The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards CIP-002...
through CIP-009 provide the minimum requirements for utilities and other affected enterprises to ensure the Bulk Electric System (BES) is effectively protected from cyberattacks and faults.
Before diving into the CIP-002 requirements and how to take the right actions, some key terms need to be defined and highlighted to help you better understand this process. These terms are summarized below and defined in the NERC Glossary.
- BULK ELECTRIC SYSTEM (BES): The electrical generation resources, transmission lines, interconnections with neighboring systems and associated equipment, generally operated at voltages of 100 kV or higher. Protecting the BES is the primary focus of the NERC CIPs.
- CRITICAL ASSETS: Facilities, systems and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System. Examples of critical assets include generating plants, major transmission substations and system control centers.
- CRITICAL CYBER ASSETS (CCAs): Programmable electronic devices and communication networks including hardware, software, and data that are essential to the reliable operation of Critical Assets.
To help you better understand the hierarchy of the BES to the Critical Assets to the CCAs, please see Figure 1.
CIP-002 mandates utilities follow a high-level approach for Critical Cyber Asset identification. A summary of these steps is as follows:
- First, the utility must identify and document a risk-based methodology to be used to identify its critical assets. An excellent reference to help utilities with this process development is provided by NERC.
- Second, using the risk-based methodology identified above, the utility shall review all of its assets and then identify its critical ones. This must be done at least annually. Of course, the process must be documented and you are expected to follow the procedure and process prepared in #1.
At a minimum you are expected to consider the following assets:
- Control centers and backup control centers.
- Transmission substations important to the BES.
- Generation resources important to the BES.
- "Blackstart" resources -- i.e., those generators and substations needed if there is a complete system blackout and no electric power is available.
- Automatic load shedding systems capable of shedding 300 megawatts (MW) or more.
- Any other asset deemed critical to the reliable operation of the BES.
- Thirdly, using the list of critical assets you developed in #2, you need to prepare a list of CCAs essential to the operation of the critical asset. Examples at control centers could include cybersystems that provide monitoring and control (e.g., SCADA systems), automatic generation control, real-time power system modeling, and real-time inter-utility data exchange.
Of note, the NERC CIPs mandate that the CCAs must also meet one of the following characteristics. That is, the cyberasset:
- Uses a "routable protocol" to communicate.
- Uses a "routable protocol" within a control center.
- Is dial-up accessible.
Many people are surprised to see that the Critical Cyber Assets are only limited to "routable protocols." The Frequently Asked Questions (FAQs) Cyber Security Standards CIP--002--1 through CIP--009--1, issued by NERC, states: "The Critical Cyber Assets that use non-routable protocols have a limited attack scope; hence, they are less vulnerable than Critical Cyber Assets using routable protocols." This document further notes that "routable protocols" are those that provide switching and routing as described by the Open System Interconnection (OSI) model Layer 3 or higher.
Overall, getting the list of critical assets and Critical Cyber Assets complete and correct is absolutely essential for the enterprise that is required to follow the NERC CIP requirements. This is not an impossible process; however, a utility and its supporting vendors really need to pay close attention to detail in this process to avoid "surprises" later on in the NERC CIP implementation. Even the Chief Security Officer of NERC, Mr. Michael Assante, has criticized the industry for its failure to adequately and thoroughly identify their critical assets and CCAs. Therefore, NERC has high expectations for utilities to do this process right the first time.
About the author:
Ernie Hayden lives in the Seattle area and has substantial experience in the energy and information security industries. He has been a CISO at an electric utility implementing the NERC CIPs and is currently consulting.