Friday, January 9, 2015

Correction to My Post on CIP-002-5.1 R1 Compliance Methodology

Kevin Perry, Chief CIP Auditor of SPP, took strong exception to one of the paragraphs in my recent post on the compliance methodology for CIP-002-5.1 R1.  The paragraph – at the end of the section headed “Task 3” – outlined a final step I thought should be taken after the entity completes the “top-down” identification of BES Cyber Systems.  It reads:

"The final step of the top-down approach is to identify the component Cyber Assets that make up each potential BCS.  These will be either BES Cyber Assets or Protected Cyber Assets.  Since almost the same requirements apply to both BCAs and PCAs, it might be easier just to declare them all BCAs."

Kevin pointed out that you shouldn't label a component of a BCS as a BCA unless it actually meets that definition.  A BCS must contain at least one BCA but can also include non-BCAs.  Once included as a component of a BES Cyber System, it no longer matters whether the Cyber Asset is a BCA in its own right.  The requirements all apply to the BCS, not the individual components.

Kevin also pointed out that you shouldn't label a BCS component as a PCA; this is because at the time you are identifying BCA and BCS, CIP-005-5 R1 and the concept of PCA are not in play.  From the perspective of CIP-002-5, there are BCA and there are non-BCA, both of which can constitute a BCS.  The PCA only results from inclusion within a defined ESP, which does not exist until the BCS have already been identified.  I agree with both of these points, of course, and thank Kevin for making them to me.  He has just saved you an extra step which wouldn't serve any compliance purpose.

Note: Kevin pointed out a more fundamental issue with Tasks 3 and 4 in my post.  I will have a new post out addressing that in a few days.

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.
