Assessment Processes for Identifying Cyber Assets for Which NERC CIP-002-1 Compliance Requirements Apply

1) Create facility lists:
   a. Generation sites
   b. Operations Control Centers
   c. T&D Substations
   d. Other owned facilities with networked-computing needs, e.g., parts depot, maintenance shed, etc.
   e. Facilities owned by someone else that are connected to the grid within our aegis as a Reliability Coordinator
   f. Other resources where the Standard could potentially apply

2) ID/adopt an internal-standard facility risk assessment methodology (tool) and:
   a. Formulate the defining characteristics of a facility (or other resource) that make it "critical to reliability of the bulk electric system" (by definition)
   b. Conduct a consistent risk assessment of each facility/other resource in terms of its criticality, based upon the defining characteristics (from #2a above)
   c. Document the reasoning behind the categorization of individual facilities/resources as being critical or not critical to reliability of the bulk electric power system
   d. Distill the facility/other resource listings to subset lists containing only critical facilities and other critical resources

3) For each critical facility:
   a. Make a list of all cyber assets in use within and/or at the perimeters of each critical facility (cyber assets also include physical access controls and monitoring)
   b. Assemble a list of cyber assets associated with other resources not situated within a facility but also deemed critical
   c. Subtract from each critical facility's cyber asset list (created in #3a), and from the list of other critical resources (created in #3b), those cyber assets which are not critical to reliability of the bulk electric system
   d. Subtract from each critical facility's/other critical resource's cyber asset lists those cyber assets specifically excluded from NERC 1300 compliance requirements (e.g., devices serving non-routable communications)
   e. The differences resulting from #3c and #3d are discrete lists of facility and other-resource critical cyber assets for which full NERC 1300 cyber security compliance requirements apply

4) ID/adopt internal-standard vulnerability assessment methodologies (tools) for each type of critical cyber asset in use and:
   a. Conduct and record vulnerability assessments for each type of critical cyber asset as used in each critical facility/other resource
   b. ID/adopt and document defensible vulnerability mitigation strategies and tactics (countermeasures)
   c. Create a plan to apply countermeasures

5) ID/adopt and document internal-standard security administration methods and procedures for measuring and maintaining the effectiveness of applied countermeasures
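The scoping steps 1) through 3) above amount to an inventory filter: classify each facility against the defining characteristics, record the reasoning, then keep only those cyber assets at critical facilities that are essential to reliability and not carved out by the non-routable exclusion. The following is an added example that models that filter; it is not part of the original assessment document. The facility kinds, the MW/kV/line-count thresholds standing in for "defining characteristics", and the sample inventory are all constructed assumptions, since the document leaves the actual characteristics to the entity's own methodology.

```python
"""Model of CIP-002 scoping steps 1-3 (added example; thresholds and inventory are constructed)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Facility:
    name: str
    kind: str          # "generation", "control_center", "substation", or "other"
    mw: int = 0        # nameplate capacity (generation only)
    kv: int = 0        # highest voltage level (substations only)
    lines: int = 0     # transmission lines terminated (substations only)


@dataclass(frozen=True)
class CyberAsset:
    name: str
    facility: str      # facility or other resource the asset belongs to (#3a/#3b)
    essential: bool    # critical to bulk electric system reliability (#3c)
    routable: bool     # uses routable communications; False -> excluded under #3d


# Hypothetical defining characteristics (#2a). The document states no thresholds;
# these placeholders would be replaced by the entity's own risk methodology.
GEN_MW_THRESHOLD = 300
SUB_KV_THRESHOLD = 200
SUB_LINES_THRESHOLD = 3


def assess_criticality(f: Facility) -> tuple[bool, str]:
    """Steps 2b/2c: decide criticality and return the documented reasoning."""
    if f.kind == "control_center":
        return True, "operations control centers direct BES operations"
    if f.kind == "generation":
        crit = f.mw >= GEN_MW_THRESHOLD
        return crit, f"{f.mw} MW {'>=' if crit else '<'} {GEN_MW_THRESHOLD} MW threshold"
    if f.kind == "substation":
        crit = f.kv >= SUB_KV_THRESHOLD and f.lines >= SUB_LINES_THRESHOLD
        return crit, f"{f.kv} kV / {f.lines} lines vs {SUB_KV_THRESHOLD} kV / {SUB_LINES_THRESHOLD} lines"
    return False, "no defining characteristic applies"


def critical_facilities(facilities: list[Facility]) -> dict[str, str]:
    """Step 2d: subset of critical facilities, each with its recorded reasoning."""
    result = {}
    for f in facilities:
        crit, why = assess_criticality(f)
        if crit:
            result[f.name] = why
    return result


def scope_critical_cyber_assets(facilities, assets):
    """Steps 3a-3e: per-facility critical cyber asset lists plus a log of removals."""
    crit = critical_facilities(facilities)
    in_scope = {name: [] for name in crit}
    removed = []
    for a in assets:
        if a.facility not in crit:            # only critical facilities/resources (#3a/#3b)
            continue
        if not a.essential:                   # #3c: not critical to BES reliability
            removed.append((a.name, "not critical to BES reliability"))
        elif not a.routable:                  # #3d: non-routable communications exclusion
            removed.append((a.name, "excluded: non-routable communications"))
        else:                                 # #3e: remains on the critical cyber asset list
            in_scope[a.facility].append(a.name)
    return {k: sorted(v) for k, v in in_scope.items()}, removed


# Constructed sample inventory (not real facilities or devices).
SAMPLE_FACILITIES = [
    Facility("Plant A", "generation", mw=650),
    Facility("Plant B", "generation", mw=120),
    Facility("Main Control Center", "control_center"),
    Facility("Sub 1", "substation", kv=345, lines=5),
    Facility("Sub 2", "substation", kv=138, lines=6),
    Facility("Parts Depot", "other"),
]
SAMPLE_ASSETS = [
    CyberAsset("ems-server-01", "Main Control Center", essential=True, routable=True),
    CyberAsset("ems-hmi-02", "Main Control Center", essential=True, routable=True),
    CyberAsset("badge-controller-cc", "Main Control Center", essential=True, routable=True),  # physical access control counts (#3a)
    CyberAsset("dcs-controller-a", "Plant A", essential=True, routable=True),
    CyberAsset("rtu-serial-a", "Plant A", essential=True, routable=False),   # serial-only device
    CyberAsset("print-server-a", "Plant A", essential=False, routable=True),
    CyberAsset("dcs-controller-b", "Plant B", essential=True, routable=True),  # Plant B is not critical
    CyberAsset("relay-gw-sub1", "Sub 1", essential=True, routable=True),
    CyberAsset("inventory-pc-depot", "Parts Depot", essential=False, routable=True),
]


def run_example():
    """Run the scoping over the sample inventory and return (in_scope, removed)."""
    return scope_critical_cyber_assets(SAMPLE_FACILITIES, SAMPLE_ASSETS)


if __name__ == "__main__":
    scoped, dropped = run_example()
    for fac, why in critical_facilities(SAMPLE_FACILITIES).items():
        print(f"{fac}: critical ({why}) -> {scoped[fac]}")
    for name, reason in dropped:
        print(f"removed {name}: {reason}")
```

The removal log is kept alongside the in-scope lists because step 2c and step 3 both presume the reasoning for every exclusion is written down; an auditor asking why a serial-only RTU at a critical plant is off the list should find the answer in the record, not in someone's memory.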