Tuesday, September 3, 2013

WWWD (What Will Wellinghoff Do?)


Sept. 22: Yesterday I wrote a post that updates some of the speculation in this post.

I’m not telling anybody anything they don’t know when I say there is huge uncertainty now over what FERC will do with respect to NERC CIP Version 5.  FERC’s NOPR of April 18, 2013 makes clear they intend to approve Version 5.  It also makes clear they want changes made to it.  Sounds pretty simple, right?  They’ll make some changes and then they’ll approve it.

As anyone who has been reading my blog posts since then knows, the situation is hardly simple.  Under Section 215 of the Federal Power Act of 2005, which gave FERC the ability to impose mandatory reliability standards on electric utilities through NERC (the “ERO”), FERC can’t do this.  They can either completely remand (reject) a proposed standard or they can approve it without change.  Does this mean that, if they want to approve Version 5, they have to forget their desire to make changes?

No, it doesn’t.  At the same time as FERC approves a standard, they can order NERC to develop a “compliance filing” that will incorporate the changes they want; they may or may not order this to be delivered by a particular date.  This happened when FERC approved CIP Version 2 unchanged in 2009.  At the same time as they did that, they ordered NERC to file a new version in 90 days that incorporated a requirement for logging ingress and egress for visitors to the PSP, as well as a minor change regarding testing of incident response plans.  This became CIP Version 3.  Version 2 came into effect April 1, 2010, while V3 came into effect October 1, 2010 (and remains in effect today, of course).

This is why the scenario I have been using for Version 5 approval and implementation (discussed below) called for CIP Version 6 to be the next version that NERC entities would have to comply with: I thought that only by ordering that a new version be developed could FERC assure the changes they want will be implemented.  The problem is the new version will probably take a year or even more to be developed by NERC and approved by FERC; meanwhile, the long period of uncertainty regarding the next CIP version (which started in at least 2009) will continue.  Through reading and talking with various people, I have come to believe it isn’t acceptable for the uncertainty to continue even after FERC approves CIP Version 5 (hopefully this year).  The industry wants that approval to put an end to the uncertainty, so they can focus on planning for and implementing CIP Version 5 compliance.

In this post, I will first outline my original scenario as well as what I saw as the only possible alternative to that, which I am calling NERC’s scenario. I will then outline a possible third scenario (really a range of scenarios) that would allow FERC[i] to approve Version 5 without requiring major changes (so Version 5 could still be the next version that NERC entities had to comply with), while at the same time getting most of the changes they want.  Does this seem impossible?  Just watch my hands.


My Original Scenario
As described in this post, my scenario goes like this:

  1. FERC approves CIP Version 5, probably before the end of 2013.
  2. When approving Version 5, FERC orders a compliance filing from NERC.  It will probably incorporate at least the major changes they listed in the NOPR (listed below in this post).
  3. The deadline for the compliance filing will be maybe 9 months or even a year later (the changes are major, of course), meaning NERC will come back with Version 6 by the third or fourth quarter of 2014.
  4. FERC will take one or at most two quarters to approve Version 6, meaning approval before June, 2015.  The implementation plan for V6 will say it supersedes V5, just as the V5 plan supersedes V4.
  5. Since the compliance date for High and Medium impact facilities will be shortened to about one year, that date will be about July 1, 2016.
  6. Depending on whether FERC also moves up the implementation date for Lows, that date will be about July 1 of either 2017 or 2018.

