Monthly Archives: April 2012

V4 Approved – On second thought, you might want to get cracking….

Hello all.

As we suspected, this was going to be a hot topic, and it is.  As you will likely recall, Tom penned a recent letter that we posted here late last week.  However, Tom (and his insomnia) managed to pore over the entire, full release from FERC over the weekend and has been chatting with a number of ‘interested’ parties since then.  What we have now is a much more detailed analysis of what, exactly, FERC put out there.  This is pretty interesting (if you ask me).  What follows below is, as always, Tom’s personal opinion.  Read on and let us know your thoughts in the comments section please!

CIP Version 4: On Second Thought…

Tom Alrich tom.alrich@honeywell.com

“Consistency is the hobgoblin of little minds.” -Ralph Waldo Emerson

The opinions expressed in this article are those of the author, not of Honeywell International, Inc.

I am about to reverse myself 180 degrees.  On Thursday (April 19), we posted a piece I had written the day before, in anticipation of FERC’s approval of NERC CIP Version 4.  In it, I reiterated my long-held belief that Version 4 would never actually be implemented – so Version 5 will really be the next version of CIP that the industry has to comply with.

This morning, I opened an email from a CIP auditor (he describes himself as a “friendly, benevolent auditor.”  Is there any other kind?) from one of the NERC Regional Entities, suggesting I should rethink this in light of FERC Order 761, the document that actually approved Version 4 (like most people, I had just read the one-paragraph summary on Thursday.  In fact, NERC didn’t send the full Order out until Friday).  I went through the Order, and have rethought my opinion that CIP Version 4 will never be implemented.  I have to say that, while that opinion may still be right, it is now no longer the open-and-shut case I had thought it was. 

The reason is that besides approving CIP Version 4, Order 761 puts forth a number of directives that FERC would like to see addressed in Version 5, that are not addressed in Version 4.  FERC is careful to point out that these are not new directives, but simply guidance for directives already provided in Order 706, which approved CIP Version 1 (they were also brought up in the NOPR of last fall).

What this auditor pointed out was that addressing these directives in CIP Version 5 will take some time (potentially a lot), and it will require new NERC ballots.  This pushes back the likely date for NERC to deliver Version 5 to FERC until close to the date that FERC has mandated that delivery: March 31, 2013.  It is also possible that NERC will miss that date, if the changes prove especially difficult to make or are very contentious.

Let’s assume for now that Version 5 will be delivered to FERC on March 31, 2013.  Since the implementation date of Version 4 is now set in stone – April 1, 2014[1] – this means that Version 5 will be delivered exactly one year before the implementation date.    If FERC takes more than a year to approve Version 5 – and it took 14 months to approve Version 4 – then Version 5 will be approved after the implementation date for Version 4.

Why is this important?  As Thursday’s post mentions, the implementation plan for Version 5 specifies that, if Version 4 is approved but not yet implemented when Version 5 is approved by FERC, then Version 4 will never come into effect (and Version 3 will be continued until the V5 implementation date).  This provision was what I was leaning on when I said that Version 4 would never come into effect.  It seemed that, with Version 5 currently scheduled to be approved by NERC in June or July of this year, there was no way FERC approval wouldn’t happen before April 1, 2014.  But with FERC’s directives in Order 761[2], this whole timetable has been put into serious jeopardy.

What are the changes FERC is mandating for Version 5, in Order 761?  Here is my quick, unscientific summary: (Editor’s Note: The following list is in no way intended to be a full summary of any and all requirements set forth in Order 761.  We strongly recommend you read through the Order yourself as well.)

  1. Paragraph 58 requires NERC to consider making control centers Critical Assets (if they would not otherwise be so) if they are network-connected to other control centers.
  2. Paragraph 69’s directive is rather general: it requires NERC to “largely eliminate the risk of gaps in the identification of Critical Assets.”  What exactly this means is very much TBD, but it is clear they think there are gaps now.
  3. Paragraph 87 requires that “some form of” electronic security perimeter be applied to all BES Cyber Systems.  In the current draft of Version 5, only the Medium and High impact BES Cyber Systems need to be in an ESP.  This requirement isn’t currently there for Low impact systems, but it would have to be for it to apply to all BES Cyber Systems.[3]
  4. Paragraph 91 is perhaps the most explicit and forceful directive.  After a discussion of the idea of making a cyber asset’s connectivity to other assets (especially outside the ESP) an explicit criterion for inclusion as a Critical Cyber Asset, FERC says “..we continue to believe that criteria adopted for the purpose of identifying Critical Cyber Assets under CIP-002 should include a cyber asset’s “connectivity” and its potential to compromise the reliable operation of the Bulk-Power System. Therefore, we expect Version 5 to address these issues.”  You can’t get much more explicit than that.[4]
  5. Paragraph 104 states quite explicitly that there should be some way for NERC or the Regional Entity to review a cyber asset’s designation as non-critical (or by implication Low impact under Version 5) and change that to critical (or Medium or High impact in V5).   

You can start to see what I am getting at here.  Addressing these points will not be trivial, and will bring forth all sorts of controversy (I can already hear the controversy over number 5!).  The SDT will have to meet on its own for a few months to make the changes.  Then at least one additional ballot will probably be required, in addition to the two ballots now scheduled for May and June.[5]  All of this could quite easily add more than six months to NERC’s delivery time for Version 5 (meaning delivery to FERC in the second or even third quarter of 2013).  And if FERC requires the same amount of time to review v5 as they did v4, we will be past the magic date of April 1, 2014 and Version 4 will come into effect.

What does this mean for everybody?  First off, I truly feel sorry for the Standards Drafting Team members.  They thought they were finally in the home stretch, but they once again find themselves at the halfway point.  They will now have to schedule some new face-to-face meetings and conference calls to address these changes, and have to go through at the minimum one more ballot than they had thought they would.

And what does it mean for you, Mr/Ms NERC compliance person?  I can only repeat what the auditor said (and he gave me permission to quote him.  I made a couple small changes):

My concern, as a friendly, benevolent auditor, is that entities will sit and wait until the very last minute to see what happens with V5 and the implementation plan that proposes to discard V4 and retain V3 for another two years (even though FERC has now declared V3 to be retired). Entities that take that stance are at risk of not being able to comply with V4 on 4/1/2014, should that come to pass. I have given up trying to predict what FERC will do – I was truly surprised that V4 was approved without comment.

I am not a fan of the idea that entities may have to do a bunch of work on two different, overlapping programs. But, the consequences to an entity that bides their time only to see V4 become effective will be severe. It is a crap shoot to bet against v4 coming into scope and I hope entities plot their course wisely.

So what does it mean for entities trying to plot a course forward from here?  Let’s look at three different compliance cases or scenarios: 

  1. Your Critical Assets will not change under Version 4 – This means you don’t have to do anything, since CIP-003 through -009 haven’t changed in Version 4.
  2. Your Critical Assets will be fewer under Version 4 – Several entities have told me this will be the case – namely, one or more assets they’d declared critical under Version 3 would not be such under the bright-line criteria in Version 4.  Congratulations, your compliance burden should be less.  However, keep in mind that the bright-line criteria in Version 5 have now diverged substantially from those in Version 4, so you might end up with some of those assets becoming Medium or High impact under V5.
  3. You will have new Critical Assets under Version 4 – You need to at least start a V4 gap assessment for these assets.  After you’ve done that, you may be lucky enough to find that it is now clear whether Version 4 will actually come into effect or not, before you actually commit funds and time for remediation.  But as the friendly auditor says, you don’t want to take the chance on being caught noncompliant on April 1, 2014. 


[1] This is the first day of the eighth calendar quarter after approval, which was of course April 19, 2012.

[2] As I just said, they are not new directives, but re-emphasized directives from Order 706 and the NOPR of September, 2011.  However, the fact that FERC chose to emphasize them in Order 761 was quite significant.  The Standards Drafting Team thought it had already sufficiently addressed FERC’s directives in the current draft of CIP Version 5.  I believe the FERC commissioners (who don’t attend the SDT meetings but whose staff does) are saying, “You are not yet there on Version 5.  If you want us to approve it, you have to go back and make these changes.”

[3] By CIP-003-5 R2, Low impacts are required to have a policy for electronic access control, but that is a far cry from having cyber assets in an ESP.  One effect of this change may be to require an inventory of the Low impact systems, something which the SDT has bent over backwards to avoid so far.

[4] FERC does imply in Paragraph 90 that putting an ESP in place around all BES cyber assets might mitigate this problem.  So maybe the solutions to this and the preceding issue are the same.

[5] A “successive ballot” for Version 5 is currently scheduled for May, with a final (third) “recirculation ballot” in June.  I believe the May ballot is set in stone (although it would help if it could be postponed while the SDT came up with a new draft that addressed the Order 761 directives).  However, the recirculation ballot couldn’t be held in June because that ballot can only be held if there are no substantial changes in the standards.  In order to make FERC’s changes – which are definitely substantial – I believe the SDT will have to go back to a successive ballot (i.e. rerun the May ballot, this time based on a draft that incorporates FERC’s changes).  If that doesn’t get enough yes votes (as happened with the first Version 5 ballot), the standards will have to be modified again and another successive ballot conducted, followed by the recirculation ballot.

What do you think?  Would a webinar on what common tasks/programs could/should be started be of benefit?  Let us know.


CIP Version 4 Approved and a Letter from Tom

Hello all.  If you have not yet heard, FERC has just this morning approved CIP Version 4.  This is the first effort at updating the CIP-002 language in an effort to increase the general level of participation.  For the FERC release see here.  For a general discussion from Tom (penned last night prior to the FERC meeting) read on.  Remember: these are Tom’s opinions, not those of anyone else in particular or Honeywell in general.

CIP Versions 4 and 5 Update

Tom Alrich tom.alrich@honeywell.com

The opinions expressed herein are those of the author, not of Honeywell International, Inc.

I am writing this the day before the April 19 FERC commission meeting, at which it is possible they will approve CIP Version 4.  This is also two weeks after the new draft of CIP Version 5 was posted for comment, with balloting coming up in May.  So it’s a good time to look at the bigger picture of what is really going on with the new CIP versions.

First, let me say that I think it is likely that FERC will approve Version 4 tomorrow (you will know if they did when you read this); if you look at their NOPR of last September, it is hard to see how they would do anything else.  However, I can also say with confidence that it is very unlikely the industry will have to comply with V4.  As we have opined previously, FERC never wanted Version 4, since it only gives them part of what they wanted in Order 706 – the bright line criteria.  Version 5 at least tries to give them everything they asked for in Order 706. 

It is for that reason that the Standards Drafting Team included in the Version 5 implementation plan the provision that, should Version 4 be approved but still not implemented when Version 5 is approved, Version 4 will never come into effect – instead, Version 3 will continue as the operating version until the effective date of Version 5.  So even if FERC approves Version 4 tomorrow, it should never see the light of day, unless Version 5 is seriously delayed.  (Editor’s comment:  One of the qualifying criteria of FERC in the approval of this was that V5 be delivered by March 2013)

Why would FERC bother to approve Version 4 if it doesn’t mean anything?  My personal opinion is that FERC wants leverage.  They are in effect saying, “Mr/Ms NERC entity, you will either approve Version 5 in a timely fashion, or you will have to comply with Version 4 and then Version 5 at a later date.  Which do you want: two big compliance deadlines or just one?”  (Editor’s comment: the adoption of V4 now also introduces the ‘bright line criteria’ which should bring additional facilities into scope and therefore motivate many who have delayed or held out to get moving rather than wait for V5 in its entirety.) 

Which leads us to CIP Version 5.  As everyone knows, this was resoundingly voted down on the first ballot.  The fact that it was voted down the first time isn’t surprising (Version 4 was as well).  What was surprising was the magnitude of the rejection, with most of the standards getting around 25% of the vote.  The new draft then has some serious ground to make up in order to have a more favorable ballot result.   

I think the balloting will go better this time.  The SDT has made great improvements in the standards, the most important of which (in my opinion) is clearing up the very unworkable asset identification model that was in the first draft.  The SDT had a good webinar last week to discuss these improvements.  If you missed the webinar, I’m sorry for you since it wasn’t recorded.  But you can see the slides here.   

However, let’s discuss what will happen if Version 5 is thoroughly rejected on the second ballot.  In theory, the SDT could keep revising and resubmitting it until Doomsday.  In practice, my guess is that were the worst to happen, NERC would pull the plug on this SDT (which after all has been working since 2008!), and start over again with a new SDT.  This would definitely result in a delay of much more than a year (maybe 2-3 years) in having a workable Version 5.  And guess what?  In that case, Version 4 most likely will come into effect, assuming FERC does approve it.

In case anyone is under the illusion that it might be good for them to first comply with Version 4 then Version 5, consider the case of a power plant that is currently not a Critical Asset under Version 3, but that would be under Version 4.  If V4 comes into effect, the owner will have to put in place an entire CIP compliance program for Version 4.  Then when Version 5 (or maybe it will be called Version 6 at that point) does finally get developed and approved, they will have to scrap that entire program and either put in place a Low impact or a Medium impact program, depending on how the plant is classified. 

If the plant is Low impact, that won’t be so bad, since in the new V5 draft, compliance for Low impacts consists mainly of putting in place four programs (incident response plan, awareness training, etc.  See CIP-003-5 Requirement R2 in the latest Version 5 draft.  All requirements that apply to Low impacts are now in CIP-003, with R2 being the meat of them).  However, if the plant is Medium impact, the whole CIP Version 3 compliance program will have to be reworked to handle the different requirements of Version 5 (a lot of those requirements are improvements over Version 3, of course.  But it will still be a big deal to revamp the whole compliance program).  Does this strike you as really worthwhile activity that will lead to vast improvements in security and reliability?  Me neither.

So this blog post is partly a “get out the vote” effort.  You don’t need to blindly vote for Version 5 if you really hate it.  But if you see flaws, you shouldn’t feel that you need to vote it down in order to make your voice heard.  Make your comments (since the comment period is now open).  Your comments will be considered for the third draft, even if you vote yes on the second ballot (in fact, the commenting process is completely separate from the balloting process this time – your comments are not at all linked to your vote).  And keep in mind the Version 4 monster lurking outside your door if Version 5 does go down in flames (OK, sorry for the mixed metaphor).

P.S.:  I don’t want to pretend that everything is all sweetness and light with CIP Version 5.  We have recently made two blog posts (here and here) about the fact that virtually all of generation seems to now be exempt from the Medium impact classification in V5.  This will very likely bring a strong response from FERC.  On the other hand, the SDT is no longer able to make the wholesale changes that would be required to address this issue.  So you just need to keep in mind that there is a good likelihood of FERC’s making a big change to increase the number of generating plants that are Medium impact under Version 5 (as well as perhaps other changes), when they finally get to approve it.  But they could do the same thing for Version 4 as well.

Editor’s Comment: While the above scenario of complying with V4 and then switching to V5 is not necessarily advisable, we do strongly suggest that, with this recent approval of V4 and the bright line criteria, those organizations that have been waiting to see what will happen should begin work.  There are fundamental tasks/efforts that need to be undertaken regardless of final wording or versions, such as asset inventories and general planning for installation AND maintenance of security controls and programs.  As Tom points out, even the designation of ‘Low Impact’ has some basic building blocks that can/should be started on and will not be wasted.  Slide 21 here is a good graphic of the overlaid timelines, and the entire deck is useful as well.


NERC and the $64,000 question(s)

Hello all.

Sorry we have been ‘tardy’ lately.  Spring is always busy and this year is no exception.  Nonetheless, I wanted to share a little something with you all this week.  I recently got an email from a new reader who asked an excellent question about CAN 019, patching (specifically CIP 007 R3) and when to apply TFEs.  Not an easy subject at all.  Now this particular reader is very well versed and offered a couple of specific links to a number of resources, including LinkedIn discussions and such.  But to protect the identity of our contributor (yes, I have asked the author’s permission to publish his name, but at this point in time I do not yet have that permission) while still allowing the sharing of information, I am going to do the following:

I have read the links and discussed this with our guy Donovan, whom you all have been introduced to in the past.  Donovan offers the following summary/conclusion.  For those like me with ADD that don’t want to read all the way to the end, the answer is ‘I don’t know’!  Read on to find out how we get to that most glorious, nebulous, useless answer!  (P.S. If you are on LinkedIn and look for the NESCO forum you will have access to the full discussion.)

As of the last Rules of Procedure, CIP-007 R3 is eligible for TFE.  Throughout 2008 and 2010 an interim TFE Procedure was in place; CIP-007 R3.2 was included originally, then removed, R3.1 was added, R3 was permitted temporarily, then CIP-007 R3 was added.  But the final version, Appendix 4D to the Rules of Procedure, specifies CIP-007 R3.2.  As far as I can tell, Appendix 4D supersedes and retires all former NERC Compliance Process Bulletins.  TFEs for patch management have had a rocky road.

I read through the LinkedIn thread and there are so many different messages:

- The CIP-007 R3.2 requirement does not include the words ‘technically feasible’, only that compensating measures need to be documented when patches are not installed. This is unique compared to most other TFE-eligible requirements, because the others explicitly use the phrase “technically feasible”.

- The interim TFE procedures from 2008 through 2010 only add to the confusion, as patching was added, removed, and the requirements changed.

- There is extremely low TFE reporting by Responsible Entities, leading to the conclusion that few organizations file TFEs for every patch.  Likely they only submit TFEs if they are unable to patch because their system cannot be shut down, or the vendor no longer offers new patches.

- Recently, a CIP consultant has advised their customer that they should file TFEs for every patch they choose not to install.

- A FAQ from FRCC dated November 3rd 2011 says: “Question: Is a TFE required if an entity evaluates a patch as per CIP-007-3 R3.2 and determines not to implement the patch?
  Answer: No. However, the Reliability Standard CIP-007-3 R3.2 indicates that the Responsible Entity must document the compensating measure(s) applied to mitigate risk exposure in cases where the patch is not installed.”

- The draft Compliance Action Notice 19 (CAN-0019) is trying to put some serious teeth into TFE reporting: either install the patch or file a TFE for the compensating measure within 30 days after evaluation (60 days after release). “Thus, Compliance Enforcement Authorities are to verify that a Responsible Entity implemented a security patch or upgrade within 30 calendar days following its determination that the security patch or upgrade was applicable. If a Responsible Entity has not implemented an applicable patch within 30 calendar days following its determination that the security patch or upgrade was applicable, the CEA is to verify that the Responsible Entity had, within the 30 calendar days, applied for a TFE and implemented its compensating measures”

The final answer is still open whether or not you need to file TFEs for every missing patch.  It requires a letter to your auditor to ask their stance, because regions like FRCC say no.  CAN-0019 is currently collecting industry comment until May 7th; if anyone is paying attention to the 30-day patch or TFE rule, they will outright reject it with a need to provide detailed criteria when TFE is required.

Sorry, there is no definitive answer.  This is one of those areas where a precedent would change the landscape, such as CAN-0019 or a specific region insisting that TFE is required for every missing patch.
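The two readings Donovan contrasts above (the draft CAN-0019 text versus the FRCC FAQ) give different answers on the same facts, which is easiest to see by running both over a patch register. The following is an added example, not code from this post or from NERC, FRCC or CAN-0019; the patch records are constructed, the `PatchRecord` fields and function names are my own, and the 30-day assessment window before the 30-day action window is an assumption derived from the “60 days after release” parenthetical quoted above.

```python
# Added example: apply the draft CAN-0019 reading and the FRCC FAQ reading of
# CIP-007-3 R3.2 to a constructed patch register and compare the findings.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Windows as quoted above from draft CAN-0019: 30 calendar days from the
# applicability determination to install or file a TFE. The 30-day
# assessment window is an assumption taken from "60 days after release".
DAYS_TO_ASSESS = 30
DAYS_TO_ACT = 30


@dataclass
class PatchRecord:
    """One row of a (constructed) patch register for a CIP cyber asset."""
    asset: str
    patch_id: str
    released: date
    determined_applicable: Optional[date] = None  # when the entity assessed it
    installed: Optional[date] = None
    tfe_filed: Optional[date] = None
    compensating_measures_documented: bool = False


def _assessment_overdue(rec: PatchRecord, as_of: date) -> bool:
    return as_of > rec.released + timedelta(days=DAYS_TO_ASSESS)


def can0019_findings(rec: PatchRecord, as_of: date) -> List[str]:
    """Draft CAN-0019 reading: within 30 calendar days of determining the
    patch applicable, either install it or file a TFE and implement
    compensating measures. Anything else is a finding once the window closes."""
    findings: List[str] = []
    if rec.determined_applicable is None:
        if _assessment_overdue(rec, as_of):
            findings.append("applicability assessment overdue")
        return findings
    deadline = rec.determined_applicable + timedelta(days=DAYS_TO_ACT)
    if as_of <= deadline:
        return findings  # still inside the action window
    installed_in_time = rec.installed is not None and rec.installed <= deadline
    tfe_in_time = (rec.tfe_filed is not None and rec.tfe_filed <= deadline
                   and rec.compensating_measures_documented)
    if not (installed_in_time or tfe_in_time):
        findings.append("neither installed nor TFE with compensating "
                        "measures within 30 days of determination")
    return findings


def frcc_findings(rec: PatchRecord, as_of: date) -> List[str]:
    """FRCC FAQ reading: no TFE is required for a patch that was evaluated and
    not installed, but compensating measures must be documented."""
    findings: List[str] = []
    if rec.determined_applicable is None:
        if _assessment_overdue(rec, as_of):
            findings.append("applicability assessment overdue")
        return findings
    if rec.installed is None and not rec.compensating_measures_documented:
        findings.append("patch not installed and no compensating measures documented")
    return findings


def audit(register: List[PatchRecord], as_of: date) -> Dict[str, Dict[str, List[str]]]:
    """Run both readings over a register; keyed by patch_id."""
    return {rec.patch_id: {"can0019": can0019_findings(rec, as_of),
                           "frcc": frcc_findings(rec, as_of)}
            for rec in register}


# Constructed sample register (asset names and patch ids are made up).
SAMPLE_REGISTER = [
    # Installed within 30 days of the determination: clean under both readings.
    PatchRecord("EMS-HMI-01", "P-001", date(2012, 3, 1), date(2012, 3, 20),
                installed=date(2012, 4, 5)),
    # Evaluated, not installed, compensating measures documented, no TFE:
    # clean for FRCC, a finding under CAN-0019.
    PatchRecord("EMS-HMI-02", "P-002", date(2012, 3, 1), date(2012, 3, 20),
                compensating_measures_documented=True),
    # Not installed, but TFE filed in time with compensating measures: clean.
    PatchRecord("RTU-07", "P-003", date(2012, 3, 1), date(2012, 3, 20),
                tfe_filed=date(2012, 4, 10), compensating_measures_documented=True),
    # Never assessed: overdue under both readings.
    PatchRecord("RTU-08", "P-004", date(2012, 3, 1)),
]
AS_OF = date(2012, 5, 1)

if __name__ == "__main__":
    for patch_id, result in audit(SAMPLE_REGISTER, AS_OF).items():
        print(patch_id, result)
```

Record P-002 is the interesting one: it is exactly the “evaluated and chose not to install, measures documented” case the FRCC FAQ says needs no TFE, and the draft CAN-0019 wording would still flag it. Whichever reading your Regional Entity takes, a register that captures the determination date, the install date and the TFE date separately is what lets you answer either question at audit time.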


How long is long enough? Supporting legacy equipment.

Hello all.

Thought I would throw out a discussion topic today.  Saw an email this morning about a vendor who has publicly decided to NOT provide support/testing for a newly discovered vulnerability, stating that since these affect legacy products there is no intent to patch the vulnerable components.  The vendor (and the article) go on to state that a) there are currently no specific exploits that target the specific flaws and that b) other security measures (read: best practices around architecture such as ISA 99 and such) are available and effective.

Now I get the point from this vendor (no, I will not link or name them specifically.  It is not required for the point of my article and I am not interested in aggravating anyone).  And I even support the recommended approach.  Remember our article last week which basically acknowledges there will be events and the true measure is how you minimize and react?  What I am not so clear about, though, is when/where you draw the line.  Sure, this particular product is going to be obsolete or no longer supported in short order, so you could easily argue that ‘end of life’ is when you stop supporting.  However, what, effectively, are the criteria used to decide *when* something goes to ‘end of life’ status?

It is no secret I work for Honeywell.  I go to the Honeywell User Groups and I hear that we have worked out agreements with Microsoft to provide continued support beyond the life of MS products!  So really, our equipment (or more accurately our clients’ use of the equipment) is clearly lasting a long time.  Heck we even gave out a long service award to one of our customers for still using the same product since initial install in 1974!

My point, though, is that I have been to many many conferences and for many many years I have pointed out that the ‘responsibility’ for securing/supporting systems has to be shared.  For too many years the ‘market’ asked for accessibility, graphics, open system platforms, etc.  And so perhaps the onus is on the owners?  Not entirely.  The vendors rushed to fill the market void and built tools and apps that had no notion of security built in.  In my opinion it is very much a shared situation and therefore a shared responsibility to fix.

So in today’s case about the vendor not providing patching, I ask: who decided that this product was ‘end of life’ or, more accurately, close enough to end of life that no patching was required?  I know they will have their critics and their supporters, but to you I ask this:  How long is long enough?  3 to 5 or 35?  A normal IT refresh window, or long-term ‘set and forget’ support for critical infrastructure?

What do you think?
