Thursday, December 29, 2016

An Auditor Addresses Auditing on Ambiguous Authorities


My most recent post discussed what kind of information the NERC regions are willing to provide regarding how they interpret (little “i”, of course!) areas of ambiguity in the CIP standards, as well as the format they’re willing to provide it in (verbal or written). As almost a sidebar in that post, I made the assertion – which I used to repeat about once a week during the big debates in 2014 about how to handle ambiguity in the runup to CIP v5 compliance – that, in cases where the entity has to make a decision on how to comply with a truly ambiguous requirement, they need to look at all available guidance from NERC, the regions, Tom Alrich’s blog, The Tibetan Book of the Dead, the I Ching, etc. But in the end, it is up to the entity to make its own decision, and especially to document how it made it.

If the entity gets audited three years later and the auditor doesn’t agree with the decision they made, there’s no way he or she can issue them a PV (and have it upheld). You gotta do what seems best given the available information at the time. I pointed this out because the auditor I quoted in that post had endorsed this position in the email I quoted there.

However, in seeing how I had interpreted what he said, the auditor emailed me back. Here is the full text of his email:

“A clarification...

“When I said we would audit based on what the entity actually did and using the best information at the time, I was not saying we would forgive the entity if they relied on advice or guidance provided at the time of the inquiry, only to be found non-compliant at the time of audit.  At the time (I) was referring to the time of audit.  And what the entity actually did is very important because we have seen entities misapply our guidance.

“We provide guidance using the very best information available at the time of the inquiry.  But, as we all know, things change.  Standards are revised.  Interpretations, although infrequent, do get approved by FERC.  NERC issues guidance through its Section 11 process.  And, while we try very hard to thoroughly understand not only the nuances of the Standards, but also the question being asked, we are not infallible.  We reserve the right to get smarter.

“We expect the entity to take our guidance into consideration as they would any other.  Moreover, we expect the entity to keep up with changes and additional guidance as they evolve.  We expect the entity to determine their course of action after due consideration; not just to do something because the Region ‘told them to’ unless the direction is in response to a non-compliance issue, such as a violation mitigation or a RAD.

“That said, the Region is still the best resource.  We are closer to NERC, NERC guidance, and the collective wisdom of all eight Regions.  Auditors across all eight Regions and NERC have the ability to collaborate and seek consensus on issues as they arise, whether submitted as a question or encountered at audit.  We collectively communicate and discuss issues on a frequent basis.  We have also had the benefit of seeing numerous and sometimes widely varying approaches to compliance, and know what works and what is problematic.”

The three main lessons I draw from this email are:

  1. Suppose your region provided compliance guidance for a requirement or you read about the issue in some official guidance, and you based your compliance approach for that requirement on what you had been told or read. You did this because this was the most recent guidance you could find. This doesn’t preclude you from still being found in violation at audit. NERC or your region may change its mind or decide it made a mistake, the CIP Standards Drafting Team may issue a draft requirement that clarifies the issue, FERC could issue an Order or a NOPR that affects the issue, etc. In other words, contrary to what I wrote in the previous post, just being able to show that your action was in accordance with the best guidance available at the time doesn’t give you a Get Out of Jail Free card for a future violation.[i]
  2. Even when your region provides guidance on a requirement, they aren’t expecting you to follow it blindly. If you have documentation of guidance issued by some “official” entity that contradicts the region’s guidance and you want to follow that guidance not the region’s, you should feel free to do so.
  3. And it seems the regions aren’t infallible and can change their minds! I was shocked…shocked! to hear this, of course.

At this point, I realized that the idea of the entity having to decide for itself how to comply, based on all the guidance available at the time, made lots of sense in the context where I described it in 2014 (and it wasn’t my idea, but that of a longtime control system/CIP professional at a large generating organization), when entities were staring at a seemingly fast-approaching v5 compliance date and had to make decisions right away if they were going to be in compliance with v5 by the mandated date. But what does the idea mean now, when the compliance date has long passed?

I then replied to the auditor and laid out a set of scenarios where an entity found or received guidance either a long or short time before an audit, the guidance they received was either very quick or very time-consuming to implement, the entity either could or couldn’t implement the changes before the audit, etc. I asked what his region would do if it found potential non-compliance in the audit, in each of the scenarios I laid out.

