Security Awareness Blog

Ready - Set - Stop! FERC Postpones CIP Version 5

Editor's Note: This guest post is from Ted Gutierrez, the ICS & NERC CIP Product Manager at the SANS Institute.

Just when the electric industry thought that they had seen it all, FERC pulls another rabbit out of its hat, astonishing audiences near and far. In an order issued today (February 25, 2016), FERC granted a motion to defer the implementation of the CIP Version 5 Standards to July 1, 2016. This move aligns with the effective date of the Version 6 standards approved just last month and essentially means Version 5 will be skipped altogether!

It's really a head-scratching move from FERC, requiring a bit of a rewind to July 16, 2015, when FERC issued a Notice of Proposed Rulemaking (NOPR) that indicated their intention to approve the Version 6 standards. I'd previously blogged about that NOPR and urged industry to evaluate it carefully and to submit comments. The proposed implementation plan for Version 6 made it so that had FERC evaluated the comments and approved V6 before December 31, 2016 it would have simply superseded Version 5, leaving all other timelines intact. Instead FERC approved V6 on January 21, 2016, which automatically pushed its implementation date to July 1, 2016. Had FERC simply issued their order of approval in Q4-2015 this could have been avoided.

In a show of unity (some might say that they'd had enough nonsense) the electric industry, through multiple trade associations, petitioned FERC requesting this extension. So in a way it's a victory for registered entities. But it's not that simple. Yes, the industry gets a 3-month breather, but it also creates new questions, concerns and rework. For starters, utilities that received state regulatory approval and cost recovery for capital expenditures for V5 projects have some explaining to do. Many state regulatory commissions had already seen the disappearing standards trick when Version 4 Standards were superseded and they weren't happy about it. I was in the awkward position of having to explain this to the Indiana Utility Regulatory Commission and it was uncomfortable to say the least.

Additionally, much time and effort has been spent developing Version 5 specific policies, procedures and training content. At minimum those documents need to be updated and CIP Senior Manager approvals need to be obtained, again. I know of at least one entity that is in its 90-day audit notification period and would have already submitted V5 information for auditor review - I can only imagine the insanity they are going through. Then there is required training confusion - if you trained your staff ahead of April 1 on V5 policies do you have to retrain those same folks to V6 before July 1?

Finally, I'm concerned about the perception these types of decisions create. The electric industry is full of hard-working, incredibly dedicated people who want to do the right thing. But that thing keeps changing. These folks will undoubtedly feel silly having to explain to their leadership how the race to April 1 wasn't so urgent after all. Frankly it makes FERC, NERC and the industry look inept to those not close enough to understand it all. I really wish the regulators would get their act together and stop putting entities in this position. CIP really is hard enough.

Those are my thoughts. Please continue the conversation and share your thoughts too by posting your comments below, or join me on Twitter @Gutierrez_Ted.

BIO: Ted Gutierrez, CISSP, GICSP, and GCIH, is the ICS & NERC CIP Product Manager at the SANS Institute. Ted was formerly the Director of Operations Technology & NERC Compliance at Northern Indiana Public Service Company (NIPSCO) where he was responsible for compliance to NERC 693 and CIP standards and the support of the related operations technology systems. Ted has over twenty-five years of experience working in the electric utility, information technology and manufacturing industries.