Saturday, December 13, 2014

The CIP v5 Compliance Date Needs to be Moved Back

When I started this blog at the beginning of 2013, one of my first posts was about the need to move the CIP v4 compliance date back.  It seems I’m now doing the same thing for v5, less than two years later. 

I’ve been spending a lot of time lately, on the phone and in person, with NERC entities of various sizes (well, super large to medium size); I always ask how they are coming on their CIP v5 program.  To a man/woman, they all first tell me the program is moving along well.  Once we’ve gotten past that formality, a little digging usually reveals it really isn’t going along quite so smoothly, although the entity also may be in denial and not realize how far they are from being compliant on April 1, 2016.

One problem is funding.  I know at least a couple large entities that aren’t going to officially get a dime in v5 funding until 2015.  They’re then going to have to scramble – and fight over a small pool of consulting resources – to get everything done next year (and you definitely need to have your entire v5 program in place by the end of 2015.  You then should have an assessment to see what you may have missed; that leaves you at least a couple months to fill any remaining gaps by April 1, 2016).

This might seem pretty short-sighted of those entities.  Why didn’t they budget any money for v5 in their 2014 spending plans?  However, you have to consider the history.  Until April 2013 when FERC upset the applecart and issued their NOPR , the only thing set in stone was that CIP v4 would come into effect April 1, 2014.  And even with the NOPR, I know a lot of NERC compliance people had a big problem convincing their management and legal teams that v5 was really coming.  There was good reason for their reluctance: V4 was approved, while v5 was still just a wishful statement by FERC.  It was only when FERC approved v5 on November 22, 2013 that it became crystal clear it would come into effect.  Of course, most entities had already done their 2014 budgeting by that date.

So that’s one problem.  A bigger problem has been the huge amount of uncertainty about what the wording of the CIP v5 standards means - especially my favorite standard, CIP-002-5.1.  Of course, a lot of this uncertainly has been caused by irresponsible bloggers trying to split hairs over fine points of the wording.  But leaving such riff-raff aside, NERC and the regions have been honest that more guidance is needed.  Yet it has been slow in coming, and many entities have decided they can’t wait any longer for all the holes to be filled in, and they’ve “rolled their own” solutions to do the job.

But other entities haven’t quite been able to give up the cherished belief that NERC ought to tell them what the standards mean, not they NERC.  This is a relic of the quaint old tradition (going back say 4,000 years to the Code of Hammurabi), in which it’s the authorities that interpret the laws, while the people obey them.  I’m afraid NERC entities need to discard such outmoded concepts.  This is the brave new world of NERC CIP Version 5, where any official interpretation help will be late in coming and inconclusive, and perhaps won’t come at all.  You have to roll your own solutions, or simply not do anything at all.

It is the latter option – not doing anything at all – that has been embraced wholeheartedly by a number of NERC entities; since there is no other clear path forward, doesn’t it make sense that’s the best thing to do, pending better clarification?

I’ve compared this attitude to that of the heroes of the play Waiting for Godot, one of the greatest plays ever written.  In it, two men spend the entire play standing on a virtually empty stage, waiting for someone named Godot to come; they have already been waiting for some time.  Godot sends a messenger every day to say he can't come but he will for sure the next day, yet the fact remains: The protagonists know all along Godot isn’t coming, and they’ve always known that (in fact, they’re not at all sure why they’re waiting for him in the first place).  But even at the end of the play, when it’s clearer than ever Godot will never come[i], they continue to wait.  They say they're through with waiting, but they just stand there as the curtain falls.

I don’t want to press this analogy too far (Samuel Beckett, the playwright, was of course writing about the human condition in general, not NERC CIP v5).  But it does seem to me that entities that are waiting for all ambiguities to be cleared up in v5 are in the same position as these two hapless gentlemen.  Deep in their hearts, they realize help won’t be coming – or at least not enough of it.  But they keep waiting.

I’ve now discussed two types of entities that are in danger of not meeting the 4/1/16 deadline.  One is those that haven’t had the funding available.  The other is those that may have funding, but are paralyzed by the fact that there are so many holes still to be filled in the interpretation of v5.

