NERC CIP Checklist for Identification and Categorization of BES Cyber Assets

August 31, 2021

The North American Electric Reliability Corporation (NERC) maintains the Critical Infrastructure Protection (CIP) security standards. These protocols coordinate security practices for major electricity providers across both the United States and Canada. Among them is NERC CIP 002-5.1a. Like many NERC CIP standards, these requirements are highly technical and intricate. The purpose of this post is to present a three-step model for how to approach this requirement. These steps focus on identifying systems, identifying assets, and categorizing each accordingly. Before exploring these topics however, it is important to recognize that 002-5.1a deals exclusively with Bulk Electricity Systems (BES). These are generally understood to be assets operating to support interstate generation and transmission on the large network of connected facilities commonly called “the grid” and not solely intended for local distribution. Cyber systems falling outside of these systems are not likely to be relevant to 002-5.1a requirements.

Step 1: Identify Systems

The first step is to determine what “BES Cyber Systems” exist within your network landscape. These systems are defined as “one or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks.” Common reliability tasks include balancing load and generation, controlling frequencies, normalizing voltages, as well as monitoring and control systems. Significant room is left however, for individual operators to determine the logical grouping of their network. The definition of a Cyber System, therefore, is intentionally broad.

Despite this flexibility, defining a Cyber System requires careful consideration. Organizing too many assets within a single system may result in significant difficulty meeting audit requirements. Conversely, defining a system too narrowly could duplicate monitoring and report efforts unnecessarily. In either case, NERC requires report lists of indexed systems. Organizing this reporting logically will streamline the process and help ensure robust security.

Step 2: Inventory Assets

The second step is to inventory “BES Cyber Assets” within the previously determined systems. Unlike the system level, NERC provides a specific definition as to what constitutes a BES Cyber Asset. For the purposes of 002-5.1a, this is any “Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System.”

This definition provides an expansive list of possible asset types. It does not stop with the identification of the BES Cyber Assets, because the standard also defines supporting systems that fall into the following categories:

Electronic Access Control or Monitoring Systems (EACMS)
EACMS assets control the authentication and limitation of user access to BES Cyber Systems. These are devices that usually perform security rather than operational functions. Usually, these assets sit at digital access points and might include user directory servers, asset monitoring systems, and intrusion detection systems.

Physical Access Control Systems (PACS)
PACS are like EACMS but mediate the physical access to BES Cyber Systems. Most commonly, these are systems concerned with building and plant security. Such systems are largely composed of personnel authentication systems like badge, FOB, or card passes.

Protected Cyber Assets (PCA)
PCA assets are ancillary equipment located in the same network security zone (Electronic Security Perimeter in NERC CIP speak) as BES Cyber Assets. The mere location of these devices is often sufficient to warrant security consideration. Any failures or exploit against these systems would directly impact the reliable operations of the Facility. Examples of PCAs would include switches, file servers, and network time clocks (if not otherwise captured as a BES Cyber Asset,) and essentially anything else with an IP address in that network security zone.

Step 3: Categorizing Risk

Finally, each BES System must be categorized as low, medium, or high impact. The criteria for making these distinctions are linked to the functions of the assets housed within each system. Detailed guidance for specific criteria are laid out in a set of “bright-line” requirements set out in the first attachment of CIP-002-5.1a. Before consulting the individual requirements however, it is helpful to understand the larger rational and motivation for each separate security level in turn.
High impact systems are generally those housed at the control center level. In particular, systems which oversee tasks associated with energy balancing, transmission, generation, or the specific reliability monitoring are most likely to be classified as high impact.

Medium impact systems are generally those single Facilities (plants for transmission substations) that play a significant role in the reliability of the grid as whole. These are the backbone system upon which everything depends, and a loss of too many of these would cause significant issues. Whether a system is considered medium impact is also dependent upon the observation of specific benchmarks. As an example, an asset related to energy generation will classified as medium impact if it is associated with a system producing a net Real power capability in excess of 15,000 MW. In this manner scope and scale of site level, functions will interact to construct the medium impact classification.

Low impact systems are ascribed by default to those BES Facilities which fail to meet the qualifications of the other two categories. Additionally, NERC CIP does not require discrete identification of systems deemed low impact. However, there are considerable security benefits from maintaining complete inventories on all assets. This can help minimize vulnerabilities as well as prepare for networking shifts that may change an asset’s categorization. This is particularly beneficial, as NERC requires each impact asset inventory and system categorization to be updated every fifteen months.

In summary, it’s incredibly helpful to approach CIP-002-5 in three steps: identify systems, inventory assets, and categorize risk. While a significant and potentially lengthy task, identifying and monitoring your critical systems and their components is necessary to mitigate cyber risk. Few stories illustrate this better than the Colonial Pipeline attack. The shutdown of the pipeline could have been avoided if systems and assets had been fully identified and segmented. As a result, standards such as CIP-002-5 should only be expected to become more critical as the years progress.

To learn how you can automate compliance with NERC CIP 002-5 to focus more of your time on strategic initiatives, check out our NERC CIP compliance guide with expert tips and advice from our experienced security and compliance practitioners.