I wrote lengthily (not that I ever write any other way) and bitterly about the first draft of the CIP-002-5.1 RSAW in this post in late June. The second drafts of the RSAWs were released this week, so I eagerly downloaded the new CIP-002 document to see whether it would be better. Surely, I naively thought, there must have been some big improvements.
Boys and girls, I hate to tell you this: The world doesn’t always (or even usually) follow what we may wish. So I have good news and bad news for you. The good news is that all of the statements that I found objectionable in the first draft have been removed. And what’s the bad news?
The bad news is that NERC has replaced those statements with… nothing. That’s right, nothing. All of the statements I cited in the original post were found in a set of blue boxes, labeled “Evidence Requested”, “Compliance Assessment Approach” or “Notes to Auditor”. The first and third boxes have simply disappeared[i]. And the Compliance Assessment Approach box now consists of nothing but a recitation of CIP-002-5.1 R1, preceded by the words “Verify that…” in several places.
It’s hard to express how depressing this is. After originally implying that the RSAWs would shed light on some of the problems with CIP v5, it seems NERC has now completely given up on that idea, and has reduced the CIP-002-5.1 RSAW (and I haven’t read the others yet) to simply a recitation of the requirements. This wouldn’t be all bad if NERC were at the same time working feverishly on addressing the interpretation problems with that standard; but I see absolutely no sign of that.
Meanwhile, of course, we’re approaching October 1, exactly 18 months from the High/Medium compliance date for v5. What are entities to do, with no guidance on these issues? They really can’t go full bore ahead with their v5 compliance programs until they’re satisfied that they’ve identified what’s in scope correctly. And since the only official (or even unofficial) guidance currently available is the wording of the standard itself, in all its glorious inconsistency and ambiguity, this has to be making a lot of people nervous (or they simply haven’t started their v5 process in any meaningful sense).
Of course, people will find a solution, one way or the other. I will soon start a series of posts that will discuss how people are “rolling their own” definitions and interpretations. What else can they do?
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
[i] This isn’t entirely true, since there still is a heading labeled “Auditor Notes”. However, it is completely blank. Did someone start to write some notes, run into problems, then just give up? Are they going to add them back in a future draft? Another in a long line of NERC mysteries.
10/16: It was pointed out to me that this end note doesn't mean anything, since the Auditor Notes are always left blank in the RSAWs. They're for the auditors to literally write notes during their audit. Of course, that doesn't affect the argument in the body of the post. I hope to revisit this problem shortly.