FERC’s New NOPR, Part II: You Need to Lose the Idea of CIP “Versions”

This is the second in a series of four posts on the NOPR that FERC released in October; you can read the first one here. As I said in the first post, I just got the chance to spend quality time with the NOPR this past weekend, and I’m writing 4 or 5 posts on interesting things I learned from it.

In the NOPR, FERC said two things. First, they intend to approve CIP-003-7, making this the first “version 7” CIP standard to come into effect. Second, they ordered NERC to draft two important changes to CIP-003-7. This, coupled with the fact that NERC’s Rules of Procedure require these changes to be made in a new version of the standard, ensures that a NERC drafting team will start work on the first “version 8” CIP standard in early 2018.

I’m sure some of you remember when it was possible to state clearly that all of the CIP standards in effect were part of the same version. Less than two years ago, all of the CIP standards in effect had a “-3” after them[i]; there was no question that we were living in the “CIP version 3” world. When the “CIP version 5” standards came into effect in July 2016, we now had two sets of suffixes. Standards CIP-002 through CIP-009 all had “-5” or “-5.1” after them[ii]. Standards CIP-010 and CIP-011 both had “-1” after them, since these were new standards; but they had been developed and balloted with the “-5” standards, so there wasn’t any confusion about their being part of “CIP v5”.

However, when FERC approved CIP v5 they ordered modifications, as they have done when they approved every other CIP version. These required new versions of the standards being modified, as explained above in this post. NERC put together a standards drafting team to make these modifications, but they were explicitly not referred to as the “CIP version 6” drafting team. Instead, they were dubbed the “CIP Version 5 Revisions” SDT, giving the somewhat misleading impression that it was possible to modify a NERC standard without incrementing the version number[iii].

Previously, whenever FERC had approved a new CIP version but ordered changes, all of the CIP standards had been “revved” to the new version, even if they weren’t affected by those changes. For example, when FERC approved CIP v2 in 2009, they ordered a single modification: revision of CIP-006 to add a requirement for escorted access of visitors into the ESP. However, the team that developed this modification to CIP-006 also incremented the version number for all the other CIP standards, so they all had the “-3” suffix when they came into effect in 2010.

However, the CIP v6 team opted not to do this, and instead only incremented the version number of the standards that were modified (I had assumed that they would end up incrementing all the version numbers and calling the package CIP v6, but this didn’t happen. About a year later I attended a NERC presentation on the new standards in Atlanta where they did actually call them CIP v6, but in general NERC has studiously avoided using The Version Number that Dare not Speak Its Name). So when “CIP version 6” came into effect last year, six of the standards had “-6” after them, while three had “-5.1” or “.5” after them. And since both CIP-010 and CIP-011 were modified, they now had “-2” as a suffix.

When it became apparent that there would no longer be a consistent version number for all the CIP standards, I raised a protest, saying this would be confusing. But a few experienced NERC professionals pointed out to me that, in the other NERC standards families like COM and EOP, it has been a long time – if ever – since these standards were all on the same version number. I responded that, since so many CIP professionals came from other standards environments like PCI and HIPAA, where the version numbers were always uniform, they wouldn’t be used to this.

Now I realize this was a losing battle. Consider the other CIP changes since “CIP v6”:

1. As I said above, CIP-003 will be at the v7 level in less than two years; plus a drafting team will start work on v8 of that standard soon.
2. The second version of a new standard, CIP-014-2, is in effect.
3. CIP-013-1, the new supply chain security standard, has been submitted to FERC for approval.
4. Along with CIP-013, two modified versions of existing CIP standards were submitted, and will be approved along with CIP-013. These are CIP-005-6 (CIP-005 was one of the three standards that wasn’t modified when “CIP version 6” was developed) and CIP-010-3 (this becomes v3 of the standard, since CIP-010 was modified under “CIP v6” and thus became CIP-010-2).
5. A new standard, CIP-012, is being balloted now, and will most likely come into existence as version 1.
6. The current CIP Modifications SDT is working on modifications to other standards, because of other tasks mandated in their SAR that haven’t reached the drafting stage yet. This includes the changes required to incorporate virtualization into CIP, which will likely require modifications to most of the CIP standards (and these will of course simply increment the existing version numbers, leading to even more diversity, although it would be nice if all the standards could be brought up to the same level, e.g. version 9 or whatever the “high water mark” is at the time they come into effect[iv]).

So how are you to keep track of what versions of the different CIP standards are currently in effect? Fortunately, NERC has put on their web site – and will be maintaining as changes are made, I’m sure – a spreadsheet showing current and recent versions of all the NERC standards (not just the CIP ones). It’s called the “US Standard One-Stop-Shop”. You might want to plan on downloading it regularly so you can be sure you’re always dealing with the most recent versions (it includes links to all the standards as well as their RSAWs, FERC Orders, Lessons Learned and Compliance Guidance); this is especially important if you deal with other NERC standards besides the CIP family.

For your amusement, here are the current effective versions of all the CIP standards, according to the most recent version of this spreadsheet:

• CIP-002-5.1a
• CIP-003-6
• CIP-004-6
• CIP-005-5
• CIP-006-6
• CIP-007-6
• CIP-008-5
• CIP-009-6
• CIP-010-2
• CIP-011-2
• CIP-014-2

And as I already said, the diversity of these version numbers is only going to increase as we go forward.

The moral of this story? We all need to disabuse ourselves of the idea that there is any longer a “version number” for the CIP standards as a group. Instead, we all need to be checking regularly that we are working from the current version of each standard.

The views and opinions expressed here are my own, and do not reflect those of any organization I work with. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

---

[i] Some had “-3a” or “-3b” after them, meaning that an approved Interpretation had been applied to them.

[ii] The “-5.1” was the result of an error correction that NERC made before FERC approved the v5 standards in November, 2013.

[iii] I believe this was done because of the real wounds incurred by some NERC entities during the great CIP v4 debacle, when different groups – sometimes within one NERC entity - had different opinions about whether v4 or v5 would be the next version that entities would have to comply with. In April of 2012, FERC surprised the industry (and certainly me!) by approving CIP v4, while CIP v5 was actively being drafted. I have a theory about why they did this (which was later obliquely confirmed to me by a FERC staff member), but it’s too involved to go into here (if you’re interested in this, you can email me at tom@tomalrich.com and I’ll be glad to tell you the whole sad story. Let’s just say that FERC’s approval of CIP v4 – when they were not really intending to have it come into effect – caused a lot of confusion in the industry, and undoubtedly resulted in at least some NERC entities spending substantial sums of money that came for naught. It wasn’t exactly FERC’s finest hour, in my opinion).

[iv] However, as I’ve pointed out recently, I consider it highly unlikely that the CIP Modifications SDT will ever complete any of the remaining items in its SAR, unless they’ve reached the drafting stage. This includes virtualization, which is certainly a great idea - but it will probably take more than ten years to get all of the required changes drafted and approved (I’m not kidding about this). But the team still has CIP-012 on its plate, and I believe CIP-003-8 will be added soon, as discussed in the previous post in this series. So the drafting team members aren’t going to be lacking for ways to occupy their time!