The week of January 20-24 was a significant one in the world of CIP Version 5, with NERC meetings in Atlanta and Phoenix and FERC agreeing to a rehearing on Order 791. This post isn’t meant to be a synopsis of what went on, but rather what I personally see as some of the most significant aspects of those events.
NERC “Technical Meetings” on CIP Version 5
NERC held two long-anticipated meetings on CIP Version 5, in Atlanta on Tuesday and Phoenix on Thursday. I think some people may have been disappointed when they realized the purpose of these meetings wasn’t to explain v5, but to gather input for the new Standards Drafting Team (members yet to be announced) that will address FERC’s mandates in Order 791. But they were nevertheless both quite interesting meetings, which I listened to while enjoying the wonderful January weather here in Chicago.
In Order 791, FERC ordered NERC to do the following five things. For three of these, they gave a due date of one year from the effective date of v5 (which is Feb. 3, so the due date is Feb. 3, 2015). However, NERC speakers made it clear that they want to get all of these done in a year; the industry has been living with uncertainty for so long that it needs to come to an end as soon as possible. Here are the five things:
- Remove “Identify, Assess and Correct” from the 17 requirements in CIP v5 that include that language[i]. There was a good discussion of this at both meetings. The upshot is that this isn’t a disaster for the industry, because of probably the most important development in NERC compliance, the Reliability Assurance Initiative. The RAI will essentially do what IAC was meant to do, but will do it completely outside the standards – in the auditing process. Audits themselves will focus more on the robustness of the compliance program at the entity, and not so much on whether or not they took 25 hours rather than 24 to remove access for John Jones when he was terminated for cause last May. And RAI will[ii] apply to all the NERC standards, not just the CIPs. You can read a lot more on RAI at the NERC web site (on the site, RAI isn’t hidden as well as most of the CIP information is, so you can actually find useful information with a simple search. I think this is the first example in human history of someone getting useful information through a search on the NERC site).
- Develop specific requirements for Low impact BES Cyber Assets. There was, as you might expect, a lot of discussion about this. A couple points I found interesting were a) that Low impact assets like substations are often shared by multiple entities, making the personnel requirements of CIP-004-5 much more tricky (and requiring more guidance from NERC); and b) that, since physical security costs will probably be the biggest component of spending for compliance, it would be best if only certain areas of the facility (i.e. those with cyber assets) had to be protected, not the whole asset.
The Low requirements will probably be the most contentiously debated at the SDT meetings. This is mainly because of their impact: there are so many Lows that even what may seem a minor requirement will become major just because of the sheer number of facilities it will affect. I recommend that these requirements be put into a separate v5 standard, perhaps CIP-012-5. This will allow the SDT to set a compliance date for this one standard that is later than that for the others, which would be completely justified (for more on compliance dates, see below).
- FERC directed NERC to “…conduct a survey of Cyber Assets that are included or excluded under the new BES Cyber Asset definition during the CIP version 5 Standards implementation periods.”[iii] What this is specifically referring to is the “within 15 minutes” phrase in the definition of BES Cyber Asset. FERC expressed doubts about this in the NOPR, and there was a lot of robust defense of the phrase in the comments received by FERC. The problem is that FERC’s directive quoted above might be seen as requiring entities to survey all of their cyber assets at High, Medium and Low impact facilities. This would be a huge deal (and is why CIP-002-5 specifically forbids requiring an inventory at Lows); this was forcefully pointed out by a woman from a large IOU (I believe) at the Atlanta meeting.[iv] However, NERC speakers assured the audience that they have no intention of requiring such a drastic step; they will use sampling or some other method to reduce the effort required.
One thing that did become clear at the Phoenix meeting was that people have a lot of questions about the definition of BES Cyber Asset, and how 15 minutes fits into it. This is clearly an area where NERC needs to provide guidance.[v]
- Protect “transient devices”. This section of Order 791 (pp. 74ff) is actually headed “30-day Exemption”, since NERC excluded from the definition of BES Cyber Asset those devices used within an ESP for less than 30 days. In the NOPR, FERC questioned why this exemption was there, but they were persuaded by the comments they received that it should remain. However, they did order NERC to develop or modify a CIP standard to provide some sort of requirements to protect these devices. It seems clear to me that these requirements should also be put in a separate standard (e.g. CIP-013) rather than be modifications to one of the other v5 standards. Again, the reason I say this is it will allow the SDT to set a different, presumably later, compliance date for this new and currently unknown standard than for the other v5 standards (which are all spelled out now, and won’t change except for removal of IAC).[vi]
The discussion in Phoenix on this topic was quite good, and convinced me that this will not be an easy standard to write, either. One big obstacle is the wide variety of transient devices – thumb drives, laptops, flash memory cards, etc. So it would seem sensible to categorize these and have separate requirements for each category. But as someone in Phoenix pointed out, this runs into the problem that the devices themselves are always changing and taking on characteristics of other categories. As I said, not an easy standard to write.
