Updates to the North American Electric Reliability Corporation critical infrastructure protection plan - or NERC CIP - are on their way. How prepared is your business' IT department and change management team?
How electric reliability organizations (EROs) maintain their most crucial digital assets impacts how energy moves throughout regions of the U.S., possibly even the whole country. In conjunction with the Federal Energy Regulatory Commission, NERC lays out best practices for companies overseeing bulk electrical system cyber assets to ensure these organizations adhere to a set of principles supporting critical equipment and preventing disruptions resulting from cyberattacks and administrative errors.
In this four-part series, we'll shine a light on the three major changes coming with the fifth iteration of the NERC CIP. First, let's address CIP 002-5 and how adjustments to NERC CIP version 5 will affect IT departments managing BES cyber assets.
Starting With the Basics of BES Systems Categorization
Any organization enforcing compliance would be wise to provide regulated parties with a rubric by which to gauge and self-manage their level of compliance - NERC CIP does just that with CIP 002-5. Essentially, CIP 002-5 focuses on how EROs classify their physical assets and cyber assets so they can apply subsequent compliance standards accordingly. Between CIP versions 4 and 5, NERC has switched categorization and security compliance standards away from individual assets to groups of assets. This better matches how controls like malware protection are applied: not case-by-case, but to the BES system as a whole.
Additionally, this update aims to empower EROs to outline compliance clearly to regulatory bodies. One resource NERC offers EROs to perform this task is a Reliability Standard Audit Worksheet (RSAW), a guide by which EROs can prove compliance. According to NERC, RSAWs don't dictate a single method for enhancing cyber assets to the latest CIP standards, but discuss multiple channels through which EROs can achieve compliance using whatever technique works best for their organizations individually.
This introductory alteration helps IT departments build more compliant change management processes from the ground up. CIP 002-5 not only pushes IT to organize under a recognized standard for easy oversight, but provides resources necessary to show compliance to regulatory bodies in a universally recognizable way.
Projecting Impact of Compromised BES Systems
So what is a BES cyber asset that CIP 002-5 deals with? As of this last January, NERC recognizes a BES cyber asset as:
A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or nonoperation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems.
With that in mind, a vital step to BES categorization includes detailing exactly how configuration changes to BES cyber assets affect physical assets. In determining the responsibilities assigned to each BES cyber asset, EROs can judge and respond to system failure based on asset criticality.
Continuing from enhanced categorization, CIP 002-5 requires EROs to not only identify the impact levels of each BES asset, cyber and physical, but also explain the nature of BES cyber/physical relationships. For instance, one cyber asset may allow remote access to physical assets, whereas another physical asset can only be compromised on-site, like keycard readers for ERO facilities.
From a general change management perspective, CIP 002-5 informs IT departments as to the potential scope of configuration issues caused by unauthorized or unintentional changes. This is a valuable resource, as this data supports emergency change initiatives triggered when adverse changes corrupt BES cyber systems and major grid functionality. With a cache of possible causes for every infrastructure failure event, IT teams can be more responsive and address problems faster and with greater efficacy.