I must confess that the title of my most recent post – “What Do You Need to Do After April 1?” – was somewhat misleading (although I myself was misled, not just you. I never know how these things will turn out). It turned out not to offer a real guide to what you need to do after April 1, but the first part of that guide. It discussed the different types of requirements in CIP v5 (implicit vs explicit, with the latter divided into clear and ambiguous), and discussed what NERC entities should do after April 1 with respect to each of these types of requirements.
However, it didn’t offer any guidance on how the typical NERC entity (with High and/or Medium impact assets) should approach CIP compliance after April 1. This post tries to do that.
The premise of this post is that many, and very likely most, NERC entities will not be very close to full compliance with CIP v5 on April 1. From what I have seen, a large number of entities finally started moving in earnest on their v5 compliance programs very late due to the many uncertainties that hadn’t been resolved (and still haven’t, of course). When they realized – usually sometime in 2015 – that there was no point in waiting any longer for compliance guidance to drop from the sky, they realized that making a huge effort to come into full compliance by April 1, 2016 would a) require spending a lot of money they didn’t have, and b) burn out their best people and result in their committing suicide or finding another job. They decided they’d take their chances with non-compliance rather than end up with either of these two undesirable outcomes.
Let’s face it: There are a lot of NERC entities (and I certainly don’t mean YOU, of course. I’m referring to the utility down the street from you) whose main goal on April 1 will be limiting the damage from non-compliance as much as possible, not bringing home a perfect compliance report card and being taken out to dinner by your glowing parents. What do these entities need to do? Here’s what I see:
1. As with all NERC standards, you will need to self-report any non-compliance that you know of after April 1. There are a number of requirements (definitely the majority) that I call “clear” in the previous post. For these, there is no real ambiguity. You have to do what you have always done for NERC compliance: review all of the requirements and determine which procedures still need work or are not fully implemented. These need to be self-reported. Of course, you also need to be working to bring your entity into full compliance with these requirements as soon as possible.
2. There are other requirements that are ambiguous. For example, compliance with CIP-002 R1 depends on at least two undefined terms: the word “programmable” in the Cyber Asset definition, and the phrase “adverse impact on the BES” in the BES Cyber Asset definition. NERC has published no clear guidance on these items, and has recently said they need to be drafted as part of the next CIP version (CIP v7, which won’t come into effect for 3-4 more years). Therefore, it’s up to the entity to determine and document its own definitions, as well as to document that they have been used consistently as BES Cyber Systems were identified. The entity doesn’t need to self-report simply for not having these definitions documented on April 1, since that isn’t in the requirements. However, they do have to self-report if they think they may not have properly identified all Medium and High impact BES Cyber Systems, due to not having these definitions drawn up or not having applied them consistently.
3. Finally, there are what I call implicit requirements. A good example of these is the implicit requirement to have methodologies for identifying and classifying BES Cyber Systems, ESPs, Protected Cyber Assets, EACMS, PACS, and systems with External Routable Connectivity. CIP v5 never explicitly requires you to identify any of these things, but you obviously can’t properly comply with most of the requirements unless you have first identified them. While you don’t have to have all of these methodologies fully documented on April 1, you do need to make sure each methodology has been developed and has been used consistently to identify what is in scope for CIP v5. If you suspect that some methodologies may not be adequate or may not have been consistently applied, you need to self-report non-compliance with the requirements that this affects (for example, if you don’t think you have identified all of your PCAs, you will need to self-report for all requirements that apply to PCAs, where you think some have been missed).
So how should the Compliance Manager for this hypothetical entity spend his or her time this April 1 (other than perhaps updating their resume)? First, they need to identify any and all self-reports, and make sure they happen. Second, they need to make sure mitigation for any of the compliance issues is under way – or they need to make sure it starts as soon as possible. The last thing they need to do is document the definitions and methodologies that are required due to implicit or ambiguous requirements, which do not actually need to be completed on April 1. As long as your entity is in fact following these definitions or methodologies, you don’t have to have all of the documentation done until you’re audited.
This is of course quite different from the situation in CIP versions 1 through 3. In those versions, there was certainly some ambiguity, but nothing on the scale of CIP v5. It’s a whole new world.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.