FERC's Sunshine Meeting Nov. 21

11/25: I posted my post on Order 791 last night.  The longest I've ever done, which is of course, saying a lot!  Any comments are appreciated.

11/21 10:15AM: I just listened to / watched the CIP Version 5 discussion in the Sunshine meeting.  The Order isn't out yet, so we don't know details, but here are the highlights:

• They're approving CIP V5.  No surprise here.
• They're ordering changes in V5 (which I believe will be called V6).
• Those changes include: a) Removing Identify, Assess and Correct language from the 17 requirements that have it; b) Modifying the "exemption" from V5 for transient devices (especially laptops) used within the ESP for less than 30 days - it seems they'll require some controls but not the full set that apply to BCA/BCS; c) Requiring "objective criteria" for evaluating protection for Low impact cyber assets (of course, no details until we see the Order).
• On this last point, one of the Commissioners said they were requiring that Low impact cyber assets be divided into two groups, according to their importance.  The important ones would have to follow the new specific requirements for Lows; the unimportant ones would not.  Again, no details now.

Commissioner LaFleur posted her own statement.  Here is the last paragraph of that:

“However, the order does not require NERC to develop a list of specific controls for low impact facilities. NERC is free to respond to our directive by developing such a list, but it has the flexibility to address our concerns through other means. For example, NERC could define an appropriate set of control objectives for low impact assets, subdivide low impact assets into different categories with different defined controls or control objectives applicable to each subcategory, or define with greater specificity the policies that responsible entities must have in order to comply with CIP-003-5, Requirement R2. NERC may also propose an alternative approach that addresses our concern in an equally efficient and effective manner.

My initial reaction to this is trying to meet this Low impact directive will be a huge deal.  The other changes sound fairly straightforward, but by giving NERC this much latitude on how they provide "objective criteria", FERC is opening up the door to a huge debate.  But that's probably how it should be, given the impact this will have on the whole industry (now a lot of small DP's, etc. are going to have to spend some significant effort on CIP).  But we'll know a lot more when the Order comes out.

A bombshell at the end was that Chairman Wellinghoff said he is stepping down on Nov. 24, and that Pres. Obama will appoint Commissioner LaFleur as Acting Chairwoman.  He has of course wanted to step down for a while, but his replacement had to withdraw because of Senate opposition.