I have to admit, it was a bit like Christmas to me as I waited for the FERC final ruling on CIP Version 5. On November 21 at 10am Eastern time, I listened intently to every single word the commissioners said and boy, was I disappointed. The announcement was akin to receiving a pair of socks instead of the sought-after PlayStation 4.
The FERC meeting that discussed and ruled CIP Version 5 into law was certainly less dramatic and informative than I had expected, but there was still another present under the tree. The final ruling was yet to be posted and that allowed the excitement to build once again. So I waited and waited and waited…
While I waited, I reflected on the very few CIP version 5 facts obtained from the FERC meeting. Below is my initial understanding as to what was going to happen with the standards:
- FERC voted unanimously to issue a final rule on CIP version 5.
- FERC was directing NERC to remove the Identify, Assess and Correct language completely.
- FERC was directing NERC to develop requirements to address laptops and removable media (did I hear them say USB thumb drives instead of removable media?).
- FERC was directing NERC to do something to the low impact BES Cyber Assets. It was not completely clear what they meant. Someone mentioned subdividing the lows. What would that do?
- There was mention that “they” agreed with the implementation timeframes.
I’m certain I missed some comments and/or even misheard some of what was said. Nonetheless, it was obvious that I needed the second present to make my NERC CIP Christmas day complete. As it is the end of the day, I have my doubts that I’ll see the CIP version 5 ruling today. Even if I did, I wouldn’t be able to dissect it properly so I’ll post this blog entry before I can share what is happening in more detail. What I can do is give you some things to think about…
- If “they” agree with the proposed implementation plan, I think that means version 4 is still on schedule to be effective next October. But what do I know? Watch this closely…this really matters!
- Transition to version 5 isn’t going to be easy. Seriously…there is more to it than you probably think. Without a doubt, this will make your head spin and make even the most seasoned compliance officer wonder why they took the job (or allowed themselves to be volunteered).
- Consider working on CIP-002-5 BES Cyber System Identification early (informally is fine…paralleled with existing RBAM processes). There are requirement owners within your organization depending on this being done so they can plan and budget for CIP related compliance activities or projects associated with newly identified BES Cyber Assets. Be sure to get advice on what this “identification process” is all about. This isn’t your mom’s Risk-Based Assessment Methodology with CCA identification a la mode. You will need to take a fresh look at everything with a CIP version 5 lens.
- Have you done a CIP version 5 gap analysis yet? If not…give us a ring. We can certainly help. With four former Regional Entity NERC CIP auditors on staff, The Anfield Group can give you insight you can’t get anywhere else.
- If you were around for the NERC CIP Version 1 days of yore then you will recollect how much work needed to be done and how fast the time flew by. Remember those last couple weeks before the “C” date and how many sleepless nights you had trying to get everything done. Learn from that and begin your NERC CIP transition projects now. I applaud NERC for doing the CIP Version 5 transition studies but you can’t wait for those results before you get started. If you do, I’m certain you will find yourself in trouble. The clock has started.
- Lastly, don’t underestimate how much more work needs to be done for version 5 compliance. For those who have not been obligated to address CIP-003-3 through CIP-009-3 but will have to under the new version, be prepared for the ride of your life. For those who have already been dealing with version 3, this is going to put your current program into overdrive!
I’d like to make one thing clear: I’m excited for the CIP version 5 ruling because it lets us move forward, not because I think it is the perfect gift! It’s been a long haul and I truly believe the industry needed this to be done. Stay tuned for more CIP version 5 thoughts in a future blog.
Stacy Bresler, Managing Partner | The Anfield Group