1 CIP-002-1 Critical Cyber Asset Identification A Compliance Perspective Lew Folkerth CIP Compliance Workshop Baltimore, MD August 19-20, 2009 © ReliabilityFirst Corporation


Page 1:

CIP-002-1 Critical Cyber Asset Identification

A Compliance Perspective

Lew Folkerth

CIP Compliance Workshop

Baltimore, MD

August 19-20, 2009

© ReliabilityFirst Corporation

Page 2:

Governance

• Annotated Text of the Standard
  • Annotations are NOT authoritative; they are commentary only
• Pre-audit questions
  • Are intended to streamline the audit process
  • Some go beyond what is required by the standard, for informational purposes
  • Are intended to help organize information used for compliance
  • Are intended as a starting point for review of the compliance documentation
• The “plain language” of the standard will govern

The only authoritative text in this presentation is that of the language of the standard. All else is opinion and intended practice and is subject to change. This presentation is for use by ReliabilityFirst Corporation and its member organizations only. Any other use requires the prior permission of ReliabilityFirst Corporation.

Page 3:

Time-based Terminology

The CIP standards call for an “annual review” or similar words in many places. But NERC has not yet defined the term “annual.” At present, the audit team must look to the entity to define “annual” in its own cyber security policy. However, some limits must be placed on how time-based terminology is defined.

A typical dictionary definition of “annual” might be “occurring each year at about the same time of year,” such as an annual festival. The following are possible definitions of the term annual as applied to these standards:

1. Occurring within 365 (366 in a leap year) days of the previous occurrence;
2. Once per year, at about the same time each year (plus or minus one month);
3. An event that occurs on a 12-month cycle, occurring in the same month each consecutive year. For example, an event occurring in July, 2009 would next occur in July, 2010;
4. Occurring in the same quarter each year, such as in the third quarter each year;
5. Occurring once per calendar year.

Page 4:

Time-based Terminology (cont’d)

Of these examples, the first four might be acceptable to an audit team. The fifth example would probably not be acceptable, since as much as 24 months may pass between occurrences of the event. Had the drafters of the standard intended this meaning, they would have used different terminology.

The final resolution of this issue will not occur until an official definition takes effect. Entities responsible for compliance with these standards should be aware that if an Interpretation is passed that is more restrictive than their own practice, they may be placed in violation of the standard. An Interpretation is retroactive, as it clarifies what the standard has meant all along.
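The five candidate definitions of “annual” on the preceding two slides can be written as date checks. The Python below is an added example written for this page, not part of the presentation. It assumes one reading of definition 1’s leap-year allowance (366 days when a 29 February falls inside the 365 days after the previous occurrence) and treats definition 2’s “plus or minus one month” at calendar-month granularity; both are assumptions and are marked in the code. The worst_case_gap_days helper shows why definition 5 permits almost 24 months between occurrences, which is the slide’s objection to it.

```python
from datetime import date, timedelta
from typing import Dict


def _has_leap_day_after(prev: date) -> bool:
    """True if a 29 February falls within the 365 days after prev.

    Assumption: this is how the example reads "365 (366 in a leap year) days".
    """
    for offset in range(1, 366):
        d = prev + timedelta(days=offset)
        if d.month == 2 and d.day == 29:
            return True
    return False


def _anniversary(prev: date) -> date:
    """Same calendar date one year later; 29 February rolls back to 28 February."""
    try:
        return prev.replace(year=prev.year + 1)
    except ValueError:
        return prev.replace(year=prev.year + 1, day=28)


def _month_index(d: date) -> int:
    return d.year * 12 + d.month


def _quarter(d: date) -> int:
    return (d.month - 1) // 3 + 1


def evaluate_annual(prev: date, nxt: date) -> Dict[str, bool]:
    """Test a pair of review dates against each of the five definitions."""
    gap = (nxt - prev).days
    if gap <= 0:
        # A "next" occurrence on or before the previous one satisfies nothing.
        return {k: False for k in ("1_within_365_days", "2_same_time_plus_minus_month",
                                   "3_same_month_next_year", "4_same_quarter_next_year",
                                   "5_once_per_calendar_year")}
    limit = 366 if _has_leap_day_after(prev) else 365
    anniv = _anniversary(prev)
    return {
        # Definition 1: within 365 (366 in a leap year) days of the previous occurrence.
        "1_within_365_days": gap <= limit,
        # Definition 2: about the same time each year, +/- one month (month granularity; assumption).
        "2_same_time_plus_minus_month": abs(_month_index(nxt) - _month_index(anniv)) <= 1,
        # Definition 3: same month in the following year.
        "3_same_month_next_year": nxt.year == prev.year + 1 and nxt.month == prev.month,
        # Definition 4: same quarter in the following year.
        "4_same_quarter_next_year": nxt.year == prev.year + 1 and _quarter(nxt) == _quarter(prev),
        # Definition 5: once per calendar year, with no constraint on where in the year.
        "5_once_per_calendar_year": nxt.year == prev.year + 1,
    }


def worst_case_gap_days(year: int) -> int:
    """Largest gap definition 5 allows: 1 January of one year to 31 December of the next."""
    return (date(year + 1, 12, 31) - date(year, 1, 1)).days


if __name__ == "__main__":
    for prev, nxt in [(date(2009, 7, 15), date(2010, 7, 10)),
                      (date(2009, 7, 15), date(2010, 8, 10)),
                      (date(2009, 1, 1), date(2010, 12, 31))]:
        print(prev, "->", nxt, evaluate_annual(prev, nxt))
    print("definition 5 worst case starting 2009:", worst_case_gap_days(2009), "days")
```

An entity that picks one of the first four definitions in its policy can run every recurring CIP task’s last two dates through the matching check; the third pair above passes only definition 5 despite a 729-day gap.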

Page 5:

CIP-002-1 R1 Annotated Text

R1. Critical Asset Identification — The Responsible Entity shall identify and document a risk-based assessment methodology [1] to use to identify its Critical Assets.

[1] There has been much discussion over what constitutes a risk-based assessment methodology. The traditional risk equation, Risk = Threat x Vulnerability, has been expanded in recent years to become Risk = Threat x Vulnerability x Impact. The NERC CIP Workshops gave instruction that since the identification and protection of Critical Assets in the electric industry is a long-term process, threats and vulnerabilities cannot be known in advance. The Workshop recommended that the Threat and Vulnerability portions of the risk equation be set to 1.0. If such is the case the risk equation becomes Risk = 1.0 x 1.0 x Impact, or Risk = Impact. Therefore, the risk-based assessment becomes an impact analysis.

Critical Assets: Facilities, systems, and equipment which, if destroyed, degraded, or otherwise rendered unavailable, would affect the reliability or operability of the Bulk Electric System.

Page 6:

CIP-002-1 R1 Annotated Text (cont’d)

R1.1. The Responsible Entity shall maintain documentation [2] describing its risk-based assessment methodology that includes procedures [3] and evaluation criteria [4].

R1.2. The risk-based assessment shall consider the following assets:

[2] The entity is required to maintain documentation regarding its methodology. Note that management approval of the methodology is not specifically required.

[3] The documentation must contain procedures, that is, explicit instructions for applying the methodology.

[4] The documentation must include evaluation criteria. The evaluation criteria may not be randomly chosen; they must meet certain minimum considerations as discussed below.

Page 7:

CIP-002-1 R1 Annotated Text (cont’d)

R1.2.1. Control centers and backup control centers [5] performing the functions of the entities [6] listed in the Applicability section of this standard.

[5] Control centers have been defined as having a broad geographic reach, as opposed to control rooms such as those used at generating facilities. Using this definition, generation control rooms would fall under R1.2.3 rather than this requirement. Also note that it is the control center as a whole that is considered the asset, not just its computer systems.

[6] Note that impact to the BES is not mentioned in this requirement. For example, if a control center is used to perform the function of an LSE, then it is subject to this requirement.

Page 8:

CIP-002-1 R1 Annotated Text (cont’d)

R1.2.2. Transmission substations [7] that support the reliable operation of the Bulk Electric System.

[7] Normal planning work is done at the transformer, line or breaker level. This requirement explicitly states that loss or compromise of an entire substation must be considered. Note that transmission lines are not included as candidates for critical assets, although they could be considered as additional assets under R1.2.7 at the entity’s discretion. Note further that substations that support the reliable operation of the BES are to be considered. This may mean a substation operating at less than 100 kV might be under consideration if its loss or compromise could affect the BES.

Page 9:

CIP-002-1 R1 Annotated Text (cont’d)

R1.2.3. Generation resources [8] that support the reliable operation of the Bulk Electric System.

[8] The use of the term “Generation resources” rather than “Generation plants” or “Generation units” indicates that neither the plant nor the unit is to be the deciding factor in consideration. Rather, the facility must be considered by commonality of systems. For example, if a plant consists of two units, and these units share no common systems such as control rooms or computer networks, then these units would be considered as separate resources by the methodology. If, on the other hand, these units share a common system such as a control room, then the methodology must consider these units as one resource.

Bulk Electric System: As defined by the Regional Reliability Organization, the electrical generation resources, transmission lines, interconnections with neighboring systems, and associated equipment, generally operated at voltages of 100 kV or higher. Radial transmission facilities serving only load with one transmission source are generally not included in this definition.
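The “commonality of systems” rule in footnote [8] is a grouping problem: units that share any system (directly, or through a chain of shared systems) form one generation resource. The Python below is an added example for this page, not part of the presentation or any NERC guidance. The unit and system names are a constructed sample; it treats every shared system, not only control rooms and networks, as joining its units, which is this example’s reading of the footnote. It also records which systems tie each resource together, since that is what an auditor would ask the methodology to show.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample inventory (not from the presentation): each generating
# unit maps to the set of systems it depends on. Names are illustrative.
SAMPLE_UNITS: Dict[str, Set[str]] = {
    "Plant A Unit 1": {"Plant A control room", "Plant A plant network"},
    "Plant A Unit 2": {"Plant A control room", "Plant A plant network"},
    "Plant B Unit 1": {"Plant B Unit 1 control room", "Plant B Unit 1 DCS"},
    "Plant B Unit 2": {"Plant B Unit 2 control room", "Plant B Unit 2 DCS"},
    "Plant C Unit 1": {"Plant C control room 1", "Plant C plant historian"},
    "Plant C Unit 2": {"Plant C control room 2", "Plant C plant historian"},
}


def group_into_resources(units: Dict[str, Set[str]]) -> List[Dict[str, List[str]]]:
    """Partition units into generation resources by commonality of systems.

    Two units belong to the same resource if they share at least one system,
    directly or through a chain of shared systems (connected components found
    with union-find). Each returned record lists the member units and the
    systems used by more than one member, i.e. why they are one resource.
    """
    parent = {u: u for u in units}

    def find(u: str) -> str:
        while parent[u] != u:
            parent[u] = parent[parent[u]]  # path halving keeps the tree shallow
            u = parent[u]
        return u

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Index units by system, then merge every unit that uses the same system.
    users_of: Dict[str, List[str]] = defaultdict(list)
    for unit, systems in units.items():
        for system in systems:
            users_of[system].append(unit)
    for members in users_of.values():
        for other in members[1:]:
            union(members[0], other)

    # Collect the components and the systems shared inside each one.
    members_of: Dict[str, List[str]] = defaultdict(list)
    for unit in units:
        members_of[find(unit)].append(unit)

    resources = []
    for members in members_of.values():
        member_set = set(members)
        shared = sorted(s for s, users in users_of.items()
                        if len(set(users) & member_set) > 1)
        resources.append({"units": sorted(members), "shared_systems": shared})
    return sorted(resources, key=lambda r: r["units"])


if __name__ == "__main__":
    for r in group_into_resources(SAMPLE_UNITS):
        print(r["units"], "shared:", r["shared_systems"] or "none")
```

In the sample, Plant A’s two units become one resource through a shared control room and network, Plant B’s units stay separate, and Plant C’s units are joined only by a shared historian, so the methodology’s documentation should say whether a system of that kind counts.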

Page 10:

CIP-002-1 R1 Annotated Text (cont’d)

R1.2.4. Systems and facilities critical to system restoration [9], including blackstart generators and substations in the electrical path of transmission lines used for initial system restoration.

[9] Systems and facilities critical to system restoration are considered to be any generator or substation, regardless of capacity or voltage level, required to be in service for the primary and secondary cranking paths as determined by the authority responsible for blackstart in the area in which the asset under consideration is located.

Page 11:

CIP-002-1 R1 Annotated Text (cont’d)

R1.2.5. Systems and facilities critical to automatic load shedding [10] under a common control system capable of shedding 300 MW or more.

[10] Note the restrictive limits in this requirement: automatic load shedding, not manual; under a common control system, not separate control systems; total load controlled by the common system greater than 300 MW. Also note that the BES is not mentioned in this requirement, so there is no minimum voltage consideration.

Page 12:

CIP-002-1 R1 Annotated Text (cont’d)

R1.2.6. Special Protection Systems that support the reliable operation of the Bulk Electric System.

Special Protection System: An automatic protection system designed to detect abnormal or predetermined system conditions, and take corrective actions other than and/or in addition to the isolation of faulted components to maintain system reliability. Such action may include changes in demand, generation (MW and Mvar), or system configuration to maintain system stability, acceptable voltage, or power flows. An SPS does not include (a) underfrequency or undervoltage load shedding or (b) fault conditions that must be isolated or (c) out-of-step relaying (not designed as an integral part of an SPS). Also called Remedial Action Scheme.

Page 13:

CIP-002-1 R1 Annotated Text (cont’d)

R1.2.7. Any additional assets [11] that support the reliable operation of the Bulk Electric System that the Responsible Entity deems appropriate to include in its assessment.

[11] Additional assets may include capacitor banks, transmission lines, or any other assets the entity wishes to consider as a critical asset. Note that to impact the reliability of the BES it is not necessary for an asset to operate at a voltage greater than 100 kV. A capacitor bank is seldom operated at more than 100 kV, but the loss or misoperation of a capacitor bank could seriously impact the reliability of the BES.

Page 14:

CIP-002-1 R1 Items for Consideration – Pre-audit

1. In compliance with CIP-002, Requirement R1, Registered Entities may define a single Risk-Based Assessment Methodology that applies to all registered functions, or the entity may define multiple methodologies applicable to subsets of their registered functions. For each defined Risk-Based Assessment Methodology, please answer the following questions:

a. What registered functions are applicable to the Risk-Based Assessment Methodology?

b. Describe the approach to defining and conducting the Risk-Based Assessment Methodology.

Page 15:

CIP-002-1 R1 Items for Consideration – Pre-audit (cont’d)

c. Does the Risk-Based Assessment Methodology consider assets at the level of granularity specified in the Standard? Examples include control centers, substations and generation resources.

Page 16:

CIP-002-1 R1 Items for Consideration – Pre-audit (cont’d)

d. If the approach relies upon engineering or other criteria thresholds to distinguish between Critical Assets and other Bulk Electric System assets, what is the basis for selecting the threshold values?

e. To what extent does the Risk-Based Assessment Methodology rely upon N-1 contingencies as criteria for eliminating Bulk Electric System assets from the Critical Asset list?

Page 17:

CIP-002-1 R1 Items for Consideration – Pre-audit (cont’d)

f. If the Risk-Based Assessment Methodology relies upon N-1 contingencies as criteria, at what granularity is the contingency applied? Examples of granularity include element, facility, and system, as defined in the NERC Glossary.

g. To what extent does the Risk-Based Assessment Methodology rely upon redundancy as criteria for eliminating Bulk Electric System assets from the Critical Asset list?

Page 18:

CIP-002-1 R1 Items for Consideration – Pre-audit (cont’d)

h. To what extent do the entity’s assets utilize common control systems? Examples would include generating units with a common control room and breakers or substations with a common control system.

i. To what extent does the Risk-Based Assessment Methodology rely upon assistance from neighboring Registered Entities as criteria for eliminating Bulk Electric System assets from the Critical Asset list?

Page 19:

CIP-002-1 R1 Items for Consideration – Pre-audit (cont’d)

j. If an element, facility, or system as defined in the NERC Glossary is deemed to be operationally significant per other NERC or regional standards, how does this determination factor into the Risk-Based Assessment Methodology?

k. To what extent does the Risk-Based Assessment Methodology consider the misuse of the asset when evaluating Bulk Electric System assets for inclusion on the Critical Asset list?

Page 20:

CIP-002-1 R1 Items for Consideration – Pre-audit (cont’d)

l. To what extent does the Risk-Based Assessment Methodology request a review and concurrence by the Registered Entity’s Balancing Authority (if applicable), neighboring Registered Entities, and/or Reliability Coordinator?

m. If multiple Risk-Based Assessment Methodologies are used to identify Critical Assets, what measures are taken to ensure all Bulk Electric System assets are considered by at least one methodology?

Page 21:

CIP-002-1 R1 Notes on the Methodology

• Risk-based assessment methodology (RBAM)
  • Strong preference (supported by the language of the standard) is for no more than one RBAM per registered function.
  • Each asset identified by the BES asset list must be assessed by at least one RBAM.
  • The RBAM must be sufficient to explain the determination of an asset as critical or not critical. (Order 706 P 288)
  • Each entity is responsible for identifying and maintaining its own RBAM.
  • Possible approaches (per NERC Workshop):
    • Calculation based evaluation
    • Experience based evaluation
    • Combination of calculation and experience based evaluation

Page 22:

CIP-002-1 R1 Notes on the Methodology (cont’d)

• Risk-based assessment methodology (RBAM) (cont’d)
  • Calculation based evaluation
    • Uses the Risk = Threat x Vulnerability x Impact equation. An entity may choose to set Threat and Vulnerability to 1.0, thereby making the equation Risk = Impact. While this approach is not required, it is the approach recommended by NERC. If numbers are assigned to various threat and vulnerability configurations, expect the source of those numbers to be examined.
    • A calculation based RBAM may be based on megawatt (MW) values determined by an impact study. If so, be prepared to demonstrate how and when the MW values are measured. If a loadflow was used, explain what case was used and the reason that case was chosen.

Page 23:

CIP-002-1 R1 Notes on the Methodology (cont’d)

• Risk-based assessment methodology (RBAM) (cont’d)
  • Experience based evaluation
    • Also known as a “Red Team” evaluation
    • Document the scenarios that were considered. How and why were these scenarios chosen? Ensure the number and variety of scenarios considered is appropriate and sufficient to provide valid results. Ensure the scenarios consider loss of functionality at the level required by the standard (substation, etc.).
    • If actual past experiences are used as all or part of the evaluation, the experiences must be documented and not anecdotal. The experiences need to be recent enough to be valid.

Page 24:

CIP-002-1 R1 Notes on the Methodology (cont’d)

• Risk-based assessment methodology (RBAM) (cont’d)
  • Combination of calculation and experience based evaluation
    • Calculations may be used to fill gaps in the experience based assessment.
    • As two approaches are being used, particular care should be taken to ensure no gaps in the assessment remain.

Page 25:

CIP-002-1 R1 Notes on the Methodology (cont’d)

• Risk-based assessment methodology (RBAM) (cont’d)
  • Explicitly required elements of the documentation
    • Procedures (How is the RBAM applied?)
    • Evaluation criteria (What parameters are used by the RBAM?)

Page 26:

CIP-002-1 R2 Annotated Text

R2. Critical Asset Identification — The Responsible Entity shall develop a list [1] of its identified Critical Assets determined through an annual [2] application of the risk-based assessment methodology required in R1. The Responsible Entity shall review this list at least annually [3], and update it as necessary [4].

[1] While a single list of Critical Assets is called for by the language of the standard, if an entity chooses to keep one list per registered function this should be considered acceptable. If CIP-003-1 R4 is enforceable then the Critical Asset list must have been identified, classified and protected per that requirement. Note that approval of this list is not explicitly required by R2. See R4 for required approvals.

[2] See the discussion of time-based terminology for issues related to the term “annual.”

Page 27:

CIP-002-1 R2 Annotated Text (cont’d)

R2. Critical Asset Identification — The Responsible Entity shall develop a list [1] of its identified Critical Assets determined through an annual [2] application of the risk-based assessment methodology required in R1. The Responsible Entity shall review this list at least annually [3], and update it as necessary [4].

[3] It is not acceptable for an entity to declare that the words “annual application” and “review this list at least annually” mean that the initial review may be performed up to a year after the “Compliant” date for this requirement. The plain language of the standard means that Critical Assets must be identified prior to the “Compliant” date in the appropriate table in the Implementation Plan.

[4] The issue of adding new assets which are then identified as critical is addressed in CIP-002-2.

Page 28:

CIP-002-1 R2 Items for Consideration – Pre-audit

1. How are Bulk Electric System assets identified for inclusion in the list of assets to be considered for Critical Asset designation by application of the Risk-Based Assessment Methodology?

2. Has the “reasonable business judgment” clause been used to exclude any assets from consideration as Critical Assets?

Page 29:

CIP-002-1 R3 Annotated Text

R3. Critical Cyber Asset Identification — Using the list of Critical Assets developed pursuant to Requirement R2, the Responsible Entity shall develop a list [1] of associated Critical Cyber Assets essential to the operation [2] of the Critical Asset. Examples [3] at control centers [4] and backup control centers [5] include systems and facilities at master and remote sites that provide monitoring and control [6], automatic generation control, real-time power system modeling, and real-time interutility data exchange. The Responsible Entity shall review this list at least annually, and update it as necessary. For the purpose of Standard CIP-002, Critical Cyber Assets are further qualified to be those having at least one of the following characteristics:

R3.1. The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter; or,

R3.2. The Cyber Asset uses a routable protocol within a control center; or,

R3.3. The Cyber Asset is dial-up accessible.

Page 30:

CIP-002-1 R3 Annotated Text (cont’d)

[1] In this case the language of the standard makes it clear that each Critical Cyber Asset (CCA) may have its own list.

[2] The key words in this requirement: “essential to the operation.”

Critical Cyber Assets: Cyber Assets essential to the reliable operation of Critical Assets.

Cyber Asset: Programmable electronic devices and communication networks including hardware, software, and data.

Electronic Security Perimeter: The logical border surrounding a network to which Critical Cyber Assets are connected and for which access is controlled.

Page 31:

CIP-002-1 R3 Items for Consideration – Pre-audit

1. For identified Critical Assets, how are Cyber Assets identified for inclusion in the list of Cyber Assets to be considered for Critical Cyber Asset designation?

2. What processes and/or criteria are used to determine which Cyber Assets are designated as Critical Cyber Assets?

a. To what extent does the process or criteria rely upon redundancy as criteria for eliminating Cyber Assets from the Critical Cyber Asset list?

b. To what extent does the process or criteria consider the misuse of the Cyber Asset as criteria for evaluating Cyber Assets for inclusion on the Critical Cyber Asset list?

3. Has the “reasonable business judgment” clause been used to exclude any Cyber Assets from consideration as Critical Cyber Assets?

Page 32:

CIP-002-1 R4 Annotated Text

R4. Annual Approval — A senior manager or delegate(s) [1] shall approve annually [2] the list of Critical Assets and the list of Critical Cyber Assets. Based on Requirements R1, R2, and R3 the Responsible Entity may determine that it has no Critical Assets or Critical Cyber Assets. The Responsible Entity shall keep a signed and dated record [3] of the senior manager or delegate(s)’s approval of the list of Critical Assets and the list of Critical Cyber Assets (even if such lists are null [4]).

[1] Note that the senior manager or delegate per CIP-003-1 R2 is not explicitly required. This changes in version 2.

[2] See discussion of “annual” below.

[3] This is one place where a “wet ink” signature is required.

[4] If the list of CAs and/or CCAs is null, these must still be approved.

Page 33:

CIP-002-1 R4 Items for Consideration – Pre-audit

1. How is the senior manager referred to in R4 designated?

2. If the senior manager has delegated authority to approve the list of Critical Assets and/or the list of Critical Cyber Assets, how is that delegation documented?

3. Is a signed and dated list of Critical Assets and a signed and dated list of Critical Cyber Assets available for the entire audit period?
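The R2 to R4 chain (pages 26 through 33) is a procedure: take the Critical Asset list, derive the Critical Cyber Assets that are essential to each one and meet at least one of R3.1, R3.2 or R3.3, then keep a signed and dated approval record even when a list is null. The Python below is an added example written for this page; it is not the presentation’s material or any NERC tooling. The inventory is a constructed sample, the field names are this example’s own, and the approval record only indexes who signed and when, since the “wet ink” signature itself is paper evidence.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class CyberAsset:
    name: str
    critical_asset: str                    # Critical Asset this device is associated with
    essential_to_operation: bool           # R3: "essential to the operation" of that Critical Asset
    routable_outside_esp: bool             # R3.1: routable protocol outside the ESP
    routable_within_control_center: bool   # R3.2: routable protocol within a control center
    dial_up_accessible: bool               # R3.3: dial-up accessible


def qualifying_characteristics(asset: CyberAsset) -> List[str]:
    """Return which of R3.1, R3.2, R3.3 the asset meets; any one is enough."""
    hits = []
    if asset.routable_outside_esp:
        hits.append("R3.1")
    if asset.routable_within_control_center:
        hits.append("R3.2")
    if asset.dial_up_accessible:
        hits.append("R3.3")
    return hits


def is_critical_cyber_asset(asset: CyberAsset) -> bool:
    """R3: essential to the Critical Asset's operation AND at least one of R3.1-R3.3."""
    return asset.essential_to_operation and bool(qualifying_characteristics(asset))


def build_cca_lists(critical_assets: List[str],
                    cyber_assets: List[CyberAsset]) -> Dict[str, List[str]]:
    """One CCA list per Critical Asset. Empty lists are kept, not dropped, so they can be approved."""
    lists: Dict[str, List[str]] = {name: [] for name in critical_assets}
    for asset in cyber_assets:
        if asset.critical_asset not in lists:
            # A device tied to something that is not a Critical Asset is an inventory error,
            # not a silent exclusion.
            raise ValueError(f"{asset.name}: {asset.critical_asset!r} is not on the Critical Asset list")
        if is_critical_cyber_asset(asset):
            lists[asset.critical_asset].append(asset.name)
    return {k: sorted(v) for k, v in lists.items()}


def approval_record(critical_assets: List[str], cca_lists: Dict[str, List[str]],
                    approver: str, signed_on: date) -> Dict[str, object]:
    """R4 record: produced even when both lists are null (footnote [4])."""
    return {
        "critical_assets": sorted(critical_assets),
        "critical_cyber_assets": cca_lists,
        "critical_asset_list_null": len(critical_assets) == 0,
        "cca_list_null": all(len(v) == 0 for v in cca_lists.values()),
        "approved_by": approver,
        "signed_on": signed_on.isoformat(),
    }


# Constructed sample inventory (not from the presentation); names are illustrative.
CRITICAL_ASSETS = ["Main Control Center", "Substation North"]
CYBER_ASSETS = [
    CyberAsset("EMS server", "Main Control Center", True, True, True, False),
    CyberAsset("Operator HMI", "Main Control Center", True, False, True, False),
    CyberAsset("Print server", "Main Control Center", False, True, True, False),   # not essential
    CyberAsset("Substation RTU", "Substation North", True, False, False, True),
    CyberAsset("Serial-only relay", "Substation North", True, False, False, False),  # none of R3.1-R3.3
]

if __name__ == "__main__":
    lists = build_cca_lists(CRITICAL_ASSETS, CYBER_ASSETS)
    print(approval_record(CRITICAL_ASSETS, lists, "SENIOR-MANAGER-PLACEHOLDER", date(2009, 8, 20)))
```

The two non-CCA sample devices show the two ways an asset drops out under CIP-002-1: the print server fails the “essential to the operation” test even though it is routable, and the serial-only relay is essential but meets none of R3.1 to R3.3. Both outcomes should be written down with the reason, since the RBAM and its results must explain each determination.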