It has come to my attention that some NERC entities are asking whether the enforcement date for CIP v5 will be postponed beyond April 1, 2016. I have gone back over certain posts over the past year, and see that I have gone through four different stages on this issue. Since I think a discussion of these will shed light on what may happen in the future regarding CIP v5, I want to outline them.
1) I first advocated for pushing back the compliance date in December, 2014. I always realized it would take an extraordinary amount of commitment by NERC and FERC for this to happen (I believe NERC would have to petition FERC, and they would have to approve the petition). But I felt – and still feel – that this is the right way to deal with the problem caused by the large amount of uncertainty[i] felt by many NERC entities regarding interpretation of the CIP v5 standards.
2) This past July, I wrote another post advocating that the “Compliant” date for CIP v5 remain 4/1/16, but that an “Auditably Compliant” date be set for one year later – meaning no Potential Violations (PVs) would be issued until that date, assuming the entity was making a good faith effort to comply. This suggestion was also met with thunderous silence (although I acknowledged this would also take a huge amount of commitment by NERC, FERC and the NERC community, so it was always quite a long shot).
3) I officially threw in the towel on the idea of the compliance date being pushed back in this post at the end of August, 2015. That was when I started talking about the “effective compliance date” – that is, the date (or rather dates) on which the regions would feel comfortable enough with the interpretation of the v5 standards to start issuing PVs[ii]. While I was prepared to have this be a completely unofficial process (i.e., each auditor would decide for him/herself when they could start issuing PVs), I did say it would be much better if there were some sort of informal agreement among NERC, the Regions and the NERC entities to the effect that PVs wouldn’t be issued until after X date. The other provision of this agreement would be that all parties would make a concerted effort to clarify the biggest issues with CIP v5, like the meaning of “programmable”, ERC, etc. This clarification wouldn’t constitute anything binding [like an actual Request for Interpretation would, or a Standards Authorization Request (SAR) – both of which will take years to bear fruit], but it would at least provide a common framework for entities to finalize their compliance with v5, and for the Regions to start auditing and issuing PVs six months or a year after 4/1/16.
4) My most recent post on this question was in October, 2015, when I threw in the towel on the idea that there was any way the effective enforcement date for any of the CIP v5 standards would be earlier than October 1, 2016, and very possibly much later. I brought up something (in my footnote v) that I’d said early in 2015, to the effect that the standards couldn’t be effectively enforced until a year after enough guidance had been provided so that reasonable “interpretations” were available – from NERC and/or the regions – on all of the major issues in CIP v5; since I wrote this post in October, I was implicitly saying it was already too late for v5 to be effectively enforceable even on 10/1/16. Moreover, this also implied that only if NERC started an aggressive drive to clear up the ambiguities and contradictions in CIP v5 immediately would there be any real possibility that the standards might effectively be enforceable on even 4/1/17.[iii]
I don’t think it will surprise you greatly when I say I see no sign that NERC is making any sort of effort – aggressive or otherwise – to clarify the many interpretation issues that remain in CIP v5. In fact, in a NERC webinar on Friday, December 4, 2015, Tobias Whitney said that the only Lesson Learned still planned is on patch management (he also stated this in a presentation at the NERC CIPC meeting in Atlanta on December 15). He also stated that some issues, including virtualization, External Routable Connectivity and Interactive Remote Access, will probably go into the SAR process – meaning it will be literally years before these are addressed. Thus, I have to now say it’s very possible there will be no meaningful clarification on most of the major issues in CIP v5 until one or more standards are rewritten and approved by the NERC ballot body and FERC. I don’t believe this process will take anything less than three years, and possibly longer than that.[iv]
So now we come back to my one-year rule. If, as I believe, the standards will not effectively be enforceable until a year after fairly definitive guidance on major issues has been provided to the NERC community, and if it doesn’t look like there will be any major guidance until some standards or requirements (and a few definitions) are rewritten, this means CIP v5 (and v6) will not be enforceable for at least several years, right?
