January 21, 2016: FERC approved CIP v6 today. However, the effective date of the Order is 65 days after publication in the Federal Registry. This means it needs to be published in the FR by next Wednesday, in order for the dates below to be valid. Otherwise, the effective date will be in Q2, and some (but not all) of the dates below will move back a quarter. In any case, they won't move back any further than that.
February 26, 2016: I have revised this post to reflect the fact that FERC just moved back the compliance date for all the CIP v5 requirements that affect High and Medium impact BES Cyber Systems to July 1. As I explain in this post, none of the other dates are changed by this action.
On November 8, 2014, I published a post listing the incredibly complicated set of compliance events for CIP versions 5 and 6. This was based on the CIP v5 Implementation Plan (which was of course set in stone with FERC’s approval of v5 in 2013) and the v6 Implementation Plan (which was at the time in its final draft form and seemed very likely to be approved by the NERC ballot body, by the NERC Board of Trustees, and finally by FERC).
February 26, 2016: I have revised this post to reflect the fact that FERC just moved back the compliance date for all the CIP v5 requirements that affect High and Medium impact BES Cyber Systems to July 1. As I explain in this post, none of the other dates are changed by this action.
On November 8, 2014, I published a post listing the incredibly complicated set of compliance events for CIP versions 5 and 6. This was based on the CIP v5 Implementation Plan (which was of course set in stone with FERC’s approval of v5 in 2013) and the v6 Implementation Plan (which was at the time in its final draft form and seemed very likely to be approved by the NERC ballot body, by the NERC Board of Trustees, and finally by FERC).
Until less
than two weeks ago, I saw no need to revise this schedule, and I’ve referred to
it constantly in my posts as the current compliance schedule for v5 and v6.
However, last week I wrote a post
pointing out that FERC’s failure to approve CIP v6 in December 2015 meant that
the v6 compliance dates would be pushed back by at least three months. Even
with that, I didn’t think I needed to do anything more than put a note to this
effect on the original post, and keep referring to that post when I needed to
reference the compliance timeline.
However, a
few days ago Michael Wilson of Tri-State Generation and Transmission wrote in
to question a few of the v6 dates I had in the original post. He also pointed
me to a WECC webinar in which one or two compliance dates were listed that
aren’t even in the v6 Implementation Plan – and therefore weren’t in my
original post (I suppose these could be called “implicit effective dates”, just
as there are “implicit requirements” in v5 and v6).[i]
At this
point, I decided I really needed to rewrite the original post; Michael
collaborated with me to make sure this one was complete and accurate. So here
is my new compliance schedule for CIPs v5 and v6. Note one big caveat: The
dates below are based on the assumption that FERC will approve v6 before April
1, 2016 – meaning the dates in the v6 Implementation Plan will be pushed back
three months. If they go beyond that date, some of the dates will be pushed
back two quarters, and possibly more depending on when FERC approves v6.[ii]
One note:
You may notice that this plan is even more complicated than what was in my
original post (mainly because I left out some of the finer points and of course
missed the “implicit effective dates”). I wish to emphasize that I’m not making this up; this is what’s in
the v6 Implementation Plan. I originally considered the v5 plan to be complicated
because it had two dates, one for Highs/Mediums and one for Lows. That plan now
seems like the paragon of simplicity compared to the v6 plan, which has
separate effective dates not only for individual standards, but for individual
requirements, individual requirement parts, and even particular applicability
categories within a single requirement part.[iii]
July 1, 2016
This is the date both the v5 and v6 standards become effective. As is shown below, the actual compliance dates for many v6
requirements and requirement parts are later.
CIP-002-5.1, CIP-005-5 and CIP-008-5: Highs and Mediums have to comply with these three standards in full. In addition, Lows have to comply with only CIP-002-5.1 R1 and R2 (i.e. they have to identify their “assets containing Low impact BES Cyber Systems” and have the CIP Senior Manager approve the list).
CIP-003-6 - except for R1.2, R2 and Attachment 1 (Lows): The three items listed are all for Lows, and they have other compliance dates.
CIP-003-6 - except for R1.2, R2 and Attachment 1 (Lows): The three items listed are all for Lows, and they have other compliance dates.
CIP-004-6: Entities must comply with this standard in full.
CIP-006-6 (except for R1.10, for Control
Centers that weren’t Critical Assets with CCAs under v3): R1.10 was ordered by FERC in Order 791, and says that cabling
between ESP devices, that itself goes outside a PSP, needs to be physically or
logically protected. This requirement part becomes effective on this
date, except that Control Centers that weren’t Critical Assets under v3 are
given more time to comply.[v]
Once again, folks, I'm not making this stuff up! There's no way I could dream up something so complicated; indeed, I think Rube Goldberg himself would doff his cap in admiration of how complicated the v6 implementation plan is.
