Warning: Reading this post may cause unintended side
effects in NERC compliance professionals, including loss of sleep, depression,
excessive consumption of alcoholic beverages, and thoughts of suicide.
I have
attended a number of NERC and regional meetings dealing with CIP Version 5
lately, and I have talked with many CIP compliance professionals. I haven’t been surprised to find that lots of
people have questions about the meaning of particular parts of CIP v5, and about
what seem to be unintended consequences of the wording of particular
requirements. This is to be expected,
given that v5 is a complete rewrite of the CIP standards (it should really be
called CIP 2.0, with CIP v1-3 being called v1.0, 1.1 and 1.2, or something like
that. Too late for that now, of
course).
The question
becomes: Who answers these questions?
And what is the mechanism by which these interpretations can be
made? Let’s examine the usual suspects:
- Revise the Standards – Is it still possible to make changes to CIP Version 5? Not any more. I was hoping FERC would order NERC to open up the wording problems in CIP-002-5, to remove the inconsistencies and confusion in Requirement 1 and Attachment 1 of that standard (I even very helpfully rewrote the standard and submitted my version to FERC during the NOPR comment period); however, Order 791 came and went with ‘nary a word from FERC to that effect.
You may point out that there is a new
drafting team at work now, drafting the changes FERC ordered in Version 5. Couldn’t they make clarifications where
needed, even though FERC didn’t tell them to do so? In theory they could. However, their work is governed by their Standards
Authorization Request (SAR), and that strictly limits them to addressing
the four directives from Order 791.[i] Therefore, I see about zero chance that there
will be any revisions to Version 5, other than to meet the four directives.
- Request for Interpretation – Of course, there is a process for making interpretations to a requirement that has already been approved. A NERC entity has to make a Request for Interpretation; this needs to be discussed by a team of NERC members, who will develop the interpretation; a NERC ballot body has to vote on the interpretation; the NERC Board of Trustees needs to approve it and submit it to FERC; finally, FERC needs to approve it, at which point it becomes part of the standard (you’ll notice some of the earlier standards have a letter like a or b after them. These standards include one or more approved interpretations).
You can probably see the biggest problem
with this right away: all these steps take a long time. In fact, I doubt
any of the interpretations has come into effect much before two years after it
was originally requested (and none have even been requested yet for V5; I’m not
even sure NERC is set up to deal with it, were one to be requested). Plus, FERC showed last year – when they
remanded two interpretations on CIP – that they won’t necessarily approve
everything that NERC shoves across their desk anyway. So the Interpretations process clearly isn’t
going to do NERC entities any good as they prepare for v5 compliance in two years.
- Can NERC interpret the standard in some other way? That has certainly been tried. The Compliance Application Notices (CANs) were an attempt to make something like an interpretation, without going through the Interpretations process. And guess what? They haven’t worked, and NERC doesn’t plan to issue any more.
The reason why they haven’t worked is
pretty simple: NERC has a process for developing and revising standards. It requires constituting an SDT, having them
draft the standard, having it approved (or not) by a ballot body, having the
B0T approve it, and finally having FERC approve it (or not). There simply is no kosher way to interpret or
revise a standard that doesn’t go through this process.
- How about the CIP v5 Implementation Study? In this, six lucky entities are starting the transition to v5 now, and are discussing their experiences with NERC; NERC will in turn summarize and publish these lessons learned in June. In fact, they have already published three documents on particular lessons learned. And at the CIPC meeting in St. Louis in early March, various NERC spokespeople clearly implied that a lot of the ambiguities in CIP v5 would be cleared up through these lessons learned.
Folks, if you believe this, you’re
heading for a big disappointment. The
three lessons learned documents that have come out have certainly been useful,
but none of them have addressed wording problems in any of the v5 requirements
– and I sincerely doubt the final document will do much in that regard
either.
