Policy Pulse: NERC CIP-002 Standards Authorization Request - Project 2021-03
By Patrick Miller
NERC’s CIP-002 Project 2021-03 (Phase 2) introduces key updates to improve clarity and consistency in identifying and classifying BES Cyber Systems. The revisions address long-standing ambiguities by clarifying functional entity roles, refining the treatment of communication protocol converters, revising Criterion 1.3 to establish objective criteria for high-impact control centers, and expanding Criterion 2.6 to include control centers operated by Generator Operators and Transmission Owners. These changes aim to eliminate gaps in protection, align risk-based categorizations across all entities, and support more consistent compliance with CIP standards.
Overview
This internal summary outlines the NERC CIP-002 standards initiative’s Phase 2 developments for Project 2021-03. While Phase 1 established the foundational framework for control center classification, Phase 2 addresses remaining ambiguities by refining specific asset definitions and risk-based categorizations. Now, Phase 2 introduces specific component-level enhancements which:
Refine the impact categorization of BES Cyber Systems,
Clarify the role of functional entities, and
Incorporate evolving interpretations to align with current Bulk Electric System (BES) security requirements.
Key Drivers
Inconsistent enforcement and uncertainty in the identification of Protected Cyber Assets (PCA), Electronic Access Control or Monitoring Systems (EACMS), and Physical Access Control Systems (PACS). This inconsistency stems from their reliance on downstream standards like CIP-010, rather than clear primary criteria in CIP-002.
Inconsistent categorization of high, medium, and low impact Bulk Electric System (BES) Cyber Systems has resulted from unclear definitions for certain control centers.
Outdated legacy exclusions, such as those applied to communication protocol converters, no longer reflect modern BES cyber risk or architectural realities.
Discrepancies in impact ratings for control centers have emerged due to uneven application of Attachment 1, Criterion 2.6, across Generator Operator (GOP), Balancing Authority (BA), and Transmission Operator (TOP) functions.
These drivers originate from NERCs June 2025 and 2023 Standard Authorization Requests (SARs), which emphasize the need for improved clarity, consistency, and risk alignment in BES asset categorization.
What is Phase 2?
Phase Two introduces four enhancements to CIP-002: clarifying functional entity roles, addressing protocol converters, updating Criterion 1.3, and improving BES Cyber Asset identification. These aims are to strengthen consistency in classifying Transmission Owner Control Centers and BES Cyber Systems.
Phase 2 Elements
| Component | Proposed Update |
|---|---|
| 1. Functional Entity Clarification (CIP-002 and CIP-014) | Clarifies which entities (e.g., RCs, PCs, TPs) are responsible for identifying and communicating facilities critical to IROLs. |
| 2. Communication Protocol Converters | Adds consideration for protocol converters in Cyber Asset evaluation, given their integral role in network communication. |
| 3. Criterion 1.3 Revision (CIP-002-5.1a) | Restores Criterion 2.6 under Criterion 1.3 to align TOPs with BA and GOP responsibilities regarding IROLs. |
| 4. BES Cyber Asset Identification Enhancements | Improves guidance and consistency for identifying BES Cyber Assets and Systems across organizations. |
Component 1: Functional Entity Clarification
Industry Need
This project provides revisions to CIP-002 and CIP-014 to clarify the responsibility of Reliability Coordinators, Planning Coordinators and Transmission Planners in identifying Facilities that warrant consideration under these Reliability Standards. As it relates to the Transmission Planner and Planning Coordinator functions, the language “critical to the derivation of Interconnection Reliability Operating Limits (IROLs)” should be replaced/updated to appropriately identify Facilities that, if somehow compromised, could significantly impact the reliability of the Bulk Electric System (BES). Additionally this project will review the applicability of Facilities identified by the Reliability Coordinator as critical to the derivation of IROLs to CIP-002 and CIP-014
Purpose and Goal
This element intends to enhance clarity and consistency in how BES Cyber Systems are categorized. The project aims to minimize ambiguity in the standards language, clarify the definition of terms such as "functional equivalence," and provide updated criteria for categorizing assets under CIP-002-5.1a. Its goal is to align categorization with actual BES risk exposure.
Project Scope
The project will review and modify CIP-002-5.1a requirements, definitions, and Attachment 1 criteria related to impact categorization of BES Cyber Systems. Specifically, it will address areas where entities currently interpret requirements inconsistently, to ensure alignment with the original risk-based intent of CIP-002.
Component 2: Communication Protocol Converters
Industry Need
There are inconsistencies across the industry in how communication protocol converters are categorized under CIP-002. Specifically, these devices often exist within Transmission Operator (TOP) Control Centers or data centers and serve as bridges for serial communications with BES Cyber Systems at remote substations. Because they may not fall within two discrete Electronic Security Perimeters, entities interpret their impact differently resulting in under-categorization and gaps in BES reliability protections.
Ambiguities in classifying communication protocol converters may contribute to misidentifying PCA or EACMS assets. When this occurs, it can trigger non-compliance with other CIP requirements tied to those asset types, emphasizing the need for clearer guidance on their treatment under CIP-002.
Purpose and Goal
This project seeks to clarify under CIP-002 when a communication protocol converter qualifies as a BES Cyber Asset, especially in cases where it facilitates system-to-system serial communication between control centers and transmission facilities. The clarification supports more consistent classification of assets that could have a 15-minute operational impact, addressing both technical ambiguity and security concerns.
