As we suspected this was going to be a hot topic and it is. As you will likely recall, Tom penned a recent letter and we posted here late last week. However Tom, and his insomia, managed to pore over the entire, full release from FERC over the weekend and has been chatting with a number of ‘interested’ parties since then. What we have now is a much more detailed analysis of what, exactly, FERC put out there. This is pretty interesting (if you ask me). What follows below is, as always, Tom’s personal opinions. Read on and let us know your thoughts in the comments section please!
CIP Version 4: On Second Thought…
Tom Alrich firstname.lastname@example.org
“Consistency is the hobgoblin of little minds.” -Ralph Waldo Emerson
The opinions expressed in this article are those of the author, not of Honeywell International, Inc.
I am about to reverse myself 180 degrees. On Thursday (April 19), we posted a piece I had written the day before, in anticipation of FERC’s approval of NERC CIP Version 4. In it, I reiterated my long-held belief that Version 4 would never actually be implemented – so Version 5 will really be the next version of CIP that the industry has to comply with.
This morning, I opened an email from a CIP auditor (he describes himself as a “friendly, benevolent auditor.” Is there any other kind?) from one of the NERC Regional Entities, suggesting I should rethink this in light of FERC Order 761, the document that actually approved Version 4 (like most people, I had just read the one-paragraph summary on Thursday. In fact, NERC didn’t send the full Order out until Friday). I went through the Order, and have rethought my opinion that CIP Version 4 will never be implemented. I have to say that, while that opinion may still be right, it is now no longer the open-and-shut case I had thought it was.
The reason is that besides approving CIP Version 4, Order 761 puts forth a number of directives that FERC would like to see addressed in Version 5, that are not addressed in Version 4. FERC is careful to point out that these are not new directives, but simply guidance for directives already provided in Order 706, which approved CIP Version 1 (they were also brought up in the NOPR of last fall).
What this auditor pointed out was that addressing these directives in CIP Version 5 will take some time (potentially a lot), and it will require new NERC ballots. This pushes back the likely date for NERC to deliver Version 5 to FERC until close to the date that FERC has mandated that delivery: March 31, 2013. It is also possible that NERC will miss that date, if the changes prove especially difficult to make or are very contentious.
Let’s assume for now that Version 5 will be delivered to FERC on March 31, 2013. Since the implementation date of Version 4 is now set in stone – April 1, 2014 – this means that Version 5 will be delivered exactly one year before the implementation date. If FERC takes more than a year to approve Version 5 – and it took 14 months to approve Version 4 – then Version 5 will be approved after the implementation date for Version 4.
Why is this important? As Thursday’s post mentions, the implementation plan for Version 5 specifies that, if Version 4 is approved but not yet implemented when Version 5 is approved by FERC, then Version 4 will never come into effect (and Version 3 will be continued until the V5 implementation date). This provision was what I was leaning on when I said that Version 4 would never come into effect. It seemed that, with Version 5 currently scheduled to be approved by NERC in June or July of this year, there was no way FERC approval wouldn’t happen before April 1, 2014. But with FERC’s directives in order 761, this whole timetable has been put into serious jeopardy.
What are the changes FERC is mandating for Version 5, in Order 761? Here is my quick, unscientific summary: (Editor’s Note: The following list is in now way intended to be a full summary of any and all requirements set forth in order 761. We strongly recommend you read through the order yourself as well)
- Paragraph 58 requires NERC to consider making control centers Critical Assets (if they would not otherwise be so) if they are network-connected to other control centers.
- Paragraph 69’s directive is rather general: it requires NERC to “largely eliminate the risk of gaps in the identification of Critical Assets.” What exactly this means is very much TBD, but it is clear they think there are gaps now.
- Paragraph 87 requires that “some form of” electronic security perimeter be applied to all BES Cyber Systems. In the current draft of Version 5, only the Medium and High impact BES Cyber Systems need to be in an ESP. This requirement isn’t currently there for Low impact systems, but it would have to be for it to apply to all BES Cyber Systems.
- Paragraph 91 is perhaps the most explicit and forceful directive. After a discussion of the idea of making a cyber asset’s connectivity to other assets (especially outside the ESP) an explicit criterion for inclusion as a Critical Cyber Asset, FERC says “..we continue to believe that criteria adopted for the purpose of identifying Critical Cyber Assets under CIP-002 should include a cyber asset’s “connectivity” and its potential to compromise the reliable operation of the Bulk-Power System. Therefore, we expect Version 5 to address these issues.” You can’t get much more explicit than that.