As I’ve already said, I’m no longer so comfortable with this scenario.  There are two reasons:

  1. The comments filed on the NOPR were overwhelmingly in favor of having FERC approve Version 5 without changes.  NERC, EEI and others made the point eloquently that all the back and forth with V4 or V5 had taken a big toll on the industry, and any further uncertainty would just make that worse.  FERC seems to be very concerned about this problem (as I believe their recent order extending the Version 4 implementation date shows).
  2. I had previously argued that, under my scenario, the uncertainty would end when FERC approved V5 (likely this year), since the order for the compliance filing would specify exactly the changes FERC wanted to be incorporated into V6.  That, coupled with the fixed deadline for NERC to develop and approve V6, meant that entities would know exactly what they had to comply with and when.  The big problem with this argument is that many corporate legal departments will only let actions be taken (or not taken) on the basis of FERC orders, not what amount legally to just statements of intent (I wrote about this problem recently in regard to Version 4, since some IOU’s are to this day still pushing ahead with their Version 4 implementation tasks – due to a lack of any order saying Version 4 won’t come into effect).  These legal departments won’t consider Version 6 to be real until FERC approves it in mid-2015 (i.e. at step 4 in my scenario).  At this point, the Highs and Mediums will only have one year to comply with V5 (since I’m assuming FERC will shorten the compliance period as they hinted in the NOPR), and all hell will break loose as a big scramble goes on to comply in one year – this isn’t good for the industry or for FERC.  It is best if FERC’s order approving V5 actually orders the new version, period – and that version subsequently comes into effect`.  But that requires a different scenario from mine.
  
NERC’s “Scenario”
What does NERC think will happen?  They haven’t come out with a specific scenario, but it’s implicit in their NOPR comments.  If FERC listens to them and approves Version 5 unchanged, and that happens in 2013 as I know NERC believes, then V5 obviously will come into effect and not be superseded by a Version 6.  The compliance date for High and Mediums will be around January 1, 2017, and for Lows a year later.  FERC might order a new version of CIP (Version 6), but it won’t have a near-term deadline (and perhaps no deadline at all).  Version 6 will go through the normal channels for a revised standard: a Standards Authorization Request (SAR), constitution of a new Standards Drafting Team, drafting by the team, a round of ballots (there were four for Version 5) and finally approval by the NERC Board of Trustees.  Easily a three-year process, maybe more.  This means Version 5 will be in effect a minimum of 3 or 4 years, which most people would argue (I think) is a decent amount of time.

The big problem with this scenario is it ignores all of the changes that FERC said, in their NOPR, they really wanted.  It assumes FERC will agree to forget about those changes, or just order them to be included in Version 6 (meaning they will be four years away).  Given the tone of the NOPR, it’s hard to see FERC doing that.


A Third Scenario
If it is possible, we need a third scenario.  In it, FERC will need to address two goals: a) eliminating the prospect of an additional year of uncertainty for the industry (as happens in NERC’s scenario but not in mine), and b) getting the changes they want (which happens in my scenario but not in NERC’s). To achieve a), FERC has to approve Version 5 unchanged and make clear it will in fact come into effect.  Given that, how do they achieve as much of goal b) as possible?  Is it even possible for this to happen?

At this point, it’s important to look at the four major changes FERC wants in Version 5, and ask how FERC would achieve each of these in a new scenario.  These changes (stated in the NOPR) are:

1.        “Specific, technically-supported cyber security controls” for BES Cyber Systems at Low impact facilities;
2.       Shortening the implementation period, at least for Medium and High impact facilities;
3.       Two changes in the definition of BES Cyber Asset (removal of the “15-minute” criterion and of the sentence exempting laptops used for less than 30 days within the ESP); and
4.       Removal of the “identify, assess and correct” language in 17 requirements;

Let’s start with number one.  Change number one wouldn’t have to be in Version 5 for FERC to approve it.  It could be incorporated in a compliance filing coming soon afterwards (maybe six months?).  In other words, FERC could approve V5 as it now stands, but require a compliance filing to address item one.   You may now (rightfully) ask, “But didn’t you say you wanted to avoid a compliance filing that would just prolong the uncertainty?”