To be honest, I don’t think v5 will go several years without being enforceable, even if there is no more guidance provided. I think that, after maybe a year of audits where mainly Areas of Concern (not PVs) are issued, both the auditors and the entities may have developed a pretty good understanding of what the v5 standards mean, even if this understanding is never codified in any document put out by NERC or the Regions.
Let me summarize what I’m saying:
I’m definitely not saying that PVs won’t be issued soon after 4/1/16 to entities that for whatever reason haven’t made a real effort to comply with parts of CIP v5. For example, I realize there are a lot of questions on how to identify and classify BES Cyber Systems, but there are many cases where it should be pretty obvious that something is a Medium or High BCS – let’s say a relay controlling a 500kV line or the EMS in a High control center. If an entity doesn’t make such a designation, they might be the recipient of a PV. Another example: if an entity has decided they’re not going to comply with, say, CIP-007-6 R2 (patch management) for some of the BCS they’ve identified, I’d say they are likely to get a PV or two for that. Or if an entity has decided that a substation that clearly has 3,000 points under Criterion 2.5 isn’t in fact Medium impact, they will also have a lot of explaining to do, even if it’s on April 2, 2016.
On the other hand, if an entity has interpreted the phrase “External Routable Connectivity” in such a way that the relays in a particular substation – connected serially to an RTU that then connects routably to the control center – do not have ERC, and if an auditor doesn’t agree with them on this when they’re audited in say November 2016, I don’t believe the auditor will issue them a PV because his opinion on this very contentious issue isn’t the same as theirs. He/she will probably call this an Area of Concern, but until the auditor feels there is a consensus across the NERC community on what exactly constitutes and doesn’t constitute ERC, they won’t issue a PV. I’m guessing (maybe “hoping” is a better word) that around 4/1/17 there will be consensus on ERC and other major issues. So if that same entity gets audited say in June, 2017 and the same discrepancy is found, it’s very possible they would receive one or more PVs for this.[v]
So let’s say you know of a few entities – and I’m sure you’re not one of them (wink, wink) – that will still be deficient in CIP v5 compliance on April 1, 2016, despite their best efforts over the past couple of years. What happens to those entities? Are they just off the hook, in the same way as the entity who is almost completely compliant (I don’t think any entities will be 100% compliant, since nobody knows now what that term even means, given the remaining uncertainties)?
Definitely not. They’ll still need to self-report every requirement – that they know of – for which they’re non-compliant. On the other hand, I can’t believe they would need to self-report that they had used the wrong definition of “programmable”, since there is no agreed-upon definition (they do need to document the definition they used, show how they derived it, and show that it was consistently applied across all of their assets. See this and subsequent posts for discussion of my “roll your own” approach). And these entities obviously need to continue their work to come into compliance as soon as possible after 4/1/16.
There was one significant development after my October post on enforceability: the news that FERC will start doing some CIP v5 audits themselves next year. What does this mean for the above discussion? Specifically, will FERC be able to effectively make the v5 standards enforceable before 4/1/17 (since I’m guessing this will be the effective date if just NERC and the Regions are doing audits)? I don’t think so, unless FERC makes an effort to provide guidance on the many profound interpretation issues in v5. Without guidance, how could an auditor – NERC, FERC, or Regional – possibly assess a violation when there is a simple difference of opinion on an ambiguous requirement or definition? In other words, I don’t think the fact that FERC has entered the auditing picture makes any difference for when CIP v5 will be enforceable.
Before I go, I want to make one further point: This post has discussed one meaning of the word “enforceable” when applied to NERC standards – that is, “enforceable” in the sense that auditors will write PVs and entities will generally accept them. My conclusion was that CIP v5 will be enforceable in that sense around 4/1/17. But there is a stronger meaning of the word, namely that a violation and fine are likely to be upheld if appealed to the court system (which is always a recourse for any NERC entity that feels it has been unfairly penalized). Will CIP v5 ever be enforceable in this sense? I will soon have a post out on this question.
