Nov. 26: For my analysis of what FERC Order 791 means, including timeline for CIP V5/V6 and the transition to them, please see this exceedingly long post.
Nov. 8: It is very likely FERC will approve CIP Version 5 before Thanksgiving, most likely at their meeting on Nov. 21. Of course, what will be important is the Order they issue with V5. When that is issued, your reporter will sequester himself until he has figured out what it means, and will post that as soon as possible thereafter.
September 22: (The add-on notes to this post are now almost as long as the post itself.) Yesterday I wrote a new post that updates some of the timing information in this post.
September 5: NERC finally released the approved version of this plan today. I can’t see any substantial change from the preliminary one, so this whole post is still good (this post has gathered a very large following – I guess a lot of people are concerned about the topic, for some odd reason). Of note:
- NERC thinks RBAM means “Risk Based Asset Methodology”. Oh well, I sympathize with whoever did that. It's very hard to keep up with all the stuff that NERC throws at you!
- They assume FERC will approve V5 in the third quarter. That seems quite soon to me (also to Scott Mix in his talk to TRE recently), although I think Q4 is realistic.
- They will publish their V5 RSAWs as soon as FERC approves V5. I will be quite interested to see how someone could write an RSAW for CIP-002-5 that actually follows the wording of the standard.
- They still include discussion of the upcoming "Transition Implementation Study". In this study, they will give a few chosen entities about six months to try to implement V5 and then report on their experiences, and NERC will publish lessons learned. As long as they don't think anyone could seriously implement V5 in six months, I suppose this isn't bad; they'll learn something, anyway. But I believe NERC will have to provide a lot of guidance on Version 5, and hopefully they won't wait a couple of years to publish those documents, as they did with the Version 1 guidance.
June 29: I found myself with writer's remorse this morning, thinking I had been too easy on NERC in this post. This happened because I communicated with two NERC entities today who both asked the same question: How can we be sure CIP Version 4 won't come into effect? I had hoped/expected the V5 transition plan would address that question, but at least this draft does not. I said in footnote [vi] below that I hoped NERC would address the question in their final draft, but I realize I should express this hope more prominently. So I have just made this post into something of an open letter to NERC.
August 2: I knew there was a reason why I am the only person in North America working on an August Friday afternoon. NERC just officially released the proposed transition plan. It's exactly the same as what I wrote this post about. What's important is they say this will be finalized on August 14. So the good news is entities will now be able to use either the Version 4 or 5 bright-line criteria instead of their RBAM going forward.
The bad news is they clearly aren't going to address the question of Version 4: whether they won't audit against V4 in the very unlikely event that it comes into effect next year. Again, hardly anyone believes it will actually come into effect, but I know some entities probably consider that still too much of a chance to take. They will have to wait until FERC approves Version 5, perhaps later this year.
NERC has been surprising me lately. They said in May they would have their CIP Version 5 transition plan out around mid-July, and they actually did that (arguably, it’s a week late).[i] This is in sharp contrast to their Version 4 transition plan; they promised that was coming “soon” after FERC approved V4 in April 2012. It didn’t show up until April 11 of this year, after a few false starts. Then exactly one week later, on April 18, FERC made the plan largely invalid by announcing they intend to approve CIP Version 5, and that V4 won’t come into effect. What’s a poor ERO to do?
What they did was get back to the grindstone and work on a V5 transition plan. And now a Boring Alert: I don’t see anything seriously wrong with this plan. Either it’s a decent plan or I’m getting old. Since I know the latter isn’t the case, it must be the former. Below is my summary of the plan. I have consulted with an Interested Party on this, who provided some valuable comments and insight. As is my usual practice when providing this Party’s comments, I will mix them in with my own comments, and let you try to figure out which is which. I will of course take credit for everything good, no matter the source.
Here is my summary of this document:
1. NERC bases their plan on the assumption that FERC will approve Version 5 before April 1, 2014, thus “stopping the clock” on Version 4. Since FERC said this very explicitly in their NOPR, this isn’t going very far out on a limb.
