It has come to my attention that some NERC entities are asking whether the enforcement date for CIP v5 will be postponed beyond April 1, 2016. I have gone back over certain posts over the past year, and see that I have gone through four different stages on this issue. Since I think a discussion of these will shed light on what may happen in the future regarding CIP v5, I want to outline them.
1) I first advocated for pushing back the compliance date in December, 2014. I always realized it would take an extraordinary amount of commitment by NERC and FERC for this to happen (I believe NERC would have to petition FERC, and they would have to approve the petition). But I felt – and still feel – that this is the right way to deal with the problem caused by the large amount of uncertainty[i] felt my many NERC entities regarding interpretation of the CIP v5 standards.
2) This past July, I wrote another post advocating that the “Compliant” date for CIP v5 remain 4/1/16, but that an “Auditably Compliant” date be set for one year later – meaning no Potential Violations (PVs) would be issued until that date, assuming the entity was making a good faith effort to comply. This suggestion was also met with thunderous silence (although I acknowledged this would also take a huge amount of commitment by NERC, FERC and the NERC community, so it was always quite a long shot).
3) I officially threw in the towel on the idea of the compliance date being officially pushed back in this post at the end of August, 2015. That was when I started talking about the “effective compliance date” – that is, the date (or rather dates) that the regions would feel comfortable enough with the interpretation of the v5 standards to start issuing PVs[ii]. While I was prepared to have this be a completely unofficial process (i.e., each auditor would decide for him/herself when they could start issuing PVs), I did say it would be much better if there were some sort of informal agreement among NERC, the Regions and the NERC entities to the effect that PVs wouldn’t be issued until after X date. The other provision of this agreement would be that all parties would make a concerted effort to clarify the biggest issues with CIP V5, like the meaning of “programmable”, ERC, etc. This clarification wouldn’t constitute anything binding [like an actual Request for Interpretation would, or a Standards Authorization Request (SAR) – both of which will take years to bear fruit], but it would at least provide a common framework for entities to finalize their compliance with v5, and for the Regions to start auditing and issuing PVs six months or a year after 4/1/16.
4) My most recent post on this question was in October, 2015, when I threw in the towel on the idea that there was any way the effective enforcement date for any of the CIP v5 standards would be earlier than October 1, 2016, and very possibly much later. I brought up something (in my footnote v) that I’d said early in 2015, to the effect that the standards couldn’t be effectively enforced until a year after enough guidance had been provided so that reasonable “interpretations” were available - from NERC and/or the regions – on all of the major issues in CIP v5; since I wrote this post in October, I was implicitly saying it was already too late for v5 to be effectively enforceable even on 10/1/16. Moreover, this also implied that only if NERC started an aggressive drive to clear up the ambiguities and contradictions in CIP v5 immediately would there be any real possibility that the standards might effectively be enforceable on even 4/1/17.[iii]
I don’t think it will surprise you greatly when I say I see no sign that NERC is making any sort of effort – aggressive or otherwise – to clarify the many interpretation issues that remain in CIP v5. In fact, in a NERC webinar on Friday, December 4, 2015, Tobias Whitney said that the only Lesson Learned still planned is on patch management (he also stated this in a presentation at the NERC CIPC meeting in Atlanta on December 15). He also stated that some issues, including virtualization, External Routable Connectivity and Interactive Remote Access, will probably go into the SAR process – meaning it will be literally years before these are addressed. Thus, I have to now say it’s very possible there will be no meaningful clarification on most of the major issues in CIP v5 until one or more standards are rewritten and approved by the NERC ballot body and FERC. I don’t believe this process will take anything less than three years, and possibly longer than that.[iv]
So now we come back to my one-year rule. If, as I believe, the standards will not effectively be enforceable until a year after fairly definitive guidance on major issues has been provided to the NERC community, and if it doesn’t look like there will be any major guidance until some standards or requirements (and a few definitions) are rewritten, this means CIP v5 (and v6) will not be enforceable for at least several years, right?
