July 28, 2014: I noticed a lot of people have been going to this post recently. I think this may be referrals from my recent update of this topic, but if you don't know about that update, please go here.
I attended the first meeting of the NERC CIP Version 5 Revisions Standards Drafting Team in Washington DC February 19-21. I was glad I did, since it provided a very good perspective on what we can expect to happen with CIP going forward (to the extent that anyone knows, of course – there are a lot of unknowns). And it was good to be able to discuss various issues with the drafting team members and the observers (there were about 30-35 attendees in all) – even though there won’t be any resolution to those issues for a number of months.
I attended the first meeting of the NERC CIP Version 5 Revisions Standards Drafting Team in Washington DC February 19-21. I was glad I did, since it provided a very good perspective on what we can expect to happen with CIP going forward (to the extent that anyone knows, of course – there are a lot of unknowns). And it was good to be able to discuss various issues with the drafting team members and the observers (there were about 30-35 attendees in all) – even though there won’t be any resolution to those issues for a number of months.
I intend to
write two posts about the meeting, one discussing timeline issues and the other
discussing everything else I learned there.
Since I think it’s more important to present what I learned about
timelines, they will be the subject of this post. The other will follow soon.
I think most
of you already know the timeline for CIP Version 5. The Medium and High impact assets need to
comply by April 1, 2016; the Lows need to comply by April 1, 2017. Nothing of this has changed. However, what has changed is my thinking on the likelihood that CIP v5 will even
come into effect.
Before I
discuss that, I need to point out that the drafting team is preparing a new CIP
version, which will most likely be called CIP Version 6. Those of you who have been reading my posts
for a while won’t be surprised by this statement, since I’ve been saying there
will be a v6 since my post
on FERC’s NOPR last April.[i] However, everybody
from NERC who was at the meeting bent over backwards to make it clear that v6
will not be in any way a “new” standard like v5 is.[ii] Rather, it is simply v5 with the changes FERC
ordered, nothing more.[iii]
I have said
several times (including in my post on Order 791)
that I don’t think CIP v5 will ever actually come into effect – that it will be
superseded by v6, just as v5 superseded v4.
It seemed to me that forcing entities to comply with v5, which has the
“Identify, Assess and Correct” language in 17 requirements, couldn’t be
followed by requiring compliance with v6, which won’t have IAC (since one of
the tasks FERC ordered NERC to do is to remove that language). This would amount to cruel and unusual
punishment and might lead many NERC entities to sue for whiplash.
I brought
this issue up to the SDT during the meeting.
Scott Mix of NERC pointed out to me that it really wasn’t going to be a
big problem to do this – i.e. to have v5 come into effect, followed by v6. NERC will simply need to make sure people
understand that they should ignore the IAC language in v5 – and instruct the
auditors to ignore it as well.[iv] And he pointed out there is a precedent for
this: When FERC approved CIP Version 1 in Order 706 in 2008, one of the many
changes they said they wanted was removal of the language regarding “reasonable
business judgment” (i.e. the idea that in some cases an entity could waive
strict compliance with the wording of a requirement based on their own judgment
of what was reasonable). Since CIP v2,
which removed that language, didn’t come into effect until after the compliance
dates for v1, NERC let entities know to simply ignore that language in v1. This isn’t necessarily a really elegant way
to do things (it might not even be legal, although I ain’t no lawyer), but as
long as it’s likely to work, that’s fine with me.
The upshot
of this is that I was wrong in thinking v5 wouldn’t come into effect. I now believe it will, and on the dates that
have already been announced: April 1, 2016 for Medium and High assets, and
April 1, 2017 for Lows. However, keep in
mind that these dates are for compliance only with the requirements in CIP v5
as filed with FERC in January, 2012.
They have nothing to do with the four changes[v] that
FERC ordered NERC to make in CIP v5.
Those changes will be in v6.
So when will
v6 come into effect? When I believed
that v6 would supersede v5, I also believed there would be an accelerated
timeline for v6 – since FERC would look askance at the idea of v5 not coming
into effect at all and v6 only coming into effect long after what was supposed
to be the v5 compliance date.
But there is
no longer a need to accelerate the v6 timeline a lot – the new requirements in
v6 are all completely unknown[vi] at this
point, and won’t be known for sure until the end of this year, when NERC
intends to have them approved and sent to FERC.
FERC won’t approve them for probably at least six months after that, say
the third quarter of 2015. So if compliance with v6 became mandatory on the
same dates as compliance with v5 will, High and Medium entities would have no
more than 6-9 months from FERC approval of v6 to come into compliance with it
on April 1, 2016. And Lows would have
only about a year and a half. I contend
that isn’t enough time at all, given the current complete uncertainty on what
the new v6 requirements will be.
So if the
SDT agrees with me and decides to keep the v6 implementation plan the same as
the v5 one (i.e. “first day of the ninth calendar quarter…”), this would mean
the v6 implementation date for Highs and Mediums would be late 2017, and for
Lows would be late 2018. But remember,
these dates would effectively just be for the three new sets of requirements
that FERC mandated – for transient devices, “communications networks”, and more
specific Low requirements. All the rest
of v6 (i.e. what’s identical with v5) will have already come into effect in 2016
(Medium/Highs) and 2017 (Lows).
