Transient Cyber Assets, Removable Media and PRC-005

Author: Jack Jackson

In 2020, NERC’s revision 7 to CIP-003 added protection requirements to the standard for Transient Cyber Assets (TCA) and Removable Media (RM) when connecting to the Bulk Electric System Cyber System (BCS). As protection systems become smarter and more integrated into the control system, it is important to remember that they are more than just protection system devices, they are becoming BES Cyber Assets.

Just to briefly recap, Transient Cyber Assets are Cyber Assets capable of transmitting executable code and not part of the BCS or connected to the BCS for 31 consecutive days or longer. Removable media are not Cyber Assets (cannot execute code) but can store/copy/move data and is also not connected to the BCS for 30 consecutive days or longer.  They have similar protection and documentation requirements to demonstrate that an antivirus/malware scan for the device comes back with a clean scan and its approved for use.

Being a newer part of the standard, there were many questions regarding the scope and applicability of how TCAs/RMs connect to the BCS as well as storage and management of those devices.  The phrase “connected to the BCS” is interpreted as any TCA/RM ‘directly’ connected to any BES Cyber Asset device that is part of a BCS.  This includes programmable protection system devices that qualify as BES Cyber Assets.

For programmable relays with either ethernet or serial ports, any device, such as testing equipment or data extraction devices, using these ports for connection should be treated as a TCA or RM depending on their capabilities.  Obvious devices like laptops or USB drives should be documented as TCA/RM, but other diagnostic equipment will need to be evaluated based on its capability to store and transmit data and code to determine if they are a TCA or RM.

In preparation for the next cycle of protection system maintenance consider the following additional steps to keep the facility compliant:

  • Evaluate protection system devices to determine if they are programmable (Cyber Assets).
  • Mark up drawings identifying devices that are or may be Cyber Assets.
  • Evaluate the diagnostic equipment to determine if it meets the criteria of TCA or RM.
  • Ensure that all TCAs have Bluetooth, Wireless and Internet Access disabled while connected to BCAs.
  • If unable to determine if a device is a Cyber Asset, TCA or RM it’s better to be safe than sorry.
  • Make sure to file the scans of RCA/TM with the CIP-003 documentation and not PRC-005.

The progress of technology is a steady march towards integration.  It’s a good thing with regards to the useful data and analysis that can be performed in real time.  However, it does carry the burden of requiring proper protections as they get smarter.