Fortunately for me (since I now realize my request was fairly foolish), the auditor didn’t take the bait. Here is the entire text of his response:

“The answer to all your questions is...  It depends.  When was guidance originally issued, if any? When was it revised?  What did the entity do before the current guidance?  What did they do with the guidance once it came out?  Essentially, the entity needs to tell its story and explain why it thinks it should not be found non-compliant.  The auditor will listen and evaluate what the entity presents.

“The auditor starts out reading the plain language of the Requirement.  Where there is vagueness and uncertainty, we will be conservative in any response we give during outreach or in response to questions.  Our recommendations with respect to virtualization bear that out.  We have no idea where the SDT will ultimately go.  But our intent with conservative guidance is to give the entity a direction that will likely be compliant with whatever the SDT produces and FERC approves.  If the entity wants to bet against our advice, they are free to do so.  Maybe they will get lucky, maybe they won't.  But the guidance we have been giving today is firmly rooted in the language of the Standards today.  And, my Region, at least, will explain our position couched in the language of the Standards.

“We will be, hopefully, reasonable in both our guidance and also our ultimate finding.  But there is absolutely no way an auditor will declare today how it will find an entity in 2019.  We have to see the facts and circumstances at the time of the audit.  In the end, we take industry guidance under advisement and give it weight.  But, to the extent the guidance includes errors or contradicts the language of the Requirement, we have no choice but to audit to the language of the requirement. The entity can appeal the auditor's finding through the enforcement process.

“Here is an example.  By when does an entity have to first test its Incident Response Plan for Low Impact BCS?  Many entities think they have until 4/1/2020 and base that on the fact that there was a delayed effective date (by 12 months) for the equivalent Requirement applicable to High and Medium Impact BCS.  But, show me where in any Implementation Plan a deferral is specified for Section 4 of Attachment 1 to CIP-003-6. There is none.  The Implementation Plan says 4/1/2017.  Maybe the SDT overlooked this detail and intended to give a delayed start date. Maybe not.  Regardless, all we have to work with is what FERC approved; the specifics in the Implementation Plan.  That and the Excel spreadsheet that NERC published that also shows 4/1/2017.

“Now, if 4/1/2017 comes along and we start writing violations, and then the Implementation Plan is changed to delay the first test, then Enforcement can dismiss the violation.  But the auditor determination is a finding of fact at the time of the audit.

“Here is another example.  The CIP-002-5.1 guidance recently published by NERC was produced by the entities and not the Regions.  It contains errors that the authors declined to address following a Regional Entity review.  So, what happens if an entity follows that guidance and gets the wrong answer?  Possibly a violation for failing to properly identify and categorize their BCS….the entity will likely not receive a violation if they over-categorize their BCS.  But declare something Low when it is Medium, they will likely be found non-compliant, regardless (of) what the guidance says.  Guidance is not approved by either the NERC Board of Trustees or FERC. It is given some deference, but it is not…(binding from a regulatory point of view).

“So be very careful trying to characterize what an auditor will do in the future….(T)hat does not invalidate the appropriateness of an entity asking for advice and guidance.  They are still better off than asking some of the consultants out there that have not been as closely involved with the CIP Standards.”

I won’t try to summarize this statement; it seems pretty straightforward to me.


The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.


[i] Of course, it is still pretty unlikely that you would receive a large penalty – or perhaps any penalty – when you can show that you were acting on the best information available at the time you had to make the decision.

Wednesday, December 28, 2016

What will the Regions Say?


This is the second post inspired by comments I received after my post entitled “A Lesson Still Unlearned”.

In this recent post, I made the statement “Since the Rules of Procedure say nothing about the regions having any authority to interpret the standards, no region will ever commit an interpretation to writing, even in an email. I have heard from a lot of entities that you have to call up an auditor and ask his or her opinion, if you have an interpretation question. They might not tell you, of course, but if they do they will only do it on the phone. Of course, this means that if, three years from now, a different auditor issues a PV because their interpretation was different from that of the auditor you talked to, there won’t be any documentation of what the original auditor told you.” (note I slightly revised this quotation to clarify it)

I got two sets of comments from two CIP auditors on this statement. One set was from an auditor who has contributed to many of my posts over the years. The other set was from Lew Folkerth, who was formerly a CIP auditor but is now head of CIP outreach for the ReliabilityFirst region; he has been the subject of a number of my posts. For both of their regions (although I don’t know whether this is true of any of the other regions), my statement above wasn’t completely accurate. Interestingly enough, I seem to have been wrong in different ways for their two regions.

