In my
webinar with Karl Perman and Steve Parker of EnergySec on August 19, 2015 (the
recording of which is available here),
we engaged in a good discussion on whether CIP v5/v6 would be enforceable on
April 1, 2016. Our consensus was that it would not be – however, there need to
be a few asterisks with this statement. In order to treat this topic appropriately,
I will first go over the different statements I’ve made about this issue.
Last
December, I wrote a post
saying the compliance date for CIP v5 (meaning v5 and v6, and most of the other
dates that flow from them) should be moved back at least six months, and
hopefully a year. In that post, I gave
two reasons for moving the date back. The first was that at many NERC entities
funding had been slow to materialize for the effort – due to the fact that FERC
had approved v5 in November of 2013, after most organizations had finalized
their 2014 spending plans.
The second reason
was that many entities seemed to be dismayed by the many ambiguities in v5.
Given the choice between plowing ahead with v5 despite the uncertainty and
standing motionless in indecision, it seemed many entities were choosing the
latter course.[i]
I was not at
all surprised that this post was met with deafening indifference. I realized it
was way too early for people to become convinced the situation needed to change
– and certainly for NERC to be so convinced. And there was still some
possibility that NERC might switch gears and start a massive effort to provide
lots of guidance by April 1, 2015 – since I believed that, if a good portion of
the ambiguity in v5 were cleared up by that date, the compliance date wouldn’t
have to be moved back.
In March of
this year, I realized it was certain there wouldn’t be much more guidance by
April 1[ii], so I
stated in this
post: “I think CIP v5 is now in the endgame, by which I mean
there will soon be no more possibility that, starting 4/1/16, the v5.5[iii]
standards will be enforceable. Either the compliance date will be
pushed back or the Registered Entities will be given a “holiday” – either
intentionally or unintentionally – from being assessed Potential Violations
(PVs), as long as they’ve made a good faith effort to comply.”
As you can
see, at this point I introduced a new idea: Even if NERC and FERC didn’t take
some deliberate action to move the v5 compliance date back, the standards would
not be strictly enforceable on 4/1/16. My reason for saying that was related to
my second reason in the December post: the level of uncertainty regarding what some
of the requirements mean (especially CIP-002-5.1 R1) is so great that it is unlikely
that auditors will assess PVs for entities that are making a good faith effort
to comply, but simply don’t understand one or more aspects of the requirements.
I came back
to both of these ideas in a post
in early July, where I said “…there is simply no way the interpretation
problems of CIP v5 can be addressed in time for the standards to be enforceable
on April 1, 2016.” I called on NERC, the regions and the NERC entities first to
acknowledge this fact, then decide how they were going to deal with it.
Since I’m a
helpful guy, I also laid out my own plan for dealing with it. It involved NERC
(and FERC, although I didn’t state that explicitly) taking one or two definite
actions to implement a system somewhat like what was put in place for the CIP
v1 rollout: each entity had a Compliant date when they had to be compliant with
the CIP v1 standards, followed by an Auditably Compliant date a year later. After
the AC date, the entity could be audited – with the possibility of PVs being
issued. I suggested something like this should be implemented for CIP v5.
A couple
people (spoilsports, in my opinion) pointed out to me that the one-year gap in
the CIP v1 implementation plan was there mainly so that entities could build up
a one-year audit trail, meaning entities needed to collect logs and all of the
other documentation showing their state of compliance with every requirement at
each point during the year. This is quite true: Since v1 was the first CIP
version, and since NERC audits are always based on the period since the
previous audit (usually three or six years), there would be nothing to audit
right after the v1 Compliant date. But this is obviously not the case with CIP
v5, since auditors who come in soon after 4/1/16 will primarily look at the
entity’s state of compliance with CIP v3 for the period up until 4/1/16.[iv]
However, I did concede the point that it was pretty unlikely my suggestion of
having two dates would be taken up.
Soon after
this post, FERC issued their NOPR on CIP v6. As I discussed it with a
Knowledgeable Party (and wrote about it in this
post), I came to notice one interesting fact: If FERC wants to approve v6 in
time for the compliance date for most of the v6 requirements to remain at
4/1/16, they would have to make a Herculean effort to analyze all of the
comments and make some quick decisions on them. This is because comments are
due on the NOPR in late September, but FERC has to approve v6 by the end of Q4
in order for the 4/1/16 date to remain unchanged.