- Develop new or modified standards that implement “appropriate and reasonable controls to protect the nonprogrammable aspects of communication networks” – i.e. the physical infrastructure of a network. This includes cabling, jacks, etc. There was of course a lot of discussion about this, but keep in mind that FERC’s use of the term “communication networks” does not include:
- Encryption or other means to protect data in motion. These topics fall under what FERC calls “communications security” – one of the three issues that FERC raised in the NOPR but declined to issue specific directives on in Order 791 (page 115ff). The three issues will be addressed in a technical conference to be convened by FERC within 180 days of Order 791 (I’ve heard March is a likely month for this).
- Communications networks outside of the ESP. There was much discussion in both meetings about the infeasibility of protecting networks of communications providers like Verizon; NERC entities clearly have no control over the security of these networks. However, I believe that, by the very fact that FERC is stating that communications networks should be protected within the CIP standards (and not with a new family of standards), they are saying that inter-ESP networks are out of scope. CIP Version 5 is for protection of BES Cyber Systems, and these reside within ESPs. I don’t think it will be hard for the SDT to make clear in the new standard – and once again, I suggest this be a new standard like CIP-014, so that a separate implementation date can apply – that “communications networks” refers to intra-ESP networks only.
I further note that FERC directs that this topic should also be addressed in the technical conference.
FERC Grants a Rehearing for Order 791
You are forgiven if you didn’t know that two petitions had been filed with FERC, requesting a rehearing to clarify certain aspects of Order 791; I certainly didn’t know it either. But they were, and on Jan. 22 FERC issued an “Order Granting Hearing for Further Consideration”.[vii]
The two requests were each from a pair of trade associations; one from EEI and EPSA, the other from NRECA and APPA. To download these, you have to go to FERC Online (and you need a login for that) and search for documents on docket RM13-5. Or else you can email me at firstname.lastname@example.org for the documents (I imagine they’re also available on the four associations’ web sites).
To address the EEI/EPSA petition first, it requested a rehearing to address five issues. I’ll discuss each, along with my opinion on them.
- The survey regarding 15 minutes shouldn’t require an inventory of cyber assets. I have discussed this above, and believe this won’t really be a problem, since I don’t think FERC was really requiring that inventory in the first place. But I can certainly understand why EEI/EPSA would want to have FERC clarify this now.
- FERC should confirm that April 1, 2016 is the compliance date for Medium/High impact assets (this had to do with the difference between the Order 791 date, Nov. 22, and the effective date of Version 5, which is Feb. 3. NERC’s v5 implementation plan refers to the former, while Order 791 refers to the latter). Since I don’t think there is any real dispute about this, it is another case where EEI and EPSA are trying to remove all possible uncertainty – certainly a good thing.
- EEI and EPSA claim that FERC should have pushed back the implementation date for the Low assets beyond the roughly three years and a quarter shown in the v5 implementation plan (i.e. they want the date pushed back beyond April 1, 2017). Their reasoning for this is that, by directing NERC to develop new requirements applicable to Lows - which will be delivered to FERC about a year from now – they are making it very hard, if not impossible, for entities to be compliant by the date in the implementation plan. They point out that that date was agreed on by the NERC ballot body on the assumption that there would be only one requirement, CIP-003-5 R2, which applied to Lows. Now that there will be other requirements, and that they won’t even be known for close to a year, the situation is very different.
I believe this question is easily answered: As I said above, NERC should develop a new standard for Low impacts; they can then set a different implementation date for this standard than for the rest of v5.[viii] The implementation date for Lows in the v5 plan applies just to CIP-003-5 R2. So, assuming the new Low requirements are put into a new standard with a later implementation date, entities with Lows will have to comply with CIP-003-5 R2 on April 1, 2017, and with the new Low standard at some date after that.
Again, even though I don’t think this is really a problem, I do commend EEI and EPSA for asking FERC to clarify it – just to be sure.
- The FERC-led technical conference should take place within 90 days of the issuance of the Final Rule (i.e. Order 791). The reasoning for this request is solid: The new SDT has to have the revised standards, including the new requirements for communication networks, to FERC by February 2015. Since the conference will address communication networks, if it is held this May (i.e. about 180 days after Nov. 22) and if new insights on this question are developed in the conference, it will be difficult for the SDT to incorporate them into the new communications requirements in time to meet FERC’s deadline.
This is certainly a good point, but I don’t think FERC will give EEI and EPSA what they want in this case. 90 days from Nov. 22 is Feb. 22, i.e. less than a month from now. I don’t think they could get a conference together that quickly. However, this makes it all the more likely that the conference will be in March, as I had heard it would be.
- FERC should clarify that the new requirements for communications networks won’t apply to network components outside of an entity’s control. As I said above, I think this can be pretty easily dealt with by the SDT, but again it’s a good idea to get FERC to confirm it.
NRECA and APPA’s petition just presents two issues:
- Their first issue is an important one, although I don’t see it as the big problem that NRECA and APPA do. They say that, by rejecting the “Identify, Assess and Correct” language in 17 requirements of v5, but giving NERC the option of either removing it altogether or just modifying it, they are leaving the industry in a very uncertain position as they start preparing for compliance on April 1, 2016.