Project Scope
The drafting team will revise CIP-002 to address how protocol converters between Control Centers and field devices, especially those lacking Electronic Security Perimeters—should be categorized. This includes situations where the converter is owned by a different entity (e.g., within a Wide Area Network) or when its placement bypasses Electronic Access Points. The standard updates will account for associated cyber assets, such as routers and switches, and provide guidance on how these should be addressed by Registered Entities under Appendix 5B of the NERC Rules of Procedure.
Component 3: Criterion 1.3 Revision
Industry Need
There is ambiguity surrounding the application of Criterion 1.3 in Attachment 1 of CIP-002-5.1a. Some control centers may not meet the explicit thresholds of Criterion 2.6 but still perform essential BES functions. This has led to inconsistent interpretations about whether such control centers qualify as high impact, particularly due to reliance on subjective terms like “functional equivalence.”
This lack of clarity has resulted in the uneven classification of control centers across responsible entities, posing a risk to BES reliability by potentially leaving critical facilities outside the scope of required cybersecurity protections.
Inaccurate or inconsistent application of Criterion 1.3 may result in failing to recognize control centers as hosting BES Cyber Systems like PACS or EACMS. Such oversights can lead to broad compliance consequences across multiple CIP standards and asset protections.
Purpose and Goal
The goal of this effort is to review and revise Criterion 1.3 to eliminate vague language and formally implement clear, measurable criteria for identifying High Impact control centers.
Specifically, the project seeks to:
Eliminate or clarify vague references to “functional equivalence” to reduce inconsistent interpretations;
Define objective, quantifiable criteria for classifying control centers as High Impact;
Promote uniform application and enforcement of control center classifications across all Registered Entities.
Project Scope
This project element focuses on reviewing and potentially revising Criterion 1.3 of Attachment 1 to eliminate reliance on vague or subjective terminology, such as "functional equivalence." The scope includes clarifying the language to establish more objective and measurable criteria that support uniform interpretation by both Registered Entities (REs) and Regional Entities (Regional Regulators), ensuring aligned implementation and oversight. This revision is intended to ensure alignment between Criterion 1.3 and related criteria, particularly Criterion 2.6, to promote consistency and strengthen the risk-based identification of high impact control centers.
Inaccurate or inconsistent application of Criterion 1.3 may result in failing to recognize control centers as hosting BES Cyber Systems like PACS or EACMS. Such oversights can lead to broad compliance consequences across multiple CIP standards and asset protections.
Component 4: BES Cyber Asset Identification Enhancements
Industry Need
Criterion 2.6 currently applies only to entities registered as Reliability Coordinators (RC), Transmission Operators (TOP), or Balancing Authorities (BA). However, Generator Operators (GOP) and Transmission Owners (TO) also may operate control centers that can have comparable operational significance to the BES.
Many PACS, PCA, and EACMS assets may remain unidentified despite performing critical functions—such as enforcing access rules at substations or serving as jump hosts for remote access, creating blind spots in CIP compliance. This omission presents a reliability risk, as some key control facilities may not be covered under CIP-002 protection.
Under the SAR, failing to find a PACS, PCA, or EACMS is not strictly a breach of one CIP requirement—but can precipitate breaches of many connected standards. Specifically, there would be 28 requirements and 87 sub-requirements for EACMS, 22 requirements and 63 sub-requirements for PACS, and 14 requirements and 49 sub-requirements for PCA. This distinguishes the building-block character of CIP-002 asset identification and its trickle-down impact throughout the CIP framework.
Purpose and Goal
The project aims to revise Criterion 2.6 to include control centers operated by GOPs and TOs that perform functions equivalent in risk and scope to those currently included.
Objectives include:
Ensuring consistent classification of control centers across all functional roles.
Accurately reflecting modern operational responsibilities that may not align neatly with legacy NERC functional categories.
Enhancing security coverage for critical infrastructure regardless of entity type.
Project Scope
The scope of this project includes reviewing and revising Criterion 2.6 of Attachment 1 to incorporate control centers operated by GOPs and TOs when they perform functions that pose a similar risk to those currently designated under this criterion. This effort aims to ensure uniform application of medium impact designation across all functional roles by defining relevant thresholds or operational responsibilities. The scope is narrowly focused on Criterion 2.6 and does not include changes to other parts of Attachment 1 or the broader CIP-002 standard.
If adopted, these changes would clarify and revise BES Cyber Asset identification by explicitly referencing PCA, EACMS, and PACS in CIP-002, update ambiguous control center classification criteria, remove references to obsolete communication converter exclusions, and align Attachment 1 criteria across TOP, GOP, and BA functions. These updates aim to eliminate interpretive gaps, align compliance obligations across stakeholders, and enforce consistent categorization and protections.
Action Steps
| Immediate Actions | Ongoing Monitoring |
|---|---|
|
• Review the four Phase 2 components and associated SARs, focusing on updated identification criteria and functional roles. • Assess current asset inventories, particularly CPCs and control centers, for alignment with proposed classification changes. • Coordinate with internal teams and clients to raise awareness of potential changes to BES Cyber System categorization. |
• Monitor SBS comments and standard drafting activity through July 9, 2025. • Prepare to interpret finalized changes to Criterion 1.3, CPC treatment, and asset identification guidance. • Track any updates to TFE procedures and internal classification documentation following NERC's official guidance. |