CIP-007-6: This standard needs to be complied with in full, but there is
an exception for certain devices under R1.2; compliance for these devices is
due at a later date. These devices are “Nonprogrammable communication
components located inside both a PSP and an ESP,” which is a new item added to
the Applicability section of R1.2 in the v6 version of the standard (this is
also the first time NERC CIP requirements have applied to devices that are not
Cyber Assets).
CIP-009-6: Entities must comply with this standard in full.
CIP-010-2 except for R4
CIP-011-2: Entities must comply with this standard in full.
April 1, 2017
CIP-006-6 R1.10: For Control Centers that weren’t Critical Assets (with CCAs) under
v3, R1.10 now becomes effective.
CIP-007-6 R1.2 for certain devices: See the discussion of CIP-007-6 above.
CIP-010-2 R4: This is the requirement for transient devices.
CIP-003-6 R1.2, R2 and Attachment 1 – These are the Requirements that apply to Low impact
assets in v6. R1.2 – which requires four policies, without specifying their
content - is the same as R2 in CIP-003-5 (which is superseded by its v6 counterpart).
The new R2 is the one that addresses FERC’s mandate in Order 791 for specific
requirements for Lows. There are essentially two parts to this
Requirement. First, the Requirement itself calls for a plan to address the four
areas in Attachment 1; this plan must be in place on April 1, 2017.
The other part of R2 is contained in
Attachment 1, which provides the detail on what is required for those four
areas, each in its own section. However, entities only have to comply
with the first and fourth sections of Attachment 1 on April 1, 2017; these are the
security awareness policy and incident response plan. For sections two
and three – physical and electronic access controls – entities need to have
policies developed (due to R1.2) on April 1, 2017, but the controls themselves don’t
have to be implemented until later.
September 1, 2018
On this date, Lows have to implement
Sections 2 and 3 of CIP-003-6 Attachment 1. These sections mandate
physical and electronic access controls.
The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte Advisory.
[i]
I had also made a mistake by stating that FERC’s non-action in December, 2015
meant that all of the v6 compliance dates will be moved back at least three
months. The Low impact requirements in v6 will still become effective on the
same dates as previously - April 1, 2017 or Sept. 1, 2018.
[ii]
My original post started with the following four caveats. These still apply:
1)
The v5 plan included dates for “Initial
Performance of Certain Periodic Requirements”; these are the dates by which you
need to perform each of the annual (i.e. 15-month) or quarterly
requirements. Since these are in the v5
Implementation Plan, they refer just to the v5 standards; however, the v6
Implementation Plan simply refers to the v5 plan for the Initial Performance
dates [I’m not linking the final version of this plan because it’s buried in
the 3300-page filing for v6. If you would like me to send you the copy I’m
working with – the draft prepared for the final NERC ballot (although it refers
to v7 as well as v6 - long story) - email me at talrich@deloitte.com.]. This means that, to determine these dates for
the v6 plan, you have to go back to the v5 plan and fill in the appropriate v5
or v6 standard numbers (e.g. CIP-002-5.1, CIP-003-6, etc.).
2)
In the v5 plan, there’s a table for “Planned or
Unplanned Changes Resulting in a Higher Categorization”; this refers mainly to
new assets that are acquired or commissioned.
Again, the v6 plan simply refers you back to the v5 plan for this. There was a similar provision for versions 2
and 3, contained in a separate document whose acronym was “IPFNICCANRE”.
However, that document is no longer valid once v5 comes into effect in April.
3)
The v6 plan includes a section (consisting of a
single sentence) providing for “Unplanned Changes Resulting in Low Impact
Categorization”. This is a new concept
in CIP v6; it didn’t appear at all in the v5 plan, perhaps because complying
for new Low impact assets wasn’t a big deal under v5 given what was required (or
not required) by CIP-003-5 R2.
4)
Of course, the implementation schedules for
Canada are different than for the US.
Those vary by province and not all the provinces are implementing v5 (at
least not yet). Even the ones
implementing it may be implementing slightly different versions (since the
FERC-approved standards have no force in Canada, each province is free to
modify any NERC standards as they see fit, or not implement them at all) –
except for probably Ontario, New Brunswick and perhaps Nova Scotia, which tend
to follow the FERC-approved standards almost to the letter.
[iii]
There’s also a separate date based on whether the facility had Critical Cyber
Assets under CIP v3 – which of course isn’t in any way related to the v5 or v6
standards themselves. I’m surprised there aren’t also separate dates that
depend on whether the person implementing v5 compliance is left- or
right-handed - although I should be careful what I say, for fear the v7 implementation plan may contain such a provision!
[iv]
This exception isn’t in the v6 implementation plan, but was pointed out by WECC
in a recent webinar; Michael called my attention to this.
[v]
Note I got this wrong in my original post. I thought that R1.10 compliance was
postponed for everybody, but Michael pointed out it is just for these specific
Control Centers.
No comments:
Post a Comment