NERC CIP Asset Identification 

Apr 21, 2025 | blog

Welcome to the first blog in our new series on NERC CIP compliance and OT security! This blog focuses on asset identification, an essential process for ensuring NERC CIP compliance. Whether you’re a seasoned professional or new to NERC CIP, you’ll gain actionable insights into managing assets and securing your operational technology. Now, let’s dive into the critical topic of asset identification and its role in NERC CIP compliance. 

Asset identification is a cornerstone of NERC CIP compliance, yet it’s often one of the most misunderstood aspects of the process. If you work for a NERC entity subject to CIP compliance at the low, medium or high impact level, it’s good to know something about the different asset types. However, you should never take it upon yourself to identify or classify assets unless you have been asked to do that; these decisions require a lot of contextual knowledge. On the other hand, if you feel someone has made a mistake in identifying or classifying a NERC CIP asset, you should bring this up with your CIP compliance team.

The following are the primary types of assets subject to NERC CIP compliance: 

Cyber Asset. This is defined as a “programmable electronic device”. What does “programmable” mean? In 2016, that question became crucial to NERC CIP compliance, because of the fundamental role that Cyber Assets play in asset identification under CIP version 5 and all later versions of the CIP Reliability Standards.  

Today, there’s still no definition of “programmable”. However, most NERC entities have long ago documented a heuristic approach to distinguish programmable from non-programmable electronic devices. You need to follow your organization’s approach to “programmable”. In general, if an electronic device contains a microprocessor, the device will be considered a Cyber Asset, although the converse isn’t true. In other words, if a device lacks a microprocessor, this doesn’t mean it is not a Cyber Asset. 

BES Cyber Asset (BCA). Every device that has been identified as a Cyber Asset must be evaluated as to whether it is a BCA (unless it is located at a low impact asset). You should read the full definition of BCA, but here is the CliffsNotes™ version: “A device whose loss, compromise, misuse, etc. when needed would affect the reliable operation of the Bulk Electric System (BES) within 15 minutes.” (my emphasis)

It’s important to understand these points about BCAs: 

  1. “Impact” has never been defined, so you need to assume that any BES impact, no matter how small, makes a Cyber Asset a BCA. Therefore, if the Cyber Asset has any connection to a transmission substation, fossil or renewable generation facility, or Control Center, it is safer to classify it as a BCA (or perhaps a “potential BCA”, if someone else needs to make the final decision). 
  1. Note that BCAs can be found in low, medium and high impact facilities. However, in low impact facilities, designating BCAs may not be required. Before spending a lot of time identifying BCAs in a low impact facility, it is a good idea to discuss whether this is necessary with management. 
  1. “15 minutes” is misleading, since in most cases BES impact will be almost instantaneous. The NERC Standards Drafting Team (SDT) that drafted CIP version 5 wanted to use the word “instantaneous”. However, they realized it would be a mistake to include that in the BCA definition, since then there would be endless arguments about whether one microsecond or one picosecond was effectively “instantaneous”. The SDT decided that setting the threshold at 15 minutes would prevent such arguments, but it would also prevent slow-moving processes (e.g., loading coal into a coal plant through a barge and a long conveyor belt) from being identified as having “BES impact”. The general idea is that, if there’s always enough time to prevent damage to the BES from a compromised Cyber Asset, the Cyber Asset doesn’t have a sub-15-minute impact and is not a BCA.
  1. What about the case where a relay is compromised, but that isn’t known until it’s ordered to open a line three months later and it doesn’t do it? Obviously, that’s not 15 minutes. That’s where “when needed” comes in. The BES impact occurs when the relay is needed to open the line, not when it’s compromised. In other words, the 15-minute clock starts running when the relay is commanded to open the line.  
  1. Even if a Cyber Asset is fully redundant, meaning its “twin” will immediately take over if it is compromised, the Cyber Asset still has an impact on the BES and is a BCA. What if the failover system fails as well, since it should “reflect” whatever flaws are found in the BCA itself? 
  1. What if the Cyber Asset just monitors the BES? Can it be a BCA? Yes, that’s where “reliable operation” comes in. The reliable operation of the BES requires constant monitoring. If an asset that performs monitoring is lost and a dangerous situation arises, the lack of that monitoring can cause a disaster. In fact, that was the case during the 2003 Northeast Blackout, when the lack of proper monitoring in two instances turned a manageable local outage into a blackout that killed six people and brought down a huge swath of the eastern US and Canada. That blackout also resulted in the (at the time) voluntary NERC standards being made mandatory.
  1. If a Cyber Asset is connected within an ESP for less than 30 consecutive days, it’s not a BCA. When FERC approved CIP version 5 in 2013, they noted that this clause in the definition opened a huge door for attackers to compromise the BES. They ordered NERC to develop what became CIP-010 Requirement R4, “Transient Cyber Assets and Removable Media”.  

BES Cyber System (BCS). This is defined as “One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.” Given that the purpose of the NERC CIP Reliability Standards is to “protect BES Cyber Systems”, it might seem strange that BCS is just defined as a grouping of BCAs. However, it’s true that the most important definition in NERC CIP is BCA, not BCS.  

There are no restrictions on how BCAs can be grouped into BCS: 

  1. A BCS can include just one BCA or it can include thousands. 
  1. Devices that are not BCAs but are networked with a BCA should normally be included in the BCS that includes the BCA; if not, they should be identified as Protected Cyber Assets (see below). 
  1. BCAs that are part of one BCS can be on one network at one location, or they can be on hundreds of separate networks at hundreds of locations. 
  1. BCAs can be grouped in different ways for different requirements. For example, compliance with requirements that apply to individual BES Cyber Assets, like CIP-007 R2 Patch Management, might be easier if a BCS were defined to be a single BCA. However, compliance with requirements that just apply on a system level, like all the requirements in CIP-004, might be easier if the BCS were defined to be as inclusive as possible. 

Protected Cyber Asset (PCA). Since any Cyber Asset that’s connected to a network using a routable protocol can be used to compromise other assets on the same network, it doesn’t make sense to require a lot of controls for BES Cyber Assets, but no controls at all for other devices on the same network. Since PCAs are subject to almost all the CIP requirements that apply to BCA/BCS, all the devices within an ESP – other than EACMS and PACS – should be treated almost the same, as far as CIP compliance goes. 

Electronic Access Control or Monitoring Systems (EACMS). These are defined as “Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Devices.” Examples are firewalls, routers, AD servers, jump hosts, log monitoring and alerting systems, authentication servers, and more. 

Physical Access Control Systems (PACS). These are defined as “Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers.” Note that the components that control, alert, or log access to the Physical Security Perimeter (PSP) should be within the ESP, but that is not true for the mechanisms that effectuate that control. 
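To make the decision rules above concrete, here is an added illustrative example, written for this post rather than taken from FoxGuard, Cyberwatch or any NERC document. It encodes the rules in the order they are discussed: the entity’s “programmable” heuristic decides whether something is a Cyber Asset; the 30-consecutive-day ESP clause routes transient devices to CIP-010 R4; the 15-minute clock is measured from the moment the device is needed, and neither redundancy nor a monitoring-only role exempts a device; EACMS and PACS roles are recognized (excluding locally mounted PSP hardware); and any remaining routable device inside the ESP is treated as a PCA. The `Device` fields and the sample inventory are assumptions constructed for the example, and as the post says, the final classification call still belongs to your CIP compliance team.

```python
"""Added example: NERC CIP asset classification rules as a decision function.

Illustrative code for this post; not FoxGuard's or Cyberwatch's code. Device
fields and the sample inventory are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

FIFTEEN_MINUTES_S = 15 * 60   # the BCA definition's impact threshold
TRANSIENT_DAYS = 30           # the "less than 30 consecutive days" clause


class Category(Enum):
    NOT_CYBER_ASSET = "not a Cyber Asset"
    TRANSIENT = "Transient Cyber Asset (CIP-010 R4)"
    BCA = "BES Cyber Asset"
    EACMS = "EACMS"
    PACS = "PACS"
    PCA = "Protected Cyber Asset"
    OTHER_CYBER_ASSET = "Cyber Asset, no CIP category"


@dataclass
class Device:
    name: str
    site: str
    programmable: bool                     # per the entity's documented heuristic
    in_esp: bool                           # connected within an ESP
    consecutive_days_in_esp: int = 0       # consecutive days connected inside the ESP
    routable: bool = False                 # networked using a routable protocol
    # Seconds from the moment the device's function is needed until the BES is
    # affected if the device is lost, compromised or misused; None = no impact.
    seconds_to_impact_when_needed: Optional[int] = None
    eacms_role: bool = False               # electronic access control or monitoring
    pacs_role: bool = False                # controls, alerts or logs access to the PSP
    locally_mounted_at_psp: bool = False   # badge reader, lock mechanism, motion sensor


def classify(d: Device) -> Category:
    """Apply the asset identification rules in the order discussed in the post."""
    if not d.programmable:
        return Category.NOT_CYBER_ASSET
    # 30-day clause: inside the ESP for fewer than 30 consecutive days is not a BCA.
    if d.in_esp and d.consecutive_days_in_esp < TRANSIENT_DAYS:
        return Category.TRANSIENT
    # The 15-minute clock starts when the device is needed, not when it is
    # compromised. Redundancy and monitoring-only roles do not change this test.
    impact = d.seconds_to_impact_when_needed
    if impact is not None and impact <= FIFTEEN_MINUTES_S:
        return Category.BCA
    if d.eacms_role:
        return Category.EACMS
    # Locally mounted hardware at the PSP is excluded from the PACS definition.
    if d.pacs_role and not d.locally_mounted_at_psp:
        return Category.PACS
    # Any other routable device in the ESP gets PCA treatment (or joins a BCS).
    if d.in_esp and d.routable:
        return Category.PCA
    return Category.OTHER_CYBER_ASSET


def classify_inventory(devices: List[Device]) -> Dict[str, Category]:
    return {d.name: classify(d) for d in devices}


def summarize(devices: List[Device]) -> Dict[Category, int]:
    counts: Dict[Category, int] = {}
    for cat in classify_inventory(devices).values():
        counts[cat] = counts.get(cat, 0) + 1
    return counts


# Constructed sample inventory (not a real site); seconds_to_impact values are
# assumptions chosen to exercise each rule.
INVENTORY = [
    Device("relay-01", "substation-A", True, True, 400, True, seconds_to_impact_when_needed=0),
    Device("relay-01-standby", "substation-A", True, True, 400, True, seconds_to_impact_when_needed=0),
    Device("bes-monitoring-rtu", "substation-A", True, True, 400, True, seconds_to_impact_when_needed=0),
    Device("scada-hmi", "control-center", True, True, 900, True, seconds_to_impact_when_needed=60),
    Device("coal-conveyor-plc", "plant-B", True, True, 900, True, seconds_to_impact_when_needed=6 * 3600),
    Device("esp-firewall", "substation-A", True, True, 900, True, eacms_role=True),
    Device("badge-server", "substation-A", True, True, 900, True, pacs_role=True),
    Device("badge-reader-door-3", "substation-A", True, False, 0, False,
           pacs_role=True, locally_mounted_at_psp=True),
    Device("vendor-laptop", "substation-A", True, True, 3, True, seconds_to_impact_when_needed=0),
    Device("print-server", "substation-A", True, True, 900, True),
    Device("analog-panel-meter", "substation-A", False, False),
]

if __name__ == "__main__":
    for name, cat in classify_inventory(INVENTORY).items():
        print(f"{name:22s} -> {cat.value}")
```

Two details of the sample are worth noticing: the standby relay is classified as a BCA exactly like its twin, and the coal-conveyor PLC, whose impact only arrives hours after it is needed, falls through to PCA because it is still a routable device inside the ESP rather than because it has been shown to be harmless.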

Moving Forward Together 

Knowing your assets is where it all begins. Without a clear inventory, there’s no way to assess risks, address vulnerabilities, or ensure compliance with NERC CIP standards. At Foxguard, we understand that asset identification is a critical step in building a security process that evolves with your operations, and from there, it’s about turning data into action: prioritizing what matters, remediating vulnerabilities, and validating that your systems are secure. 

To make this process seamless, we’ve developed tools like Cyberwatch, designed to bring clarity to complex environments. By consolidating asset data, tracking changes in real time, and streamlining patch management, Cyberwatch helps you stay ahead of threats while meeting compliance requirements. 

Need help navigating NERC CIP compliance? Contact us today to learn how Foxguard’s solutions can simplify your asset identification and enhance OT security.
