Sunday, August 30, 2015

About the CIP v5 Compliance Date….

In my webinar with Karl Perman and Steve Parker of EnergySec on August 19, 2015, (the recording of which is available here), we engaged in a good discussion on whether CIP v5/v6 would be enforceable on April 1, 2016. Our consensus was that it would not be – however, there need to be a few asterisks with this statement. In order to treat this topic appropriately, I will first go over the different statements I’ve made about this issue.

Last December, I wrote a post saying the compliance date for CIP v5 (meaning v5 and v6, and most of the other dates that flow from them) should be moved back at least six months, and hopefully a year. In that post, I gave two reasons for moving the date back. The first was that at many NERC entities funding had been slow to materialize for the effort – due to the fact that FERC had approved v5 in November of 2013, after most organizations had finalized their 2014 spending plans.

The second reason was that many entities seemed to be dismayed by the many ambiguities in v5. Given the choice between plowing ahead with v5 despite the uncertainty and standing motionless in indecision, it seemed many entities were choosing the latter course.[i]

I was not at all surprised that this post was met with deafening indifference. I realized it was way too early for people to become convinced the situation needed to change – and certainly for NERC to be so convinced. And there was still some possibility that NERC might switch gears and start a massive effort to provide lots of guidance by April 1, 2015 – since I believed that, if a good portion of the ambiguity in v5 were cleared up by that date, the compliance date wouldn’t have to be moved back.

In March of this year, I realized it was certain there wouldn’t be much more guidance by April 1[ii], so I stated in this post: “I think CIP v5 is now in the endgame, by which I mean there will soon be no more possibility that, starting 4/1/16, the v5.5[iii] standards will be enforceable. Either the compliance date will be pushed back or the Registered Entities will be given a “holiday” – either intentionally or unintentionally – from being assessed Potential Violations (PVs), as long as they’ve made a good faith effort to comply.”

As you can see, at this point I introduced a new idea: Even if NERC and FERC didn’t take some deliberate action to move the v5 compliance date back, the standards would not be strictly enforceable on 4/1/16. My reason for saying that was related to my second reason in the December post: the level of uncertainty regarding what some of the requirements mean (especially CIP-002-5.1 R1) is so great that it is unlikely that auditors will assess PVs for entities that are making a good faith effort to comply, but simply don’t understand one or more aspects of the requirements.

I came back to both of these ideas in a post in early July, where I said “…there is simply no way the interpretation problems of CIP v5 can be addressed in time for the standards to be enforceable on April 1, 2016.” I called on NERC, the regions and the NERC entities first to acknowledge this fact, then decide how they were going to deal with it.

Since I’m a helpful guy, I also laid out my own plan for dealing with it. It involved NERC (and FERC, although I didn’t state that explicitly) taking one or two definite actions to implement a system somewhat like what was put in place for the CIP v1 rollout: each entity had a Compliant date when they had to be compliant with the CIP v1 standards, followed by an Auditably Compliant date a year later. After the AC date, the entity could be audited – with the possibility of PVs being issued. I suggested something like this should be implemented for CIP v5.

A couple people (spoilsports, in my opinion) pointed out to me that the one-year gap in the CIP v1 implementation plan was there mainly so that entities could build up a one-year audit trail, meaning entities needed to collect logs and all of the other documentation showing their state of compliance with every requirement at each point during the year. This is quite true: Since v1 was the first CIP version, and since NERC audits are always based on the period since the previous audit (usually three or six years), there would be nothing to audit right after the v1 Compliant date. But this is obviously not the case with CIP v5, since auditors who come in soon after 4/1/16 will primarily look at the entity’s state of compliance with CIP v3 for the period up until 4/1/16.[iv] However, I did concede the point that it was pretty unlikely my suggestion of having two dates would be taken up.

Soon after this post, FERC issued their NOPR on CIP v6. As I discussed it with a Knowledgeable Party (and wrote about it in this post), I came to notice one interesting fact: If FERC wants to approve v6 in time for the compliance date for most of the v6 requirements to remain at 4/1/16, they would have to make a Herculean effort to analyze all of the comments and make some quick decisions on them. This is because comments are due on the NOPR in late September, but FERC has to approve v6 by the end of Q4 in order for the 4/1/16 date to remain unchanged.

