The Timeline for CIP Version 5.5

When FERC said they were going to approve CIP version 5 in their April 2013 NOPR, I immediately drew the conclusion that CIP v5 wouldn’t be the next version that entities had to comply with; it would be a new version 6.  My reasoning, outlined in this post, was this:

1. Given the tone of the NOPR, it was clear that FERC wasn’t going to approve v5 unchanged. 
2. Since NERC’s Rules of Procedure don’t allow changes to be made to a standard after it has been approved by the Board of Trustees (and all of the v5 standards were so approved at the end of January 2013), the changes would have to be in a “compliance filing” ordered by FERC when they approved 2013.  The revised standards would have to have a new version number, which would almost certainly be v6.
3. I also didn’t think it was likely that v5 would ever be allowed to come into effect before v6.  I felt the changes ordered by FERC (especially removal of the “Identify, Assess and Correct” language, which FERC strongly suggested they would order when they wrote the NOPR, and indeed they did mandate in Order 791) would make it almost impossible to have a smooth transition from v5 to v6.  I therefore thought that v6 would “sunset” v5, just as v5 would “sunset” v4 when it was approved, and the next compliance version would be v6.

I continued to hold this position when Order 791 came out last November.  In a post two days later, I argued that it was likely that the v6 standards would come into effect on the same dates as the v5 standards, so they would clearly supersede v5. 

However, after attending the first meeting of the “CIP Version 5 Revisions” drafting team in February, I changed my opinion.  As discussed in this post, I was convinced at the meeting, by the smooth-tongued Scott Mix, that there was really no problem with v5 coming into effect before v6; all NERC has to do is let it be known they won’t consider IAC in their auditing, and all will be well.

At that point, my official position became that v5 would be the next version, followed after some period of time by v6.[i]  That is, until I saw the official first drafts of the drafting team’s work (now being balloted by NERC).  Then I realized two things.  First, the drafting team hasn’t produced new versions of all the v5 standards.  Specifically, they have only revised CIP-003, -004, -006, -007, -009, -010, and -011.  They have left CIP-002, -005, and -008 exactly as they were.  You might wonder why this is unusual, since the latter three standards must not have needed changing.

But this hasn’t been the previous practice.  For example, in the CIP v2 to v3 transition, the only standard that was changed in v3 (I believe) was CIP-006; yet all of the standards were revised so that there was a “-3” at the end of them.  Similarly, when CIP v4 was developed, only CIP-002 was changed in substance, but all of the other standards were revved to v4.  The fact that this hasn’t been done this time means that the next compliance version of CIP won’t be v5 or v6; rather, it will be the mixture of v5 and v6 standards I’ve just described.

Is this a problem?  No, it isn’t in theory.  But it does mean that NERC entities need to be careful with the version of the standard they’re using.  With versions 1-3, you could tell simply by the “-1”, “-2” or “-3” which version you were dealing with.  Now, you need to have a little cheat sheet telling you that you should always be using the “-6” versions of CIP-003, -004, -006, -007, -009, and the “-5” versions of CIP-002, -005 and -008.  And how about CIP-010 and -011?  Those were “-1” in the original v5, but they have both been revved to “-2”.  So you need to use the latter.  And since the next CIP compliance version will be a mixture of 5 and 6, it may be better to just call it v5.5 (except I know everyone – including me – will continue to call it v5).

At this point, you may ask (and if not, I’ll ask for you) “Why don’t we just simplify things and bring CIP-002, -005 and -008 to v6?  Then there will be a complete set of v6 standards, and we’ll just comply with those.”  I have to say, that’s an excellent question.  The answer is simple: After the debacle with CIP Version 4 – then v5 – then v4 – and finally v5, I think most people at NERC are convinced that if they introduce a new improved CIP version, they’ll all be strung up from the nearest lamppost by an angry crowd of NERC entities. 

And there is reason for that fear, since the CIP v4 debacle did result in real costs to a number of entities.  On the other hand, it simply isn’t the case that v6 is being foisted on the industry as part of some nefarious plan to generate more paperwork (and perhaps justify more jobs at NERC?).  V6 has only come about because FERC required changes in v5, and these can’t be included in the current version.  V6 is nothing more or less than what FERC ordered (I actually wish it were more than what FERC ordered.  For example, I would like to see CIP-002-5 R1 and Attachment 1 completely rewritten.  I believe I’ve mentioned this once or twice before – like in over 20 posts.  However, it ain’t happening, meaning we have to go to plan B.  Or C.  Or D….But something needs to be done).

So I can guarantee you won’t hear a NERC employee refer to CIP version 6, even though most of the standards currently being balloted have a “-6” suffix.  Instead, it’s “CIP Version 5 Revisions”.  Whatever…

The second thing I noticed is that, unlike what I expected, the compliance dates for the new standards are almost all exactly the same as they were for the “classic” version 5 standards – that is, High and Medium impact facilities need to comply on April 1, 2016, while Lows need to comply on April 1, 2017.  This may be hard to see from the wording of the new Implementation Plan, but hear me out.  For most of the standards, the plan reads like this:

Reliability Standard CIP-003-6 shall become effective on the later of April 1, 2016 or the first day of the first calendar quarter that is three months after the date that the standard is approved by an applicable governmental authority.