Let’s start with the current auditor. He wrote “My Region receives and responds to far more email requests than…phone calls.  And we do so by email…That said, entities like to get on a conference call because it is more efficient and comprehensive to have a two-way discussion than to tag back and forth via email.  Entities need to understand that we are giving our best professional opinion, (that) we are not directing an approach or implementation, and that we will audit what the entity actually did in the light of the best understanding of the requirements available at that time.”

In a subsequent email, he elaborated on this: “As far as email responses, it is often the collective opinion of the team and not just one person.  We don't usually preface the response.  Our entities generally know us well enough that an explicit statement each time is not necessary.  We have been doing outreach and responding to questions for 7 years now.”

The auditor is saying that, not only do he and the other auditors in his region respond to “interpretation” questions by email, they do this much more often than by just a phone call. At the same time, he says that in their comments they’re not directing a particular approach to compliance, and they will audit entities on ambiguous requirements based on whatever was the best information available at the time the entity had to make the decision.

For example, suppose you have to make a decision on a particular issue like the cloud or virtualization. You investigate the available guidance and implement your decision; yet NERC subsequently comes out with new guidance that calls into question the judgment you made. This region (and I suspect most if not all the other regions) won’t ding you for not following guidance that wasn’t available when you had to decide.[i]

Moving to the auditor’s second paragraph, it is clear that not only do the auditors in his region respond by email, they also don’t insist that anything they say is merely a personal opinion; they discuss many issues as a team, and are willing to stand behind their team’s collective decision. Of course, this doesn’t mean a) they won’t as a team change their opinion later, nor b) that the individual auditor you talk to won’t actually be giving his or her personal opinion, not the collective one (note the auditor says that they don’t usually preface a statement by saying that it is either a collective opinion or an individual one); so this means you still can’t rely on these emails as being the “official” position of that region. But this does seem to be a step further than what most other regions will do.

Let’s move to Lew Folkerth of RF. Lew writes excellent articles on CIP in the bi-monthly RF newsletter; these articles are always called “The Lighthouse”.[ii] They provide compliance guidance on different aspects of CIP; some have even dared to suggest that what he does constitutes “interpretation”! (of course, I would never use that forbidden word in describing Lew). I have written more than one post on these articles[iii]; you can find all of the newsletters on RF’s website. In an email, Lew wrote “at RF we do a lot of ‘Assist Visits’ which an entity can request through the RF web site. Most Assist Visits are phone calls with multiple RF SMEs and entity SMEs. We seldom, if ever, provide a written response to questions as a group. Individually we may respond to emails, but always with the caveat that this is one person’s opinion and is not an official RF response.” Lew goes on to point out that, in his Lighthouse articles, any “interpretation” he does of the Standards is his own opinion, nothing more.

So Lew is saying that RF’s auditors and outreach people will sometimes respond to questions by email, but they will always preface the email by saying this is their personal opinion. And the same goes for his Lighthouse articles. Any collective opinions will only be expressed verbally, not in writing (and Lew doesn’t say that RF even formulates any collective opinions of the auditors, as the other region just discussed does). RF clearly doesn’t go as far as the other region goes, and I suspect the other regions fall more in RF’s camp – although I will point out that Lew’s “Lighthouse” articles are literally unique among the regions, in actually providing compliance guidance in an article format.

I’m not making any judgments on any of the NERC regions in this post.  There are no official NERC guidelines to the regions for providing unofficial guidance! If anything, the moral is that if you plan to rely heavily on something that a CIP auditor or outreach person in your region tells you, you should find out under what conditions the opinion is provided. Is it an individual opinion? More than that? And you also need to remember that you will never receive an “official” position from any region, even if it is more than the individual auditor’s opinion. There will always be some risk that when you get audited three years from now, the auditor won’t even have heard about what was originally said to you, and in any case will discount it as simply another auditor’s opinion.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.


