The Ship has Sailed, NERC

This is the fourth and last of a series of posts on the many problems with CIP-002-5.1 R1, and what both NERC entities and NERC itself need to do to deal with them.  The series started with a post in which I said the compliance date for CIP v5[i] should be pushed back from its current date, April 1, 2016.  It was followed by a post that listed serious interpretation issues with this requirement (which is of course the fundamental requirement of CIP v5), and most recently by a post describing a high-level “methodology” for complying with this requirement (or more accurately, showing graphically why it is impossible to develop any sort of definitive methodology).

To go back to the first post in the series, the reason I gave for pushing the compliance date back was that a large number of entities will clearly either a) not be compliant by 4/1/16; or b) only achieve compliance through a large, very inefficient expenditure of money – as the huge demand for assistance with v5 runs up against the small number of competent resources available to meet the demand.

I listed three reasons why entities won’t be ready by the compliance date, although it’s possible there are other reasons as well:

1. They won’t have budget for CIP v5 until 2015;
2. They have been holding back from taking action on v5 due to the many uncertainties in interpretation; or
3. They are already spending money on v5, but they aren’t addressing what needs to be done.

You could say that 1 and 3 are the result of the entity’s actions or inactions, and aren’t anyone else’s fault (like NERC’s)[ii].  I don’t dispute this, although that doesn’t in any way mean the date shouldn’t be pushed back.  When you have a large number of people not in compliance with a law or regulation, you have to look at whether a) the law or regulation imposes too much of a burden for compliance; or b) the implementation period is too short.  I assert that both of these are true in the case of CIP v5, although addressing a) will be much harder than addressing b).

But let’s focus on the second reason that a large number of entities aren’t going to be ready for v5 compliance on 4/1/16: uncertainties in interpretation.  Folks, this one is entirely NERC’s fault.  Since April of 2013, I’ve written maybe 40-50 posts on problems with CIP-002-5.1 R1 and Attachment 1, culminating (for the moment) with the second post referred to above.  This post describes about 20 problems with CIP-002-5.1 R1 (most quite serious), and I’m sure that there are a lot of others lying in wait in the “bright-line” criteria (I love that term, which is FERC’s.  It shows they have a great sense of humor).

Of course, CIP-002-5.1 R1 (hereinafter referred to as “R1”) is just one of 33 requirements in CIP v5 (there are more requirements in CIP 6.3940, the “version” that entities will actually have to comply with)[iii].  However, R1 is definitely the foundation of v5.  The goal of CIP v5 is to protect BES Cyber Systems.  To comply with R1, you need to identify those BES Cyber Systems.  If you don’t do that properly because you don’t understand what that requirement means, none of your efforts to comply with the other v5 requirements will really be valid (even though it’s not likely you’ll actually be assessed PV’s for violating those other requirements, due to a mistake in complying with R1).  It’s like a real estate salesperson is trying to sell you a house called CIP v5.  They say, “It has wonderful bathrooms, a great kitchen, huge living room…The foundation is rotten and could go at any time…But LOOK at these bathrooms!”

You may point out to me that CIP v5, like all NERC standards, was written by a Standards Drafting Team composed of employees of NERC entities, and it was approved by a ballot of those entities; therefore, any blame for problems resides with the NERC entities themselves.  While this isn’t completely true (since NERC staff members played a big role in guiding the SDT), I’ll stipulate you’re right.  But IMHO, once the NERC Board of Trustees approved v5, ownership passed to NERC.  As problems began appearing (and they appear with every standard), it was NERC’s responsibility to address them in a timely fashion, so that entities could comfortably meet the compliance deadline.  Despite some half-hearted efforts like coming out with some Lessons Learned, NERC hasn’t definitively addressed any of these issues.

