Wednesday, July 15, 2015

Nine Months

On July 6, 2015 NERC emailed me and a couple thousand of my closest friends to say that a special meeting had been held on July 1 (to which I unfortunately was not invited – obviously a simple oversight); you can find the attachment to that email here. In what may qualify as the understatement of the year, NERC said they called the meeting because they “became aware that industry continued to have concerns over the issues after it (NERC) issued CIP Version 5 Memoranda dated April 21, 2015.” Furthermore, the meeting “was organized to discuss a way forward to resolve the issues and (identify) remaining questions or concerns for consideration through standards development or other means.”

Let me summarize what I think are the most important takeaways from this document:

  1. NERC is withdrawing the Memoranda from April. This is not hugely surprising, since as I said in this recent post, half of the regions said they didn’t consider the Memoranda “auditable”, as NERC had termed them – and I’m sure the other regions agreed with them.
  2. Since even I agree that one or two of the Memoranda – and parts of others – provide good guidance in themselves, NERC does say that “Portions of their content will be included in industry guidance, as appropriate.”  
  3. Quite significantly, NERC says that “Guidance documents will provide approach(es) to meet requirements of the standards, though entities may have other ways to achieve the same goal.” I interpret this to mean NERC is admitting they will never be able to provide any sort of “definitive” guidance on many or even most of the interpretation issues in CIP version 5; entities are ultimately responsible for determining how they will define undefined terms like “programmable”, as well as how they’ll interpret requirements that are vague or contradictory, most notably CIP-002-5.1 R1. I have been calling this approach “Roll Your Own”, but others have described it differently. For example, see the newsletter article by Lew Folkerth of RFC referenced in this post (to be honest, I like Lew’s methodology better than my own. I want to write a new post on that soon).
  4. NERC states that future guidance will be based on the “Section 11” process, which means Lessons Learned. This is good news, since this process does allow for stakeholder input. One reason the Memoranda failed is that there was no input solicited before they were released in April.[i]
  5. From a number of references to the “Standards Development process” in the document, it seems clear that NERC will be working on a few SARs (Standards Authorization Requests, which if approved can lead to development of a new standard or definition) to address various issues. This is of course the only way that problems with the CIP v5 standards (or any NERC standard) can really be fixed, but we are talking about a long process – it will take at the bare minimum two years for a SAR to produce a revised standard, and more likely three to four years.
  6. Of course, what is really important is what happens next. It’s great that a) NERC has withdrawn the Memoranda, b) they’re going back to Lessons Learned as the primary guidance tool, c) they admit that entities are empowered to resolve ambiguities for themselves, and d) they’re restarting the Standards Development engine. But the compliance deadline remains 4/1/16, and it’s pretty late in the game for NERC to be still developing guidance at all, let alone putting out a document that provides no guidance in itself but merely promises guidance is coming on an unspecified schedule. Remember, the Lessons Learned typically take a long time to develop. NERC started developing the LLs last September, and since then only two have been finalized, both on completely non-controversial topics. The document doesn’t give any timetable for developing new Lessons Learned, but even some sort of huge rush effort (and there’s no indication in the document that NERC is planning such an effort) would take at a minimum three to four months. That puts us in the fourth quarter, less than six months before the compliance date. Are entities supposed to hold off starting their compliance efforts until then?
  7. More importantly, there seem to be only about 20 LLs in the development process now, and there are many more issues that haven’t even been acknowledged by NERC (probably hundreds, and I suspect there are even more lurking in the Attachment 1 criteria. I have more than once compared issues with those criteria to the Hydra of Greek mythology; if you cut off one of its heads, two more would grow in its place. It seems as if there is no end to the questions that can be raised, once you look closely at any one of the criteria).
  8. Even more importantly, there are problems with CIP-002 - and its associated definitions, including Cyber Asset, BES Cyber Asset and BES Cyber System - that couldn’t be fixed with LLs if you wrote one a day for the next century; there are fundamental contradictions built into the standard, which can’t be resolved through parsing the words further. CIP-002 and these three definitions need to be re-thought and rewritten. I don’t think this has to be a completely “from scratch” effort. I believe the way most people now interpret CIP-002 R1 (and Attachment 1, and the three definitions) is correct, and can provide a consistent methodology for identification and classification of BES Cyber Systems. However, this methodology (that more or less everyone is using today) doesn’t in fact correspond with most of the wording of CIP-002, meaning the only way to comply with the true meaning of CIP-002 R1 is to violate the requirement as written[ii]. The standard needs to be rewritten so it provides a consistent methodology and ontology – both internally consistent and consistent with the methodology and ontology that virtually all NERC entities are in fact now using in their compliance programs.
  9. These problems wouldn’t be insoluble if it weren’t for the other significant (from a CIP point of view) event that transpired on July 1: As of that day, there are only nine months until the CIP v5 compliance date. I will cut to the chase: there is simply no way the interpretation problems of CIP v5 can be addressed in time for the standards to be enforceable on April 1, 2016. This would be the case even if tomorrow all of the questions regarding v5 interpretation were miraculously answered[iii] - and I can guarantee you they won’t be answered tomorrow.

