Last week, I posted that FERC will start auditing some entities for compliance with the NERC CIP version 5 standards and also CIP-014 – and since then, I’ve been thinking about what this means. It didn’t take much thinking to realize this will have a profound impact on all NERC entities that need to comply with the CIP standards. This post sets out steps I believe FERC needs to take in the near term to address the primary problems with CIP v5.
First, it’s important to know that FERC’s move will impact all NERC entities with CIP v5 obligations, even though it is clear they won’t be auditing all, or even the majority of, entities. This is because I believe the mere fact that FERC may be their auditor will reset the bar for compliance for most entities - since it is a fair assumption that FERC’s auditors will be at least as strict as the Regional auditors, and often more strict. All entities will now need to rethink their compliance programs based on the assumption that FERC will be their auditor, not their Region (or perhaps both, since FERC could conceivably just do one audit for an entity, while leaving other audits to the Region. Hopefully, this is one issue that will be addressed when FERC makes their announcement of this program).
FERC and the entire NERC community are aware that compliance with the CIP version 5 standards is due starting April 1, 2016 – i.e., less than five months from now. FERC is also undoubtedly aware that there are a number of serious interpretation issues with CIP v5 that haven’t yet been addressed by NERC, and are very unlikely to be addressed in any definitive way before April 1.
Moreover, even if these issues are addressed before April 1, it may be too late. This is because the big CIP v5 interpretation problems are all found in what I call the fundamental requirements of v5 – the requirements that determine what cyber assets are in scope for the standards, as well as whether or not they have External Routable Connectivity (the concept of ERC doesn’t determine whether or not a cyber asset is in scope for CIP, but it does determine how many requirements are applicable to it). Since everything else that needs to be done for v5 is based on how the entity complies with these fundamental requirements, it is very likely not possible for an entity of any size to re-engineer its compliance program now and still meet the 4/1/16 date, even if definitive guidance comes out tomorrow on all of these problems.
This means FERC will be auditing NERC entities for CIP v5 compliance, knowing they haven’t had clear guidance on the meaning of the fundamental requirements in question. These include CIP-002-5.1 R1 and Attachment 1 (and the definitions that are integral to R1, including those of Cyber Asset, BES Cyber Asset and BES Cyber System), as well as the different requirements that apply to BES Cyber Systems with ERC.[i] Needless to say, this is a problem.
How will FERC deal with this problem? I can think of several ways:
1. FERC could, in effect, say to the entities “Too bad you didn’t have clear guidance on these issues when you needed it. But you’re still in violation of the requirements as we interpret them.” I don’t think this will win FERC too many friends; nor do I think they want to take this approach.
2. Since the NERC Regional Entities have provided some guidance to their members – either in public meetings or in private written correspondence – FERC can say they will audit to that guidance, as long as it is documented.[ii] The problem here is that both NERC and the regions have also provided guidance that isn’t documented: in the Small Group Advisory Sessions (SGAS), as well as in phone conversations and at meetings.[iii] What will FERC do when an entity swears up and down that they were told during their SGAS that procedure X is a good way to comply with requirement Y, yet FERC (meaning the audit team) doesn’t agree with this interpretation? Does FERC accept the entity’s word, or do they fall back on the approach described in the previous bullet point? Frankly, I don’t believe either option would be acceptable to FERC.
3. FERC can put out their own “interpretations” of these issues. For example, they can come out with their own “definitions” of “Programmable” and “adverse impact on the BES”; they can provide their own methodology for complying with CIP-002-5.1 R1;[iv] they can provide their own interpretation of External Routable Connectivity;[v] etc.
I don’t think it will shock you to hear that I think the third method is the only workable one. But there is a problem with that as well: Given that FERC will be changing the fundamental rules of the CIP v5 game less than five months before the compliance date, they simply can’t expect entities to be compliant, based on the guidance FERC does put out, by 4/1/16. I think FERC will need to postpone the date on which v5 is enforced in some way.
