All opinions expressed herein are mine, not
necessarily those of Honeywell
International, Inc.
July 31: I listened to
Scott Mix's excellent presentation to TRE on CIP Version 5 today (7/31). I
submitted the question of when NERC would tell entities it was OK not to worry
about V4 anymore, but he didn't explicitly answer it. However, from other
things he said I can infer his answer: NERC expects FERC to approve CIP Version
5 this year, but until then, NERC entities can't rest assured that Version 4
won't come into effect on 4/1/2014. He spent a lot of time discussing timeline
for V4 compliance, etc.
Sept. 7: To nobody's surprise, the final version of the CIP Version 5 Transition Plan ignores my sage advice below. So we'll have to wait for FERC to approve V5 directly and put an end once and for all to the idea that V4 might still happen.
Dear NERC:
This isn't great
news, since I know it means some entities will continue to spend money on
Version 4 compliance, even though that will in all likelihood be wasted. All I
can say is I tried, and I hope FERC approves Version 5 in September, as NERC
seems to think they will (although Scott said he thought it would be later this
year).
Aug. 2: I knew there was a reason why I am the only person in North America working on an August Friday afternoon. NERC just officially released the proposed transition plan - the same one I saw a week ago. However, they say this will be finalized on Aug. 14. This is good because there will now be an official plan for transitioning to Version 5. But it's bad because they clearly aren't going to address the issue of whether Version 4 will come into effect - and whether they'll audit against it if by some chance it does. So entities who want a final word on this will have to wait until FERC approves Version 5.
Aug. 2: I knew there was a reason why I am the only person in North America working on an August Friday afternoon. NERC just officially released the proposed transition plan - the same one I saw a week ago. However, they say this will be finalized on Aug. 14. This is good because there will now be an official plan for transitioning to Version 5. But it's bad because they clearly aren't going to address the issue of whether Version 4 will come into effect - and whether they'll audit against it if by some chance it does. So entities who want a final word on this will have to wait until FERC approves Version 5.
Sept. 7: To nobody's surprise, the final version of the CIP Version 5 Transition Plan ignores my sage advice below. So we'll have to wait for FERC to approve V5 directly and put an end once and for all to the idea that V4 might still happen.
Dear NERC:
I was
pleased with what was in the proposed CIP
Version 5 Transition Plan released last week. However, I have a big concern about something
that wasn’t in it.
My concern
is about guidance on CIP Version 4. As
you know, FERC made it quite clear in their NOPR that they don’t intend to let
Version 4 come into effect. However, it was exactly one year before that NOPR,
in Order 761, that they had made it very clear that Version 4 would come into effect.
A number of
NERC entities (and I talked to two of them just this morning) believe they can’t
take a chance that FERC will change their mind again and V4 will come into
effect. Some of them are still going
forward with Version 4 preparation, including things like documentation and
training that will not be applicable to CIP Version 5 – i.e. these are probably
stranded costs that might not be allowed by the PUC’s.
I had reason
to believe the Version 5 plan would indeed address this question. I thought Scott Mix’s comments at the SPP CIP
Workshop in Dallas in May (which I reported in this
post, see the paragraph numbered 6) indicated the plan would do that. However, there is no word at all about
it. I certainly hope the final plan –
which I also hope will be issued soon – will address the issue. Let me suggest some rough language that
would, I believe, allow a lot of NERC compliance professionals (as well as
utility and IPP CEO’s!) to sleep at night:
Should CIP Version 4 come into effect
as currently scheduled, and absent some other FERC directive on this issue,
NERC will encourage the Regional Entities not to audit for strict compliance
with CIP Version 4. Instead, NERC will encourage
the Regional Entities to recommend to their members that any assets, not
currently critical under CIP Version 3, be instead prepared for CIP Version 5
compliance.[i]
Oh, and one
more thing before I let you go, NERC. It
seemed in the discussion of the Transition Implementation Study (included with
the proposed transition plan) that the final plan might not come out until the
study was completed – i.e. in Q2 2014. I
hope I’m wrong about this interpretation.
Needless to say, since Version 4 will come into effect on the first day
of that quarter (if it comes into effect at all), it will obviously not help
any NERC entity if the V5 plan – even with the statement above – comes out
after that! The final plan really needs
to come out very soon (tomorrow would be fine with me), since some NERC
entities are incurring stranded V4 compliance costs as I write this sentence.
Please let
me know as soon as possible (you can comment below or send me an email at tom.alrich@honeywell.com) when and how
you will address this issue.
Respectfully
yours,
Tom Alrich
Overall
Nuisance and NERC/FERC Scold
[i]
This recommendation is valid because, as far as I – speaking as Tom Alrich –
know, there are few if any assets that would be Critical Assets under the
Version 4 bright-line criteria that wouldn’t also be High or Medium impact
under the Version 5 criteria. And also
because any assets that are currently Critical Assets under Version 3, that
would remain critical under the Version 4 criteria, wouldn’t have to have
anything done to them to remain in compliance under V4 – since CIP-003 through
CIP-009 remain the same in V4 as in V3.
The only exception to this statement – and this once
again proves my ironclad rule that no exception-less statement can be made
about anything having to do with NERC – would be >1500MW plants, where the
provision in CIP-002-4 R2 about Critical Cyber Assets would make V4 compliance
different from V3. But that’s not worth
worrying about now, since again the chances of V4 actually coming into effect
are very remote indeed.
No comments:
Post a Comment