SANS Industrial Control Systems Security Blog

Ready, Set, Stop! FERC Postpones CIP Version 5

SANS ICS

This post was written by SANS ICS456 - Essentials for NERC CIP co-author Ted Gutierrez.

Just when the electric industry thought that they had seen it all, FERC pulls another rabbit out of its hat, astonishing audiences near and far. In an order issued today (February 25, 2016) FERC granted a motion to defer the implementation of the CIP Version 5 Standards to July 1, 2016. This move aligns with the effective date of the Version 6 standards approved just last month and essentially means Version 5 will be skipped altogether!

It's really a head-scratching move from FERC, requiring a bit of a rewind to July 16, 2015, when FERC issued a Notice of Proposed Rulemaking (NOPR) that indicated their intention to approve the Version 6 standards. I'd previously blogged about that NOPR and urged industry to evaluate it carefully and to submit comments. The proposed implementation plan for Version 6 made it so that, had FERC evaluated the comments and approved V6 before December 31, 2016, it would have simply superseded Version 5, leaving all other timelines intact. Instead FERC approved V6 on January 21, 2016, which automatically pushed its implementation date to July 1, 2016. Had FERC simply issued their order of approval in Q4-2015, this could have been avoided.

In a show of unity (some might say that they'd had enough nonsense) the electric industry, through multiple trade associations, petitioned FERC requesting this extension. So in a way it's a victory for registered entities. But it's not that simple. Yes, the industry gets a 3-month breather, but it also creates new questions, concerns and rework.

For starters, utilities that received state regulatory approval and cost recovery for capital expenditures for V5 projects have some explaining to do. Many state regulatory commissions had already seen the disappearing standards trick when Version 4 Standards were superseded and they weren't happy about it. I was in the awkward position of having to explain this to the Indiana Utility Regulatory Commission and it was uncomfortable to say the least.

Additionally, much time and effort has been spent developing Version 5-specific policies, procedures and training content. At minimum those documents need to be updated and CIP Senior Manager approvals need to be obtained, again. I know of at least one entity that is in its 90-day audit notification period and would have already submitted V5 information for auditor review; I can only imagine the insanity they are going through. Then there is the required-training confusion: if you trained your staff ahead of April 1 on V5 policies, do you have to retrain those same folks on V6 before July 1?

Finally, I'm concerned about the perception these types of decisions create. The electric industry is full of hard working, incredibly dedicated people who want to do the right thing. But that thing keeps changing. These folks will undoubtedly feel silly having to explain to their leadership how the race to April 1 wasn't so urgent after all. Frankly it makes FERC, NERC and the industry look inept to those not close enough to understand it all. I really wish the regulators would get their act together and stop putting entities in this position. CIP really is hard enough already.

Those are my thoughts; please continue the conversation and share your thoughts too by posting your comments below or joining me on Twitter @Gutierrez_Ted.

Bio: Ted Gutierrez, CISSP, GICSP, and GCIH, is the ICS & NERC CIP Product Manager at the SANS Institute and co-author of SANS ICS456 - Essentials for NERC CIP. Ted was most recently the Director of Operations Technology & NERC Compliance at Northern Indiana Public Service Company (NIPSCO) where he was responsible for compliance to NERC 693 and CIP standards and the support of the related operations technology systems. He has over twenty-five years of experience working in the electric utility, information technology, and manufacturing industries.

3 Comments

Posted March 8, 2016 at 1:24 PM

David

Have you confirmed that v5 will be skipped? If so, what is the drop dead date for implementing v6? It looks like there is a disconnect in the logic. If v6 becomes effective on 1 July 2016, does that mean that it has to be implemented by 1 July 2016?

Posted March 9, 2016 at 5:10 PM

Ted Gutierrez

Hi David and thanks for the question. Yes, the FERC order issued 2/25 did in fact postpone the effective date of CIP version 5 Reliability Standards to July 1, 2016. That is the same date that the version 6 standards become effective as well. The same High and Medium Impact requirements that you would have needed to be compliant to on April 1, 2016 under v5, are now required by July 1, 2016 except in some cases it's under v6 of the standards. Note also, that most of the timelines for Low Impact were unaffected and will remain under the same timeline previously communicated under v5.
Part of the confusion I'm seeing in the industry is related to our history of referring to the standards by a version number. Doing that just doesn't work anymore. What we've all been calling version 5 actually consisted of 8 standards (CIP-002 through CIP-009) that were at v5 and 2 standards (CIP-010 and CIP-011) that were really at v1. The version 6 standards updated 5 standards (CIP-003, CIP-004, CIP-006, CIP-007, and CIP-009) from v5 to v6 and 2 standards (CIP-010 and CIP-011) from v1 to v2. Because CIP-002, CIP-005 and CIP-008 will remain at v5, we actually will have a mix of v5, v6, and v2 standards that are enforceable on July 1, 2016.
I hope that clears things up. If you'd like further clarification, please feel free to email me at tgutierrez@sans.org with contact information and we can talk through the changes in more detail.

Posted March 14, 2016 at 7:11 PM

David

Ted, Thanks. That clears it up. I had no idea that CIP could be more confusing than NIST.