As many of you have likely heard, the ERO has settled on a consistent audit approach for the initial performance of low impact Incident Response Plans (IRP). The ERO now considers that such plans must be tested prior to April 1, 2017. This is an unfortunate position, although it is technically defensible given the ambiguity in the implementation plan. Nevertheless, it is inconsistent with at least the spirit of the CIP V5/6 implementation plans, which provide additional time to comply with most periodic requirements.
EnergySec reviewed prior guidance from several of the regions and identified a mixed message. For example, on November 14, 2016, Bill Beaver of SERC presented on a webinar in which it was clearly stated that initial testing of low impact IRPs would be expected prior to the implementation date and that, “This is an ERO position.” Likewise, Kevin Perry made a similar assertion in early 2017 in a presentation to the SPP Board of Trustees. Several other presentations we reviewed were silent on the matter.
On the other hand, at the WECC Low Impact Workshop on May 26, 2016, Lisa Wood and Eric Weston presented a slide which listed the effective date for CIP-003-6 R2, Attachment 1, Section 4 as 4/1/17, with a note that said, “(Clock Starts for initial performance).” This clearly suggests that IRP testing is not due until 36 months after 4/1/17. On October 27, 2016, Ms. Wood gave another presentation at the WECC Fall Compliance Workshop where her slide said that she, “Recommend[s] entities test section 4 Incident Response plan and provide Awareness prior to April 1, 2017.” Again, the use of the word “Recommend” clearly implies that an entity is not required to test the IRP prior to the effective date of April 1, 2017. It is important to note that this latter presentation was less than three weeks prior to Mr. Beaver’s statement that the ERO had a position on the issue, which means either that the ERO made this decision in that timeframe or that its outreach efforts to the Regional Entities were lacking (or both). On March 21, 2017, WECC released a letter to Registered Entities in its region stating that it has “received additional guidance” from the ERO and informing entities that they must perform the initial test prior to the effective date of April 1, 2017. That WECC felt the need to send this letter less than two weeks prior to the enforcement date strongly implies that there was a communication breakdown within the ERO.
While the best approach, if at all possible, is to complete (or have completed) this testing prior to April 1st, those unable to do so are being encouraged to submit a Self-Report to their region. Other options include filing a Request For Interpretation (RFI) on this matter (We’d be happy to help with that), or simply challenging the audit approach (good luck).
This historical look at what the Regions were publicly saying may be interesting, but it is also important to ask whether the ERO has made the right decision in stating that a test of the IRP must be performed prior to April 1. To examine that question, we must look closely at the language of the standard. CIP-003-6 R2 states that Responsible Entities, “Shall implement one or more documented cyber security plan(s) for its low impact BES Cyber Systems that include the sections in Attachment 1.” Note that the base requirement is that plans for low impact systems must be implemented by the effective date. We looked up the word “implement” in several dictionaries. Dictionary.com defines it as, “to put into effect according to or by means of a definite plan or procedure.” Merriam-Webster defines it as, “to make (something) active or effective.” Both of these definitions suggest that simply making plans effective would meet the definition of implementing them, and that any specific actions within the plan should then be carried out according to the plan and its timelines. This would support a less onerous audit approach.
Another consideration is that high and medium impact IRPs can be used for low impact systems. So, an entity which is leveraging such plans for its low impact systems can simply point to its test of those plans. If an entity decides to take this approach, it would be advised to document the differences between high/medium impact and low impact assets (see here for WECC saying that, here for RFirst doing so, and here for NERC). It is also important to note that testing of high or medium impact IRPs is not required until July 1, 2017, so if you use this approach and perform the initial test between April 1 and July 1, you would still be encouraged to submit a Self-Report to your region. This also means that the initial test of a low impact IRP would be due before the initial test of a high or medium impact IRP, which does not make complete sense.
We’d be happy to discuss this topic further with any interested party. Email firstname.lastname@example.org with any questions or comments.
Editor: A condensed version of this post originally appeared in the EnergySec NERC CIP Newsletter on March 22, 2017. The NERC CIP Newsletter is a semi-monthly email newsletter containing updates and analysis on CIP-related events, guidance, and published violations and is included with EnergySec membership. Visit www.energysec.org/membership for more information about how to become an EnergySec Member, and to learn more about the benefits included with membership.