A recent post has stirred some good comments. This is my third of three posts inspired by those comments.
In a recent post I stated “I happen to think that most if not all of the RE’s (i.e. Regional Entities) will be open to entities that want to utilize the cloud (as they have been to entities implementing virtualization in the ESP).” In stating this, I forgot there are two primary ways that a NERC entity could utilize the cloud in their CIP environments; they both raise CIP concerns, but one much more so than the other. One would be to store BES Cyber System Information in the cloud, but the other is to “outsource” actual BES Cyber Systems to the cloud, e.g. with cloud-based SCADA.
An auditor who has contributed to many of my posts immediately pointed out to me that the second of these ways of utilizing the cloud is very problematic, to say the least. To quote his email, “Don't think for a moment that the Regions embrace the idea of using the cloud for real-time operations.” He explains that putting BES Cyber Systems in the cloud "is excessively risky with too many unknowns.” He clearly isn’t too wild about storing BCSI in the cloud, either, but he thinks the risks are much less in that case[i]. So if you’re thinking of outsourcing your SCADA or other BCS to the cloud (for High or Medium impact assets), you should definitely check with your region to see how they feel about this before moving forward.
I do want to add that I heard Dave Norton of FERC say almost the same thing two years ago at a TCIPG conference at the University of Illinois. He said that any systems used for BES “command and control” should never be put in the cloud. Of course, Dave wasn’t speaking at the time about CIP compliance at all, and he certainly wasn’t speaking for the Commission; he was stating his opinion as a respected ICS security professional. But Dave does happen to know a thing or two about CIP. He wrote the SAR for CIP version 1, and he served on the drafting teams for CIP versions 1 through 5. It is very safe to assume that when he is talking about “BES command and control systems”, BCS will be a clear subset of those.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] I have recently heard other information to the effect that even storing BCSI in the cloud may not be acceptable to NERC and FERC. So I need to temper the optimism I showed in the previous post; it is possible that no use of the cloud will pass muster. The moral of this story: Don’t put either BCSI or BCS into the cloud without first discussing it with your region. And if NERC actually does put out a guidance document, you should consider that carefully – but also keep in mind that NERC is not the ultimate authority on what is or isn’t going to be permitted in CIP.