Sunday, December 13, 2015

FERC Doesn’t do Something! Here’s the Full Story…

In one of the most famous Sherlock Holmes stories, the sleuth solves the mystery of a suspicious death by keying on the fact that a dog didn’t bark when an intruder supposedly entered a home to commit a crime. The fact that it didn’t bark meant a member of the household was the criminal. In the same way, the fact that FERC didn’t do something on December 10, 2015, that they were expected to do, has almost as much importance as if they had taken an affirmative action.

Those keeping score at home know that FERC still hasn’t approved CIP version 6. CIP v6 was submitted to them by NERC last February[i], and FERC issued a Notice of Proposed Rulemaking (NOPR) in July, indicating they intended to approve it. Even the fact that they issued a NOPR rather than an order approving v6 surprised many in the industry, including me, as I noted at the time.

The NOPR asked for comments on several issues, which you can read about in the post I just linked and in its sequel, Part II. The comments were about a few areas that FERC might like to have NERC improve, such as developing a transient electronic device requirement for Low impact assets. As always when FERC solicit comments, there was a cutoff date for receiving them – in this case late September.

When NERC submitted v6 they also submitted an implementation plan[ii], as they always do with new or revised standards. The plan had specific dates for different parts of v6 (in fact, it had a plethora of dates. See this post for the complete set of v5 and v6 implementation dates, although also read the note I just put on that post). However, each effective date listed in the plan is followed by the words “or the first day of the first calendar quarter that is three calendar months after the date that the standard is approved by an applicable governmental authority.”

In the US, the “applicable governmental authority” is of course FERC. Since a number of the v6 standards come due on April 1, 2016 (at which point they’ll replace their v5 counterparts), and since the dates for other standards or requirements (or in some cases, requirement parts!) are all based on the 4/1/16 date, this means that if FERC doesn’t approve v6 this month, literally all of the dates in the v6 compliance plan will move back one quarter – although that assumes that FERC will approve v6 by March, 2016. If they don’t do that, all the dates go back another quarter. And if they still don’t approve v6 by June 2016, the date goes back yet another quarter…etc.

So what’s the dog that didn’t bark in this case? If FERC were going to approve v6 this month, they would have to do so at their monthly “Sunshine Meeting” (don’t you just love that term? Only in Washington could they think up something like that) on December 17. But for them to even take up v6, it would have to be on the meeting agenda. The agenda was released on December 10 and guess what? V6 wasn’t on it. Therefore, v6 won’t be approved in Q4 2015.

This means the compliance dates for all of the v6 standards are now officially pushed back at least three months.[iii] Assuming FERC approves v6 before April 2016, here are the new dates for some of the more important standards/requirements:

  • The date for CIP-010-2 R4 – for Transient Electronic Devices – will move from 1/1/17 to 4/1/17.
  • The due date for the security awareness policy and the incident response plan required for Low impact assets by CIP-003-6 R2 will move from 4/1/17 to 7/1/17.
  • However, the due date for the four policies for Low impact assets mandated in CIP-003-6 R1.2, will not move. This is because CIP-003-6 R1.2 is identical to CIP-003-5 R2 – which was always scheduled to come into effect on 4/1/17. The latter requirement would have been superseded by CIP-003-6 R1.2 had v6 gone into effect on that date. Now, it won’t be superseded until v6 does actually come into effect. But since the two requirements are identical, the four policies will still be due on 4/1/17.
  • The last compliance date in the v6 Implementation Plan is September 1, 2018, when the physical and electronic access controls for Low impact assets, mandated by CIP-003-6 R2, come due. This date will also be moved back, but by four months rather than three. Why four, you ask? Well, it’s pretty simple: As Scott Mix of NERC admitted at a recent NERC meeting, the CIP v5 Revisions Standards Drafting Team made a mistake when they assigned the 9/1/18 date. They seem to have forgotten that the first day of the fourth quarter is October 1, not September 1. Since the Implementation Plan doesn’t say “three months after…(FERC approval)”, but rather the language in the fourth paragraph above, this means this date will move to January 1, 2019. Now you know.

The discussion so far has been all mechanics. How about the human element? First, why is FERC taking this action – or more correctly, not taking this action? The only explanation I can think of (and I want to thank a longtime FERC observer for sharing her thoughts on this with me) is that the FERC staff is finding it more difficult than they originally thought to make a decision on the questions for which they solicited comments.

When the NOPR came out, I noted in this post that the amount of time between the due date for comments (near the end of September 2015), and the date FERC had to issue their order in time not to force the v6 compliance dates to move back, was pretty short – less than three months. However, since I and most others believed FERC didn’t want the v6 dates moved back, it seemed logical to assume they were sure they could complete their considerations in time to be able to approve v6 in December.