This in
itself would be hard for FERC to do, but it could be even worse. FERC not only needs to
approve v6 in Q4, but their approval needs to be published in the Federal
Register. In some cases (like with CIP v5), there is then a 60-day waiting period before the Order becomes effective. So even though FERC approved v5 on November 22, 2013, it took more than
two months for that approval to be effective, at the beginning of February 2014. So if a) there is a 60-day waiting period for approval of v6 to be effective, and b) the effective date (not the date the Order is published in the Federal Register) is the one that is considered the “approval” date, then FERC has to approve v6 in October in order for the v6 compliance date not to be pushed back. While approving in December would be a stretch for FERC, approving in October is close to impossible (it may even violate the laws of physics, probably Newton's First Law). But there is a good deal of uncertainty about a) and b) above, so I won't say it's at all certain that the date will be pushed back.[v]
Let’s look
at FERC’s record for making decisions on new CIP versions. They issued their
NOPR on v5 in April of 2013; comments were due in June. Once they were in, FERC
took another five months - until November – to analyze them and make their
decision. With CIP v1, the interval was around 14 months (on the other hand,
Order 706 – which approved v1 – was around 600 pages long. No wonder it took so
long to develop). The comments have to be first analyzed by FERC staff members,
who then forward their recommendations to the five Commissioners – then the
Commissioners take a while to make their decision. How can FERC possibly do all
of this in two months, let alone one?
So I’d say
it’s very possible that the implementation dates for the CIP v6 standards[vi] will be
pushed back some amount of time. Of course, the v5 standards – including the
eight that are going to be replaced by new v6 standards – will all take effect
on 4/1/16; they were approved in 2013, and their compliance date is set in
stone. However, in practice I find it very hard to imagine that any auditor
would decide to issue PVs to entities for violating compliance with v5
standards that are sure to be replaced by v6 ones. Thus, in the case that the
v6 compliance date is pushed back, I think v5 enforcement will be delayed as
well.
The post
I just referred to speculates that FERC’s likely delay in approving CIP v6 might
even be a sign of their desire to see the v5/v6 compliance dates moved back. I
said this because many observers (including me) expected FERC to issue an Order
approving v6 in July, which would have ensured there would be no delay at all.
The fact that they issued a NOPR instead of an Order, which makes it possible
v6 won’t be approved in time to avoid a delay, leads me to believe that FERC
doesn’t think a delay would be a big problem. In fact, they may have
deliberately decided to issue a NOPR, knowing that this would give them a means
for delaying v6 implementation that doesn’t require further action by either
FERC or NERC; in other words, v6 compliance (and almost certainly v5
compliance) will be delayed just because of the natural process of approving
new standards.
However,
let’s say FERC does end up approving v6 in time for compliance with v5 and v6
to be due on 4/1/16. As I said above, because of the current confusion over the
meaning of many of the requirements in CIP v5 and v6 (especially CIP-002-5.1
R1, the foundation for all of the other requirements), I still don’t see any
possibility that there will be PVs issued for v5 non-compliance for some time
after 4/1/16. This assumes that the entity in non-compliance has made a good
faith effort to comply, but has simply not understood something – or more
likely, they have understood one point (perhaps the definition of
“programmable”) one way, but the auditor understands it differently. Since
there will be no definitive resolution of any serious interpretation issue
until a SAR or RFI bears fruit at least two to three years from now, I can’t see any auditor issuing a PV in such
a case.
There is
plenty of evidence for what I’ve just said. I’ve heard one region state very
explicitly that they don’t expect to be coming down hard on people for honest
misunderstanding of the requirements for some time after 4/1/16; I’m told other
regions have made similar statements. In fact, I had a long conversation with an
important compliance person for one of the regions last week, who was totally
in agreement on this. In our webinar on August 19, Steve and Karl – who have
more dealings with the regions than I do – also both agreed with me on this
point.
There are a
few further points I want to make:
- The requirement for a good faith effort is important.
Obviously, everything I’ve just said doesn’t apply if an entity thinks
they’re above the law and they don’t need to take the time to come into
CIP compliance. I don’t personally know of any entities who have that
attitude, but it’s possible there are a few. You still need to aim to be
fully compliant on 4/1/16, and not slack off your efforts just because of
something you read in a blog post.
- One point the regional compliance person I just mentioned
made to me is that entities that exhibit “massive ignorance” (I think that
was his wording) regarding one or more important issues in v5/v6 will not
receive a “get out of jail free” card. What he means by this is an entity
that has not made any effort to seek out available guidance on a
particular topic – such as the meaning of ERC – won’t get a lot of
sympathy if their interpretation is far off the mark. The moral of this
story is that you need to keep up your efforts to understand v5 by paying
attention to all of the new draft Lessons Learned, what your Regional
Entity says in their compliance meetings, etc. And of course, if you want
to discuss a specific issue, you can always call your Region to find out
their opinion on it.
