This constitutes the fourth episode in the gripping saga of moving the CIP version 5 compliance date. The first episode is here. In the second episode, the electric power trade organizations filed a petition with FERC to push the v5 compliance date back to July 1, thus matching the v6 date. However, in my last post (the third one), I pointed out that I thought the trades had used the wrong argument for why this should happen.
The trades argued that not pushing the v5 date back would require they undertake a lot of needless paperwork and training. I think they should have instead emphasized that the great uncertainty about the meaning of some fundamental parts of CIP v5 – and NERC’s constantly-changing plans for dealing with this (which have culminated in NERC’s announcing recently that this uncertainty won’t be addressed until the next version of CIP, at least 3-4 years from now) – caused many entities to delay full implementation of their v5 programs, as they waited for what they thought would be more guidance from NERC.[i]
As I feared, the trades’ argument was fairly easily knocked down by NERC, who filed comments today on the trades’ petition. They simply stated that they’ve already announced they won’t audit on the “Identify, Assess and Correct” language in v5 if v6 is delayed. Since the only parts of v6 that will be affected by this delay are the parts that remove this language, NERC is effectively implementing those parts on April 1 anyway. If this is the only reason why the v5 date should be moved back, NERC has neutralized it.
Nevertheless, I feel the CIP v5 date should be moved back three months. There are many entities that are really scrambling to come into compliance on April 1, and a large number of them may not make it.[ii] Come April 1, they will have to divert a lot of their attention from the effort to become compliant to instead self-reporting their areas of non-compliance. This will do nobody any good, this will cause them to require even more time to become compliant. This self-reporting will be fairly meaningless, since nobody expects any PVs to be issued for many months after April 1 - and since I believe a lot of these entities will be able to come into close-to-full compliance by July 1.
I have also heard a number of stories about compliance and IT staffs pushing themselves to the breaking point in this effort – working weekends and weeknights, putting off vacations, etc. Their employers will bear the scars of this for years, since a lot of these people will undoubtedly seek other employment – and there are a lot of jobs to be had in the NERC CIP compliance and general cyber security fields nowadays[iii]!
If this effort were for some noble cause like a war effort, this might be justifiable. But – as I’ve said multiple times, most recently here – I don’t think CIP v5 will be enforceable in any real sense for six months to a year after April 1; delaying the compliance date until July won’t change that. So I don’t believe the grid will be any less secure if the date is pushed back. If anything, it will be more secure since as I said above, the entities won’t have to be diverted into an orgy of self-reporting after April 1 (and the auditors won’t have to drop what they’re doing to read all of these self-reports!).
As I also said in the last post, none of this excuses NERC entities from not being compliant April 1. That was clearly their responsibility, and they in theory could still make that date, given huge expenditures of money, time and psychological well-being of staff members. But is it really worth the country’s (and the ratepayers’) while for them to make these expenditures, when it will yield little if any increase in cyber security?
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] My last post also mentions that some entities weren’t able to get budget for CIP v5 work until 2015, due to the fact that FERC approved v5 late in 2013, after many 2014 budgets were already set.
[ii] I’m not talking about being fully compliant, either. Given the many ambiguities and contradictions in CIP v5 – especially in the most fundamental part, identifying what is in scope in the first place – I don’t think any entity will be “fully compliant”. It is possible to be close-to-fully compliant, though. I suspect that many entities will be quite far from even that mark.
[iii] And for anyone who is looking, I hope you’ll seriously consider Deloitte! We have over 2,000 cyber security consultants in the US alone, and we are always scrambling to find more – good ones, of course.