Part of Grid Network »
Grid Professionals Group
The Grid Professionals Group covers electric current from its transmission step down to each customer's home.
Post
Now I understand the useful purpose of Consequence-driven Cyber-informed Engineering (CCE)
image credit: Unsplash author
Consequence-driven Cyber-informed Engineering (CCE) is a methodology focused on securing the nation's critical infrastructure (CI) systems. In the past, I questioned the usefulness of this methodology and how it fits within the grand scheme of all the other methods, standards and practices, such as NERC CIP. After reading the CCE patent, I can now say – I get it.
To really understand the useful role CCE can perform to help protect the electric grid you must understand how “risk” is determined today in the Bulk Electric System – this is where we need to look, deeply into the NERC CIP standards. CIP-002 provides the clearest explanation of how the NERC 15-minute rule is applied when deciding which “BES Cyber Assets” need to be protected: “BES Cyber Assets are those Cyber Assets that, if rendered unavailable, degraded, or misused, would adversely impact the reliable operation of the BES within 15 minutes of the activation or exercise of the compromise.”
NERC CIP-002 is one of the most important CIP standards as it identifies which resources/assets are subject to NERC CIP regulations. Assets that do not qualify as a BES Cyber Asset, due to the 15-minute rule are not subject to NERC CIP standards. So, if a cyber incident were to occur and the grid impact occurs 20 minutes after the incursion begins, then the affected asset is NOT A BES Cyber Asset and is not subject to the NERC CIP regulations. The impact could be a total grid blackout, but the 15-minute rule would not require taking CIP standards action to protect the asset, because of the impact occurs at the 20-minute mark.
Consequence-driven Cyber-informed Engineering (CCE) represents a much more practical approach to helping identify those assets that need to be protected because of the potential impact that could occur from a cyber incident, or any other cause leading to impactful consequences on business operations.
It’s now clear to me that the NERC CIP method for identifying BES Cyber Assets should be replaced with the INL CCE method in order to identify those assets that deserve the most protection in order to prevent the most consequential impacts of a cyber-attack or other root cause, regardless of the “15 minute rule”.
Discussions
No discussions yet. Start a discussion below.
Thank Richard for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member
- Trip Report ISO New England Consumer Liaison Group Meeting Portsmouth NH
- The PJM Board of Managers has directed PJM to seek delay of the upcoming capacity market auctions
- CISA director urges top business leaders, board members to take cyber risk ownership
- Not ‘sick or dying or dead’: The great benefit of RTOs
Get Published - Build a Following
The Energy Central Power Industry Network® is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.
If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.
Your access to Member Features is limited.
Sign in to Participate