Industrial Cybersecurity Pulse
NERC CIP checklist for identification and categorization of BES cyber assets

  • Mathias Mesich
  • November 19, 2021
Courtesy: Brett Sayles

The North American Electric Reliability Corporation (NERC) maintains the critical infrastructure protection (CIP) security standards. These standards coordinate security practices for major electricity providers across both the United States and Canada. Among them is NERC CIP 002-5.1a. Like many NERC CIP standards, its requirements are highly technical and intricate. The purpose of this post is to present a three-step model for approaching this requirement. The steps focus on identifying systems, inventorying assets and categorizing each accordingly.

Before exploring these topics, however, it is important to recognize that 002-5.1a deals exclusively with the bulk electric system (BES). This is generally understood to mean assets operating to support interstate generation and transmission on the large network of connected facilities commonly called “the grid,” not assets intended solely for local distribution. Cyber systems falling outside the BES are not likely to be relevant to 002-5.1a requirements.

Step 1: Identify systems

The first step is to determine what “BES cyber systems” exist within your network landscape. These systems are defined as “one or more BES cyber assets logically grouped by a responsible entity to perform one or more reliability tasks.” Common reliability tasks include balancing load and generation, controlling frequency, normalizing voltage, and monitoring and control. Significant room is left, however, for individual operators to determine the logical grouping of their network. The definition of a cyber system is therefore intentionally broad.

Despite this flexibility, defining a cyber system requires careful consideration. Grouping too many assets within a single system may make audit requirements significantly harder to meet. Conversely, defining a system too narrowly could duplicate monitoring and reporting efforts unnecessarily. In either case, NERC requires reports listing the identified systems. Organizing this reporting logically will streamline the process and help ensure robust security.

Step 2: Inventory assets

The second step is to inventory “BES Cyber Assets” within the previously determined systems. Unlike the system level, NERC provides a specific definition as to what constitutes a BES cyber asset. For the purposes of 002-5.1a, this is any “Cyber asset that if rendered unavailable, degraded or misused would, within 15 minutes of its required operation, misoperation or non-operation, adversely impact one or more facilities, systems or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the bulk electric system.”

This definition covers an expansive range of possible asset types. The work does not stop with the identification of BES cyber assets, because the standard also defines supporting systems that fall into the following categories:

Electronic access control or monitoring systems (EACMS). EACMS assets authenticate and limit user access to BES cyber systems. These are devices that usually perform security rather than operational functions. They typically sit at electronic access points and might include user directory servers, asset monitoring systems and intrusion detection systems.

Physical access control systems (PACS). PACS are like EACMS but mediate physical access to BES cyber systems. Most commonly, these are systems concerned with building and plant security. Such systems are largely composed of personnel authentication systems like badge, fob or card passes.

Protected cyber assets (PCA). PCA assets are ancillary equipment located in the same network security zone (the electronic security perimeter, in NERC CIP terms) as BES cyber assets. The mere location of these devices is often sufficient to warrant security consideration, because a failure or compromise of one of them could directly impact the reliable operation of the facility. Examples of PCAs include switches, file servers and network time clocks (if not otherwise captured as a BES cyber asset), and essentially anything else with an IP address in that network security zone.

Step 3: Categorizing risk

Finally, each BES cyber system must be categorized as low, medium or high impact. The criteria for making these distinctions are linked to the functions of the assets housed within each system. Detailed guidance on the specific criteria is laid out in a set of “bright-line” requirements in the first attachment of CIP-002-5.1a. Before consulting the individual requirements, however, it is helpful to understand the broader rationale and motivation for each impact level in turn.

High impact systems are generally those housed at the control center level. In particular, systems that oversee tasks associated with energy balancing, transmission, generation or specific reliability-monitoring functions are the most likely to be classified as high impact.

Medium impact systems are generally those at single facilities (plants or transmission substations) that play a significant role in the reliability of the grid as a whole. These are the backbone systems upon which everything depends, and the loss of too many of them would cause significant issues. Whether a system is considered medium impact also depends on specific benchmarks. As an example, an asset related to energy generation will be classified as medium impact if it is associated with a system producing a net real power capability in excess of 15,000 MW. In this manner, the scope and scale of a site interact with its functions to determine the medium impact classification.

Low impact is ascribed by default to those BES facilities that fail to meet the qualifications of the other two categories. NERC CIP does not require discrete identification of systems deemed low impact. However, there are considerable security benefits to maintaining complete inventories of all assets. This helps minimize vulnerabilities and prepares you for network changes that may alter an asset’s categorization. This is particularly beneficial because NERC requires the asset inventory and system categorization to be reviewed and updated every fifteen months.
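The three steps above can be expressed as a small, repeatable procedure over an asset inventory, which is how a practitioner would keep the categorization auditable between review cycles. The following Python script is an added example and is not code from the article or from Industrial Defender: it groups a constructed inventory into BES cyber systems (Step 1), applies the 15-minute definition and the EACMS/PACS/PCA labels to each asset (Step 2), rates each system using the criteria the article names (Step 3), and computes the next fifteen-month review date. The asset names, system names, site types, field names and the 16,000 MW plant figure are all constructed for illustration; the 15,000 MW generation threshold is the figure quoted in the article and should be verified against CIP-002-5.1a Attachment 1 before being relied on.

```python
"""Added example: walking the three CIP-002 steps over a constructed inventory.

This is not the article's or Industrial Defender's code. Field names, site types
and the inventory below are assumptions made for illustration.
"""
import calendar
from dataclasses import dataclass
from datetime import date

# Generation threshold as quoted in the article (15,000 MW). Verify the figure
# against CIP-002-5.1a Attachment 1 before relying on it.
MEDIUM_IMPACT_GENERATION_MW = 15_000
REVIEW_INTERVAL_MONTHS = 15  # the article's fifteen-month update cycle


@dataclass
class CyberAsset:
    name: str
    system: str                # Step 1: logical grouping chosen by the responsible entity
    role: str                  # "operational", "eacms", "pacs" or "other" (assumed vocabulary)
    in_esp: bool               # sits inside the electronic security perimeter
    impact_within_15min: bool  # loss or misuse affects the BES within 15 minutes


@dataclass
class SystemProfile:
    site_type: str             # "control_center", "generation" or "transmission" (assumed)
    net_real_power_mw: float = 0.0


def classify_asset(a: CyberAsset) -> str:
    """Step 2: apply the BES cyber asset definition, then the supporting-system labels."""
    if a.impact_within_15min:
        return "BES Cyber Asset"   # the 15-minute test is decisive on its own
    if a.role == "eacms":
        return "EACMS"
    if a.role == "pacs":
        return "PACS"
    if a.in_esp:
        return "PCA"               # ancillary equipment sharing the ESP
    return "Out of scope"


def categorize_impact(profile: SystemProfile, labels: dict) -> str:
    """Step 3: impact rating from the bright-line criteria the article mentions."""
    if not any(v == "BES Cyber Asset" for v in labels.values()):
        return "not a BES cyber system"   # no asset met the definition in Step 2
    if profile.site_type == "control_center":
        return "high"
    if profile.site_type == "generation" and profile.net_real_power_mw > MEDIUM_IMPACT_GENERATION_MW:
        return "medium"
    return "low"                           # everything else is low impact by default


def next_review_due(last_review_iso: str) -> str:
    """ISO date by which the inventory and categorization must be revisited."""
    last = date.fromisoformat(last_review_iso)
    months = last.month - 1 + REVIEW_INTERVAL_MONTHS
    year, month = last.year + months // 12, months % 12 + 1
    day = min(last.day, calendar.monthrange(year, month)[1])  # clamp to month length
    return date(year, month, day).isoformat()


def run_checklist(assets, profiles):
    """Steps 1-3 together: group by system, label each asset, rate each system."""
    grouped = {}
    for a in assets:
        grouped.setdefault(a.system, {})[a.name] = classify_asset(a)
    return {
        system: {"impact": categorize_impact(profiles[system], labels), "assets": labels}
        for system, labels in grouped.items()
    }


# Constructed inventory: hypothetical names and values, not a real site.
ASSETS = [
    CyberAsset("ems-server-01", "EMS", "operational", True, True),
    CyberAsset("directory-01", "EMS", "eacms", True, False),
    CyberAsset("badge-ctrl-01", "EMS", "pacs", False, False),
    CyberAsset("ntp-01", "EMS", "other", True, False),
    CyberAsset("dcs-ctrl-01", "Plant A", "operational", True, True),
    CyberAsset("corp-historian", "Plant A", "other", False, False),
    CyberAsset("rtu-07", "Sub 7", "operational", True, True),
]
PROFILES = {
    "EMS": SystemProfile("control_center"),
    "Plant A": SystemProfile("generation", net_real_power_mw=16_000),
    "Sub 7": SystemProfile("transmission"),
}

if __name__ == "__main__":
    for system, report in run_checklist(ASSETS, PROFILES).items():
        print(f"{system}: {report['impact']} impact")
        for name, label in report["assets"].items():
            print(f"  {name:16} {label}")
    print("next review due:", next_review_due("2021-11-19"))
```

The ordering in `classify_asset` matters: the 15-minute criterion is checked first because the standard's definition of a BES cyber asset rests on that test alone, and only assets that fail it are considered for the supporting-system labels. A system with no asset passing the test is reported as not a BES cyber system rather than silently rated low, which is the kind of gap an auditor would otherwise catch.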

In summary, it is incredibly helpful to approach CIP-002-5 in three steps: identify systems, inventory assets and categorize risk. While a significant and potentially lengthy task, identifying and monitoring your critical systems and their components is necessary to mitigate cyber risk. Few stories illustrate this better than the Colonial Pipeline attack. The shutdown of the pipeline could have been avoided if systems and assets had been fully identified and segmented. As a result, standards such as CIP-002-5 should only be expected to become more critical as the years progress.

To learn how you can automate compliance with NERC CIP 002-5 to focus more of your time on strategic initiatives, check out our NERC CIP compliance guide with expert tips and advice from our experienced security and compliance practitioners.

Original content can be found at www.industrialdefender.com.

Copyright 2022 CFE Media and Technology.
All rights reserved.