As with most of EEI/EPSA’s issues, I commend NRECA and APPA for asking FERC to clarify this. However, I don’t think it’s FERC’s job to do that, in this case[ix]; it’s NERC’s job. As I said in endnote [i] below, NERC staff members made it clear this week that they aren’t even considering trying to modify the IAC language; and it’s hard to see how any modification would do that, since FERC doesn’t think the IAC idea should even be addressed in standards at all. But someone from NERC needs to state that for the record.
- The second issue has to do with FERC’s estimates of the regulatory burden of complying with the CIP v5 standards. I totally agree that FERC’s estimates were ridiculously low (although NRECA and APPA don’t phrase it this way, of course. This is why I could never be a lawyer). I don’t think FERC will change their estimates, though. And even if they did, it wouldn’t have any effect; they’re not going to go back now and gut the standards to make the regulatory burden less. It’s certainly worth at least pointing out, though, so I commend the two organizations for doing so.
It will of course be interesting to see what FERC says at the rehearing (which I don’t believe is scheduled yet).
All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.
[i] FERC actually gave NERC the option of modifying the language to meet their objections. However, it was clear in the meetings that NERC doesn’t intend at all to do that – and indeed, I see no good way the language could be modified. FERC objected to trying to do IAC in the language of the standards at all, so it’s hard to see how you could change that language and satisfy them.
[ii] I probably don’t even need to use the future tense here. I was quite surprised when I attended MRO’s compliance meeting in December where they explained their new compliance enforcement program – and I realized halfway through the presentations that it was RAI, although they didn’t call it that. They have not only piloted RAI (at least one other region hasn’t even done that yet), but they’ve pronounced the pilot a success and they’re moving into production (this is something like a clinical trial where it becomes clear halfway through the trial that the medicine being tested is tremendously effective. Ethics require that the trial be stopped and all subjects be given the medicine). I’m not quite sure they were allowed to do this, but it seems to me the leaders of MRO would much rather beg forgiveness than permission. I’ve always liked that attitude.
[iii] FERC Order 791, page 73.
[iv] She said her organization would have to suspend work on v5 compliance for several months and put everybody to work on the survey response, if they had to assess every cyber asset.
[v] Of course, I’ve just done three long posts on the need to have guidance on asset identification in CIP-002-5 R1. And I’ve pointed out previously (actually, in the context of CIP Version 4, although the exact same argument can be used in v5) the need for guidance on the bright-line criteria in Attachment 1. There’s a lot of guidance needed on CIP-002-5!
[vi] My suggestion differs from another suggestion at the Atlanta meeting: that transient devices be just defined as another type of cyber asset, and inserted in the requirements that would make sense to apply to these devices. Again, it seems to me it would be better to have a separate standard that could be given a different implementation date from the rest of v5.
[vii] Here is the entire text of the Order:
Rehearing has been timely requested of the Commission's order issued on November 22, 2013, in this proceeding. Version 5 Critical Infrastructure Protection Reliability Standards, 145 FERC ¶ 61,160 (2013). In the absence of Commission action within 30 days from the date the rehearing request was filed, the request for rehearing (and any timely requests for rehearing filed subsequently) would be deemed denied. 18 C.F.R. § 385.713 (2013).
In order to afford additional time for consideration of the matters raised or to be raised, rehearing of the Commission's order is hereby granted for the limited purpose of further consideration, and timely-filed rehearing requests will not be deemed denied by operation of law. Rehearing requests of the above-cited order filed in this proceeding will be addressed in a future order. As provided in 18 C.F.R. § 385.713(d), no answers to the rehearing requests will be entertained.
I defy anybody to show me where in these two paragraphs it says that the request has actually been granted; if it weren’t for the title, I’d swear this text says it has been denied, or at least not approved. I guess this is why lawyers seem to exist on a different plane than the rest of us – I’m sure any lawyer would take one look at this and it would be obvious to him/her that the request was granted.
[viii] Technically, of course, we’re talking about CIP Version 6, not v5. As I said in my post on Order 791, as well as in this much earlier post, FERC doesn’t have the option of approving a standard and then ordering changes in it. They can only completely remand the standard or completely approve it. When they order NERC to develop modifications, those modifications really have to be in a new version of the standards, which I believe will be called CIP Version 6 (this happened previously with CIP Versions 2 and 3). So in one year, the new SDT will present CIP v6 to FERC, which will consist of v5 plus the changes FERC ordered. I also believe a) that v6 will supersede v5, like v5 superseded v4; and b) that, for standards CIP-002-6 through CIP-011-6 (i.e. the standards that currently exist in v5), the implementation plan will be modified so that entities will have to comply with v6 by approximately the same dates as they would have for v5. You can read the chilling details of this in the Order 791 post.
[ix] After giving NERC two options in Order 791, FERC isn’t going to turn around and say they now only have one option.