Cyber Security Related FAQ
What is an IROL?
Answer: Interconnection Reliability Operating Limit (IROL) is a system operating limit which, if exceeded, could lead to instability, uncontrolled separation, or cascading outages that adversely impact the reliability of the bulk electric system. (See NERC under-development standard 200 and standard 600; IROL was not used in previous NERC policies or standards.)
Does redundancy of a critical bulk electric system asset or a Critical Cyber Asset change the criticality of these assets?
Answer: No. In NERC's cyber security standards, redundancy does not affect the criticality of any asset. Redundancy affects only availability and reliability; it does not improve integrity or information confidentiality, and may in fact increase the cyber asset's exposure to a cyber attack. For the purpose of security, each critical asset and its redundant critical asset(s) must be protected under the cyber security standards as Critical Cyber Assets.
Why have the following objectives from the definition of critical bulk electric system in the cyber security standard 1300 SAR been left out of the specific criteria used to identify critical bulk electric system assets in the proposed cyber security standards: "…would have a significant impact on the ability to serve customers for an extended period of time, ...or would cause significant risk to public health and safety"?
Answer: In keeping with the NERC mission, the cyber security standards' criteria for identifying critical bulk electric system assets are focused only on reliability criteria. The identification of critical assets which "…would have a significant impact on the ability to serve customers for an extended period of time...or would cause significant risk to public health and safety" should be performed by the asset owner in collaboration with federal, provincial, state, and local authorities as appropriate. Responsible Entities, using a risk-based assessment, must define any additional criteria necessary for identifying critical bulk electric assets.
In the cyber security standard, what is considered a routable protocol?
Answer: Routable protocols in the cyber security standard provide switching and routing as described by the Open System Interconnection (OSI) model layer 3 or higher.
The OSI model is a standard description or "reference model" that defines a networking framework for implementing protocols in seven layers. Control is passed from one layer to the next, starting at the application layer in one station, proceeding down to the bottom layer, over the channel to the next station, and back up the hierarchy. The OSI model is valuable as a single reference view of communication that furnishes everyone a common ground for education and discussion.
Layer 3 provides switching and routing technologies, creating logical paths, known as virtual circuits, for transmitting data from node to node. Routing and forwarding are functions of this layer, as well as addressing, internetworking, error handling, congestion control and packet sequencing. Examples of protocols that could be working at layer 3 are as follows: TCP/IP, Token Ring, DNP 3.0 (network mode only), etc.
The OSI model guides product implementers so that their products will work consistently with other products. Although OSI is not always adhered to strictly in terms of keeping related functions together in a well-defined layer, many if not most products involved in telecommunication make an attempt to describe themselves in relation to the OSI model.
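The practical question behind this answer is usually "does this Critical Cyber Asset talk over a routable protocol or not?", and the observable difference is whether the frames on the wire carry a network-layer (layer 3) header with addresses that can be forwarded between networks. The following Python is an added example, not part of the NERC FAQ: it decodes constructed Ethernet frames and reports whether an IPv4 or IPv6 header is present. The sample frames are constructed for illustration, and for simplicity every non-IP EtherType (ARP, LLDP, a raw 802.3 length field, and so on) is treated as non-routable.

```python
# Added example (not from the NERC FAQ): inspect constructed Ethernet frames
# and report whether they carry a routable (OSI layer 3) protocol. A frame
# whose EtherType announces IPv4 or IPv6 carries network-layer addresses and
# can be forwarded between networks; a raw IEEE 802.3/LLC frame carries only
# link-layer (MAC) addresses and cannot leave its segment without a gateway.
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


def parse_ethernet(frame: bytes) -> dict:
    """Split a frame into MAC addresses, EtherType/length field and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {
        "dst_mac": dst.hex(":"),
        "src_mac": src.hex(":"),
        "ethertype": ethertype,
        "payload": frame[14:],
    }


def parse_ipv4(payload: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header (options are ignored)."""
    if len(payload) < 20:
        raise ValueError("payload too short for an IPv4 header")
    ver_ihl, _tos, _total, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", payload[:20]
    )
    if ver_ihl >> 4 != 4:
        raise ValueError("version field is not 4")
    return {
        "src_ip": str(ipaddress.IPv4Address(src)),
        "dst_ip": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "protocol": proto,
    }


def parse_ipv6(payload: bytes) -> dict:
    """Decode the fixed 40-byte IPv6 header."""
    if len(payload) < 40:
        raise ValueError("payload too short for an IPv6 header")
    vtf, _plen, next_hdr, hop_limit, src, dst = struct.unpack("!IHBB16s16s", payload[:40])
    if vtf >> 28 != 6:
        raise ValueError("version field is not 6")
    return {
        "src_ip": str(ipaddress.IPv6Address(src)),
        "dst_ip": str(ipaddress.IPv6Address(dst)),
        "ttl": hop_limit,
        "protocol": next_hdr,
    }


def classify(frame: bytes) -> dict:
    """Return the link-layer view plus, when present, the layer 3 addressing."""
    eth = parse_ethernet(frame)
    result = {"src_mac": eth["src_mac"], "dst_mac": eth["dst_mac"],
              "routable": False, "layer3": None}
    if eth["ethertype"] == ETHERTYPE_IPV4:
        result["routable"] = True
        result["layer3"] = parse_ipv4(eth["payload"])
    elif eth["ethertype"] == ETHERTYPE_IPV6:
        result["routable"] = True
        result["layer3"] = parse_ipv6(eth["payload"])
    # A value of 1500 or below is an IEEE 802.3 length field: the payload is an
    # LLC frame with no network-layer header, so nothing can route it. Any other
    # EtherType (ARP, LLDP, ...) is also treated as non-routable in this example.
    return result


# Constructed sample frames (not real captures).
# 1) IPv4/TCP from 10.0.0.1 to 10.0.0.2: routable.
IPV4_FRAME = (
    bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    + struct.pack("!H", ETHERTYPE_IPV4)
    + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                  ipaddress.IPv4Address("10.0.0.1").packed,
                  ipaddress.IPv4Address("10.0.0.2").packed)
    + bytes(20)  # placeholder TCP header bytes
)
# 2) Raw IEEE 802.3 frame: length field 16, LLC payload, no layer 3 header.
LLC_FRAME = (
    bytes.fromhex("0180c2000000") + bytes.fromhex("66778899aabb")
    + struct.pack("!H", 16) + bytes.fromhex("424203") + bytes(13)
)

if __name__ == "__main__":
    for name, frame in (("ipv4", IPV4_FRAME), ("llc", LLC_FRAME)):
        print(name, classify(frame))
```

Run against a capture from the asset's network segment, the `routable` flag is what decides whether the Electronic Security Perimeter requirements for routable access apply; frames that only ever show MAC addressing fall under the dial-up/non-routable answers below.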
What is a dial-up accessible access under cyber security standard CIP-002-1?
Answer: Dial-up accessible access in the cyber security standard CIP-002-1 refers to any temporary (non-permanent) or not continuously connected communication access to a Critical Cyber Asset from any remote site. Using a modem to connect to a Critical Cyber Asset from one or more locations, or by one or more users, is an example of dial-up accessible access. Access to a Critical Cyber Asset via a permanent communication connection from a specific computer over a dedicated communication circuit would not be considered dial-up accessible access.
If a dial-up connection exists on a Critical Cyber Asset that does not use a routable protocol, can the dial-up access be secured without a Physical Security Perimeter?
Answer: Critical Cyber Assets with dial-up access that does not use a routable protocol must meet the Electronic Security Perimeter requirements for the remote access to that device, but do not require Physical Security Perimeter requirements or a local Electronic Security Perimeter for the Critical Cyber Asset itself. Secure remote access meets the intent of the cyber security standards to provide a minimum level of security.
Are Cyber Assets for a control center or generation control center with monitoring only and no direct remote control required to be protected and secured under the cyber security standard?
Answer: A control center or generation control center that provides critical operating functions and tasks as identified in Cyber Security Standard CIP-002-1 must be protected under the cyber security standard. The monitoring and operating control function includes controls performed automatically, remotely, manually or by voice instruction.
What are the requirements for protecting and securing jointly owned Critical Cyber Assets under the cyber security standard?
Answer: Jointly owned Critical Cyber Assets of Responsible Entities must be protected and secured as if the asset were not jointly owned. The nameplate value of the jointly owned critical assets will be used to identify critical assets as per Cyber Security Standard CIP-002-1 Requirement R1. All Responsible Entities having such joint assets are expected to ensure proper treatment according to the cyber security standard.
Do communication-related Cyber Assets for Critical Cyber Assets require protection under the cyber security standard?
Answer: Communications or communication systems between Electronic Security Perimeters for Critical Cyber Assets do not require the same protection as their associated Critical Cyber Asset. Communications are not covered under this standard because communication links are often leased by the Responsible Entities, and the technologies of existing Cyber Assets do not always support encryption or other possible security alternatives. Asset owners are encouraged, whenever possible, to provide communications or communication systems with the same protection as their associated Critical Cyber Asset.
Are environmental or support systems, such as HVAC or UPS, for Critical Cyber Assets required to be protected in a manner similar to their associated Critical Cyber Asset?
Answer: Environmental or support systems for Critical Cyber Assets do not require the same protection as the associated Critical Cyber Asset, because compliance with all sections of the cyber security standard would affect only availability and reliability while not improving the integrity or information confidentiality of the Critical Cyber Asset. Asset owners are encouraged, whenever possible, to provide environmental or support systems with the same protection as their associated Critical Cyber Asset.