I have mentioned several times since early 2014 that it is unfortunate the revised standards developed in response to FERC Order 791 were called the “CIP Version 5 Revisions” rather than simply CIP v6, since that is in fact what these are. And it is even more unfortunate that not all the v5 standards were “revved” to v6, since now entities will have to keep in mind that the “compliance version” of CIP consists of three v5 standards (002, 005 and 008) and seven v6 standards (i.e. all the rest).[i]
This arrangement is obviously causing confusion, and that is unfortunate. But a question at the WECC meeting on June 4 (and other conversations I’ve had over the past few months) showed me there is a more serious consequence: Entities may put off working on compliance with the changed requirements in v6 longer than they should, due to the mistaken impression that v6 is the “next version” to comply with, and that entities should just focus on v5 for now.
Let me be clear: You will only comply with one version of each of the standards which are collectively – and informally - called “CIP version 5” (as just described, this is three v5 standards and seven v6 ones). Most of the v6 requirements have the same compliance dates as their v5 counterparts – April 1, 2016 for Medium and High assets/Facilities and April 1, 2017 for Lows. The other v6 requirements have different dates; you can find a full list of the compliance dates in this post. You really need to consider this as one CIP version, not two.[ii]
Specifically, the questioner asked whether his entity should be working on the Transient Electronic Devices requirement (CIP-010-2 R4), given that FERC hasn’t approved v6 yet. The answer was clear: Just like all of the “CIP v5” standards, you need to look at the compliance date for that requirement and make sure you start your compliance effort early enough to meet that date. For CIP-010 R4, the compliance date is January 1, 2017. As with all requirements, you need to start getting ready, so that you can be sure of being compliant on the appropriate date.[iii]
So don’t let the different version numbers fool you: you will have to comply with one CIP “version”, not two. If it’s easier, you could call the next CIP compliance “version” what I have previously called it: CIP version 5.5.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte & Touche LLP.
[i] The experience with CIP v2 and v3 is illustrative. When FERC approved v2, they mandated that NERC develop, within 90 days, a new requirement to provide for escorted access of non-CIP-qualified visitors within the PSP. NERC actually developed this new requirement on time. The only substantive change was to CIP-006, but NERC at the same time re-christened all of the other v2 standards as v3 ones. This is why, since 2010, NERC entities have been complying with “CIP v3” rather than with CIP-006-3 along with CIP-002-2, CIP-003-2, etc. Unfortunately, that approach wasn’t followed this time.
[ii] I long ago made a ZIP file with the actual compliance versions of the v5 and v6 standards. If you want to email me at firstname.lastname@example.org, I’ll send you that file.
[iii] Part of the reason the questioner was holding back on starting compliance with the “transients” requirement was he wasn’t sure FERC would actually approve it. Scott Saunders of Exelon – who was a member of the CIP v5 Revisions SDT (I should say is a member, since their work may not be over yet) – came up to the microphone to confirm there is little chance FERC won’t approve all of v6.
Now, it is always possible FERC will require something more be added to the v6 standards – in which case the revised standards would be called v7. But it is very unlikely they won’t approve all of the v6 standards that NERC submitted to them in February of this year. Anyone who puts off starting their effort to comply with a v6 standard solely because FERC hasn’t approved v6 risks missing the compliance date. This is especially true for the Transients requirement, since that will require a lot of completely new procedures be implemented and will therefore require a lot of time to prepare. It may also be true for the requirement to physically protect all intra-ESP wiring even if it exits the PSP (CIP-006-6 R10), which may require either physical changes like conduit or logical changes like encryption.