On October
19, FERC issued a Notice of
Proposed Rulemaking, stating that they intend to approve CIP-003-7, which
was submitted to them early this year after a lively debate
within NERC last year. To be honest, while I skimmed through this document when
it came out, I haven’t had time to spend some quality time with it until this
past weekend. And in doing so, I realized there are a few posts I should write
about it. Here’s the first one.
Every time
FERC has approved a new version of the CIP standards, they have taken the “yes,
but…” approach. They approve the proposed standards, but then they order some
improvements to them. Because the NERC Rules of Procedure don’t allow a
standard to be modified once it has been approved by the NERC Board of Trustees
– and this always happens to a proposed new standard before it is even
submitted to FERC – these improvements always have to be addressed in a new
version of the standard.
So it will
be in this case. NERC will need to start work soon on drafting a new version of
CIP-003 that will address FERC’s further mandate in this NOPR. Since the drafting
team that developed CIP-003-7 is still meeting, I would think this will be
added to their Standards Authorization Request (SAR), rather than NERC’s having
to constitute a new SDT for this task. Meanwhile, FERC will almost certainly
approve CIP-003-7[i],
and that version will presumably come into effect before the new version of
CIP-003 does (which I assume will be CIP-003-8).
Buried
within the NOPR is an interesting notice. In section D paragraphs 45 and 46, FERC
stated their intention to approve the CIP-003-7 Implementation Plan, which was
of course approved and submitted with the proposed standard itself. That plan
calls for an 18-month implementation period (after the date of FERC’s Order
approving the CIP-003-7), but it also calls for the effective date of
CIP-003-6, the currently-approved version, to be replaced with the CIP-003-7
effective date.
The
effective date of CIP-003-6 is Sept. 1, 2018, but this will now be replaced by
the effective date for CIP-003-7; moreover, on the effective date of CIP-003-7,
CIP-003-6 will be “retired”. So what will be the effective date of CIP-003-7? Assuming
FERC approves it in three months (it could be longer), and given that there’s
an 18-month implementation period, this means that NERC entities won’t have to
comply with CIP-003-7 (and specifically, Attachment 1 Sections 2 and 3, since
the rest of the standard is unchanged from v6 and has already come into effect)
until at least 21 months from now, or about July 2019. So NERC entities
effectively have been given close to an additional year to implement specific
controls on electronic and physical access at Low impact sites.
You may want
to include the FERC Commissioners in your holiday card list. They’ve given you
an early present.
The views and opinions expressed here are my own, and do
not reflect those of any organization I work with. If you would like to comment
on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i]
The NOPR just says they propose to approve it. If they had actually approved
it, they would have issued an Order to do so. I am a little surprised that they
wrote a NOPR rather than an Order, since they don’t seem to have any doubt that
they will approve CIP-003-7. It may be that, given that the Commissioners are
all new except for one (Commissioner LaFleur) and therefore only one of them
approved Order
822 (which ordered this change), they want to gather some new comments to
confirm that they should approve it.
No comments:
Post a Comment