I received some very good comments on my most recent post. I will discuss them in three new posts. Here’s the first one.
A longtime NERC practitioner – whom I have known for a number of years – emailed me about my most recent post, in which I reiterated the sorry fate of all of NERC’s attempts in recent years to provide official “interpretations” of the wording of CIP requirements and definitions, none of which went through the only two processes allowed by NERC’s Rules of Procedure: a Request for Interpretation (RFI), or a SAR to rewrite all or part of a standard or standards. NERC’s motivation for trying to unofficially “interpret” the CIP standards has always been admirable: a desire to have a uniform auditing method that all regions and auditors will follow. But in every case, NERC has run up against the same wall it has hit before: there is no way to do this short of an RFI or SAR – and both of those take years to yield results (and may come up empty-handed, as in the case of two Interpretations of CIP requirements that were approved by NERC but remanded by FERC four years ago).
In my post, I provided three examples from the most recent NERC CIPC meeting that seem to indicate that NERC (and others in the NERC community) has still not learned this lesson. Regarding the third of these examples, my friend said:
“On your 12/17/16 posting you state:
3) At one point, Tobias brought up something I’d forgotten about: that somehow a number of industry organizations, including the trade associations, have become empowered to write up “guidance” on CIP compliance questions. I had heard this before, but couldn’t understand what it meant – and I still can’t. Any organization has always been empowered to write guidance for its members (and any others who wish to follow it) on how to comply with any standard – whether a NERC standard or not. But there is no way that this can be considered some sort of “official” guidance, which NERC will endorse as something the regional auditors should follow. And if that’s the case, why even imply that allowing the organizations to issue guidance is in some way a mitigation of the wording problems with CIP v5/v6? It isn’t.
“Actually, the ERO Enterprise does endorse Implementation Guidance documents and auditors are directed to show “deference” to the guidance. The Implementation Guidance (documents) are intended to be examples of ways to be compliant with requirements, but not prescriptive as the only way to comply. More info on the process, the ERO’s processes and existing guidance is at http://www.nerc.com/pa/comp/guidance/Pages/default.aspx.”
My friend also attached a short document titled “ERO Enterprise CMEP Practice Guide: Deference for Implementation Guidance” (I’m having trouble reaching NERC’s web site today, so I can’t provide the link; but you can Google it. I don’t think that’s NERC’s fault. I’m in an Asian country that sometimes seems to restrict access to certain sites for reasons unknown to me. I couldn’t reach RF’s site, either). And I now want to clarify the paragraph from my post that my friend quoted. I’m not at all opposed to NERC’s endorsing guidance prepared by other organizations, as long as there is no implication that it will provide some unique perspective on the meaning of a requirement that would elevate it over guidance provided by other less privileged sources – say, this blog.
The NERC document my friend referenced says “ERO Enterprise CMEP staff (essentially, NERC and regional auditors) will provide deference to ERO Enterprise endorsed Implementation Guidance.” And what do they mean by “deference”? The last sentence of the document reads “If CMEP staff determines the registered entity was found in non-compliance with a NERC Reliability Standard or Requirement, but in good faith, relied on Implementation Guidance, CMEP ERO Enterprise CMEP staff will provide deference to ERO Enterprise endorsed Implementation Guidance.”
I will take NERC at its word that Implementation Guidance doesn’t constitute an Interpretation of a requirement or definition, so I’ll stipulate this is perfectly legal (i.e. compliant with the Rules of Procedure). But my problem is that NERC seems to think that the possible future development of Implementation Guidance on sticky issues like VOIP and the cloud (as well as others) constitutes in some way at least partial compensation for the fact that the current CIP standards require interpretation regarding these issues. Implementation Guidance documents on these and other issues will certainly be welcome, but at the end of the day NERC entities will still not understand what the standards say about these interpretation issues (because they don’t say anything about them, or what they say isn’t clear); in other words, there won’t be any certainty on these issues. Once again, the only legal way to provide definitive guidance is an RFI or a SAR.
If you haven’t been reading my posts religiously the past few months, you may think I’m now pushing a hardline position that NERC has to immediately write a bunch of RFIs and SARs and set 10 or 20 new Standards Drafting Teams to work on these. That’s the last thing I want. What I do want is a single SAR to rewrite all of CIP in a non-prescriptive, objectives-based format, which will change arguments like these from ones with grave compliance implications to simply issues requiring guidance. This non-prescriptive format isn’t something completely new, but can currently be found in CIP-013, CIP-014, CIP-007-6 R3 and CIP-010-2 R4[i], as well as at least two other current CIP requirements.
I say this because I am now convinced that CIP is at an impasse: It will be impossible to address significant interpretation questions like VOIP, and especially to accommodate more recent technologies like virtualization and the cloud, any other way. More on this coming soon to a blog near you.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] In listing these examples of current (or future, in the case of CIP-013) non-prescriptive NERC standards or requirements, I’m not saying that any one of the differing formats of these standards and requirements is exactly what should be followed for the “new CIP” standards. I and two co-authors are currently working on a book that will provide (hopefully by the end of 2017) what we think would be the best format, and I will sometimes discuss working ideas for this in my blog.