[i] This idea is very similar to what I often said during the time in 2014 and 2015 when entities had to make decisions on ambiguous areas like the meaning of “Programmable”: You can only be held responsible for compliance with the meaning of a requirement as it was understood at the time. This means you have to look at all available guidance, but in the end it is up to the entity to make its decision – although a consultation with its region is definitely also advised.

When I asked the auditor to clarify this point, he wrote back an email that added a further dimension to this particular issue that I hadn’t anticipated. Rather than try to shoehorn that into this post, I will do a new post dedicated to it soon.

[ii] I hereby reveal the meaning of this title. I have been harboring this dark secret for so long, I can no longer continue to do so in good conscience. Lew is a great fan of the lighthouses on the Great Lakes, and always adorns his column with a picture of one of them. I am also a fan of those lighthouses, but I’m sure he has seen far more than I have.

[iii] And my next post will call people’s attention to two recent articles, which I think are really excellent.

Monday, December 26, 2016

“Implementation Guidance”


I received some very good comments on my most recent post. I will discuss them in three new posts. Here’s the first one.

A longtime NERC practitioner – whom I have known for a number of years – emailed me about my most recent post, in which I reiterated the sorry fate of all of NERC’s attempts in recent years to provide official “interpretations” of the wording of CIP requirements and definitions, which didn’t go through the only two processes allowed by NERC’s Rules of Procedure: a Request for Interpretation, or a SAR to rewrite all or part of a standard or standards. NERC’s motivation for trying to unofficially “interpret” the CIP standards has always been admirable: a desire to have a uniform auditing method that all regions and auditors will follow. But in every case, NERC has run up against the same wall they’ve hit before: there is no way to do this short of an RFI or SAR – and both of those take years to yield results (and may come up empty-handed, as in the case of two Interpretations of CIP requirements that were approved by NERC but remanded by FERC four years ago).

In my post, I provided three examples from the most recent NERC CIPC meeting that seem to indicate that NERC (and others in the NERC community) has still not learned this lesson. Regarding the third of these examples, my friend said:

“On your 12/17/16 posting you state:

3) At one point, Tobias brought up something I’d forgotten about: that somehow a number of industry organizations, including the trade associations, have become empowered to write up “guidance” on CIP compliance questions. I had heard this before, but couldn’t understand what it meant – and I still can’t. Any organization has always been empowered to write guidance for its members (and any others who wish to follow it) on how to comply with any standard – whether a NERC standard or not. But there is no way that this can be considered some sort of “official” guidance, which NERC will endorse as something the regional auditors should follow. And if that’s the case, why even imply that allowing the organizations to issue guidance is in some way a mitigation of the wording problems with CIP v5/v6? It isn’t.

“Actually, the ERO Enterprise does endorse Implementation Guidance documents and auditors are directed to show “deference” to the guidance. The Implementation Guidance (documents) are intended to be examples of ways to be compliant with requirements, but not prescriptive as the only way to comply. More info on the process, the ERO’s processes and existing guidance is at http://www.nerc.com/pa/comp/guidance/Pages/default.aspx.”


My friend also attached a short document titled “ERO Enterprise CMEP Practice Guide: Deference for Implementation Guidance” (I’m having trouble reaching NERC’s web site today, so I can’t provide the link; but you can Google it. I don’t think that’s NERC’s fault. I’m in an Asian country that sometimes seems to restrict access to certain sites for reasons unknown to me. I couldn’t reach RF’s site, either). And I now want to clarify the paragraph from my post that my friend quoted. I’m not at all opposed to NERC’s endorsing guidance prepared by other organizations, as long as there is no implication that it will provide some unique perspective on the meaning of a requirement that would elevate it over guidance provided by other less privileged sources – say, this blog.

The NERC document my friend referenced says “ERO Enterprise CMEP staff (essentially, NERC and regional auditors) will provide deference to ERO Enterprise endorsed Implementation Guidance.” And what do they mean by “deference”? The last sentence of the document reads “If CMEP staff determines the registered entity was found in non-compliance with a NERC Reliability Standard or Requirement, but in good faith, relied on Implementation Guidance, ERO Enterprise CMEP staff will provide deference to ERO Enterprise endorsed Implementation Guidance.”

