The Lighthouse: CIP low impact from the ground up – Part 6, Asset identification | CIP Senior Manager's Corner

By Lew Folkerth, Principal Reliability Consultant, External Affairs

In this recurring column, I explore various questions and concerns related to the NERC Critical Infrastructure Protection (CIP) Standards. I share my views and opinions with you, which are not binding. Rather, this information is intended to provoke discussion within your entity. It may also help you and your entity as you strive to improve your compliance posture and work toward continuous improvement in the reliability, security, resilience and sustainability of your CIP compliance programs. At times, I may also discuss areas of the standards that other entities may be struggling with and share my ideas to overcome their known issues. As with lighthouses, I can’t steer your ship for you, but perhaps I can help shed light on the sometimes-stormy waters of CIP compliance.

The article below is a high-level executive summary on low impact asset identification and Lew’s recommendations for CIP Senior Managers. An in-depth version of this article is also available.

Executive summary

BES Cyber Systems are groups of operational technology (OT) computers that can have an impact on operations within 15 minutes of their disruption. The focus of CIP-002 is on identification of these systems and on assigning them an impact rating of low, medium, or high. The impact rating is a general assessment of the importance of the system to the reliability and stability of the grid.

For low impact systems, only the physical asset (substation, generating plant, etc.) where they are located needs to be identified.

You have two options regarding each low impact asset:

  1. Protect low impact assets at the asset level, in which case you need not identify the individual BES Cyber Systems at that asset; or
  2. Protect only the low impact BES Cyber Systems and their electronic access control systems at the asset, in which case you will need to be able to identify each of those systems.

Multiple resources are available on the NERC website to assist your staff with these determinations.

Lew’s recommendations

As the CIP Senior Manager, you should take the lead to ensure your CIP subject matter experts (SMEs) collaborate with the necessary company personnel and receive the cooperation they need to ensure a complete inventory of Bulk Electric System physical assets is developed.

You should review and approve the decision as to which low impact assets will be protected at the asset level and which will be protected at the BES Cyber System level.

You or your delegate must approve the list of assets containing low impact BES Cyber Systems before CIP-002 becomes effective for your organization, and annually thereafter.

Your staff should develop a change management system that will keep you informed of impending changes to the asset list. As a good practice, you should re-approve the asset list whenever it undergoes significant changes.