Critical Asset Identification Methodology William E. McEvoy Northeast Utilities
Disclaimer This NPCC TFIST workshop provides a forum for the presentation and discussion of member experience in the implementation of compliance programs for the NERC CIP Cyber Security Standards. Materials presented or discussed are the presenters own interpretation and recommendations and do not necessarily represent those of their organizations or NPCC. May 15, 2008 2
CIP002 - Identifying Critical Cyber Assets Audit Deliverables - Measures M1 - A documented risk-based methodology (RBM) used to identify an entity s Critical Assets M2 - A list of Critical Assets M3 - A list of Critical Cyber Assets M4 - Proof of an annual review and approval of 1) the list of Critical Assets and 2) the list of Critical Cyber Assets by a senior manager or designee 3
CIP002 - Identifying Critical Cyber Assets Bulk Electric System Assets CIP002 R1.2.1 - R1.2.7 Filtering Identifying Critical Assets Inputs Risk Based Assessment Measure 1 Critical Assets Cyber Assets Filtering Essential to operation of Critical Asset and meets CIP002-R3 Output list of CAs Measure 2 Measure 4 Annual Review and Approval Critical Cyber Assets Output list of CCAs Measure 3 4
Implementation Examples May 15, 2008 5
Enterprise Risk Management Process The NU Executives and Board adopted a Enterprise Risk Management process for managing the principal risks of the organization Risk management at the enterprise level incorporates several key components including: Identification, Assessment, Cataloguing, Assigning ownership, Managing within approved risk tolerances, Communicating, Continuous monitoring, and Annual reviewing of the key business risks. Risk management actively assesses the principal risks that have been identified for the business or for certain corporate initiatives, such as Cyber Security.
The Cyber Security - Enterprise Risk Management Process
Critical Asset Identification Method NU has applied the NU Enterprise Risk Management process in order to meet NERC requirements for applying a risk based methodology to identify critical assets, and associated critical cyber assets. Critical Asset Decision Trees NU has developed Critical Asset Decision Trees to identify and classify Critical Assets as required by NU-NERC CIP-002-1, R2. A decision tree has been developed for the following subgroups: Transmission Generation Control Centers The end result of the application of the decision trees provide NU with the necessary data to develop the Critical Asset list
Critical Assets Identification Transmission Substations A Substation that meets any of the following criteria is included as a critical asset: ISO key facilities Bulk Power Station by NPCC Criteria A-10 Ties to balancing authorities Connecting to a non-nu owned generating unit > 300MW System Protection System Type I or II 9
Transmission Critical Asset Decision Tree
Critical Assets Identification Control Centers A Control Center that meets any of the following criteria is a critical asset: Perform primary or back-up command and control functions for assets listed on CA List Has any distribution level SCADA control over transmission assets on the CA list that might create conditions such as a transfer trip Capable of controlling load shedding of 300MW or greater 11
Critical Assets Identification Control Centers
Critical Assets Identification Generation A Generation Unit that meets any of the following criteria is included as a critical asset: Part of NPCC Blackstart Capability Plan Connected to >100KV Reliability Must Run Required for voltage support Special protection system for N-1 13
Critical Assets Identification Generation
Critical Cyber Assets Identification
Non-Critical Cyber Assets to be protected - Identification
General Comments Closing Use the Industry Guidelines being published NPCC B-27 NERC CIPC Critical Asset Identification Guideline (near future) Work with your Balancing Authority (ISO) to ensure consistency within that area Document, document, document May 15, 2008 17
? Questions or Comments? May 15, 2008 18