Well, I am sure you were starting to wonder if our man in the field Tom Alrich was ever going to pop up on here again. Well, he has. There has been a lot going on in the land of CIP lately and, true to form, Tom has captured a great many aspects of it in his latest offering. It is a bit long for the main page, so I offer the introduction here and a link to the full document in the body below. As always, have a read and let us know what you think. For now, sit back, relax and enjoy.
Tom Alrich email@example.com
blog post to insecurity.honeywellprocess.com
All opinions expressed herein are mine, not necessarily those of Honeywell International, Inc.
I attended the MRO compliance meetings recently in St. Paul, and was struck by two things: 1) the degree to which concerns about CIP now predominate over concerns about almost all of the other NERC standards put together, and 2) the high level of interest in CIP Versions 4 and 5 – both in their content and in the possible scenarios for their implementation.
Crowning all of the Versions 4 and 5 concerns is this one: Will the industry have to comply with CIP Version 4 – now approved by FERC and scheduled to come into effect April 1, 2014 – or will Version 4 be bypassed in favor of Version 5, which now has NERC Board of Trustees approval and will soon be submitted to FERC?
This is literally the (multi-) million dollar question for many NERC entities. Many are desperate to avoid having to comply with V4 and then, two or three years later, with V5. A V4 compliance program will be quite different from a V5 program: documents, processes and procedures will mostly have to be redone. And there are some controls required by V4 that aren't required by V5, such as the infamous six-wall boundary of CIP-006.
Because the two versions are applicable to differing sets of assets, an entity could literally spend millions putting in place Version 4 controls and programs for a facility that will no longer be needed under V5 because it isn’t in scope (as a Medium or High impact facility). Conversely, entities could expose themselves to huge penalties if they don’t put in place controls and programs for a facility that is in scope for Version 4, if Version 4 is in fact enforced on 4/1/2014.
I will be honest at the outset: I don't know the answer to the question of whether V4 will be enforced. The only ones who possibly could know are the five FERC commissioners, and I suspect they have not made up their minds. What I will try to do in this post is at least map out the different areas of uncertainty, and suggest developments that might occur next year which will indicate whether this outcome is more or less likely. You are hereby warned: this will be a long post. Like all things NERC CIP, this is a very complicated issue.
To start out, I would like to try to identify the groups that will and won’t be affected by this issue. It is certainly true that this isn’t a problem for many NERC entities, while for others it is a huge problem.
But first I want to clarify one point: When I say an entity “has to comply” with CIP Versions 3 or 4, I mean they will have at least one Critical Asset with at least one Critical Cyber Asset.
And when I say an entity "has to comply" with CIP Version 5, I mean that they will have BES Cyber Systems associated with facilities that are listed as Medium or High impact in CIP-002-5 Attachment 1. There are of course many more entities that will have BES Cyber Systems at facilities that are Low impact in Attachment 1. Since the requirements for the Lows are so much lighter than those for the Mediums or Highs (Lows only need to develop and implement four policies, and cyber assets don't have to be inventoried), I don't consider the question of whether or not an entity has to comply with Version 5 as a Low to be one that carries a high dollar impact.
I'm sure some will disagree with me in this regard, and say there could be a substantial effort required by entities to comply with V5 for Low impact facilities. I agree a number of technologies like firewalls and locks on the doors have to be put in place (and I know that even now there are facilities without those), but the biggest burden of CIP is all the compliance procedures and paperwork, and those are almost entirely absent for Lows in V5.
Let me first list some types of entities for which the question of whether CIP Version 4 will be implemented isn't really an issue. They include: