The Lighthouse: CIP low impact from the ground up – Part 6, Asset identification
By Lew Folkerth, Principal Reliability Consultant, External Affairs
In this recurring column, I explore various questions and concerns related to the NERC Critical Infrastructure Protection (CIP) Standards. I share my views and opinions with you, which are not binding. Rather, this information is intended to provoke discussion within your entity. It may also help you and your entity as you strive to improve your compliance posture and work toward continuous improvement in the reliability, security, resilience and sustainability of your CIP compliance programs. There are times that I also may discuss areas of the standards that other entities may be struggling with and share my ideas to overcome their known issues. As with lighthouses, I can’t steer your ship for you, but perhaps I can help shed light on the sometimes-stormy waters of CIP compliance.
Photo: Big Bay Point Lighthouse, Big Bay, Michigan (Lew Folkerth)
In previous parts of this series I’ve laid the groundwork for addressing the NERC Reliability Standards. In this part, I’ll examine the Cyber Security Standard on BES Cyber System Categorization, CIP-002-5.1a, and give you some ideas for how to implement your compliance with this Standard. Note that I cannot tell you how to be compliant, but there is a certain sequence of steps imposed by the language of the Standards, and this I will explain.
Much of the language we will be working with is in NERC Glossary definitions. These definitions are referenced in the Standards by use of capitalized terms and may themselves contain other Glossary terms. Glossary terms are the approved meaning of the terms used in the Standards.
Visit the CIP Senior Manager’s Corner for an executive summary of this article and Lew’s recommendations for CIP Senior Managers.
Impact rating
Impact ratings are a measure of the importance of an asset to the Bulk Electric System (BES). CIP-002-5.1a identifies three levels of impact. High impact ratings are used for major Control Centers. Medium impact ratings are used for larger Control Centers, large substations, large generators, and other critical BES components.
Low impact ratings are used for all other applicable BES assets. You can see from this that there are a LOT of low impact assets. In the CIP Standards, the term “low impact” is used in the context of the stability of the BES. Individually these assets have a low impact on the overall BES and are unlikely to cause instability or widespread outages. But these same assets will have a high impact on the communities and industries they serve.
One recent example is the disruption of a substation that serves Heathrow Airport. Chances are that this substation would be categorized as low impact if it were subject to the CIP Standards. But this “low impact” substation triggered a major disruption in international air traffic by causing Heathrow to lose power for 18 hours due to a transformer fire. My point is that the low impact categorizations are made only in the context of BES reliability, but their impact on the wider world isn’t always low.
Technically speaking, an impact rating is only assigned to a BES Cyber System, and it depends on the physical asset the system is located at or associated with. So it is common practice to discuss these physical assets as if they also have impact ratings. I will follow this practice in this article.
CIP-002-5.1a Part 1.3 requires you to identify your physical assets that contain a low impact BES Cyber System. Part 1.3 also states that a list of low impact BES Cyber Systems is not required. I’ll discuss this statement in more detail later.
BES Cyber Systems
Before we discuss the identification of BES Cyber Systems, we need to understand what a BES Cyber System is. There is a chain of NERC Glossary definitions that we need to follow. The basic definition is a Cyber Asset. A Cyber Asset is a “programmable electronic device.” This means literally anything with a CPU chip. For example, if a device connects to a network, it’s a Cyber Asset; if a device has updatable firmware, it’s a Cyber Asset; if a device has an electronic display, it’s a Cyber Asset. In contrast, an electromechanical relay does not contain a CPU and is not a Cyber Asset.
A BES Cyber Asset is a Cyber Asset that has a 15-minute impact on the reliability of the BES. For example, a protective relay generally has an impact on the grid within milliseconds and would thereby be a BES Cyber Asset. A programmable logic controller (PLC) controlling a boiler feed pump at a generating station would have an impact within seconds and would be a BES Cyber Asset. A Cyber Asset used to unload a train car of coal would not have a 15-minute impact. A meter placed on the output of a generator for billing purposes, if not used for real-time decisions, would not be a BES Cyber Asset.