So NERC - and the whole NERC community – needs to acknowledge reality and admit that CIP version 5 won’t be enforceable on April 1, 2016. Once that happens (and the sooner the better), the community can decide – perhaps in some sort of general meeting – the proper way forward, so that ultimately there will be a CIP v5[iv] that is well understood and completely enforceable. I have thought a lot about how this could actually come about; I’ll sketch below how I think this goal can be achieved (NOTE: I had planned to first write a few posts on why the current situation is untenable, before I laid out my ideas for the future. But the new NERC document led me to believe that maybe things are moving faster than I had thought they were, and it’s important to get these ideas on the table now – even though almost all of them have appeared separately in my various posts over the last nine months or so. I still plan to write the other posts in the near future – especially on why CIP-002 needs to be rewritten).

  1. The first step is for NERC to get the SAR process moving, so that CIP-002 and portions of other standards (as well as certain definitions) can be rewritten. A SAR (or SARs) is needed to rewrite CIP-002, but probably also to address certain problem areas in other standards – e.g. a definition of “external routable connectivity” for CIP-005, and a definition of “software” for CIP-010 R1.
  2. Next, NERC needs to acknowledge there is substantial uncertainty about way too many fundamental questions in CIP version 5 (primarily of course in CIP-002, but certainly not limited to that standard) for the standards to be enforceable on April 1, 2016.
  3. NERC needs to go back to examine the CIP version 1 rollout, where entities had two compliance dates. The first was their “Compliant” date and the second – one year later – was their “Auditably Compliant” date. I think the same principle would work with v5. April 1, 2016 should be the Compliant date.[v] Entities need to do their best to be compliant on that date, but if they’re not – and if they’re audited in the following twelve months – they won’t be assessed any violations. Rather, the auditor will simply note the areas of improvement required, and discuss with the entity why they missed the mark on one or more requirements.[vi] On April 1, 2017, entities will have to be Auditably Compliant[vii], meaning they can be assessed violations.
  4. However, I’m not even saying that pushing the Auditably Compliant date back to 4/1/17 is enough. In order for that to be the case, there needs to be definitive guidance (presumably from NERC) on all of the major interpretation issues with CIP v5 – the definitions of “programmable” and External Routable Connectivity; procedure for determining “adverse impact” on the BES in the BES Cyber Asset definition; BES Cyber System identification methodology, etc. – by 4/1/16. This will give NERC entities an entire year to implement compliance, based on an agreed-upon foundation. I’m not pretending that this effort in itself won’t be a huge one. When you consider that exactly two Lessons Learned have been finalized in the last nine months, and that less than nine months remains before 4/1/16, you can see why I have doubts even this could happen. But if this guidance hasn’t been provided by 4/1/16, then the Compliant date also needs to be moved back – by whatever time it takes to develop complete guidance; and the Auditably Compliant date needs to be moved back so that it’s still a year after the Compliant date. For example, let’s say the guidance is complete on 8/1/16. That would be the new Compliant date, and the Auditably Compliant date needs to move from 4/1/17 to 8/1/17. I know this sounds like a very tall order, but we don’t want to end up in the same situation this time next year that we are in now: less than nine months remaining to auditably comply, and lots of uncertainty still hanging over the meaning of the most fundamental concepts in CIP v5.
  5. But there is one big exception to the two-step compliance process I’ve just described: Since CIP-002 needs to be rewritten so it can provide a consistent methodology for compliance, it obviously can’t be enforceable until it is rewritten. And it won’t be rewritten and approved by 4/1/17. This leads to an issue: How can CIP-003 through CIP-011 be enforceable if CIP-002 isn’t enforceable? The other standards all assume the entity has “properly” identified and classified its BES Cyber Systems in CIP-002 R1. Won’t there be all sorts of problems if NERC tries to enforce these other standards without at the same time enforcing 002?
  6. This might sound like a big problem, but I don’t really think it is. As I said above, NERC entities – and the regions and NERC itself – are almost all on roughly the same page as to how to comply with CIP-002 R1: First you identify your assets (and perhaps Facilities) that are High or Medium impact through Attachment 1 (the “big iron”). Next, you identify the BES Cyber Assets and BES Cyber Systems that control those assets (the “little iron”). If the asset/Facility is High impact, the BCS are High; if Medium, the BCS are Medium. Finally, the entity takes its list of BES assets, subtracts those that are High and Medium impact, and identifies the remainder – those containing at least one control system – as “assets containing a Low impact BES Cyber System”. The problem of course is that CIP-002 isn’t written this way, leaving two choices: either every single NERC entity will be in violation of CIP-002, or CIP-002 needs to be rewritten so it reflects how everyone is actually trying to comply with it (as well as to clear up problems like the missing definitions). I submit that the latter is the more sensible approach.
  7. Of course, the above is a simplification of the process that entities are using to comply with CIP-002, but it is in principle one that can be followed (indeed, it is basically the same process as with CIP versions 1-3, with the exception that there are now three classes of assets, rather than just two – Critical Assets and others). What is needed is for all parties (meaning NERC, the eight Regional Entities, and a healthy majority of the NERC entities subject to all of CIP v5) to agree that, until CIP-002 can be rewritten so that it actually reflects this process, they will abide by the above methodology (with a lot more detail added, of course) as the official “interpretation” of CIP-002-5.1. I don’t think there should be any actual PVs issued for CIP-002 R1 until the standard is rewritten[viii]. But I do think that, with this general understanding in place, it will be possible for an auditor to accept an entity’s lists of High and Medium BCS as legitimate, meaning that CIP-003 through -011 will be enforceable.
  8. The corollary of the above is, of course, that CIP-002 will never be enforceable until it is rewritten. But my opinion is this will happen whether or not NERC officially acknowledges it. Given the huge problems with 002, I find it very hard to believe that auditors will issue PVs – or certainly that those PVs will turn into actual violations – if the entity has made a good faith effort to comply. Let’s say the entity has based their “Programmable” definition on the January Lesson Learned, while the auditor believes that NERC’s April Memorandum is a better guide. Is the auditor really going to write a PV, given that the entity was following what was NERC’s official guidance early this year – and that NERC withdrew the Memorandum two months after issuing it? No, the auditor isn’t going to issue a PV. This makes CIP-002 unenforceable, whether or not it’s officially declared so. But it’s much better for this to be made official, so that CIP-002 is indisputably unenforceable. If that doesn’t happen, there will be a bunch of fruitless arguments at audit time over – in this case – the “true” meaning of “Programmable”, which of course can never be determined before CIP-002 is rewritten[ix]. So whether or not NERC officially declares it so, CIP-002 R1 will be unenforceable on 4/1/16; of that I am certain.[x]
  9. Once CIP-002 is rewritten (and approved by the NERC ballot body, the BoT and FERC), along with perhaps portions of other v5 standards, there will actually be a CIP version 5 that can be completely complied with. Which is a good thing, because I think v5 is an excellent family of standards. It can be the basis[xi] for NERC cyber security standards going forward many years.[xii]
Note: My analysis of FERC's recent NOPR raised the idea that the whole complicated process described above could be avoided if FERC simply delays approving CIP v6 until 2016. There will be no extraordinary actions required either on NERC's or FERC's part, if this happens. Of course, this assumes that FERC agrees with me that NERC entities should be given more time to become auditably compliant with CIP v5/v6. For more on this idea, see this post.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.

