CIP-002: Where it all starts!!
(Originally posted on October 30, 2018)
CIP-002 may be the most important standard in all of NERC/CIP land.
What? How can that be?
CIP-002 is the manual for identifying and categorizing BES cyber assets. If that is not exciting I don’t know what is.
Prepare yourself as I perform a breakdown of the low impact portion of CIP-002. I am of course making the assumption that you already know which of your cyber systems are part of the BES and that they are indeed categorized as low impact and not medium or high.
Looking closely at CIP-002-5.1a, we will see that low impact requirements start at R1 and R1.3 specifically. The verbiage of each are listed below:
· R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3:
o i. Control Centers and backup Control Centers;
o ii. Transmission stations and substations;
o iii.Generation resources;
o iv. Systems and facilities critical to system restoration, including Blackstart Resources and Cranking Paths and initial switching requirements;
o v. Special Protection Systems that support the reliable operation of the Bulk Electric Systems; and
o vi. For Distribution Providers, Protection Systems specified in Applicabililty section 4.2.1 above.
· R1.3 Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required).
That doesn’t seem so hard. Let me take the hatchet to it:
Have a process to identify assets that contain low impact BES cyber systems.
A list of BES cyber systems is not even required, just the assets themselves; however, I highly recommend keeping a list of your BES cyber systems.
What constitutes a process?
1. Can our summer intern check this list against any old or new assets that may contain BES cyber systems? → Sure can! Just be sure to have the intern sign and date something.
2. What about the Vice President of Operations that likes to review the list of BES assets every Sunday evening before the 10 o’clock news, does this count?
Absolutely! Just be sure to have the VP sign and date something.
See a pattern here? Numerous requirements for NERC/CIP can be met with using signed and dated documents for evidence.
What’s next? There are still two more requirements in CIP-002.
But don’t worry, they are simple.
I’ll summarize each of the requirements for R2 below:
· R2.1 - Review the asset list at least every 15 months, even if you don’t have any assets in the list (don’t think about that too hard). If there are any changes, update the list.
· R2.2 - The CIP Senior Manager, or delegate, shall approve the list every 15 months, even if you don’t have any low impact assets to constitute a list.
The CIP team commonly uses 15 months as a time-frame, to make this simpler shorten it to 12 months and just think annually.
This was very high level summarization of CIP-002 R1.3, R2.1, and R2.2. There is a lot of useful information in this standard and I recommend at least reading the sections that pertain to your specific situation.
Next blog post → CIP-003!!!!!!
FYI - If there is a standard or topic you’d like CIP Centric to cover in future blog posts please let us know in the comments below.