This is the
second in a series of four posts on the NOPR that FERC released in October; you
can read the first one here.
As I said in the first post, I just got the chance to spend quality time with
the NOPR this past weekend, and I’m writing 4 or 5 posts on interesting things
I learned from it.
In the NOPR,
FERC said two things. First, they intend to approve CIP-003-7, making this the
first “version 7” CIP standard to come into effect. Second, they ordered NERC
to draft two important changes to CIP-003-7. This, coupled with the fact that
NERC’s Rules of Procedure require these changes to be made in a new version of
the standard, ensures that a NERC drafting team will start work on the first
“version 8” CIP standard in early 2018.
I’m sure some
of you remember when it was possible to state clearly that all of the CIP
standards in effect were part of the same version. Less than two years ago, all
of the CIP standards in effect had a “-3” after them[i]; there
was no question that we were living in the “CIP version 3” world. When the “CIP
version 5” standards came into effect in July 2016, we now had two sets of
suffixes. Standards CIP-002 through CIP-009 all had “-5” or “-5.1” after them[ii].
Standards CIP-010 and CIP-011 both had “-1” after them, since these were new
standards; but they had been developed and balloted with the “-5” standards, so
there wasn’t any confusion about their being part of “CIP v5”.
However,
when FERC approved CIP v5 they ordered modifications, as they have done when
they approved every other CIP version. These required new versions of the
standards being modified, as explained above in this post. NERC put together a
standards drafting team to make these modifications, but they were explicitly
not referred to as the “CIP version 6” drafting team. Instead, they were dubbed
the “CIP Version 5 Revisions” SDT, giving the somewhat misleading impression
that it was possible to modify a NERC standard without incrementing the version
number[iii].
Previously,
whenever FERC had approved a new CIP version but ordered changes, all of the
CIP standards had been “revved” to the new version, even if they weren’t
affected by those changes. For example, when FERC approved CIP v2 in 2009, they
ordered a single modification: revision of CIP-006 to add a requirement for
escorted access of visitors into the ESP. However, the team that developed this
modification to CIP-006 also incremented the version number for all the other
CIP standards, so they all had the “-3” suffix when they came into effect in
2010.
However, the
CIP v6 team opted not to do this, and instead only incremented the version
number of the standards that were modified (I had assumed
that they would end up incrementing all the version numbers and calling the
package CIP v6, but this didn’t happen. About a year later I attended a NERC
presentation on the new standards in Atlanta where they did actually call them
CIP v6, but in general NERC has studiously avoided using The Version Number
that Dare not Speak Its Name). So when “CIP version 6” came into effect last
year, six of the standards had “-6” after them, while three had “-5.1” or “-5”
after them. And since both CIP-010 and CIP-011 were modified, they now had “-2”
as a suffix.
When it
became apparent that there would no longer be a consistent version number for
all the CIP standards, I raised a protest, saying this would be confusing. But
a few experienced NERC professionals pointed out to me that, in the other NERC
standards families like COM and EOP, it has been a long time – if ever – since
these standards were all on the same version number. I responded that, since so
many CIP professionals came from other standards environments like PCI and
HIPAA, where the version numbers were always uniform, they wouldn’t be used to
this.
Now I
realize this was a losing battle. Consider the other CIP changes since “CIP
v6”:
- As I said above, CIP-003 will be at the v7 level in less
than two years; plus a drafting team will start work on v8 of that
standard soon.
- The second version of a new standard, CIP-014-2, is in
effect.
- CIP-013-1, the new supply chain security standard, has
been submitted to FERC for approval.
- Along with CIP-013, two modified versions of existing CIP
standards were submitted, and will be approved along with CIP-013. These
are CIP-005-6 (CIP-005 was one of the three standards that wasn’t modified
when “CIP version 6” was developed) and CIP-010-3 (this becomes v3 of the
standard, since CIP-010 was
modified under “CIP v6” and thus became CIP-010-2).
- A new standard, CIP-012, is being balloted now, and will
most likely come into existence as version 1.
- The current CIP Modifications SDT is working on
modifications to other standards, because of other tasks mandated in their
SAR that haven’t reached the drafting stage yet. This includes the changes
required to incorporate virtualization into CIP, which will likely require
modifications to most of the CIP standards (and these will of course
simply increment the existing version numbers, leading to even more
diversity, although it would be nice if all the standards could be brought
up to the same level, e.g. version 9 or whatever the “high water mark” is
at the time they come into effect[iv]).
So how are
you to keep track of what versions of the different CIP standards are currently
in effect? Fortunately, NERC has put on their web site – and will be
maintaining as changes are made, I’m sure – a spreadsheet showing current and
recent versions of all the NERC standards (not just the CIP ones). It’s called
the “US
Standard One-Stop-Shop”. You might want to plan on downloading it regularly
so you can be sure you’re always dealing with the most recent versions (it
includes links to all the standards as well as their RSAWs, FERC Orders,
Lessons Learned and Compliance Guidance); this is especially important if you
deal with other NERC standards besides the CIP family.
For your
amusement, here are the current effective versions of all the CIP standards,
according to the most recent version of this spreadsheet:
- CIP-002-5.1a
- CIP-003-6
- CIP-004-6
- CIP-005-5
- CIP-006-6
- CIP-007-6
- CIP-008-5
- CIP-009-6
- CIP-010-2
- CIP-011-2
- CIP-014-2
And as I
already said, the diversity of these version numbers is only going to increase
as we go forward.
The moral of
this story? We all need to disabuse ourselves of the idea that there is any
longer a “version number” for the CIP standards as a group. Instead, we all
need to be checking regularly that we are working from the current version of
each standard.
The views and opinions expressed here are my own, and do
not reflect those of any organization I work with. If you would like to comment
on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] Some had “-3a” or “-3b” after them, meaning that an approved Interpretation had
been applied to them.
[ii] The “-5.1” was the result of an error correction that NERC made before FERC
approved the v5 standards in November, 2013.
[iii] I believe this was done because of the real wounds incurred by some NERC
entities during the great CIP v4 debacle, when different groups – sometimes within
one NERC entity – had different opinions about whether v4 or v5 would be the
next version that entities would have to comply with. In April of 2012, FERC
surprised the industry (and certainly me!) by approving CIP v4, while CIP v5 was
actively being drafted. I have a theory about why they did this (which was
later obliquely confirmed to me by a FERC staff member), but it’s too involved to
go into here (if you’re interested in this, you can email me at tom@tomalrich.com and I’ll be glad to tell
you the whole sad story. Let’s just say that FERC’s approval of CIP v4 – when
they were not really intending to have it come into effect – caused a lot of
confusion in the industry, and undoubtedly resulted in at least some NERC
entities spending substantial sums of money that came
to naught. It wasn’t exactly FERC’s finest hour, in my opinion).
[iv] However, as I’ve pointed out recently,
I consider it highly unlikely that the CIP Modifications SDT will ever complete
any of the remaining items in its SAR, unless they’ve reached the drafting
stage. This includes virtualization, which is certainly a great idea – but it
will probably take more than ten years to get all of the required changes
drafted and approved (I’m not kidding about this). But the team still has
CIP-012 on its plate, and I believe CIP-003-8 will be added soon, as discussed
in the previous post in this series. So the drafting team members aren’t going
to be lacking for ways to occupy their time!