To be honest, I don’t think v5 will go several years without being enforceable, even if there is no more guidance provided. I think that, after maybe a year of audits where mainly Areas of Concern (not PVs) are issued, both the auditors and the entities may have developed a pretty good understanding of what the v5 standards mean, even if this understanding is never codified in any document put out by NERC or the Regions.
Let me summarize what I’m saying:
I’m definitely not saying that PVs won’t be issued soon after 4/1/16 to entities that for whatever reason haven’t made a real effort to comply with parts of CIP v5. For example, I realize there are a lot of questions on how to identify and classify BES Cyber Systems, but there are many cases where it should be pretty obvious that something is a Medium or High BCS – let’s say a relay controlling a 500kV line or the EMS in a High control center. If an entity doesn’t make such a designation, they might be the recipient of a PV. Another example: If an entity has decided they’re not going to comply with say CIP-007-6 R2 (patch management) for some of the BCS they’ve identified, I’d say they are likely to get a PV or two for that. Or if an entity has decided that a substation that clearly has 3,000 points under Criterion 2.5 isn’t in fact Medium impact, they will also have a lot of explaining to do, even if it’s on April 2, 2016.
On the other hand, if an entity has interpreted the phrase “External Routable Connectivity” in such a way that the relays in a particular substation – connected serially to an RTU that then connects routably to the control center – do not have ERC, and if an auditor doesn’t agree with them on this when they’re audited in say November 2016, I don’t believe the auditor will issue them a PV because his opinion on this very contentious issue isn’t the same as theirs. He/she will probably call this an Area of Concern, but until the auditor feels there is a consensus across the NERC community on what exactly constitutes and doesn’t constitute ERC, they won't issue a PV. I’m guessing (maybe “hoping” is a better word) that around 4/1/17 there will be consensus on ERC and other major issues. So if that same entity gets audited say in June, 2017 and the same discrepancy is found, it’s very possible they would receive one or more PVs for this.[v]
So let’s say you know of a few entities – and I’m sure you’re not one of them (wink, wink) – that will still be deficient in CIP v5 compliance on April 1, 2016, despite their best efforts over the past couple of years. What happens to those entities? Are they just off the hook, in the same way as the entity who is almost completely compliant (I don’t think any entities will be 100% compliant, since nobody knows now what that term even means, given the remaining uncertainties)?
Definitely not. They’ll still need to self-report every requirement – that they know of – for which they’re non-compliant. On the other hand, I can’t believe they would need to self-report that they had used the wrong definition of “programmable”, since there is no agreed-upon definition (they do need to document the definition they used, show how they derived it, and show that it was consistently applied across all of their assets. See this and subsequent posts for discussion of my “roll your own” approach). And these entities obviously need to continue their work to come into compliance as soon as possible after 4/1/16.
There was one significant development after my October post on enforceability: the news that FERC will start doing some CIP v5 audits themselves next year. What does this mean for the above discussion? Specifically, will FERC be able to effectively make the v5 standards enforceable before 4/1/17 (since I’m guessing this will be the effective date if just NERC and the Regions are doing audits)? I don’t think so, unless FERC makes an effort to provide guidance on the many profound interpretation issues in v5. Without guidance, how could an auditor – NERC, FERC, or Regional - possibly assess a violation when there is a simple difference of opinion on an ambiguous requirement or definition? In other words, I don’t think the fact that FERC has entered the auditing picture makes any difference for when CIP v5 will be enforceable.
Before I go, I want to make one further point: This post has discussed one meaning of the word “enforceable” when applied to NERC standards – that is, “enforceable” in the sense that auditors will write PVs and entities will generally accept them. My conclusion was that CIP v5 will be enforceable in that sense around 4/1/17. But there is a stronger meaning of the word, namely that a violation and fine are likely to be upheld if appealed to the court system (which is always a recourse for any NERC entity that feels it has been unfairly penalized). Will CIP v5 ever be enforceable in this sense? I will soon have a post out on this question.