I did, but that wouldn’t happen in this case.  Version 5 would be approved and would come into effect based on the existing 2-3 year implementation plan.  But there would be a single new standard developed – it might be CIP-012-1 or maybe CIP-003-6 – that would include the specific requirements that FERC wants for Lows. Since I’m guessing FERC would give NERC 6-9 months to develop this standard (it won’t be easy, of course.  The industry has long resisted the idea of specific requirements for cyber assets at Low impact facilities), it would still be approved well in advance of the implementation date for the rest of the Version 5 standards.  It might be timed to come into effect after that date, meaning simply that for the first 9-12 months (allowing a quarter for FERC approval after NERC submits the new standard) after the compliance date for Lows in V5, the Lows would only have to comply with CIP-003-5 R2, which requires four policies.  When the new standard kicked in, they would also have to follow whatever specific requirements appeared in that.[ii]

Let’s say the implementation period for this new standard is three years.  Here is the scenario that implements this change:

  1. FERC approves Version 5 at the end of 2013.  Since they approve it unchanged, the implementation dates remain as they currently read (two years for High/Mediums, three years for Lows).
  2. At the same time, FERC orders NERC to develop the new standard and deliver it to them within nine months.
  3. By September 30, 2014, NERC delivers CIP-012-1 (or CIP-003-6) to FERC. 
  4. Medium and High facilities will have to comply with CIP-002-5 through CIP-011-1 about January 1, 2016.  Lows will have to comply about January 1, 2017.
  5. Lows to comply with the new standard around January 1, 2018 (again, this includes the nine months NERC takes to develop the new standard and submit it to FERC, and the three months FERC takes to approve it).

How about the second change FERC wants: shortening the implementation timeline?  My response is: In this scenario, why would they want to do that?  I believe FERC threatened in the NOPR to move up the implementation dates because, when they wrote the NOPR, they were looking at a scenario a lot like my original one: After they approved V5, there would be a year or more for NERC to develop V6 and for FERC to approve it.  If FERC didn’t shorten the implementation timeline for High/Mediums in Version 6 (say to one year), Highs and Mediums would have more than three years from the V5 approval date to comply with V6 (the two years in the implementation plan plus another year while V6 was being developed).  FERC could reasonably argue that, since they ordered the V6 compliance filing the day they approved V5, any entity would have known what requirements would be in V6, as well as the fact that the implementation timeline for V6 would be one year not two.  Any prudent entity would have started their V6 preparations upon V5 approval, if not earlier. 

I’m sure it was never FERC’s intention that Highs and Mediums would only have one year from Version 5 approval to comply with V5; that would have created a huge problem.  I think they really wanted that period to be two years[iii].   This means that, for FERC to get their second change, nothing has to change in the scenario just outlined.  High/Mediums will have two years from V5 approval to comply with the next CIP version – i.e. with V5.

How about the third change, in the definition of BES Cyber Asset (there are really two changes they want in that definition, of course)?  It’s pretty easy, as it turns out.  FERC can simply order the change as a compliance filing (I’m told the change is really in the NERC Glossary – meaning this change wouldn’t require a new CIP Version.  It seems Definitions that are approved with a standard – as this one was – all move to the NERC Glossary upon approval of the standard by NERC, so that’s where this and the other entries in the V5 Definitions document now reside).

The fourth of these changes, removing “Identify, Assess and Correct” (IAC) from the 17 CIP V5 requirements where it is now found, is the most problematic.  If FERC really doesn’t want this language in Version 5, it’s hard to see how they can approve V5 at all – if, as we’re assuming in this scenario, they really do intend for V5 to come into effect.  After all, it’s written into 17 of the most problematic requirements in Version 5.

Is there some way FERC could approve V5, with all of the IAC language, while still “removing” it in another way?  If there isn’t, this whole post has probably been for naught: FERC really is caught between my and NERC’s scenarios, and there is no “third scenario” as I’ve tried to show here.