You must not consider the redundancy of a Cyber Asset as a reason not to identify it as a BES Cyber Asset. You might have many operator consoles, for example, and the loss of one would not be felt since other consoles could pick up the load. But even a single console, if compromised, can be used against you by an attacker.
A BES Cyber System is a group of BES Cyber Assets. How BES Cyber Assets are grouped into BES Cyber Systems is up to you. You can have one BES Cyber Asset per BES Cyber System, or one BES Cyber System for an entire site, or anything in between.
To actually identify your assets containing low impact BES Cyber Systems I’m going to refer you to the CIP-002-5.1 Application Guide on the NERC website. This 68-page Guide was produced by the MRO Standards Committee and has been endorsed as Implementation Guidance by NERC and the Regional Entities. Don’t panic. The 68 pages contain suggested methodologies, tips, reference material, and other helpful information. The guide discusses two approaches to identifying BES Cyber Systems, top-down and bottom-up. If this is your first time performing the CIP-002 identifications, I suggest using the top-down approach summarized on page 14.
You should now have your list of physical assets containing low impact BES Cyber Systems. Be sure to document how you developed this list. Your CIP Senior Manager may wish to review this documentation. And you should retain the approved list of assets and the documentation of how it was developed to provide your audit team with reasonable assurance of your compliance.
Choose an approach to low impact identification
You now face a significant decision which should involve your CIP Senior Manager. You have the option to protect all of your Cyber Assets associated with the physical asset, in which case your asset identification process stops. Or you may protect only those low impact BES Cyber Systems associated with the physical asset, in which case you need to identify those low impact BES Cyber Systems.
Applying the low impact CIP Standards to an entire asset such as a Control Center or a larger generating facility may not be optimal for you. Those types of facilities frequently have cyber systems, such as business systems, that do not have a 15-minute impact on the BES. When I discuss CIP-003-8 Attachment 1 Section 3, you will see that you have the option to protect all the cyber assets at the physical asset, or only the low impact BES Cyber Systems and their access control systems. If you choose the latter option, you will need a list of those low impact BES Cyber Systems, even though it is explicitly not required by CIP-002-5.1a Part 1.3. If you do not have that list, your audit team will not be able to obtain reasonable assurance that you are protecting the low impact BES Cyber Systems. And, more importantly, you will not know which systems to protect.
In your considerations of Cyber Assets that might be BES Cyber Assets, don’t overlook devices like time sources (such as GPS clocks), stability monitoring systems (such as phasor measurement units) and other supporting devices.
You may make the decision to protect an entire asset or only the low impact BES Cyber Systems on an asset-by-asset basis. You do not need to choose one approach for your entire compliance program.
Generator segmentation
If you’re responsible for a generation facility that is capable of 1500 MW or more, Impact Rating Criterion 2.1 contains a provision that permits you to segment your BES Cyber Systems to keep the facility at the low impact level. If this applies to you, you should read these documents:
• CIP-002-5.1 Requirement R1: Impact Rating of Generation Resource Shared BES Cyber Systems is a “Lessons Learned” document that provides additional guidance on segmenting generating systems; and
• While its intended audience is auditors and other CMEP staff, the Generation Segmentation CMEP Practice Guide provides a valuable look into how your audit team will evaluate any generator segmentation you may perform.
CIP Senior Manager approvals
Your CIP Senior Manager (or delegate) must approve the list of assets containing low impact BES Cyber Systems on or before the date CIP-002-5.1a becomes effective for your organization. I also recommend, although it’s not required, that your CIP Senior Manager (or delegate) approve any list of low impact BES Cyber Systems you have developed.
Resources
• NERC Reliability Standard
• Implementation Guidance
⋄ Identify and Categorize BES Cyber Systems and Cyber Assets (MRO SC)
⋄ Shared Ownership of BES Facilities (CIPC)
• CMEP Practice Guide
⋄ CIP-002-5.1a R1 – Generation Segmentation
• General Guidance
⋄ CIP-002-5.1 BES Cyber Assets Lessons Learned
⋄ CIP-002-5.1 Far-end Relay Lessons Learned
⋄ CIP-002-5.1 Generation Interconnection Lessons Learned