In this fourth blog installment on implementing NERC CIP Low Impact BES Cyber Systems (BCS) requirements, I’ll dive into the prerequisite Standard CIP-002-5.1 for determining if Low Impact BCS are present at a Bulk Energy System (BES) facility and if an inventory should be created.
No List Required?
CIP-002-5.1 Requirement R1, Part 1.3 and CIP-003-6 Requirement R2 clearly indicate that a distinct list of BCS, or BES Cyber Assets (BCA) that make up a BCS, is not required. While this adheres to the Standards’ language, during CIP Version 5 outreach efforts NERC and Regional Entities — as well as Burns & McDonnell — have indicated that it is in an Entity’s best interest to develop some type of list to assist in determining if the documented protections are Standards-compliant.
Audit Team Requirements & a List
Per the Generally Accepted Government Auditing Standards used by the Regions, the primary purpose of an audit is to determine with “reasonable assurance” that the indicated protections will meet Standards requirements. While there are several ways of determining reasonable assurance, one of the most effective methods involves reviewing and validating a list or diagram as appropriate. For CIP-003-6, two of the Sections in Attachment 1 require the application of: 1) physical protections to BCS and Low Impact BES Cyber System Electronic Access Point (LEAP); and 2) electronic protections for the LEAP or BCS having Dial-up connectivity.
For Low Impact BCS, auditors need to understand which BCA make up each BCS, whether Low Impact External Routable Connectivity (LERC) exists and, if it does, where the LEAP is located, and whether any Dial-up connectivity reaches the BCS. Only with that information can they determine whether the indicated protections are appropriate and in place to meet the Standards. The information can be communicated verbally, or a list and diagrams can be provided to the auditors. It is normally validated to “reasonable assurance” through site visits that match the provided information against what is actually installed at the facility.
Although the two collection methods may seem similar, from my own experience conducting audits, combined with an understanding of the Regional Audit Teams’ approach, I’ve found that a verbal presentation of the information is far more time-consuming than presenting a list. Auditors often wonder whether verbally provided information is complete, and whether the same information was used consistently when the documented protections were applied.
By providing a documented list, the time spent completing a Low Impact audit can be reduced since the process of collecting and validating information is significantly expedited. This technique also offers the potential benefit of reducing the number of site visits needed once the audit team reaches a confidence level that the Entity knows what it has and the protections are applied as documented.
Burns & McDonnell’s approach for facilities containing only Low Impact BCS consists of either a full inventory or a survey inventory. A full inventory, like the process used for facilities containing High and Medium Impact BCS, can be time-consuming, especially for an Entity with numerous Low Impact-only sites, since that process involves visiting and inspecting each site. A survey inventory is a process in which existing Cyber Asset information is collected from different sources, such as an Entity’s O&P and Information Technology Asset Management programs, together with interviews of site Subject Matter Experts.
While the survey method is not as detailed as a full inventory, when applied correctly it provides the necessary and relevant information: which Cyber Assets are BCA, how the BCS are made up, where the site’s LEAP is and which Cyber Assets contain the LEAP (if any), and which BCS have Dial-up connectivity.
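As an added illustration of what a survey inventory produces (example code written for this post, not Burns & McDonnell’s tooling or any NERC artifact), the script below merges records from two constructed sources, an asset-management export and SME interview answers, keeps any disagreement between them as a conflict to resolve rather than silently picking a value, and then summarizes per site exactly the items an audit team asks about: the BCA making up each BCS, whether LERC exists, where the LEAP is, and which BCS have Dial-up. The site names, asset names and field names are invented for the example.

```python
from collections import defaultdict

# Constructed sample records (invented for this example): one export from an
# asset-management system and one set of answers from a site SME interview.
ASSET_MGMT_EXPORT = [
    {"site": "Substation A", "asset": "RTU-1",   "bca": True,  "bcs": "SCADA-A", "lerc": True,  "leap": False, "dialup": False},
    {"site": "Substation A", "asset": "FW-1",    "bca": False, "bcs": "",        "lerc": True,  "leap": True,  "dialup": False},
    {"site": "Plant B",      "asset": "PLC-7",   "bca": True,  "bcs": "DCS-B",   "lerc": False, "leap": False, "dialup": True},
]
SME_INTERVIEW = [
    {"site": "Substation A", "asset": "RTU-1",   "bca": True,  "bcs": "SCADA-A", "lerc": True,  "leap": False, "dialup": False},
    {"site": "Substation A", "asset": "RELAY-3", "bca": True,  "bcs": "SCADA-A", "lerc": True,  "leap": False, "dialup": False},
    {"site": "Plant B",      "asset": "PLC-7",   "bca": True,  "bcs": "DCS-B",   "lerc": False, "leap": False, "dialup": False},
    {"site": "Plant C",      "asset": "HMI-2",   "bca": True,  "bcs": "GEN-C",   "lerc": True,  "leap": False, "dialup": False},
]

# Attributes that must agree between sources before the record is trusted.
FIELDS = ("bca", "bcs", "lerc", "leap", "dialup")


def merge_sources(*sources):
    """Combine (name, records) pairs keyed by (site, asset).

    Returns (merged, conflicts). The first source seen supplies the working
    value; any later source that disagrees is recorded as a conflict tuple
    (key, field, current_value, other_value) for SME follow-up.
    """
    merged = {}
    conflicts = []
    for src_name, records in sources:
        for rec in records:
            key = (rec["site"], rec["asset"])
            if key not in merged:
                merged[key] = dict(rec, sources=[src_name])
                continue
            current = merged[key]
            current["sources"].append(src_name)
            for field in FIELDS:
                if current[field] != rec[field]:
                    conflicts.append((key, field, current[field], rec[field]))
    return merged, conflicts


def site_summary(merged):
    """Per site: BCS -> list of BCA, LERC present?, LEAP assets, BCS with Dial-up."""
    sites = defaultdict(lambda: {"bcs": defaultdict(list), "lerc": False,
                                 "leap": [], "dialup": set()})
    for (site, asset), rec in merged.items():
        summary = sites[site]
        if rec["bca"]:
            summary["bcs"][rec["bcs"]].append(asset)
            if rec["dialup"]:
                summary["dialup"].add(rec["bcs"])
        summary["lerc"] = summary["lerc"] or rec["lerc"]
        if rec["leap"]:
            summary["leap"].append(asset)
    return sites


def findings(sites):
    """Gaps an audit team would raise: LERC declared with no LEAP identified,
    and BCS with Dial-up connectivity that need electronic protections."""
    out = []
    for site, summary in sorted(sites.items()):
        if summary["lerc"] and not summary["leap"]:
            out.append(f"{site}: LERC present but no LEAP asset identified")
        for bcs in sorted(summary["dialup"]):
            out.append(f"{site}: BCS {bcs} has dial-up; electronic protections required")
    return out


if __name__ == "__main__":
    merged, conflicts = merge_sources(("asset_mgmt", ASSET_MGMT_EXPORT),
                                      ("sme_interview", SME_INTERVIEW))
    for key, field, a, b in conflicts:
        print(f"CONFLICT {key}: {field} differs ({a} vs {b})")
    for line in findings(site_summary(merged)):
        print("FINDING", line)
```

Run as written, the constructed data yields one conflict (the asset-management export says PLC-7 has Dial-up while the SME says it does not) and two findings: Plant B needs electronic protections documented for its Dial-up BCS, and Plant C declares LERC without naming the Cyber Asset that holds the LEAP. Those are precisely the questions an audit team would otherwise have to resolve by site visit.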
Burns & McDonnell has used both methods to successfully identify Cyber Assets requiring Low Impact protections, specify the appropriate protections and, if requested, implement the protections to meet the Standards.
The following information may be of assistance in your Low Impact BCS research and implementation efforts:
- My previous posts for the NERC CIP Low Impact Requirement series: an Introduction to NERC CIP Low Impact Requirements, Cultural Change, and the Policy, Plans, Processes and Procedures.
- The Western Electricity Coordinating Council (WECC) Low Impact Workshop, held May 25-26, 2016, in Salt Lake City, Utah, covered a variety of topics, including Assets Containing Low Impact BES Cyber Systems, CIP 003-6 Low Impact Cyber Systems, and the Low Impact Generation CIP V5 Pilot Project.
- NERC’s presentation on Auditing Low Impact BES Cyber Systems presented at several Regional Entity outreach events in April and May 2016 can be found here.
- Burns & McDonnell will host our second annual Power Utility Security & Compliance Symposium August 8-9, 2016, which will cover several subjects related to Low Impact BCS.