P.S. A well-known auditor for one of the NERC Regional Entities wishes to add the comment below. It doesn’t contradict what I said above, but it does provide a better idea of what a “good faith effort to comply” would entail. One thing he mentions, that I have mentioned in other posts but not in this one, is that the entity needs to show that, in cases where a requirement is ambiguous, they considered all available guidance from NERC and their region; and if they decided they didn’t think the guidance was appropriate, they will need to document why.
The auditor says, “CIP V5 audits will begin in early April. As far as any guidance to the Regional auditors regarding how to handle vague requirements (such as application of auditor discretion), I will yield to NERC to publicly publish whatever guidance they may have or will provide to the auditors.
“What I will say is that the entity will have to tell a compelling story at audit. My team, at least, will not go into an audit with a pre-determined expectation of what represents compliance unless there is an explicit expectation stated in the requirement. But the entity will not be able to simply lay a document before us and declare it meets compliance, expecting the auditor to accept the document at face value. We are all aware of the discussions within the V5TAG, the issues being brought to the Standards Drafting Team, and the guidance issued by NERC (Lessons Learned, FAQs, etc.) and will certainly consider that background information when evaluating an entity’s compliance. What my team and I will never do is “guarantee” that we will treat something as an Area of Concern as opposed to something else like a possible violation. Our determination of a finding must be based upon the facts and circumstances presented at the time of the compliance monitoring activity. What we will do, up through the end of March, is provide our entities as much outreach as we can, including answering questions and conducting site visits. After April 1, we will still conduct extensive outreach for Low Impact BCS. It is up to the entity to take advantage of our outreach, which we have not been bashful about encouraging every opportunity we have.”
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] A recent Bridge Energy Group Utility Industry Survey found that 68 percent of utilities believe their organization is “not well prepared” for CIP v5 compliance. And a WECC survey of their members, discussed by Dr. Joe Baugh of WECC at the NERC CIPC meeting in Atlanta on December 15, showed that confusion over the meaning of the standards was the number one CIP v5 compliance problem (by a large margin) cited by respondents.
[ii] This applies to cases where the violation is caused by a genuine difference of opinion between the auditor and the entity over something that is unclear or undefined in CIP v5, such as the definition of “programmable”.
[iii] The reasoning for this is that an aggressive effort of interpretation of issues like ERC, “programmable” and the meaning of the BCA definition would require a lot of meetings with the industry and the regions, and would take at a minimum six months.
[iv] You may point out that, besides the SAR process, there is the Request for Interpretation process, which can also provide definitive guidance. The RFI process is shorter. I think the few successful RFI’s for CIP v3 took around two years to come into effect, including development of the Interpretation by the Interpretations Drafting Team, voting on it by the NERC membership, submittal to FERC, and FERC’s ultimate approval (although FERC remanded the last two v3 RFIs that were submitted to it). However, RFIs by definition have to focus just on an interpretation of a narrow bit of wording in one requirement. They don’t address issues like missing definitions or anything that requires rewriting a requirement. The big issues in v5 are all not addressable through RFIs.
[v] As I’ve already said, Tobias Whitney of NERC has listed several areas of ambiguity, including ERC, that will be the subject of Standards Authorization Requests (SARs); in other words, NERC has decided the only way these can be addressed is by rewriting one or more requirements (in the case of ERC, this would require rewriting the definition to clarify when there is ERC, and when not, when there are both routable and serial communications in a particular communications stream). I asked him whether PVs would be issued for these areas, pending this rewriting. While he definitely didn’t rule that out (and I’m sure there could be instances where it is clear that the entity has deliberately misinterpreted ERC, in which case there would be PVs), he did say that the main emphasis would be on designating Areas of Concern.