NERC CIP risk-based assessment methodology (PDF)

The principal differences in the information collection requirements, and in the resulting burden imposed by the proposed reliability standards in this rule, are triggered by the proposed changes in reliability standard CIP-002-4. The methodology sets the stage for the rest of the cyber security standards in that it defines the procedures. Some of these services refer to Compliance Manager, a software solution for managing NERC CIP compliance offered by Honeywell. The standards require bulk power system users, owners, and operators to establish a risk-based vulnerability assessment methodology to identify and prioritize critical assets and critical cyber assets. Related standards include COM-001 (telecommunications), FAC-001 (interconnection requirements), PRC-005 (protection system maintenance), and FAC-008 (facility ratings methodology and ratings). The previous risk-based assessment methodology for identifying critical assets will be replaced by 17 uniform bright-line criteria. The cornerstone of compliance with the NERC reliability standards CIP-002-1 through CIP-009-1, collectively referred to as the cyber security standards, is a meaningful risk-based assessment methodology. Designed to streamline the approach to identifying and evaluating risks to reliability throughout the ERO Enterprise, NERC has pledged to continue to work with Regional Entities throughout 2016 and beyond to monitor the effects of the new risk-based registration (RBR) approach and to assess any potential impact of RBR on other ongoing risk-based CMEP activities. CIP-002, in particular, requires the Responsible Entity to identify and document the critical cyber assets associated with each critical asset that supports the reliable operation of the BES, through the entity's own performance of a risk-based assessment. They were already skeptical that NERC entities' use of the RBAM, as specified in CIP-002-1 R1, would end up identifying many critical assets.
NextGen has worked on more than 300 NERC CIP sites, and our team of professionals has the experience, risk-based methodology, and practical skill to translate it into a security strategy that helps you meet NERC CIP security compliance requirements. Earlier versions of the NERC CIP standards used the risk-based assessment methodology (RBAM).

Risk-based requirements engineering: proper design, maintenance, and technical calculations reduce the risk of cascading problems. The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) plan comprises a set of requirements. CIP-002 requires the identification and documentation of the critical cyber assets associated with the critical assets that support the reliable operation of the bulk electric system. The NERC committees involved include the Critical Infrastructure Protection Committee (CIPC) and the Operating Committee (OC).

Risk-based assessment methodology (RBAM) to identify critical assets (CA): Attachment 1. NERC CIP standard mapping to the Critical Security Controls. The solution provides integrated data protection, combining a suite of applications. NERC cyber security standards: risk-based methodology. These standards recognize the differing roles of each entity. This document is designed to convey lessons learned from NERC's various activities. An effective NERC CIP compliance program is collaborative, flexible, integrated, and allows for inclusions or changes as required. Overview of the ERO Enterprise's risk-based CMEP: the ERO Enterprise Guide for Compliance Monitoring, risk-based compliance. A load-side QSE has cyber access into ERCOT, so it could be critical if ERCOT has critical cyber assets. The Commission directed NERC to provide additional guidance regarding the development of a risk-based assessment methodology for the identification of critical assets pursuant to CIP-002-1.

A risk-based approach to NERC compliance would begin by determining what regional risks are involved, such as telecommunications infrastructure for standby control services and facility ratings. CIP-002 R1, Critical Asset Identification Method: the Responsible Entity shall identify and document a risk-based assessment methodology to use to identify its critical assets. Critical asset decision trees: NU has developed critical asset decision trees to identify and classify critical assets as required by NERC CIP-002-1, R2. The IESO recognizes that cyber attacks will happen. NERC cyber security standards risk-based methodology (IESO). NERC LSE standards classification, December 4, 2008. These data requests, pursuant to the data specification from the TOP-003 and IRO-010 requirements, may also include other types of data under the same request. Compliance program documents serve as a roadmap to process maturity. The NERC Critical Infrastructure Protection (CIP) reliability standards employ an asset-centric, risk-based approach to securing the BES.

After careful scrutiny, an entity would undergo further analysis based on specific areas, such as the facilities and the configurations. CIP-012 requires protection only for real-time assessment and real-time monitoring data. Risk-based methodologies usually consider the threat likelihood of an event and its consequences. FERC proposes to remove risk-based assessment methodologies. NERC's philosophy behind the standards is to provide an adequate level of reliability of the bulk electric system: it is within limits during normal conditions; performs acceptably after contingencies; limits the impact and scope of instability and cascading outages; facilities are protected from damage; integrity can be restored if lost; and it has the ability to supply power and energy to all electricity consumers. Recommended guidelines for NERC CIP compliance for synchrophasor systems. SPP RE assessment, monitoring, and implementation.

A group of these standards address cyber security for critical cyber assets and are designated CIP-002 through CIP-009. NERC CIP risk assessment, solution at a glance: classifies and lists assets consistently, assists in the collection and logging of supporting evidence for NERC CIP audits, and solidifies NERC CIP compliance. Standard CIP-002-3, Cyber Security, Critical Cyber Asset Identification: the senior manager's or delegate's approval of the risk-based assessment methodology, the list of critical assets, and the list of critical cyber assets, even if such lists are null. The various risk, control, and compliance activities will support the idea of scoping, or reducing the sampling, to verify compliance. Develop a risk-based assessment methodology per CIP-002-3 R1; for each facility, perform engineering assessments based upon the assessment methodology and develop a list of identified critical assets per CIP-002-3 R1, including transmission substations; provide a final report summarizing the activities performed and the results and conclusions.

Recommended guidelines for NERC CIP compliance for synchrophasor systems (1). NERC implements a formal risk-based compliance program. Howard Gugel, NERC, Vice President of Engineering and Standards. FERC staff preliminary assessment of the North American ... Cyber security: communications between control centers. This approach requires that systems or facilities that have the highest impact on the grid receive the highest level of protections, while the lowest-impact systems receive the fewest security requirements. Annual Report 2011: the risk assessment of reliability performance culminates a three-year process to provide a view of risks to reliability; approved by the NERC Board of Trustees on August 4, 2011. This set of standards is known as the Critical Infrastructure Protection (CIP) standards, CIP-002 through CIP-011.

The stated purpose of the mandatory NERC standards CIP-002 through CIP-009 is to provide a cyber security framework for the identification and protection of critical cyber assets to support reliable operation of the bulk electric system. Version 4 Critical Infrastructure Protection Reliability Standards. This guidance is not intended to establish new requirements under NERC's reliability standards or to modify the requirements in any existing reliability standards. NERC CIP and the importance of consistent compliance. NERC states that these CIP reliability standards provide a comprehensive set of requirements to protect the bulk-power system from malicious cyber attacks. ERO Enterprise Inherent Risk Assessment Guide (NERC).

RBAM: risk-based assessment methodology. RTO: regional transmission organization. Compliance with the NERC requirements for Critical Infrastructure Protection (CIP) for synchrophasor systems. Pursuant to section 215 of the Federal Power Act, the Commission approves the version 5 Critical Infrastructure Protection reliability standards, CIP-002-5 through CIP-011-1, submitted by the North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization. Performance audits provide objective analysis to assist management and those ... Attachment 1 of CIP-002-5 incorporates the bright-line criteria to classify BES assets as low, medium, or high impact. ... real-time assessment and real-time monitoring data from their RCs, BAs, and TOPs. The standard goes on to specify that these assets are to be identified through the application of a risk-based assessment.

Critical asset criteria were added to determine criticality. (Dec 11, 2006) ... and critical cyber assets using a risk-based methodology. These standards for cyber security are mandatory and enforceable. Compliance, content, risk, policy, control, audit, etc. Policy sets can be easily customized to the environment or used as templates to create new policies. The Critical Infrastructure Protection (CIP) standard by the North American Electric Reliability Corporation (NERC), through version 4, has defined a critical cyber asset (CCA) as any device that uses a routable protocol to communicate outside the electronic security perimeter (ESP), uses a routable protocol within a control center, or ... The Responsible Entity shall maintain documentation describing its risk-based assessment methodology that includes procedures and evaluation criteria. NERC's new risk-based approach: challenging compliance. This requirement can be viewed as the decisive first step that affects the chances of successful implementation of the remaining CIP reliability standards. FERC approves the risk-based approach: FERC issued its order on the Electric Reliability Organization's Reliability Assurance Initiative on February 19, 2015, in docket RR15-2-000, requiring ...
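The three pieces above (a methodology that weighs likelihood against consequence, the CIP-002 sequence of documenting the methodology, listing critical assets, deriving critical cyber assets and obtaining senior-manager approval even when the lists are null, and the routable-protocol definition of a CCA) fit together as one repeatable procedure. The following is an added example written for this page, not code from NERC, any Responsible Entity, or any vendor named here. The 1-to-5 scales, the threshold of 12, the optional "consequence floor" rule, and the facility and cyber-asset inventory are all assumptions made for the example; only the two CCA connectivity criteria the page actually states are modelled.

```python
"""
Added example: a repeatable CIP-002 (version 1-3 style) risk-based assessment
methodology (RBAM) run over a constructed inventory.  The scales, threshold,
consequence-floor rule, facility names and cyber assets are assumptions made
for this example; none of them come from a NERC standard or a real entity.
"""
from dataclasses import dataclass

# Evaluation criteria.  CIP-002 R1 requires the procedures and criteria to be
# documented; keeping them as named constants lets the approval record cite them.
LIKELIHOOD = {"remote": 1, "unlikely": 2, "possible": 3, "likely": 4, "expected": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "cascading": 5}
THRESHOLD = 12  # assumed: risk = likelihood * consequence; scores >= THRESHOLD are critical


@dataclass(frozen=True)
class Facility:
    name: str
    likelihood: str   # key into LIKELIHOOD: how likely loss or misuse is
    consequence: str  # key into CONSEQUENCE: effect on BES reliability if it happens


@dataclass(frozen=True)
class CyberAsset:
    name: str
    facility: str                     # Facility.name the asset supports
    essential: bool                   # essential to operation of that facility
    routable_outside_esp: bool        # routable protocol across the ESP boundary
    routable_in_control_center: bool  # routable protocol within a control center


def risk_score(f: Facility) -> int:
    """Documented procedure: likelihood x consequence on the assumed scales."""
    return LIKELIHOOD[f.likelihood] * CONSEQUENCE[f.consequence]


def identify_critical_assets(facilities, consequence_floor=None):
    """CIP-002 R1/R2: score every facility and keep those at or above THRESHOLD.

    consequence_floor (an assumed extra criterion) makes any facility whose
    consequence is at least that level critical regardless of likelihood.
    Without it a low-likelihood, high-consequence facility can fall below the
    threshold, which is the gap an inadequate RBAM leaves.
    Returns (critical_names, evaluations) so excluded facilities are recorded too.
    """
    evaluations = []
    for f in facilities:
        score = risk_score(f)
        floored = consequence_floor is not None and CONSEQUENCE[f.consequence] >= consequence_floor
        evaluations.append({"facility": f.name, "score": score,
                            "critical": score >= THRESHOLD or floored})
    return [e["facility"] for e in evaluations if e["critical"]], evaluations


def identify_critical_cyber_assets(cyber_assets, critical_assets):
    """CIP-002 R3: a CCA is essential to a critical asset and meets a connectivity
    criterion.  Only the two criteria stated on the page are modelled here."""
    critical = set(critical_assets)
    return [a.name for a in cyber_assets
            if a.facility in critical and a.essential
            and (a.routable_outside_esp or a.routable_in_control_center)]


def approval_record(critical_assets, ccas, approver, approved_on, consequence_floor=None):
    """CIP-002 R4 evidence: the methodology, both lists and the senior manager's
    (or delegate's) approval.  Produced even when both lists are null."""
    method = f"likelihood x consequence >= {THRESHOLD}"
    if consequence_floor is not None:
        method += f"; consequence floor {consequence_floor}"
    return {
        "methodology": method,
        "critical_assets": list(critical_assets),
        "critical_cyber_assets": list(ccas),
        "lists_null": not critical_assets and not ccas,
        "approved_by": approver,
        "approved_on": approved_on,  # ISO date string
    }


def run_assessment(facilities, cyber_assets, approver, approved_on, consequence_floor=None):
    """Full R1-R4 pass: critical assets, then CCAs, then the approval record."""
    cas, evaluations = identify_critical_assets(facilities, consequence_floor)
    ccas = identify_critical_cyber_assets(cyber_assets, cas)
    record = approval_record(cas, ccas, approver, approved_on, consequence_floor)
    record["evaluations"] = evaluations
    return record


# Constructed sample inventory (not a real entity's assets).
SAMPLE_FACILITIES = [
    Facility("Substation A", "possible", "cascading"),      # 3 x 5 = 15 -> critical
    Facility("Plant B", "possible", "minor"),               # 3 x 2 = 6  -> not critical
    Facility("Control Center C", "unlikely", "cascading"),  # 2 x 5 = 10 -> below THRESHOLD
]
SAMPLE_CYBER_ASSETS = [
    CyberAsset("RTU-A1", "Substation A", True, True, False),
    CyberAsset("Relay-A2", "Substation A", True, False, False),  # serial only: not a CCA here
    CyberAsset("EMS-C1", "Control Center C", True, False, True),
    CyberAsset("DCS-B1", "Plant B", True, True, False),
]

if __name__ == "__main__":
    for floor in (None, CONSEQUENCE["cascading"]):
        rec = run_assessment(SAMPLE_FACILITIES, SAMPLE_CYBER_ASSETS,
                             "J. Doe, delegate (hypothetical)", "2011-01-01", floor)
        print(rec["methodology"], rec["critical_assets"], rec["critical_cyber_assets"])
```

Run as written, the pure threshold methodology lists only Substation A and its routable RTU; Control Center C scores 10 and drops out, and EMS-C1 with it, even though a control center compromise would be among the worst outcomes. Adding the consequence floor pulls both back in. That contrast is the practical reason behind the page's warning that an inadequate risk-based methodology may fail to capture essential facilities, and why version 4 replaced entity-chosen RBAMs with uniform bright-line criteria. The record is still produced for an empty inventory, with lists_null set, because approval of null lists is itself required evidence.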

NERC Critical Infrastructure Protection (CIP) compliance. CIP-004 requires an appropriate level of personnel risk assessment, training, and ...

Assessing risk to bulk power system generation: ensuring the reliability of the power system is the responsibility of many industry participants. The risk-based assessment shall consider the following assets: ... DP: responsible for wires and poles; SCADA system access. An inadequate risk-based methodology may fail to capture some facilities that are essential to effective cyber protection. A decision tree has been developed for the following subgroups: ... NERC ERO Enterprise Inherent Risk Assessment Guide, October 2014. Our assessments follow a proven and repeatable methodology that ... All advisory bodies have agreed on the context of the risk-based approach as a methodology to ...

Version 5 Critical Infrastructure Protection Reliability Standards. To do this, it is recommended to use the existing methodology as a baseline for comparison. Critical cyber asset: an overview (ScienceDirect Topics). Critical cyber asset (CCA) identification methodology. Interestingly enough, the NERC CIP-002 standard does not apply to cyber assets that are associated with ... NERC's programs impact more than 1,900 bulk power system owners and operators, and focus on reliability, assurance, learning, and risk-based approaches to improve the reliability of the electricity grid across the continent.

Michael Assante, Vice President and Chief Security Officer. Revisions to the NERC Rules of Procedure to include risk-based approach concepts: public posting similar to FFTs (Find, Fix, Track); completion of ICE (Internal Controls Evaluation) or an alternate methodology in ...

Standard CIP-002-3, Cyber Security, Critical Cyber Asset Identification. Progress is being made on cybersecurity guidelines, but key challenges remain to be addressed (Feb. ...).

NERC administers a Critical Infrastructure Protection (CIP) program, encompassed in standards CIP-001 to CIP-014. Schneider Electric NERC CIP assessment methodology: one of the most important and critical elements spanning all NERC CIP regulations is the identification of bulk electric system (BES) cyber systems. Through RAI, NERC completed the design of the risk-based ... Standard CIP-002-3, Cyber Security, Critical Cyber Asset Identification, Draft 1. Risk assessment methodologies for critical infrastructure. The first enforceable cybersecurity standards for the BES. The following steps should be taken to ensure that all BES cyber systems and ... The CIP-010-3 cyber vulnerability assessment (effective July 1st) is a critical component of the NERC CIP program.
