
subject: Critical Infrastructure Protection NERC CIP-002-3 Critical Cyber Asset Identification


The NERC CIP-002 requirements stipulate a framework for the classification and documentation of Critical Assets: those assets that, if compromised, degraded, misused, interrupted, etc., can affect the operation of the Bulk Electric System (BES). The Bulk Electric System is the system whereby power is produced and conveyed throughout North America across many regional and local utilities. Protecting the BES requires that each single entity (utility) have acceptable controls and protections on its critical assets and cyber assets to prevent undesirable events and isolate them from the BES. Identification (CIP-002) and Protection (CIP-003 to CIP-009) are the key to the health of the BES from the CIP viewpoint, with each utility implementing controls to safeguard the security and integrity of its Critical Assets (CA) and Critical Cyber Assets (CCA).

The Risk-Based Assessment Methodology (RBAM) is central to successfully meeting CIP compliance. An entity that does not have an RBAM that correctly identifies which physical assets can affect the BES has no effective way to ensure that its efforts to protect the BES can be successful. Therefore the RBAM methodology, procedures and resulting CA lists MUST go through an extensive review process by all key personnel and departments that have visibility into the criticality of assets.

Once the Critical Asset list has been established with a degree of assurance, a comprehensive review of these sites needs to be carried out to identify the specific Critical Cyber Assets that can affect the BES. Constructing the CCA list can be a chore, depending on how much detailed documentation exists and how accurate that documentation is. Electronic means should be used to gather and confirm network and device information.

The CA reviews should include complete identification and validation of important data and communication paths (information flow records). This may include physically reviewing each site, to the extent of following cables, to ensure all devices have been identified and recorded. If you do not know a device exists, how can you determine its level of importance?
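One way to confirm documented device information electronically, shown as an added example that is not part of the original article: it reconciles a documented CCA inventory against scan results in nmap's grepable (`-oG`) layout. The CSV layout, host names and addresses are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample: documented Critical Cyber Asset inventory for one site.
DOCUMENTED_CSV = """ip,name,documented_ports
10.10.1.10,ems-server,22;443
10.10.1.20,rtu-gateway,502
10.10.1.30,hmi-01,3389
"""

# Constructed sample lines in nmap grepable (-oG) layout from an approved scan.
SCAN_OUTPUT = """Host: 10.10.1.10 (ems-server)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 10.10.1.20 (rtu-gateway)\tPorts: 23/open/tcp//telnet///, 502/open/tcp//mbap///
Host: 10.10.1.40 ()\tPorts: 80/open/tcp//http///, 161/closed/tcp//snmp///
"""

HOST_RE = re.compile(r"^Host: (\S+) \(.*?\)\tPorts: ([^\t]*)")

def parse_scan(text):
    """Return {ip: set of open TCP ports} from grepable scan lines."""
    found = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and "Status:" lines carry no port data
        ports = set()
        for entry in m.group(2).split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                ports.add(int(fields[0]))
        found[m.group(1)] = ports
    return found

def load_inventory(text):
    """Return {ip: set of documented ports} from the inventory CSV."""
    return {row["ip"]: {int(p) for p in row["documented_ports"].split(";") if p}
            for row in csv.DictReader(io.StringIO(text))}

def reconcile(inventory, scanned):
    """Compare the documentation with what the network actually shows."""
    common = sorted(set(scanned) & set(inventory))
    return {
        "undocumented_hosts": sorted(set(scanned) - set(inventory)),
        "not_seen_on_network": sorted(set(inventory) - set(scanned)),
        "undocumented_ports": {ip: sorted(scanned[ip] - inventory[ip])
                               for ip in common if scanned[ip] - inventory[ip]},
    }
```

Each of the three result lists is a follow-up item for the site review: a device missing from the CCA list, a documented device that did not answer, or a service that the information flow records do not account for.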

Unfortunately, we have found utilities resistant to the use of electronic resources to assist with the inventory of assets. This is partly due to the "Fear Factor" and a lack of awareness of security tools. The fear factor is propagated by the regional and national entities warning of impending disaster if real security and network tools are used. However, if an entity is compromised, we doubt that they would be concerned with an outage due to the use of a security tool (nmap, Nessus, etc.).

The last critical element of InfoSec is reliability. If a system, device or network cannot stand up against basic security tools, then that needs to be identified as a problem and compensating controls implemented to provide a satisfactory level of protection. Obviously care and caution need to be taken, but prohibiting the use of these tools is counterproductive.

by: Jerry Ketterling