I will take NERC at its word that Implementation Guidance doesn’t constitute an Interpretation of a requirement or definition, so I’ll stipulate this is perfectly legal (i.e. compliant with the Rules of Procedure). But my problem is that NERC seems to think that the possible future development of Implementation Guidance on sticky issues like VOIP and the cloud (as well as others) constitutes in some way at least partial compensation for the fact that the current CIP standards require interpretation regarding these issues. Implementation Guidance documents on these and other issues will certainly be welcome, but at the end of the day NERC entities will still not understand what the standards say about these interpretation issues (because they don’t say anything about them, or what they say isn’t clear); in other words, there won’t be any certainty on these issues. Once again, the only legal way to provide definitive guidance is an RFI or a SAR.

If you haven’t been reading my posts religiously the past few months, you may think I’m now pushing a hardline position that NERC has to immediately write a bunch of RFIs and SARs and set 10 or 20 new Standards Drafting Teams to work on these. That’s the last thing I want. What I do want is a single SAR to rewrite all of CIP in a non-prescriptive, objectives-based format, which will change arguments like these from ones with grave compliance implications to simply issues requiring guidance. This non-prescriptive format isn’t something completely new, but can currently be found in CIP-013, CIP-014, CIP-007-6 R3 and CIP-010-2 R4[i], as well as at least two other current CIP requirements.

I say this because I am now convinced that CIP is at an impasse: It will be impossible to address significant interpretation questions like VOIP, and especially to accommodate more recent technologies like virtualization and the cloud, any other way. More on this coming soon to a blog near you.


The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.


[i] In listing these examples of current (or future, in the case of CIP-013) non-prescriptive NERC standards or requirements, I’m not saying that any one of the differing formats of these standards and requirements is exactly what should be followed for the “new CIP” standards. I and two co-authors are currently working on a book that will provide (hopefully by the end of 2017) what we think would be the best format, and I will sometimes discuss working ideas for this in my blog.

Saturday, December 17, 2016

A Lesson Still Unlearned


I attended the NERC CIPC meeting in Atlanta this week. There wasn’t a lot of discussion of the CIP standards, since they are just one of the topics discussed at those meetings, and we aren’t currently in the throes of any momentous developments in CIP. But I was struck by one common theme I heard from a couple of the speakers, and realized that a lesson I thought the NERC community had learned over the past four or five years still hasn’t been learned.

The lesson is simple: If there are gaps or inconsistencies in a NERC standard that can’t be fixed with a straightforward reading of the text, the only permanent remedy is to write a SAR (Standards Authorization Request) and draft a new or revised standard that fixes the problem. There is no other remedy allowed by NERC’s Rules of Procedure.

NERC has run into this immutable fact several times in the past (at least regarding CIP), and has spent a lot of time and effort trying to get around it. Does anybody remember the 2012 CANs (Compliance Application Notices) and CARs (Compliance Analysis Reports) that were intended to fix inconsistencies in interpretation of the CIP v3 requirements? They caused a lot of weeping, wailing and gnashing of teeth in the NERC community, and they were ultimately withdrawn.

Now let’s go to CIP v5. After FERC approved v5 in late 2013 and entities took a serious look at the requirements in 2014, they began to realize there were a lot of problems with the wording – ambiguities, inconsistencies and just plain holes. NERC acknowledged there were some problems and vowed to address them in time for entities to be fully compliant by the faraway date of April 1, 2016.

They promised a large and shifting array of documents to fix the problems. There may have been others, but I remember NERC pointing at various times to the V5 Implementation Study, the RSAWs, Section 11 Supporting Documents, the Lessons Learned and finally the infamous Memoranda (which created a huge firestorm, as a result of which all of them were revoked and removed from the NERC web site).

