In one of
the most famous Sherlock Holmes stories,
the sleuth solves the mystery of a suspicious death by keying on the fact that
a dog didn’t bark when an intruder supposedly entered a home to commit a crime.
The fact that it didn’t bark meant a member of the household was the criminal.
In the same way, the fact that FERC didn’t do something on December 10, 2015,
that they were expected to do, has almost as much importance as if they had taken
an affirmative action.
Those keeping
score at home know that FERC still hasn’t approved CIP version 6. CIP v6 was
submitted to them by NERC last February[i], and
FERC issued a Notice of Proposed Rulemaking (NOPR) in July, indicating they
intended to approve it. Even the fact that they issued a NOPR rather than an
order approving v6 surprised many in the industry, including me, as I noted
at the time.
The NOPR
asked for comments on several issues, which you can read about in the post I
just linked and in its sequel, Part
II. The comments were about a few areas that FERC might like to have NERC
improve, such as developing a transient electronic device requirement for Low
impact assets. As always when FERC solicit comments, there was a cutoff date
for receiving them – in this case late September.
When NERC
submitted v6 they also submitted an implementation
plan[ii], as
they always do with new or revised standards. The plan had specific dates for
different parts of v6 (in fact, it had a plethora of dates. See this
post for the complete set of v5 and v6 implementation dates, although also read
the note I just put on that post). However, each effective date listed in the
plan is followed by the words “or the first day of the first calendar quarter
that is three calendar months after the date that the standard is approved by
an applicable governmental authority.”
In the US,
the “applicable governmental authority” is of course FERC. Since a number of
the v6 standards come due on April 1, 2016 (at which point they’ll replace
their v5 counterparts), and since the dates for other standards or requirements
(or in some cases, requirement parts!) are all based on the 4/1/16 date, this
means that if FERC doesn’t approve v6 this month, literally all of the dates in
the v6 compliance plan will move back one quarter – although that assumes that
FERC will approve v6 by March, 2016. If they don’t do that, all the dates go
back another quarter. And if they still don’t approve v6 by June 2016, the date
goes back yet another quarter…etc.
So what’s
the dog that didn’t bark in this case? If FERC were going to approve v6 this
month, they would have to do so at their monthly “Sunshine Meeting” (don’t you
just love that term? Only in Washington could they think up something like that)
on December 17. But for them to even take up v6, it would have to be on the
meeting agenda. The agenda was
released on December 10 and guess what? V6 wasn’t on it. Therefore, v6 won’t be
approved in Q4 2015.
This means
the compliance dates for all of the v6 standards are now officially pushed back
at least three months.[iii]
Assuming FERC approves v6 before April 2016, here are the new dates for some of
the more important standards/requirements:
- The date for CIP-010-2 R4 – for Transient Electronic
Devices – will move from 1/1/17 to 4/1/17.
- The due date for the security awareness policy and the
incident response plan required for Low impact assets by CIP-003-6 R2 will
move from 4/1/17 to 7/1/17.
- However, the due date for the four policies for Low impact
assets mandated in CIP-003-6 R1.2, will not move. This is because CIP-003-6 R1.2 is identical to CIP-003-5
R2 – which was always scheduled to come into effect on 4/1/17. The latter
requirement would have been superseded by CIP-003-6 R1.2 had v6 gone into
effect on that date. Now, it won’t be superseded until v6 does actually come
into effect. But since the two requirements are identical, the four policies
will still be due on 4/1/17.
- The last compliance date in the v6 Implementation Plan is
September 1, 2018, when the physical and electronic access controls for
Low impact assets, mandated by CIP-003-6 R2, come due. This date will also
be moved back, but by four months rather than three. Why four, you ask?
Well, it’s pretty simple: As Scott Mix of NERC admitted at a recent NERC meeting, the CIP v5
Revisions Standards Drafting Team made a mistake when they assigned the
9/1/18 date. They seem to have forgotten that the first day of the fourth
quarter is October 1, not September 1. Since the Implementation Plan
doesn’t say “three months after…(FERC approval)”, but rather the language
in the fourth paragraph above, this means this date will move to January
1, 2019. Now you know.
The
discussion so far has been all mechanics. How about the human element? First,
why is FERC taking this action – or more correctly, not taking this action? The
only explanation I can think of (and I want to thank a longtime FERC observer
for sharing her thoughts on this with me) is that the FERC staff is finding it
more difficult than they originally thought to make a decision on the questions
for which they solicited comments.
When the
NOPR came out, I noted in this post
that the amount of time between the due date for comments (near the end of
September 2015), and the date FERC had to issue their order in time not to
force the v6 compliance dates to move back, was pretty short – less than three
months. However, since I and most others believed FERC didn’t want the v6 dates moved back, it seemed
logical to assume they were sure they could complete their considerations in
time to be able to approve v6 in December.
However, it
seems somebody miscalculated at FERC – or perhaps they were surprised by the
volume of comments and perhaps the level of opposition expressed – and they
have decided they simply need more time in approving v6.[iv]
You might
wonder – given that I’ve said various times that I see no possibility FERC will
simply reject v6 (and I certainly still believe that) – why approving v6 should
require so much consideration. However, FERC’s hesitation isn’t over the
question of whether or not to approve v6. It is actually due to the changes
they may order – i.e. the different questions they asked for comments on in the
NOPR.
