Note: I decided a while ago I would prepare a post to appear on April 1, discussing whether entities felt they had successfully come into compliance with CIP v5 by that date. This included interviewing compliance people at a few NERC entities, which I did in late January and early February. Of course, the compliance date was subsequently moved back to July 1, so in fact this post could have appeared on that date. But I’ve decided to still run it today, since – as you can read below – I was very surprised to discover that NERC entities are almost universally in complete compliance with CIP v5. I would almost say now that there was no need to move the date back as I advocated, but I’m sure there are still a few entities that will appreciate having the extra three months to tidy up a few minor issues.
As the sun rises today, April 1, 2016, I am pleased to announce I have determined that CIP version 5 has been a huge success. As far as I can see, NERC entities feel they have come into full compliance with the CIP v5 standards, and they are confident that they clearly understand their obligations for maintaining compliance going forward. My congratulations go out to NERC for the outstanding job they have done in rolling out CIP v5.
To judge how well US utilities had come into compliance, I decided to interview three electric utilities – an IOU, a cooperative and a municipal. Let’s start with the IOU. It is admittedly a small IOU, but this choice was deliberate. I had anticipated that the small utilities might have the hardest time coming into compliance, since they don’t necessarily have the resources to devote to resolving what I perceived (wrongly, as it turns out) to be the many ambiguities and contradictions in the wording of the requirements of CIP v5.
For the IOU representative, I chose an old friend: Fred Anderson, CEO and Director of Compliance for Anderson’s Electric Utility and Screen Door Repair in West Overshoe, Nebraska. When I interviewed him in late January, Fred was quite upbeat. “Believe it or not, I think we have this thing beat, Tom. Not only do I believe we’ll be 100% compliant on April 1, I also think we know almost to a certainty what we will need to do to maintain that state of compliance indefinitely into the future. Not only do we have all the processes and procedures in place to maintain compliance, but all our SMEs have been trained and re-trained on what to do. They all know exactly what their requirements mean, and they have everything they need to do for compliance built into their schedules for the next two years.”
I asked if perhaps AEU had encountered any challenges related to understanding what the v5 requirements meant or how to comply with them. He grinned, “No, we really didn’t. I know you’ve been writing day and night for close to three years about all of the problems in the CIP v5 wording, but we really haven’t come across any significant issues in that regard. And if we did, we found that NERC had almost always already come up with a Lesson Learned that specifically addressed this issue. It was simply uncanny, the way they seem to have thought through all the possible issues with the wording of v5 years ago, and made sure that all of the guidance we needed was in place long before we even realized we might need it.”
For the coop representative, I interviewed another old friend: Janet Millman, Manager Reliability Standards Compliance for Southern North Dakota Energy Cooperative in God’s Little Acre, ND. We talked in early February, and she was just as upbeat as Fred. “You really blew this one, Tom. I don’t know where you got this idea that there was so much uncertainty about the meaning of the CIP v5 requirements. I will admit that you do have to spend some real quality time with the requirements – it’s not like the meaning jumps out at you the first time you read them. But once you do that, I don’t see how you could say there’s any uncertainty at all. Other than for a few minor wording problems, the meaning of all the CIP v5 requirements is right there in the wording.”[i]
Finally, for the municipal, I chose Greater Eggwhite Power & Lighting in Eggwhite, NC. Once again, I have an old friend there – Jim Halfinch, Director of Reliability Compliance and Janitorial Services. Jim wasn’t quite as upbeat as were Janet and Fred. “I’ll be honest with you, Tom. We did have a few problems at the outset. One of the biggest was the word “Programmable” in the definition of Cyber Asset. We thought the first draft Lesson Learned that NERC came out with on this subject in early 2015 was quite good, and we started identifying our Cyber Assets using that definition.
“Then NERC turned around in April of last year and came up with a completely different definition in one of the Memoranda, and they withdrew the draft Lesson Learned. Not only did they change definitions, but they said this one was “mandatory”. That really threw us for a loop, since we’d already invested a lot of effort in identifying Cyber Assets based on the old definition; it now looked like all that effort was wasted.
“However, in early July NERC withdrew all the Memoranda and said they’d go back to using Lessons Learned. But they didn’t do a Lesson Learned on this topic, and then they said last December they were going to refer this matter to the Standards Drafting Team for inclusion in CIP v7. Since v7 won’t be in force for three or four years at least, this means we had to come up with our own definition. We looked for the original draft Lesson Learned but found it had been removed from NERC’s web site, along with other Lessons Learned (as well as the Memoranda) that were abandoned for one reason or another.
“Fortunately, we discussed this question with some of our peers, and referred back to your post on this topic from 2014[ii], and we’re quite happy with what we came out with. We have used the same approach in a few other areas where we’ve had issues. So I really can’t complain; we are now compliant and I’d say we know exactly what we need to do going forward.”
I was pleased to hear Jim say this, since I’ve found quite a few utilities with Medium or High impact assets for whom the lack of a clear definition of Cyber Asset (and other missing definitions, ambiguities and contradictions) has been a huge stumbling block and has delayed their compliance efforts substantially. So I asked him, “What made it so much easier for you than for the other utilities with Medium and High impact assets?” He replied, “Oh, we don’t have any of those. We’re all Low impact.”
I was quite surprised when he said this. I was about to point out to him that he didn’t need to do all of this work if he just had Low impact assets, since there is no need to identify BES Cyber Systems (and therefore no need to identify Cyber Assets or BES Cyber Assets) for Low assets. However, I decided just to thank him for his time and end the conversation. I realize that, if I’d brought this up, he would have argued with me, pointing out that a Low asset is “defined” in CIP-002-5.1 R1 as an “asset containing Low impact BES Cyber Systems”. How (he would have asked) could you possibly identify Low assets without first identifying Low BCS? I would then have had to explain to him that this is just one of those “Between Us Girls” areas where there’s an implicit understanding between NERC and the entities – in this case, it is the understanding that “asset containing Low impact BCS” actually means “Low impact asset”, although that phrase is strictly verboten in the prevailing orthodox interpretation of CIP v5.
I would further have had to explain that the wording of Attachment 1 of CIP-002-5.1 shouldn’t really be taken literally, since it’s actually a relic of the first draft of CIP v5, in which entities were implicitly required to identify all BCS – regardless of impact level – before they even started classifying them High, Medium or Low impact. But that would have just ruined Jim’s day and probably made him hate me forever. I’ve already done that with enough friends in the industry.
So there you have it. Other than for a few entities – like GEP&L – who have perhaps done more work than they had to, I’d say that CIP v5 has been a resounding success. I certainly hope the rollouts of v6, v7, the new CIP Supply Chain standard(s), and other new CIP versions will be equally successful.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] I must admit that I found this implicit criticism of me a little unfair. I have spent an enormous amount of quality time with the CIP v5 standards. Unlike Janet, I have found many problems with the wording that I haven’t been able to resolve. But I’ll admit that, just because a requirement is worded badly enough that there can be no consistent interpretation of it, this doesn’t mean people won’t come up with their own agreed-upon interpretation. And I’m sure that if a CIP v5 fine ever gets appealed to the civil courts, any judge will be quite capable of overlooking the fact that the wording is contradictory and there are missing definitions, and still uphold the fine. After all, in the legal world, what really matters in the end is whether everybody had good intentions at the outset, not any particular words they may have written in a regulation or a contract. That’s why there are seldom any serious disagreements about what laws, regulations, or contracts mean. Of course, this is a good thing, since otherwise there might be lots of litigation tying up the court system and wasting valuable resources.
[ii] I told him he wasn’t alone in looking at that post. It has had 892 hits as of yesterday.