In January,
FERC issued their NOPR
saying they intend to approve CIP-013. In my post at the time, I guessed that
FERC would issue their Order approving the standard (and of course CIP-005-6
and CIP-010-3) in May, although it could still be a couple of months before this
happens. In any case, I believe that the compliance date for CIP-013 will be
either January 1 or April 1, 2020.[i]
However, in
my post on the NOPR I said it looked like the date would be July 1 or October
1, 2019. I was basing this on FERC’s announcement in the NOPR that they were
considering shortening the implementation period from 18 months (the period
shown in the CIP-013 Implementation Plan, which was of course approved with the
standards themselves) to 12.
However, I
now consider it highly unlikely that FERC will order the implementation period
be shortened. This is for four reasons:
- Of all the comments from NERC entities on CIP-013 that I
read, all said the period shouldn’t be shortened. The reasons came down to
pretty much just one: There is a huge
amount of work that needs to be done to put in place a CIP-013 compliance
program, especially at a large entity.
- I agree with that reason, and want to add two of my own.
As I said in this
post, the fact that CIP-013 is a completely plan-based standard (meaning
it simply requires the entity to develop and implement a Supply Chain
Cyber Security Risk Management Plan, with little or no guidance as to what
should be included) means that literally everything depends on what you
decide to put – and not put – in your plan. For this reason, before you
start implementing the plan, you should ask your Region to review it[ii].
But if you wait until say two months before the compliance date, your
Region may tell you to get in line and you’ll have to wait six months or
so – they’ll most likely have a crush of other plans to review. So you’ll
have to implement the plan without your Region’s input, since of course
you have to have the whole plan implemented
by the compliance date, not just drawn up.
- Here’s my second reason: I realize that you may be shocked
– shocked! – to hear this[iii],
but there is actually a fair amount of uncertainty regarding what CIP-013
means. I point to NERC’s recent webinar on CIP-013, where the entire
webinar focused on R1.2, with no mention of how to comply with R1.1 at
all. See this
post (I have since received indications that NERC does indeed intend to
enforce the whole standard, as mentioned in this
post).
- But the last reason should be the clincher: If FERC orders
the CIP-013 implementation period to be shortened by six months, it will
result in an implementation date that is at most three months
before the date that would result if they simply approve CIP-013 with the
current Implementation Plan. That is because FERC can’t simply shorten the
implementation period. They would have to approve CIP-013 but at the same
time order NERC to develop a new Implementation Plan with a 12-month
period. NERC would then have to develop a Standards Authorization Request and
get it approved in a ballot; appoint a new drafting team (or most likely
utilize the same team that developed CIP-013) and have them draft the new
plan; conduct at least one ballot to approve the new plan; have the NERC
Board of Trustees approve it; and finally submit the new Implementation
Plan to FERC. FERC would then have to mull it over a little bit, then
issue a new Order approving it. FERC would most likely give NERC 90 days
to do this and NERC would almost certainly comply, but depending on the
timing of when FERC approves the new plan, when it’s published in the
Federal Register, etc., the resulting implementation date will at most be
three months before what it would have been anyway, and more likely be the
same date. So there will have
been a huge uproar and lots of meetings, documents generated, votes
tallied, etc. – and the result will be literally nothing. I simply don’t
see this happening (in fact, I’m now surprised that FERC suggested it in
the first place, although I must say it’s only recently that I’ve come to
realize this).
Since I’m in
kind of a snarky mood, and since this is something I’ve been meaning to write
about anyway, I’d like to point out that my third reason above would probably
not be a factor at all if FERC hadn’t decided to give NERC just one year to
develop a supply chain security standard, when they issued Order
829 in July 2016 (Commissioner LaFleur dissented from the order as a result
of this, and she issued an elegant eight-page memo which is linked in my post
just referenced. I agreed with her in the post that one year was simply not
enough time, especially since FERC hadn’t issued a NOPR[iv] saying
they were considering ordering a standard. Had they done this, it would have
given the industry a lot of time to think about what form the standard should
take, as they commented on the NOPR).
As I pointed
out in this
post, the big problem with CIP-013 is that R1 requires the entity to develop a
plan to identify and mitigate risks attendant on the supply chain, but doesn’t provide
any list of risks that should be addressed, beyond the “six things” in R1.2.
This seems to have led some at NERC and at least one region to come to view the
standard as just being about those six things – you deal with them, and you’re
good. In this view, R1.1 can be ignored. This is clearly wrong, but the problem
is that, because of the absence of any list of risks (I prefer the word “threats”,
but this was FERC’s term and the drafting team just adopted it) in R1.1, there
is simply nothing to audit, unless the entity just doesn’t do anything
meaningful at all to comply with the requirement.[v]
I’m hoping
this omission will be addressed in the next version of CIP-013, but in the
meantime, CIP-013 R1.1 isn’t auditable. Of course, the auditors will still be
able to look at your plan and issue one or more Areas of Concern if they think
you’ve missed something in it. I actually think this is almost as good as
having R1.1 be auditable, since most entities will treat an AoC as being just
as actionable as a PNC. But doing this essentially relies on each individual
auditor to determine for himself or herself what are the risks that should be
addressed in the plan; it would be much better if these were all gathered in
the requirement itself, as in CIP-010 R4 (see end note iv below).
