
    Security Guideline for the Electricity Sector:

    Identifying Critical Assets

Preamble:

    It is in the public interest for NERC to develop guidelines that are useful for improving the reliability of the Bulk Electric System (BES).[1] Guidelines provide suggested guidance on a particular topic for use by BES entities according to each entity’s facts and circumstances and are not to provide binding norms, establish mandatory reliability standards, or be used to monitor or enforce compliance.

    This Guideline is the first part of a two volume set. This volume provides a methodology to identify Critical Assets essential to the reliable operation of the BES. The resulting list of Critical Assets is used as input to identify Critical Cyber Assets as described in Volume Two.

    The second volume of this Guideline provides a methodology to identify which, if any, of the Cyber Assets associated with each Critical Asset are essential to their operation, and therefore qualify as Critical Cyber Assets as described in NERC Standard CIP-002-1 R3. The Critical Cyber Assets on the resulting list are to be protected as required by NERC Critical Infrastructure Protection cyber security standards CIP-003-1 through CIP-009-1.

    Purpose:

    This Guideline provides a methodology to help identify BES assets which are critical assets as described in CIP-002-1 R2.

    This methodology is intended to provide a basis for making a reasonable determination of whether or not the loss of an applicable BES asset would affect the reliability or operability of the BES.

    [1] Note: For purposes of this document, the terms “Bulk Power System” and “Bulk Electric System” are considered to be identical. NERC will revisit the document when the issues relating to different uses of the term are resolved. In the interim, the reader should assume a broader and more inclusive definition if any specific differences in actual definitions are encountered.

Identifying Critical Assets

    Version 0.8

    Approved by: Critical Infrastructure Protection Committee

    Effective Date: XXXX X, 2008

Scope of Application:

    The criteria in this Guideline are not requirements, nor should they be construed as such. This Guideline does not supersede reporting required for power system operation or as required by law.

    Applicability:

    NERC Standard CIP-002 requires that applicable responsible entities identify and document a risk-based methodology to identify Critical Assets. Application of the risk-based assessment must result in a list of Critical Assets (even if such list is null), defined in terms of facilities, systems, and equipment which, if destroyed, degraded, compromised or otherwise rendered unavailable, would affect the reliability of the BES as a whole, not the risk to a Responsible Entity’s individual asset.

    Figure 1 provides a commonly accepted definition of risk. As illustrated, “Risk” is a function of Impact or Consequences and the Probability of Occurrence of an attack.

    Figure 1: Risk = Impact/Consequences x Probability of Occurrence, where Probability of Occurrence = Threat x Vulnerability

    The Probability of Occurrence of an attack is determined by considering the Threat against a particular facility or system and the Vulnerability of that facility or system to that Threat.

    A threat is “the potential for a particular threat-source to successfully exploit a particular vulnerability” according to NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, which discusses a variety of threat sources, motivations, and actions. Quantitatively determining threat is a difficult and subjective task. For example, the physical threat to an obscure low power substation would clearly seem to be different than that of a denial-of-service cyber threat on a transmission grid control system; however, the difference is difficult to characterize or quantify. A conservative approach is to assume that threats always exist.

    Likewise, vulnerability is “a weakness that can be accidentally triggered or intentionally exploited”. Quantifying vulnerabilities is also difficult and dynamic. Cyber hackers discover new vulnerabilities every day. Therefore, it is conservative to assume that vulnerabilities will always be present in any network or physical protection scheme.

    In developing the “risk-based” assessment methodology, threat and vulnerabilities are assumed to exist. For example, it is assumed a control system placed directly on the Internet without a firewall will be compromised, which makes the Probability of Occurrence 1.0. Therefore, the “risk-based” assessment essentially becomes an “Impact Analysis” from the point of view of the BES. In other words, if an asset is destroyed, degraded, compromised, or otherwise rendered unavailable[2] and impacts the reliability or operability of the BES, then the asset is a Critical Asset, regardless of the types of threats or vulnerabilities that may exist.

    This “risk-based” assessment methodology reduces the evaluation to a simple question: Does an asset if destroyed, degraded, compromised or otherwise rendered unavailable, impact the reliability of the BES?

    Definitions:

    NERC Glossary Terms Used:

    Refer to the NERC Glossary for definitions of the following terms:

    Critical Assets

    Cyber Assets

    Critical Cyber Assets

    Element

    Interconnection Reliability Operating Limit

    [2] Responsible Entities should consider BES reliability impacts from intentional or unintentional changes in an asset's functional integrity, not solely its availability. Questions such as "Can this asset be mis-configured in such a way as to impact BES reliability?" should be asked in addition to "Is the BES reliability impacted by the loss of this asset?" 'Compromised' is related to 'degraded', but degraded usually implies the asset is operating in a noticeably hampered state, while the effects of a compromise may not be immediately apparent.


    Additional Terms Used in the Document Not Defined as NERC Glossary Terms:

    Control Center: For the purpose of this Guideline, control centers are defined to perform one or more of the functions listed below for multiple, geographically separated BES assets (generation plants, substations, etc.). Functions of a control center typically include one or more of the following:

    - Supervisory control of BES assets, including generation plants, transmission facilities, substations, AGC systems and automatic load-shedding systems

    - Data acquisition, aggregation, processing, interutility exchange, and display

    - BES and system status monitoring and processing for reliability and asset management purposes (e.g., for situational awareness)

    - Alarm monitoring and processing

    - Support for, or coordination of, BES restoration activities

    Transmission Elements: Elements that perform a switching, transforming voltage, regulating power, or metering function on the BES or are components of associated protection systems.[3]

    Reliability of BES: For purposes of CIP-002, Reliability of the BES is defined as: The extent to which BES assets are operated within equipment and electric system thermal, voltage, frequency, and stability limits such that instability, uncontrolled separation, or cascading failures of such a system will not occur as a result of a sudden disturbance, including a cybersecurity incident, or unanticipated failure of system Elements.[4]

    Common Mode Impact: Impact on multiple components, systems, units or facilities with similar, same or related functions due to a single event.

    [3] The terms transmission and element are independently defined in the NERC Glossary but in this Guideline are defined together as indicated.

    [4] From Title 16 United States Code, Chapter 12, Subchapter II, Regulation of Electric Utility Companies Engaged in Interstate Commerce, Section 824o, for “reliable operation”.


Guideline Details:

    Overall Approach

    This Guideline defines which assets should be evaluated, provides risk-based evaluation criteria for determining Critical Assets, and provides examples of reasonable bases that could be used to determine if an asset meets any of the evaluation criteria. The process of identifying Critical Assets in this Guideline consists of the following five steps:

    A. Determination of asset types that should be evaluated.

    B. Defining assets

    C. Application of evaluation criteria

    D. Listing essential functions

    E. Documentation of assessment.

    Section A defines which assets should be evaluated. Section B describes how and at what level of detail Critical Assets should be defined and special considerations with respect to asset types. Section C defines the evaluation criteria used to determine if an asset is a Critical Asset. Section D discusses listing all the essential functions of the asset. Section E discusses what should be documented and what forms a reasonable basis for determining whether assets meet evaluation criteria. It also describes the importance of sharing information with other BES entities.

    A. Determination of Asset Types That Should Be Evaluated

    An entity should first identify all of the BES assets for which it is responsible. BES assets to be evaluated against the risk-based criteria may include facilities, systems, or equipment.

    Facility types, systems and equipment that may be evaluated include:

    Transmission Substations: Facilities containing BES transmission Elements that perform electrical Element switching, transforming voltage, regulating power, or metering on the BES.

    Generation Resources: Assets owned or operated by a Responsible Entity that meet criteria for their inclusion into the NERC compliance registry.[5]

    [5] Per Statement of NERC Compliance Registry Criteria (Rev 4.0):

    - Individual generating unit > 20 MVA (gross nameplate rating) and is directly connected to the bulk power system, or;

    - Generating plant/facility > 75 MVA (gross aggregate nameplate rating) or when the entity has responsibility for any facility consisting of one or more units that are connected to the bulk power system at a common bus with total generation above 75 MVA gross nameplate rating, or;

    - Any generator, regardless of size, that is a blackstart unit material to and designated as part of a transmission operator entity’s restoration plan, or;

    - Any generator, regardless of size, that is material to the reliability of the bulk power system.

    Control Centers: Operations facilities containing primary or backup control systems that are used to monitor and/or operate BES equipment.[6] Also see “Systems,” following.

    [6] The NERC Glossary does not define the term “Control Center”, but the CIP Guideline entitled “Control System Business Network Electronic Connectivity” defines it as: “Those facilities, systems, and equipment that comprise the operational real-time control environment, services, diagnostics, and functional capabilities necessary for the effective and reliable operation of the BES.”

    Systems: Systems that perform a function essential to maintaining reliable operation of the BES. Systems, in this case, are those that if destroyed, degraded or compromised may influence the ability to maintain reliable operation of the BES. This includes Systems that support wide-area reliability through one or more of the following:

    - Situational awareness,

    - Supervising and control capability,

    - Special Protection systems

    - Systems essential to BES restoration

    - Systems performing automatic load shedding

    - Other systems that may perform a function directly related to BES system reliability

    Systems with scope and/or potential impact limited to a single noncritical BES facility are not expected to be evaluated independently as Critical Assets. For example, a control system with scope limited to a single generation resource would not be evaluated as a Critical Asset. However, it may receive additional evaluation in Volume Two if its associated generation resource is a Critical Asset.

    Equipment: An entity may wish to perform Critical Asset identification at a lower level of resolution by identifying the specific equipment within facilities or systems capable of influencing the BES. Identification of Critical Assets at the equipment level may facilitate a more directed approach to ensuring the appropriate equipment is afforded the protection outlined in the CIP standards. For example, an entity may wish to evaluate the specific transmission Elements within a substation.

B. Defining Assets

    It is expected that Critical Assets will primarily be identified either as facilities or special Systems impacting the BES. The evaluation criteria presented in Section C are specific to facilities and systems. However, an entity may also consider identifying specific equipment within facilities. A logic diagram that shows identification of a Critical Asset as an element or system is shown in Appendix A.

    It is not intended that systems or equipment that are elements of a facility identified as a Critical Asset be identified separately from the facility. Those systems can be considered part of the Critical Asset.

    There is a special consideration related to defining generator assets. Generator units should not be considered separate facilities if there is a support or control system that spans the units. If common support or control systems span the units, then the units as a set should be defined as the facility, because of the potential for Common Mode Impact. It is intended that Common Mode Impact concerns within a facility will be addressed thoroughly in Volume Two of this Guideline. A logic diagram that shows other decision points related to identification of a Generation Resource as a Critical Asset is shown in Appendix B.

    Generation Assets to be evaluated are expected to be dispatchable. Certain kinds of generation (e.g. wind, solar, run-of-river hydro) cannot be relied upon to support the BES at any given time, so the grid is operated to accommodate the possible loss of output from these sources.

    Control centers are also of special interest in defining assets. Control centers typically contain a number of computer-based systems and the office infrastructure (workstations, tables, telephones, etc.) necessary for them to be manned by specially trained BES operations personnel.[7] Control centers may be instantiated in multiple locations within a given facility, or in multiple facilities. They may or may not be collocated with other BES assets. Control centers may or may not be Critical Assets, according to the criteria described in Section C. If a control center is determined to be a Critical Asset, cyber assets that support its operation should be evaluated to determine whether they are Critical Cyber Assets.

    [7] Depending on its specific set of functions, a control center may be manned on a 7x24 basis, manned part time, or unmanned. Fully automated and backup control centers are normally unmanned.

    BES control facilities that have been identified as control centers based on the definitions presented in Section A should be evaluated as potential Critical Assets according to the criteria in Section C, Table C-3. With one exception, discussed in the paragraph immediately following, control centers that are collocated with one or more other BES assets should be evaluated separately from those assets in order to determine whether or not they are Critical Assets.

    The exception to this guidance applies to what will be referred to here as “single-asset control centers,” which are control centers that perform supervisory control and/or monitoring functions for a single BES asset (e.g. plant control system controlling a single generating unit). In such instances, it should not be necessary to evaluate a control center separately from the single BES asset it controls and/or monitors.[8]

    A final area of special interest in defining assets is related to transmission. The concern is ensuring that certain switch yards are appropriately considered and not inadvertently overlooked. Switch yards on the premises of a generating resource need to be considered either as part of the generating resource or as part of transmission. In some cases there may be a need to communicate between Responsible Entities which one of them is considering the switchyard.

    C. Application of Evaluation Criteria:

    The Critical Asset evaluation criteria are organized into separate tables for Transmission Substations, Generator Resources, Control Centers and Special Systems. The evaluation criteria themselves are presented in the first column and examples (not an exhaustive set) considered reasonable bases for the determination of a Critical Asset are presented in the second column. Responsible Entities are encouraged to cooperate with Reliability Coordinators and Balancing Authorities in performing the evaluation of assets against these criteria. Assets meeting any single criterion should be considered Critical Assets.

    [8] As discussed earlier in this Guideline, if that single BES asset is determined to be a Critical Asset, the Cyber Assets comprising the control systems should subsequently be evaluated to determine whether they are Critical Cyber Assets.

    Table C-1 Evaluation Criteria for Transmission Substations

    Criteria: Essential to system restoration.
    Example Bases: Transmission critical to system restoration, including substations identified in a primary Cranking Paths document in the regional system restoration plan developed pursuant to the EOP standards (e.g. EOP-004-1, 005-1, 007-0 or 008-0).

    Criteria: Essential to critical generation.
    Example Bases: The loss of the substation, as determined by an engineering evaluation or other assessment method, may result in the loss of generation identified as a Critical Asset; or the substation is identified as essential to meeting Nuclear Plant Interface Requirements developed in accordance with NUC-001. If an entity is responsible for a substation associated with a facility regulated by the Nuclear Regulatory Commission, the entity should refer to NUC-001 and associated Nuclear Plant Interface Requirements (NPIR).

    Criteria: Essential for voltage support.
    Example Bases: The loss of the substation, as determined by an engineering evaluation or other assessment method, may result in any of the following:

    - Sustained voltage excursions equal to or greater than ±10%

    - Voltage going below the under-voltage load shed points

    - System-wide voltage reductions of 3% or more

    or the loss of the substation, as determined by an engineering evaluation or other assessment method, may result in an Interconnection Reliability Operating Limit (IROL) violation (FAC-011-1).

    Criteria: Essential for frequency support.
    Example Bases: The loss of the substation, as determined by an engineering evaluation or other assessment method, may result in any of the following:

    - Frequency going below the under-frequency load shed points.

    Criteria: Essential for system stability.
    Example Bases: The loss of the substation, as determined by an engineering evaluation or other assessment method, may result in any of the following:

    - Complete operational failure or shutdown of the transmission system

    - Diminished system restoration capability

    - Transmission line thermal limits exceeded beyond 135% of normal rating

    - Impact to reliability of neighboring system

    or the loss of the substation, as determined by an engineering evaluation or other assessment method, may result in an Interconnection Reliability Operating Limit (IROL) violation (FAC-011-1).
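    As an added example that is not part of the NERC Guideline, the following Python encodes the Table C-1 criteria as predicates over the results of an entity's own engineering evaluation and applies the Section C rule that an asset meeting any single criterion is a Critical Asset, keeping the matching bases so the determination can be documented (Section E). Because threat and vulnerability are assumed present (Probability of Occurrence = 1.0), the evaluation is purely an impact check. The field names, the `SubstationAssessment` structure and the sample substations are constructed for illustration; only the thresholds (±10%, 3%, 135%, the load-shed points, IROL) come from the table.

```python
"""Added example (not the Guideline's own code): apply Table C-1 to
engineering-evaluation results and build a documented Critical Asset list.

Assumptions: each input flag/value is the outcome of the entity's engineering
evaluation of losing that substation; field names are constructed here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class SubstationAssessment:
    """Results of evaluating the loss of one substation (constructed schema)."""
    name: str
    in_cranking_path: bool = False            # listed in a primary Cranking Paths document (EOP plan)
    drops_critical_generation: bool = False   # loss results in loss of generation that is a Critical Asset
    essential_to_npir: bool = False           # essential to Nuclear Plant Interface Requirements (NUC-001)
    max_voltage_excursion_pct: float = 0.0    # magnitude of sustained voltage excursion, in percent
    below_uvls_setpoint: bool = False         # voltage falls below under-voltage load shed points
    system_wide_voltage_reduction_pct: float = 0.0
    irol_violation: bool = False              # IROL violation (FAC-011-1)
    below_ufls_setpoint: bool = False         # frequency falls below under-frequency load shed points
    transmission_shutdown: bool = False       # complete operational failure or shutdown
    diminished_restoration: bool = False      # diminished system restoration capability
    max_thermal_loading_pct: float = 100.0    # worst line loading, percent of normal rating
    impacts_neighbor: bool = False            # impact to reliability of neighboring system


# (criterion, example basis, predicate). Thresholds are those of Table C-1;
# the IROL basis appears under both voltage support and system stability, as in the table.
CRITERIA: List[Tuple[str, str, Callable[[SubstationAssessment], bool]]] = [
    ("Essential to system restoration", "substation in a primary Cranking Path", lambda a: a.in_cranking_path),
    ("Essential to critical generation", "loss of generation identified as a Critical Asset", lambda a: a.drops_critical_generation),
    ("Essential to critical generation", "essential to NPIR (NUC-001)", lambda a: a.essential_to_npir),
    ("Essential for voltage support", "sustained voltage excursion >= 10%", lambda a: a.max_voltage_excursion_pct >= 10.0),
    ("Essential for voltage support", "voltage below under-voltage load shed points", lambda a: a.below_uvls_setpoint),
    ("Essential for voltage support", "system-wide voltage reduction >= 3%", lambda a: a.system_wide_voltage_reduction_pct >= 3.0),
    ("Essential for voltage support", "IROL violation (FAC-011-1)", lambda a: a.irol_violation),
    ("Essential for frequency support", "frequency below under-frequency load shed points", lambda a: a.below_ufls_setpoint),
    ("Essential for system stability", "complete operational failure or shutdown of the transmission system", lambda a: a.transmission_shutdown),
    ("Essential for system stability", "diminished system restoration capability", lambda a: a.diminished_restoration),
    ("Essential for system stability", "thermal limits exceeded beyond 135% of normal rating", lambda a: a.max_thermal_loading_pct > 135.0),
    ("Essential for system stability", "impact to reliability of neighboring system", lambda a: a.impacts_neighbor),
    ("Essential for system stability", "IROL violation (FAC-011-1)", lambda a: a.irol_violation),
]


def evaluate_substation(a: SubstationAssessment) -> List[Tuple[str, str]]:
    """Return every (criterion, basis) pair the substation meets.
    Any single match makes it a Critical Asset; an empty list means it is not."""
    return [(crit, basis) for crit, basis, pred in CRITERIA if pred(a)]


def critical_asset_list(assessments: List[SubstationAssessment]) -> Dict[str, List[Tuple[str, str]]]:
    """Build the documented Critical Asset list (name -> bases).
    Assets meeting no criterion are omitted, so the list may legitimately be null."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    for a in assessments:
        bases = evaluate_substation(a)
        if bases:
            result[a.name] = bases
    return result


# Constructed sample assessments (not real substations).
SAMPLE = [
    SubstationAssessment("Sub-A", max_voltage_excursion_pct=12.5),          # exceeds the 10% excursion threshold
    SubstationAssessment("Sub-B", max_thermal_loading_pct=120.0),           # 120% is within the 135% limit: no match
    SubstationAssessment("Sub-C", in_cranking_path=True, irol_violation=True),  # restoration path plus IROL
]

if __name__ == "__main__":
    for name, bases in critical_asset_list(SAMPLE).items():
        print(f"{name} is a Critical Asset because:")
        for crit, basis in bases:
            print(f"  {crit}: {basis}")
```

    Run with no arguments to print the basis for each sample determination. The "beyond 135%" wording is implemented as a strict greater-than, so a line loaded to exactly 135% does not by itself qualify, while the voltage criteria use "equal to or greater than" and therefore match at the threshold.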
