I admit this post is kind of wild speculation, but an interesting thought occurred to me as I was working on my two posts on FERC’s NOPR that were published last week. The thought relates to a previous post in which I stated (although not for the first time) that the enforcement date for CIP v5 should be pushed back a year from 4/1/16 – because there is no way NERC can provide enough guidance on dealing with the ambiguities in v5 for entities to be certain about their compliance obligations in time to be compliant by that date.
However, I admitted in that post that to make this happen would require a large number of pieces to fall into place: NERC, FERC and the entities would have to be in fairly close agreement on what needs to be done about the v5 enforcement date, and they’d all have to agree to go beyond what’s written in the v5 standards and the NERC Rules of Procedure. Also, FERC would have to issue one or two Orders to facilitate things. It could be done, but we’re talking about a lot of work on a lot of people’s part, as well as a big loss of face by NERC and FERC.
But as I was working on my NOPR posts, and corresponding with a Knowledgeable Person on questions about the v6 Implementation Plan, I saw a way in which FERC could move the v5 enforcement date back without anybody losing too much face, and without extraordinary changes to the Rules of Procedure. More importantly, if FERC were planning to do this, it would answer a big question I have: why FERC didn’t just approve the v6 standards in an Order, and also release a NOPR on the different topics they want to get feedback on. Instead, they issued a NOPR that said they intend to approve v6 with no firm date for doing so, and meanwhile brought up a number of pretty thorny issues they want addressed, supposedly very quickly.
Here’s what I’m thinking:
1. As you hopefully know by now, the CIP standards that entities will actually have to comply with will be a mixture of v5 and v6. This mixture includes the v5 versions of CIP-002, CIP-005 and CIP-008, along with the v6 versions of all the other standards (there were no v6 versions developed for 002, 005 and 008, which is why those three v5 standards will “survive”).
2. The compliance date for the v5 standards is effectively set – by the v5 Implementation Plan approved by FERC in Order 791 in 2013 – at April 1, 2016.
3. The v6 standards also have that compliance date (with a bunch of exceptions – see this post), but with the provision that FERC has to approve the v6 standards more than three months before that date. Moreover, FERC might actually have to approve v6 up to six months before the compliance date (i.e., this October), depending on how the words “effective date” are interpreted. This means FERC has to approve v6 by December 2015 at the latest, and possibly as early as October, if the v6 standards are to be enforced on 4/1/16.
4. Given that we’re now between three and six months away from when v6 has to be approved, I – and others – found it quite odd that FERC didn’t just issue an Order approving them on July 16. Instead, they issued a NOPR that indicates they are seriously thinking of ordering a few big changes in v6. In addition to that, they are thinking of having NERC develop an entirely new standard dealing with supply chain security. They are asking for comments on all of these things, which are due 60 days from publication of the NOPR in the Federal Register; this most likely means comments are due in late September.
5. Given this (and I here acknowledge my debt to an Interested Party for pointing out these finer points, although the speculation about the implications is entirely mine), it means the FERC staff will have, at the most, less than 90 days (September to December) and maybe even less than 30 days (September to October) to sort through the sure-to-be-voluminous comments on these important matters and make their recommendation to the Commissioners. Plus the Commissioners will need some time to decide whether or not they’ll follow those recommendations, which time also has to come out of the 30-90 days. In the worst case, if the most conservative interpretation of “effective date” is adopted, FERC would have less than four weeks for the staff and Commissioners to do the work necessary to make the decision to approve v6. Why would FERC put themselves in this kind of position, if they were sure when they wrote the NOPR that they would approve v6 (and I still believe it’s inevitable they will approve it)?
6. This is why I found it so strange that FERC issued a NOPR. They could have issued an Order approving v6, along with a NOPR requesting comments on the changes they would like to see. Assuming they want to approve the v6 standards in time for the compliance date not to have to be moved back, they are leaving themselves almost no time to make some very weighty decisions (whether to require protections for all control center-to-control center communications, whether to effectively require auditing of connectivity of individual cyber assets at Low assets, whether to extend CIP-010 R4 to bring Transient Cyber Assets used at Low impact assets into scope, whether to order the new supply chain standard, and more. All of this is discussed in my two previous posts on the NOPR).
7. But what if the above assumption is wrong? What if FERC actually intends to have lots of time to make these decisions? In other words, what if FERC has already decided that it wouldn’t be the worst thing in the world if the v6 compliance date were moved back? If they took, say, nine months to do their analysis and issued their Order approving v6 in June 2016, this would result in the v6 compliance date moving back to October 1, 2016 or January 1, 2017; if they took a year for their analysis (and you may remember they took 17 months to approve CIP v1), it might move the compliance date back to April 1, 2017.
8. You may point out – as the Interested Party did to me – that the v5 Implementation Plan is already the law of the land, meaning that if FERC doesn’t approve the v6 standards this year, all ten of the v5 standards will still take effect on 4/1/16. I don’t see a problem with this, since many NERC entities (including some large ones) have already switched their CIP compliance programs entirely over to preparing for compliance with v5. The Regional Entities aren’t enforcing v5 now – just encouraging entities to start working on it. That policy could continue after 4/1/16, until a date when it was agreed that the v5 standards should be enforceable (ignoring the “Identify, Assess and Correct” language, of course – which all Regions and entities are doing now). That date might be made the same as the date that v6 becomes enforceable. For example, if FERC delays approving v6 long enough that the v6 date becomes 4/1/17, the v5 “Enforceable” date could be made to coincide with that. This would effectively result in the entire v5-v6 enforcement date structure being moved back by a year, although some of the requirement-specific dates in the v6 Implementation Plan would have to be moved back by consensus – which I don’t think would be hard to achieve.
9. Moving the date back would of course have the nice side benefit of giving NERC and the industry time to develop all of the guidance that will be necessary for entities and auditors to understand CIP v5 and v6. This would allow v5 and v6 to really be enforceable on the revised v6 compliance date.
Let me summarize what I’ve just said: Since FERC didn’t approve the v6 standards on July 16 but instead issued a NOPR asking for comments on some fairly substantial changes to the standards, this now leads to the possibility that they won’t approve v6 in time for those standards to be effective on 4/1/16. This could lead to the enforcement date for both the v5 and v6 standards being moved back (as I’ve advocated), without requiring any additional FERC Orders or changes to the NERC Rules of Procedure. And this might possibly be what FERC wants to happen anyway.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
The day after I put up this post, I made a substantial revision to it; what you just read is the revised version. The nature of that revision is described in this post: http://tomalrichblog.blogspot.com/2015/08/you-may-want-to-reread-yesterdays-post.html