Good day, everyone! Today we get an interesting update from our man in the field, Tom Alrich. He has been listening to the SDT meetings again (the source for our open letters) and has some pretty interesting observations. The following excerpt is from his e-mail to me reporting in, and I want to state very clearly here that these are Tom’s interpretations and opinions. We are in NO WAY stating that the specific decisions, content, next steps, etc., are etched in stone or even accurate. Nonetheless, Tom is usually pretty close to bang on, so please read at your leisure and let us know your thoughts.
I attended the NERC CSO706 (CIP) Standards Drafting Team meeting at NERC headquarters in Atlanta this week. I had wanted to attend mainly to make sure I was up to date on the latest developments in CIP Version 5, in preparation for our webcast.
I did certainly learn about the latest developments in V5, but I also learned something surprising: there is a much greater likelihood than I had thought that the current V5 will really be V4 – that is, that FERC will not approve (“remand” is the word that was used) what is now called V4, leaving the stage clear for what is now called V5 to be the next version of CIP. In fact, I would put the chances now at greater than fifty percent.
We had thought this was a possibility earlier, of course (see our previous Open Letter on Version 4). And I am not basing this new assertion on anything FERC said at the meeting. There were three FERC staff members present, who participated actively in almost all of the discussions. However, they were all silent on this topic.
What makes me believe this scenario is likely is two observations. First, there seems to be broad industry support – at least among the SDT members and observers at the meeting – for doing this. Second, it was pointed out (by SDT member Rich Kinas of Orlando Utilities) that FERC wasn’t really looking for Version 4 (i.e. what was delivered to them in February after NERC approval) – and that they had expressed surprise at receiving it in their Data Request RM11-11 (which I can’t find on either NERC’s or FERC’s web site, but which I can send if you email me at tom.alrich@honeywell.com).
I had been under the impression that FERC had really been behind the fact that V4 was pushed through last year as an interim step (see our previous Open Letter for more on this). But that may not have been the case; it may have really been NERC’s nervousness about what they perceived to be FERC’s wishes that drove V4. Just my guess. But when you think about it, jettisoning the current V4 and going straight to V5 makes the most sense. The only difference between the current V4 and V3 is the “bright-line” criteria for Critical Assets. These criteria are essentially repeated verbatim in V5. In addition, everything else (all of the controls that get applied to cyber assets) in V5 is radically changed from V1-3 (and those changes are there to address the remainder of FERC’s requests in Order 706). Why make the industry go through the big effort to gear up for two more versions, when FERC can get everything they want with one version, namely the version currently called V5?
The only thing that gives me pause is the fact that there is still a long way to go before the SDT has a consistent, defensible set of standards to present to the NERC membership for a ballot at the end of this year – that was another thing I was surprised about at the meeting. But this SDT works very hard, and I think they’re up to the task. The real question is whether FERC will wait to go through the whole NERC approval process (scheduled to be finished next June), or whether they’ll short-circuit the process (see the first Open Letter cited above for how they could do this) and just impose V5 once it’s developed to their satisfaction. Stay tuned.