The CIP v5 Enforcement Date

I spent all last week (Oct. 13-16, 2015) at NERC GridSecCon; as has been the case with the previous two events I’ve attended, this was an excellent program. Every year I say it can’t get any better, yet the next year it does; I’m already looking forward to the 2016 meeting in Quebec. My compliments to Bill Lawrence and his team for putting this together so efficiently and creatively. As well as for choosing as venue the city where I was born (and in whose suburbs I grew up), Philadelphia.

One of the tenets of GridSecCon is that it’s about security, not compliance. That being said, there was one discussion titled “CIP V5 – the Home Stretch”; this was led by Tobias Whitney, Felek Abbas and Tom Hofstetter of NERC. One of the questions asked in that discussion was whether the “enforcement date” for v5 would be pushed back a year. Tobias answered that, while nobody expected strict enforcement to begin on April 2, 2016, enforcement would not be officially pushed back. This was certainly the answer I expected from Tobias, and I don’t disagree with it. However – as with all things NERC – there are a lot of nuances to this topic, at least some of which I’ll discuss in this post. I’ve already stated everything you’ll read below in previous posts, but this will bring all those statements together.

On the next break, a couple people asked me if I had asked that question (questions were submitted on cards and read by Bill Lawrence, but he didn’t mention the questioner this time – perhaps intentionally since the subject was compliance). I was asked this because I had this summer advocated the approach of leaving the main compliance date for v5 as 4/1/16, but setting an enforcement date a year later – 4/1/17. This was what was done in CIP version 1. The practical effect of this would be that, while entities would need to be compliant with v5 to the best of their ability on 4/1/16, they would not have to self-report violations, and they would not be assessed Potential Violations at audits, until 4/1/17.

When I made this proposal, I didn’t wait by my phone for Tobias to call excitedly to say this was a wonderful idea (of course, since my cell phone is always by my side except in the shower, this is an antiquated expression); I realized when I made the proposal that it wasn’t likely to be accepted. So in this post in August, I came up with the concept of the “effective enforcement date” (although I didn’t use that term). The idea of effective enforcement date is fairly simple: A standard will be enforced only if the entities that are in charge of enforcement – that is, the eight NERC regions[i] – feel comfortable enforcing it. The effective enforcement date of a standard or requirement in your region is simply the date your Regional Entity feels comfortable issuing PVs for non-compliance.

So why wouldn’t the regions feel comfortable enforcing CIP v5 on 4/1/16? Tobias mentioned one reason in his answer: Enforcement of many of the v5 requirements depends on a record of having performed a particular operation like patch management on a regular basis. These requirements obviously can’t be properly audited for 3-6 months after the compliant date of 4/1/16, so that entities can build a record of compliance.

However, this isn’t the main reason why I believe the regions won’t feel comfortable enforcing v5 on 4/1/16. The main reason is – you guessed it – the huge amount of uncertainty over the standards. I can certainly verify this uncertainty from my discussions with a lot of NERC entities, but also from a recent Bridge Energy Group Utility Industry Survey[ii] that found that 68 percent of utilities believe their organization is “not well prepared” for CIP v5 compliance.

So I’m saying I believe the effective enforcement date for the CIP v5 standards will definitely be much later than 4/1/16. How much later? That will vary by standard and even requirement, as well as region. And to be frank, it’s likely to vary by auditor, since an individual auditor is only going to feel comfortable enforcing a v5 requirement when the auditor believes he or she understands what constitutes compliance with that requirement, in the context of the entity he/she is auditing.

However, just because the effective enforcement dates will vary a lot doesn’t mean I can’t give you some idea of what those dates might be. You may already know that I don’t often let lack of complete knowledge hold me back from making definite statements; my motto is “Often wrong, but never in doubt.” As usual, I will preface my statements with some “your mileage may vary” language.

1. First, there isn’t one compliance date for CIP v5/v6, but lots of dates. This post describes the set of official compliance dates for the different standards, requirements, and even requirement parts. The fact that the effective enforcement date for most of the standards will be later than 4/1/16 will affect a lot, but perhaps not all of, the other compliance dates.
2. The above set of dates is dependent on FERC’s approving the CIP v6 standards on time, as discussed in this post. To summarize that discussion, if FERC doesn’t approve v6 by the end of November (not December as some might think. This is because FERC’s approval won’t become official until the Order is published in the Federal Register, and that takes about 30 days), the v6 dates will be delayed. And NERC may decide to delay the v5 dates to match the v6 delays (at least, I hope they would do that – again, this is because in this case the regions aren’t going to effectively enforce v5 anyway).
3. When I say compliance will be effectively postponed, I am specifically talking about Potential Violation citations not being issued. Entities will still need to self-report any potential violations they know of; I just find it very hard to believe these will turn into actual citations, and even less into Violations. But this is the biggest difference between the idea of NERC’s officially moving the actual enforcement date back, and the idea of the enforcement date being effectively moved back without any official action: in the former scenario, entities won’t have to do self-reports, while in the latter they will have to.
4. The biggest caveat in all of this is that PVs and violations will still be issued for entities that simply blow off their responsibility for complying with all or part of CIP v5. There has to be a good faith effort to comply. And this includes the entity doing its best to research any areas of ambiguity; for example, even though there is no definition of “programmable” and no definitive guidance from NERC on this important issue, it is still up to the entity to read the different documents NERC has put out on this (two of these were later rescinded, but they still describe valid alternatives for this definition). It is also important to get whatever guidance is available from your region, either in public meetings or in private conversations. Finally, it is vitally important to document all of this – both the different alternatives you considered, as well as how you came to your final conclusion on the particular issue. Of course, this will be a lot of work[iii]; but there really is no alternative, given it’s been clear since at least July that there will never be any fairly definitive guidance from NERC on the great majority of areas of ambiguity in CIP v5, at least not before 4/1/16 (and probably a good while after that).

