How Do I Define a Cyber Security Asset?

If your electric utility company is preparing for an audit, or if you are otherwise seeking to take steps toward compliance with NERC’s Security and Reliability Standards, you are most likely wondering, “How do I define a cyber security asset?” This can be a tricky question to answer as you navigate the many regulations of the industry, which are regularly updated to adjust to the changing needs of bulk power systems in North America. There are a few things to consider as you figure out how to define cyber security assets.

First, you should look at NERC’s comprehensive document, “Security Guideline for the Electricity Sector: Identifying Critical Cyber Assets.” This guideline will help you as you work toward creating a list of Critical Cyber Assets, which are the devices, software, and data described in the NERC glossary as “essential to the reliable operation of Critical Assets.” The security of your critical assets is essential for the operability of the Bulk Electric System.

The guideline lays out five basic steps for how to define a cyber security asset:shutterstock_159902675

  1. Identify Cyber Assets Associated with a Critical Asset. A responsible entity should inventory and evaluate cyber assets in order to identify those that might impact any of their critical assets. Cyber assets to consider include, but are not limited to:

    • Control systems

    • Data acquisition systems

    • Networking equipment

    • Hardware platforms for virtual machines or storage

    • Secondary or supporting systems such as virus scanners, HVAC systems, and uninterruptible power supplies (UPS)


  1. Group Cyber Assets. In order to simplify the process of cyber security asset definition, you can group your cyber assets according to various functions and characteristics. One category might include cyber assets that communicate with a particular software. Other examples would be groups based on functions that support specific critical assets.


  1. Determine Cyber Assets Which are Essential. Evaluate an asset’s impact on critical assets according to the following criteria:

    • Is it essential to the reliable operation of a critical asset?

    • Does it display, transfer, or contain information necessary for real-time operational decisions?

    • Would its loss, degradation, or compromise affect the reliability or operability of the bulk power system?


  1. Identify Cyber Assets with Qualifying Connectivity. According to standard CIP-002 R3, cyber assets that meet any of the following requirements are “critical”:

    • It uses a routable protocol to communicate outside the Electronic Security Perimeter (ESP).

    • It uses a routable protocol within a Control Center.

    • It is dial-up accessible.


  1. Compile the List of Critical Cyber Assets. Once you have evaluated your cyber assets and determined which of those are essential to the security of your critical assets, you must document them in a list in order to comply with NERC-CIP standards.


Beyond the Question, “How Do I Define a Cyber Security Asset?”

When it comes to your critical cyber assets, knowing is half the battle. Keeping up with regulations can be challenging, but with the right software for monitoring and reporting compliance-related incidents, you can be confident that your operations are reliable and secure. Versify Solutions offers a comprehensive software suite for managing your data and assets, including Versify’s Portal Compliance, a program that ensures your compliance with NERC standards

Contact Versify today to arrange a full capabilities demonstration, and learn more about how Versify can help you identify your critical cyber assets.