P.S. A well-known auditor for one of the NERC Regional Entities wishes to add the comment below. It doesn’t contradict what I said above, but it does provide a better idea of what a “good faith effort to comply” would entail. One thing he mentions, that I have mentioned in other posts but not in this one, is that the entity needs to show that, in cases where a requirement is ambiguous, they considered all available guidance from NERC and their region; and if they decided they didn’t think the guidance was appropriate, they will need to document why.
The auditor says, “CIP V5 audits will begin in early April. As far as any guidance to the Regional auditors regarding how to handle vague requirements (such as application of auditor discretion), I will yield to NERC to publicly publish whatever guidance they may have or will provide to the auditors.
“What I will say is that the entity will have to tell a compelling story at audit. My team, at least, will not go into an audit with a pre-determined expectation of what represents compliance unless there is an explicit expectation stated in the requirement. But the entity will not be able to simply lay a document before us and declare it meets compliance, expecting the auditor to accept the document at face value. We are all aware of the discussions within the V5TAG, the issues being brought to the Standards Drafting Team, and the guidance issued by NERC (Lessons Learned, FAQs, etc.) and will certainly consider that background information when evaluating an entity’s compliance. What my team and I will never do is “guarantee” that we will treat something as an Area of Concern as opposed to something else like a possible violation. Our determination of a finding must be based upon the facts and circumstances presented at the time of the compliance monitoring activity. What we will do, up through the end of March, is provide our entities as much outreach as we can, including answering questions and conducting site visits. After April 1, we will still conduct extensive outreach for Low Impact BCS. It is up to the entity to take advantage of our outreach, which we have not been bashful about encouraging at every opportunity we have.”
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] A recent Bridge Energy Group Utility Industry Survey found that 68 percent of utilities believe their organization is “not well prepared” for CIP v5 compliance. And a WECC survey of their members, discussed by Dr. Joe Baugh of WECC at the NERC CIPC meeting in Atlanta on December 15, showed that confusion over the meaning of the standards was the number one CIP v5 compliance problem (by a large margin) cited by respondents.
[ii] This applies to cases where the violation is caused by a genuine difference of opinion between the auditor and the entity over something that is unclear or undefined in CIP v5, such as the definition of “programmable”.
[iii] The reasoning for this is that an aggressive effort of interpretation of issues like ERC, “programmable” and the meaning of the BCA definition would require a lot of meetings with the industry and the regions, and would take at a minimum six months.
[iv] You may point out that, besides the SAR process, there is the Request for Interpretation process, which can also provide definitive guidance. The RFI process is shorter. I think the few successful RFIs for CIP v3 took around two years to come into effect, including development of the Interpretation by the Interpretations Drafting Team, voting on it by the NERC membership, submittal to FERC, and FERC’s ultimate approval (although FERC remanded the last two v3 RFIs that were submitted to it). However, RFIs by definition have to focus just on an interpretation of a narrow bit of wording in one requirement. They don’t address issues like missing definitions or anything that requires rewriting a requirement. None of the big issues in v5 are addressable through RFIs.
[v] As I’ve already said, Tobias Whitney of NERC has listed several areas of ambiguity, including ERC, that will be the subject of Standards Authorization Requests (SARs); in other words, NERC has decided the only way these can be addressed is by rewriting one or more requirements (in the case of ERC, this would require rewriting the definition to clarify when there is ERC, and when not, when there are both routable and serial communications in a particular communications stream). I asked him whether PVs would be issued for these areas, pending this rewriting. While he definitely didn’t rule that out (and I’m sure there could be instances where it is clear that the entity has deliberately misinterpreted ERC, in which case there would be PVs), he did say that the main emphasis would be on designating Areas of Concern.