Wednesday, October 28, 2015

Big News: FERC will start Auditing CIP v5 Compliance

Nov. 4: On Nov. 2, at least one NERC region sent an email to their members confirming what is reported in the first paragraph below. Also, EnergyWire has an article today stating that a FERC spokesperson has confirmed this.

Kevin Perry, the Director of Critical Infrastructure Protection (and Chief CIP Auditor) of SPP Regional Entity, provides a CIP update at each of the SPP RE Board of Trustees meetings. At the meeting on October 26, 2015, Kevin’s final slide included the following statement: “FERC expected to conduct CIP V5 and CIP-014-2 audits beginning in 2016.” This was followed by two bullet points: “SPP RE will cancel planned audit activities for a registered entity if FERC steps in” and “Regions and NERC may observe FERC-led audits”.

Translation: FERC is going to start choosing entities it wants to audit for CIP. A FERC audit may supersede a planned audit by one of the Regions. The Regions and NERC can only observe FERC audits, not participate in them. Kevin’s slides are in the single file with all of the meeting slides, accessible here (Kevin’s presentation starts on slide 28; the slide in question is his slide number 13. I haven’t had a chance to ask Kevin if he deliberately chose 13 to be the number of the slide that delivers this news – or that he chose to reveal this so close to Halloween).

I am told that Kevin also said that FERC would have an official announcement of this policy change soon, and that - at the moment - nothing is known for sure on what entities will be targeted for FERC audits. The above are the only facts I have. But I’m going to speculate on what they may mean:

  • It’s safe to say that FERC’s audit approach will be very different from NERC’s, probably much tougher. It’s also important to remember that FERC can audit whenever it wants; it doesn’t have to follow the three- or six-year schedule in the NERC CMEP (Compliance Monitoring and Enforcement Program). You could have had a CIP audit this year, and FERC could still audit you next year.
  • Also, there is no time limit on FERC audits. I know of at least one audit (of all the NERC standards, including CIP) that took multiple years. Hopefully, that won’t be the norm.
  • It’s also probably safe to say that the lucky entities chosen for FERC audits will be among the larger ones.
  • Can anything be said about how FERC might address the various areas of controversy in CIP v5? Normally, of course, FERC doesn’t have anything to say about NERC standards once they’ve approved them – unless they also ask for specific changes, which then get incorporated in new standards (as happened with the changes FERC ordered when they approved CIP v5 in 2013; these were incorporated into the CIP v6 standards).
  • However, FERC did surprise me and others by weighing in quite forcefully on the meaning of External Routable Connectivity in their NOPR (Notice of Proposed Rulemaking) for CIP v6, issued in July. In the NOPR, they discussed NERC’s new concept of Low-Impact External Routable Connectivity (LERC), and disagreed with NERC’s idea that a “protocol break”, somehow involved in the transition from routable to serial communications, would terminate LERC (they didn’t rule out that something else might break LERC, but they also didn’t make any suggestions on what that something else might be – see this post for some ideas on that topic).
  • Of course, in their NOPR, FERC was talking about LERC, not ERC – so technically their comments have no bearing on ERC. But as I pointed out in this post, FERC’s arguments against the idea of a protocol break can just as easily be applied to ERC as to LERC. With the news that FERC will start auditing v5, these arguments suddenly take on new significance.

I must admit that the first question that came to my mind when I read Kevin’s slide was what impact FERC’s move would have on the idea of CIP v5 “enforceability”, which I had conveniently just addressed in my most recent post. In that post, I said that the CIP v5 standards won’t be “effectively enforceable” (i.e., Possible Violations, or PVs, assessed) until the regions are comfortable that they understand them[i]; I said that in general this won’t happen for at least six to 12 months after April 1, 2016.

I also said that the effective enforcement dates for CIP-002-5.1 R1 and the concept of ERC are currently “never”; that is, until R1 and the definition of ERC are rewritten to address the many ambiguities and contradictions in the current language, it is unlikely any auditor is going to issue a PV if his or her opinion on an issue differs from the entity’s opinion – as long as the entity has made a good-faith effort to understand the issue in question and documented why it arrived at that conclusion. For example, if the auditor and the entity have different opinions on the meaning of the words “affect the Bulk Electric System” in the definition of BES Cyber Asset – and the entity has documented how it researched that issue and came up with its interpretation – I don't believe any auditor will issue a PV because in his or her opinion the entity has not properly identified its BES Cyber Assets.

There may well be a few other “inherently ambiguous” requirements that will require rewriting (a 2-3 year process, of course) before they can be effectively enforced. Let’s designate as “ambiguous requirements” the following: CIP-002 R1, requirements where ERC comes into play, and perhaps one or two other requirements. All the other requirements will be “non-ambiguous” requirements, although of course there’s always some ambiguity in any requirement that could ever be written in the English language.

