Note: This post builds on the two previous posts, starting with this one.
In my last two posts, I have been assuming that NERC would support the trade associations' of pushing back the CIP v5 compliance date three months, to match that of CIP v6 – July 1. However, I have now heard that they may be opposed to the idea. In fact, I’m willing to speculate that this may be why the trade associations decided to petition FERC two days ago – because they weren’t getting anywhere with NERC itself.
In their petition, the trades made the argument that the burden of having to comply with CIP version 5[i] for just three months, then switch to v6, would be large and would constitute a significant waste of resources and diversion of attention (rather than have one version switchover, they would have to conduct two switchovers within three months. This includes having two sets of processes, two sets of documentation, two sets of training programs, etc).
However, if you look at what exactly is involved here, this argument isn’t too compelling. While there are some significant additions to the requirements in CIP v6, these won’t come into effect until 2017 through 2019. The only change that will take place on July 1 is removal of the “Identify, Assess and Correct” language from 17 v5 requirements (with some rewriting of the requirements themselves to reflect this fact). All NERC entities have known this language would be removed for two years, and I believe all of the NERC regions (and NERC itself) said last year that, if v6 doesn’t come into effect on April 1, they will still audit the v5 standards with the assumption that entities are not required to comply with the IAC language. In other words, no entity should have to make any substantial switchover at all come July 1, since the seven v6 standards will effectively have been in place since April 1 – not their v5 counterparts.
However, there is an excellent reason for moving the CIP v5 compliance date back by three months; that is because there has been so much uncertainty about the meaning of the v5 requirements and definitions, and especially about the most fundamental requirements and definitions – those that tell you what cyber assets are in scope for CIP v5. This includes (but is certainly not limited to!) a) the word “Programmable” in the Cyber Asset definition; b) the words “adverse impact on the BES” in the BES Cyber Asset definition; c) the definition of External Routable Connectivity; and d) the many questions about how virtualized devices are to be handled, given that CIP v5 is silent on this issue and that the definition of Cyber Asset seems to exclude any virtual devices. All of these issues have been the subject of extensive debate and various assurances by NERC that they would be addressed. Here is a short, and certainly incomplete, synopsis of those discussions, as told in my posts:
- In March 2014, I wrote a post summarizing what NERC was saying about fixing interpretation problems in CIP v5. They pointed to two sets of documents that would be coming out: the RSAWs and the results of the CIP v5 Implementation Study. I won’t go into details here, but neither of these ended up providing any sort of real guidance.
- In this post from September 2014, I was quite excited that NERC was starting to put out guidance in the form of Lessons Learned documents, although I was skeptical they could address the many interpretation problems in v5 in time for entities to become fully compliant on April 1, 2016. At the time, I thought all substantial issues would have to be addressed by NERC before April 1, 2015. Otherwise, entities would never be ready for compliance on April 1, 2016, and the compliance date would need to be pushed back.
- In December 2014, I wrote my first post calling for the compliance date to be moved back 6 to 12 months. My reasons? For one, some big entities weren’t going to receive their first dollar of CIP v5 compliance funding until 2015, since FERC hadn’t approved v5 until November 2013, after their 2014 budgets were set in stone.[ii] But the biggest reason was that many entities expected NERC to clarify most of the big interpretation issues (especially those having to do with scope), and they were waiting for this clarification before fully moving forward with their CIP v5 programs. I compared this to the two main characters in Samuel Beckett’s classic play “Waiting for Godot”. Those two gentlemen spend the whole play waiting for Godot to show up, despite the fact that they both know he never will.
- In February 2015 I wrote about WECC’s CIP User Group meeting in January. I pointed out that Tobias Whitney of NERC had said there would be 15 Lessons Learned developed by April 1, 2015. Unfortunately, this was quite optimistic. In fact, as of today I believe there are only four finalized Lessons Learned. There have been a number of Lessons Learned (including one on “Programmable” that I thought was very good) that have been unceremoniously withdrawn.
- In late April, NERC introduced five “Memoranda” that purported to provide “mandatory” guidance on various issues. Some of that guidance was actually good, in my opinion, but the idea that NERC staff could provide mandatory guidance, when there is no provision for that in the Rules of Procedure, was received very badly in the NERC community. NERC withdrew all of the Memoranda in early July, and since then has issued some Lessons Learned that, while quite good, only discuss different compliance approaches – they don’t choose which is the best among them.
- At the December 2015 CIPC meeting, and again in a webinar in January, Tobias Whitney admitted that some important issues – including the four mentioned above – were being turned over to the standards drafting process. This is certainly the right way to address these issues; it would also be nice if this process had been started two years ago (as I was advocating at the time. I was given a flat "no" by Steve Noess of NERC when I asked this question at the Dec. 2013 CIPC meeting). It will take a bare minimum of 3-4 years for these changes to be developed and balloted (multiple times), approved by NERC and FERC, and come into effect (the SDT started developing CIP v5 in early 2011. It's now coming into effect mid 2016, 5 1/2 years later). What happens until then? It is up to the entities to determine how to deal with the various ambiguities, a process I call “roll your own”. I have discussed it in a number of posts, starting with this one.
As you can see, the entities have been whipsawed back and forth on these issues. Of course, none of this is to say that they aren’t ultimately responsible for their state of compliance, which they are. But I truly believe that a three-month reprieve in v5 compliance would be a godsend for many NERC entities, since as it stands now, after April 1 many of them might have to spend as much time writing self-reports as they do strengthening their CIP v5 compliance posture. It may be justice that they not get a reprieve, but I suggest that “tempering justice with mercy”[iii] is the appropriate course.
PS: I have heard that pushing the compliance date back may play havoc with the regional audit schedules, since audits scheduled for April through June will have to be somehow fit in at a later date (and the schedules are made up years in advance). I understand this problem, and hope it can be addressed in some way.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] Specifically, standards CIP-003-5, CIP-004-5, CIP-006-5, CIP-007-5, CIP-009-5, CIP-010-1 and CIP-011-1. If CIP v6 had come into effect on April 1, these would have been superseded by their v6 counterparts and therefore been stillborn. As it stands now, they will live on for three months in a kind of limbo state – the living dead, you might say.
[ii] Of course, I’m sure there were many entities whose CFO’s were able to look beyond the fact that CIP v5 hadn’t been officially approved and still put v5 money in the 2014 budget, given that there was little doubt v5 would be approved. However, there were also some entities that weren’t so fortunate.