The CIP Merry-Go-Round: Say So Long to Version 4, Hello to Version 5?
The ever-changing landscape of critical infrastructure protection (CIP) standards at the North American Electric Reliability Corporation (NERC) is … changing. At the end of January, NERC issued its fifth iteration of the cyber security standards for protecting the most vulnerable and important parts of the bulk electric system, asking the Federal Energy Regulatory Commission (FERC) for fast-track approval of what amounts to a major change in direction in the standards.
On April 18, FERC largely signed off on the new CIP version 5, letting NERC bypass version 4 for the new set of cybersecurity standards. The commission approved a Notice of Proposed Rulemaking (NOPR) implementing the new CIP version. The FERC order in the case (RM13-5-000) seeks comment on some of the language in the new standards that the commission found ambiguous, but otherwise gave the new standards a green flag. In a written statement, Commissioner Cheryl LaFleur said the new standards “protect the cybersecurity of the North American grid.” But she added that “language requiring entities to ‘identify, assess, and correct’ deficiencies may result in requirements that are unclear and difficult to audit or enforce.” FERC is also asking for comment on whether the two-year implementation period for “Medium and High Impact” assets and the three-year period for “Low Impact” assets are needed or whether implementation could be accomplished faster.
CIP version 5 is the latest go-round of cybersecurity rules for the bulk electric system since Congress beefed up the former voluntary reliability regime in 2005 and turned an industry-sponsored group into a formal regulatory cadre with muscles. That’s when NERC, the North American Electric Reliability Council, became NERC, the North American Electric Reliability Corporation. Will this CIP version last? That’s an open question, but the betting is that there will be further generations.
When the industry was coping with version 4 just six months ago, Paul Mydra of the Electric Power Research Institute commented about the “never-ending battle of getting the standards to stay in place. Every time they [NERC] get them done, they seem to go and start the process again.”
That was then—CIP version 4. This is now—CIP version 5. Version 4 requires compliance by April 2014. In its filing at FERC, the standards body says it “understands that the transition could be complicated” from the old versions to the new, and proposed an implementation plan “that would allow entities to transition from CIP Version 3 to CIP Version 5, thereby bypassing implementation of CIP Version 4 completely upon Commission approval.”
In its filing, NERC makes repeated pleas for haste from FERC in approving the new standards. Atlanta-based NERC says, “Prompt Commission approval of the CIP Version 5 standards and the implementation plan would reduce uncertainty among Responsible Entities regarding implementation of the CIP standards. Therefore, NERC reiterates its request for prompt Commission action approving the CIP Version 5 standards and associated implementation plan.”
Tom Alrich, a cyber security expert who works for Honeywell International, commented on his personal blog, “NERC is obviously counting very heavily on FERC’s approving Version 5 very quickly (given their repeated appeals to FERC in the filing to do so). A lot of NERC entities are putting off Version 4 compliance activities—which need to be finished by April 1, 2014—in the hope that Version 5 will be approved before that date and thus supersede Version 4.”
The key aspect of Version 5 is that it moves away from the binary approach of the prior four versions, which instructed managers of the power system to determine whether a particular piece of equipment was, or was not, part of the “critical infrastructure.” If it was in, it was covered. If not, it was free from regulatory oversight. Among other problems, according to many observers, this approach spawned a cottage industry of consultants who would advise companies on how to define their gear in order to get out from under the CIP regime.
Version 5 moves to a more flexible concept. Josh Walderbach of LogRhythm, a consulting company that provides ways to compare and collate equipment logs across a series of operations, told MANAGING POWER in an interview, “Five looks to be a new direction. Versions 3 and 4 provided a basic framework of policy and procedures. Now we are seeing more emphasis on asset classification, and more talk about monitoring and surveillance.”
James Holler, a consultant with Abidance Consulting in Houston, who participated in advising NERC about Version 5, says, “Overall, this is the best set of requirements to come from NERC … ever, in my opinion. There are some very big changes coming with the onset of version 5. There is new terminology, new rule-sets and most importantly, new security cultures.”
Others are not so sanguine. Stephen Flanagan of FERC’s enforcement division wrote a paper late last year for the National Electric Sector Cybersecurity Organization arguing that the new version sets up standards that are essentially incapable of being audited by an outside organization. Expressing his own opinions, not those of FERC (which are as yet unknown), Flanagan said that the latest version, reacting to the traffic cop aspects of prior iterations, provides flexibility to correct what a company believes are minor deficiencies. But this creates its own problems, he said. “The initiative fails either to specify the standard so as to permit effective auditing or delineate the appropriate treatment of minor non-compliance events in the enforcement process.”
The NERC plan, Flanagan argues, is deficient because “the two primary elements of compliance (auditing and enforcement) are compromised to the point that neither effective compliance nor the assurance of achieving security can be realized.”
Indeed, some argue that the concept of complete compliance in protection of critical assets is a chimera. Technology writer Glenn S. Phillips, author of the book “Nerd to English,” says, “No organization is completely compliant, just as total security is not possible.” Why? “People are involved. Change is constant. Compliance is interpreted, not defined.”
Some experts were betting that FERC would not be able to fast-track the new version, but the commission appears to have proven them wrong. Consultant Tom Alrich was one of the skeptics. “For the commissioners to make up their minds, the staff needs to first complete their analysis, then the commissioners need to take some time to decide whether there’s a good enough chance that they will approve V5 that they should issue a NOPR. Then they have to issue the NOPR, get comments and analyze them. I don’t think any of these steps can be avoided.” With the approval and issuance of a proposal in April, FERC is on track to have the new version in place in a year.
—Kennedy Maize is MANAGING POWER’s executive editor