In this fourth blog installment on implementing NERC CIP Low Impact BES Cyber Systems (BCS) requirements, I’ll dive into the prerequisite Standard CIP-002-5.1 for determining whether Low Impact BCS are present at a Bulk Electric System (BES) facility and whether an inventory should be created.

No List Required?

CIP-002-5.1 Requirement R1, Part 1.3 and CIP-003-6 Requirement R2 clearly indicate that a distinct list of BCS, or BES Cyber Assets (BCA) that make up a BCS, is not required. While this adheres to the Standards’ language, during CIP Version 5 outreach efforts NERC and Regional Entities — as well as Burns & McDonnell — have indicated that it is in an Entity’s best interest to develop some type of list to assist in determining if the documented protections are Standards-compliant.

Audit Team Requirements & a List

Per the Generally Accepted Government Auditing Standards used by the Regions, the primary purpose of an audit is to determine with “reasonable assurance” that the indicated protections will meet Standards requirements. While there are several ways of determining reasonable assurance, one of the most effective methods involves reviewing and validating a list or diagram as appropriate. For CIP-003-6, two of the Sections in Attachment 1 require the application of: 1) physical protections to BCS and Low Impact BES Cyber System Electronic Access Point (LEAP); and 2) electronic protections for the LEAP or BCS having Dial-up connectivity.

For Low Impact BCS, auditors need to understand which BCA make up the BCS, whether Low Impact External Routable Connectivity (LERC) exists and, if so, where the LEAP is located, and whether there is any Dial-up connectivity to the BCS, so they can determine whether the indicated protections are appropriate and in place to meet the Standards. The information can be communicated verbally, or a list and diagrams can be provided to the auditors. The information is normally validated with “reasonable assurance,” using site visits to match the provided information with what is actually at the facility.

Although the two collection methods may seem similar, from my own experience conducting audits, combined with an understanding of the Regional Audit Teams’ approach, I’ve found that a verbal presentation of the information is far more time-consuming than if a list was presented. Auditors often wonder if the information provided verbally is complete, and whether consistent information was used in the documented protections’ application.

By providing a documented list, the time spent completing a Low Impact audit can be reduced since the process of collecting and validating information is significantly expedited. This technique also offers the potential benefit of reducing the number of site visits needed once the audit team reaches a confidence level that the Entity knows what it has and the protections are applied as documented.

Inventory Methods

Burns & McDonnell’s approach for facilities containing only Low Impact BCS consists of either a full inventory or a survey inventory. A full inventory, like the process used for facilities containing High and Medium BCS, can be time-consuming, especially for an Entity with numerous Low Impact-only sites, since that process involves visiting and inspecting each site. A survey inventory is a process in which existing Cyber Asset information is collected from different sources, such as an Entity’s O&P and Information Technology Asset Management programs, as well as interviews with site Subject Matter Experts.

While the survey method is not as detailed as a full inventory, when applied correctly it provides the necessary and relevant information to understand which Cyber Assets are BCA, how each BCS is made up, where the site’s LEAP is located and which Cyber Assets contain the LEAP (if any), and which BCS have Dial-up connectivity.
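The survey inventory described above is essentially a data-reconciliation exercise: records about the same Cyber Asset arrive from several sources, and the useful output is one record per asset plus a per-site view of BCS membership, LERC, LEAP location and Dial-up, with any disagreement between sources surfaced as an open item for the site SMEs. The following Python script is an added illustration of that consolidation step; it is not Burns & McDonnell’s tooling or the page’s own code. The three source lists, the site and asset names, and the field names (`bca`, `bcs`, `lerc`, `leap`, `dialup`) are constructed for this example; in practice the BCA determination itself comes from the Entity’s CIP-002-5.1 process, and the script only carries that flag through.

```python
"""Consolidate a survey inventory of Low Impact BES Cyber Assets (added example).

Sample records and field names are constructed for illustration; the bca flag
is assumed to have been decided by the Entity's CIP-002-5.1 identification.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records from three survey sources.
#   site   - facility name            bca    - True if the asset is a BES Cyber Asset
#   asset  - Cyber Asset identifier   bcs    - BES Cyber System the BCA belongs to
#   lerc   - BCS has Low Impact External Routable Connectivity
#   leap   - identifier of the Cyber Asset hosting the LEAP, if any
#   dialup - asset has Dial-up connectivity
OT_ASSET_MGMT = [
    {"site": "Plant A", "asset": "RTU-01", "bca": True, "bcs": "Plant A DCS", "lerc": True, "dialup": False},
    {"site": "Plant A", "asset": "HMI-01", "bca": True, "bcs": "Plant A DCS", "lerc": True, "dialup": False},
    {"site": "Plant B", "asset": "RTU-07", "bca": True, "bcs": "Plant B Controls", "lerc": False, "dialup": True},
]
IT_ASSET_MGMT = [
    {"site": "Plant A", "asset": "FW-01", "bca": False, "leap": "FW-01"},
    {"site": "Plant A", "asset": "HMI-01", "bca": True, "bcs": "Plant A DCS", "lerc": False},  # disagrees with OT
]
SME_INTERVIEWS = [
    {"site": "Plant B", "asset": "RTU-07", "dialup": True, "bcs": "Plant B Controls"},
    {"site": "Plant C", "asset": "PLC-03", "bca": True, "bcs": "Plant C Unit 1", "lerc": False, "dialup": False},
]
SOURCES = {"ot": OT_ASSET_MGMT, "it": IT_ASSET_MGMT, "sme": SME_INTERVIEWS}


@dataclass
class AssetRecord:
    site: str
    asset: str
    fields: dict = field(default_factory=dict)      # field -> agreed (first-seen) value
    conflicts: dict = field(default_factory=dict)   # field -> {source: value} where sources disagree
    sources: set = field(default_factory=set)       # which surveys mentioned this asset


def merge_sources(sources):
    """Merge per-source records into one AssetRecord per (site, asset) and record conflicts."""
    merged = {}
    seen = defaultdict(lambda: defaultdict(dict))   # key -> field -> source -> value
    for name, records in sources.items():
        for rec in records:
            key = (rec["site"], rec["asset"])
            entry = merged.setdefault(key, AssetRecord(rec["site"], rec["asset"]))
            entry.sources.add(name)
            for fld, val in rec.items():
                if fld in ("site", "asset"):
                    continue
                seen[key][fld][name] = val
                entry.fields.setdefault(fld, val)   # first source wins; disagreement flagged below
    for key, by_field in seen.items():
        for fld, by_src in by_field.items():
            if len(set(by_src.values())) > 1:
                merged[key].conflicts[fld] = dict(by_src)
    return merged


def site_summary(merged):
    """Per site: BCS -> BCA list, LERC present, LEAP host, Dial-up present, open items for SMEs."""
    summary = {}
    for (site, asset), rec in merged.items():
        s = summary.setdefault(site, {"bcs": defaultdict(list), "lerc": False,
                                      "leap": None, "dialup": False, "open_items": []})
        f = rec.fields
        if f.get("bca"):
            s["bcs"][f.get("bcs", "UNASSIGNED")].append(asset)
            if "bcs" not in f:
                s["open_items"].append(f"{asset}: BCA with no BCS assigned")
        s["lerc"] = s["lerc"] or bool(f.get("lerc"))
        s["dialup"] = s["dialup"] or bool(f.get("dialup"))
        if f.get("leap"):
            s["leap"] = f["leap"]
        for fld, by_src in rec.conflicts.items():
            s["open_items"].append(f"{asset}: '{fld}' disagrees across sources {by_src}")
    for s in summary.values():
        if s["lerc"] and not s["leap"]:
            s["open_items"].append("LERC reported but no LEAP identified")
        s["bcs"] = dict(s["bcs"])
    return summary


if __name__ == "__main__":
    for site, s in site_summary(merge_sources(SOURCES)).items():
        print(site, s)
```

The first-seen value is kept only so that a summary can be produced; the conflict list is the real output of interest, since each entry is a question the audit team would otherwise raise on site (here, the OT and IT systems disagree about whether HMI-01 has LERC). The LERC-without-LEAP check is the kind of consistency test that makes a documented list more convincing than a verbal walkthrough.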

Burns & McDonnell has used both methods to successfully identify Cyber Assets requiring Low Impact protections, specify the appropriate protections and, if requested, implement the protections to meet the Standards.

Additional Information

The following information may be of assistance in your Low Impact BCS research and implementation efforts:

Michael C. Johnson is a member of the Compliance & Information Protection Group at Burns & McDonnell. He provides cybersecurity and NERC CIP compliance consulting to generation, transmission and distribution entities.