Tuesday, February 2, 2016

What Should I REALLY do after April 1?

I must confess that the title of my most recent post – “What Do You Need to Do After April 1?” – was somewhat misleading (although I myself was misled, not just you. I never know how these things will turn out). It turned out not to offer a real guide to what you need to do after April 1, but only the first part of that guide. It discussed the different types of requirements in CIP v5 (implicit vs. explicit, with the latter divided into clear and ambiguous), and discussed what NERC entities should do after April 1 with respect to each of these types of requirements.

However, it didn’t offer any guidance on how the typical NERC entity (with High and/or Medium impact assets) should approach CIP compliance after April 1. This post tries to do that.

The premise of this post is that many, and very likely most, NERC entities will not be very close to full compliance with CIP v5 on April 1. From what I have seen, a large number of entities finally started moving in earnest on their v5 compliance programs very late due to the many uncertainties that hadn’t been resolved (and still haven’t, of course). When they realized – usually sometime in 2015 – that there was no point in waiting any longer for compliance guidance to drop from the sky, they realized that making a huge effort to come into full compliance by April 1, 2016 would a) require spending a lot of money they didn’t have, and b) burn out their best people and result in their committing suicide or finding another job. They decided they’d take their chances with non-compliance rather than end up with either of these two undesirable outcomes.
Let’s face it: There are a lot of NERC entities (and I certainly don’t mean YOU, of course. I’m referring to the utility down the street from you) whose main goal on April 1 will be limiting the damage from non-compliance as much as possible, not bringing home a perfect compliance report card and being taken out to dinner by your glowing parents. What do these entities need to do? Here’s what I see:

1. As with all NERC standards, you will need to self-report any non-compliance that you know of after April 1. There are a number of requirements (definitely the majority) that I call “clear” in the previous post. For these, there is no real ambiguity. You have to do what you have always done for NERC compliance: review all of the requirements and determine which procedures still need work or are not fully implemented. These need to be self-reported. Of course, you also need to be working to bring your entity into full compliance with these requirements as soon as possible.

2. There are other requirements that are ambiguous. For example, compliance with CIP-002 R1 depends on at least two undefined terms: the word “programmable” in the Cyber Asset definition, and the phrase “adverse impact on the BES” in the BES Cyber Asset definition. NERC has published no clear guidance on these items, and has recently said they need to be drafted as part of the next CIP version (CIP v7, which won’t come into effect for 3-4 more years). Therefore, it’s up to the entity to determine and document its own definitions, as well as to document that they have been used consistently as BES Cyber Systems were identified. The entity doesn’t need to self-report simply for not having these definitions documented on April 1, since that isn’t in the requirements. However, they do have to self-report if they think they may not have properly identified all Medium and High impact BES Cyber Systems, due to not having these definitions drawn up or not having applied them consistently.

3. Finally, there are what I call implicit requirements. A good example of these is the implicit requirement to have methodologies for identifying and classifying BES Cyber Systems, ESPs, Protected Cyber Assets (PCAs), EACMS, PACS, and systems with External Routable Connectivity. CIP v5 never explicitly requires you to identify any of these things, but you obviously can’t properly comply with most of the requirements unless you have first identified them. While you don’t have to have all of these methodologies fully documented on April 1, you do need to make sure each methodology has been developed and has been used consistently to identify what is in scope for CIP v5. If you suspect that some methodologies may not be adequate or may not have been consistently applied, you need to self-report non-compliance with the requirements that this affects (for example, if you don’t think you have identified all of your PCAs, you will need to self-report for all requirements that apply to PCAs, where you think some have been missed).

So how should the Compliance Manager for this hypothetical entity spend his or her time this April 1 (other than perhaps updating their resume)? First, they need to identify any and all self-reports, and make sure they happen. Second, they need to make sure mitigation for any of the compliance issues is under way – or they need to make sure it starts as soon as possible. The last thing they need to do is document the definitions and methodologies that are required due to implicit or ambiguous requirements, which do not actually need to be completed on April 1. As long as your entity is in fact following these definitions or methodologies, you don’t have to have all of the documentation done until you’re audited.

This is of course quite different from the situation in CIP versions 1 through 3. In those versions, there was certainly some ambiguity, but nothing on the scale of CIP v5. It’s a whole new world.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
