they would be strung up from the highest tree if they told the membership, “Guess what, we have a NEW CIP standard for you!”
- Thus, even though NERC did put together a Standards Drafting Team and started work on the changes ordered by FERC, they called these changes the “CIP Version 5 Revisions”. I at first assumed they were just going to rename all the v5 standards as V6 versions (i.e. CIP-002 through -009 would be “-6”, and -010 and -011 would be “-2”). So I was dismayed when the new SDT released their first drafts of the revised standards last summer. This was when I found that three of the standards - CIP-002, -005 and -008 – hadn’t been revised. Since those standards remained at the v5 level, this meant that entities would have to comply with three v5 standards and seven v6 ones. I thought, “This is terrible. What could possibly be worse?”
- I got my answer to that question in November. There had just been a crucial ballot on v6, where two of the four changes ordered by FERC had passed, but two hadn’t. This put NERC in a bind, because FERC had mandated that two of the four changes (removing “Identify, Assess and Correct” as well as providing protection for “communications networks”) be submitted to them by Feb. 3, 2015. Fortunately, the two that had passed were the ones with the deadline. NERC thought at the time that there was no longer enough time to make adjustments so that the two standards that hadn’t passed - CIP-003 (Lows) and CIP-010 (Transient Electronic Devices) – could make it out of the balloting in time to be submitted before FERC’s deadline. So they decided to submit to FERC the two changes that had passed first, then submit the remaining two once they had also passed the ballot.[i]
- But when NERC’s Board of Trustees approved a new set of standards with the suffix “-6”, this meant that the remaining standards – still being balloted - needed to be called v7. And sure enough, in this post in November, I heralded the birth of CIP Version 7 – tongue firmly in cheek. I followed this up with a post setting out the schedule for compliance with all three versions.
- But it turns out that NERC didn’t file v6 with FERC after the Board approved the standards last fall. It seems the SDT moved quickly to address the issues in CIP-003 and -010, and got approval on the next ballot (there was still a final ballot required – which used to be called the “recirculation ballot” – but that was accomplished in January). So the wizards at NERC realized that, with a little luck, they would be able to incorporate the v7 standards into the v6 filing, saving FERC the trouble of having to approve both versions, and NERC the embarrassment of having to explain why two approvals were needed in the first place.
- Of course, NERC didn’t quite meet FERC’s deadline of Feb. 3, since they just filed the standards today. They had requested a ten-day extension from FERC in January.
Thus, what
was filed today was both the v6 and v7 standards. However, NERC put a nice flourish on this by
getting the Board in January to also rename the v7 standards as v6 ones.[ii] This means that all of the revised standards
will be v6 ones – i.e. with suffixes “-6” or “-2”, not also “-7” or “-3”.
My first
full-time boss was a man who always said, when some minor break had come his
way or someone had made a big deal about conveying a minor benefit, “Thank God
for small favors”. This is how I look at
this latest development. It is certainly
nice that the industry doesn’t have to comply with v5, v6 and v7, but only with
v5 and v6. It would of course be nicer
if they only had to comply with v6 and not v5 at all, but that’s water under
the bridge (the SDT co-chair admitted in their last webinar that they would
have done things differently if they had it to do over again). But I’ll take the small favor.
One point
before I go. A compliance person at a
NERC entity said to me last week that they were getting ready to comply with
CIP v5 “and then versions 6 and 7”. I
wanted to tell him that he was looking at it the wrong way. He needs to look at CIP versions 5 and 6 as one version. It has a complicated compliance
schedule, I’ll agree (and the fact that all the new standards are v6 now,
not v6 and v7, doesn’t change the compliance schedule at all); but the fact is
that entities need to be working on compliance for all of the new standards, not just the three v5 ones.
To remind
people of this need, I had named
the “compliance version” of CIP as v6.3940 in November, reflecting the fact
that most of the standards that entities have to comply with are v7 ones. Since v7 is gone, I need to change that. Last July, I named
the unholy mixture of v5 and v6 as v5.5; I later revised
that to v5.7879 (reflecting, again tongue-in-cheek, the fact that there are 7 v6 standards and just 3 v5 ones). I could go back to
either name, but since 5.5 is a little simpler to deal with, I’m going to – at least
a lot of the time - start referring to the compliance standards as CIP v5.5,
not v5. Who knows, maybe it will go
viral.
Feb. 14: I've updated my post from last November on the compliance schedule for the new CIP versions. I have removed all references to CIP v7 (which has now not only passed away, but officially become an "unperson" as in the novel "1984") and replaced them with the appropriate v6 references. Since I've heard some people actually did take my suggestion to print out the post and put it on their wall, I regret to say they will need to do that again. Since there will be no more changes to CIP v5.5 (unless FERC orders them), I think you won't have to do this again.
The views and opinions expressed here are my
own and don’t necessarily represent the views or opinions of Honeywell.
[i]
I’m leaving out a sordid detail here – the “-X” standards. If you must read about this sorry event, you
can do that here.
[ii]
However, there needed to be another step for this to happen. The v7 standards themselves needed to be
renamed as v6 , while the v7 Implementation Plan needed to be revised (so it
only referred to “-6” and “-2” standards, with no “-7” or “-3” ones). NERC seems to have done that, before they were ratified by the Board (but after the final ballot, which was for the v7 standards). I personally wonder if the Board has the
authority to amend standards – even for such a small change – without having
another ballot. In any case, I’m
personally glad they did, and will be glad to testify in court in favor of the Board members, if they’re sued for this egregious violation of the NERC Rules
of Procedure.
No comments:
Post a Comment