In October of 2017, FERC issued a NOPR stating that they intend to approve CIP-003-7, which includes the revamped “LERC” requirement and also the requirement for Transient Cyber Assets and Removable Media used at Low impact assets. In November, I put out a post on the NOPR, which turned out to be the first of five parts.
In that post, I made two statements about the implementation date for CIP-003-7. First, I said that the implementation plan is for 18 months and the likely date for compliance was July 1, 2019. This was a mistake, because that date was just a little more than 18 months from the date I wrote the post. I was obviously assuming that FERC would approve the standard within a few weeks of when I wrote the post. This would have been a physical impossibility, since they were asking for comments on their proposed changes. The comment period would be a couple of months, and wouldn’t start until at least January. Then FERC would have to analyze the comments and make their decisions on the various issues. There was no way FERC could approve CIP-003-7 for at least five or six months; I have no idea what I was smoking when I said otherwise. This means it is likely – and was always likely – that FERC won’t approve CIP-003-7 until the second quarter of this year. So the effective date for the standard will probably be January 1, 2020.
The second statement I made in the post was that NERC entities wouldn’t have to comply with the physical and electronic access control parts of CIP-003-6 R2 (specifically, Sections 2 and 3 of Attachment 1) until CIP-003-7 comes into effect. In other words, implementation of these two sections of CIP-003-6 will be superseded by version 7.
I have continued to believe this was correct until today at the WECC CIP workshop in Boise, Idaho[i], when WECC auditors stated a couple of times that compliance with both Sections 2 and 3 of version 6 is still due on September 1 of this year – although they will allow the entity to describe what they have done using the language of v7[ii]. This will save entities from having to rewrite their documentation when v7 comes into effect.
I was of course surprised by this, but I wondered if I’d been wrong. So I went back to NERC’s Implementation Plan, where I found these words: “...this Implementation Plan clarifies that under Requirement R2 of CIP-003-7(i), the Responsible Entity shall not be required to include in its cyber security plan(s) any elements related to Sections 2, 3, and 5 of Attachment 1 until the effective date of CIP-003-7(i). Upon the effective date of CIP-003-7(i), the Responsible Entity’s cyber security plan(s) must include the elements required by Sections 2, 3, and 5 of Attachment 1 and the Responsible Entity must implement the controls included in its plan to meet the objectives of Sections 2, 3, and 5.”
This is very clear: NERC was saying that entities wouldn’t need to comply with the physical and electronic access control requirement parts of CIP-003-6 until the effective date of CIP-003-7. FERC merely paraphrased this language. Specifically, in paragraph 45 of the NOPR, FERC says “NERC explains that the proposed implementation plan does not alter the previously-approved compliance dates for Reliability Standard CIP-003-6 other than the compliance date for Reliability Standard CIP-003-6, Requirement R2, Attachment 1, Sections 2 and 3, which would be replaced with the effective date for proposed Reliability Standard CIP-003-7. NERC also proposes that the retirement of Reliability Standard CIP-003-6 and the associated definitions become effective on the effective date of proposed Reliability Standard CIP-003-7.” (my emphasis)
Does this mean I’m saying WECC entities should stop whatever they’re doing to implement physical and electronic access controls for Lows – and take a long vacation before they start the push again next year? I think you would be on solid compliance grounds if you did that, but in the unlikely event that FERC doesn’t approve CIP-003-7, you’ll be in a bad place. Whenever I have asked an entity whether they’re still going full bore to meet the September 1, 2018 date, they have inevitably said yes.
What this points out is something that NERC entities have known for a long time: the whole business of effective dates of new or revised NERC standards needs to be revisited (in fact, I had a discussion of exactly that issue with one entity during the WECC workshop). This is certainly not the first time I’ve seen lots of confusion about the effective date for a standard.
Also note that I did amend some of the language from the post last night, to clarify WECC’s motivation in saying that the 9/1/18 date remains in effect. They are being very careful, and it is indubitable that, as of today, the effective date for the Low impact electronic access control requirement remains 9/1/18.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post. To discuss this, you can email me at the same address or call me at 312-515-8996.
[i] Which is a wonderful town, by the way!
[ii] Since CIP-003-7 does away with the LERC and LEAP terms but still allows the entity to comply in the same ways they could comply with Sections 2 and 3 in CIP-003-6 R2, this means that, if the entity complies with CIP-003-6 and later complies with CIP-003-7, they will need to rewrite their documentation but won’t need to make any actual changes to the physical or electronic access controls themselves – unless they want to, of course.