I attended RF’s spring CIP workshop in Baltimore this week. I have been to a lot of regional CIP meetings over the past 8+ years, but this was the best I’ve seen so far. I kept thinking there would be at least one boring presentation where I could get some email done, but it never happened all day! I will have a number of posts on things I learned during that day (probably not consecutively). This is the first, and perhaps the most important.
One of the presentations was by Corey Sellers, the Chair of the Supply Chain Security Standards Drafting Team. Corey gave a very good rundown on a) the objections that were raised to the first draft of CIP-013, which was roundly voted down by the NERC ballot body; and b) the changes that the drafting team is working on (with emphasis on the present progressive tense. He wasn’t kidding when he said changes were being made as he spoke – in fact, new versions were sent out to the Plus List while the meeting was still in session), which should be posted for a new ballot in a few weeks.
It was quite interesting to see all the changes that are being made – to CIP-013 as well as to CIP-003, CIP-005 and CIP-010. I can’t summarize them here, but I will say they are quite ambitious and have a lot of moving parts. But my concern wasn’t so much the substance of the new changes, but the timeline for approval.
At the end of his presentation (which included taking a number of questions from the room – Corey certainly wasn’t trying to hide anything!), I asked him the question I was most concerned about. Here is the situation that prompted my question:
- Obviously, the first draft of CIP-013 failed miserably, receiving only about 10% positive votes.
- The next posting will need 68% to pass (I wasn’t sure about the exact number, but Corey readily supplied it to me). In the best of circumstances, it would be very difficult to go from 10% to 68% in one ballot. And frankly, with the large number of changes, and especially the fact that changes are being made to three existing standards as well as to CIP-013 (plus the fact that two new terms are used – “vendor” and “machine-to-machine remote access” – for which there will be no vote on a definition), it seems especially unlikely that the next ballot will pass. This means it will very likely take at least one additional ballot before it passes (both CIP v5 and v6 took at least three ballots to pass, and in both cases I believe there was a fourth ballot to clean up the wording).
- At the same time, the deadline remains September to a) have the revised standards approved by the ballot body; b) have the NERC Board of Trustees approve them; and finally c) file them with FERC. And since the BoT’s last meeting before September is in mid-August, the changes need to be approved by the ballot body before then.
- If you do the math, it’s quickly evident there’s no chance to have a third ballot, should the second one fail. So it appears very likely NERC will miss FERC’s deadline.
- But despite all of this, Corey said that NERC had assured him it would not miss the deadline, and FERC would have their supply chain security standard (and related changes in other standards) in September.
Given this, the question would naturally be “Why do you seem to believe that NERC can make the deadline, given that it’s very likely this won’t have been approved by the NERC ballot body by then?” However, I actually asked Corey a different question: Did he know about Section 321 of the NERC Rules of Procedure? He readily admitted he knew that section quite well, and had been discussing it a lot lately; I was not surprised to hear that, because I heard last week (from a very reliable source), that NERC was seriously discussing invoking Section 321 for the first time – for CIP-013 and the associated changes. Corey said he had deliberately not brought up Section 321 in his presentation, but he was glad I had.
What is this mysterious Section 321? You can read it yourself, but it essentially allows the NERC BoT, in the event that the normal balloting process has not yet produced a draft standard(s) that, in the Board’s opinion, will satisfy an order from a regulatory body (which means FERC, here in the US), to have the Standards Committee draft one that will satisfy the order.
The wording of Section 321 is much more oriented to the case where a standard has been approved by the ballot body, yet is inadequate for some reason; in this case, we’re talking about a deadline being missed. However, I have no doubt – and Corey does not seem to either – that 321 could be made to apply to this case. I doubt the BoT will have a big problem with the wording of the new standard and the changes to existing standards; the problem is that there isn’t enough time to go through the normal approval process before FERC’s deadline.
So the bottom line is: This next ballot will very likely be the last one for the supply chain standard. If it passes, the current wording (with some legal clean-up) will be approved and submitted to the Board in August. If the ballot fails, then it will be up to the BoT and the Standards Committee to determine what the wording should be – and whatever they decide on will still be submitted to the Board in August. Of course, since these committees are both made up of industry members, it’s not likely that what they ultimately approve will be hugely different from the second draft. In fact, I imagine they might also consider the comments that are made in the second round of balloting, and use those to improve on that draft. So I’m not expecting the final version of CIP-013 to be some Frankenstein freak that nobody will like.
But this isn’t the end of the story. I learned from one of the participants at the meeting that the next ballot is likely to pass after all, given the very strong support being provided by a major industry group. If so, the Section 321 “nuclear option” might be put back on the shelf for another day. But whether or not 321 is invoked, it’s pretty clear to me that the normal balloting process is being short-circuited – in the one case by 321 being invoked, in the other by the substantial pressure this industry group is exerting on their members to vote yes, in spite of lingering misgivings they may have. In other words, it won’t be a completely free-will approval.
The real problem here is the fact that FERC only gave NERC a year to develop and approve the new standard. This was definitely not enough time, as was eloquently expressed by Commissioner (and now acting Chairman) LaFleur in her powerful dissenting opinion – and by me in my post on Order 829 (which includes a summary of Commissioner LaFleur’s argument).
I suggested at the time – both in my blog and at, I believe, two NERC CIPC meetings – that NERC should petition FERC to get the deadline extended, to no avail. I suggested this to Corey as well, but he assured me that NERC wasn’t going to do that (it’s not clear if FERC could approve the deadline extension at this point, since they don’t have a quorum. But they do have some powers to take action, and given that Cheryl LaFleur is now the acting Chairman, I would think she would be inclined to grant this if at all possible).
But it seems the decision has been made not to even ask for an extension. This is all quite unfortunate, of course. Does anyone doubt that another year, or even half a year, of debate and modification of CIP-013 would result in a much better standard? Or to word this differently, is there anybody who seriously believes that the SDT has such amazing listening and writing skills that they will be able to come up with exactly what is needed to satisfy everybody in their upcoming draft, and most of the 90% who voted no on the first draft will now be happy as clams with every word they’re voting on in the second draft? Please raise your hand if so… Yes, I didn’t think there would be anybody.
In any case, we’ll get what we’ll get. It will certainly be decent, but it’s unfortunate it can’t be really good. I see this as the symptom of a bigger problem – the canary in the coal mine that just died, in the process revealing a serious condition that threatens the miners themselves. More on this in another post coming soon to a blog near you.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.