This constitutes
the fourth episode in the gripping saga of moving the CIP version 5 compliance
date. The first episode is here. In the second episode, the electric power
trade organizations filed a petition with FERC to push the v5 compliance date
back to July 1, thus matching the v6 date. However, in my last post
(the third one), I pointed out that I thought the trades had used the wrong argument
for why this should happen.
The trades argued that not pushing the v5
date back would require them to undertake a lot of needless paperwork and
training. I think they should have instead emphasized that the great
uncertainty about the meaning of some fundamental parts of CIP v5 – and NERC’s
constantly-changing plans for dealing with this (which have culminated in NERC’s
announcing recently that this uncertainty won’t be addressed until the next
version of CIP, at least 3-4 years from now) – caused many entities to delay
full implementation of their v5 programs, as they waited for what they thought
would be more guidance from NERC.[i]
As I feared, the trades’ argument was fairly
easily knocked down by NERC, which filed comments
today on the trades’ petition. NERC simply stated that it has already
announced they won’t audit on the “Identify, Assess and Correct” language in v5
if v6 is delayed. Since the only parts of v6 that will be affected by this
delay are the parts that remove this language, NERC is effectively implementing
those parts on April 1 anyway. If this is the only reason why the v5 date
should be moved back, NERC has neutralized it.
Nevertheless, I feel the CIP v5 date should
be moved back three months. There are many entities that are really scrambling
to come into compliance on April 1, and a large number of them may not make it.[ii]
Come April 1, they will have to divert a lot of their attention from the effort
to become compliant to instead self-reporting their areas of non-compliance. This
will do nobody any good; it will only cause them to need even more time to
become compliant. This self-reporting will be fairly meaningless, since nobody expects any PVs (Possible Violations) to be issued for many months after April 1, and since I believe a lot of these entities will be able to come into close-to-full compliance by July 1.
I have also heard a number of stories about
compliance and IT staffs pushing themselves to the breaking point in this
effort – working weekends and weeknights, putting off vacations, etc. Their
employers will bear the scars of this for years, since a lot of these people
will undoubtedly seek other employment – and there are a lot of jobs to be had
in the NERC CIP compliance and general cyber security fields nowadays[iii]!
If this effort were for some noble cause like
a war effort, this might be justifiable. But – as I’ve said multiple times,
most recently here
– I don’t think CIP v5 will be enforceable in any real sense for six months to
a year after April 1; delaying the compliance date until July won’t change
that. So I don’t believe the grid will be any less secure if the date is pushed
back. If anything, it will be more secure since as I said above, the entities
won’t have to be diverted into an orgy of self-reporting after April 1 (and the
auditors won’t have to drop what they’re doing to read all of these
self-reports!).
As I also said in the last post, none of this
excuses NERC entities from not being compliant on April 1. That was clearly their
responsibility, and in theory they could still make that date, given huge expenditures
of money, time and the psychological well-being of staff members. But is it
really worth the country’s (and the ratepayers’) while for them to make these
expenditures, when it will yield little if any increase in cyber security?
The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte Advisory.
[i]
My last post also mentions that some entities weren’t able to get budget for
CIP v5 work until 2015, due to the fact that FERC approved v5 late in 2013,
after many 2014 budgets were already set.
[ii]
I’m not talking about being fully compliant, either. Given the many ambiguities
and contradictions in CIP v5 – especially in the most fundamental part,
identifying what is in scope in the first place – I don’t think any entity will
be “fully compliant”. It is possible to be close-to-fully compliant, though. I
suspect that many entities will be quite far from even that mark.
[iii]
And for anyone who is looking, I hope you’ll seriously consider Deloitte! We
have over 2,000 cyber security consultants in the US alone, and we are always
scrambling to find more – good ones, of course.