As you’ve probably guessed, I think there is a way FERC can do this (and now the plot really thickens, I’ll warn you).  It’s important to note that Identify, Assess and Correct has more to do with how a requirement is enforced than with the requirement itself.  That is, IAC is in essence “grafted on” to regular requirements.  For example, requirement part[iv] 2.1 of CIP-007-5 (which deals with patch management) reads:

(The entity must have) A patch management process for tracking, evaluating, and installing cyber security patches for applicable Cyber Assets. The tracking portion shall include the identification of a source or sources that the Responsible Entity tracks for the release of cyber security patches for applicable Cyber Assets that are updateable and for which a patching source exists.

However, Requirement R2, the “parent” requirement for 2.1, reads:

Each Responsible Entity shall implement, in a manner that identifies, assesses, and corrects deficiencies, one or more documented processes that collectively include each of the applicable requirement parts in CIP-007-5 Table R2 – Security Patch Management.

I think you’ll agree with me that 2.1 could easily stand on its own, even if it weren’t part of R2.  In fact, it was originally on its own.  IAC was added to seventeen of the V5 requirements only in mid-2012, more than a year and a half after the first formal draft of V5.  IAC is literally a description of the manner in which the entity has to implement[v] 2.1, not part of 2.1 itself (and the same goes for the other 16 V5 requirements with the IAC language).

How does this help FERC?  Because their problems with IAC could potentially be eliminated by a change other than changing the 17 requirements themselves.  Again, this would eliminate the additional year (or thereabouts) of uncertainty while the standards were being rewritten for a compliance filing.  In other words, FERC could perhaps order a change in how the 17 IAC requirements are enforced, while leaving the wording of all the V5 requirements the same as it is now. 

There are probably multiple ways this change could be accomplished, but one was suggested by the consulting firm Encari in their comments on FERC’s NOPR.   You are encouraged to read those comments, but I will also share with you part of an email that Mark Simon sent me, summarizing their argument.  Mark is a Compliance Consultant with Encari.

Encari suggests the IAC problem could be addressed, from FERC’s perspective, by eliminating references to IAC in the Version 5 VSL table.  Here is what Mark says in an email:

In general, for CIP v1-v4, I view the VSL Table as the source of the problem with zero-tolerance for CIP violations.  I also believe CIP v5 ineffectively addresses this problem by replacing measures of violations in the VSL Table with a no-violation policy so long as IAC is deemed present.  The problem with IAC is that auditors have too much leeway in how they will measure it; either they will see and love it, or they won't see it as anything more than a poor excuse for maintaining compliance.

IAC is a great concept when it is uncoupled from the concept of measurement.  We did not recommend its removal from the standards themselves, just the VSL Table.  Leaving IAC in the standards formalizes the recognition of IAC as a mitigating factor (culture of compliance) for violations, but it cannot or should not be used to measure the severity of violations.  

You don’t necessarily have to follow every nuance of Mark’s statement in order to get the main idea of what I’m saying: there are ways that FERC can get around their problem with Identify, Assess and Correct in V5, without having to order a new version be developed.  Encari suggests changes to how the VSL’s are written.[vi]  However, there might be other changes that could accomplish the same purpose (e.g. changes to instructions to auditors on how to audit requirements with IAC[vii]).  So the fourth major change that FERC mentioned in their NOPR also doesn’t pose an insurmountable barrier to approving Version 5 without changes (and intending for it to come into effect).

To summarize this discussion of FERC’s four changes, I believe FERC could still get all of them without having to order NERC to develop a new compliance filing that substantially rewrites all the Version 5 standards – a filing that could easily take a year to develop and get approved by the NERC ballot body and would lead to further uncertainty, which I believe is no longer tolerable.