Remember
that NERC’s rules say a standard can’t be changed once it has been approved by
the NERC Board of Trustees; this step is taken before the standard is even
submitted to FERC. So when FERC orders changes to v6 at the same time that it
approves the standards, these changes won’t appear in the v6 standards.
Instead, whatever changes FERC decides it wants will have to be part of new
standards – in other words, CIP v7. Once FERC enters its Order approving v6 and
(perhaps) ordering some changes, NERC will need to constitute a drafting team (it
could consist of the members of the CIP v5 Revisions SDT that drafted v6, but
it might also be a new team), then have them go through a drafting and
balloting process similar to what happened with v6 (since v6 was developed
because of four changes FERC ordered when they approved v5 in 2013). In other
words, v6 will almost certainly go into effect sometime in 2016 or early 2017,
followed by v7 about two years later.
In my post
in which I raised the possibility that FERC wouldn’t approve CIP v6 in time for
the compliance schedule to remain on its original timeline, I went further than
that. I also speculated that FERC might actually want to see the v6 compliance dates moved back. The reason for this
is that it shouldn’t be hard for FERC staff members to see that the CIP v5
standards won’t be “enforceable” on 4/1/16 – in the sense that they’ll be well
enough understood in the NERC community that auditors will feel comfortable writing
Potential Violations for requirements about which serious interpretation issues
exist (unfortunately, this applies to a lot of requirements in v5). And if they
haven’t discovered this on their own, they’ve seen it in my blog posts,
including this
one. I wondered in the post – and I still wonder – whether FERC thinks they
might be able to help the v5 “enforceability” problem by delaying the
implementation of v6.
But how
would FERC’s delaying the v6 implementation date (by not approving v6 until say
May or June 2016) help with the “enforceability” problem with CIP v5? After all,
CIP v5 will come into effect on 4/1/16 no matter what happens with v6[v]. Let’s
be clear: I don’t think v5 will be any more or less enforceable because of the
v6 delay. However, I do think that, if FERC delays v6 approval until say next
May or June (and thus delays v6 implementation by six months), NERC may decide
they want to announce that v5 enforcement will be delayed by the same amount of
time.
Of course,
this would amount to making a virtue of necessity, since as I’ve already said I
don’t think v6 will be effectively enforceable before 10/1/17 at the earliest –
and one of my next posts will state that I don’t believe v5 will be effectively
enforceable until approximately 4/1/17. But if NERC were to actually state
this, it would remove a lot of uncertainty – since I believe there are still a
few people in the NERC community that don’t take everything I say in my posts
to be the gospel truth.
The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte Advisory.
[i]
In fact, it was Friday, February 13. I believe this explains a lot.
[ii]
You may notice the plan linked has a “-7” after some standards, and a “-3”
after CIP-010 and -011. This is because when the “CIP Version 5 Revisions” were
finally passed by the NERC ballot body it included some v6 and some v7
standards. However, to somewhat mitigate the version confusion, the standards
actually approved by the NERC Board of Trustees all had version 6 suffixes
(“-6” and “-2”). This is discussed in the first post linked above. I swear I’m
not making this stuff up. I could never dream of creating anything as
complicated as the “CIP v5/then v6/then v7/then v6 again” saga – except perhaps
the “CIP v4/no, v5/no, v4/no, v5” saga.
[iii]
In this discussion, I’m assuming that FERC, when they finally approve v6, won’t
also order NERC to revise the implementation plan so compliance would still be
due on the original schedule. While I’m sure that’s theoretically possible, I
don’t think it’s likely they’d do that.
[iv]
A couple people wondered if FERC might be delaying approval of v6 specifically
because of the supply chain security issue that they asked for comments on in
the NOPR. FERC has now scheduled a Technical
Meeting on January 28, 2016, and it is quite understandable they wouldn’t
want to make a decision on this topic until after that meeting. However, just
because FERC asked for comments on this issue in the v6 NOPR doesn’t mean they
need to do something one way or the other on it when they approve v6. They
could issue a separate order once they have finished their considerations on
this topic (and that would make a lot of sense, since supply chain security is
a completely new direction for the CIP standards, like CIP-014 was).
[v]
You may wonder what happens with the “Identify, Assess and Correct” language in
17 of the CIP v5 requirements, which will be removed in their v6 counterparts.
If all of v5 ends up coming into effect on 4/1/16 (rather than three v5
standards and seven v6 ones, which would have happened had FERC approved v6 in
December), that language will supposedly be enforceable. Yet I believe
literally all NERC entities are implementing v5 compliance under the assumption
that they won’t have to comply with that language. They are safe in continuing
on this course, since I believe all of the NERC Regions have formally or
informally announced that “IAC” won’t be enforced regardless of what happens
with v6, and perhaps NERC has stated this as well. If you haven’t seen or heard
an announcement from your Region, just call them.
No comments:
Post a Comment