Low-impact assets and NERC CIP-003-9: Should dos vs must dos

Perhaps the best way to think about how to respond to NERC-CIP-9, which seeks to protect the bulk electric system from a coordinated attack on smaller, low-impact assets which can result in a catastrophic event on the interconnected system, is this: Rather than think in terms of complying with the new standard, think about defending yourself in court after a malicious attack through your facility.

The panel of specialists in the second of three NAES webinars on the subject put it a bit more gingerly: What you should do vs what you must do. Example: Regarding remote access by vendors, a site must determine who, how, and where vendors access devices and have a program to document its methodology for remote access controls. What should you do? Suggests the panel, automate the detection of vendor access, alarm occurrences of such access (to the control room, for example), and long and record all sessions in which vendors made changes to the system.

That might not sound so terrible until you realize that some of your primary vendors might have fifty people authorized to access equipment on your site remotely.

Here’s another example: A site must have procedures to disable access to the network boundary (not the device) and physical or electronic methods for removing access. What you should do is:

  • Have granular controls per vendor
  • Test and validate controls per vendor and cyber-asset
  • Have methods for terminating a previously authorized session (even mid-session)
  • Form a global access management team with a two-man rule

There are several of these examples available in the recording of the webinar.

The panel concedes that some of the key language in the draft is fuzzy, but NERC will be making modifications during the 18 months owner/operators have to comply. The term asset, for example, is not explicitly defined in 003 (unlike in 002); thus, it is difficult to define the scope a site implementation. Another term, the asset boundary, which experts call a “term of art,” is not a NERC-defined term.

What should sites do know? That’s difficult to say, but be prepared for today’s “shoulds” to become tomorrow’s “musts.”

Access CCJ recaps and recordings of the three webinars here:

Scroll to Top