All of these documents fell into one of two types: serious attempts to address gaps or inconsistencies; or “helpful hints” regarding CIP compliance that didn’t address wording problems. Documents of the first type (for example, the Lesson Learned on “Programmable Electronic Devices”, which seemed to many of us to be a sensible way to fix the problem caused by the fact that the word “Programmable” in the Cyber Asset definition wasn’t itself defined) were without exception ultimately withdrawn and removed from NERC’s website – when it became clear they weren’t just providing implementation guidance but actually going beyond the strict wording. Documents of the second type were left in place, and remain there to this day (note that I’m not complaining about the second type of documents. These certainly did fulfill an important need. But they didn’t clear up gaps or inconsistencies in the wording of the standards, as they were initially touted as doing).

Late in 2015, NERC seemed to finally acknowledge the hard truth that I’ve already stated: The only way to change a NERC standard or definition is to go through the standards drafting process, which of course usually takes years. They bit the bullet and called for a new CIP drafting team to fix some problems in CIP v5 (which were identified by the CIP v5 Transition Advisory Group). When FERC approved CIP v6 in January of this year, they ordered NERC to make three changes: clarify the LERC definition, develop requirements for Transient Electronic Devices at Low impact assets, and protect all Control Center-to-Control Center communications. These items were added to the new SDT’s SAR. I supported the new SDT, but pointed out that the really fundamental problems with CIP v5/v6 weren’t even mentioned in the SAR. In fact, I later published a list of important problems that aren’t included in the SAR.

To be honest, at that point (around April of this year) I assumed that it had finally become apparent to the NERC community, and especially to NERC itself, that there was no point in talking any more about ingenious “solutions” to CIP wording problems, that didn’t involve a new SAR[i]. That is why I was surprised by three statements that were made at this week’s CIPC meeting:

1) Tobias Whitney of NERC always leads a discussion of current developments in the CIP standards at CIPC meetings. He discussed the recent Technical Conference that included a day of discussion on the problem of how entities can utilize the cloud while staying compliant with CIP[ii]. He said NERC was working on this issue and would put out a paper soon. He implied that this would settle the matter of how the cloud could be utilized in a CIP environment.

I pointed out in the meeting that this paper will certainly be valuable, but it isn’t suddenly going to change the fact that a strict reading of the CIP standards wouldn’t allow an entity to utilize the cloud. Tobias didn’t seem to disagree with this, but he also didn’t state its implication: Unless NERC plans to write a SAR for a new CIP version to incorporate the cloud (and NERC has made no moves to do that), the only way that a NERC entity can safely utilize the cloud is to reach an accommodation with their Regional Entity to allow this. I happen to think that most if not all of the RE’s will be open to entities that want to utilize the cloud (as they have been to virtualization); but I’m also sure a lot of entities will hesitate to move in this direction, until the cloud is officially recognized in the CIP standards. And I won’t even venture a guess as to how many years from now that will be!

2) The second statement was made during a discussion of the VOIP issue. There, it was again implied that a rigorous, thoughtful analysis of the wording of the requirements and the BES Cyber Asset definition would resolve the problem. I’ve got news for you, guys: This has been a serious concern for at least a couple of years, and has been debated endlessly. At least 7 of the 8 NERC regions have decided they do not consider VOIP systems to be automatically BES Cyber Assets; and I believe the eighth region now takes this position as well. But the problem can’t be fixed permanently until the BCA definition is changed, which – ta da! – requires a SAR (and while the current CIP SDT is charged with changing the BCA definition to address two other problems, they are not charged with addressing this one. Moreover, it is highly unlikely they will decide to add this to their already-overfull agenda).

3) At one point, Tobias brought up something I’d forgotten about: that somehow a number of industry organizations, including the trade associations, have become empowered to write up “guidance” on CIP compliance questions. I had heard this before, but couldn’t understand what it meant – and I still can’t. Any organization has always been empowered to write guidance for its members (and any others who wish to follow it) on how to comply with any standard – whether a NERC standard or not. But there is no way that this can be considered some sort of “official” guidance, which NERC will endorse as something the regional auditors should follow. And if that’s the case, why even imply that allowing the organizations to issue guidance is in some way a mitigation of the wording problems with CIP v5/v6? It isn’t.
                                                            
You may have noticed one common theme to all three of the points above: In the end, the only “interpreters” of the CIP standards that matter are the regions. If the auditors in a region think a requirement should be interpreted in a particular way, the entities in that region would be well served to make sure they understand their thinking, since they are likely to be audited based on that. And guess what? I doubt there’s any NERC entity in the US who won’t assign the utmost importance to their own region’s interpretation of a CIP requirement.