I contend that yesterday, Jan. 1 2015, was a watershed day for CIP v5.  As of that day, there remain exactly 15 months for NERC entities with High and Medium impact BES Cyber Systems to achieve full v5 compliance for those systems.  Yet there remain a huge number of uncertainties about definitions of terms used in v5 and interpretation of wording (especially in R1, but the uncertainties are certainly not limited to that requirement).  NERC has put out about ten “Lessons Learned”[iv] and FAQ documents on v5 issues, most still in draft form.  That is just about the only “guidance” they have provided (and all these documents will ever be is guidance.  The only official Interpretations – which carry the full force of Requirements - of the v5 wording won’t be approved for years). 

NERC has also put out a list of 23 issues (ten of which are in R1) that they plan to address in future Lessons Learned or FAQs.  One or two have already been addressed in draft form, so there are about 21 issues they say they really really want to get to one of these days.  My guess is at most one, maybe two, of these will be addressed each month in 2015; so just addressing the issues NERC has said they’ll address will take all year.  And these are just a portion of the issues that are actually out there (I believe only two of the problems with R1 that I pointed out in my second post were even on NERC’s list to address at all).  If you assume there are at least 40-60 other serious issues to be addressed (including the 18 from my post), this means the Lessons Learned process will have them all nailed down by around the end of 2017, running at its current pace.  Does anyone else see a teeny teeny problem with leaving the compliance date at 4/1/16?

NERC, I’m sorry to say this, but the ship has sailed.  Entities needed to start their compliance process six months ago, but at the latest they should start it tomorrow (OK, I’ll give them ‘til Monday Jan. 5).  I was hoping you (NERC) would get a good number of these issues addressed by the end of 2014, so that entities could start off 2015 by a) identifying all their cyber assets/systems in scope for v5; b) conducting a gap assessment to see what they need to do; and finally c) rolling up their sleeves and implementing what they need to fill those gaps.   Because you only addressed one or two of the CIP-002-5.1 R1 issues, the entities simply don’t have enough guidance for them to start this process as they need to: with a comprehensive effort to identify all cyber assets in scope for v5 (BCAs, BCS, ESPs, PCAs, EAPs, etc). 

You’ve taken a remarkably leisurely approach to the Lessons Learned effort, NERC (for instance, the last LLs were posted in November).  I appreciate that you all have family commitments, etc, but this approach has eliminated any remaining possibility that entities will be able to competently and efficiently comply with CIP v5 by 4/1/16.  

So this is what you need to do, NERC:

1. As I believe I’ve just mentioned, the compliance dates for v5 need to be pushed back - a minimum of six months, but preferably a year.
2. You need to declare CIP-002-5.1 R1 an “open” requirement.  I doubt there’s any provision for doing this in the Rules of Procedure, but I also doubt there’s ever been a requirement that’s been both a) so extremely critical, and b) so vague and contradictory.  You need to simply declare that any entity that makes a good faith effort to understand R1, and that properly studies and applies all the appropriate Lessons Learned, etc, will never be assessed a PV for violating R1.

I know you’re not going to like this idea, NERC (in fact, you’re not going to like any of the ideas in this post).  But you know what?  It really doesn’t matter whether or not you declare R1 an open requirement; it will be that of its own accord.  There is simply no way any self-respecting auditor will assess a PV for R1, on an entity that has made a good-faith effort to comply.  And this is because there’s no way any assessed violation of R1 would ever be upheld in a court of law – the requirement is simply too contradictory and vague.  What auditor wants to waste their time (and credibility) writing PVs that have zero chance of ever being upheld?

