Nov. 4: On Nov. 2, at least one NERC region sent an email to their members confirming what is reported in the first paragraph below. Also, EnergyWire has an article today stating that a FERC spokesperson has confirmed this.
Kevin Perry, the Director of Critical Infrastructure Protection (and Chief CIP Auditor) of SPP Regional Entity, provides a CIP update at each of the SPP RE Board of Trustees meetings. At the meeting on October 26, 2015, Kevin’s final slide included the following statement: “FERC expected to conduct CIP V5 and CIP-014-2 audits beginning in 2016.” This was followed by two bullet points: “SPP RE will cancel planned audit activities for a registered entity if FERC steps in” and “Regions and NERC may observe FERC-led audits”.
Translation:
FERC is going to start choosing entities it wants to audit for CIP. A FERC audit may supersede a planned audit by one of the Regions. The Regions and NERC can only observe FERC audits, not participate in them. Kevin’s slides are in the single file with all of the meeting slides, accessible here (Kevin’s presentation starts on slide 28; the slide in question is his slide number 13. I haven’t had a chance to ask Kevin if he deliberately chose 13 to be the number of the slide that delivers this news – or that he chose to reveal this so close to Halloween).
I am told that Kevin also said that FERC would have an official announcement of this policy change soon, and that - at the moment - nothing is known for sure on what entities will be targeted for FERC audits. The above are the only facts I have. But I’m going to speculate on what they may mean:
- It’s safe to say that FERC’s audit approach will be very different from NERC’s, probably much tougher. It’s also important to remember that FERC can audit whenever it wants; it doesn’t have to follow the three- or six-year schedule in the NERC CMEP (Compliance Monitoring and Enforcement Program). You could have had a CIP audit this year and still find FERC auditing you next year.
- Also, there is no time limit on FERC audits. I know of at least one audit (of all the NERC standards, including CIP) that took multiple years. Hopefully, that won’t be the norm.
- It’s also probably safe to say that the lucky entities chosen for FERC audits will be among the larger ones.
- Can anything be said about how FERC might address the various areas of controversy in CIP v5? Normally, of course, FERC doesn’t have anything to say about NERC standards once they’ve approved them – unless they also ask for specific changes, which then get incorporated in new standards (as happened with the changes FERC ordered when they approved CIP v5 in 2013; these were incorporated into the CIP v6 standards).
- However, FERC did surprise me and others by weighing in quite forcefully on the meaning of External Routable Connectivity in their NOPR (Notice of Proposed Rulemaking) for CIP v6, issued in July. In the NOPR, they discussed NERC’s new concept of Low-Impact External Routable Connectivity (LERC), and disagreed quite forcefully with NERC’s idea that a “protocol break”, somehow involved with the transition from routable to serial communications, would terminate LERC (they didn’t rule out that something else might break LERC, but they also didn’t make any suggestions on what that something else might be – see this post for some ideas on that topic).
- Of course, in their NOPR, FERC was talking about LERC, not ERC – so technically their comments have no bearing on ERC. But as I pointed out in this post, FERC’s arguments against the idea of a protocol break can just as easily be applied to ERC as to LERC. With the news that FERC will start auditing v5, these arguments suddenly take on new significance.
I must admit that the first question that came to my mind when I read Kevin’s slide was what impact FERC’s move would have on the idea of CIP v5 “enforceability”, which I had conveniently just addressed in my most recent post. In that post, I said that the CIP v5 standards won’t be “effectively enforceable” (i.e., PVs assessed) until the regions are comfortable that they understand them[i]; I said that in general this won’t happen for at least six to 12 months after April 1, 2016.
I also said that the effective enforcement dates for CIP-002-5.1 R1 and the concept of ERC are currently “never”; that is, until R1 and the definition of ERC are rewritten to address the many ambiguities and contradictions in the current language, it is unlikely any auditor is going to issue a PV if his/her opinion on an issue differs from the entity’s opinion – as long as the entity has made a good faith effort to understand the issue in question and document why they arrived at that conclusion. For example, if the auditor and the entity have different opinions on the meaning of the words “affect the Bulk Electric System” in the definition of BES Cyber Asset – and the entity has documented how they researched that issue and came up with their interpretation – I don’t believe any auditor will issue a PV because in her/his opinion the entity has not properly identified their BES Cyber Assets.
There may well be a few other “inherently ambiguous” requirements that will require rewriting (a 2-3 year process, of course) before they can be effectively enforced. Let’s designate as “ambiguous requirements” the following: CIP-002 R1, requirements where ERC comes into play, and perhaps one or two other requirements. All the other requirements will be “non-ambiguous” requirements, although of course there’s always some ambiguity in any requirement that could ever be written in the English language.