- Paragraph 104 states quite explicitly that there should be some way for NERC or the Regional Entity to review a cyber asset’s designation as non-critical (or by implication Low impact under Version 5) and change that to critical (or Medium or High impact in V5).
You can start to see what I am getting at here. Addressing these points will not be trivial, and will bring forth all sorts of controversy (I can already hear the controversy over number 5!). The SDT will have to meet on its own for a few months to make the changes. Then at least one additional ballot will probably be required, in addition to the two ballots now scheduled for May and June. All of this could quite easily add more than six months to NERC’s delivery time for Version 5 (meaning delivery to FERC in the second or even third quarter of 2013). And if FERC requires the same amount of time to review v5 as they did v4, we will be past the magic date of April 1, 2014 and Version 4 will come into effect.
What does this mean for everybody? First off, I truly feel sorry for the Standards Drafting Team members. They thought they were finally in the home stretch, but they once again find themselves at the halfway point. They will now have to schedule some new face-to-face meetings and conference calls to address these changes, and have to go through at the minimum one more ballot than they had thought they would.
And what does it mean for you, Mr/Ms NERC compliance person? I can only repeat what the auditor said (and he gave me permission to quote him. I made a couple small changes):
My concern, as a friendly, benevolent auditor, is that entities will sit and wait until the very last minute to see what happens with V5 and the implementation plan that proposes to discard V4 and retain V3 for another two years (even though FERC has now declared V3 to be retired). Entities that take that stance are at risk of not being able to comply with V4 on 4/1/2014, should that come to pass. I have given up trying to predict what FERC will do – I was truly surprised that V4 was approved without comment.
I am not a fan of the idea that entities may have to do a bunch of work on two different, overlapping programs. But, the consequences to an entity that bides their time only to see V4 become effective will be severe. It is a crap shoot to bet against v4 coming into scope and I hope entities plot their course wisely.
So what does it mean for entities trying to plot a course forward from here? Let’s look at three different compliance cases or scenarios:
- Your Critical Assets will not change under Version 4 – This means you don’t have to do anything, since CIP-003 through -009 haven’t changed in Version 4.
- Your Critical Assets will be fewer under Version 4 – Several entities have told me this will be the case – namely, one or more assets they’d declared critical under Version 3 would not be such under the bright-line criteria in Version 4. Congratulations, your compliance burden should be less. However, keep in mind that the bright-line criteria in Version 5 have now diverged substantially from those in Version 4, so you might end up with some of those assets becoming Medium or High impact under V5.
- You will have new Critical Assets under Version 4 – You need to at least start a V4 gap assessment for these assets. After you’ve done that, you may be lucky enough to find that it is now clear whether Version 4 will actually come into effect or not, before you actually commit funds and time for remediation. But as the friendly auditor says, you don’t want to take the chance on being caught noncompliant on April 1, 2014.
 This is the first day of the eighth calendar quarter after approval, which was of course April 19, 2012.
 As I just said, they are not new directives, but re-emphasized directives from Order 706 and the NOPR of September, 2011. However, the fact that FERC chose to emphasize them in Order 761 was quite significant. The Standards Drafting Team thought it had already sufficiently addressed FERC’s directives in the current draft of CIP Version 5. I believe the FERC commissioners (who don’t attend the SDT meetings but whose staff does) are saying, “You are not yet there on Version 5. If you want us to approve it, you have to go back and make these changes.”
 By CIP-003-5 R2, Low impacts are required to have a policy for electronic access control, but that is a far cry from having cyber assets in an ESP. One effect of this change may be to require an inventory of the Low impact systems, something which the SDT has bent over backwards to avoid so far.
 FERC does imply in Paragraph 90 that putting an ESP in place around all BES cyber assets might mitigate this problem. So maybe the solutions to this and the preceding issue are the same.
 A “successive ballot” for Version 5 is currently scheduled for May, with a final (third) “recirculation ballot” in June. I believe the May ballot is set in stone (although it would help if it could be postponed while the SDT came up with a new draft that addressed the Order 761 directives). However, the recirculation ballot couldn’t be held in June because that ballot can only be held if there are no substantial changes in the standards. In order to make FERC’s changes – which are definitely substantial – I believe the SDT will have to go back to a successive ballot (i.e. rerun the May ballot, this time based on a draft that incorporates FERC’s changes). If that doesn’t get enough yes votes (as happened with the first Version 5 ballot), the standards will have to be modified again and another successive ballot conducted, followed by the recirculation ballot.
What do you think? Would a webinar on what common tasks/programs could/should be started be of benefit? Let us know.