So here are the details:

1. I believe CIP-002-5.1 R1 will never be enforceable until it is rewritten in full; this includes the definitions that are missing from it, including the word “programmable” in the Cyber Asset definition and “affect the reliable operation of the BES” in the BES Cyber Asset definition. Of course, rewriting this standard will be a massive job and will take a minimum of three years starting when a SAR is accepted by NERC (and none has yet even been written, of course). I should point out that Tobias Whitney said at GridSecCon that there would probably be a SAR for a definition of “programmable”. Just addressing this one part of the CIP-002 problem, while leaving the rest untouched (and I’m writing a whole series of posts on “Rewriting CIP-002” now), will frankly be useless. This is because a team drafting a new CIP-002 R1 might well decide that having a separate definition of Cyber Asset isn’t needed; they might want to fold this into the definition of BES Cyber Asset. They might even decide that the whole concept of BCA can be eliminated, so that BES Cyber Systems will be the first thing identified in a rewritten R1. Even with “programmable” finally defined, R1 will be no more enforceable than it is now, if the other issues aren’t addressed. And all of the R1 issues need to be addressed as a whole, not individually.
2. The concept of External Routable Connectivity has turned out to be a black hole, meaning that in my opinion there will never be an end to the arguments on what constitutes ERC (as I concluded in this recent post). In fact, as I pointed out in this other recent post, an RF auditor announced at their recent CIP v5 workshop that RF won’t issue PVs for improper identification of BCS with or without ERC; and I’ve heard this may soon be an ERO-wide provision.[iv] Fixing the problem will require at a minimum rewriting the definition of ERC (and very likely the new “definition” will really be a set of procedures for determining when there is ERC, rather than a definition like one found in a dictionary). So the effective enforcement date for the concept of ERC (which of course affects a lot of requirements) is also “never”, until the definition is rewritten.
3. I am certain there are at least a couple other requirements or definitions that won’t be enforceable until they are rewritten. I’ll just have to keep you informed as I discover them.
4. What about all of the other requirements (in a few cases, complete standards) that aren’t affected by these various black holes – i.e. the requirements that to this day seem fairly unambiguous? Even though these may be unambiguous, I’m reasonably sure that no PVs will be issued for any CIP v5 requirement for a minimum of four to six months after 4/1/16, provided of course that the entity has made a good faith effort to comply with the requirement. The exact effective enforcement date will of course depend on how well the region feels it understands the requirement, as well as how the individual auditor feels; in many cases, the EED could be well beyond 10/1/16.[v] I’m told that some at NERC were concerned about a “bow wave” of violations of v5 starting 4/1/16. I’d say their concern is misplaced; the bigger question is whether CIP v5 will ever be enforceable in any meaningful sense.

I’m not kidding with that last sentence. If you think about it, CIP-002 R1 (and Attachment 1) and the definitions of Cyber Asset, BES Cyber Asset and ERC are the complete set of components of the asset identification process in v5; however, it is precisely these items that are black holes. Since all of the other CIP v5 and v6 requirements assume the entity has properly identified and classified its BES Cyber Systems, and since that assumption can never be proven or contradicted given the current wording of the standards, how can the CIP v5 and v6 standards ever be meaningfully enforced?

How indeed? That’s the $64,000 question.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.

---

[i] I realize it isn’t technically correct to say the NERC Regions, or even NERC itself, are in charge of enforcement of CIP or the other NERC standards (i.e. assessing fines). In the US, FERC is technically the enforcer; in Canada it’s the appropriate provincial authority.

[ii] The results had previously been released, but were reported by Richard Jones of Bridge at GridSecCon.

[iii] I estimate the total compliance paperwork burden for v5 is at least three to five times that for CIP v3, and perhaps more than that. And that’s holding the number of assets in scope constant – which of course isn’t the case for most entities that had to comply with v3. I’d guess that 80-90% of such entities have more assets and cyber assets in scope for v5, often significantly more.

[iv] Of course, the “good faith” rule applies here. If you have an all-routable connection between a device in a substation and your EMS, I don’t recommend you claim there is no ERC. The confusion only applies in cases where there is at least some serial communications in the stream.

[v] I have previously said there needs to be a gap of a year between the date when it can be said that NERC and the regions have provided sufficient guidance on the CIP v5 and v6 standards (so that they can be described as “well-understood”) and the date they will effectively be enforceable. If you want to go by that rule, then it’s hard to see when the standards will ever be enforceable in any meaningful sense. It’s just about certain that there will not be significant guidance from NERC on most areas of uncertainty before 4/1/16, so by my rule the effective enforceable date for all of v5 and v6 will be 4/1/17, and probably much later than that.  This is why it is truer than ever that a NERC entity needs to run any questions it has by its region. The only “interpretation” of a requirement that you can bank on to be followed when you’re audited is one that has been provided to you by your region. And BTW, if you got an “interpretation” from your region say six months or more ago, it greatly behooves you to get it reconfirmed. Given all the changes that have happened – including the various Lessons Learned and Memoranda that NERC has issued and then retracted – it would be very surprising if your region hasn’t changed their opinions on the meaning of “programmable”, ERC, etc.