So how will FERC’s coming into the audit picture change the effective enforcement dates? In the case of the non-ambiguous requirements, where I’m saying there won’t be PVs issued for at least six months for good-faith compliance efforts, I don’t think FERC auditors are going to be much harder than NERC Regional auditors. They will understand that there has been so much confusion about what the CIP v5 standards mean in general – confusion which will unfortunately not be cleared up in any meaningful sense right up until 4/1/16, and beyond that as well – that entities need more time before they can be held to the letter of the requirement (they also need time to develop their evidence record, as Tobias Whitney acknowledged at GridSecCon two weeks ago).[ii]
What about the ambiguous requirements: CIP-002 R1 and those that apply to assets with ERC? I also believe the same rule will apply for FERC as for NERC auditors: no PVs will ever be issued until there is definitive clarification of the current requirements. Since it appears that NERC will not provide such definitive clarification, I’ve been saying they need to be rewritten.
But, while FERC can’t officially issue new requirements or revise existing ones, FERC can issue its own clarifications of areas of ambiguity in CIP v5. In particular, as I said above, I think FERC’s discussion of LERC in their CIP v6 NOPR can easily be read as applying directly to ERC. And here the impact is profound: I believe entities need to review their own “definition” of ERC[iii] (and every entity with serially-connected devices at an asset that has a routable connection to the outside world needs to figure out for themselves how they will determine whether or not there is ERC in any particular case) to make sure it conforms with what FERC wrote in their NOPR. If it doesn’t conform, they need to make it conform – and they will need to rethink (and probably re-do) their identification of BES Cyber Systems with ERC if there is a discrepancy. If FERC is going to audit you, it’s safe to assume that FERC will apply the reasoning in the NOPR to determine whether or not your cyber assets have ERC.
The same consideration will apply for any other guidance that FERC may issue. Unlike guidance issued by NERC, such as the Lessons Learned and FAQs, you need to consider FERC’s guidance to be written in stone.[iv] So if FERC decides to clarify the various issues in CIP-002 (which I’ve been writing about in my series of posts on “Rewriting CIP-002”, starting with this one), you will need to pay close attention to this guidance, and re-do your original BES Cyber System identification and classification methodology to conform to whatever they say it should be (and then re-apply that methodology wherever needed). On the other hand, and in my opinion, the problems with CIP-002 R1 and Attachment 1 are so profound that FERC may not want to wade into the problem directly[v]; they may simply issue an order that CIP-002-5.1 needs to be rewritten (at least I hope they will!).[vi]
To summarize: There’s a new sheriff in town. Every NERC entity needs to rethink a lot of what they may have considered settled decisions on CIP v5 compliance; and I think they’ll probably determine they have to do a lot of things differently given that FERC could be their auditor. Of course, FERC’s official announcement may clarify what they intend to do.
And it also may not.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] I also said that, for an entity that hasn’t made a good-faith effort to understand or comply with a particular requirement, the effective enforcement date won’t be delayed beyond 4/1/16. The delayed effective date only applies to good-faith efforts to comply, for which there is a disagreement between the auditor and the entity about the meaning of the requirement in question. It doesn’t apply when the entity hasn’t made an effort to determine the proper interpretation, or even worse, has chosen an interpretation solely because it will make its compliance effort easier (for example, an entity that decided that only processors of 500 MHz and higher are “programmable”).
[ii] On the other hand, I think it is likely that FERC will be less tolerant in general of violations of the “little stuff”, which the NERC Regions are less likely to be concerned about – a missed signature, etc. This could actually turn out to be the biggest difference between FERC’s and NERC’s auditing of the CIP standards.
[iii] Of course, this isn’t a dictionary-type definition. Rather, it’s a procedure for determining whether or not there is ERC, in the case of a communications stream that contains both routable and non-routable elements.
[iv] Technically, of course, even FERC can’t issue “binding” interpretations. But since they have to approve all enforcement actions including fines, your only recourse if you disagree with FERC’s interpretation of an issue is to take it to court. I don’t believe any such appeal has ever been adjudicated.
[v] Except perhaps to provide a “definition” of Programmable. This wouldn’t in itself make CIP-002 enforceable, but it would be a good interim step during the 2-3 years it will take for the standard to be rewritten.
[vi] I think this would be the right thing to do; in fact, I thought it was the right thing to do in 2013, when I very helpfully “rewrote” CIP-002 to make it clearer. I’m very glad FERC didn’t order NERC to follow what I wrote back then, because I didn’t understand a lot of the problems in CIP-002-5.1. And even now I’m not saying that CIP-002 needs to be rewritten along the lines I’m suggesting. My primary motive has always been for CIP-002 to be rewritten so it is unambiguous and can be consistently followed; I’m not so worried about the particular concepts that would be in the rewritten version.