But there is a problem with this: Since the Rules of Procedure say nothing about the regions having any authority to interpret the standards, no region will ever commit an interpretation to writing, even in an email. I have heard from a lot of entities that you have to call up an auditor and ask his or her opinion on an interpretation question. They might not tell you, of course, but if they do they will only do it on the phone. Of course, this means that if, three years from now, a different auditor issues a PV because their interpretation was different from that of the auditor you talked to, you won’t have any documentation of what the original auditor told you. So this is obviously not any sort of permanent solution.

The irony of this is that, after the CAN/CAR debacle with CIP v3, NERC pointed to CIP v5 as the version that would finally fix the problem of regional variability in interpretation of requirements. Not only has v5 (and v6) not fixed that problem, it has made it worse. Because of the much larger number of gaps and inconsistencies in the wording of the v5/v6 requirements and definitions, the regions have now become essential to understanding how to comply. I have said it a number of times – but never in this blog – that the CIP v5/v6 requirements only “mean” what your region says they mean. Nothing more, nothing less. So keep your eye on your region.[iii]

Before I let you go, repeat after me: There is no way a problem with the wording of a NERC standard can be permanently fixed, other than by writing a SAR and drafting a new standard. Ignore anyone who tells you something different.

But before you say, “Well, then we just need to draft a bunch of SARs and get some new SDTs to work on fixing the wording problems in CIP v5/v6”, I recommend you read my next post. This will prove (using advanced mathematics) that we have reached the limit of changes that can be made in the current prescriptive CIP standards. If we want to incorporate new areas like virtualization and the cloud, we will have to move to a non-prescriptive, outcomes-based approach. And that will be the only way to permanently “fix” the problems with the current wording (most of which problems will become moot in a non-prescriptive format).

This will require a complete rewrite of CIP, as well as changes in how the standards are audited and managed. But the alternative is to have what we have now: a set of standards whose interpretation is ultimately dependent on the auditors. If this is your idea of how mandatory standards with million-dollar-a-day penalties should be interpreted, then you should be happy as a clam now. If you aren’t comfortable with this, then I suggest you start asking what can be done to change the situation.


The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.


[i] When I say that a SAR is the only way to change a standard, you may be asking “How about RFIs (Requests for Interpretation)? They are also permitted in the NERC Rules of Procedure. An Interpretation is voted on by the NERC ballot body and approved by FERC, just like a new standard is.” But Interpretations aren’t meant to clarify problems with wording; they are only to explain wording that is already in place. So they can’t help with the problems I’m talking about. Those problems can only be addressed by changes in the wording of the standards or definitions.

[ii] There are a number of CIP problems that come up with the cloud. One of the most important has to do with CIP-004 R3 – R5. For example, if a NERC entity puts data from an ESP in the cloud, it will most likely reside in one or more huge server rooms, to which hundreds of technicians may have access. Since any one of those technicians might in theory be able to walk up to a server with that data and look at it, a strict reading of the standard would require that each one of them be vetted by the entity for access to their data before being allowed in that server room, and that the cloud provider notify the entity when any of those people leaves their employ. No cloud provider in the world will ever agree to do this. The provider would need to make sure that all servers that hold the entity’s data be housed in a locked room, with access granted only to technicians that have been vetted by the entity. This would effectively destroy any cloud provider’s business model.

[iii] I just noticed that I had predicted this situation in a post a month after FERC approved v5 in 2013. In a footnote, I said “I’m guessing that, if CIP-002-5 isn’t changed, the way this problem will be finally dealt with (not solved) is through the Regional Entities taking it upon themselves to develop their own interpretations. These won’t have any more force than a NERC interpretation, but since the RE’s are the ones who do the auditing, it is far more likely the registered entities will follow the lead of their region.” Of course, I was specifically discussing problems with CIP-002 here, but the same can be said for any of the v5/v6 standards: the Regional Entities are the only real arbiters of interpretation questions. This situation will remain until the standards are revised or rewritten entirely (which is my preference, in case you haven’t noticed that yet).