In my most recent post I stated that I thought cloud storage of BES Cyber System Information was permitted by NERC CIP v5 and v6, and quoted a CIP auditor on what NERC entities (with High and/or Medium impact assets) needed to do to remain compliant with CIP if they do this.
The next day I received an email from Judy Koski of Tucson Electric Power, a NERC compliance professional I have known for many years. She pointed out “You have left out any mention of encrypted BCSI in the cloud. If the information is encrypted in storage, the third party supplier does not have access, except to very limited personnel. Does this not solve the problem?”
I immediately sent this question to the auditor who contributed to the previous post, and he quickly replied “I would argue that it is BCSI[i] and that the CIP-011-2 requirement to protect that information is achieved, in part, by encryption of the data at rest, what P1.2 refers to as in storage. The fact that it is encrypted does not change the fact that the data is information about BCS. So, yes, the other Requirements/Parts still apply.”
Since this auditor won’t ever use two words where one will suffice, I will “decrypt” his statement. He first points out that CIP-011-2 R1.2 requires the entity’s Information Protection Plan to include “Procedure(s) for protecting and securely handling BES Cyber System Information, including storage, transit, and use.” He agrees that encryption of BCSI while at rest at the cloud provider (or other third party) addresses the “storage” side of this, but that entities must also protect BCSI in transit and in use (of course, not necessarily with encryption, since there are many other ways to do this).
In addition to addressing the “transit” and “use” aspects of the above requirement, the auditor also pointed out that the three other requirement parts, included in a numbered list in my last post, still need to be complied with. Encryption won’t help with any of these, so you still have to address each of them.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.
[i] In my email to the auditor, I had speculated that perhaps the encrypted data wouldn’t be BSCI at all, since the definition of BCSI includes the statement “BES Cyber System Information does not include individual pieces of information that by themselves do not pose a threat or could not be used to allow unauthorized access to BES Cyber Systems…” I reasoned that encryption meant the information couldn’t be used to allow unauthorized access to BCS. The auditor rightly pointed out that it’s still BCSI even though it’s encrypted. The encryption is one control that can be used to block unauthorized access.