How does the IAC discussion change the Third Scenario outlined above?  Here is the final version of that scenario:

  1. FERC approves Version 5 at the end of 2013.  Since they approve it unchanged, the implementation dates remain as they currently read.
  2. At the same time, FERC orders NERC to develop the new standard for Lows (CIP-012-1 or CIP-003-6) and deliver it to them within (maybe) nine months.  This addresses the first change that FERC wants to see in V5.
  3. Also at the same time, FERC orders NERC to change the definition of BES Cyber Asset in the NERC glossary.  This addresses the third change FERC wants to see in V5.
  4. Also also at the same time, FERC orders NERC to redraft the VSL tables so that references to IAC are removed from the VSL’s for the 17 requirements that now include IAC.  This addresses the fourth change.  FERC gives NERC 90 days to do this, but this shouldn’t require a new version number for CIP.  NERC delivers this in the first half of 2014.
  5. By September 30, 2014, NERC will deliver CIP-012-1 (or CIP-003-6) to FERC.  FERC should approve it about three months later.
  6. Medium and High facilities will have to comply with CIP-002-5 through CIP-011-1 about January 1, 2016.
  7. Lows will have to comply with V5 (probably including CIP-003-5 R2) around January 1, 2017.
  8. Lows will have to comply with CIP-012-1 or CIP-003-6 (i.e. the new standard requiring specific controls) around January 1, 2018.

Finally, the Summary!
As has happened before, this has been a much longer post than I thought it would be, so I’ll summarize it now.  Until recently, it seemed to me it was inevitable there would be a long period of continued uncertainty even after FERC approves CIP Version 5, during the year or so that NERC will be developing Version 6.  But it seemed to me this was inevitable, because I didn’t think there was any way that FERC could make the changes they seem to want to make in V5, without having NERC take a year or so to make substation changes – in what would be Version 6.  In my original scenario, Version 6 would be the next version NERC entities would have to comply with, and that would take a fair amount of time to develop.

The only alternative I saw to this was NERC’s “scenario”, which included FERC’s approving CIP Version 5 as is, with no compliance filing required.  This would be great from NERC’s point of view but seemed very unrealistic, since it would require FERC to forget the major concerns they raised about V5 in their NOPR.

However, through reading and discussions with various parties I have come to believe it is simply unacceptable that there continue to be uncertainty much longer regarding CIP Version 5.  I have also come to believe there is a possible third scenario (more specifically, a range of possible scenarios) that would allow FERC to approve V5 and still achieve the major changes they seemed to be asking for in the NOPR.

What’s the moral of this story?  If you’re FERC, you can literally have your cake and eat it, too.



[i] I realize that the title of this post is open to amendment since Jon Wellinghoff is retiring as FERC chairman, and Ron Binz will replace him once he is confirmed by the Senate.  However, I thought WWWD had a better ring to it than WWWOBD – What Will Wellinghoff or Binz Do? Oct 5: Well, I guess it will be Wellinghoff for a while longer, until the President can find a new candidate foolish enough - I'm sorry, I meant to say qualified enough - to go through Senate confirmation.

[ii] An Interested Party and I have discussed this issue and have agreed to disagree (actually, I’m not sure he agreed, but – hey, it’s my blog after all).  He thinks that for Lows to comply with CIP-003-5 R2 as now written (i.e, having four policies), and then turn around 9-12 months later and comply with a new standard with specific requirements, would be unworkable.  I don’t agree with that, but if it were true, there would be a remedy: NERC could just say they won’t audit the Lows on compliance with CIP-003-5 R2, since it could be considered as being replaced by the requirement(s) in the new standard.

[iii] At this point, I need to point out that I have not had input from anybody at FERC on anything in this post – even though the whole post is speculation about what they’ll do.  I do have friends on the FERC staff, but I would never put any of them in the position of losing their job by asking them to provide me some inside information (and they would lose it, beyond a doubt).  Plus there is the issue: What would be the value of any insider information I received?  The staff members don’t make decisions for the Commissioners, and are frequently as surprised as anyone else by those decisions.  And the Commissioners aren’t even allowed to talk to the other Commissioners about anything relating to their decisions (this must make for some strange lunchroom conversations – all about the weather, how the Nationals are doing, etc), let alone some scruffy blogger.