- You may wonder about self-reporting. Unless the compliance
date is officially moved back (or FERC de facto moves it back by delaying
approval of v6), I don’t think there’s any possibility that an entity won’t
have to self-report any CIP v5 violations that are found after 4/1/16. Of
course, I don’t think a PV will be assessed for a self-reported violation unless
the Region decides there is a lack of good faith – but again, it isn’t
likely that a PV will be issued for a simple misunderstanding of a
requirement or definition.
- When it comes to ambiguity, not all of the CIP v5
standards and requirements are in the same boat. In particular,
CIP-002-5.1 R1 stands out because it is not only ambiguous but
self-contradictory. Even more importantly, the way that 99% of the
entities and auditors are interpreting this requirement (and Attachment 1)
directly contradicts a good part of the wording (Don’t get me wrong here:
I have no problem with the fact that compliance practice violates the
wording, since I believe the way entities are complying with R1 makes much
more sense than the way it is written. But the requirement will never be
enforceable until the words are changed to match the practice). I have complained
about this requirement in at least 50 posts in the past 2 ½ years, and
there will be more coming soon. I see no way that this requirement can be
fixed other than rewriting it; in my opinion, this needs to be done ASAP
(including definitions of “programmable” and “adversely impact the BES”,
since the lack of these is very much part of the problems with R1).
- Since I’m not talking now about an official rollback of
the compliance date (or of a separate enforcement date), I’m not sure when
CIP v5 and v6 will actually be enforceable. It’s not something that will
be announced by NERC, but it will occur region-by-region, as the auditors
and the entities both decide that NERC has sufficiently addressed the
ambiguities in v5 and v6 (my guess is it will be about a year after
4/1/16)[vii].
And I think it’s almost certain that the current version of CIP-002 will
never be enforceable until it is rewritten.[viii]
- However, if the process of rewriting CIP-002 were started
today with a SAR, it would be at least three years before the final
product was available; this doesn’t do much good for entities as they
prepare for compliance next year. NERC should develop a comprehensive
Lesson Learned (or some other document) setting out how NERC understands
the BES Cyber System identification and classification process in R1. This
document needs to be developed ASAP, and in my opinion should be ready at
least a year before the regions expect compliance to be enforceable. The
document won’t be very different from the guidance that the regions have
already provided on compliance with R1. The difference is that the
document will need to admit that it contradicts some of the current
wording of the requirement, since that is the only way to come out with a
coherent, consistent “story” of the asset identification process in CIP
v5. I will very shortly start a series of two or three posts that make
this point.
The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte Advisory.
[i]
I hear there are some entities that are still paralyzed by indecision. Of course,
this is far more serious than it was last year.
[ii]
Indeed, on that date there were only two finalized Lessons Learned posted,
neither of which was on a controversial topic. I think there’s only one more up
today.
[iii]
I have sometimes referred to the amalgam of CIPs v5 and v6 that entities will
actually have to comply with as “v5.5”. Most of the time, I just say v5 like
everyone else does (including NERC) – although I know there are some people who
don’t really understand this, and think
CIP v6 is a new version that entities will have to implement after they’ve
implemented v5.
[iv]
Of course, all of the regions have made some provision for entities to be able
to move to v5 compliance, in whole or part, before the 4/1/16 date. However,
after 4/1/16, they can only be subject to PVs on what they have done since that
date.
[v]
I had the details wrong when I first put up this post. I appreciate an Interested Party for setting me straight on this.
[vii]
While I’m fairly resigned to the idea that there will never be a formal process
pushing back the enforcement date – assuming FERC doesn’t delay approving v6 –
I’m still not comfortable with the idea that this will all be done informally.
It would be nice if NERC – or maybe the regions acting on their own – made some
sort of statement saying that for a certain period of time there should be no
PVs issued for violations caused by honest confusion (or something to that
effect). As I said in a previous post on
this topic, it would also be nice if the Chicago Cubs won the World Series this
year – but what do you know, they’re still in contention at the beginning of September! So don’t rule out miracles.
[viii]
You may wonder how CIP-002 could be unenforceable yet all of the other
standards could be enforceable, given that 002 is the foundation for the other
standards. I actually think this is possible. The auditors will accept whatever
list of BES Cyber Systems the entity has come up with, as long as they can show
a plausible process for identifying and classifying them. But once that list is
accepted, they can still hold the entity to compliance with the other
standards.