What is low impact CIP?

CIP-003
Written By Jim Sheldon

Welcome to CIP Centric’s first blog post!

(Originally posted on October 20, 2018)

This blog will focus on NERC’s Critical Infrastructure Protection standards which apply to low impact assets.

Low impact CIP

NERC/CIP low impact

low impact rules

low CIP standards

All of these phrases refer to the same thing, the group of CIP standards and requirements mandated by NERC that all entities must adhere to if they have low impact Bulk Electric System (BES) assets. Whew!

It seems so unnecessarily confusing; however, it is not impossible to understand.

Let’s break it down with an overly simplified flow chart:

Wow! It may be simple, but it’s not easy.

Determining if your asset is part of the Bulk Electric System (BES) may be a difficult task. This pdf from the NERC website defines what constitutes a BES asset.

If you can decipher the NERC BES definition you’ll have no problem understanding the BES Cyber System Categorization standard located on NERC’s website here. This document is what is commonly known as CIP-002 and determines the asset impact level, or categorization if you want to be formal.

Make sure you read and understand these documents…or not. Just be sure to follow their requirements as there will not be a quiz, only an audit at some point in the future with a potential for some serious fines.

FYI for the readers with low impact assets — the low impact CIP standard requirements listed below are already in effect and must be followed with more coming in 2020! All of these will be covered in later blog posts.

·         CIP-002-5.1a R1.3 — Low Impact BES Cyber System Identification — July 1, 2016

·         CIP-002-5.1a R2.1 — Review the Low Impact Asset List — July 1, 2016

·         CIP-002-5.1a R2.2 — CIP Senior Manager Review — July 1, 2016

·         CIP-003-6 R1.2 — Documented Cyber Security Policies — April 1, 2017

·         CIP-003-6 R2 S1 — Cyber Security Awareness Plan — April 1, 2017

·         CIP-003-6 R2 S4 — Cyber Security Incident Response Plan — April 1, 2017

·         CIP-003-6 R3 — CIP Senior Manager Identification — July 1, 2016

·         CIP-003-6 R4 — CIP Senior Manager Delegate Process — July 1, 2016

Jim Sheldon
Previous

CIP-002: Where it all starts!!