The CIP-013 compliance date – which I’m currently estimating to be the second half of 2019 – may seem like it’s still pretty far off, but it’s really not. There are two components of the delay.
First, FERC has to approve CIP-013, and – as we all know – FERC hasn’t had a quorum for around six months. This recently changed, but they still have a lot of things on their plate to deal with that came in ahead of CIP-013 (such as CIP-003-7, approved by NERC and submitted in early February). I think it’s almost certain FERC won’t approve CIP-013[i] for at least six months and maybe a year; let’s say one year to be safe.
And once FERC has approved CIP-013, the Implementation Plan kicks in. That calls for an implementation date 18 months after FERC approval (of course, this is different for Canada, where each province will have its own implementation date, and some may not implement CIP-013 at all). So it’s very possible that the CIP-013 implementation date will be in late 2019 or early 2020, adding the 18 months to the 12-month estimate for FERC approval.
Of course, this all assumes FERC will approve CIP-013. They have three options:
- Approve the standard unchanged, in which case it will come into effect as just discussed.
- Approve the standard, but at the same time direct NERC to make some further changes. CIP-013-1 would still come into effect according to the Implementation Plan, but at the same time NERC would constitute a new Standards Drafting Team to develop a new version that will address whatever FERC directed.
- Remand the standard, which kills it.
Obviously, in both of the first two options, CIP-013 is likely to become effective by late 2019. But were FERC to remand the standard, it would never come into effect. How likely is FERC to remand it?
Normally, I would say the answer is a no-brainer: FERC ordered the standard to be developed last year. Since CIP-013, in my opinion, is very close to what they ordered, why would they not approve it?
The reason why remand isn’t a zero possibility is the turnover at FERC. Only one Commissioner from last July, Cheryl LaFleur, remains on the board – and she dissented from the Order. But her dissent was over the fact that a) the Commission hadn’t gone through their usual Notice of Proposed Rulemaking procedure in this case; and b) the amount of time they were giving NERC to develop the standard was way too short (an opinion I agreed with, in the post linked above). Both of these objections are now water under the bridge, so I believe she is likely to approve CIP-013.
As for the new Commissioners (there are now three in total, including LaFleur; there will most likely be five when CIP-013 is approved), all of them come from fairly conventional backgrounds. I – as well as everyone I’ve talked to in the industry about this question – believe they are likely to approve CIP-013.
This has been a long way of saying I expect the implementation date for CIP-013 will be in late 2019. I’ll admit that’s a long time away, although it’s almost exactly the same amount of time as NERC entities had to comply with CIP v5, once FERC had approved it. And as you remember, when the compliance date was extended by three months, the industry was quite glad to have the extra time!
However, the main reason why you shouldn’t put CIP-013 planning off any longer – especially larger NERC entities – is dictated by the following logic:
- An important CIP-013 compliance tool is contract language. You will need to try to get vendors to commit – in one way or other – to doing a number of things, including (but not limited to) the six items listed in R1.2. The best way to do this is through language in their contracts.
- You aren’t required to renegotiate existing contracts, but contracts come up for renewal all the time. This means you should start trying to include the appropriate language for CIP-013 in every contract that applies to BES Cyber Systems or the software that runs on them. If you don’t, when CIP-013 is finally implemented, you will need to scramble to try to get some other assurance from each vendor that they will in effect follow the contract language you want; if the language is already in the contract, you won’t have to do this.
- But how do you find the appropriate contract language? You definitely don’t want to require the same language of every vendor, regardless of risk. Ideally, you want to tailor each vendor’s language to the vendor’s risk level, as well as to the risk level of the systems or software they sell to you. This means you have to make decisions regarding:
  a) What will be your criteria for classifying vendors by risk level?
  b) What will be your criteria for classifying BES Cyber Systems by risk level? For classifying software by risk level?
  c) Since in principle you have to address all supply chain threats (risks) in your plan, which are the threats that you will try to address through contract language? (Of course, you do have to include the six threats that form the rationale for R1.2. But what other threats should you also try to address through contract language, as opposed to getting another type of commitment from the vendor?)
  d) For each risk level, what will be the language you first try to get into the contract, and what will be the language you will finally accept if necessary? Since you aren’t required to address every threat through contract language, at what point will you walk away from the negotiations if the vendor hasn’t met the minimum level of language that you want? In what cases will you simply shut up and sign the contract, even though it doesn’t include any of the language you want?
  e) etc., etc.
The decisions listed above – and more – are the ones you need to make at the beginning of your CIP-013 planning process. If you don’t make them now, you won’t know what contract language to ask for, and contracts will be renewed now that aren’t “CIP-013-ready”. By making these decisions now and asking for appropriate contract language in renewal negotiations, you will be making life much easier for yourself two years from now. This is why you need to start working on CIP-013 compliance very soon.
One more point: I hope you can see that it would be dangerous to wait to start your CIP-013 program until FERC approves the standard, even though there is still some small uncertainty about whether they will. Whenever FERC does approve CIP-013, there will then be only 18 months before you have to have the entire apparatus of CIP-013 up and running. For any NERC entity of a certain size, waiting this long would be very dangerous. And as the man said recently, the nice thing about CIP-013 is that it doesn’t require you to do anything beyond what you should be doing anyway: assessing and classifying risks to the security of your supply chain, then taking risk-prioritized steps to mitigate those risks. So even if FERC remands CIP-013, your money and time are still well spent!
I am currently providing on-site workshops to help your organization prepare for CIP-013 compliance. If you would like to discuss this, please email me at talrich@deloitte.com.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.
[i] Throughout this post, when I refer to CIP-013 I really mean “CIP-013-1, CIP-005-6 and CIP-010-3”, since the latter two contain new requirement parts that were approved along with CIP-013 itself.