In the
post I did two days ago on the ISO New England emails, I stated that there
were only three “legal” ways out of ISO NE’s dilemma – how to designate just
the particular BES Cyber Systems that perform the AVR function in generating
plants as Medium impact, while not making the whole plant, or even one unit,
Medium impact as well. I also said that
I was sure ISO NE wouldn’t pursue any of the three. Therefore, I suggested an “illegal” option –
getting NERC to issue a “ruling” on the issue, even though it has no status
under the Rules of Procedure – as the best approach possible (and one which I
believe will be used very frequently, as the myriad of hidden issues in the
bright-line criteria bubble up to the surface as entities try to make sense of
the criteria).
However, an
Interested Party pointed out to me that there is a fourth “legal” option: “Write a Standards Authorization Request
outlining the specific dilemma and asking for the issue to be fixed through a
change in the Criterion.” Under the NERC
Rules of Procedure, any entity can write a SAR for a change to an existing
standard or even a completely new standard.
This is perfectly true. In fact,
I’d add a fifth legal option: submitting a Request for Interpretation on this
issue to NERC.
Both of
these options are quite legal, but they both have the same problem: they will
take at the very minimum two years to yield fruit (a revised standard in one
case, an Interpretation on this issue in the other case), and probably longer
than that (the RFI also faces the challenge that FERC may reject the
Interpretation once it has been drafted and approved by the NERC ballot body. This happened with two Interpretations of CIP
v3 in 2012).
I should have said that there were only
three legal options that might conceivably result in guidance to the generators
in New England in time for them to come into compliance with CIP v5 by April 1,
2016. There are two legal options that
will provide guidance to entities sometime after the compliance date, but that
leaves the possibility that generators will a) not be in compliance next April
or b) be in Medium compliance for a plant or unit that it turns out didn’t have
to be Medium impact after all.
I have of
course advocated
for NERC (or somebody else) to write a SAR to rewrite the entire CIP-002-5.1,
not just Criterion 2.6. I think that is
a much better approach, rather than trying to write a SAR for each problem in
CIP-002-5.1 R1 and Attachment 1. You
could write literally hundreds of SARs and still not be any closer to fixing
the fundamental problems with these two items.
NERC needs to simply start over and write these clean. However, this will definitely not solve the
problems in time to help people for initial compliance. That’s why I’m also saying (in the same post)
that R1 needs to be declared an “open” requirement, and that the compliance
dates for CIP v5 and v6 need to be pushed back by a year (in this
post).
And by the way, with every passing day (and
with every glass of red wine), I become more certain that all of these three
things will happen – or at least two of them.
Anyone up for a bet?
The views and opinions expressed here are my
own and don’t necessarily represent the views or opinions of Honeywell.
No comments:
Post a Comment