But there’s another entity that is probably even worse off than both of these.  This is an entity that thinks they are on the road to full compliance.  They’re mounting a big effort to understand the CIP v5 standards, and they’re producing various presentations and documents on what v5 means, both in general and for them.  But they’re not actually doing what needs to be done for compliance: deciding what policies, processes and technologies need to be in place for v5, then implementing them. 

I say this type of entity is worse off because they don’t know it.  They think that every PowerPoint and position paper is moving them further toward compliance, when at best they’re pretty much standing still.  The fact is, you’re on a fool’s errand if you think you can approach v5 compliance from first principles.  I’ve written probably 25-30 posts just on CIP-002-5.1, and the only conclusion I’ve been able to reach about first principles in that standard is that there are none (more accurately, it was built on two or three very different first principles, and the contradictions between them were never reconciled).

Richard Feynman, one of the greatest physicists of the 20th century, famously said (about quantum mechanics, literally the foundation of modern physics and the reason I’m able to type this post on a computer that doesn’t take up multiple rooms and cost millions of dollars), “If you think you understand quantum mechanics, you don't understand quantum mechanics.”  Unfortunately, the same applies to CIP v5: If you think that developing a deep understanding of what v5 means will help you comply with it, you don’t understand v5 in the first place.  Put down your PowerPoints; pick up your pen and start writing your v5 policies and procedures.  Those are what CIP v5 means.

I’m sure there are other reasons why entities aren’t ready for v5.  But I don’t need to know all the many reasons, nor do I need a survey or focus groups to tell me this: The majority of NERC entities won’t be ready for CIP v5 compliance by 4/1/2016, or if they do actually make the date it will be because they’ve spent far too many ratepayer dollars (or shareholder dollars) than they should have[ii].

So I’m saying the main v5[iii] compliance date should be pushed back – at least six months, hopefully a year.  Of course, this would mean that all the other compliance dates would have to be pushed back as well.  What’s the mechanism for this to happen?  Beats me, but it certainly seems something could be worked out among NERC, FERC and the regions.  Something has to be worked out anyway, given the interpretation problems (and you'll hear more from me on these interpretation problems very soon.  You might want to put me on your spam list while there's still time) and the fact that the ship has sailed on any effort to deal with them in a “legal” way.  These are extraordinary times, requiring extraordinary measures.

What are the chances the date actually will be pushed back?  I’d say they’re slightly better than those of the Cubs winning the World Series next year.  But you never know.  It’s been “Wait ‘til next year” for 106 years here in Chicago; one of these centuries, next year will come.

This post is the first of four posts that describe why the v5 compliance date needs to be moved back, and what else needs to be done to address the serious problems in CIP-002-5.1, the foundation of all the CIP v5 (or more explicitly CIP v6.3940) standards.  The next post in this series is here.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

You have a message from Mr. Godot.
Yes Sir.
He won't come this evening.
No Sir.
But he'll come tomorrow.
Yes Sir.
Without fail.
Yes Sir
What does he do, Mr. Godot?
He does nothing, Sir.
What am I to tell Mr. Godot, Sir?
Tell him ….tell him you saw me and that…..that you saw me…..

[ii] Of course, given that I’m a CIP consultant, and given that the greater part of the money these entities waste will be on consultants, you might say this is the best thing that could happen for me.  But the fact is, there aren’t that many consultants who can really help right away in the v5 effort, although there are a lot who will say they can - meaning they’re happy to learn the ropes on your dime.  These people will come out in droves – correction, are coming out in droves – and the majority of the consultant spending in 2015 will be on them.  As I said, after an entity has spent a huge amount on these people, it may well be compliant on 4/1/16.  But it wouldn’t have to be this way, if entities were given more time to comply.  They could actually take their time and become compliant in an efficient, cost-effective manner.

[iii] And when I say “v5”, I mean the combination of v5, 6 and 7 standards that entities will actually have to comply with.  I’ve named this Version 6.3940, but I know everyone will continue to refer to the whole thing as v5; I’ll continue to do so as well, at least at times.

No comments:

Post a Comment