Critical Asset Identification NERC CIP 002 3 NERC CIP





By Jerry Ketterling

NERC CIP-002 requirements provide a structure for the identification and documentation of Critical Assets: those assets that, if compromised, degraded, misused, interrupted, etc., can affect the operation of the Bulk Electric System (BES). The Bulk Electric System is the system whereby power is created and delivered throughout North America and many regional and local utilities. The protection of the BES requires that each individual utility operation have satisfactory controls and defenses on its critical assets and cyber assets to prevent and isolate adverse events on the BES. Identification (CIP-002) and Protection (CIP-003 to CIP-009) are the keys to the well-being of the BES from the CIP viewpoint, with each utility applying controls to ensure the safety and integrity of its Critical Assets (CA) and Critical Cyber Assets (CCA).

The Risk-Based Assessment Methodology (RBAM) is the key to successfully meeting CIP compliance. An entity that does not have an RBAM that correctly identifies which physical assets can affect the BES has no effective way to ensure that its efforts to protect the BES can be successful. Therefore the RBAM methodology, procedures and resulting CA lists MUST go through an extensive review process by all key personnel and departments that have visibility into the criticality of assets.

Once the Critical Asset List has been established with a degree of assurance, a comprehensive review of these sites needs to be executed to identify the specific Critical Cyber Assets that can affect the BES. The construction of the CCA list can be a chore, depending on how much detailed information exists and how exact that documentation is. Electronic means should be used to gather and confirm network and device information.

The CA reviews should include comprehensive identification and validation of significant data and communication paths (data flow documentation). This may include personally reviewing each site, to the extent of following cables and wires, to ensure every device has been identified and recorded. If you do not know a device is there, how can a determination be made as to its criticality?

Unfortunately, we have found utilities resistant to the use of electronic resources to assist with the inventory of assets. This is partly due to the "Fear Factor" and a lack of awareness of security tools. The fear factor is propagated by the regional and national entities warning of impending disaster if real security and network tools are used. However, if an entity is compromised, we doubt that it would be concerned with an outage due to the use of a security tool (nmap, Nessus, etc.).

A critical element of InfoSec is reliability. If a system, device or network cannot stand up against a basic security investigation, then that needs to be identified as a risk and different controls implemented to provide a more complete level of protection. Clearly care and caution need to be taken, but forbidding the use of these tools is not productive.





About The Author
Jerry Ketterling is the President of NERC CIP Compliance Consulting. Jerry assists utility companies in passing NERC CIP audits and responding to the results of a NERC CIP audit, whether you pass or require corrective action.
