I’m hereby starting a long-standing tradition of writing one or two (or more, if possible) posts around the holiday season containing unadulterated good news. While it certainly isn’t true – as I’m sure a few people believe – that I’m a doom-and-gloom blogger, for whom every glass is half empty, I probably do talk more about disturbing developments (or discoveries I’ve made) than about good stuff. So here’s the first of two attempts to redress the balance a little.
At the December meeting of the NERC CIPC in Atlanta two weeks ago, an important FERC staff member made the statement that – while he in no way speaks for the Commission – he doesn’t believe that FERC will stand in the way of a reasonable effort to make whatever changes need to be made to the CIP standards to allow NERC entities to locate entire BES Cyber Systems in the cloud. In other words, cloud services like outsourced SCADA, whose use has already been embraced by other industries besides electric power, but which haven’t so far been used much by the power industry simply because of concerns about how this would be possible given the current CIP standards, should one day be open to power industry participants.
Let’s review how this concern about CIP and the cloud came about:
- There is nothing in CIP-002 R1, which determines which Cyber Assets need to be included in BES Cyber Systems and classifies BCS as Low, Medium and High impact, that says BCS can’t be physically located at cloud providers. However, I – as well as many others – have always believed that, in the case of Medium and High impact BCS, the demands that the entity would need to place on the cloud provider in order to ensure compliance with some of the Medium and High impact requirements, especially CIP-004 R3 to R5, would be such that the cloud provider would never agree to them.
- This in itself doesn’t mean that BCS couldn’t be outsourced to the cloud while the current CIP standards are in effect. Whatever you may have heard about NERC auditors always auditing to the letter of the requirement, there are many cases now of practices that are tolerated even though they don’t comply with what is actually written in the requirement[i].
- However, the trump card, in my opinion, has always been the fact that NERC and FERC – especially FERC – were fundamentally opposed to the idea that BES Cyber Systems could be outsourced to the cloud. Without their active support for doing this, there would be no formal or informal way to get around the problems posed by certain CIP requirements. With their active support, these CIP problems could be expected to just melt away (see the second bullet above).
- Where did I get the idea that FERC was opposed to outsourcing BCS to the cloud? Certainly from hearing one or two FERC staff members speak at public meetings (even though they always acknowledged that they don’t speak for the Commission), as well as from interpreting statements made by NERC staff members (especially at the Emerging Technologies roundtable discussion that was held after the June CIPC meeting in San Diego). But the main reason I have always assumed FERC was opposed to this is the fact that I have never heard anyone from FERC say anything different. Until two weeks ago.
This is why, when I wrote a post in March that wrapped up a series of posts on the cloud and CIP, I stated (in bullet point 7 toward the end of the post):

“Regarding the second fundamental question, whether High or Medium impact BCS themselves (not just information about them) can be stored in the cloud, the answer is: Not if you want to have any friends at NERC or your Regional Entity. Regardless of whether this is compliant or not, I know that both NERC and FERC are very much against ‘real-time operations in the cloud’ – as I pointed out in this post in January….”
However, after having heard the statement from the FERC staff member at the CIPC meeting two weeks ago, I can no longer say that outsourcing Medium and High impact BCS to the cloud will never be allowed by NERC and FERC. On the other hand, if I were you I wouldn’t rush out tomorrow and outsource all your Medium and High BCS to the cloud[ii]. NERC will need to offer some sort of guidance document that will make clear both what is allowed in this regard and what kind of evidence will be required from the cloud provider in order for a CIP potential violation not to be identified.

But at least this is a good step in the right direction.
The views and opinions expressed here are my own, and do not reflect those of any organization I work with. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] For example, almost every NERC entity – and NERC auditor – will tell you that Attachment 1 of CIP-002 exists to classify assets like substations, generating plants, etc. as High, Medium or Low impact. But a plain reading of Attachment 1 leaves little doubt that what is being classified are BES Cyber Systems, not the assets themselves. Moreover, Attachment 1 makes clear that Medium BCS can be found at other locations than the asset they are associated with (an unfortunate side effect of which I recently discussed in this post). This means that an entity with Medium impact assets (there, I’ve just committed the same sin!) in theory needs to look all through their system to find the BCS associated with a particular Medium asset (especially Medium control centers). Yet I strongly doubt any NERC entity has ever received a PNC for not doing this, or ever will for that matter. It is a settled practice now that NERC entities only need to look for BCS associated with a Medium or High impact asset at the asset itself, nowhere else.
[ii] Low impact BCS are another story. Given that the only CIP requirement that applies to them is CIP-003 R2, and given that there is nothing in that requirement that isn’t already being done in spades by every cloud provider, I don’t see anything in CIP now that should prevent Low BCS from being outsourced to the cloud. However, as with all questions about CIP requirements, you should talk with your NERC Regional Entity before doing this.