Dec. 15: For an update to this post, based on information from the NERC CIPC meeting in Atlanta last week, see this new post.
FERC issued Order 791 on Friday November 22, approving NERC CIP Version 5. If you’re looking for my rating, I guess I give it 1 ½ thumbs up. What it does, it does well. However, it doesn’t do everything I had hoped it would do. For more on this, read on. Note that page numbers below refer to the page numbers in the Order itself, not what Adobe Reader™ will show you when you read the PDF version.
As I and others have suspected for a while, FERC is requiring that NERC develop a new version of CIP, even though in the Order they always speak in terms of changes to Version 5. However, they can’t both approve Version 5 and order it changed. The changes have to appear in a new version, which will be based on V5. I believe that version will be called CIP Version 6.
NERC is to deliver the new version within one calendar year of the effective date of CIP Version 5 (meaning it has to be drafted, balloted by the NERC membership and approved by the Board of Trustees). On page 145 of the Order, FERC says the effective date will be 60 days after publication of their Order in the Federal Register. Since orders are usually published in a few days, this means the effective date of the Order will be in late January, 2014. So FERC wants the new version by January, 2015.
FERC directed that NERC include several changes in the new version, which I discuss in sections 1 through 3 below. The remaining sections of this post discuss other directives (or in two cases, non-directives) in Order 791.
1. “Identify, Assess and Correct”
The Identify, Assess and Correct language (hereinafter IAC) was one of the signature features of CIP Version 5 when it was approved by NERC. In their NOPR of last April and again in Order 791, FERC expressed grave misgivings about that language (which is found in 17 requirements in V5). They made it very clear they find too many ambiguities in the whole idea, and they feel that NERC hasn’t adequately explained how the IAC process will work. The discussion is quite interesting and worth reading, but I won’t discuss the details here (it starts on page 25 of the Order).
Of course, a lot of people are going to be disappointed by the death of IAC (although they shouldn’t be surprised that it happened, if they read my post in September as well as a couple previous ones). But I actually think FERC’s discussion should give them more than a few rays of hope. This is because FERC makes a point of talking nicely about the NERC Reliability Assurance Initiative (on page 42 of the Order). They say “…the Reliability Assurance Initiative process when fully developed may afford a consistent, informed approach that provides incentives for entities to develop robust internal control programs.”
Briefly, the RAI will essentially do what IAC was intended to do – move the enforcement process from being based on zero tolerance for even the slightest, most insignificant infraction to making sure the entity has a robust program for compliance. It will not require changes to the standards at all (and it will ultimately apply to all the NERC standards, not just CIP) but rather to the CMEP, which is NERC’s Bible for monitoring and enforcement of compliance. As far as I know, this is the first time FERC has provided encouraging words about RAI (they mentioned it, although not by name, in the V5 NOPR, but there really wasn’t much information on RAI available last April. A lot of information has since come out, and a few of the regions are already piloting RAI).
So here’s the hope: If RAI is implemented for CIP before the implementation date for V5, then it really doesn’t matter that IAC isn’t in the language. You’ll effectively be audited based on IAC anyway. Of course, there is still a lot of possibility for slippage in this scenario, so I’m not going to place the go-for-broke $5 bet that I normally place when I am quite certain something will happen.[i]
One other interesting point from the IAC discussion: FERC clearly thought NERC didn’t fight hard enough for IAC. And I have to agree with them. I was very surprised, when I read NERC’s comments on the NOPR submitted in June, that they were proposing to clear up the enforcement questions that FERC raised in the NOPR – six months after FERC approves V5! In essence, they were telling FERC, “We admit there are a lot of things that need to be cleared up. First you approve V5 (with IAC of course), then we’ll clear them up.”
Such a deal – does anyone wonder why FERC didn’t take it?
If NERC had been really serious about this, they would have busted a__ to clear up the ambiguities this summer, so FERC could have had that information before they made their decision; did they really think that FERC would just trust that NERC had the enforcement all figured out, and just didn’t have the time to write it down before FERC approved V5? It really seems as if NERC had given up on IAC (perhaps because RAI was moving forward), and didn’t think it would do any good to make much of an effort to change FERC’s mind on it. They may well have been right, of course; I for one think that, given FERC’s language in the NOPR, there wasn’t much chance of saving IAC.
The bottom line is FERC didn’t change their mind about IAC. They state on page 40 (paragraph 70), using the driest of humor, “NERC’s proposal that the Commission approve this language in numerous requirements of the CIP version 5 Standards, while postponing a detailed explanation regarding the understanding, compliance implications and proper implementation of the proposed language to a future time, is an inadequate approach.”
2. The Lows
I had the most admiration for FERC in the way they dealt with Low impact assets. I thought they a) listened carefully to the comments on their NOPR statements about Lows and adjusted their position accordingly, and b) came up with a solution that makes clear what they want but allows NERC a lot of flexibility in how they achieve that.
FERC said two important things about Low impact assets in their NOPR. The second (but easier to deal with, so I’ll discuss it first) was their questioning of the language in CIP-002-5 and CIP-003-5 saying that an inventory of cyber assets at Low impact facilities isn’t required. FERC clearly thought in April that an inventory was needed to protect the Bulk Electric System (or the Bulk Power System, since FERC always uses that term).
However, the comments they received in June were overwhelmingly against this, because of the huge effort it would take to conduct this inventory (at least for some entities, such as the large government entity that said at a WECC meeting that they had potentially 350,000 cyber assets that would have to be inventoried. I also know other entities that have had this inventory all along, as a matter of good security and asset management practice). FERC listened to those comments, and changed their mind. They state clearly on page 65 of the Order that they don’t think it would be a good idea to require an inventory for the Lows.
The second proposal FERC made about Lows in their NOPR (page 38) was “we propose to direct NERC to develop a modification to CIP-003-5, Requirement R2, to require responsible entities to adopt specific, technically-supported cyber security controls for Low Impact assets, as opposed to the proposed unspecified policies.” Of course, the comments about this proposal were as negative as they were about inventory. It’s interesting to see how FERC dealt with this.
Note that, in the NOPR, they were looking for specific controls; I and most people interpreted that to mean they were going to ask NERC to write some specific requirements for Lows (I thought they would be pretty basic, like requirements for a firewall, for locks on the doors, etc.). But that doesn’t seem to be what FERC had in mind (or at least, it’s not what they have in mind now. It’s not worth using up perfectly good electrons worrying whether or not this constitutes a change in their opinion since the NOPR).
In the Order (starting on page 61), FERC says “…while we do not require NERC to develop specific controls for Low Impact facilities, we do require NERC to address the lack of objective criteria against which NERC and the Commission can evaluate the sufficiency of an entity’s protections for Low Impact assets.” So the problem now is having criteria by which NERC and FERC can judge whether an entity is actually protecting its Lows properly. FERC gives three options to NERC, although they say that other approaches might work as well.
The first option (page 64) is that NERC could define a set of “control objectives” for Lows, but not specific controls. I believe an example of this might be requiring that the entity take steps to protect the PSP without requiring specific technologies like card readers or specific procedures like escorting of visitors.
The second option is that NERC could require specific controls that would apply to particular sub-categories of Low impact systems (so there might now be Low-Low, Medium-Low and High-Low systems, with specific controls perhaps only being applied to the latter). I don’t think this option will get a warm reception at NERC, since it’s hard to see how it could be audited without requiring a cyber asset inventory.
The third option is that NERC could “define with greater specificity the processes that responsible entities must have for Low Impact facilities under CIP-003-5, Requirement R2.” In other words, rather than simply require entities to draw up and implement four policies (with no specification of what is in them, as is the case in CIP-003-5 R2 now), NERC could be more specific about the processes that entities need to require in those policies.[ii]
Note that both the first and third options would not require controls that apply to particular cyber assets, which is the big show-stopper for NERC. As long as controls (or criteria) are just on the site level, I think some can be found that will be acceptable to the membership.[iii]
That being said, I see this whole discussion about Lows as being the most important that will occur as NERC drafts the new CIP version, one which will generate (no pun intended) a lot of interest among the membership. I think the new SDT meetings on Version 6 may have to be held in Madison Square Garden. They will certainly be very interesting.
3. “Transient Devices”
The definition of BES Cyber Asset now includes the following parenthetical expression: “(A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an ESP, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes.)” I don’t need to remind you that the definition of BES Cyber Asset is fundamental to CIP Version 5, and the Definitions document that contains it is part of the V5 standards, and has to be approved by FERC.
FERC questioned the wisdom of this provision in their NOPR, and they haven’t backed down from that position. They point out (starting on page 74) that devices like laptops that are used, no matter how temporarily, within the ESP can cause all sorts of havoc if they introduce viruses and worms into the ESP. I won’t go into the discussion here, but it’s worth reading all the arguments in this section.
Even with these concerns, FERC didn’t direct that the language be removed. If they had, this would have imposed a big burden on NERC entities, since every device that might ever be used – even for ten minutes – within an ESP would have to be forever protected as a BES Cyber Asset/System (or at least a Protected Cyber Asset).
However, they did direct NERC to develop a new (or modified) standard that provides for cyber security of transient devices (p. 80). I’m guessing NERC will decide to include this in CIP Version 6 (so it might be called CIP-012-1) – I would think this would be preferable to developing a whole new set of standards.
4. CIP Version 4
The remaining sections of this post deal with statements included in the Order which aren’t changes to be included in the next CIP version. One of these statements will hopefully put to rest a longstanding bugaboo: FERC makes it clear that CIP Version 4 sleeps with the fishes. Of course, simply by approving the Version 5 implementation plan, FERC put V4 to rest. But they made sure to drive the point home on page 6: “CIP-002-4 through CIP-009-4 will not become effective, and CIP-002-3 through CIP-009-3 will remain in effect until the effective date of the CIP version 5 Standards.” I hope this will be enough evidence for the legal departments at some large IOUs to let their compliance people stop working on compliance with CIP Version 4 and start working on Version 5.
5. Got 15 minutes?
The definition of BES Cyber Asset begins, “A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System.”
In their NOPR, FERC seriously questioned why “15 minutes” is in the BCA definition, since it presumably excludes a lot of cyber assets that can affect a Facility but don’t do so within 15 minutes. You may know the answer to that question: “15 minutes” is really a proxy for “real-time”. The SDT wanted to only include devices that immediately affect the Facility but couldn’t find appropriate wording, so they decided to be safe and include everything that could affect it within 15 minutes.
Of course, this shows that no good deed goes unpunished, since FERC then seized on the 15 minutes as the problem – implying that devices that may take 3 or 4 days to affect the Facility should also be defined as BES Cyber Assets. There were a large number of comments stating that the 15 minute provision absolutely needed to be left in the BCA definition.
And guess what: FERC listened! They didn’t order that this provision be removed. However, they did order NERC to undertake a survey to determine how this provision will actually be used, and the impact it might have (including how many cyber assets would be excluded or included through leaving it in). This survey is due within a year, at exactly the same time as NERC will need to submit Version 6 to FERC.[iv]
6. Just what we needed…a new standard!
In their NOPR, FERC had raised the issue of communications. The previous NERC definition of cyber asset had included “communications networks” as well as “programmable electronic devices”. In Version 5, the SDT removed those networks from the definition. In their NOPR, FERC questioned why this was done, and whether it was putting the BES at any risk.[v]
FERC has now decided that communications networks need to be protected by NERC Reliability Standards – but they’re not ordering that these protections be included in NERC CIP. Instead, FERC orders NERC (pages 86-87) to develop or modify standards for this.
Unlike with transient devices, I don’t think NERC will include this new standard in CIP Version 6. Transient devices are computers, and CIP is for protecting computers. But communications networks are quite different, and I believe NERC will decide to address this in a separate standard, or perhaps as part of the existing COM standards.
7. Mark your calendars
FERC raised three issues in the NOPR that they don’t want to drop, but also don’t want to use to order changes to CIP. These include “communications security” (which here means communications between devices within a Facility, and whether they should be encrypted or not), “remote access” (specifically whether the provisions in the current CIP Version 5 are adequate or not), and whether CIP Version 5 adequately addresses FERC’s provision in Order 706 to adopt as much of the NIST Risk Management Framework as possible.
It’s not surprising that the comments regarding these three items varied widely. So FERC has decided (p. 122) to have NERC call a conference within 180 days to discuss these three items – and in a comprehensive manner, as opposed to piecemeal. The question will be whether these three items need to be included in CIP going forward or not, and perhaps more generally how they can be addressed to protect the BES.
8. I’ve left the best for last
The big question on a lot of people’s minds is the implementation dates for CIP Version 5 (and 6). When will High, Medium and Low impact Facilities have to comply?[vi] Well guess what…it isn’t simple. But when was there anything about NERC compliance that was simple?
What is simple is the timeline for Version 5. All of the V5 standards say that V5 will become effective “on the later of July 1, 2015, or the first calendar day of the ninth calendar quarter after the effective date of the order providing applicable regulatory approval.”[vii] Here we go:
- As I’ve already mentioned, the effective date for V5 is 60 days after publication in the Federal Register, which means sometime in late January 2014.
- The first day of the ninth calendar quarter after that is April 1, 2016. This is the date that Highs and Mediums will have to comply with V5.
- Since the Low date is a year later, Lows have to comply on April 1, 2017.
That’s simple, right? The real question is, what about Version 6? Will it supersede V5 (just like V5 has superseded V4), or will V5 come into effect, followed by V6? And will its implementation plan have the same timeline as the V5 one – 24 months for High and Mediums and 36 months for Lows?
I was expecting FERC to say something about the implementation plan for the new version in the Order, but it is silent on that.[viii] So let’s assume that Version 6’s implementation plan is just like Version 5’s, except it doesn’t say anything about superseding an earlier plan.
What’s that timeline?
- FERC has ordered V6 to be delivered to it by January 2015.
- Let’s assume FERC takes just less than two quarters to approve V6 (which is reasonable since most of V6 will be the same as V5) – let’s say they approve it on June 30, 2015 (and I know they approved at least a couple CIP versions on the last day of a calendar quarter, which of course meant the effective date was three months earlier than if FERC had waited ‘til the next day – the first day of a new quarter – to approve it).
- The first day of the ninth calendar quarter after June 30, 2015 is July 1, 2017. So that would be the compliance date for Highs and Mediums for Version 6.
- A year later than that would be the Low date, or July 1, 2018.
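The calendar-quarter arithmetic behind both timelines above, written out as an added example for this page (it is not code from the post, NERC or FERC). It implements the rule quoted from the V5 standards, “the later of July 1, 2015, or the first calendar day of the ninth calendar quarter after the effective date of the order,” with Lows one year behind Highs and Mediums, and it shows two things the prose only asserts: that approving on June 30 versus July 1 moves every compliance date by a full quarter, and that the eighth-versus-ninth quarter slip from footnote [vii] shifts the date by three months. The specific late-January 2014 date is an assumed placeholder (the post only says “late January”); any date in that quarter produces the same result.

```python
from datetime import date
from typing import Optional, Tuple, Union

DateLike = Union[date, str]


def _as_date(d: DateLike) -> date:
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def quarter_start(d: DateLike) -> date:
    """First day of the calendar quarter that contains d."""
    d = _as_date(d)
    return date(d.year, 3 * ((d.month - 1) // 3) + 1, 1)


def nth_quarter_after(d: DateLike, n: int) -> date:
    """First calendar day of the n-th calendar quarter after the quarter
    containing d (n=1 is the very next quarter). Only the quarter matters,
    so April 1 and June 30 of the same year give the same answer."""
    q = quarter_start(d)
    months = (q.month - 1) + 3 * n  # months counted from Jan 1 of q.year
    return date(q.year + months // 12, months % 12 + 1, 1)


def compliance_dates(order_effective: DateLike, quarters: int = 9,
                     floor: Optional[DateLike] = None) -> Tuple[date, date]:
    """Return (High/Medium date, Low date) for an implementation plan that reads
    'the later of <floor> or the first calendar day of the <quarters>-th calendar
    quarter after the effective date of the order', with Lows one year later.
    This mirrors the structure of the V5 plan quoted in the post."""
    high_medium = nth_quarter_after(order_effective, quarters)
    if floor is not None and _as_date(floor) > high_medium:
        high_medium = _as_date(floor)
    low = date(high_medium.year + 1, high_medium.month, high_medium.day)
    return high_medium, low


# Assumed placeholder: the post only says the Order takes effect in "late January 2014".
V5_ORDER_EFFECTIVE = date(2014, 1, 24)
V5_FLOOR = date(2015, 7, 1)  # "the later of July 1, 2015, or ..." from the V5 standards

# The post's hypothetical: FERC approves V6 on the last day of a quarter, or the day after.
V6_APPROVAL_LAST_DAY_OF_QUARTER = date(2015, 6, 30)
V6_APPROVAL_FIRST_DAY_OF_QUARTER = date(2015, 7, 1)


def v5_dates() -> Tuple[date, date]:
    return compliance_dates(V5_ORDER_EFFECTIVE, floor=V5_FLOOR)  # 2016-04-01, 2017-04-01


def v6_dates_if_approved_june_30() -> Tuple[date, date]:
    return compliance_dates(V6_APPROVAL_LAST_DAY_OF_QUARTER)  # 2017-07-01, 2018-07-01


def v6_dates_if_approved_july_1() -> Tuple[date, date]:
    return compliance_dates(V6_APPROVAL_FIRST_DAY_OF_QUARTER)  # 2017-10-01, 2018-10-01


def eighth_vs_ninth_quarter(approval: DateLike) -> Tuple[date, date]:
    """The proofreading slip from footnote [vii]: 'eighth' instead of 'ninth'
    calendar quarter moves the compliance date back by exactly three months."""
    return nth_quarter_after(approval, 8), nth_quarter_after(approval, 9)


if __name__ == "__main__":
    print("V5 (High/Medium, Low):", v5_dates())
    print("V6 if approved 2015-06-30:", v6_dates_if_approved_june_30())
    print("V6 if approved 2015-07-01:", v6_dates_if_approved_july_1())
    print("8th vs 9th quarter after 2015-06-30:",
          eighth_vs_ninth_quarter(V6_APPROVAL_LAST_DAY_OF_QUARTER))
```

Because only the quarter of the approval date enters the calculation, the last day of a quarter and the first day of the next one are as far apart as it is possible to be: the example reproduces the three-month swing the post describes between a June 30 and a July 1 approval.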
So think about it. In this scenario, High and Medium Facilities will have to comply with CIP Version 5 on April 1, 2016, and with Version 6 on July 1, 2017. What does that mean? For one thing, it means the entity has to put together a whole compliance program based on Identify, Assess and Correct (remember, FERC just approved Version 5 without change, since that’s the only way they can approve standards); then 18 months later, they have to go back to a “zero-tolerance” program. Think about what that would entail, in terms of documentation, training, etc. Sounds like a lot of fun, right?
There’s more. From the auditors’ point of view, on April 1, 2016 they will need to allow transient devices to be used for up to 30 days within the ESP without any cyber security standards applying to them – even though they know these will be in place the following year and they know what they will be (since V6 will have been approved in 2015). They will also need to just audit Low facilities based on the four policies required by CIP-003-5 R2, rather than the presumably beefed-up requirements of CIP Version 6.
I realize there are ways these problems can be mitigated. For example, NERC could say they simply wouldn’t audit based on IAC, and instead would use the old “zero-tolerance” approach. But what about an entity that thought its compliance program was wonderful and they wanted to be audited to the exact wording of the 17 requirements that have IAC in V5? NERC would obviously have to accommodate them. But that would cause a lot more work for the auditors, since they would have to have two different auditing regimes – one for V5 without IAC, one with.
It seems to me that NERC will want to have Version 6 do the same thing to V5 as V5 has now done to V4: send it to sleep with the fishes once FERC approves V6. Of course, since (in my timelines above), V6 would be approved on June 30, 2015 and V5 wouldn’t become effective until April 1, 2016, this would be perfectly doable.
Does this mean that CIP Version 3 will remain in effect until July 1, 2017? Well, here you get into politics and game theory. My guess is that, should NERC decide to have V6 supersede V5, they will also shorten the implementation timeline for V6 so that the compliance dates would be approximately what they would have been had V5 come into effect. Why would they do this? Because otherwise, Papa FERC (although “Mama FERC” might be more appropriate, since Chairman Wellinghoff made the surprise announcement on Thursday that he will step down next week and Commissioner LaFleur will step in as interim Chairwoman. Congratulations to Commissioner LaFleur! I’m sure she’ll do an excellent job; she certainly seems to have a good understanding of the issues surrounding NERC CIP. And that’s all that matters for FERC, right?) might be unhappy. They thought they were doing NERC a big favor by not shortening the V5 timeline as they’d hinted in the NOPR; now they will find it effectively being lengthened by a year and a half, unless NERC proactively shortens the V6 timeline.
The bottom line on this: NERC entities need to prepare for compliance with CIP Version 5 or 6 on April 1, 2016 for High and Medium impact Facilities, and a year later for Lows. You might end up getting a quarter or two more to comply (although you won’t know if this is going to happen for probably a year and a half from now). But you’re risking big problems if you don’t aim for these dates as of now.
9. CIP-002-5
A few of you may have noticed that I’ve spilled a few electrons this year (in fact, about ten whole posts) writing about problems with the wording in CIP-002-5, and suggesting that these problems really need to be fixed in order for CIP Version 5 / 6 to have a firm foundation; you may also know I actually rewrote CIP-002-5 and submitted that version to FERC during the NOPR comment period. And you may not know – but it is true – that I have a lot of readers among the staff at FERC. So…what did the FERC Commissioners say about this issue in Order 791?
I’ll break the suspense: they said nothing about it. What does that mean for this idea? Will NERC still want to rewrite CIP-002 as part of the Version 6 drafting effort? Well, I highly doubt NERC is going to feel overly motivated to include that in the SDT’s marching orders for Version 6, since those folks will have all the FERC mandates on their plates, and a short deadline to address them all. I also suspect that NERC couldn’t address these issues in V6 even if they wanted to, since Version 6 will be a compliance filing – its purpose is to address the specific directives in FERC Order 791, not go off on some wild tangents not ordered by FERC.
So maybe the answer is a guidance document? After all, I think I’ve mentioned that about 100 times since I got on this kick right after the NOPR was issued. Well, I would still like to see a guidance document, but let’s face it: a guidance from NERC can’t override the wording of a standard. Let’s say someone interprets CIP-002-5 in a way that seems justified (and given the ambiguities in it, all sorts of interpretations would be justified), but gets a fine because their interpretation didn’t match the guidance. They can take it to court (since NERC standards are regulatory law); the judge will look at the entity’s actions, agree they were plausible within the wording of CIP-002-5, ask if the NERC guidance document had any legal force (which it wouldn’t), and give them a get out of jail free card.
I continue to see this as a problem, whether or not the FERC Commissioners do. And I don’t see any good way to address it, other than rewriting CIP-002 as part of the V6 drafting effort (Interpretations carry legal force, but they take a couple years to be approved, and in any case they focus on very narrow issues. IMHO, there are so many problems with CIP-002-5 that no single Interpretation could fix that standard. And of course CANs have been abandoned).
I’m not at all sure what the solution to this is, to be honest. I guess sometimes there aren’t solutions. To quote the philosopher Jimmy Carter, “Life is unfair”.
Here ends my story. I’d love to hear any and all comments on this. You can either post them below or email them to me at tom.alrich@honeywell.com.
All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.
[i] FERC actually said on page 43 that modifying the CMEP would be one way for NERC to effectively get IAC without modifying the standards – that’s what RAI would do, although I guess there could be an interim modification just for CIP (i.e. a “partial RAI”), to make sure that was in place before the enforcement date for V5. In any case, FERC is clearly encouraging NERC along the CMEP path, but also doesn’t think including this language in the standards themselves (like NERC tried to do with IAC) is at all workable.
[ii] I have joked that, the way CIP-003-5 R2 reads now, an entity could have the following as any of the four policies (say the physical security controls policy): “In order to protect physical security, we will provide ice cream to all employees on Thursdays.” So as long as the entity actually provided ice cream on Thursdays, they would be fulfilling the policy and couldn’t be found non-compliant.
[iii] Not that being acceptable to the NERC membership really is a gating factor here. NERC has to provide FERC with a new CIP version that includes what FERC wants, period. If the membership votes down whatever gets drafted, the Board is empowered – in fact obligated – to override the membership. The Federal Power Act of 2005 leaves FERC holding all the cards here.
[iv] I don’t want to take implications out too far, but it is interesting that both V6 and the survey results are due at the same time. This means that, if FERC were to look at the survey results and decide a change were needed – perhaps changing the 15 minutes to 15 hours, or eliminating it altogether – NERC wouldn’t be able to include that in V6. Assuming FERC approves V6, they would need to order a new compliance filing with this change, which would be V7. And NERC would have to deliver that next… But this way lies madness. I’m not going to think about this anymore.
[v] In practice, the fact that communications networks were included in the cyber asset definition was meaningless in CIP Versions 1-3, since they were excluded from being covered by the standards.
[vi] As Carter Manucy of FMPA reminded me a couple months ago, there are actually about 8 compliance dates for V5, not just the two I’m accustomed to thinking of: one for Highs and Mediums and the other for Lows. This is because the V5 Implementation Plan lists separate “initial performance dates” for specific periodic requirements. We agreed that I’ll post his complete timeline, but only after the FERC Order on V5, so it can be more than hypothetical. I should have this up fairly soon.
[vii] Scott Smith of Portland General Electric pointed something interesting out to me: On page 11 of the Order, FERC quotes NERC’s V5 Petition (which was submitted on Jan. 31, 2013, requesting approval of V5) as saying the standards will be effective on “the first day of the eighth calendar quarter after a Final Rule is issued in this docket.” NERC obviously hadn’t read their own standards when they wrote this, since every one of the ten CIP Version 5 standards refers to the ninth quarter. However, since FERC is approving the V5 standards in Order 791, not the Petition, I don’t see this as a legal problem – just some bad proofreading on NERC’s part.
Interestingly enough, NERC made this mistake once before, and it had more important consequences then. In Scott Mix’s August presentation on V5 before TRE, he mentioned that the V4 standards officially said eight, not nine calendar quarters; so the compliance date for V4 ended up being April 1, 2014 rather than July 1. This was a mistake, since the SDT had really intended for the date to be the first day of the ninth quarter. Scott said the SDT had now learned how to count (which isn’t a bad thing, since half the SDT are engineers). But it seems the proofreaders still have to learn to read; they obviously didn’t look at the V5 standards when they mentioned eight quarters.
[viii] In fact, the Order always refers to changes in Version 5, even though that can’t happen. I assume this is some sort of FERC-speak, because they certainly know the rules. I did go back and review the Order approving Version 2, since that did the same thing as Order 791 does: it approved V2 but ordered a new version with a few changes (much more minor than in this case. They also gave NERC just 90 days to come back with the new version). That Order also talked about changes to V2, even though what came back was V3, not a changed V2.