The fact is, there simply hasn’t been
enough time for the six entities to come face to face with all of the
requirements in CIP v5 and discover the tough problems that may be hiding
there. I’ve heard that some of the six entities are still in the throes of trying to figure out CIP-002-5
(as am I), and it’s unlikely they’ll learn a lot of lessons on the other standards
by the end of the study (in fact, I’m also told that the study has actually already
ended, with the effort at NERC between now and June going toward documenting
the lessons learned). I’m sure the final
document will contain a lot of very interesting and useful points; however, it
is highly unlikely it will contain interpretations that will definitively clear
up any ambiguity in the wording of
CIP Version 5. There really is no way it could do that.
- RSAW’s – Hey, what about these? Wasn’t NERC supposed to have those out by now? No, they weren’t. They were supposed to have them out by October 1 of last year. They’re still not out, and they’re still “Coming Soon” according to the NERC website. It will be nice when they come, but I certainly don’t advise anybody to put their CIP v5 compliance program on ice until the RSAW’s are available. The RSAW’s are delayed, but I can assure you the April 1, 2016 compliance date won’t be.
And I sincerely doubt the RSAW’s, when
they are delivered, will do what many people are hoping they will do: interpret
and clarify the language of the v5 requirements. The RSAW’s for the previous versions of CIP
did little more than rephrase the requirements and the measures. NERC has said the v5 RSAW’s will be
different, but I predict that – by the time the lawyers have their way with
them – they won’t be much more helpful for interpreting the requirements than
the previous ones were. We’re running up
against the same problem I discussed above: There simply is no good way for
NERC to circumvent its own processes for revising or interpreting standards.
- How about the NERC CIPC? After all, it was subcommittees of the CIPC that developed the two excellent guidance documents for CIP Versions 1-3: on identifying Critical Assets and Critical Cyber Assets. Maybe the CIPC will ride to the rescue again?
This might be a possibility, but I see
absolutely no interest in the current CIPC in doing this. And even if they decided at their next
meeting that they would do this, they would first have to constitute the
committee(s), develop their charters, have them do their work, approve it, and
finally release it. The Critical Asset
guidelines didn’t come out until September2009, right before the December 31,
2009 CIP Version 1 compliance date for the majority of entities; the CCA
guidelines came out in June 2010, six months after that date. The situation would be similar here.[ii]
At this
point, it may be clear that NERC itself can’t do interpretations – there is a
fundamental structural problem, in that NERC is set up as a body in which the
membership drafts and approves all standards and revisions thereto. NERC can’t violate that process without
ceasing to be NERC. So who or what else
could interpret CIP version 5?
- “How about FERC?,” you ask...You’re really asking that? You can’t be serious. FERC doesn’t interpret NERC standards; it merely approves or remands them.
- How about Scott Mix? After all he’s the Obi Wan Kenobi of CIP, having been involved with it since the beginning. I know a lot of entities have called him for his advice. And with his new grey beard, how could he be anything less than authoritative? However, I can just about promise you – I haven’t tapped his phone lately, so I can’t be sure – that Scott will never even pretend to make an interpretation of a CIP standard. He will helpfully point you to CAN’s, CAR’s, other NERC standards, etc. – anything that might shed light on your question. But he isn’t going to give you an interpretation.
- Here’s a good one: What about the intention of the Standards Drafting Team? After all, in interpreting a law, Federal courts often look to the debate in Congress that accompanied its passage. And in Constitutional questions, the parties will often bring up the debates at the Constitutional Convention, the Federalist Papers, etc. Shouldn’t somebody be able to go through the minutes of the SDT meetings and figure out what led to the choice of wording for a particular requirement?
That’s a nice idea, but it simply isn’t
going to work. The CSO 706 SDT met over
four years, and the personnel changed markedly during that time. The different issues were debated at
different meetings, with different participants. Most of the drafting of the actual
requirements occurred in subcommittee meetings conducted by phone, for which I
don’t think there were any minutes. Even
if there were detailed notes of what was said at the SDT meetings, it would be
almost impossible to trace the different threads as they were discussed over
four years.
