There is a need to revise CIP language
to clarify “programmable” due to differences between the current
NERC CIP definition of Cyber Asset, the language in Section 215 of
the Energy Policy Act of 2005 that discusses Cyber Assets as
Electronic Programmable Devices, and commonly understood security
standards and definitions of computers or cyber devices.

There is a perception that the
particular wording of “Cyber Asset” is a deliberate,
well-thought-out, and legally binding definition. However, there are
multiple inconsistencies between NERC CIP Standards, the Energy
Policy Act, and FERC Orders which have not been legally challenged
and have not prevented progress from being made on security
standards. This being so, there is no practical benefit in objecting
to modifications based on a presumption of precision in the original
wording.

These varying definitions have caused
some confusion in categorizing Cyber Assets as in-scope. There may be
gains to be achieved by modifying the definition to be more
consistent both internally and with cross-sector IT security
practices that are more technically in line with the way devices are
designed by vendors and intended to be operated. When the parsing of
the grammar becomes too circular, the utility of the definition is
lost. The main goal of NERC CIP standards MUST be the usefulness of the
standard.

Some commenters have made the point
that NIST does not use the term “Cyber Asset” and recommend using
the term “computer”. However, “computer” also has
connotations of server/workstation to many people and is not
inclusive of other information processing devices such as network and
security appliances, cyber-physical industrial control system
devices, etc. “Cyber Asset” is a workable, comprehensible and
inclusive term that provides benefit to the security discussion and
therefore should be retained.

Cyber Assets are platforms which can
accept variable sets of encoded instructions known as operating
systems and software programs. They use these instructions to
manipulate data inputs to create outputs in the form of processed
data or, in the case of Cyber-Physical devices, control signals. This
programming is stored in either volatile or non-volatile memory, and
may reside in the device or on other devices in the overall Cyber
System that provides storage services to the device.

Conversely, dedicated devices which
perform a function defined purely by the physical configuration of
the device (DIP switches, jumper connectors, or EEPROM) and not in a
changeable, encoded set of logic-based instructions are not generally
considered to be Cyber Assets, but rather microprocessors. The
modification of that dedicated function (control plane logic) is not
programmable via a human or network-accessible communications
interface (management plane) that can be interacted with logically by
other Cyber Assets. Re-programming requires physical modifications to
the microprocessor device, often by a vendor technician at a factory
using tools that change the physical or electrical properties of the
device. These devices are not in any practical way “programmable”
by the user, and the risk of them being re-programmed maliciously or
covertly is mitigated by physical access controls.

Additionally, devices which have a
stored firmware not accessible unless installed in another device
(such as but not limited to internal/external hard drives, flash
drives, Ethernet or wireless NIC cards or USB, security dongles,
serial adapters, etc.) are not Cyber Assets in themselves because
they are not capable of being re-programmed or executing code without
being installed (permanently or temporarily) in a Cyber Asset. These
types of devices are peripheral components of a Cyber Asset or
removable media. While these devices may pose a risk of carrying
malware, the means of mitigating that risk is separately covered by
removable media controls and supply chain requirements.