[i] Another reason they failed was that they were described as providing “auditable” guidance – meaning there was no discretion as to whether an entity followed them or not. This of course went over like a lead balloon, and was the chief reason why there was such a big revolt against the Memoranda.

[ii] I describe what I mean by this further on in this post.

[iii] I wrote a post on January 2 saying it was now too late for v5 to be enforceable on 4/1/16, and I continue to believe that is the case – the big problems with CIP v5 would have all needed to be resolved in some way by the end of last year, for the 4/1/16 date to have a chance of succeeding. The main problem is CIP-002, since that is the foundation for the rest of the standards. Until entities can be sure they’ve properly classified their BES assets and Facilities, and properly identified and classified their BES Cyber Systems, there is simply no way they can be sure the rest of their compliance program is good. While I said this in January, it is obviously much more compelling today: If the entities all knew tomorrow exactly how to comply with CIP-002 (and the other standards, since they aren’t free of ambiguities either), there still wouldn’t be enough time to finalize their asset identification and get all the standards complied with by 4/1/16. And as you can see by reading the NERC document on the July 1 meeting, there is zero chance that all the important issues will be addressed in even three months: NERC doesn’t give any timelines at all for providing guidance, and in fact doesn’t even list what guidance actually needs to be provided. But three months from now is six months before the compliance date, and even that would be way too late to allow the 4/1/16 enforcement date to be retained. So it has to go.

