NERC Issues Mandatory Data Request to All NERC Registered Entities

August 12, 2010

On August 6, 2010, the North American Reliability Corporation (NERC) issued for the first time a mandatory data request directed to all NERC registered entities in the United States and Canada.1  The data request seeks to assess the impact of revising the criteria used to identify critical assets for purposes of compliance with NERC’s cyber security standards CIP-002 through CIP-009. Responding to the data request will provide registered entities the first opportunity to assess whether the revised criteria will significantly increase their compliance obligations. Responses to the data request are due by September 7, 2010.

Background

Reliability Standard CIP-002 requires registered entities to use a risk-based assessment methodology to self-identify their “critical assets”—i.e. facilities, systems, and equipment which, if destroyed or rendered unavailable, would affect the reliability of the bulk electric system. The standard, however, does not prescribe the adoption of a particular risk-based assessment methodology. Registered entities that have identified critical assets must comply with the cyber security reliability standards to establish protective measures against potential attacks to programmable electronic devices and communication networks.

In Order No. 706, the Federal Energy Regulatory Commission (FERC) directed NERC to provide additional guidance regarding the development of a risk-based assessment methodology for the identification of critical assets. In response to FERC’s directive, NERC is proposing to revise CIP-002 by adding bright line criteria for the identification of critical assets. The purpose of the data request is to gather empirical data on the impact that the proposed bright line criteria would have on the identification of critical assets.

Data Request

The data request consists of four questions and is directed to each of the registered entities subject to CIP-002. NERC states that it will contact the entities expected to respond to the data request. The first question asks to quantify the critical assets that the registered entities previously identified using their current methodology. The second question asks the registered entities to use the proposed bright line criteria to categorize their current critical assets as high, medium, or low impact assets. Attachment 1 to the data request contains the bright line criteria to be applied. The third question asks the registered entities to estimate the number of critical assets, and the impact level, that would be identified using the proposed bright line criteria instead of the current risk-based methodology. The final question requires the respondent to provide its NERC Compliance Registry number.

The data request provides that registered entities should coordinate their responses on a company-wide basis. For jointly owned facilities, NERC recommends that the operator of the facility be designated as the responder to ensure that critical assets are not accounted for more than once. NERC also states that the data request does not seek critical energy infrastructure information (CEII) and that NERC will not make publicly available any entity-specific information that it collects.

Responses to the data request must be completed by 5:00pm EDT on September 7, 2010 using the following website: https://www.nerc.net/nercsurvey/Survey.aspx?s=13b2fab74ab34943add9ff0885a56884

Implications

The current version of CIP-002 makes each registered entity responsible for choosing or developing a risk-based assessment methodology and self-identifying its critical assets. The adoption of bright line criteria is likely to increase consistency and transparency in how critical assets are identified and to make the entire critical asset identification process simpler and more objective. However, the result could be longer lists of critical assets.

The data request will disclose to NERC whether the proposed bright line criteria capture more or fewer critical assets than the methodologies currently used, i.e. whether the current methodologies are under- or over-inclusive. The data request will also give registered entities a first assessment of how their compliance obligations may change if the proposed criteria are adopted. Registered entities currently not subject to cyber security reliability standards—because they have not identified any critical assets—may become subject to new compliance obligations if critical assets are identified under the proposed bright line criteria. Similarly, registered entities that identify additional critical assets under the bright line criteria may need to adopt additional measures to ensure compliance with the cyber security reliability standards.

Once adopted by NERC, the proposed revisions to CIP-002 will be filed with FERC and subject to a comment period. The proposed revisions, and any related bright line criteria, will become mandatory only upon FERC approval.

1 The data request is available for download at http://www.nerc.com/fileUploads/File/News/FINAL_CIP-002_Critical_Asset_Methodology_Data_Request_REVISED_20100809.pdf  


Van Ness Feldman regularly assists clients with reliability compliance matters before FERC, NERC, and Regional Reliability Entities. If you would like additional information on NERC’s data request or need assistance responding to the data request, please contact Gary Bachman, Andrew Art, Vincenzo Franco, or any member of our Electricity practice at (202) 298-1800 in Washington, D.C. or (206) 623-9372 in Seattle, WA, or at www.vnf.com