So how will FERC’s coming into the audit picture change the effective enforcement dates? In the case of the non-ambiguous requirements, where I’m saying there won’t be PVs issued for at least six months for good-faith compliance efforts, I don’t think FERC auditors are going to be much harder than NERC Regional auditors. They will understand that there has been so much confusion about what the CIP v5 standards mean in general – confusion which will unfortunately not be cleared up in any meaningful sense right up until 4/1/16, and beyond that as well – that entities need more time before they are held to the letter of the requirement (they also need time to develop their evidence record, as Tobias Whitney acknowledged at GridSecCon two weeks ago).[ii]

What about the ambiguous requirements: CIP-002 R1 and those that apply to assets with ERC? I also believe the same rule will apply for FERC as for NERC auditors: No PVs will ever be issued until there is definitive clarification of the current requirements. Since it appears that NERC will not provide such definitive clarification, I’ve been saying they need to be rewritten.

But, while FERC can’t officially issue new requirements or revise existing ones, FERC can issue its own clarifications of areas of ambiguity in CIP v5. In particular, as I said above, I think FERC’s discussion of LERC in their CIP v6 NOPR can easily be read as applying directly to ERC. And here the impact is profound: I believe entities need to review their own “definition” of ERC[iii] to make sure it conforms with what FERC wrote in their NOPR (and every entity with serially-connected devices at an asset that has a routable connection to the outside world needs to figure out for itself how it will determine whether or not there is ERC in any particular case). If it doesn’t conform, they need to make it conform – and they will need to rethink (and probably re-do) their identification of BES Cyber Systems with ERC if there is a discrepancy. If FERC is going to audit you, it's safe to assume that FERC will apply the reasoning in the NOPR to determine whether or not your cyber assets have ERC.

The same consideration will apply for any other guidance that FERC may issue. Unlike guidance issued by NERC, such as the Lessons Learned and FAQs, you need to consider FERC’s guidance to be written in stone.[iv] So if FERC decides to clarify the various issues in CIP-002 (which I’ve been writing about in my series of posts on “Rewriting CIP-002”, starting with this one), you will need to pay close attention to this guidance, and re-do your original BES Cyber System identification and classification methodology to conform to whatever they say it should be (and then re-apply that methodology wherever needed). On the other hand, and in my opinion, the problems with CIP-002 R1 and Attachment 1 are so profound that FERC may not want to wade into the problem directly[v]; they may simply issue an order that CIP-002-5.1 needs to be rewritten (at least I hope they will!).[vi]

To summarize: There’s a new sheriff in town. Every NERC entity needs to rethink a lot of what they may have considered settled decisions on CIP v5 compliance; and I think they’ll probably determine they have to do a lot of things differently given that FERC could be their auditor. Of course, FERC’s official announcement may clarify what they intend to do. And it also may not.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.

[i] I also said that, for an entity that hasn’t made a good-faith effort to understand or comply with a particular requirement, the effective enforcement date won’t be delayed beyond 4/1/16. The delayed effective date only applies to good-faith efforts to comply, for which there is a disagreement between the auditor and the entity about the meaning of the requirement in question. It doesn’t apply when the entity hasn’t made an effort to determine the proper interpretation, or even worse, has chosen an interpretation solely because it will make its compliance effort easier (for example, an entity that decided that only processors of 500 MHz and higher are “programmable”).

[ii] On the other hand, I think it is likely that FERC will be less tolerant in general of violations of the “little stuff”, which the NERC Regions are less likely to be concerned about – a missed signature, etc. This could actually turn out to be the biggest difference between FERC’s and NERC’s auditing of the CIP standards.

[iii] Of course, this isn’t a dictionary-type definition. Rather, it’s a procedure for determining whether or not there is ERC, in the case of a communications stream that contains both routable and non-routable elements.

[iv] Technically, of course, even FERC can’t issue “binding” interpretations. But since they have to approve all enforcement actions including fines, your only recourse if you disagree with FERC’s interpretation of an issue is to take it to court. I don’t believe any such appeal has ever been adjudicated.

[v] Except perhaps to provide a “definition” of Programmable. This wouldn’t in itself make CIP-002 enforceable, but it would be a good interim step during the 2-3 years it will take for the standard to be rewritten.

[vi] I think this would be the right thing to do; in fact, I thought it was the right thing to do in 2013, when I very helpfully “rewrote” CIP-002 to make it clearer. I’m very glad FERC didn’t order NERC to follow what I wrote back then, because I didn’t understand a lot of the problems in CIP-002-5.1. And even now I’m not saying that CIP-002 needs to be rewritten along the lines I’m suggesting. My primary motive has always been for CIP-002 to be rewritten so it is unambiguous and can be consistently followed; I’m not so worried about the particular concepts that would be in the rewritten version.
