Tuesday, August 4, 2015

FERC’s NOPR, Part III: Will It Move the CIP v5 Compliance Date Back?

I admit this post is kind of wild speculation, but an interesting thought occurred to me as I was working on my two posts on FERC’s NOPR that were published last week. The thought relates to a previous post in which I stated (not for the first time) that the enforcement date for CIP v5 should be pushed back a year from 4/1/16, because there is no way NERC can provide enough guidance on dealing with the ambiguities in v5 for entities to be certain about their compliance obligations in time to be compliant by that date.

However, I admitted in that post that to make this happen would require a large number of pieces to fall into place: NERC, FERC and the entities would have to be in fairly close agreement on what needs to be done about the v5 enforcement date, and they’d all have to agree to go beyond what’s written in the v5 standards and the NERC Rules of Procedure. Also, FERC would have to issue one or two Orders to facilitate things. It could be done, but we’re talking about a lot of work on a lot of people’s part, as well as a big loss of face by NERC and FERC.

But as I was working on my NOPR posts, and corresponding with a Knowledgeable Person on questions about the v6 Implementation Plan, I saw a way in which FERC could move the v5 enforcement date back without anybody losing too much face, and without extraordinary changes to the Rules of Procedure. More importantly, if FERC were planning to do this, it would answer a big question I have: why FERC didn’t just approve the v6 standards in an Order, and also release a NOPR on the different topics they want to get feedback on. Instead, they issued a NOPR that said they intend to approve v6 with no firm date for doing so, and meanwhile brought up a number of pretty thorny issues they want addressed, supposedly very quickly.

Here’s what I’m thinking:

1. As you hopefully know by now, the CIP standards that entities will actually have to comply with will be a mixture of v5 and v6. This mixture includes the v5 versions of CIP-002, CIP-005 and CIP-008, along with the v6 versions of all the other standards (there were no v6 versions developed for 002, 005 and 008, which is why those three v5 standards will “survive”).

2. The compliance date for the v5 standards is effectively set – by the v5 Implementation Plan approved by FERC in Order 791 in 2013 – at April 1, 2016.

3. The v6 standards also have that compliance date (with a bunch of exceptions – see this post), but with the provision that FERC has to approve the v6 standards more than three months before that date. Moreover, FERC might actually have to approve v6 up to six months before the compliance date (i.e., this October), depending on how the words “effective date” are interpreted. This means FERC has to approve v6 by December 2015 at the latest, and possibly as early as October, if the v6 standards are to be enforced on 4/1/16.

4. Given that we’re now between three and six months away from when v6 has to be approved, I – and others – found it quite odd that FERC didn’t just issue an Order approving them on July 16. Instead, they issued a NOPR that indicates they are seriously thinking of ordering a few big changes in v6. In addition to that, they are thinking of having NERC develop an entirely new standard dealing with supply chain security. They are asking for comments on all of these things, which are due 60 days from publication of the NOPR in the Federal Register; this most likely means comments are due in late September.

5. Given this (and I here acknowledge my debt to an Interested Party for pointing out these finer points, although the speculation about the implications is entirely mine), it means the FERC staff will have, at the most, less than 90 days (September to December) and maybe even less than 30 days (September to October) to sort through the sure-to-be-voluminous comments on these important matters and make their recommendation to the Commissioners. Plus the Commissioners will need some time to decide whether or not they’ll follow those recommendations, which time also has to come out of the 30-90 days. In the worst case, if the most conservative interpretation of “effective date” is adopted, FERC would have less than four weeks for the staff and Commissioners to do the work necessary to make the decision to approve v6. Why would FERC put themselves in this kind of position, if they were sure when they wrote the NOPR that they would approve v6 (and I still believe it's inevitable they will approve it)?

6. This is why I found it so strange that FERC issued a NOPR. They could have issued an Order approving v6, along with a NOPR requesting comments on the changes they would like to see. Assuming they want to approve the v6 standards in time for the compliance date not to have to be moved back, they are leaving themselves almost no time to make some very weighty decisions (whether to require protections for all control center-to-control center communications, whether to effectively require auditing of connectivity of individual cyber assets at Low assets, whether to extend CIP-010 R4 to bring Transient Cyber Assets used at Low impact assets into scope, whether to order the new supply chain standard, and more). All of this is discussed in my two previous posts on the NOPR.

7. But what if the above assumption is wrong? What if FERC actually intends to have lots of time to make these decisions? In other words, what if FERC has already decided that it wouldn’t be the worst thing in the world if the v6 compliance date were moved back? If they took, say, nine months to do their analysis and issued their Order approving v6 in June 2016, this would result in the v6 compliance date moving back to October 1, 2016 or January 1, 2017; if they took a year for their analysis (and you may remember they took 17 months to approve CIP v1), it might move the compliance date back to April 1, 2017.

8. You may point out – as the Interested Party did to me – that the v5 Implementation Plan is already the law of the land, meaning that if FERC doesn’t approve the v6 standards this year, all ten of the v5 standards will still take effect on 4/1/16. I don't see a problem with this, since many NERC entities (including some large ones) have already switched their CIP compliance programs entirely over to preparing for compliance with v5. The Regional Entities aren't enforcing v5 now, just encouraging entities to start working on it. That policy could continue after 4/1/16, until a date when it was agreed that the v5 standards should be enforceable (ignoring the "Identify, Assess and Correct" language, of course, which all Regions and entities are doing now). That date might be made the same as the date that v6 becomes enforceable. For example, if FERC delays approving v6 long enough that the v6 date becomes 4/1/17, the v5 "Enforceable" date could be made to coincide with that. This would effectively result in the entire v5-v6 enforcement date structure being moved back by a year, although some of the requirement-specific dates in the v6 Implementation Plan would have to be moved back by consensus, which I don't think would be hard to achieve.

9. Moving the date back would of course have the nice side benefit of giving NERC and the industry time to develop all of the guidance that will be necessary for entities and auditors to understand CIP v5 and v6. This would allow v5 and v6 to really be enforceable on the revised v6 compliance date.

Let me summarize what I’ve just said: Since FERC didn’t approve the v6 standards on July 16 but instead issued a NOPR asking for comments on some fairly substantial changes to the standards, this now leads to the possibility that they won’t approve v6 in time for those standards to be effective on 4/1/16. This could lead to the enforcement date for both the v5 and v6 standards being moved back (as I've advocated), without requiring any additional FERC Orders or changes to the NERC Rules of Procedure. And this might possibly be what FERC wants to happen anyway.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.

1 comment:

1. The day after I put up this post, I made a substantial revision to it; what you just read is the revised version. The nature of that revision is described in this post: http://tomalrichblog.blogspot.com/2015/08/you-may-want-to-reread-yesterdays-post.html