CIP-002: Cyber Security Illustrative Approach

An entity should first identify Cyber Assets associated with the operation of an identified Critical Asset. This is not intended to be a complete inventory of all Cyber Assets at the facility, but rather an evaluation and then identification of all Cyber Assets that may have direct or indirect impact on the essential function of a Critical Asset. However, a comprehensive Cyber Asset inventory would be helpful in supporting CIP-005-1.

Entities may want to perform complete inventories of Cyber Assets if there are questions about the nature of their impact on essential functions; doing so will ensure that all appropriate Cyber Assets have been considered in the assessment. A Cyber Asset is defined to be "Programmable electronic devices and communication networks including hardware, software and data." For the purposes of this guideline, software, data, and cabling are considered to exist within the framework of the Cyber Asset and not as separate Cyber Assets.

In general, Cyber Assets are digital elements that are part of control systems, data acquisition systems, or the networking equipment used by a control or data acquisition system.

  • Control systems comprise devices or sets of devices that act to manage, command, or regulate the behavior of processes, devices, or other systems.
  • Data acquisition systems are a collection of sensors and communication links that act to sample, collect, and provide data regarding the plant systems to a centralized location for display, archiving, or further processing.
  • Networking equipment includes devices such as routers, hubs, switches, firewalls, and modems.

When identifying Cyber Assets, consider the different roles and functions through which a Cyber Asset might directly or indirectly affect the essential functionality of a Critical Asset, such as:

  • Provides operation information in real time
  • Controls parameters, manual or automated
  • Calculates important parameters or limits
  • Generates prompts or alarms
  • Provides connectivity between Cyber Assets within the Electronic Security Perimeter (ESP)
  • Supports continuity of operations of the Critical Assets or local recovery plans

This approach assumes that the Responsible Entity has already identified its Critical Assets and has defined the essential functions of the Critical Assets. Defining the essential functions of the Critical Asset helps determine whether a particular Cyber Asset is essential to the operation of the Critical Asset. Cyber Assets that are connected to support systems (such as environmental and continuous power systems) that are indirectly essential to the operation of the Critical Asset could also be addressed. NERC recommends the following five steps:

  1. Identify Cyber Assets associated with a Critical Asset.
  2. Group Cyber Assets by application.
  3. Identify Cyber Assets that support essential functions of Critical Assets.
  4. Identify Cyber Assets with CIP-002 R3 qualifying characteristics.
  5. Compile a list of Critical Cyber Assets.

Cyber Assets are considered essential to a Critical Asset if any one of the following criteria is met:

  • The Cyber Asset is involved in, or is capable of, supervisory or autonomous control that supports an essential function of a Critical Asset.
  • The Cyber Asset displays, transfers, or contains information used to make real-time operational decisions that supports an essential function of a Critical Asset.
  • The Cyber Asset, if lost, would degrade the essential function of a Critical Asset.
  • The Cyber Asset, if compromised, could impact the essential function of a Critical Asset.
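
The five steps and the four "essential" criteria above can be run as a repeatable filter over an asset inventory. The following Python sketch is an added example, not part of the NERC guideline. The field names, asset names and applications are constructed, and because this page does not list the CIP-002 R3 qualifying characteristics, the R3 result is taken as an assessor-supplied flag.

```python
from collections import defaultdict
from dataclasses import dataclass

# The page's four "essential" criteria; the field names are assumptions.
CRITERIA = {
    "controls": "supervisory or autonomous control",
    "informs": "information for real-time operational decisions",
    "loss_degrades": "loss would degrade the essential function",
    "compromise_impacts": "compromise could impact the essential function",
}

@dataclass(frozen=True)
class CyberAsset:
    name: str
    application: str              # grouping key for step 2
    controls: bool = False
    informs: bool = False
    loss_degrades: bool = False
    compromise_impacts: bool = False
    r3_qualifying: bool = False   # assessor's R3 finding, supplied as input
    def essential_reasons(self):
        # Any one criterion is enough; keep all that apply as the audit rationale.
        return [text for field, text in CRITERIA.items() if getattr(self, field)]

def assess(inventory):
    """Steps 2-5: group, test essential criteria, apply the R3 flag, compile."""
    groups = defaultdict(list)
    for asset in inventory:                      # step 2
        groups[asset.application].append(asset)
    result = {"critical": {}, "essential_not_r3": [], "not_essential": []}
    for application, assets in sorted(groups.items()):
        for asset in assets:
            reasons = asset.essential_reasons()  # step 3
            if not reasons:
                result["not_essential"].append(asset.name)
            elif not asset.r3_qualifying:        # step 4
                result["essential_not_r3"].append(asset.name)
            else:                                # step 5
                result["critical"].setdefault(application, {})[asset.name] = reasons
    return result

# Constructed inventory for one Critical Asset (step 1); all names are made up.
INVENTORY = [
    CyberAsset("dcs-controller-1", "unit control", controls=True, loss_degrades=True, r3_qualifying=True),
    CyberAsset("operator-hmi-1", "unit control", informs=True, compromise_impacts=True, r3_qualifying=True),
    CyberAsset("relay-serial-7", "protection", controls=True),
    CyberAsset("lobby-kiosk", "visitor sign-in"),
]

if __name__ == "__main__":
    print(assess(INVENTORY))
```

Keeping the "essential but not R3" and "not essential" buckets alongside the final list records why each asset was excluded, which is the part of the assessment most often questioned later.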