There have been a couple people who seem to think I have such inside information about FERC.  I hate to disappoint them, but I don’t.  In this and other posts, I’m only trying to go through some of the logic that the Commissioners and staff members might possibly also go through, to come up with guesses about what their decisions might be.  If this makes you want to cancel your subscription to this blog, I’ll be glad to refund every cent you paid.

[iv] “Requirement part” is the new term for “sub-requirement” in all new NERC standards, not just CIP V5.  For an explanation of this change (which has much more behind it than just a preference for the new words), see my post on Scott Mix’s recent presentation to TRE.

[v] And by implication, it is a description of how the entity will be audited for compliance with 2.1 and the other IAC requirements.  Of course, this is what FERC doesn’t like about IAC.  For a good discussion of this topic, you should listen to Steve Parker of EnergySec’s discussion in the recent joint Honeywell / EnergySec webinar on Version 5.  Some clown blabbers on for what seems like an eternity before Steve starts; fortunately, you can fast forward past him.

[vi] Since the VSL tables are independent of the standards, I don’t believe that, for FERC to order a change in them, a rewriting of the standards themselves would be required.  FERC could order NERC to provide updated VSL tables in a short-term compliance filing (probably 90 days).  The job of doing this would probably fall to one or two NERC staff members.  They would need to remove the references to IAC in the VSL’s for those 17 standards.  This might still need to be balloted, but I would think it’s doable in 90 days.

[vii] My Interested Party friend doesn’t agree with Encari that this change would solve the problem.  He thinks that auditors would still have to audit compliance with IAC, as long as the IAC language is in the requirement.  Mark retorts that this shouldn’t matter, since any audit finding that an entity had violated IAC for a particular requirement wouldn’t result in a penalty since there would be no VSL covering it (that is, once NERC had changed the VSL tables per FERC’s order); he doesn't think there can be a penalty without a VSL covering the violation.  And the IP retorts to Mark that "There are numerous instances where a violation has been found and upheld even though the VSL did not include language specific to the facts and circumstances of the violation."  If this discussion continues, I'm going to open up a new post for it - this is really about the role of VSL's, not about IAC.
 
However, regarding IAC, it is clear that, even though Encari's proposal may solve FERC's problem, it doesn't save what many NERC entities were hoping would be one of the big benefits of IAC: not having to report every single violation, no matter how inconsequential, of the underlying standard.  I'm afraid that, if FERC was serious about what they said about IAC in the NOPR, this hope will be frustrated for now (Encari's proposal would limit the damage by at least allowing IAC to be considered as a mitigating factor in assessing penalties).  But there is possible hope on the horizon, in the form of the Reliability Assurance Initiative (RAI), a program NERC is discussing
 that would essentially bring IAC to all NERC standards, not just CIP - and it would do it through how the standards are audited and enforced (CMEP), rather than through rewriting the standards themselves.  In their NOPR, FERC made clear that their opinions about IAC weren't meant to prejudge RAI (although they didn't use that term, since I don't think it had been announced yet).

Since attending three regional meetings in late May and early June where IAC / RAI was a big topic, I have wanted to write a post about this.  I even came up with a catchy title: “IAC, RAI: Is NERC SOL?”.  However, various other things have come up that I felt needed to be addressed more urgently.  And, to be honest, this post would require a lot of time (especially reading up on RAI), which I haven’t had.  So this footnote may have to suffice for a discussion of IAC for the time being.  As I mentioned in footnote v, Steve Parker gave a very good discussion of IAC in our webinar two weeks ago, which you may want to listen to.

All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.

2 comments:

  1. No one would ever write a post this long. You realize it's almost 5,000 words? Almost a novella. Anyway, for those who need to know, utterly indispensable. You do us all a great service, Tom. Many thanks. ab

    ReplyDelete
  2. Thanks, Andy. I'm currently in therapy for People who Write Lengthy Blog Posts. Unfortunately, it doesn't seem to be working....

    ReplyDelete