On July 6, 2015 NERC emailed me and a couple thousand of my closest friends to say that a
special meeting had been held on July 1 (to which I unfortunately was not
invited – obviously a simple oversight); you can find the attachment to that
email here.
In what may qualify as the understatement of the year, NERC said they called
the meeting because they “became aware that industry continued to have concerns
over the issues after it (NERC) issued CIP Version 5 Memoranda dated April 21,
2015.” Furthermore, the meeting “was organized to discuss a way forward to
resolve the issues and (identify) remaining questions or concerns for
consideration through standards development or other means.”
Let me
summarize what I think are the most important takeaways from this document:
- NERC is withdrawing the Memoranda from April. This is not
hugely surprising, since as I said in this
recent post, half of the regions said they didn’t consider the Memoranda
“auditable”, as NERC had termed them – and I’m sure the other regions
agreed with them.
- Since even I agree that one or two of the Memoranda – and
parts of others – provide good guidance in themselves, NERC does say that
“Portions of their content will be included in industry guidance, as
appropriate.”
- Quite significantly, NERC says that “Guidance documents
will provide approach(es) to meet requirements of the standards, though
entities may have other ways to achieve the same goal.” I interpret this
to mean NERC is admitting they will never be able to provide any sort of
“definitive” guidance on many or even most of the interpretation issues in
CIP version 5; entities are ultimately responsible for determining how
they will define undefined terms like “programmable”, as well as how
they’ll interpret requirements that are vague or contradictory, most
notably CIP-002-5.1 R1. I have been calling this approach “Roll
Your Own”, but others have described it differently. For example, see
the newsletter article by Lew Folkerth of RFC referenced in this
post (to be honest, I like Lew’s methodology better than my own. I want to
write a new post on that soon).
- NERC states that future guidance will be based on the
“Section 11” process, which means Lessons Learned. This is good news,
since this process does allow for stakeholder input. One reason the
Memoranda failed is that there was no input solicited before they were
released in April.[i]
- From a number of references to the “Standards Development
process” in the document, it seems clear that NERC will be working on a few
SARs (Standards Authorization Requests, which if approved can lead to
development of a new standard or definition) to address various issues.
This is of course the only way that problems with the CIP v5 standards (or
any NERC standard) can really be
fixed, but we are talking about a long process – it will take at the bare
minimum two years for a SAR to produce a revised standard, and more likely
three to four years.
- Of course, what is really important is what happens next.
It’s great that a) NERC has withdrawn the Memoranda, b) they’re going
back to Lessons Learned as the primary guidance tool, c) they admit that
entities are empowered to resolve ambiguities for themselves, and d) they’re
restarting the Standards Development engine. But the compliance deadline
remains 4/1/16, and it’s pretty late in the game for NERC to be still developing
guidance at all, let alone putting out a document that provides no
guidance in itself but merely promises guidance is coming on an
unspecified schedule. Remember, the Lessons Learned typically take a long
time to develop. NERC started developing the LLs last September, and since
then only two have been finalized, both on completely non-controversial
topics. The document doesn’t give any timetable for developing new Lessons
Learned, but even some sort of huge rush effort (and there’s no indication
in the document that NERC is planning such an effort) would take at a
minimum three to four months. That puts us in the fourth quarter, less
than six months before the compliance date. Are entities supposed to hold
off starting their compliance efforts until then?
- More importantly, there seem to be only about 20 LLs in
the development process now, and there are many more issues that haven’t
even been acknowledged by NERC (probably hundreds, and I suspect there are even more
lurking in the Attachment 1 criteria. I have more than once compared
issues with those criteria to the Hydra of Greek mythology; if you cut off
one of its heads, two more would grow in its place. It seems as if there
is no end to the questions that can be raised, once you look closely at
any one of the criteria).
- Even more importantly, there are problems with CIP-002 –
and its associated definitions, including Cyber Asset, BES Cyber Asset and
BES Cyber System – that couldn’t be fixed with LLs if you wrote one a day
for the next century; there are fundamental contradictions built into the
standard, which can’t be resolved through parsing the words further.
CIP-002 and these three definitions need to be re-thought and rewritten. I
don’t think this has to be a completely “from scratch” effort. I believe
the way most people now interpret CIP-002 R1 (and Attachment 1, and the
three definitions) is correct, and can provide a consistent methodology
for identification and classification of BES Cyber Systems. However, this
methodology (that more or less everyone is using today) doesn’t in fact
correspond with most of the wording of CIP-002, meaning the only way to
comply with the true meaning of CIP-002 R1 is to violate the requirement
as written[ii].
The standard needs to be rewritten so it provides a consistent methodology
and ontology – both internally consistent and consistent with the
methodology and ontology that virtually all NERC entities are in fact now
using in their compliance programs.
- These problems wouldn’t be insoluble if it weren’t for the
other significant (from a CIP point of view) event that transpired on July
1: As of that day, there are only nine months until the CIP v5 compliance
date. I will cut to the chase: there is simply no way the interpretation problems
of CIP v5 can be addressed in time for the standards to be enforceable on
April 1, 2016. This would be the case even if tomorrow all of the
questions regarding v5 interpretation were miraculously answered[iii]
– and I can guarantee you they won’t be answered tomorrow.
So NERC –
and the whole NERC community – needs to acknowledge reality and admit that CIP
version 5 won’t be enforceable on April 1, 2016. Once that happens (and the
sooner the better), the community can decide – perhaps in some sort of general
meeting – the proper way forward, so that ultimately there will be a CIP v5[iv] that is
well understood and completely enforceable. I have thought a lot about how this
could actually come about; I’ll sketch below how I think this goal can be
achieved (NOTE: I had planned to first write a few posts on why the current
situation is untenable, before I laid out my ideas for the future. But the new
NERC document led me to believe that maybe things are moving faster than I had
thought they were, and it’s important to get these ideas on the table now –
even though almost all of them have appeared separately in my various posts over
the last nine months or so. I still plan to write the other posts in the near
future – especially on why CIP-002 needs to be rewritten).
- The first step is for NERC to get the SAR process moving,
so that CIP-002 and portions of other standards (as well as certain
definitions) can be rewritten. A SAR (or SARs) is needed to rewrite
CIP-002, but probably also to address certain problem areas in other
standards – e.g. a definition of “external
routable connectivity” for CIP-005, and a definition of “software”
for CIP-010 R1.
- Next, NERC needs to acknowledge there is substantial uncertainty
about way too many fundamental questions in CIP version 5 (primarily of
course in CIP-002, but certainly not limited to that standard) for the
standards to be enforceable on April 1, 2016.
- NERC needs to look back at the CIP version 1 rollout, where entities had
two compliance dates. The first was their “Compliant” date and the second
– one year later – was their “Auditably Compliant” date. I think the same
principle would work with v5. April 1, 2016 should be the Compliant date.[v]
Entities need to do their best to be compliant on that date, but if
they’re not – and if they’re audited in the following twelve months – they
won’t be assessed any violations. Rather, the auditor will simply note the
areas of improvement required, and discuss with the entity why they missed
the mark on one or more requirements.[vi]
On April 1, 2017, entities will have to be Auditably Compliant[vii],
meaning they can be assessed violations.
- However, I’m not even saying that pushing the Auditably
Compliant date back to 4/1/17 is enough. In order for that to be the case,
there needs to be definitive guidance (presumably from NERC) on all of the major interpretation
issues with CIP v5 – the definitions of “programmable” and External
Routable Connectivity; procedure for determining “adverse impact” on the
BES in the BES Cyber Asset definition; BES Cyber System identification
methodology, etc. – by 4/1/16. This will give NERC entities an entire year
to implement compliance, based on an agreed-upon foundation. I’m not
pretending that this effort in itself won’t be a huge one. When you
consider that exactly two Lessons Learned have been finalized in the last
nine months, and that less than nine months remains before 4/1/16, you can
see why I have doubts even this could happen. But if this guidance hasn’t
been provided by 4/1/16, then the Compliant date also needs to be moved
back – by whatever time it takes to develop complete guidance; and the
Auditably Compliant date needs to be moved back so that it’s still a year
after the Compliant date. For example, let’s say the guidance is complete
on 8/1/16. That would be the new Compliant date, and the Auditably
Compliant date needs to move from 4/1/17 to 8/1/17. I know this sounds
like a very tall order, but we don’t want to end up in the same situation
this time next year that we are in now: less than nine months remaining to auditably comply, and lots of uncertainty still hanging over the meaning of the most
fundamental concepts in CIP v5.
- But there is one big exception to the two-step compliance
process I’ve just described: Since CIP-002 needs to be rewritten so it can
provide a consistent methodology for compliance, it obviously can’t be
enforceable until it is rewritten. And it won’t be rewritten and approved
by 4/1/17. This leads to an issue: How can CIP-003 through CIP-011 be
enforceable if CIP-002 isn’t enforceable? The other standards all assume
the entity has “properly” identified and classified its BES Cyber Systems
in CIP-002 R1. Won’t there be all sorts of problems if NERC tries to
enforce these other standards without at the same time enforcing 002?
- This might sound like a big problem, but I don’t really
think it is. As I said above, NERC entities – and the regions and NERC
itself – are almost all on roughly the same page as to how to comply with
CIP-002 R1: First you identify your assets (and perhaps Facilities) that
are High or Medium impact through Attachment 1 (the “big iron”). Next, you
identify the BES Cyber Assets and BES Cyber Systems that control those
assets (the “little iron”). If the asset/Facility is High impact, the BCS
are High; if Medium, the BCS are Medium. Finally, the entity takes its
list of BES assets, subtracts those that are High and Medium impact, and
identifies the remainder – those containing at least one control system –
as “assets containing a Low impact BES Cyber System”. The problem of
course is that CIP-002 isn’t written this way, leaving two choices: either
every single NERC entity will be in violation of CIP-002, or CIP-002 needs
to be rewritten so it reflects how everyone is actually trying to comply
with it (as well as to clear up problems like the missing definitions). I
submit that the latter is the more sensible approach.
- Of course, the above is a simplification of the process that entities are using to
comply with CIP-002, but it is in principle one that can be followed
(indeed, it is basically the same process as with CIP versions 1-3, with
the exception that there are now three classes of assets, rather than just
two – Critical Assets and others). What is needed is for all parties (meaning
NERC, the eight Regional Entities, and a healthy majority of the NERC
entities subject to all of CIP v5) to agree that, until CIP-002 can be
rewritten so that it actually reflects this process, they will abide by
the above methodology (with a lot more detail added, of course) as the
official “interpretation” of CIP-002-5.1. I don’t think there should be
any actual PVs issued for CIP-002 R1 until the standard is rewritten[viii].
But I do think that, with this general understanding in place, it will be
possible for an auditor to accept an entity’s lists of High and Medium BCS
as legitimate, meaning that CIP-003 through -011 will be enforceable.
- The corollary of the above is, of course, that CIP-002
will never be enforceable until it is rewritten. But my opinion is this
will happen whether or not NERC officially acknowledges it. Given the huge
problems with 002, I find it very hard to believe that auditors will issue
PVs – or certainly that those PVs will turn into actual violations – if
the entity has made a good faith effort to comply. Let’s say the entity
has based their “Programmable” definition on the January Lesson Learned,
while the auditor believes that NERC’s April Memorandum is a better guide.
Is the auditor really going to write a PV, given that the entity was
following what was NERC’s official guidance early this year – and that
NERC withdrew the Memorandum two months after issuing it? No, the auditor
isn’t going to issue a PV. This makes CIP-002 unenforceable, whether or
not it’s officially declared so. But it’s much better for this to be made
official, so that CIP-002 is indisputably unenforceable. If that doesn’t
happen, there will be a bunch of fruitless arguments at audit time over –
in this case – the “true” meaning of “Programmable”, which of course can
never be determined before CIP-002 is rewritten[ix].
So whether or not NERC officially declares it so, CIP-002 R1 will be
unenforceable on 4/1/16; of that I am certain.[x]
- Once CIP-002 is rewritten (and approved by the NERC ballot
body, the BoT and FERC), along with perhaps portions of other v5
standards, there will actually be a CIP version 5 that can be completely
complied with. Which is a good thing, because I think v5 is an excellent
family of standards. It can be the basis[xi]
for NERC cyber security standards going forward many years.[xii]
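The CIP-002 R1 methodology sketched above (rate the “big iron” under Attachment 1, let the BES Cyber Systems at each High or Medium asset inherit that rating, and treat the remaining assets that contain at least one control system as “assets containing a Low impact BES Cyber System”) can be written down as a small procedure. The following is an added example, not code from the original post or from NERC; it assumes each asset’s Attachment 1 determination has already been made and is supplied as input (the criteria themselves are not encoded), it uses a `performs_bes_function` flag as a stand-in for the BES Cyber Asset test, and all asset and device names are constructed sample data. The `audit_compare` helper shows the kind of check an auditor could run when deciding whether to accept an entity’s declared High/Medium BCS list under such an agreed interpretation.

```python
# Added example: model of the CIP-002 R1 identification methodology described
# in the post. Not NERC's code and not from the original post; the Attachment 1
# criteria are NOT encoded, each asset's High/Medium/None rating is an input.
from collections import defaultdict
from dataclasses import dataclass

HIGH, MEDIUM, NONE = "High", "Medium", "None"


@dataclass
class BESAsset:
    name: str
    attachment1_rating: str  # HIGH, MEDIUM or NONE, decided under Attachment 1


@dataclass
class CyberAsset:
    name: str
    asset: str                  # BES asset or Facility it is located at
    performs_bes_function: bool  # assumed stand-in for the BES Cyber Asset test
    system: str                 # grouping name for the BES Cyber System


def classify(assets, cyber_assets):
    """Return (bcs_ratings, low_impact_assets, out_of_scope_assets).

    bcs_ratings maps (asset, system) -> HIGH/MEDIUM for BCS at High/Medium assets.
    low_impact_assets: remaining assets that contain at least one BES Cyber Asset.
    out_of_scope_assets: assets with no BES Cyber Assets at all.
    """
    rating_of = {a.name: a.attachment1_rating for a in assets}
    # Step 2: find the BES Cyber Assets ("little iron") at each BES asset
    bcas_by_asset = defaultdict(list)
    for ca in cyber_assets:
        if ca.asset not in rating_of:
            raise ValueError(f"{ca.name}: unknown BES asset {ca.asset!r}")
        if ca.performs_bes_function:
            bcas_by_asset[ca.asset].append(ca)
    bcs_ratings, low_impact, out_of_scope = {}, [], []
    for a in assets:
        bcas = bcas_by_asset.get(a.name, [])
        if a.attachment1_rating in (HIGH, MEDIUM):
            # BCS inherit the rating of the asset they are located at
            for ca in bcas:
                bcs_ratings[(a.name, ca.system)] = a.attachment1_rating
        elif bcas:
            # Step 3: not High/Medium but contains a control system -> Low
            low_impact.append(a.name)
        else:
            out_of_scope.append(a.name)
    return bcs_ratings, sorted(low_impact), sorted(out_of_scope)


def audit_compare(declared, derived):
    """Diff an entity's declared High/Medium BCS list against the derived one."""
    d, v = set(declared), set(derived)
    return {
        "missing": sorted(v - d),                # in methodology output, not declared
        "extra": sorted(d - v),                  # declared, but not supported by the method
        "mismatched": sorted(k for k in d & v if declared[k] != derived[k]),
    }


def run_sample():
    """Constructed sample inventory (not real entity data)."""
    assets = [
        BESAsset("Big Control Center", HIGH),
        BESAsset("500kV Sub", MEDIUM),
        BESAsset("Small Sub", NONE),
        BESAsset("Peaker Plant", NONE),
        BESAsset("Empty Yard", NONE),  # no control systems at all
    ]
    cyber_assets = [
        CyberAsset("ems-server", "Big Control Center", True, "EMS"),
        CyberAsset("hmi-01", "Big Control Center", True, "EMS"),
        CyberAsset("print-server", "Big Control Center", False, "office"),
        CyberAsset("rtu-01", "500kV Sub", True, "RTU"),
        CyberAsset("rtu-02", "Small Sub", True, "RTU"),
        CyberAsset("dcs-01", "Peaker Plant", True, "DCS"),
    ]
    return classify(assets, cyber_assets)


if __name__ == "__main__":
    ratings, low, oos = run_sample()
    print("High/Medium BCS:", ratings)
    print("Low impact assets:", low)
    print("Out of scope:", oos)
    # An entity that forgot to declare the substation RTU system:
    print(audit_compare({("Big Control Center", "EMS"): HIGH}, ratings))
```

The office print server at the High asset is deliberately excluded: it never becomes a BCS because it fails the BES Cyber Asset test, which is exactly the point where the undefined “programmable” and “adverse impact” terms the post discusses would decide the outcome in practice.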
Note: My analysis of FERC's recent NOPR raised the idea that the whole complicated process described above could be avoided if FERC simply delays approving CIP v6 until 2016. There will be no extraordinary actions required either on NERC's or FERC's part, if this happens. Of course, this assumes that FERC agrees with me that NERC entities should be given more time to become auditably compliant with CIP v5/v6. For more on this idea, see this post.
The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte Advisory.
[i]
Another reason they failed was that they were described as providing
“auditable” guidance – meaning there was no discretion as to whether an entity
followed them or not. This of course went over like a lead balloon, and was the
chief reason why there was such a big revolt against the Memoranda.
[ii]
I describe what I mean by this further on in this post.
[iii]
I wrote a post
on January 2 saying it was now too late for v5 to be enforceable on 4/1/16, and
I continue to believe that is the case – the big problems with CIP v5 would
have all needed to be resolved in some way by the end of last year, for the
4/1/16 date to have a chance of succeeding. The main problem is CIP-002, since
that is the foundation for the rest of the standards. Until entities can be
sure they’ve properly classified their BES assets and Facilities, and properly
identified and classified their BES Cyber Systems, there is simply no way they
can be sure the rest of their compliance program is good. While I said this in
January, it is obviously much more compelling today: If the entities all knew
tomorrow exactly how to comply with CIP-002 (and the other standards, since
they aren’t free of ambiguities either), there still wouldn’t be enough time to
finalize their asset identification and get all the standards complied with by
4/1/16. And as you can see by reading the NERC document on the July 1 meeting,
there is zero chance that all the important issues will be addressed in even
three months: NERC doesn’t give any timelines at all for providing guidance,
and in fact doesn’t even list what guidance actually needs to be provided. But three
months from now is six months before the compliance date, and even that would
be way too late to allow the 4/1/16 enforcement date to be retained. So it has
to go.
[iv]
As usual, by “CIP v5” I mean the three standards from the actual v5, as well as
the seven v6 standards (likely to be approved by FERC on Friday, July 17), that
make up what everyone calls “CIP version 5”.
[v]
In this post, I’m slinging a bunch of items around that NERC “should do”. I realize full well that NERC by itself
doesn’t have the authority to change compliance dates, etc.; FERC has that. But
just petitioning FERC out of the blue on all of this probably won’t work,
either. That’s why I think there need to be meetings of NERC, FERC, the regions
and the entities, at which all of this is discussed and a consensus reached.
None of what I’m advocating can be considered a purely formal process, and it
will fail if it is addressed as such. Instead of being based on the letter of
NERC’s Rules of Procedure, it will be based on a consensus among NERC, the
Regional Entities, and the NERC entities themselves. Extraordinary times require
extraordinary measures.
[vi]
I’m assuming here that the entity has made a good faith effort to comply – read
all the guidance they can, worked hard on compliance with all the v5
requirements, etc. If they have just sat back and done very little, they should
be assessed whatever violations apply. Having said this, I know this will
require that some clear line is drawn between what constitutes a good faith
effort and a “bad faith” one. This is another question that will simply have to
be resolved through consensus among NERC, FERC, the regions and the entities.
It can’t be addressed through some sort of SAR process, in time for that to do
any good.
[vii]
Some of the v6 compliance dates may have to be pushed back along with the first
v5 date (for a complete list of v5 and v6 dates, see this
post). For example, the four v6 requirements that come due on January 1, 2017
will obviously have to be pushed back at least three months and maybe more. But
I think some of the compliance dates – such as for the two Low impact
requirements – may not need to be pushed back, since they may not be seriously
affected by pushing the 4/1/16 date (for Highs/Mediums) back a year. These are
all matters for discussion with the NERC community, and of course will require
FERC approval.
[viii]
Except, again, for an entity that doesn’t care about the whole process and
doesn’t really try to comply with CIP-002 at all. They should be treated
severely, although the same provision I mention in footnote vi above applies
here.
[ix]
If NERC only wanted to fix the “Programmable” definition, they could issue a
SAR for just that; it might be developed and approved in around a year. But given
the many problems in CIP-002, I don’t think just defining “Programmable” helps; the standard
and its closely related definitions (especially “programmable” and “adversely
impact”; possibly one or two others like “associated with”) need to be fixed at
the same time. I’ll have more to say on this in one of my soon-to-come posts on how to fix CIP-002.
[x]
The reason I’m certain of this is that the enforceability of CIP, or any other
NERC standard, is ultimately up to the US court system. NERC can issue
violations and FERC can uphold them, but in the end any violation can be
appealed (and I know entities have at least seriously considered doing this, although there haven't been any cases that have gone through so far). I’m sure that a judge won’t have to spend 15 minutes reading
CIP-002-5.1 R1 to realize it’s too vague and contradictory to be enforceable.
When that happens, it’s game over for CIP-002 (and perhaps for all of CIP v5); once
all NERC entities know this has happened, you can be sure the auditors won’t
want to waste their time issuing PVs that are sure to be thrown out if appealed
– and the entities will know they only have to threaten to appeal in order to
get NERC and FERC to back off a violation. It will be a very ugly scene, and
for that reason I don’t think it will ever actually come to pass. I have faith
that good sense will prevail, and may be prevailing already. And if good sense
comes to the NERC community, maybe there’s even hope for Congress!
[xi]
There is another “step” that I’m less certain about, so I’ll put it in a
footnote; it regards the Attachment 1 criteria. I did a post in 2012 – which I
reproduced here
in 2013 – that said that, no matter how many problems there were with the
bright-line criteria, it is useless to try to spend a lot of time refining
them. I don’t think God Himself could write a set of short criteria that would
capture the huge variability of the electric power industry. The only realistic
way to deal with the many problems that have already come up with the BLC – and
the exponentially larger number that will come up in future years – is to have
some sort of “Supreme Court of BLC”, that will rule on each BLC dispute. This
may seem arbitrary, but it’s still better than the RBAMs in CIP v1-3; FERC
obviously thinks those were even more arbitrary, and intentionally so. Having
“bright-line criteria” (FERC’s term, I believe) was in principle a good idea,
but I just don’t see it ever working without some sort of arbitration mechanism
like this.
[xii]
I’m not naïve enough to say there won’t need to be any future versions of CIP (in fact, it seems that FERC is already proposing further extensions and changes to the CIP standards, in their July 16 NOPR).
But I think the framework of the standards – once CIP-002 is fixed – can carry
CIP forward for many years after that. Of course, IMHO the best thing would be
a purely risk-based standard like CIP-014, as I described at the end of this
post. I don’t see that happening very soon, though.