In FERC’s Sunshine Meeting this morning, they issued a Notice of Proposed Rulemaking that says they intend to approve NERC CIP-013, the supply chain security risk management standard, as well as the accompanying modifications to CIP-005 and CIP-010. Of course, the interesting part was what they also said. Here is my summary:
First, they find that NERC did a good job of drafting a standard that carries out what they mandated in Order 829. However, Commissioner LaFleur, in her statement concurring with the Commission’s decision, says “The proposed standards would provide significant flexibility to registered entities to determine how best to comply with their requirements. In my view, that flexibility presents both potential risks and benefits. It could allow effective, adaptable approaches to flourish, or allow compliance plans that meet the letter of the standards but do not effectively address supply chain threats. I hope that we will see more of the former, but I believe the Commission, NERC, and the Regional Entities should closely monitor implementation if the standards are ultimately approved.”
What Commissioner LaFleur is asserting is similar to what I’ve been (at least implicitly) saying in my recent posts about auditability of CIP-013: There really isn’t much in the requirements themselves that would allow NERC to reject a plan that was clearly inadequate. However, I’ve also been saying that I’m not too concerned about whether plan-based standards like CIP-013 are auditable or not. What matters is whether the NERC entity can get assistance from their Regional Entity, over the course of developing and implementing their plan, in making sure their plan is a good one and is implemented well. This goal isn’t furthered by audits (or at least, audits are a very inefficient way of furthering it); I described another way that the Regions could provide this assistance in this post.
Second, FERC questioned why CIP-013 only applies to Medium and High impact BES Cyber Systems, not Low BCS or Medium and High Electronic Access Control and Monitoring Systems (EACMS), Protected Cyber Assets (PCAs), or Physical Access Control Systems (PACs). Since NERC is currently conducting a study (ordered by the Board of Trustees when they approved CIP-013 last August) of additional supply chain risks, including those associated with Low impact BCS, the Commission stated that this study should go forward, although it should also look at risks associated with PACs and PCAs.
However, regarding EACMS, the Commission stated that the risks associated with these systems are sufficiently clear that there’s no need to wait for a study. Accordingly, FERC proposes to order that EACMS be included in the applicability of CIP-013, and is seeking comments on this proposal. Since NERC standards can’t be modified once approved by the Board of Trustees, this means that the CIP-013 drafting team will need to develop a modified CIP-013 (as well as CIP-005 and CIP-010) that includes EACMS in the applicability section.
The above two items in the NOPR aren’t terribly surprising. However, there is one item that was surprising (or at least I was surprised by it), relating to the implementation date for the three new or revised standards. FERC believes that the current 18-month implementation plan is too long by six months. They are proposing (and seeking comments) to order NERC to change this to 12 months. In other words, in the same Order in which FERC approves CIP-013 (and the revised CIP-005 and CIP-010), FERC would order NERC to revise the CIP-013 Implementation Plan.
FERC is seeking comments on this proposal, but I sincerely doubt they’re going to change their mind on this. So let’s say FERC issues their Order this May. NERC will have to revise the Implementation Plan[i] to 12 months. 12 months after this May is obviously May 2019. Since the Implementation Plan says that the effective date will be the first day of the calendar quarter after this, it means the effective date of CIP-013 will be July 1, 2019. If FERC issues their Order after June of this year, the effective date will be October 1, 2019. In either case, this will be before the implementation date I had been anticipating, which is either January 1 or April 1, 2020.
So, as of today, you have less than 21 months to implement CIP-013, and perhaps less than 18 months. I don’t think any medium-to-large NERC entity should wait any longer to at least develop a plan for implementing CIP-013 compliance by July 1, 2019.
And – as I mentioned in my last post – Tom Alrich Consulting would be pleased to discuss with you how we might help you develop your plan to come into compliance with CIP-013-1, CIP-005-2 and CIP-010-3. If you would like to set up a time to discuss this, please drop me an email at the address below. Since I happen to know the owner of TAC very well[ii], I’ll make sure he pays close attention to you!
The views and opinions expressed here are my own, and do not reflect those of any organization I work with. If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org.
[i] And if you think this revised Implementation Plan would probably be voted down by the NERC membership and would therefore be null and void, you’re engaging in wishful thinking. If the NERC membership doesn’t approve a new or revised standard (or implementation plan) that has been ordered by FERC, the NERC Board of Trustees is required by the Rules of Procedure to develop this themselves and submit it to FERC. In other words, the NERC membership will have two options: a) approve the new standard, or b) have the Board approve it anyway. Isn’t choice wonderful?
[ii] OK, perhaps not that well. He’s always surprising me.