3. You need to bust your a__ providing guidance on v5.  No more one or two Lessons Learned a month.  You need to a) come up with a full list of ambiguities, etc. in all the CIP v5 standards; and b) make a plan to address each of these – through Lessons Learned, FAQs, fatwas, Papal encyclicals, or whatever means you have – by at a very minimum a year before the new (initial) compliance date for v5.  For example, if you put off the initial compliance date for a year to April 1, 2017, you need to address all of the ambiguities in v5 by April 1, 2016.
4. You need to write a SAR[v] for a new version of CIP-002 (which of course would be the first and perhaps only CIP Version 8 standard).  Even though I’m assuming you’ll listen to what I said in the paragraph above this (after all, you always listen to me!), there is simply no way that R1 can be made whole without completely rewriting it.  And if you’re not sure what’s wrong with the current standard and don’t feel like plowing through the 40 or so posts I’ve written on that topic (who can blame you for that?  I get tired of looking at them myself), I’ll be glad to make a couple suggestions.  Once a new CIP-002 R1 is in place, then I think CIP v5 (of course, I mean v6.3940) will be a completely enforceable version.  There are certainly problems with the other standards beyond CIP-002, but in my opinion they are all fixable through Lessons Learned or other documents; the problems with the current 002 are not fixable without a complete rewrite.

I must admit these four “suggestions” are based on an assumption: that rewriting CIP-002 will be a 2-3 year process, including writing the SAR, constituting a new SDT, drawing up and balloting a few drafts before final approval by NERC, submitting the new version to FERC, awaiting their approval, and addressing any changes FERC may require when they approve it.  A further assumption is that it would be unacceptable to leave CIP v3 in place during this entire process.

If either of these assumptions isn’t correct, then what I recommend is much simpler: NERC needs to start the process of rewriting CIP-002, and leave CIP v3 in place until the new version (CIP-002-8, by my calculations) is ready.

Of course, you may well ask what is the likelihood that NERC will take up any of my suggestions?  I refer you back to the first post in this series, where I said the likelihood was about that of the Chicago Cubs winning the World Series in 2015.  Quite small, yet still greater than zero.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

---

[i] In this and other posts, when I say “CIP v5”, I’m almost always referring to what I call CIP 6.3940, the specific mix of v5, v6 and v7 CIP standards that NERC entities will actually have to comply with.  Everyone still refers to it as “CIP v5”, and that’s fine with me – as long as nobody is looking any more at any of the “real” v5 standards except for CIP-002, -005 and -008.  All the others have been replaced by their v6 or v7 versions.

[ii] I would say that blame for Number 1 can actually largely be attributed to FERC.  I believe they approved CIP version 4 in April 2012 not because they intended to see it come into effect, but as a way to put pressure on the NERC membership to quickly approve CIP v5 (the first draft of v5 had just gone down to resounding defeat, with no standard gaining more than I think about a 20% positive vote).  Unfortunately, by approving v4, the signal they sent (especially to the Legal and Compliance departments at large IOUs) was that v4 would come into effect, regardless of whether or when CIP v5 was approved.  So a lot of money and effort were wasted on v4 compliance efforts, which I documented in a series of posts (starting with this one) last summer.

A year and a day after FERC approved v4 (and undoubtedly due to a lot of frantic lobbying by NERC), FERC issued a NOPR saying they intended to approve v5, and that v4 would never come into effect.  Yet some of those IOU Legal departments a) continued to tell people to work on v4, since after all that was still the law of the land; and b) wouldn’t allow expenditures on v5 because it wasn’t actually approved, and because FERC had made it clear they wanted some changes in it.  FERC did approve v5 in November 2013, but that was past the date that most large utilities (and IPP’s) had prepared their 2014 budgets; hence a lot of NERC entities (some quite large) won’t have v5 budget until sometime in 2015.

[iii] There are problems in most of the other requirements as well – there always are.  However, the R1 problems are serious enough that I now contend there is no single methodology that can be written down for R1 compliance that conforms to all of the wording in R1 and Attachment 1; there are just too many missing definitions, holes in interpretation, and out-and-out contradictions.  The third post in this series drove home that point in nauseating detail.

[iv] Of course, to speak of “Lessons Learned”, when the v5 standards probably haven’t been fully implemented yet by any large NERC entity, is kind of strange.  These aren’t really lessons learned but non-binding interpretations (with a lower-case i).  True Interpretations, which are binding, will take probably three years to go through the whole process of drafting, balloting, and approval (or not) by FERC; they obviously won’t solve anyone’s problems with compliance by 4/1/16.

[v] Standards Authorization Request