On November 10-12, 2015, I attended the Northeast Power Coordinating Council’s (NPCC) Fall Compliance Workshop near White Plains, NY. It was a very good workshop, with good presentations on both CIP and more general NERC compliance issues such as the Reliability Assurance Initiative (or Risk-Based Compliance Monitoring Enforcement Plan, as it’s now called). I plan to have one or two more posts on that conference. This post discusses one interesting thing I noticed at the conference.
First, I’ll say there was a lot of discussion – both by the speakers and in informal conversations among participants – of the fact that FERC has announced that it will start auditing compliance with CIP v5 and with CIP-014 next year. It appeared that almost everyone was in agreement that the full implications of this announcement may not be known for a while; I have no argument with that idea.
However, there also seemed to be general agreement that this probably will not be such a big deal. I didn’t hear a single entity say they were going to start doing things differently because of the announcement; I also didn’t hear any of the speakers say that things were likely to be very different.
I’ll be blunt: There was a lot of skepticism that FERC really has the manpower and the industry knowledge to pull this off.[i] While I know they have some really top-notch cyber security professionals on their team, I also don’t believe they have the staff today to start doing a number of audits at once - although this partly depends on what you mean by “audit”. NERC’s model includes about 90 days of offsite document discovery and say 1-3 weeks of onsite audit. I’m told that FERC’s audits can – and often do – take years, and the entity being audited can go for months without ever hearing from their auditors. If FERC decides to use their traditional model, they actually could conduct a number of simultaneous audits without a huge staff increase. But I also don’t doubt they could get a lot more audit staff if needed. Remember, they likely won’t be doing any v5 audits until next fall; they certainly aren’t going to come knocking on your door on April 2, 2016.
But the general feeling that things aren’t really going to be too different under FERC went beyond issues of staffing. I feel it was due to the very human reaction to any potentially big news that isn’t immediately accompanied by a change in circumstances. When something big happens far away – say, the stock market crash of 1929 – we cling to the idea that its full impact isn’t known, and we gravitate to the best possible interpretation of what might happen. Of course, just the news that the stock market had crashed didn’t cause any immediate change to the majority of US citizens in 1929, unless they owned significant stock holdings. The reaction of some was glee: “Those guys had it coming.” It was a couple years later, as the banks started failing and unemployment climbed, that there was no denying things had drastically changed.
FERC has confirmed that they will be doing auditing, but they’ve said nothing more. It’s natural to simply assume the best outcome will occur: That they will do a few audits, but just of the “really big guys” (of course, if you work for a “really big guy”, this isn’t much comfort). The regions will continue to do most of the audits, and their approach won’t really change from what it is now.
Folks, I beg to differ. I think FERC is under a lot of pressure today – mainly from their bosses, the US Congress – to crack down on what is perceived to be a lax attitude toward cyber security on the part of the electric power industry. Why do I think that? Just the fact that FERC is going to be doing this auditing, and that it is a big change from the past, makes me believe this isn’t some idle whim of the Commissioners. I’m sure they thought all of this out before making their move. And I’m sure they know how they are going to get the staff they need to handle the audits.
If you want to experience firsthand the pressure FERC is under, I recommend you pick up Ted Koppel’s new book, Lights Out. Whatever your opinion of the book may be, it is going to have a big influence on the public. I doubt the average man on the street has heard of cyber attacks on the grid, except possibly from Hollywood. But that will be different now. In fact, Congressmen and women will read the book and try to jump ahead of their constituents by demanding changes.
I don’t want to exaggerate the influence of Ted Koppel’s book by itself. The point is that pressure on FERC is coming from a lot of directions and is growing, not diminishing. To expect them to back away from the audit idea due to not having the expertise or the manpower is very dangerous. If this is what we’re thinking, we’re just whistling past the graveyard.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] I’ve also heard a couple people question whether FERC even has the authority to conduct these audits. Rest assured, FERC has that authority, although they haven’t been exercising it too much in the past. They are the regulator, not NERC.