In FERC’s Sunshine Meeting this morning, they issued a Notice of Proposed Rulemaking (NOPR) that says they intend to approve NERC CIP-013, the supply chain security risk management standard, as well as the accompanying modifications to CIP-005 and CIP-010. Of course, the interesting part was what they also said. Here is my summary:
First, they find that NERC did a good job of drafting a standard that carries out what they mandated in Order 829. However, Commissioner LaFleur, in her statement concurring with the Commission’s decision, says “The proposed standards would provide significant flexibility to registered entities to determine how best to comply with their requirements. In my view, that flexibility presents both potential risks and benefits. It could allow effective, adaptable approaches to flourish, or allow compliance plans that meet the letter of the standards but do not effectively address supply chain threats. I hope that we will see more of the former, but I believe the Commission, NERC, and the Regional Entities should closely monitor implementation if the standards are ultimately approved.”
What Commissioner LaFleur is asserting is similar to what I’ve been (at least implicitly) saying in my recent posts about auditability of CIP-013: There really isn’t much in the requirements themselves that would allow NERC to reject a plan that was clearly inadequate.
However, I’ve also been saying that I’m not too concerned about whether plan-based standards like CIP-013 are auditable or not. What matters is whether the NERC entity can get assistance from their Regional Entity, over the course of developing and implementing their plan, in making sure their plan is a good one and is implemented well. This goal isn’t furthered by audits (or at least, audits are a very inefficient way of furthering it); I described another way that the Regions could provide this assistance in this post.
Second, FERC questioned why CIP-013 only applies to Medium and High impact BES Cyber Systems, not Low BCS or Medium and High Electronic Access Control and Monitoring Systems (EACMS), Protected Cyber Assets (PCAs), or Physical Access Control Systems (PACs). Since NERC is currently conducting a study (ordered by the Board of Trustees when they approved CIP-013 last August) of additional supply chain risks, including those associated with Low impact BCS, the Commission stated that this study should go forward, although it should also look at risks associated with PACs and PCAs.
However, regarding EACMS, the Commission stated that the risks associated with these systems are sufficiently clear that there’s no need to wait for a study. Accordingly, FERC proposes to order that EACMS be included in the applicability of CIP-013, and is seeking comments on this proposal. Since NERC standards can’t be modified once approved by the Board of Trustees, this means that the CIP-013 drafting team will need to develop a modified CIP-013 (as well as CIP-005 and CIP-010) that includes EACMS in the applicability section.
The above two items in the NOPR aren’t terribly surprising. However, there is one item that was surprising (or at least I was surprised by it), relating to the implementation date for the three new or revised standards. FERC believes that the current 18-month implementation plan is too long by six months. They are proposing (and seeking comments) to order NERC to change this to 12 months. In other words, in the same Order in which FERC approves CIP-013 (and the revised CIP-005 and CIP-010), FERC would order NERC to revise the CIP-013 Implementation Plan.
FERC is seeking comments on this proposal, but I sincerely doubt they’re going to change their mind on this. So let’s say FERC issues their Order this May. NERC will have to revise the Implementation Plan[i] to 12 months. 12 months after this May is obviously May 2019. Since the Implementation Plan says that the effective date will be the first day of the calendar quarter after this, it means the effective date of CIP-013 will be July 1, 2019. If FERC issues their Order after June of this year, the effective date will be October 1, 2019. In either case, this will be before the implementation date I had been anticipating, which is either January 1 or April 1, 2020.
So, as of today, you have less than 21 months to implement CIP-013, and perhaps less than 18 months. I don’t think any medium-to-large NERC entity should wait any longer to at least develop a plan for implementing CIP-013 compliance by July 1, 2019.
And – as I mentioned in my last post – Tom Alrich Consulting would be pleased to discuss with you how we might help you develop your plan to come into compliance with CIP-013-1, CIP-005-2 and CIP-010-3. If you would like to set up a time to discuss this, please drop me an email at the address below. Since I happen to know the owner of TAC very well[ii], I’ll make sure he pays close attention to you!
[i] And if you think this revised Implementation Plan would probably be voted down by the NERC membership and would therefore be null and void, you’re engaging in wishful thinking. If the NERC membership doesn’t approve a new or revised standard (or implementation plan) that has been ordered by FERC, the NERC Board of Trustees is required by the Rules of Procedure to develop this themselves and submit it to FERC. In other words, the NERC membership will have two options: a) approve the new standard, or b) have the Board approve it anyway. Isn’t choice wonderful?
[ii] OK, perhaps not that well. He’s always surprising me.