Big Delay in Implementing NERC CIP
Draft 4 of the NERC CIP standard is out, and this may be the set of standards that goes to ballot and is approved. There is a NERC summary of the changes available here, and I’m in the middle of a blog on the changes.
The big change isn’t the standards; it is the implementation schedule. Essentially implementation requirements have been pushed back TWO YEARS! Most of the requirements now require compliance in Q2 2009, over three years from now. Auditably Compliant is not required until Q2 2010.
If this is important to the security of the grid, and our experience says it is, how can we wait three years? If it is not important, why are we wasting time on these standards efforts? NERC CIP compliance will require some resources and work, but it is mainly in processes, training and documentation. There is no reason this should take three years.
Readers of this blog know I’m a big fan of the measurable and auditable approach of the NERC CIP. It is a true standard that can be tested for compliance and would clearly improve an entity’s security posture even with less than sincere compliance efforts. That said, it appears that the FERC involvement and the ERO created in the recent Energy Act are needed.
A self-regulatory organization like NERC, where the members vote on what reliability standards and requirements are levied on themselves, may not be able to pass what is needed in a vote. If required to pick requirements that 2/3rds of the voting members agree on, the late adopters end up making the decision and carrying the day.
FERC will have the responsibility to review these standards if NERC is selected as the ERO. Hopefully this is one area they will push back hard. Another area is proof of compliance. I’m not involved in the politics of this issue, but it is a bit baffling to me that NERC would do this at the same time as applying to be the ERO. It does not show the independence and rigor an ERO will need.
Author: Dale Peterson
Posted: January 19th, 2006 under NERC CIP.