This in itself would be hard for FERC to do, but it could be even worse. FERC not only needs to approve v6 in Q4, but their approval needs to be published in the Federal Register. In some cases (like with CIP v5), there is then a 60-day waiting period before the Order becomes effective. So even though FERC approved v5 on November 22, 2013, it took more than two months for that approval to be effective, at the beginning of February 2014. So if a) there is a 60-day waiting period for approval of v6 to be effective, and b) the effective date (not the date the Order is published in the Federal Register) is the one that is considered the "approval" date, then FERC has to approve v6 in October in order for the v6 compliance date not to be pushed back. While approving in December would be a stretch for FERC, approving in October is close to impossible (it may even violate the laws of physics, probably Newton's First Law). But there is a good deal of uncertainty about a) and b) above, so I won't say it's at all certain that the date will be pushed back.[v]

Let’s look at FERC’s record for making decisions on new CIP versions. They issued their NOPR on v5 in April of 2013; comments were due in June. Once they were in, FERC took another five months - until November – to analyze them and make their decision. With CIP v1, the interval was around 14 months (on the other hand, Order 706 – which approved v1 – was around 600 pages long. No wonder it took so long to develop). The comments have to be first analyzed by FERC staff members, who then forward their recommendations to the five Commissioners – then the Commissioners take a while to make their decision. How can FERC possibly do all of this in two months, let alone one?

So I’d say it’s very possible that the implementation dates for the CIP v6 standards[vi] will be pushed back some amount of time. Of course, the v5 standards – including the eight that are going to be replaced by new v6 standards – will all take effect on 4/1/16; they were approved in 2013, and their compliance date is set in stone. However, in practice I find it very hard to imagine that any auditor would decide to issue PVs to entities for violating compliance with v5 standards that are sure to be replaced by v6 ones. Thus, in the case that the v6 compliance date is pushed back, I think v5 enforcement will be delayed as well.

The post I just referred to speculates that FERC’s likely delay in approving CIP v6 might even be a sign of their desire to see the v5/v6 compliance dates moved back. I said this because many observers (including me) expected FERC to issue an Order approving v6 in July, which would have ensured there would be no delay at all. The fact that they issued a NOPR instead of an Order, which makes it possible v6 won’t be approved in time to avoid a delay, leads me to believe that FERC doesn’t think a delay would be a big problem. In fact, they may have deliberately decided to issue a NOPR, knowing that this would give them a means for delaying v6 implementation that doesn’t require further action by either FERC or NERC; in other words, v6 compliance (and almost certainly v5 compliance) will be delayed just because of the natural process of approving new standards.

However, let’s say FERC does end up approving v6 in time for compliance with v5 and v6 to be due on 4/1/16. As I said above, because of the current confusion over the meaning of many of the requirements in CIP v5 and v6 (especially CIP-002-5.1 R1, the foundation for all of the other requirements), I still don’t see any possibility that there will be PVs issued for v5 non-compliance for some time after 4/1/16. This assumes that the entity in non-compliance has made a good faith effort to comply, but has simply not understood something – or more likely, they have understood one point (perhaps the definition of “programmable”) one way, but the auditor understands it differently. Since there will be no definitive resolution of any serious interpretation issue until a SAR or RFI bears fruit at least two to three years from now, I can’t see any auditor issuing a PV in such a case.

There is plenty of evidence for what I’ve just said. I’ve heard one region state very explicitly that they don’t expect to be coming down hard on people for honest misunderstanding of the requirements for some time after 4/1/16; I’m told other regions have made similar statements. In fact, I had a long conversation with an important compliance person for one of the regions last week, who was totally in agreement on this. In our webinar on August 19, Steve and Karl – who have more dealings with the regions than I do – also both agreed with me on this point.

There are a few further points I want to make:

