Combined Cycle Solutions

Power Plant Consulting Blog

NERC BES Cyber System Categorization

NERC’s CIP-002-5.1a requires functional entities to identify and categorize their BES cyber systems and associated BES cyber assets.


  • List all Cyber Assets which may impact operation of the Bulk Electrical System (BES). A Cyber Asset is any programmable device that includes the hardware, software, and data on that device. Programmable relays, programmable AVR’s, PLC’s, etc. fall into this; not just the plant’s DCS.
  • Identify all BES Cyber Assets on the above list. The NERC BES Cyber Asset definition is too lengthy for this post, so paraphrasing the criteria into two questions yields:

Does the device’s function affect the reliable operation of a BES asset?

Is the impact within 15 minutes or less?

If you answered ‘yes’ to both of the above questions, this is a BES Cyber Asset.

Group identified BES Cyber Assets into one or more BES Cyber Systems. A BES Cyber System is “One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.”

For example, most or all of the Distributed Control System (DCS) cyber assets could be logically grouped into one BES Cyber System. A generator AVR may be its own BES Cyber System.

Categorize The Remaining, Associated Cyber Assets As Follows:

Electronic Access Control or Monitoring Systems: “Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems.”

Physical Access Control Systems: “Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers.”

Protected Cyber Assets:“One or more Cyber Assets connected using a routable protocol within or on an Electronic Security Perimeter that is not part of the highest impact BES Cyber System within the same Electronic Security Perimeter. The impact rating of Protected Cyber Assets is equal to the highest rated BES Cyber System in the same ESP.”

A PI server which resides inside the ESP is an example if it contains no other functions which could interfere with the BES operation within 15 minutes. Printers and switches are also examples.

The Guidelines and Technical Basis section in CIP-002-5.1a includes a list of ‘Services’ which will aid you in identifying BES Cyber Assets.

Categorize all identified BES cyber systems into high, medium, or low impact. The criteria is based upon the type of facility’s type, ratings, functional obligations, and/or any special designations (Adverse Reliability Impact, IROL’s, etc). See Attachment 1 of CIP-002-5.1a.

Ensure all of the above are on electronic or physical lists.

Review, update, and approve every 15 calendar months.

Combined Cycle Solutions offers NERC compliance consulting solutions for CIP and PRC standards compliance. Services include plan development, training, and auditing for all of the above.