2. They make it clear that, up until the date that Version 5 becomes enforceable (and see this post for a discussion of a possible timeline), Version 3 will remain in effect. Again, nothing surprising here.
3. As in the Version 4 plan, the interesting part is the discussion of options a NERC entity has for identifying their Critical Assets under Version 3, starting now. The Version 4 plan gave just[ii] two options: a) keep using your existing V3 risk-based assessment methodology (RBAM), or b) adopt the Version 4 bright-line criteria in their entirety, so that anything that would be critical under V4 would be critical today under V3. There was an exception to the second option: NERC allowed entities to remove blackstart generating units and substations in the blackstart cranking path from their Critical Asset lists, and said these wouldn’t be treated as CAs once V4 came into effect, either.
4. In the new V5 plan, there are now three options for identifying Critical Assets under V3: a) stick with your current RBAM, b) utilize the V4 bright-line criteria, minus blackstart resources as in the V4 plan[iii], or c) use the V5 criteria[iv] and identify all High and Medium Impact assets[v] from Attachment 1 of CIP-002-5 as Critical Assets under V3. I contend that the Critical Asset lists will be fairly similar whether you use approach b) or c) (and for more on that, see this post, in the section numbered I).
5. Because some Critical Assets may be removed when an entity switches from their RBAM to either the V4 or V5 bright-line criteria, NERC inserts a requirement that the entity should, for criteria that involve third-party designations, provide 90 days’ notice to that third party (RC, PC, TP, etc.) before doing so. You can read about this in the NERC document (see footnote [i] for how to get it), starting at the bottom of page 4.
And that is the plan right there. However, the document also contains an added bonus (at absolutely no additional charge!): announcement of a CIP Version 5 Transition Implementation Study. This study will “help identify successful implementation methods and challenges that the industry may face in transitioning to CIP Version 5, including identifying circumstances where entities will not be able to maintain compliance with CIP Version 3 while implementing CIP Version 5.”

NERC plans to choose six to eight entities (from among the thousands who will no doubt volunteer) to start implementing Version 5 compliance in October 2013 (that date was chosen because NERC is now developing Version 5 RSAWs, which won’t be ready until then). They are expected to finish work in the first quarter of 2014, and report on their problems and experiences to NERC. NERC will then prepare a report that will “synthesize the Responsible Entities’ experiences in applying CIP Version 5, focusing on the effectiveness of meeting the CIP Version 5 Requirements and the methods employed during implementation.” This will in turn lead to the final “Cyber Security Standards Transition Guidance” document[vi] in Q2 2014.
I (and the Interested Party) see a big problem with this: The idea that an entity of any size could complete (or even make a big dent in) their implementation of CIP V5 in six months is very far-fetched (unless they have almost no assets in scope, which then makes their participation in the study meaningless). I can see doing a gap assessment and then perhaps starting on implementation (assuming there’s no delay waiting for funding, which strikes me as pretty unlikely for most NERC entities) in six months, but that’s about it. So I’m afraid the report won’t be the definitive guide NERC wants it to be. In other words, look for the V5 situation to be even more confused a year from now (if such a thing is possible), despite the report.
The question then becomes, how else will NERC provide guidance on V5? This is a huge change, and there will have to be a lot of education for NERC entities: on applying the bright-line criteria, on trying to muddle through the morass of non-sequiturs known as CIP-002-5[vii], on grouping BES Cyber Assets into BES Cyber Systems, on properly dividing substations into transmission elements (subject to Version 5) and distribution elements (not subject), etc. I’m sure NERC’s honest answer would be, “Darned if we know[viii].”
The Interested Party brought up something else I hadn’t thought of: What about cases where implementing V5 compliance will actually cause an entity to fall out of compliance with V3 (e.g. replacing the annual requirements in V3 with the 15-month requirements in V5)? This person thinks that auditors will have to be lenient with the entities in these cases, as long as it is clear they are really implementing V5 and not just violating V3.
