Tuesday, July 26, 2016

Stop Making Sense!

Many of you may know this was the title of a Talking Heads concert film. I thought of it in relation to a conversation I had recently with a CIP compliance professional.

The conversation was about the fact, which I have discussed previously, that NERC CIP is almost indisputably hindering deployment of important technologies on the OT networks of electric utilities. In particular, the subject was the cloud. I pointed out to this person that the literal wording of CIP-004 pretty much precludes using cloud services within an ESP (e.g. SCADA in the cloud).

This person was quite surprised by that statement, and was sure I was wrong. Being an IT person, he had deployed other applications in the cloud with no problem. He pointed out that security shouldn’t be an issue if the cloud vendor could provide an SSAE 16 report attesting to their security controls. He said it just didn’t make sense that the only area where such a report wouldn’t carry any weight would be NERC CIP.

Stroking my chin in a wise fashion (which he didn’t see since he was on the other end of a phone line), I said, “Unfortunately, CIP compliance is based entirely on compliance with the literal wording of the requirements, not on what makes sense.” And this is true! Given the prescriptive nature of the CIP standards (indeed of all NERC standards, although I think a prescriptive format probably makes sense for the other standards like COM and TOP), there is simply no way that an SSAE 16 will overcome the fact that no cloud provider will be willing to comply with the access control requirements of CIP-004. Were CIP-004 to be modified so that an SSAE 16 could be taken as an alternative compliance methodology for those requirements, then that would be one way of dealing with the problem; of course, if someone were to write a SAR for this today, it would still be 3-4 years before that change came into effect.

However, as readers of this blog are hopefully beginning to realize, I see a whole host of problems flowing from the fact that the NERC CIP standards are prescriptive[i]. I am not at all in favor of making any further modifications to the current CIP standards, other than the ongoing effort to draft CIP v7 (which I am trying to assist with, time permitting). I think the next version needs to be a non-prescriptive one, since that is the only type of standards that are sustainable in the long run (in fact, even in the not-so-long run. Were the CIP standards to become non-prescriptive tomorrow, a lot of benefits would immediately be realized. But if we keep with the current format, I strongly believe the whole current edifice of CIP will collapse of its own weight in 3-5 years. The tangible and intangible costs of the current prescriptive format are already too high, and will only continue to grow by leaps and bounds, especially as new areas are covered like supply chain security).

Were a set of non-prescriptive standards to be drafted, there would then be a requirement that read something like "For any providers of outsourced services that have access to BES Cyber System Information, take steps to ensure that appropriate security is applied". It would be up to the entity to demonstrate to the auditor's satisfaction that the cloud provider was secure, using SSAE 16 or some other method (and there would be guidelines associated with the requirement, providing suggestions of what might be acceptable evidence).

Of course, I haven’t so far said exactly what form these non-prescriptive CIP standards should take, because I am still trying to figure that part out.[ii] But I really do need to get moving on that, since there is now an urgent need for it. As I will describe in a new post shortly, the new supply chain security standard will almost certainly only be workable if it is non-prescriptive. And as discussed in my last post, NERC effectively only has about six months to draft that standard. 

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.

[i] With two exceptions, as discussed in this post: CIP-007-6 R3 and CIP-010-2 R4. In addition, as I discussed in this post, the new requirement part for electronic access control for Low impact assets in CIP-004-7 R2 has been initially drafted by the v7 SDT as a non-prescriptive requirement.

[ii] I am also planning on writing a book on this topic with two co-authors. However, when I have a good idea of what form the standards should take I will post it in this blog. I won't wait for the book - which definitely is at least a year away from publication.

No comments:

Post a Comment