There has been a lot of talk in NERC circles lately about guidance for the CIP standards. This is largely driven by NERC’s recent efforts to “clarify” the status of the many types of guidance they have put out about CIP v5 and v6, and now CIP-013. I would like to give you my own account of those guidance efforts.
In the long-ago days of CIP v3, concern began to grow about inconsistency between auditors and between regions in the interpretation of the CIP requirements. This led to NERC’s creating two series of documents: Compliance Application Notices (CANs) and Compliance Application Reports (CARs). NERC thought – along with most of the industry, to be sure – that simply having NERC state its opinion on certain controversial topics would lead the regional auditors to put aside their differences and all start singing from the same page in the hymnal.

Unfortunately, things didn’t work out too well for the CANs and CARs. They were attacked roundly from many sides, and most importantly the auditors saw no reason to feel bound by what these documents said. After all, where was the basis for them in the NERC Rules of Procedure? The answer is “Nowhere”. This led to most, although not all, of the CANs and CARs being withdrawn (a few of the less controversial ones remain technically in force).

This was considered to be a good learning experience for NERC. People said, “Well, at least NERC will make sure that the next CIP version (which was expected to be numbered v4 at the time) doesn’t have these ambiguities, so there will be no need for these extraordinary measures in the future.” However, I would say that many people in the NERC community today would gladly exchange the huge level of uncertainty in CIP v5 and v6 with the much more modest level of uncertainty in CIP v3 (and coming soon to a NERC Regional Entity near you: CIP-013!). Yes, those were the days…
When FERC issued their Notice of Proposed Rulemaking (NOPR) in April 2013, which said they intended to approve CIP v5 (and would send CIP v4, which had been approved for implementation in April 2014, to sleep with the fishes), I decided to write a series of posts on v5.

What I found was disturbing. I started out with CIP-002, since that is the first standard. I tried to figure out exactly what CIP-002 R1 (with Attachment 1) required the entity to do. And I literally came to a dead end: The logic broke down so completely that there was no way to go forward without taking a big leap of faith. I went on to write probably 100-150 more posts on problems with CIP v5 over the next 2-3 years and cataloged a wide range of problems, especially having to do with CIP-002 and its associated definitions.

At this point I started wondering how these problems could be fixed. My first hope was for FERC – when they actually approved v5 – to simultaneously order NERC to fix the problems, or at least the really fundamental ones in CIP-002-5.1 R1 (since that is the foundation of the rest of the current CIP standards).
However, when FERC approved CIP v5 in Order 791 in November 2013, they broke my heart by not telling NERC to address any of these problems. And the next month, at a NERC CIPC meeting in Atlanta, I asked a highly-placed NERC staff member whether NERC would of its own accord include this problem in the Standards Authorization Request (SAR) that would guide the drafting team for CIP v6[i]. His answer was as concise as possible: “No”.

This was a very disappointing answer, since I believed it meant there was now no way to truly fix the problems with CIP v5. I believed this (and still do!) because the NERC Rules of Procedure allow no other mechanism to address problems with a standard than to write a SAR and convene a Standards Drafting Team to revise the standards. Yes, this is a very time-consuming process – especially given the magnitude of the problems in CIP v5 – but it is the only way to fix problems, rather than simply attempt to paper them over.

However, life goes on. The fact that there were a lot of problems with CIP v5 didn’t mean that NERC entities didn’t have to comply on April 1, 2016 (the original compliance date) – they still had to do that. My attention then turned to the next question: What would NERC do to at least mitigate these interpretation problems? I first asked this question in this post, and you could say that each of the next 100 posts asked the same question.
I won’t reiterate for you all the many twists and turns of NERC’s admittedly well-intended efforts to provide guidance on complying with CIP v5. At first the Guidelines and Technical Basis were going to do the trick, then the RSAWs, then the CIP v5 Implementation Study, then the FAQs, then the Lessons Learned, and finally the Memoranda (I’m probably missing three or four things in this list and I know they overlapped, so the order isn’t at all hard and fast).

