Grouping BES Cyber Assets into BES Cyber Systems under CIP Version 5

This author no longer works for DNV GL.

With CIP Version 5, a new term, BES Cyber System, has wormed its way into the NERC lexicon. CIP V5 explains this new concept and how it can be applied to simplify the organization of evidence needed for compliance. Countless articles have been written on the topic to date, many of which replay verbatim language from the Standards while lacking a fresh perspective. In today’s blog post, we purposely stay out of the weeds to make our points, but do include citations where additional detail may be found. This allows the reader to pause and dig further into unfamiliar terms, concepts, rules, and applications as needed before resuming with the main thread.

Early in CIP-002-5.1, NERC espouses that a fundamental difference between CIP V3/V4 and CIP V5 is the shift from identifying Critical Cyber Assets to identifying BES Cyber Systems.[1] The statement is followed by a diagram illustrating the changes between versions.[2] At this point it starts to get a bit muddy. Missing from the diagram is a key concept: the shift from Critical Cyber Assets to the new CIP V5 term, BES Cyber Asset. Before going much further, we need to stop and address this new term.

Jumping to the glossary[3] and then reading ahead in the Standard, one comes to the realization that BES Cyber Assets are very much like Critical Cyber Assets, except the definition of the former is more technical in detail. CIP V5 defines a BES Cyber Asset, or a grouping of BES Cyber Assets (called a BES Cyber System), as follows:

  • Performs or supports the reliable operation of the BES[4]. NERC continues by defining reliability functions as those tasks defined in the NERC Functional Model[5] for each functional entity.
  • If it fails or degrades in operation, it can adversely affect the reliable operation of the BES within 15 minutes.[6]

So what exactly is a BES Cyber System? Simply stated, it is a grouping of BES Cyber Assets possessing one or more common characteristics, which can serve as the object of a requirement.[7] The “object” concept becomes clearer when noting NERC’s change to a tabular format for presenting CIP V5 requirements. The table, called a Requirements Table, is more than just a list of requirements and sub-requirements; it also addresses Applicable Systems and Measures. Coming full circle, we discover “object” is a generic reference to one or more Applicable Systems to which a requirement pertains. Further reading reveals BES Cyber System to be a name given to a particular type of Applicable System. More can be learned about the Applicable Systems in play for each CIP V5 Standard by reviewing Section 6 of each Standard, under the header Applicable Systems Columns in Tables.

The term BES Cyber System rarely, if ever, stands by itself in the Requirements Table. It is nearly always associated with an impact rating. Therefore, we have the terms High Impact BES Cyber Systems, Medium Impact BES Cyber Systems, and Low Impact BES Cyber Systems.

The assignment of impact ratings is largely driven by two factors.

  • Where the BES Cyber System is used and located, such as in use at transmission or generation control centers
  • What the BES Cyber System is associated with, where such Systems may be associated with transmission facilities at specific voltage levels, generation facilities operating above a prescribed capacity, or special protection systems.

NERC’s rollout of impact rating criteria[8] is logical and well presented in CIP-002-5.1 Attachment 1. However, noticeably missing are step-by-step procedures for applying the criteria to arrive at an assignment for each BES Cyber System. There’s a reason for this. CIP V5 extends greater latitude to Registered Entities to define their own processes and procedures. These include processes for evaluating BES assets, identifying BES Cyber Assets, grouping assets into BES Cyber Systems, and assigning impact ratings. Greater latitude does not mean all the hitches go away. Registered Entities must still implement[9] their processes and show evidence[10] of execution. And implicit in the word “implementation” is documentation and training.

WECC, as one of the Regional Entities, has stepped up to address asset identification and groupings by incorporating the following in its roadshow presentations:

  • Examples of an auditable process[11]
  • A guide for identifying and documenting BES Cyber Systems[12].
  • Approaches for identifying BES Cyber Assets[13]
  • Pictorial examples of BES Cyber Asset groupings into BES Cyber Systems[14]

NERC has also done its part by publishing lesson-learned papers on the pros and cons of specific BES Cyber Assets groupings. One particular paper[15] gives examples of possible groupings:

  • BES Cyber Assets that serve a common function of protecting the BES
  • BES Cyber Assets that are connected via routable protocol on the same communications network
  • BES Cyber Assets that are subject to the same software patching requirements
  • BES Cyber Assets that share the same impact rating.

One must be careful not to neglect the electronic and physical security implications when grouping BES Cyber Assets.  A group must exhibit certain attributes to qualify as a BES Cyber System. The grouping exercise might have been easier to accomplish had the electronic and physical rules been in one place. In reality the rules are dotted across a landscape of rather complex Standards, with further clarification provided at workshops and webinars sponsored by NERC and the Regional Entities. At last count the new CIP standards were running close to 330 pages. No doubt as more is learned and shared, the number will grow. Some of the more important rules to know about are gathered below with citations for those who want to drill down further:

  1. A grouping should be based on the primary use of the BES Cyber Assets.[16]
  2. Each BES Cyber Asset is included in at least one BES Cyber System grouping[17]
  3. A Cyber Asset is not a BES Cyber Asset if, for 30 consecutive calendar days or less, it is directly connected to a network within an ESP, a Cyber Asset within an Electronic Security Perimeter, or to a BES Cyber Asset, and it is used for data transfer, vulnerability assessment, maintenance, or troubleshooting purposes[18] [Please note, this statement is being re-evaluated by the NERC Standards Drafting Team for CIP-004-6, CIP-010-2, and CIP-011-2. The current drift is to designate such assets as Transient Cyber Assets, and to further differentiate between transient cyber assets owned and operated by the Responsible Entity versus those owned and operated by Vendors.][19]
  4. All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined ESP (Electronic Security Perimeter)[20]
  5. The logical border surrounding a network to which BES Cyber Systems are connected using a routable protocol requires an ESP[21]
  6. Many different impact classifications can be identified within an ESP; however, the highest level of the BCS (BES Cyber System) within the ESP sets the High Water Mark for all associated assets within that ESP[22]
  7. A BCS can span multiple facilities crossing discrete ESPs[23]
  8. All protected cyber assets take on the impact level of the BCS[24]
  9. A BCS may not require an ESP[25]
  10. A BCA (BES Cyber Asset) with no routable connectivity cannot be part of an ESP[26]
  11. Serial field devices are no longer under a serial exemption, therefore are included within BCS as a BCA[27]
  12. ESPs need two distinct security measures such that the Cyber Assets do not lose all perimeter protection if one measure fails or is misconfigured.[28]
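
As an added example (not part of the original post, and not NERC or WECC tooling), the Python below checks an asset inventory against rules 2, 4, 6, 8 and 10 as they are worded in the list above. The inventory is constructed, and the field names, asset IDs and BCS/ESP names are assumptions made for the illustration.

```python
# Constructed sample inventory; field names and IDs are assumptions for this example.
RANK = {"low": 1, "medium": 2, "high": 3}
BCS_IMPACT = {"BCS-EMS": "high", "BCS-HIST": "medium", "BCS-PROT": "medium"}
ASSETS = [  # kind: BCA = BES Cyber Asset, PCA = Protected Cyber Asset
    {"id": "ems-srv-01", "kind": "BCA", "routable": True, "esp": "ESP-CC", "bcs": ["BCS-EMS"]},
    {"id": "hist-01", "kind": "BCA", "routable": True, "esp": "ESP-CC", "bcs": ["BCS-HIST"]},
    {"id": "print-01", "kind": "PCA", "routable": True, "esp": "ESP-CC", "bcs": []},
    {"id": "relay-07", "kind": "BCA", "routable": False, "esp": "ESP-SUB", "bcs": ["BCS-PROT"]},
    {"id": "rtu-03", "kind": "BCA", "routable": True, "esp": "ESP-SUB", "bcs": ["BCS-PROT"]},
    {"id": "hmi-02", "kind": "BCA", "routable": True, "esp": None, "bcs": []},
]


def esp_high_water_marks(assets, bcs_impact):
    """Rule 6: the highest-rated BCS inside an ESP sets the level for that ESP."""
    marks = {}
    for a in assets:
        if a["esp"] is None or not a["routable"]:
            continue  # only routably connected assets belong to an ESP
        for bcs in a["bcs"]:
            level = bcs_impact[bcs]
            if RANK[level] > RANK.get(marks.get(a["esp"]), 0):
                marks[a["esp"]] = level
    return marks


def effective_impact(asset, marks, bcs_impact):
    """Rules 6 and 8: an asset inside an ESP inherits the ESP's high-water mark."""
    if asset["routable"] and asset["esp"] in marks:
        return marks[asset["esp"]]
    own = [bcs_impact[b] for b in asset["bcs"]]
    return max(own, key=RANK.get) if own else None


def findings(assets):
    """Return (asset id, message) for each grouping or perimeter gap."""
    out = []
    for a in assets:
        if a["kind"] == "BCA" and not a["bcs"]:
            out.append((a["id"], "rule 2: BCA is in no BES Cyber System"))
        if a["routable"] and a["esp"] is None:
            out.append((a["id"], "rule 4: routable asset is outside any ESP"))
        if a["kind"] == "BCA" and not a["routable"] and a["esp"] is not None:
            out.append((a["id"], "rule 10: non-routable BCA listed in an ESP"))
    return out


if __name__ == "__main__":
    marks = esp_high_water_marks(ASSETS, BCS_IMPACT)
    for a in ASSETS:
        print(a["id"], effective_impact(a, marks, BCS_IMPACT))
    for asset_id, message in findings(ASSETS):
        print(asset_id, message)
```

In this inventory the medium-impact historian and the printer both inherit the high rating of their ESP, which is the kind of side effect worth seeing before a grouping is finalized.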

Looking ahead, the process for assigning BES Cyber Assets to BES Cyber Systems will be at best an iterative one. The rollout of new terms, changes in rule sets, and alternatives for grouping assets is just too difficult to absorb and get right the first time. Registered Entities must take advantage of the time between the new CIP Standard release dates and effective dates to get their act together. A head-in-the-sand approach now will lead to a last minute scramble come audit time to resolve where your company stands with CIP V5, BES Cyber Assets, and BES Cyber Systems.

A better plan is to start early by evaluating different grouping strategies to create processes that make sense within your organization. Start simple! Further refinement can come later as more is learned and the case made for additional resources.

To reaffirm a previous remark, NERC has provided greater latitude in CIP V5 for Registered Entities to develop their own cyber security processes. But with the added rope comes the responsibility that you must document what you do, and do what you document. In the auditor’s eyes, not documenting what your company is doing is as good as not doing it at all, and can open the door to additional potential violations.


[1] CIP-002-5.1, Section A.6 Background, First paragraph under header BES Cyber Systems

[2] CIP-002-5.1, Section A.6 Background, Transition illustration under header BES Cyber Systems

[3] Glossary of Terms Used in NERC Reliability, August 20, 2014, Page 10

[4] CIP-002-5.1, Section A.6 Background, Paragraph under header Reliable Operation of the BES

[5] NERC Functional Model V5 dated 5/12/2010

[6] CIP-002-5.1, Section A.6 Background, Paragraph under header Real-Time Operations

[7] CIP-002-5.1, Section A.6 Background, First paragraph under header Transition illustration under header BES Cyber Systems subsection

[8] CIP-002-5.1 – Attachment 1, Impact Rating Criteria

[9] CIP-002-5.1 – Section B, Requirement R1

[10] CIP-002-5.1 – Section B, Measurement M1

[11] WECC CIP v5 Roadshow, May 14-15, 2014 – CIP-002-5 Outreach Session, Dr. Joseph B. Baugh, Presenter, Slides 21-40

[12] WECC CIP v5 Roadshow, May 14-15, 2014 – CIP-002-5 Outreach Session, Dr. Joseph B. Baugh, Presenter, Slides 41 and 43

[13] WECC CIP v5 Roadshow, May 14-15, 2014 – CIP-002-5 Outreach Session, Dr. Joseph B. Baugh, Presenter, Slide 47

[14] WECC CIP v5 Roadshow, May 14-15, 2014 Salt Lake City – CIP-002-5 Outreach Session, Dr. Joseph B. Baugh, Presenter, Slides 49-53

[15] NERC Lessons Learned, CIP Transition Program, CIP-002-5 R1, Group BES Cyber Assets, January 31, 2014

[16] NERC Lessons Learned, CIP Transition Program, CIP-002-5 R1, Group BES Cyber Assets, January 31, 2014

[17] NERC Lessons Learned, CIP Transition Program, CIP-002-5 R1, Group BES Cyber Assets, January 31, 2014

[18] Glossary of Terms Used in NERC Reliability, August 20, 2014, Page 10

[19] Critical Infrastructure Protection (CIP) Version 5 Revisions, NERC 2014 Standards and Compliance Fall Workshop, September 24, 2014

[20] CIP-005-5, Section B, Requirement 1.1

[21] WECC CIP v5 Roadshow, May 14-15, 2014 – CIP-005-5 Outreach Session, Mick Neshem, Presenter, Slide 18

[22] WECC CIP v5 Roadshow, May 14-15, 2014 – CIP-005-5 Outreach Session, Mick Neshem, Presenter, Slide 25

[23] WECC CIP v5 Roadshow, May 14-15, 2014 – CIP-005-5 Outreach Session, Mick Neshem, Presenter, Slides 34-36

[24] WECC CIP v5 Roadshow, May 14-15, 2014 – CIP-005-5 Outreach Session, Mick Neshem, Presenter, Slide 40

[25] WECC CIP v5 Roadshow, May 14-15, 2014 – CIP-005-5 Outreach Session, Mick Neshem, Presenter, Slide 42

[26] WECC CIP v5 Roadshow, May 14-15, 2014 – CIP-005-5 Outreach Session, Mick Neshem, Presenter, Slide 42

[27] WECC CIP v5 Roadshow, May 14-15, 2014 – CIP-005-5 Outreach Session, Mick Neshem, Presenter, Slide 71

[28] WECC CIP v5 Roadshow, May 14-15, 2014 – CIP-005-5 Outreach Session, Mick Neshem, Presenter, Slide 93