More succinctly, the minutes of the CSO
706 SDT meetings were always fairly short and high-level, mostly consisting of
statements like “X was discussed”, “Y was discussed”, etc. Those minutes were simply never intended to
provide any guidance when it came to interpret the standards. This is partly because it would have been
very expensive to try to produce a literal transcript of the meetings.
More importantly, the minutes can’t be
used for interpretation because of what I call the fundamental problem with
NERC standards (and especially with CIP): The standards are written by
engineers, but they’re interpreted by lawyers.
Engineers focus on solving a technical problem – in this case, writing a
standard that the committee and the NERC ballot body will approve - and feel
their job is done when that has been accomplished. This means the SDT members – engineers and
cyber security professionals – didn’t worry about recording how the wording
came to be; they just wanted to come out with something that worked.[iii] But in interpreting a standard, lawyers want
to be able to discern why this particular wording was adopted. They will get no help from the minutes.
Well, we’ve
gone through these players: NERC, the CIPC, FERC, Scott Mix, the SDT…who have
we left out? I’ll give you a clue by
asking you a few questions: Why do you want to find an authoritative
interpreter of CIP v5, anyway? It’s so
you’ll be able to pass audits, right?
And who does those audits? Bingo…it’s
the regions. Could they possibly be the ones who interpret
CIP Version 5?
You’re so
intelligent…Of course, it’s the regions that need to step up to the plate
here. And it seems at least some of them
are already doing it. WECC has already
had two CIP v5 “road shows”, where auditors and enforcement staff discussed complying
with each of the standards.[iv] SPP has focused on CIP-002-5 R1 (certainly the
most problematic of the v5 standards, IMHO), and provided both a webinar (materials available here) and an
excellent hands-on workshop in Dallas that I attended.[v] I’m sure there will be more interpretation
from these two regions, as well as from the other regions.
Of course,
the reason that the regions’ interpretations are important is that they’re the
ones who will do the auditing. If your
region says this is how they interpret a particular requirement, you would be
well advised to interpret the requirement in the same way. However, there are three big caveats to this:
- None of the regions has come out with what I think is really needed: a comprehensive document that addresses the main wording issues in CIP-002-5 and provides an interpretation of each one. Of course, nobody has come out yet with a list of what those issues are, but they are certainly starting to appear in various forums. I have expended literally billions of electrons in documenting the wording problems in CIP-002-5 R1 and trying to develop a consistent interpretation; other groups including the North American Transmission Forum and the CIP user groups in FRCC, NPCC and MRO have as well (none published as of yet, however).
Having spent so much time on CIP-002-5
R1, I would like to start focusing as much on the other standards[vi]. Various people have provided me with serious
interpretation questions they have on the other standards. I would also very much like to hear about
questions that have been raised in your mind, and I’ll try to put them all in a
post – or maybe a few posts (email me at tom.alrich@honeywell.com). Maybe this can at least let the regions know
the main issues that need to be addressed in an interpretation document.
- Probably the biggest problem with the regions doing the interpretation is consistency. As you might guess, the WECC and SPP interpretations of CIP-002-5 R1 were worded quite differently (although I think they would both result in the same classification of BES Cyber Systems); I’m sure there will be many more differences as the other regions weigh in on this and the other v5 requirements.
It really seems to me that the regions
need to get together and agree on consistent interpretations of the
requirements of CIP version 5. Of
course, inconsistency across the regions will be a huge problem for entities that
span multiple regions. But even for
entities that are only audited by one region, it will always be galling to hear
that another region has interpreted a particular requirement – which may be a
sore spot for that entity – in a more advantageous way than their own region. A house divided cannot stand, as I believe
someone else from Illinois once said.
- And having the regions do the interpretation doesn’t solve the most fundamental problem: There really needs to be an interpretation that will stand up in a court of law. The CIP standards, like all NERC standards, are regulatory law. If an entity interprets a requirement one way, but ends up being fined because the Regional Entity and NERC interpret it another way, they can take this to court. And what will the court base its decision on? The wording of the requirement, nothing more. So if the court finds the wording of the requirement to be ambiguous, they are likely to set aside the fine, and possibly invalidate that requirement.[vii] But since I don’t see any other venue for interpretations other than the regions, this is just something that NERC will have to live with.