  1. The requirement for a good faith effort is important. Obviously, everything I’ve just said doesn’t apply if an entity thinks they’re above the law and they don’t need to take the time to come into CIP compliance. I don’t personally know of any entities who have that attitude, but it’s possible there are a few. You still need to aim to be fully compliant on 4/1/16, and not slack off your efforts just because of something you read in a blog post.
  2. One point the regional compliance person I just mentioned made to me is that entities that exhibit “massive ignorance” (I think that was his wording) regarding one or more important issues in v5/v6 will not receive a “get out of jail free” card. What he means by this is an entity that has not made any effort to seek out available guidance on a particular topic – such as the meaning of ERC – won’t get a lot of sympathy if their interpretation is far off the mark. The moral of this story is that you need to keep up your efforts to understand v5 by paying attention to all of the new draft Lessons Learned, what your Regional Entity says in their compliance meetings, etc. And of course, if you want to discuss a specific issue, you can always call your Region to find out their opinion on it.
  3. You may wonder about self-reporting. Unless the compliance date is officially moved back (or FERC de facto moves it back by delaying approval of v6), I don’t think there’s any possibility that an entity won’t have to self-report any CIP v5 violations that are found after 4/1/16. Of course, I don’t think a PV will be assessed for a self-reported violation unless the Region decides there is a lack of good faith – but again, it isn’t likely that a PV will be issued for a simple misunderstanding of a requirement or definition.
  4. When it comes to ambiguity, not all of the CIP v5 standards and requirements are in the same boat. In particular, CIP-002-5.1 R1 stands out because it is not only ambiguous but self-contradictory. Even more importantly, the way that 99% of the entities and auditors are interpreting this requirement (and Attachment 1) directly contradicts a good part of the wording (Don’t get me wrong here: I have no problem with the fact that compliance practice violates the wording, since I believe the way entities are complying with R1 makes much more sense than the way it is written. But the requirement will never be enforceable until the words are changed to match the practice). I have complained about this requirement in at least 50 posts in the past 2 ½ years, and there will be more coming soon. I see no way that this requirement can be fixed other than rewriting it; in my opinion, this needs to be done ASAP (including definitions of “programmable” and “adversely impact the BES”, since the lack of these is very much part of the problems with R1).
  5. Since I’m not talking now about an official rollback of the compliance date (or of a separate enforcement date), I’m not sure when CIP v5 and v6 will actually be enforceable. It’s not something that will be announced by NERC, but it will occur region-by-region, as the auditors and the entities both decide that NERC has sufficiently addressed the ambiguities in v5 and v6 (my guess is it will be about a year after 4/1/16)[vii]. And I think it’s almost certain that the current version of CIP-002 will never be enforceable until it is rewritten.[viii]
  6. However, if the process of rewriting CIP-002 were started today with a SAR, it would be at least three years before the final product was available; this doesn’t do much good for entities as they prepare for compliance next year. NERC should develop a comprehensive Lesson Learned (or some other document) setting out how NERC understands the BES Cyber System identification and classification process in R1. This document needs to be developed ASAP, and in my opinion should be ready at least a year before the regions expect compliance to be enforceable. The document won’t be very different from the guidance that the regions have already provided on compliance with R1. The difference is that the document will need to admit that it contradicts some of the current wording of the requirement, since that is the only way to come out with a coherent, consistent “story” of the asset identification process in CIP v5. I will very shortly start a series of two or three posts that make this point.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.

[i] I hear there are some entities that are still paralyzed by indecision. Of course, this is far more serious than it was last year.

[ii] Indeed, on that date there were only two finalized Lessons Learned posted, neither of which was on a controversial topic. I think there’s only one more up today.

[iii] I have sometimes referred to the amalgam of CIPs v5 and v6 that entities will actually have to comply with as “v5.5”. Most of the time, I just say v5 like everyone else does (including NERC) – although I know there are some people who don’t really understand this, and think CIP v6 is a new version that entities will have to implement after they’ve implemented v5.

[iv] Of course, all of the regions have made some provision for entities to be able to move to v5 compliance, in whole or part, before the 4/1/16 date. However, after 4/1/16, they can only be subject to PVs on what they have done since that date.

[v] I had the details wrong when I first put up this post. I appreciate an Interested Party for setting me straight on this.

[vi] To see the full compliance schedule for v5 and v6, see this post.

[vii] While I’m fairly resigned to the idea that there will never be a formal process pushing back the enforcement date – assuming FERC doesn’t delay approving v6 – I’m still not comfortable with the idea that this will all be done informally. It would be nice if NERC – or maybe the regions acting on their own – made some sort of statement saying that for a certain period of time there should be no PVs issued for violations caused by honest confusion (or something to that effect). As I said in a previous post on this topic, it would also be nice if the Chicago Cubs won the World Series this year – but what do you know, they’re still in contention at the beginning of September! So don’t rule out miracles.

[viii] You may wonder how CIP-002 could be unenforceable yet all of the other standards could be enforceable, given that 002 is the foundation for the other standards. I actually think this is possible. The auditors will accept whatever list of BES Cyber Systems the entity has come up with, as long as they can show a plausible process for identifying and classifying them. But once that list is accepted, they can still hold the entity to compliance with the other standards.
