If you’re looking for my pandemic posts,
I’ve created a new blog for them. If
you’re looking for my cyber/NERC CIP posts, you’re at the right place. And if
you’re looking for my usual April Fool’s Day post, you’re out of luck. I don’t
see anything funny to write about today.

A number of people
have asked me lately about the CIP-013 compliance date – will it actually be
pushed back three months, as I suggested should be done in my post
on March 12? Of course, NERC can’t postpone the date on their own. They (or
someone else concerned) need to petition FERC to do this. And FERC will need to
convene a meeting to discuss and approve this (or not), although I would certainly
hope that nowadays it would be a virtual meeting. There are only three out of
five commissioners now, but that’s still a quorum, so it should be doable. But
I haven’t heard of any move afoot at NERC now to petition FERC.

I put out another post on the 18th, saying that I still expect it will be pushed back, but
that people who have been blessed (?) with the task of writing the supply chain
cyber security risk management plan should keep working under the assumption
the date won’t change – although if it’s ever a choice between working on
CIP-013 and keeping the lights on during this difficult time, you definitely
need to choose the latter!

This remains
my position, but I think it’s time to do something more. In the March 12 post,
I briefly mentioned the CIP version 5 experience, in which the compliance date
was postponed from April 1 to July 1, 2016, for reasons you can read about here.
Here is the rough order in which events occurred, without trying to dig up
specific dates:
- FERC approved CIP version 5 in November 2013. The
compliance date was set for April 1, 2016.
- FERC approved CIP version 6 in late January 2016; by doing
that, the compliance date for v6 was set for July 1 of the same year.
- NERC entities began to realize that, if CIP v5 came into
effect on schedule on April 1, they would have to have all of their
documentation, procedures, training, etc. for v5 in place on that day –
and then on July 1 they’d have to throw a lot of that away (with most
documentation and procedures it would have been a fairly simple task to
update them to v5, but for some requirements that had changed in v6, there
was going to be real work to do). They started asking NERC to petition
FERC to move the v5 date back.
- NERC, for some reason, didn’t find this to be a great
idea, so they didn’t petition FERC in a timely manner.
- At that point, the trade associations (I’m not sure which
ones – perhaps all four, which are EEI, APPA, NRECA and EPSA) got together
and petitioned FERC on their own.
- NERC – again for some inscrutable reason I couldn’t fathom
– actually made a filing opposing the petition. But FERC approved it, and
the date was moved back.

This isn’t
my call, but I think the Trades should start considering – if they aren’t
already – filing their own petition. I can’t imagine why FERC would turn it
down. But we’ll never know if they will or won’t approve the petition if it
doesn’t get filed in the first place.

Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. If you’re with
a NERC entity, have you started working on your CIP-013 plan but gotten stuck
somewhere? Or even if you’re not stuck but you would like to have me review the
plan to suggest ways to improve it, I’d be glad to discuss this with you. Just
drop me an email.