So CIP-003-6 will become effective on April 1, 2016 (the same day as CIP-003-5, of course), unless FERC doesn’t approve it until January 1, 2016 or later.  And what is the chance that the latter will happen?  Very small.  Since the new standards will all be presented to FERC by the beginning of February of next year, and since FERC is likely to be happy with them (after all, these new standards are simply what FERC ordered, and FERC staff members have been riding herd on the SDT to make sure they produced something the Commissioners would like, although I’m sure they were always careful to say they didn’t know what the Commissioners would like), it is very unlikely that FERC won’t approve them fairly quickly, and certainly before January 1, 2016.

In other words, there will be no v5 standards that will come into effect, only to be superseded by v6 standards.  The three v5 standards that don’t have v6 versions will remain in effect, and in fact the compliance dates for v5.5 are for the most part unchanged from those of v5.

Of course, this being NERC, there are exceptions to the statement that the compliance dates are the same for the v6 standards as for their v6 predecessors.  Here are the exceptions:

1. This really isn’t an exception, but compliance with CIP-003-6 R2 – the only requirement that applies to Low impact assets – is due on April 1, 2017 (the same date as CIP-003-5 R2) or nine months after the effective date of CIP-003-6 itself.  This means that, if FERC doesn’t approve CIP-003-6 until April 1, 2016 or later, the compliance date for CIP-003-6 R2 will be later than April 1, 2017.[ii]  But there is almost no chance that will happen.[iii]
2. CIP-004-6 is the only v6 standard that requires FERC approval six months before April 1, 2016, in order for it to be effective on that date.  Since FERC will get the v6 standards from NERC in early February, 2015, this means they would have to approve them before October 1, 2015; if they approve them in the fourth quarter, then CIP-004-6 will become effective July 1, 2016 (while the other v6 standards will still come into effect April 1).  I won’t say this is impossible, although I still think it is less likely than that FERC will approve all of the v6 standards before October 1.
3. There is an exception regarding CIP-006-6 R1.10[iv]:

For new high or medium impact BES Cyber Systems at Control Centers identified by CIP-002-5.1 which were not identified as Critical Cyber Assets in CIP Version 3, Registered Entities shall not be required to comply with Reliability Standard CIP-006-6, Requirement R1, Part 1.10 until nine calendar months after the effective date of Reliability Standard CIP-006-6.

This states that control centers that weren’t Critical Assets under v3 have an additional nine months to comply with this one requirement part – so their date is January 1, 2017.

4. The next exception may seem small but is probably huge: 

Registered Entities shall not be required to comply with the elements of Reliability Standard CIP-007-6, Requirement R1, Part 1.2 that apply to PCAs and nonprogrammable communication components located inside a PSP and inside an ESP and associated with High and Medium Impact BES Cyber Systems until six calendar months after the effective date of Reliability Standard CIP-007-6.

This states that, for the purposes of compliance with CIP-007-6 R1.2, Protected Cyber Assets and “nonprogrammable communication components” inside an ESP have an additional six months to comply, for an effective date of October 1, 2016.

5. Here is the last exception:

Registered Entities shall not be required to comply with Reliability Standard CIP-010-2, Requirement R4 until nine calendar months after the effective date of Reliability Standard CIP-010-2.

CIP-010-2 R4 is the new requirement for Transient Cyber Assets and Removable Media.  This says that the effective date for this requirement – for all entities with High and Medium assets (the only ones subject to the requirement) – is January 1, 2017.  This is of course a big exception, but probably reflects the SDT’s estimate of the effort that will be required to comply with this requirement.

So there you have it – the timeline for CIP version 5.5.  If somebody creative wants to put this into an actual visual timeline, I’ll publish it.  Otherwise, this is left as an exercise for the reader.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

---

[i] There is a precedent for a smooth transition like the above.  When FERC approved CIP version 2 in the fall of 2009, they ordered a single change – a requirement for providing escorted physical access to non-authorized visitors to a Critical Asset.  NERC developed this requirement, added it to CIP-006-2, and changed the version number of all the v2 standards to v3.  CIP version 2 came into effect on April 1, 2010, while v3 came into effect on October 1, 2010.  This transition was possible because there was nothing changed or removed from v2; just the one requirement was added.  In the case of the v5-v6 transition, that was certainly not the case, so I didn’t see that it would be possible to have a similar transition happen as had with v2-v3.

[ii] Here’s why I say this: As has just been said, the compliance date for CIP-003-6 will be April 1, 2016 or three months after FERC approval.  If FERC waits until April 1, 2016 or later to approve the standard, then the effective date for the standard will be July 1, 2016 or later.  Since that date is nine months before April 1, 2017, in this case CIP-003-6 R2 would have an effective date later than April 1, 2017.  However, there is just about zero chance that FERC will dawdle this long in approving CIP-003-6.

[iii] And this is a pretty significant point.  I had really expected that the new requirement for Lows would have a compliance date 9 months or even longer after April 1, 2017.  Given the number of Low impact assets that most NERC entities have, it really behooves them to start planning for the Low compliance effort now.  I have had a couple large entities tell me that, regardless of problems they see with the High and Medium impact assets, it’s the Lows that scare them – simply because of their number.

[iv] This requirement is for protection of cabling that connects devices in an ESP, which itself exits the PSP.  It was one of the four items mandated by FERC in Order 791.