On that
happy note, I’ll end. Be sure to send me
your interpretation questions.
All opinions expressed herein are mine, not
necessarily those of Honeywell
International, Inc.
[i]
At the initial meeting of the new SDT in Washington in February, Steve Noess of
NERC did say that the team might address “no-brainer” problems with the v5
requirements. He used an example of a
word that was clearly the wrong one to use, where the team could decide to
change that with just a couple minutes of discussion. However, I’m not sure there are any of these
– the CSO 706 SDT spent over two years drafting and re-drafting v5, and I’m
afraid the problems that are in there aren’t simple ones, since the team would
have caught them if so. Yet the new SDT
is under quite a time crunch to meet FERC’s deadline of February 2015 to return
the changes (actually, the deadline only applies to two of the four FERC
directives, but NERC has rightly decided that all the uncertainty about v5 needs
to end at some point, so the team really wants to address all four directives
by that deadline); I’ll agree that they simply don’t have time to enter into
long debates on proper wording of requirements that were already debated by the
previous SDT.
[ii]
This isn’t to say that, should the CIPC decide to do guidance on – say – CIP-002-5
compliance, that this wouldn’t still be helpful, even though it wouldn’t come
out until most Medium and High impact assets had already been brought into
compliance. I have been advocating for a
couple years that they should come out with a guidance on the bright-line
criteria (first for v4, now for v5).
This would of course be roughly equivalent to their guidance on
identifying Critical Assets in the previous versions. And they could also do a guidance on
identifying Medium and High impact BES Cyber Systems.
[iii]
At an RFC compliance meeting last year, a story was told that illustrated very
well the difference between lawyers and engineers (and also priests). I don’t know whether it’s true or not, but it
certainly has the ring of truth. It
seems that, in medieval times, a priest, a lawyer and an engineer were all
sentenced to be guillotined together. On
the appointed day, the priest was first.
He put his head in the apparatus, the executioner pulled the cord, and
the blade came down – but it stopped halfway down. The priest looked up and exclaimed, “God has
spoken! He doesn’t want me to die. You must free me!” And they did.
The lawyer was next.
He put his head in the apparatus, the cord was pulled…and again, the
blade stuck halfway down. The lawyer
exclaimed, “I was sentenced to have my head placed in the guillotine and have
the cord pulled. This has been done. You cannot now repeat the process. You must set me free!” And they did.
Finally, the engineer came up. He
put his head in, the cord was pulled, the blade got stuck again. He looked up, studied the apparatus for a
minute and then exclaimed, “Aha. I see
your problem….”
[iv]
I wrote about the first of those road shows, in Salt Lake City in early
February, in this
post. However, the second road show
occurred on March 18 and 19 in Marina del Rey, CA. I didn’t attend that, but you can see the
presentations here. There was a huge improvement between the two
road shows in how they distributed the presentations: At the first show, they
combined them all in a single file of 33MB.
For the Marina del Rey show, they posted the individual presentations. This makes downloading and reading them much
easier.
[v]
I hope to discuss both the webinar and workshop in an upcoming post on my
favorite topic: CIP-002-5 R1.
[vi]
I do still intend to have another big post or two on CIP-002-5 R1, since some
transmission entities have convinced me that my methodology for compliance with
that requirement – as well as the methodologies outlined by WECC and SPP –
misses a very important aspect that makes a big difference for how BES Cyber
Systems in substations are classified. I’ll
leave you in suspense until I get time to write this, but if you want to email
me at tom.alrich@honeywell.com, I’ll
explain what I mean.
[vii]
One of the reasons I have spent so much time harping about the wording problems
in CIP-002-5 R1 is that this is the
fundamental standard in CIP Version 5.
If a judge invalidated this requirement, it would make the rest of v5
invalid, IMHO.