I spent all last week (Oct. 13-16, 2015) at NERC GridSecCon; as has been the case with the previous two events I’ve attended, this was an excellent program. Every year I say it can’t get any better, yet the next year it does; I’m already looking forward to the 2016 meeting in Quebec. My compliments to Bill Lawrence and his team for putting this together so efficiently and creatively, as well as for choosing as the venue the city where I was born (and in whose suburbs I grew up), Philadelphia.
One of the tenets of GridSecCon is that it’s about security, not compliance. That being said, there was one discussion titled “CIP V5 – the Home Stretch”; this was led by Tobias Whitney, Felek Abbas and Tom Hofstetter of NERC. One of the questions asked in that discussion was whether the “enforcement date” for v5 would be pushed back a year. Tobias answered that, while nobody expected strict enforcement to begin on April 2, 2016, enforcement would not be officially pushed back. This was certainly the answer I expected from Tobias, and I don’t disagree with it. However – as with all things NERC – there are a lot of nuances to this topic, at least some of which I’ll discuss in this post. I’ve already stated everything you’ll read below in previous posts, but this will bring all those statements together.
On the next break, a couple of people asked me if I had asked that question (questions were submitted on cards and read by Bill Lawrence, but he didn’t mention the questioner this time – perhaps intentionally, since the subject was compliance). I was asked this because this summer I had advocated the approach of leaving the main compliance date for v5 as 4/1/16, but setting an enforcement date a year later – 4/1/17. This was what was done in CIP version 1. The practical effect of this would be that, while entities would need to be compliant with v5 to the best of their ability on 4/1/16, they would not have to self-report violations, and they would not be assessed Potential Violations at audits, until 4/1/17.
When I made this proposal, I didn’t wait by my phone for Tobias to call excitedly to say this was a wonderful idea (of course, since my cell phone is always by my side except in the shower, this is an antiquated expression); I realized when I made the proposal that it wasn’t likely to be accepted. So in this post in August, I came up with the concept of the “effective enforcement date” (although I didn’t use that term). The idea of the effective enforcement date is fairly simple: A standard will be enforced only if the entities that are in charge of enforcement – that is, the eight NERC regions[i] – feel comfortable enforcing it. The effective enforcement date of a standard or requirement in your region is simply the date your Regional Entity feels comfortable issuing PVs (Potential Violations) for non-compliance.
So why wouldn’t the regions feel comfortable enforcing CIP v5 on 4/1/16? Tobias mentioned one reason in his answer: Enforcement of many of the v5 requirements depends on a record of having performed a particular operation, like patch management, on a regular basis. These requirements obviously can’t be properly audited until entities have had 3-6 months after the compliance date of 4/1/16 to build a record of compliance.
However, this isn’t the main reason why I believe the regions won’t feel comfortable enforcing v5 on 4/1/16. The main reason is – you guessed it – the huge amount of uncertainty over the standards. I can certainly verify this uncertainty from my discussions with a lot of NERC entities, but also from a recent Bridge Energy Group Utility Industry Survey[ii] that found that 68 percent of utilities believe their organization is “not well prepared” for CIP v5 compliance.
So I’m saying I believe the effective enforcement date for the CIP v5 standards will definitely be much later than 4/1/16. How much later? That will vary by standard and even requirement, as well as region. And to be frank, it’s likely to vary by auditor, since an individual auditor is only going to feel comfortable enforcing a v5 requirement when the auditor believes he or she understands what constitutes compliance with that requirement, in the context of the entity he/she is auditing.
However, just because the effective enforcement dates will vary a lot doesn’t mean I can’t give you some idea of what those dates might be. You may already know that I don’t often let lack of complete knowledge hold me back from making definite statements; my motto is “Often wrong, but never in doubt.” As usual, I will preface my statements with some “your mileage may vary” language.
- First, there isn’t one compliance date for CIP v5/v6, but lots of dates. This post describes the set of official compliance dates for the different standards, requirements, and even requirement parts. The fact that the effective enforcement date for most of the standards will be later than 4/1/16 will affect a lot, but perhaps not all, of the other compliance dates.
- The above set of dates is dependent on FERC’s approving the CIP v6 standards on time, as discussed in this post. To summarize that discussion, if FERC doesn’t approve v6 by the end of November (not December, as some might think, because FERC’s approval won’t become official until the Order is published in the Federal Register, and that takes about 30 days), the v6 dates will be delayed. And NERC may decide to delay the v5 dates to match the v6 delays (at least, I hope they would do that – again, this is because in this case the regions aren’t going to effectively enforce v5 anyway).
- When I say compliance will be effectively postponed, I am specifically talking about Potential Violation citations not being issued. Entities will still need to self-report any potential violations they know of; I just find it very hard to believe these will turn into actual citations, and even less into Violations. But this is the biggest difference between the idea of NERC’s officially moving the actual enforcement date back, and the idea of the enforcement date being effectively moved back without any official action: in the former scenario, entities won’t have to do self-reports, while in the latter they will have to.
- The biggest caveat in all of this is that PVs and violations will still be issued for entities that simply blow off their responsibility for complying with all or part of CIP v5. There has to be a good faith effort to comply. And this includes the entity doing its best to research any areas of ambiguity; for example, even though there is no definition of “programmable” and no definitive guidance from NERC on this important issue, it is still up to the entity to read the different documents NERC has put out on this (two of these were later rescinded, but they still describe valid alternatives for this definition). It is also important to get whatever guidance is available from your region, either in public meetings or in private conversations. Finally, it is vitally important to document all of this – both the different alternatives you considered, as well as how you came to your final conclusion on the particular issue. Of course, this will be a lot of work[iii]; but there really is no alternative, given it’s been clear since at least July that there will never be any fairly definitive guidance from NERC on the great majority of areas of ambiguity in CIP v5, at least not before 4/1/16 (and probably a good while after that).
