Kevin Perry, Chief CIP Auditor of SPP, took strong exception to one of the paragraphs in my recent post on the compliance methodology for CIP-002-5.1 R1. The paragraph – at the end of the section headed “Task 3” – outlined a final step I thought should be taken after the entity completes the “top-down” identification of BES Cyber Systems. It reads:
"The final step of the top-down approach is to identify the component Cyber Assets that make up each potential BCS. These will be either BES Cyber Assets or Protected Cyber Assets. Since almost the same requirements apply to both BCAs and PCAs, it might be easier just to declare them all BCAs."
Kevin pointed out that you shouldn't label a component of a BCS as a BCA unless it actually meets that definition. A BCS must contain at least one BCA but can also include non-BCAs. Once included as a component of a BES Cyber System, it no longer matters whether the Cyber Asset is a BCA in its own right. The requirements all apply to the BCS, not the individual components.
Kevin also pointed out that you shouldn't label a BCS component as a PCA; this is because at the time you are identifying BCA and BCS, CIP-005-5 R1 and the concept of PCA are not in play. From the perspective of CIP-002-5, there are BCA and there are non-BCA, both of which can constitute a BCS. The PCA only results from inclusion within a defined ESP, which does not exist until the BCS have already been identified. I agree with both of these points, of course, and thank Kevin for making them to me. He has just saved you an extra step which wouldn't serve any compliance purpose.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.