However, it seems somebody miscalculated at FERC – or perhaps they were surprised by the volume of comments and perhaps the level of opposition expressed – and they have decided they simply need more time in approving v6.[iv]

You might wonder – given that I’ve said various times that I see no possibility FERC will simply reject v6 (and I certainly still believe that) – why approving v6 should require so much consideration. However, FERC’s hesitation isn’t over the question of whether or not to approve v6. It is actually due to the changes they may order – i.e. the different questions they asked for comments on in the NOPR.

Remember that NERC’s rules say a standard can’t be changed once it has been approved by the NERC Board of Trustees; this step is taken before the standard is even submitted to FERC. So when FERC orders changes to v6 at the same time that it approves the standards, these changes won’t appear in the v6 standards. Instead, whatever changes FERC decides it wants will have to be part of new standards – in other words, CIP v7. Once FERC enters its Order approving v6 and (perhaps) ordering some changes, NERC will need to constitute a drafting team (it could consist of the members of the CIP v5 Revisions SDT that drafted v6, but it might also be a new team), then have them go through a drafting and balloting process similar to what happened with v6 (since v6 was developed because of four changes FERC ordered when they approved v5 in 2013). In other words, v6 will almost certainly go into effect sometime in 2016 or early 2017, followed by v7 about two years later.

In my post in which I raised the possibility that FERC wouldn’t approve CIP v6 in time for the compliance schedule to remain on its original timeline, I went further than that. I also speculated that FERC might actually want to see the v6 compliance dates moved back. The reason for this is that it shouldn’t be hard for FERC staff members to see that the CIP v5 standards won’t be “enforceable” on 4/1/16 – in the sense that they’ll be well enough understood in the NERC community that auditors will feel comfortable writing Potential Violations for requirements about which serious interpretation issues exist (unfortunately, this applies to a lot of requirements in v5). And if they haven’t discovered this on their own, they’ve seen it in my blog posts, including this one. I wondered in the post – and I still wonder – whether FERC thinks they might be able to help the v5 “enforceability” problem by delaying the implementation of v6.

But how would FERC’s delaying the v6 implementation date (by not approving v6 until say May or June 2016) help with the “enforceability” problem with CIP v5? After all, CIP v5 will come into effect on 4/1/16 no matter what happens with v6[v]. Let’s be clear: I don’t think v5 will be any more or less enforceable because of the v6 delay. However, I do think that, if FERC delays v6 approval until say next May or June (and thus delays v6 implementation by six months), NERC may decide they want to announce that v5 enforcement will be delayed by the same amount of time.

Of course, this would amount to making a virtue of necessity, since as I’ve already said I don’t think v6 will be effectively enforceable before 10/1/17 at the earliest – and one of my next posts will state that I don’t believe v5 will be effectively enforceable until approximately 4/1/17. But if NERC were to actually state this, it would remove a lot of uncertainty – since I believe there are still a few people in the NERC community that don’t take everything I say in my posts to be the gospel truth.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.

[i] In fact, it was Friday, February 13. I believe this explains a lot.

[ii] You may notice the plan linked has a “-7” after some standards, and a “-3” after CIP-010 and -011. This is because when the “CIP Version 5 Revisions” were finally passed by the NERC ballot body it included some v6 and some v7 standards. However, to somewhat mitigate the version confusion, the standards actually approved by the NERC Board of Trustees all had version 6 suffixes (“-6” and “-2”). This is discussed in the first post linked above. I swear I’m not making this stuff up. I could never dream of creating anything as complicated as the “CIP v5/then v6/then v7/then v6 again” saga – except perhaps the “CIP v4/no, v5/no, v4/no, v5” saga.

[iii] In this discussion, I’m assuming that FERC, when they finally approve v6, won’t also order NERC to revise the implementation plan so compliance would still be due on the original schedule. While I’m sure that’s theoretically possible, I don’t think it’s likely they’d do that.

[iv] A couple people wondered if FERC might be delaying approval of v6 specifically because of the supply chain security issue that they asked for comments on in the NOPR. FERC has now scheduled a Technical Meeting on January 28, 2016, and it is quite understandable they wouldn’t want to make a decision on this topic until after that meeting. However, just because FERC asked for comments on this issue in the v6 NOPR doesn’t mean they need to do something one way or the other on it when they approve v6. They could issue a separate order once they have finished their considerations on this topic (and that would make a lot of sense, since supply chain security is a completely new direction for the CIP standards, like CIP-014 was).

[v] You may wonder what happens with the “Identify, Assess and Correct” language in 17 of the CIP v5 requirements, which will be removed in their v6 counterparts. If all of v5 ends up coming into effect on 4/1/16 (rather than three v5 standards and seven v6 ones, which would have happened had FERC approved v6 in December), that language will supposedly be enforceable. Yet I believe literally all NERC entities are implementing v5 compliance under the assumption that they won’t have to comply with that language. They are safe in continuing on this course, since I believe all of the NERC Regions have formally or informally announced that “IAC” won’t be enforced regardless of what happens with v6, and perhaps NERC has stated this as well. If you haven’t seen or heard an announcement from your Region, just call them.

No comments:

Post a Comment