If you haven't signed up for the joint Honeywell / EnergySec webinar on CIP Version 5 on August 21, "Covering your Assets in CIP Version 5", I recommend you do it today! Seats are going fast, and you might end up sitting behind a pole if you wait too long. Remember, even if you can't make that date, you should still sign up, so you'll receive the link to the recording when it's available a couple of days after the webinar. You can sign up here.
[i] The title of the plan says “Proposed”, so it doesn’t have the same status as the V4 plan released in April. I hope NERC finalizes this soon; it doesn’t seem to need much more work, IMHO. I would like to provide a link to the plan here, but I can’t because I don’t think it’s on the NERC website now – I received it through one of the regional entities’ mailing lists. The best I can say is you can email me at tom.alrich@honeywell.com and I’ll send it to you.
[ii] I’m really simplifying what the V4 plan said here. You can see it described in all its glory in my post that came out a few days later.
[iii] Although be sure to see footnote 3 on page 4 of the document. That note points out that control centers which control blackstart resources will remain Critical Assets, even though the blackstart resources themselves won’t be.
[iv] You may well wonder, “Since CIP V4 isn’t ever going to come into effect, why would anyone choose to use the V4 criteria to identify Critical Assets under V3? Why wouldn’t people either stick with their RBAM, or move to the V5 criteria in anticipation of V5 coming into effect?”

I can think of a few reasons: 1) Since the V4 transition plan gave NERC entities the option of using the V4 criteria starting in April, some may have already moved along that path; 2) Given that blackstarts have been removed from the V4 criteria anyway, the V4 and V5 criteria are now fairly close in their coverage; 3) I’m told by transmission people that the V5 criteria for substations are more inclusive than the V4 ones are (i.e. more subs would be Mediums under V5 than would be Critical Assets under V4), which means that an entity with substations might be able to reduce its immediate compliance burden by using the V4 criteria, and just implementing the V5 criteria when V5 itself (or V6) comes into effect.
[v] A literal reading of CIP-002-5 Attachment 1 will leave you confused since it refers to both Assets and Facilities. Don’t even get me started on the wording problems with CIP-002-5; you can read about my own confusion with that deeply flawed standard here.
[vi] This is the actual name of the document I’m calling the Version 4 Transition Plan here. This leads me to fear that NERC isn’t planning to issue a “final” version of the V5 plan; in other words, the “proposed” version I’m writing about in this post may be the last version published. It will obviously help to provide the lessons of the V5 Transition Implementation Study to the industry when they’re available, but by not finalizing the V5 plan now, NERC won’t give the industry the option of using the V5 criteria now, in place of their V3 RBAM. That is because the official Transition Plan remains the April one, which didn’t mention V5 criteria at all. So I hope my fears are unfounded, and that this “proposed” plan becomes a final one soon.
[vii] Of course, this assumes my suggestion to rewrite CIP-002-5 from scratch – and the alternate version I proposed to FERC – will be ignored. I think that’s a pretty safe bet.
[viii] I will admit that, at the moment, it’s probably not worthwhile for NERC to be producing a lot of guidance on V5, given that it isn’t known what changes FERC will require in it. That excuse may go away when FERC issues their final order approving V5 (and most likely requiring changes in a compliance filing). I recently learned that NERC is expecting this to happen this September. One thing that will definitely help the transition is having the RSAWs for V5, which NERC says they’ll provide by October.
Notice: Honeywell has produced three white papers on CIP Version 5 - what's in it and how you can comply with it. They aren't posted yet, but to get copies, just email me at tom.alrich@honeywell.com
All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.
If you are getting a bunch of HTML tags in this post, it may be because you're still on IE version 8 (as I am). I resolved these problems a couple months ago by downloading Google Chrome - although I still use IE8 for other things, mainly because I'm incurably stubborn. I believe the problems will also go away if you upgrade to IE9 or 10.