In the post I did two days ago on the ISO New England emails, I stated that there were only three “legal” ways out of ISO NE’s dilemma – how to designate just the particular BES Cyber Systems that perform the AVR function in generating plants as Medium impact, while not making the whole plant, or even one unit, Medium impact as well. I also said that I was sure ISO NE wouldn’t pursue any of the three. Therefore, I suggested an “illegal” option – getting NERC to issue a “ruling” on the issue, even though it has no status under the Rules of Procedure – as the best approach possible (and one which I believe will be used very frequently, as the myriad of hidden issues in the bright-line criteria bubble up to the surface as entities try to make sense of the criteria).
However, an Interested Party pointed out to me that there is a fourth “legal” option: “Write a Standards Authorization Request outlining the specific dilemma and asking for the issue to be fixed through a change in the Criterion.” Under the NERC Rules of Procedure, any entity can write a SAR for a change to an existing standard or even a completely new standard. This is perfectly true. In fact, I’d add a fifth legal option: submitting a Request for Interpretation on this issue to NERC.
Both of these options are quite legal, but they both have the same problem: they will take at the very minimum two years to yield fruit (a revised standard in one case, an Interpretation on this issue in the other case), and probably longer than that (the RFI also faces the challenge that FERC may reject the Interpretation once it has been drafted and approved by the NERC ballot body. This happened with two Interpretations of CIP v3 in 2012).
I should have said that there were only three legal options that might conceivably result in guidance to the generators in New England in time for them to come into compliance with CIP v5 by April 1, 2016. There are two legal options that will provide guidance to entities sometime after the compliance date, but that leaves the possibility that generators will a) not be in compliance next April or b) be in Medium compliance for a plant or unit that it turns out didn’t have to be Medium impact after all.
I have of course advocated for NERC (or somebody else) to write a SAR to rewrite the entire CIP-002-5.1, not just Criterion 2.6. I think that is a much better approach, rather than trying to write a SAR for each problem in CIP-002-5.1 R1 and Attachment 1. You could write literally hundreds of SARs and still not be any closer to fixing the fundamental problems with these two items. NERC needs to simply start over and write these clean. However, this will definitely not solve the problems in time to help people for initial compliance. That’s why I’m also saying (in the same post) that R1 needs to be declared an “open” requirement, and that the compliance dates for CIP v5 and v6 need to be pushed back by a year (in this post).
And by the way, with every passing day (and with every glass of red wine), I become more certain that all of these three things will happen – or at least two of them. Anyone up for a bet?
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.