CIP-002: Cyber Security Requirements

  • R1. Critical Asset Identification Method - The Responsible Entity must identify and document a risk-based assessment methodology to identify Critical Assets in the organization.
  • R2. Critical Asset Identification - The Responsible Entity creates a list of Critical Assets determined through an annual application of the risk-based assessment methodology required in R1. The Responsible Entity reviews this list at least annually and updates it as necessary.
  • R3. Critical Cyber Asset Identification - Using the list of Critical Assets developed pursuant to R2, the Responsible Entity must develop a list of associated Critical Cyber Assets essential to the operation of the Critical Asset.

    Examples at control centers and backup control centers include systems and facilities at master and remote sites that provide monitoring and control, automatic generation control, real-time power system modeling, and real-time inter-utility data exchange. The Responsible Entity shall review this list at least annually, and update it as necessary. For the purpose of Standard CIP-002, Critical Cyber Assets are further qualified to be those having at least one of the following characteristics:

    • The Cyber Asset uses a routable protocol to communicate outside the Electronic Security Perimeter;
    • The Cyber Asset uses a routable protocol within a control center; or,
    • The Cyber Asset is dial-up accessible.
  • R4. Annual Approval - The senior manager or delegate(s) shall approve annually the risk-based assessment methodology, the list of Critical Assets, and the list of Critical Cyber Assets. Based on Requirements R1, R2, and R3 the Responsible Entity may determine that it has no Critical Assets or Critical Cyber Assets.

    The Responsible Entity shall keep a signed and dated record of the senior manager or delegate(s)'s approval of the risk-based assessment methodology, the list of Critical Assets, and the list of Critical Cyber Assets (even if such lists are null).
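As an added illustration, not part of the CIP-002 text or any NERC tooling, the following Python applies the chain R2 → R3 to a constructed asset inventory: an asset becomes a Critical Cyber Asset only when it is associated with an asset on the R2 Critical Asset list and has at least one of the three R3 characteristics (routable protocol outside the Electronic Security Perimeter, routable protocol within a control center, or dial-up accessibility). It also records the reason each excluded asset was left off the list, which is the kind of documentation R1 and R4 expect an auditor to find, and checks the annual-review interval from R2/R4. The inventory rows, field names and dates are all assumptions constructed for the example.

```python
"""Added example: applying CIP-002 R2/R3 qualification to an asset inventory.
Not taken from the standard; the inventory below is constructed sample data."""
from datetime import date, timedelta

# Constructed inventory (assumption): each cyber asset names the asset it
# supports and carries the three attributes that R3 asks about.
INVENTORY = [
    {"name": "ems-scada-01", "supports": "Control Center A",
     "routable_outside_esp": True, "routable_in_control_center": True, "dial_up": False},
    {"name": "agc-server", "supports": "Control Center A",
     "routable_outside_esp": False, "routable_in_control_center": True, "dial_up": False},
    {"name": "rtu-sub-12", "supports": "Substation 12",
     "routable_outside_esp": False, "routable_in_control_center": False, "dial_up": True},
    {"name": "hmi-local-03", "supports": "Substation 12",
     "routable_outside_esp": False, "routable_in_control_center": False, "dial_up": False},
    {"name": "billing-db", "supports": "Corporate IT",
     "routable_outside_esp": True, "routable_in_control_center": False, "dial_up": False},
]

# Output of the R2 risk-based assessment (constructed for the example).
CRITICAL_ASSETS = {"Control Center A", "Substation 12"}


def r3_characteristics(asset):
    """Return the names of the R3 characteristics this asset exhibits."""
    hits = []
    if asset["routable_outside_esp"]:
        hits.append("routable protocol outside the ESP")
    if asset["routable_in_control_center"]:
        hits.append("routable protocol within a control center")
    if asset["dial_up"]:
        hits.append("dial-up accessible")
    return hits


def qualifies_under_r3(asset):
    """R3 qualification: at least one of the three characteristics."""
    return bool(r3_characteristics(asset))


def critical_cyber_assets(inventory, critical_assets):
    """R3: assets essential to a Critical Asset that meet the qualification,
    returned as a sorted list of names."""
    return sorted(
        a["name"] for a in inventory
        if a["supports"] in critical_assets and qualifies_under_r3(a)
    )


def exclusion_reasons(inventory, critical_assets):
    """Document why each non-qualifying asset was left off the list, so the
    R1 methodology and the R4 approval record have something to point to."""
    reasons = {}
    for a in inventory:
        if a["supports"] not in critical_assets:
            reasons[a["name"]] = "not associated with a Critical Asset"
        elif not qualifies_under_r3(a):
            reasons[a["name"]] = "no R3 characteristic present"
    return reasons


def review_overdue(last_review_iso, today_iso, max_interval_days=365):
    """R2/R4: the lists and methodology are reviewed and approved at least
    annually. Returns True when the last review is older than the interval."""
    last_review = date.fromisoformat(last_review_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_review) > timedelta(days=max_interval_days)


if __name__ == "__main__":
    print("Critical Cyber Assets:", critical_cyber_assets(INVENTORY, CRITICAL_ASSETS))
    print("Excluded:", exclusion_reasons(INVENTORY, CRITICAL_ASSETS))
    print("Review overdue:", review_overdue("2023-01-15", "2024-03-01"))
```

Note that `hmi-local-03` is tied to a Critical Asset yet stays off the list because it has none of the three characteristics, while `billing-db` is routable outside the ESP but is excluded because its supported asset never made the R2 list; the exclusion record keeps both decisions explicit rather than leaving them implicit in a shorter list.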