I contend
this problem wouldn’t have happened if the drafting team had had more time to
work on the standard. But when you have such a short deadline, you don’t dare
introduce anything that could cause people to vote no, meaning the standards
often have problems. You throw some words on the paper and leave the
interpretation of what they mean for the auditors. CIP-014 suffers from this
same problem;
FERC ordered it developed in three months! Of course, NERC made the deadline.
They always make the deadline. The question
is what happens after the standard is implemented and the enforcement rubber
meets the road.
P.S. I do want to point out that only one of the current Commissioners was in her position when FERC approved Order 829 - and that is Commissioner LaFleur, the one who dissented! The other four current Commissioners joined the Commission last year.
Any opinions expressed in this blog post are strictly mine
and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I
would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that
if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or
challenges like what is discussed in this post. And if you’re a vendor to the
power industry, TALLC can help you in various ways, including developing
marketing materials, delivering webinars, etc. To discuss this, you can email
me at the same address or call me at 312-515-8996.
[i]
1/1/20 would be the date if FERC approves CIP-013 in May and possibly in June,
whereas 4/1/20 would be the date if they approve it in the July-September
quarter. It’s hard to believe they would take any longer than that.
[ii]
All Regions should be able to review your plan at any time before compliance
with CIP-013 becomes mandatory. After that date, it becomes more problematic.
As I pointed out in this
post, there is one Region that has an Entity Development program in place,
which should – and I’m speculating on this, based on what I know about the work
this group does in the Region in question – allow them to review and comment on
your plan even after the compliance date. My guess (or at least hope) is that other
Regions will have this in place in time to do some good for CIP-013.
And note that the Region won’t tell you whether your
plan is “compliant” or not. But since CIP-013 R1.1 requires you to develop a
plan to identify, assess and mitigate supply chain security risks (although the
word “mitigate” was left out, as I pointed out in this post; however, don’t even
think about developing a plan that just identifies risks but does nothing at all
to mitigate them! I can assure you that won’t fly), your Region can tell you whether they think
you have done a good job of that or not. They can also point out things like
risks you didn’t consider, mitigation ideas that might not work well, etc. This
will be very valuable advice in any case, and the fact that it comes from your
Region will make it all the more valuable.
[iii]
Given that the rollout of CIP v5 was so smooth, with nobody – except me, of
course – complaining about any ambiguities in the standards. :)
[iv]
FERC did provide a seemingly out-of-the-blue suggestion in the 2015 NOPR
that ordered the development of CIP v6, that they were also considering
ordering NERC to develop a supply chain security standard. But that was much
different from issuing a NOPR just for the supply chain standard, since their
2015 action was interpreted as pretty much a call for a conference (which was
held in January 2016). They should have issued a NOPR after that conference,
rather than wait until the standard had been developed on their compressed
timeline and then issue a NOPR after the standard had been developed and
approved by NERC, when it was too late to order meaningful changes anyway –
except in a version 2 which is undoubtedly 4 or more years away.
[v]
How should CIP-013 have been written? I know I’ve said somewhere or other – and
definitely in a book I’m now working on – that CIP-010 R4 is my poster child
for writing a plan-based requirement. Attachment 1 of CIP-010 is actually part
of the requirement, not guidance (this is crucial, of course). And it gives the
entity a set of risks from Transient Cyber Assets and Removable Media that must
be addressed in the plan required by R4. So the auditors can go through the
plan and make sure it’s addressed all of these risks in a credible fashion. If
the entity has missed one or two – and doesn’t have a good reason why they did
so – then there might be a Potential Non-Compliance finding. This simply can’t
be done with CIP-013 R1.1.
I do also want to point out that I attended a few of
the drafting team meetings in person, and some of the phone meetings – and I
never once raised these issues. In fact, it’s only recently become clear to me
that plan-based requirements can’t be treated just as another form of the
typical prescriptive NERC requirement. They really require a different auditing
regime than is in place at NERC now. But given the current prescriptive NERC
auditing regime, the best compromise is to put a list of risks in the plan, so
that it can be audited under the current regime. But as I said, I saw through a
glass darkly while CIP-013 was being developed, so I’m certainly not casting
aspersions on the SDT. However, I think with more time (and perhaps looking at
the example of CIP-010 R4), they might have realized that not having any
criteria at all by which CIP-013 R1.1 could be audited wouldn’t end well. And
it won’t end well.