Each of these different efforts was touted by NERC at one point as being the final answer to the ambiguities of CIP v5, yet each of them was ultimately abandoned. What finally brought this process to an end was the Memoranda, which caused huge contention and were withdrawn in spectacular fashion at a meeting on July 1, 2015.

At that point, NERC seemed to me to have raised the white flag and admitted that there was no definitive way – other than by writing a SAR and convening a new SDT – to address problems with standards; they said they would do exactly this (and that team is still working today). They also seemed to be pointing toward a more ecumenical guidance process where other groups could also provide guidance and NERC would publish those documents that it believed had merit. And here’s the kicker: It seemed they were finally admitting that all credible guidance, from whatever source, should be given consideration by both entities and auditors.
But there was another implication to what NERC said: that in the case of ambiguity, it is ultimately up to the entity to decide what the CIP v5 requirements and definitions mean. Because if a) the standards are ambiguous (which NERC admitted) and b) NERC can’t provide definitive guidance (by which I mean guidance that the auditors are bound to follow in their audits), then there really is no 100% right or wrong way to comply with a CIP requirement.

And here’s where “Roll your own” comes in. In September 2014, I wrote the first in what turned out to be a series of posts on how NERC entities were dealing with ambiguity in CIP v5. That post described how one entity had decided they couldn’t wait for NERC to come out with definitive guidance on v5 – specifically, on what “programmable” means in the Cyber Asset definition – and had simply developed their own guidance. Just as importantly, they had documented what they had done. The person I talked with argued that, if an auditor three years from now disagrees with the definition they came up with, they will simply show him or her the documentation of how they arrived at this definition, including the fact that they reviewed all available guidance before doing this. There is simply no way the auditor can assess a potential violation (or at least make it hold up after they have assessed it), given that the requirement is ambiguous.

This was a turning point for me, because in the almost three years since I wrote that post it has now become completely clear to me, as well as almost all of the rest of the NERC community (including entities and auditors), that this is the only way to comply with CIP v5 and v6: You simply have to get out your plywood and nails and patch over whatever logical chasms you come across, so that you can cross them and get on with compliance. But the key is documenting what you did; I hope you all did that (at least if you have High or Medium impact assets), but even if you didn’t, it’s not too late to do so.
Since July 2015, NERC has more or less adhered to what they said that month. They have convened an SDT to address at least some of the problems with CIP v5[ii], and they have moved to a guidance framework that allows a number of organizations to develop guidance and have it “approved” by NERC. However, there is one way in which NERC seems to be relapsing into its old mindset: It once again seems to believe that it can develop guidance (or approve particular guidance developed by others) that is better than anybody else’s guidance, and therefore will be given some sort of “priority” by the auditors when they audit. I believe the current idea is that “implementation guidance” written by the SDT that developed a standard should and will be given extra attention, both by entities and auditors.

But don’t believe it. Let me repeat, in case you weren’t paying attention earlier:

- No CIP guidance of any kind, whether written by a NERC SDT, the NERC Board of Trustees, Thomas Jefferson, Baha'u'llah, Saint Paul, or the Dalai Lama, has any greater validity than any other guidance. In particular, the auditors aren’t bound to follow any particular guidance.
- However, you should consider all available guidance as you do the only thing you can do when faced with an ambiguous requirement or missing definition: decide for yourself the best approach, and document how you came to that conclusion (for an alternative and more far-reaching approach than “Roll your own”, see this 2014 post about an article by Lew Folkerth of RF).

Of course, now we have CIP-013 coming up, and that presents a whole different set of guidance issues…
The Horror!
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.

[i] The v6 SAR only included the four things FERC had mandated in Order 791. None of them were fixes to the numerous wording problems I and others had found in v5 thus far.

[ii] Although, as I will say in an upcoming post, I don’t believe that SDT will ever address everything that is on its plate. And I also don’t think, absent new FERC orders, there will be any further changes or updates in NERC CIP – unless the standards are completely rewritten from scratch.