Monday, October 9, 2017

When Should we Start Working on CIP-013 Compliance?

The CIP-013 compliance date – which I’m currently estimating to be the second half of 2019 - may seem like it’s still pretty far off, but it’s really not. There are two components of the delay.

First, FERC has to approve CIP-013, and – as we all know – FERC hasn’t had a quorum for around six months. This recently changed, but they still have a lot of things on their plate to deal with that came in ahead of CIP-013 (such as CIP-003-7, approved by NERC and submitted in early February). I think it’s almost certain FERC won’t approve CIP-013[i] for at least six months and maybe a year; let’s say one year to be safe.

And once FERC has approved CIP-013, the Implementation Plan kicks in. That calls for an implementation date 18 months after FERC approval (of course, this is different for Canada, where each province will have its own implementation date, and some may not implement CIP-013 at all). So it’s very possible that the CIP-013 implementation date will be in late 2019 or early 2020, adding the 18 months to the 12-month estimate for FERC approval.  

Of course, this all assumes FERC will approve CIP-013. They have three options:

  • Approve the standard unchanged, in which case it will come into effect as just discussed.
  • Approve the standard, but at the same time direct NERC to make some further changes. CIP-013-1 would still come into effect according to the Implementation Plan, but at the same time NERC would constitute a new Standards Drafting Team to develop a new version, that will address whatever FERC directed.
  • Remand the standard, which kills it.

Obviously, in both of the first two options, CIP-013 is likely to become effective by late 2919. But were FERC to remand the standard, it would never come into effect.  How likely is FERC to remand it? Normally, I would say the answer is a no-brainer: FERC ordered the standard to be developed last year. Since CIP-013, in my opinion, is very close to what they ordered, why would they not approve it?

The reason why remand isn’t a zero possibility is the turnover at FERC. Only one Commissioner from last July, Cheryl LaFleur, remains on the board – and she dissented from the Order. But her dissent was over the fact that a) the Commission hadn’t gone through their usual Notice of Proposed Rulemaking procedure in this case; and b) the amount of time they were giving NERC to develop the standard was way too short (an opinion I agreed with, in the post linked above). Both of these objections are now water under the bridge, so I believe she is likely to approve CIP-013.

As for the new Commissioners (there are now three in total including LaFleur. There will most likely be five when CIP-013 is approved), all of them come from fairly conventional backgrounds. I – as well as everyone I’ve talked to in the industry about this question – believe they are likely to approve CIP-013.

This has been a long way of saying I expect the implementation date for CIP-013 will be in late 2019. I’ll admit that’s a long time away, although it’s almost exactly the same amount of time as NERC entities had to comply with CIP v5, once FERC had approved it. And as you remember, when the compliance date was extended by three months, the industry was quite glad to have the extra time!

However, the main reason why you shouldn’t put CIP-013 planning off any longer – especially larger NERC entities – is dictated by the following logic:

  1. An important CIP-013 compliance tool is contract language. You will need to try to get vendors to commit – in one way or other – to doing a number of things, including (but not limited to) the six items listed in R1.2. The best way to do this is through language in their contracts.
  2. You aren’t required to renegotiate existing contracts, but contracts come up for renewal all the time. This means you should start trying to include the appropriate language for CIP-013 in every contract that applies to BES Cyber Systems or the software that runs on them. If you don’t, when CIP-013 is finally implemented, you will need to scramble to try to get some other assurance from each vendor that they will in effect follow the contract language you want; if the language is already in the contract, you won’t have to do this.
  3. But how do you find the appropriate contract language? You definitely don’t want to require the same language of every vendor, regardless of risk.  Ideally, you want to tailor each vendor’s language to the vendor’s risk level, as well as to the risk level of the systems or software they sell to you. This means you have to make decisions regarding: a) What will be your criteria for classifying vendors by risk level? b) What will be your criteria for classifying BES Cyber Systems by risk level? For classifying software by risk level? c) Since in principle you have to address all supply chain threats (risks) in your plan, which are the threats that you will try to address through contract language (of course, you do have to include the six threats that form the rationale for R1.2. But what other threats should you also try to address through contract language, as opposed to getting another type of commitment from the vendor)? d) For each risk level, what will be the language you first try to get into the contract, and what will be the language you will finally accept if necessary? Since you aren’t required to address every threat through contract language, at what point will you walk away from the negotiations if the vendor hasn’t met the minimum level of language that you want? In what cases will you simply shut up and sign the contract, even though it doesn’t include any of the language you want? e) etc, etc.

The decisions listed above – and more – are the ones you need to make at the beginning of your CIP-013 planning process. If you don’t make them now, you won’t know what contract language to ask for and contracts will be renewed now that aren’t “CIP-013-ready”. By making these decisions now and asking for appropriate contract language in renewal negotiations, you will be making life much easier for yourself two years from now. This is why you need to start working on CIP-013 compliance very soon.

One more point: I hope you can see that it would be dangerous to wait to start your CIP-013 program until FERC approves the standard, even though there is still some small uncertainty about whether they will. Whenever FERC does approve CIP-013, there will then be only 18 months before you have to have the entire apparatus of CIP-013 up and running. For any NERC entity of a certain size, waiting this long would be very dangerous. And as the man said recently, the nice thing about CIP-013 is that it doesn’t require you to do anything beyond what you should be doing anyway: assessing and classifying risks to the security of your supply chain, then taking risk-prioritized steps to mitigate those risks. So even if FERC remands CIP-013, your money and time are still well spent!

I am currently providing on-site workshops to help your organization prepare for CIP-013 compliance. If you would like to discuss this, please email me at

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.

[i] Throughout this post, when I refer to CIP-013 I really mean “CIP-013-1, CIP-005-6 and CIP-010-3”, since the latter two contain new requirement parts that were approved along with CIP-013 itself.

No comments:

Post a Comment