NERC Issues Draft Guidelines Addressing Identification of Critical Cyber Assets

On July 1, the North American Electric Reliability Corporation (NERC) issued draft security guidelines providing guidance to entities that are required to identify Critical Cyber Assets under NERC Standard CIP-002 R3. Under that standard, certain entities must develop a list of Critical Cyber Assets that are essential to the operation of the entities' Critical Assets.[1]

As stated in the draft guidelines, CIP-002 R3 is applicable to Responsible Entities, which include reliability coordinators, balancing authorities, interchange authorities, transmission service providers, transmission and generator owners and operators, load serving entities, regional entities, and nuclear facilities that have nonsafety Critical Assets not subject to the Nuclear Regulatory Commission's cyber security regulations.

The draft guidelines suggest an entity subject to CIP-002 R3 follow six steps to ensure that all Cyber Assets are evaluated when the entity is compiling a list of Critical Cyber Assets:

1. Define Critical Assets and determine the essential functions of those Critical Assets.
2. Identify Cyber Assets associated with the Critical Assets.
3. Group Cyber Assets by application.
4. Identify Cyber Assets that support essential functions of Critical Assets.
5. Identify Cyber Assets that meet any of three qualifying connectivity requirements.
6. Compile the list of Critical Cyber Assets.

With regard to step (v), CIP-002 R3 states that a Cyber Asset supporting an essential function of a Critical Asset is deemed a Critical Cyber Asset if the Cyber Asset qualifies. A Cyber Asset may qualify if it uses a routable protocol to communicate outside an entity's electronic security perimeter, uses a routable protocol within a control center, or is dial-up accessible.

The draft guidelines also provide several instructive tables and diagrams illustrating how an entity can proceed through each step. Four tables illustrate questions an entity can analyze to determine whether a Cyber Asset supports an essential function of a Critical Asset. These tables are particularly instructive because NERC addresses several specific Cyber Assets and provides its opinion on whether those assets support essential functions of Critical Assets. Similarly, several diagrams describe example system configurations of Cyber Assets essential to Critical Assets that meet the routable protocol qualifying criteria as a Critical Cyber Asset.

Stakeholders are invited to provide comments at any time on or before July 31, 2009. The draft guidelines may be accessed at http://www.nerc.com/filez/sgwg.html, under the title Security Guideline for the Electricity Sector: Identifying Critical Cyber Assets - Draft, available at http://www.nerc.com/docs/cip/sgwg/Critcal%20Cyber%20Asset%20ID%20V0%20R902%20for%20CIPC%20Review.pdf.

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact either of the following Morgan Lewis attorneys:

Washington, D.C.
Stephen M. Spina
Levi McAllister

[1] The terms "Critical Cyber Asset" and "Critical Asset" are defined in both the draft guidelines and NERC's Glossary of Terms.