[iv] As usual, by “CIP v5” I mean the three standards from the actual v5, as well as the seven v6 standards (likely to be approved by FERC on Friday, July 17), that make up what everyone calls “CIP version 5”.

[v] In this post, I’m slinging a bunch of items around that NERC “should do”.  I realize full well that NERC by itself doesn’t have the authority to change compliance dates, etc; FERC has that. But just petitioning FERC out of the blue on all of this probably won’t work, either. That’s why I think there need to be meetings of NERC, FERC, the regions and the entities, at which all of this is discussed and a consensus reached. None of what I’m advocating can be considered a purely formal process, and it will fail if it is addressed as such. Instead of being based on the letter of NERC’s Rules of Procedure, it will be based on a consensus among NERC, the Regional Entities, and the NERC entities themselves. Extraordinary times require extraordinary measures.

[vi] I’m assuming here that the entity has made a good faith effort to comply – read all the guidance they can, worked hard on compliance with all the v5 requirements, etc. If they have just sat back and done very little, they should be assessed whatever violations apply. Having said this, I know this will require that some clear line is drawn between what constitutes a good faith effort and a “bad faith” one. This is another question that will simply have to be resolved through consensus among NERC, FERC, the regions and the entities. It can’t be addressed through some sort of SAR process, in time for that to do any good.

[vii] Some of the v6 compliance dates may have to be pushed back along with the first v5 date (for a complete list of v5 and v6 dates, see this post). For example, the four v6 requirements that come due on January 1, 2017 will obviously have to be pushed back at least three months and maybe more. But I think some of the compliance dates – such as for the two Low impact requirements – may not need to be pushed back, since they may not be seriously affected by pushing the 4/1/16 date (for Highs/Mediums) back a year. These are all matters for discussion with the NERC community, and of course will require FERC approval.

[viii] Except, again, for an entity that doesn’t care about the whole process and doesn’t really try to comply with CIP-002 at all. They should be treated severely, although the same provision I mention in footnote vi above applies here.

[ix] If NERC only wanted to fix the “Programmable” definition, they could issue a SAR for just that; it might be developed and approved in around a year. But given the many problems in CIP-002, I don’t think just defining "Programmable" helps; the standard and its closely related definitions (especially “programmable” and “adversely impact”; possibly one or two others like “associated with”) need to be fixed at the same time. I'll have more to say on this in one of my soon-to-come posts on how to fix CIP-002.

[x] The reason I’m certain of this is that the enforceability of CIP, or any other NERC standard, is ultimately up to the US court system. NERC can issue violations and FERC can uphold them, but in the end any violation can be appealed (and I know entities have at least seriously considered doing this, although there haven't been any cases that have gone through so far). I’m sure that a judge won’t have to spend 15 minutes reading CIP-002-5.1 R1 to realize it’s too vague and contradictory to be enforceable. When that happens, it’s game over for CIP-002 (and perhaps for all of CIP v5); once all NERC entities know this has happened, you can be sure the auditors won’t want to waste their time issuing PVs that are sure to be thrown out if appealed – and the entities will know they only have to threaten to appeal in order to get NERC and FERC to back off a violation. It will be a very ugly scene, and for that reason I don’t think it will ever actually come to pass. I  have faith that good sense will prevail, and may be prevailing already. And if good sense comes to the NERC community, maybe there’s even hope for Congress!

[xi] There is another “step” that I’m less certain about, so I’ll put it in a footnote; it regards the Attachment 1 criteria. I did a post in 2012 – which I reproduced here in 2013 – that said that, no matter how many problems there were with the bright-line criteria, it is useless to try to spend a lot of time refining them. I don’t think God Himself could write a set of short criteria that would capture the huge variability of the electric power industry. The only realistic way to deal with the many problems that have already come up with the BLC – and the exponentially larger number that will come up in future years – is to have some sort of “Supreme Court of BLC”, that will rule on each BLC dispute. This may seem arbitrary, but it’s still better than the RBAMs in CIP v1-3; FERC obviously thinks those were even more arbitrary, and intentionally so. Having “bright-line criteria” (FERC’s term, I believe) was in principle a good idea, but I just don’t see it ever working without some sort of arbitration mechanism like this.

[xii] I’m not na├»ve enough to say there won’t need to be any future versions of CIP (in fact, it seems that FERC is already proposing further extensions and changes to the CIP standards, in their July 16 NOPR). But I think the framework of the standards – once CIP-002 is fixed – can carry CIP forward for many years after that. Of course, IMHO the best thing would be a purely risk-based standard like CIP-014, as I described at the end of this post. I don’t see that happening very soon, though.

No comments:

Post a Comment