If you have Low impact assets, you probably know the deadline for compliance with Sections 1 and 4 of Attachment 1 of CIP-003-6 R2 is this April 1. However, you may not know that you are required to have your first exercise of your incident response plan (under Section 4) completed by April 1. To be honest, I didn’t know that until today either; I had thought it was simply an area of ambiguity, so the regions would be on their own to say what they wanted their entities to do – and they couldn’t issue a PV if the entity hadn’t exercised its plan before that date.
However, today a longtime NERC compliance professional emailed me to ask me this question. I took this quite seriously since this is someone who has been working closely with the CIP standards since version 1; if he wasn’t sure, I knew I needed to investigate this. So I checked with two regional CIP auditors (from different regions) and with Lew Folkerth of RF, who was a CIP auditor but now provides great insight on CIP to RF members (and to the whole NERC community, through the RF newsletter and frequent posts by me, such as this one).
All of them said the same thing: A NERC entity with one or more Low impact BES assets (more specifically, one or more assets that contain a Low impact BES Cyber System) needs to complete their first incident response plan exercise before April 1. Moreover, this isn’t some arbitrary decision made by NERC or the regions; it’s baked into the implementation plans for CIP v5 and v6 (but it’s a complicated story to figure out – hence the fact that there is so much confusion on this question). Here is what Lew said by email:
“Where the ERO is coming from on this is that the V5 Implementation Plan (October 26, 2012) states that the initial performance for CIP-003-5 R2 is “on or before the effective date of CIP-003-5 R2…”
The V5 Revisions Implementation Plan (January 23, 2015) states “The following sections of the Implementation Plan for Version 5 CIP Cyber Security Standards (Version 5 Plan) remain the same: Initial Performance of Certain Periodic Requirements – For those requirements with recurring periodic obligations, refer to the Version 5 Plan for compliance dates. – These compliance dates are not extended by the effective date of CIP Version 5 Revisions[i].”
However, Lew did send another email that said “If an entity is not going to complete testing of its Cyber Security Incident response plan as required by CIP-003-6 R2 Attachment 1 Section 4.5, then the entity should self-report this issue to its Region as soon as possible. The entity will have an opportunity to work with the Region’s Enforcement Group and to explain the misunderstanding, and that the testing was completed as soon as practical after the issue was identified.”
A word to the wise – as well as to the merely tardy.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.
[i] What the two quotes say together is that the CIP v5 initial performance dates for periodic requirements (those that have to be done periodically, like every 15 months) apply to v6 as well. Since the initial performance date specified for CIP-003 R2 in v5 was April 1, 2017, and since that date is unchanged in v6, there shouldn’t be any question that entities with Low assets need to exercise their response plans by April 1.
But this ignores an important fact: What was CIP-003 R2 in CIP v5 is now CIP-003 R1.2 in v6 (and there was no R1.2 in v5, only R1). So I would really read the two quotes as saying that the initial performance date for CIP-003 R1.2 in v6 is the same as that for CIP-003 R2 in v5. And what about CIP-003-6 R2? That really should have been addressed separately in the v6 implementation plan – i.e. the SDT should have specifically listed the initial performance date for R2 as April 1.
I do think this is a legitimate problem, but not one that’s likely to be addressed before April 1. So I just suggest we all put it down on the List of Unfair Things in NERC CIP – by my latest count, this is number 4,527 – and work on getting the CSIRP exercised by that date. For the last word on this subject, I quote my favorite philosopher, Jimmy Carter, who said “Life is unfair”.