I do want to
discuss the Low impact implementation date in more detail, since there is a lot
of interest in that. I believe it is
just about certain that CIP-003-5 R2, the single requirement in v5 that applies
to Lows, will still come into effect on April 1, 2017 as currently
scheduled. However, the new Low
requirements being developed in v6 will presumably come into effect on the
separate v6 implementation schedule that will be determined by the current SDT
(and I’m currently guessing the compliance date for these requirements will be
late 2018, as I just said).
However,
there is one reason why I hesitate in making this prediction. That is because FERC gave the SDT three or
four options for how they will implement FERC’s mandate that they develop
specific requirements for Lows. One of
those options is that they simply “flesh out” what needs to be in the four
policies that are currently mandated by CIP-003-5 R2[vii] - i.e. state what must be addressed in each
policy. If the SDT follows this option,
then it’s possible that the Low entities would have to implement the
fleshed-out policies on the v5 compliance date of April 1, 2017. I don’t think that would be completely fair
(since as I’ve said, the content of v6 won’t be known until the end of this
year, and probably won’t be approved by FERC until the second half of 2015),
but I guess it could happen. To quote
the philosopher Jimmy Carter, “Life is unfair”.
All opinions expressed herein are mine, not
necessarily those of Honeywell
International, Inc.
[i]
While I was right that there will be a v6, I was wrong in my reasons for
thinking so. I thought it was the
Federal Power Act itself that forbids any modification of a standard, once it
is approved by FERC. I’ve now learned the
real reason is that NERC’s rules don’t allow a standard to be modified once it
has been approved by the Board of Trustees and sent to the regulators (FERC and
the regulatory bodies in each Canadian province); so the changes FERC ordered –
which are of course what the new SDT is working on – need to be in a new
standard. And NERC’s numbering
conventions pretty well require that the new version be v6, not v5a, v5.1, or
something like that.
[ii]
The NERC people are clearly walking on eggshells on this issue. The community is so upset about the whole
“v4…no, v5…no, v4…no, wait a minute, it’s v5 after all” saga that I think
they’re worried they’ll be strung up on the nearest tree if they let it be
known now that v6 is coming. But they’re
absolutely right that v6 won’t be a major change like v5 was; in any case, it’s
mandated by FERC.
It might help if the CIP versions after v1 had been
numbered as they should have been: v2 should have been 1.1, v3 should have been
1.2, v4 should have been 1.3 (or something like that). These were all very incremental changes. V5, on the other hand, is a major rewriting
of CIP, so it should be called CIP v2.
If it were, then v6 could be called v2.1, and nobody would get
apoplectic about that.
[iii]
There is a small exception to this statement. Steve Noess of NERC did say that,
if someone points out a “no brainer” change that should be made in the existing
wording – such as changing a word that everyone agrees was the wrong one to use
in the first place – the SDT could make it.
Of course, what the SDT won’t
do is open up more fundamental issues like the problems with CIP-002-5 R1 that
I’ve been bringing up in my posts
for nine months or so – they have enough on their plate already. This just reaffirms what Steve had said
in answer to my question about this at the December CIPC meeting.
I have come to agree with Steve on this point; the SDT
simply doesn’t have time to open any fundamental discussions of the standards,
even if changes are needed to address basic inconsistencies in some of the
wording. This is why I’ve been saying
that the problems I’ve been pointing out with CIP-002-5 R1 will have to be
dealt with by the regions, in their interpretations of v5. Fortunately, at least one of the regions does
seem
to be stepping up to the plate on this, so all may not be lost (however, this
isn’t the entire solution, since all
of the regions need to agree on a common interpretation. I will be hearing more about another region’s
interpretation this week, and may have more to report on this front soon).
[iv]
NERC won’t simply say to ignore the language without explanation as to why,
since there is a very good reason. The
reason NERC doesn’t think removal of IAC from v5 is a big problem is that the Reliability
Assurance Initiative (RAI) will essentially accomplish the same thing (and for
all NERC standards, not just CIP), without requiring any changes to wording in
standards. See my Part II post on the
SDT meeting for more on this.
[v]
I can name these by heart after all the discussion about them at the SDT
meeting: 1) Removal of IAC; 2) Requirements for transient devices used in the
ESP for less than 30 days; 3) More-specific requirements for Low impact assets;
and 4) Protection of “communication networks”.
I will discuss what was said on each of these in my Part II post.
[vi]
What is currently known is that IAC won’t
be in v6. However, even though it will
remain in the 17 requirements where it’s found in v5, I’ve already said that
NERC will effectively tell all concerned to pretend it isn’t there. Having it removed in v6 will simply confirm
that fact.
[vii]
At the SDT meeting, it was pointed out several times that CIP-003-5 R2 says
absolutely nothing about what the four policies should be – only that the Low
entity needs to have policies for cyber security awareness, physical security
controls, etc. I have been joking that
an entity could state that their – say - awareness policy was “Everybody at
Headquarters will get ice cream on Thursdays.”
As long as they made sure that those lucky employees got ice cream every
Thursday, they would be in complete compliance with that part of the
requirement.