CIP Low Impact Through the Auditor’s Lens
GridSME Reliability & Compliance Team • Sep 21, 2021

These are genuinely exciting times to be working in the power industry. The volume of new generation and storage resources coming online has been well-publicized. But each new resource also introduces a new risk to the reliability and security of the grid. In WECC and TRE alone, there have been more than 130 new registered Generator Owners (GO) introduced to those Interconnections in the past five years. And we are only getting started, as we expect the next five years to see considerably more resource additions to the grid than the previous five years.

Naturally, with all of the new market entrants comes confusion and anxiety. Digesting and understanding the NERC Reliability Standards is certainly part of that. Two of the Reliability Standards that cause the most confusion and anxiety for new Registered Entities (RE) are CIP-002-5.1a, Cyber Security – BES Cyber System Categorization, and CIP-003-8, Cyber Security – Security Management Controls. These Reliability Standards require soon-to-be REs to first identify and categorize their BES Cyber Systems, and then implement one or more documented cyber security plan(s) for those BES Cyber Systems. Aside from requiring those plans to contain, at a minimum, certain components, the Standard leaves considerable discretion to you, the Registered Entity.

The CIP journey begins with CIP-002, and the confusion starts right there. The most common question about CIP-002 is whether the RE needs to generate an inventory of the devices that are part of its BES Cyber System. No, the Standard does not explicitly require an RE with low impact BES Cyber Systems to inventory its devices. But once you consider that the objective of the CIP Standards is to identify and protect your critical infrastructure, it is almost impossible to get around inventorying the devices that comprise your BES Cyber System(s). After all, it is very difficult for an auditor to assess the effectiveness of your CIP-003 cyber security plans if you have not specifically identified what it is you are protecting. How do you protect what you have not identified? CIP-002 and the device inventory are also where the auditor (e.g., WECC, TRE) will begin its assessment. So, although there is no explicit requirement in CIP-002, we highly recommend that REs maintain a current inventory of the devices that comprise their BES Cyber Systems. Additionally, the Regional Entities (i.e., SERC, WECC, TRE), with whom you will deal directly on compliance issues, are in many cases requesting that inventory as part of an initial CIP Self-Certification review, which may be conducted any time after registration.

CIP-003 is also a considerable source of confusion for new REs. CIP-003 requires REs to develop and implement cyber security plan(s) for the BES Cyber Systems they identified and categorized under CIP-002. CIP-003 is not prescriptive, and NERC is intentional in making it non-prescriptive. There are at least a couple of reasons for this. First, NERC acknowledges there are many ways an entity might accomplish the Standard’s objective, which is to protect critical infrastructure from cyber and physical security risks. Second, NERC’s strategy for compliance is not to tell REs “if you do these specific things, you will be secure”; NERC’s approach is to define the performance objective that needs to be achieved. As we know, there are no absolutes when it comes to security and risk management.

Given the lack of specificity in the CIP-003 Standard, how does an RE really know what to put in its cyber security plans, and whether those plans are compliant? The inherent ambiguity of the Standard leaves many REs unsure how to build their cyber security plans. And once those plans are developed and implemented, some REs then struggle to assess whether those plans are compliant and “audit-ready.” In evaluating whether its cyber security plans are sufficient and effective in meeting CIP-003’s objectives, and therefore compliant, the RE should first ask: does our cyber security plan identify sufficient controls to protect our assets?

For example, to meet the requirement and objective to protect its cyber assets from malicious code introduced by Transient Cyber Assets and Removable Media (TCA/RM), an RE may implement a policy control forbidding the use of any TCA/RMs in its BES Cyber Systems. If the RE were audited, the auditor would assess the effectiveness of this policy control by reviewing evidence that proves the null (i.e., is there evidence that demonstrates no TCA/RMs were plugged into the BES Cyber Systems?).

Another RE may also meet the Standard’s objectives by implementing a policy that allows the use of TCA/RMs with its BES Cyber Systems and, to mitigate the risk of malicious code, requires that all TCA/RMs first be scanned by a device outside of its BES Cyber Systems. In this case, the auditor would look at a log of all TCA/RMs plugged into the BES Cyber Systems and evaluate evidence showing that each of those devices was properly scanned and cleared beforehand.
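The two policies above lead to two different evidence checks: under the first, the connection log should be empty (evidence of the null); under the second, every connection must be preceded by a clean scan. The script below, an added example rather than anything from GridSME or from the CIP Standards, performs that correlation over constructed sample logs. The log formats, the field names and the 24-hour scan validity window are assumptions for illustration; CIP-003 does not define them.

```python
"""Correlate TCA/RM connection events with scan-and-clear records, the way the
article describes an auditor evaluating the 'scan before use' policy.
Added example; log formats, field names and the 24-hour scan validity window
are assumptions, not anything defined by NERC CIP-003 or by GridSME."""

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample evidence. In practice these would be exported from the
# scanning station and from the BES Cyber System's device-connection logs.
SCAN_LOG = """\
2021-09-13T07:55:00 USB-SN-1001 clean
2021-09-13T08:10:00 USB-SN-1002 malware_found
2021-09-14T09:00:00 USB-SN-1003 clean
2021-09-16T10:30:00 USB-SN-1001 clean
"""

CONNECTION_LOG = """\
2021-09-13T08:15:00 HMI-01 USB-SN-1001 connected
2021-09-13T08:40:00 HMI-01 USB-SN-1002 connected
2021-09-14T09:05:00 RTU-03 USB-SN-1003 connected
2021-09-15T14:00:00 HMI-02 USB-SN-1001 connected
2021-09-16T11:00:00 HMI-02 USB-SN-1004 connected
"""

# Assumed policy parameter: a clean scan clears a device for 24 hours.
SCAN_VALIDITY = timedelta(hours=24)


@dataclass(frozen=True)
class Finding:
    when: datetime
    host: str
    device: str
    reason: str


def parse_scans(text):
    """Return {device: [(timestamp, result), ...]} with each list sorted by time."""
    scans = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, result = line.split()
        scans.setdefault(device, []).append((datetime.fromisoformat(ts), result))
    for entries in scans.values():
        entries.sort()
    return scans


def parse_connections(text):
    """Return [(timestamp, host, device), ...] sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, device, _action = line.split()
        events.append((datetime.fromisoformat(ts), host, device))
    return sorted(events)


def audit(connection_text, scan_text, validity=SCAN_VALIDITY):
    """For every connection, require the most recent scan before it to be
    'clean' and no older than `validity`. Returns a list of Findings; an empty
    list means every connection (or the absence of any) is backed by evidence."""
    scans = parse_scans(scan_text)
    findings = []
    for when, host, device in parse_connections(connection_text):
        prior = [s for s in scans.get(device, []) if s[0] <= when]
        if not prior:
            findings.append(Finding(when, host, device, "no scan record before connection"))
            continue
        scan_time, result = prior[-1]
        if result != "clean":
            findings.append(Finding(when, host, device, f"last scan result was {result!r}"))
        elif when - scan_time > validity:
            findings.append(Finding(when, host, device, "clean scan older than validity window"))
    return findings


if __name__ == "__main__":
    for f in audit(CONNECTION_LOG, SCAN_LOG):
        print(f"{f.when.isoformat()} {f.host} {f.device}: {f.reason}")
```

Run against the sample data, the audit flags three connections: a device whose last scan found malware, a device reused two days after its clean scan, and a device with no scan record at all. Passing an empty connection log returns no findings, which is the shape of evidence the first ("no TCA/RM") policy would need to produce, although an auditor would also want to know how the RE knows the log is complete.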

Another key to understanding CIP-002 and CIP-003 is in the Reliability Standard Audit Worksheet (RSAW). When conducting an audit, the auditor uses the RSAW, its questions, and assessment tools to assess the effectiveness of your CIP program. An RE can therefore use an RSAW outside of an audit environment to periodically evaluate its compliance program through the lens of the auditor. This can be an especially valuable tool for a newly registered entity looking to gain assurance that it is on the right track. While the heart of your compliance program should not be the RSAW, it can be a valuable tool an RE can use to periodically evaluate how it is doing and where it may have gaps.

To recap, in CIP-002, NERC requires REs to first identify and categorize their BES Cyber Systems – i.e., what it is you need to protect. Next, NERC requires REs to design and implement controls to meet the security objectives addressed in CIP-003. To demonstrate it has met the requirements of these two Standards, the RE must generate evidence that it has identified and categorized what it needs to protect, that it has implemented security plans to protect those assets, and that the plans’ controls are effective in meeting the plans’ security objectives.
