This is the first of two or three posts based on my visits to the SPP CIP v5 Workshop in Kansas City and the WECC CIP User Group in Portland during the first week of June. I learned a lot from the presentations at the meetings and from individual conversations with various parties, which I’d like to share with you.
Without doubt, the biggest concern at both meetings was the six “Memorandums” that NERC put out in April. And the biggest part of this concern was caused by the impression that the guidance provided in these documents was in some way mandatory for compliance. The Memorandum that caused the most concern was the one on Programmable Electronic Devices.
On April 22, NERC released a Memorandum on the meaning of “Programmable Electronic Device” (PED). As we all know by now, this is how “Cyber Asset” is defined in the NERC Glossary. And since Cyber Asset can be considered the foundational definition of CIP Version 5, getting this right is of vital importance for compliance with v5. PED was never defined in the drafting process for v5, which is why we’re having this conversation now.
Some background: The Memorandum wasn’t the first time NERC has addressed this issue. There was a draft Lesson Learned posted on January 9[i]. The argument in this document hinged on the distinction between devices that are “field updateable” and those that are “configurable only”. According to the Lesson Learned, the former are programmable (and therefore meet the definition of Cyber Asset); the latter are not. When this draft Lesson Learned appeared in January, most NERC entities I talked to thought it was a fair document – one they could live with.
I had expected the Lesson Learned would be finalized by April, but the April Memorandum made clear that this document now sleeps with the fishes; it will never be finalized. The Memorandum states (page 2) “After further evaluation, NERC determined that the issue related to this topic was not appropriately addressed through a lesson learned or FAQ as it was not consistent with the purpose of those guidance documents.”
What’s the new definition? NERC wastes no time in setting that out in the Memorandum: it is “any device that is electronic and capable of executing a set of instructions.” In other words, “configurable only” devices are now considered programmable, whereas they weren’t in the Lesson Learned. This new “definition” is based on the SDT’s responses to comments from NERC entities received during the drafting process for CIP v5, which were included in NERC’s 7,000-page (!) CIP v5 filing with FERC in January 2013.
Is the new “definition” much different in practice from the old one? From what I’ve heard, yes. There are many devices that would have been excluded as Cyber Assets using the draft Lesson Learned because they are “configurable only”. According to the Memorandum, these will all now be Cyber Assets, and will have to be considered as possible BES Cyber Assets. As soon as the Memorandum came out in April, I heard cries of anguish from NERC entities about this.[ii] I heard more at the SPP and WECC meetings.
However, there was total unanimity among the speakers at the two meetings that the Memoranda don’t count as mandatory interpretations. At the SPP meeting (which occurred on Tuesday June 2), three speakers – Kevin Perry of SPP, Lew Folkerth of RFC, and Tom Hofstetter of NERC – all agreed this was the case (naturally, they were speaking for themselves, not the organizations they work for – the standard disclaimer). However, they all did say that any entities that choose not to follow the “definition” in the Memorandum need to have a pretty good story about why this is the case.
Lew Folkerth did go beyond that and pointed the audience to an article he wrote for RFC’s newsletter (pp. 8-9) last December, discussing in general how entities can deal with “non-prescriptive” standards[iii] such as some of the CIP v5 ones – i.e. how they can comply when the standard doesn’t provide all of the information needed to fully understand what “comply” means. Let me go beyond what he said to address this particular problem: If your entity started its CIP v5 compliance program before April (and I would hope almost all entities did), you should point out to the auditor – when he/she questions why you didn’t use the April Memorandum as your “programmable” definition – that you couldn’t have even started your compliance effort without a definition of Programmable, since that is the first step in the process of identifying BES Cyber Systems. If you started this year, you may have used the Lesson Learned from January. If you started last year, you may have used something like the “definition” provided to me by a Generation compliance person, which I described in this post last September. Whatever you did, you need to document a) how you searched through all guidance on this issue that was available at the time and b) the definition you used and how you arrived at it.
Hearing two regions (and a NERC spokesperson) say the new “definition” of PED wasn’t mandatory was certainly good news, but at the WECC meeting two days later (on Thursday June 4) there was even better news. First, Brent Castagnetto, Chief CIP Auditor for WECC, said they didn’t consider any of the Memoranda to be mandatory (I’m told Texas Regional Entity also announced this). Even more significantly, it was announced that, at a meeting in Atlanta held on Tuesday and Wednesday of the week, NERC had decided to withdraw the Memorandum on Programmable Electronic Devices altogether.[iv]
This last statement is quite interesting because of what it doesn’t contain – namely, any reference to what is going to replace the Memorandum. Should entities try to follow the Lesson Learned?[v] Or are they truly on their own to come up with the best possible definition? I’m hoping that the CIP v5 Revisions SDT will address this, as well as the many other issues with CIP-002-5.1 (and the BCA/BCS definitions), by drafting a revised CIP-002 (which would have to include new BCA, BCS and Cyber Asset definitions; these are all intimately linked to the current CIP-002 wording). This is the only way to settle these questions once and for all.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte & Touche LLP.
[i] I wanted to include a link to this document, but it seems to have been removed from the NERC web site. If you want to email me at firstname.lastname@example.org I’ll send it to you.
[ii] It was stated at the SPP meeting that the biggest reason for pushing through this changed definition was because the definition from the Lesson Learned would probably have been used by many entities to remove all relays, RTUs and some other devices from the scope of CIP v5. I found this simply incredible, since I had never heard of anyone even considering this possibility – and I confirmed with others in the industry that they had never heard of that either. If that is why NERC developed this Memorandum, it seems to clearly be a solution in search of a problem.
[iii] I prefer the term “ambiguous”. Just a matter of taste, I suppose.
[iv] I’m publishing this post a week after I wrote it. I regret to say that, at the NERC CIPC meeting in Atlanta June 9-10, Tobias Whitney of NERC made clear that not only does the PED Memorandum remain in effect, but NERC still considers it “auditable”. He said the only recourse that entities have, if they don’t like the Memorandum, is to file an RFI or a SAR for a new definition; of course, this doesn’t help anybody for compliance by next June, since both of these are multi-year processes at best – and I hear that NERC hasn’t even permitted any RFIs to go forward so far.
[v] NERC unfortunately cannot return to advocating that entities follow the Lesson Learned on PED. They said in the Memorandum that the PED question wasn’t addressable through a Lesson Learned, per the quote in the fifth paragraph of this post. This is probably why the LL has been removed from the NERC web site.