After my last blog on CIP V5 (CIP Version 5 – Are you Ready for CIP?) I had the opportunity to discuss my observations with James Holler of Abidance Consulting (www.abidanceconsulting.com). In that conversation we dug into the confusion around Impact ratings in CIP V5, Critical Assets (V3), and BES Cyber Systems / BES Cyber Assets (V5). To be upfront about it, I admit that the first line of the blog article referenced above added to that confusion. Let’s see if I can make things a bit clearer.
1 – Critical Assets, Exit Stage Left
V3 starts with the identification of Critical Assets (facilities, systems and equipment whose loss or degradation would affect the reliability or operability of the Bulk Electric System), determined through a Risk Based Assessment Methodology (RBAM) that each entity writes for itself. In V3, if your RBAM produces no Critical Assets, you still have to document the RBAM and its (null) result, but you do not fall under the majority of the CIP standards.
2 – Enter Stage Right, BES Cyber Systems (and their associated BES Cyber Assets)
In V5 we now have BES Cyber Systems, with Impact categories determined by “bright line” criteria written into the standard rather than by an entity-authored RBAM. This aligns with the NIST Risk Management Framework, where the BES Cyber System is analogous to the term “information system.” BES Cyber Systems provide the means to group BES Cyber Assets that behave as a “system,” so that compliance and security requirements can be managed on the group as one object.
Utilities also have flexibility in how they define BES Cyber Systems. A previously identified Critical Asset could be defined as one BES Cyber System or be broken down into multiple BES Cyber Systems. It is important to understand how compliance and security obligations attach to these “system groupings,” because the way you define your BES Cyber Systems can simplify, or complicate, the compliance practice: a large grouping means one set of evidence for many devices, while a small grouping limits how far a single device’s Impact rating reaches.
3 – Name Change: Critical Cyber Assets = BES Cyber Assets
The term Critical Cyber Asset (CCA) in V3 maps over to the term BES Cyber Asset in V5. So in V5 we have BES Cyber Assets instead of Critical Cyber Assets. The mapping is conceptual rather than one-to-one, however: V5 defines a BES Cyber Asset by impact (a Cyber Asset that, if rendered unavailable, degraded or misused, would within 15 minutes adversely impact the reliable operation of the BES), so a device’s status no longer hinges on its association with a Critical Asset identified through the RBAM.
4 – Categorization – Not High? Not Medium? Low!
Another point I gleaned from my conversation with Mr. Holler is clarity on BES Cyber System Impact Categorization. CIP-002-5 requires each Responsible Entity to identify its BES Cyber Systems and, once they have been identified, to categorize the Impact of each one as High, Medium or Low using the criteria in Attachment 1 of CIP-002-5.
BES Cyber Systems that are NOT categorized as High or Medium Impact are by DEFAULT Low Impact. There is no “none of the above” outcome: an entity that has at least one BES Cyber System has at least one rated BES Cyber System. This means that every Utility organization with a BES Cyber System will come under new expectations in respect to CIP with V5. Interestingly enough, the current wording of CIP V5 does not specify auditable expectations for Low Impact BES Cyber Systems (CIP-002-5 does not even require a discrete list of them), and this is one of the key areas where FERC is seeking modifications.
Obviously there are significant implications to Utilities from these changes, and many Utilities that have not fallen under CIP in V3 will do so under V5. However, V5 is a significant step forward in helping protect us from cyber security attacks that seek to disrupt the reliable operation of our grid – the grid we depend on in every aspect of our lives.