So here are the details:
- I believe CIP-002-5.1 R1 will never be enforceable until it is rewritten in full; this includes the definitions that are missing from it, including the word “programmable” in the Cyber Asset definition and “affect the reliable operation of the BES” in the BES Cyber Asset definition. Of course, rewriting this standard will be a massive job and will take a minimum of three years starting when a SAR is accepted by NERC (and none has yet even been written, of course). I should point out that Tobias Whitney said at GridSecCon that there would probably be a SAR for a definition of “programmable”. Just addressing this one part of the CIP-002 problem, while leaving the rest untouched (and I’m writing a whole series of posts on “Rewriting CIP-002” now), will frankly be useless. This is because a team drafting a new CIP-002 R1 might well decide that having a separate definition of Cyber Asset isn’t needed; they might want to fold this into the definition of BES Cyber Asset. They might even decide that the whole concept of BCA can be eliminated, so that BES Cyber Systems will be the first thing identified in a rewritten R1. Even with “programmable” finally defined, R1 will be no more enforceable than it is now, if the other issues aren’t addressed. And all of the R1 issues need to be addressed as a whole, not individually.
- The concept of External Routable Connectivity has turned out to be a black hole, meaning that in my opinion there will never be an end to the arguments on what constitutes ERC (as I concluded in this recent post). In fact, as I pointed out in this other recent post, an RF auditor announced at their recent CIP v5 workshop that RF won’t issue PVs for improper identification of BCS with or without ERC; and I’ve heard this may soon be an ERO-wide provision.[iv] Fixing the problem will require at a minimum rewriting the definition of ERC (and very likely the new “definition” will really be a set of procedures for determining when there is ERC, rather than a definition like one found in a dictionary). So the effective enforcement date for the concept of ERC (which of course affects a lot of requirements) is also “never”, until the definition is rewritten.
- I am certain there are at least a couple of other requirements or definitions that won’t be enforceable until they are rewritten. I’ll just have to keep you informed as I discover them.
- What about all of the other requirements (in a few cases, complete standards) that aren’t affected by these various black holes – i.e., the requirements that to this day seem fairly unambiguous? Even though these may be unambiguous, I’m reasonably sure that no PVs will be issued for any CIP v5 requirement for a minimum of four to six months after 4/1/16, provided of course that the entity has made a good faith effort to comply with the requirement. The exact effective enforcement date will of course depend on how well the region feels it understands the requirement, as well as how the individual auditor feels; in many cases, the EED could be well beyond 10/1/16.[v] I’m told that some at NERC were concerned about a “bow wave” of violations of v5 starting 4/1/16. I’d say their concern is misplaced; the bigger question is whether CIP v5 will ever be enforceable in any meaningful sense.
I’m not kidding with that last sentence. If you think about it, CIP-002 R1 (and Attachment 1) and the definitions of Cyber Asset, BES Cyber Asset and ERC are the complete set of components of the asset identification process in v5; however, it is precisely these items that are black holes. Since all of the other CIP v5 and v6 requirements assume the entity has properly identified and classified its BES Cyber Systems, and since that assumption can never be proven or contradicted given the current wording of the standards, how can the CIP v5 and v6 standards ever be meaningfully enforced?
How indeed?
That’s the $64,000 question.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] I realize it isn’t technically correct to say the NERC Regions, or even NERC itself, are in charge of enforcement of CIP or the other NERC standards (i.e., assessing fines). In the US, FERC is technically the enforcer; in Canada it’s the appropriate provincial authority.
[ii] The results had previously been released, but were reported by Richard Jones of Bridge at GridSecCon.
[iii] I estimate the total compliance paperwork burden for v5 is at least three to five times that for CIP v3, and perhaps more than that. And that’s holding the number of assets in scope constant – which of course isn’t the case for most entities that had to comply with v3. I’d guess that 80-90% of such entities have more assets and cyber assets in scope for v5, often significantly more.
[iv] Of course, the “good faith” rule applies here. If you have an all-routable connection between a device in a substation and your EMS, I don’t recommend you claim there is no ERC. The confusion only applies in cases where there is at least some serial communications in the stream.
[v] I have previously said there needs to be a gap of a year between the date when it can be said that NERC and the regions have provided sufficient guidance on the CIP v5 and v6 standards (so that they can be described as “well-understood”) and the date they will effectively be enforceable. If you want to go by that rule, then it’s hard to see when the standards will ever be enforceable in any meaningful sense. It’s just about certain that there will not be significant guidance from NERC on most areas of uncertainty before 4/1/16, so by my rule the effective enforceable date for all of v5 and v6 will be 4/1/17, and probably much later than that. This is why it is truer than ever that a NERC entity needs to run any questions it has by its region. The only “interpretation” of a requirement that you can bank on to be followed when you’re audited is one that has been provided to you by your region. And BTW, if you got an “interpretation” from your region say six months or more ago, it greatly behooves you to get it reconfirmed. Given all the changes that have happened – including the various Lessons Learned and Memoranda that NERC has issued and then retracted – it would be very surprising if your region hasn’t changed their opinions on the meaning of “programmable”, ERC, etc.