I have suggested one way this could be done, which is to have an “enforcement date” for v5 one year after the “compliance date”. Since I was fairly sure that wouldn’t happen, I had recently pointed out that the “effective enforcement date” for v5 would be postponed regardless of any official action; this refers to the date that the auditors will actually feel comfortable issuing PVs for non-compliance. I think the effective enforcement date will be after 4/1/16 because I believe auditors are unlikely to assess violations for requirements where there is fundamental ambiguity – assuming the entity has done all it could to come up with its own interpretation of the ambiguous areas, while considering all available guidance from NERC and its region.
However, I’m certainly not ready to make this assumption about FERC auditors; they may feel they have to issue violations whether or not there is ambiguity in the requirement. As I said earlier, even if FERC were to release tomorrow a complete set of interpretations of all the ambiguous requirements and definitions in CIP v5, it may be too late for entities to revise their v5 programs to take advantage of those interpretations. This means FERC needs to give them more time for compliance, whether through some formal Order or more likely through an informal understanding. I don’t know the exact amount of additional time that will be required for entities to come into full compliance after 4/1/16 due to the ambiguity in the requirements; I’d say it’s at a minimum six months, and probably closer to 12.
Note that I’m not saying the compliance date needs to be pushed back for all of the CIP v5 requirements; just those that are ambiguous enough that they require guidance – including the requirements discussed above. To give an example of how this might work for the “unambiguous” requirements (say for example the requirements of CIP-009-6, Recovery Plans for BES Cyber Systems), I would say the 4/1/16 compliance date can stand, provided FERC stipulates during an audit that the entity has correctly complied with CIP-002-5.1 R1 and identified and classified its BCS, including those with and without ERC. Once the “Enforceable” date has been reached for CIP-002-5.1 R1 and other “ambiguous” requirements, this stipulation can be removed and FERC can issue PVs for not identifying BCS properly.
As FERC probably realizes, what I’ve described above are short-term measures, designed to allow CIP v5 to be rolled out without holding back enforcement until it can be rewritten (since that will take years). In the second post, I will discuss the longer-term measures that are required to have a sustainable NERC CIP program. You may find what I say in that post to be surprising.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] There are certainly other areas of ambiguity in CIP v5. These will also have to be dealt with, but they don’t affect all of the other requirements like these “fundamental” requirements do.
[ii] Of course, NERC has provided a number of guidance documents, including the Lessons Learned, FAQs and the Memoranda. Since most of these are still in draft form or have been withdrawn, and the few that have been finalized don’t address the fundamental issues I’m referring to, I really can’t say that NERC has provided documented guidance on these issues.
[iii] The other problem is that even the documented guidance is almost always prefaced with some statement that this is just the opinion of the individual providing it, not of the Regional Entity. This of course is necessary since according to the NERC Rules of Procedure, the only definitive “guidance” on the meaning of a requirement is what is provided through the Request for Interpretation (RFI) process. An RFI accepted today will likely take at least a year (and I’d guess more like two years) to turn into an official, NERC and FERC-approved Interpretation. But guidance on CIP v5 obviously can’t wait until a couple years after the enforcement date.
[iv] As I have been saying regularly, but most recently in this post, the problem with interpreting this requirement is that there are so many ambiguities and contradictions that no finite methodology could ever be written down that both could be followed and would be consistent with the words of the requirement (and Attachment 1). However, there is a methodology that currently guides how virtually all NERC entities are complying with the requirement. I summarized that methodology in five steps near the beginning of the post just referenced. I admit that was an over-simplification and there are probably more like ten steps. I will do a post in the (reasonably) near future that will outline what I consider a complete description of this methodology, which I’ll call the “effective” CIP-002-5.1 R1 compliance methodology. I highly recommend that FERC’s interpretation of R1 follow this methodology. After all, it’s the one that the entities are using and the regions are teaching, even though the methodology strays pretty far from the actual wording of R1 and Attachment 1. There might be a methodology that could actually be followed that would be closer to the wording. But to try to introduce that at this point – and essentially require all entities with High and Medium assets to go back to square one with their entire CIP v5 program – would be disastrous, in my opinion.
[v] Of course, I and many others think the discussion of Low-impact External Routable Connectivity (LERC) in FERC’s NOPR on CIP v6 actually constitutes an interpretation of the meaning of ERC as well. However, FERC needs to put out a document explicitly addressing ERC.