Wednesday, December 27, 2017

Two Holiday Presents for you – Present Number One

I’m hereby starting a long-standing tradition of writing one or two (or more, if possible) posts around the holiday season containing unadulterated good news. While it certainly isn’t true – as I’m sure a few people believe - that I’m a doom-and-gloom blogger, for whom every glass is half empty, I probably do talk more about disturbing developments (or discoveries I’ve made) than about good stuff. So here’s the first of two attempts to redress the balance a little.

At the December meeting of the NERC CIPC in Atlanta two weeks ago, an important FERC staff member made the statement that – while he in no way speaks for the Commission – he doesn’t believe that FERC will stand in the way of a reasonable effort to make whatever changes need to be made to the CIP standards to allow NERC entities to locate entire BES Cyber Systems in the cloud. In other words, cloud services like outsourced SCADA, whose use has already been embraced by other industries besides electric power, but which haven’t so far been used much by the power industry simply because of concerns about how this would be possible given the current CIP standards, should one day be open to power industry participants.

Let’s review how this concern about CIP and the cloud came about:

  1. There is nothing in CIP-002 R1, which determines which Cyber Assets need to be included in BES Cyber Systems and classifies BCS as Low, Medium and High impact, that says BCS can’t be physically located at cloud providers. However, I – as well as many others – have always believed that, in the case of Medium and High impact BCS, the demands that the entity would need to place on the cloud provider in order to ensure compliance with some of the Medium and High impact requirements, especially CIP-004 R3 to R5, would be such that the cloud provider would never agree to them.
  2. This in itself doesn’t mean that BCS couldn’t be outsourced to the cloud while the current CIP standards are in effect. Whatever you may have heard about NERC auditors always auditing to the letter of the requirement, there are many cases now of practices that are tolerated even though they don’t comply with what is actually written in the requirement[i].
  3. However, the trump card, in my opinion, has always been the fact that NERC and FERC – especially FERC – were fundamentally opposed to the idea that BES Cyber Systems could be outsourced to the cloud. Without their active support for doing this, there would be no formal or informal way to get around the problems posed by certain CIP requirements. With their active support, these CIP problems could be expected to just melt away (see number 2 above).
  4. Where did I get the idea that FERC was opposed to outsourcing BCS to the cloud? Certainly from hearing one or two FERC staff members speak at public meetings (even though they always acknowledged that they don’t speak for the Commission), as well as from interpreting statements made by NERC staff members (especially at the Emerging Technologies roundtable discussion that was held after the June CIPC meeting in San Diego). But the main reason I have always assumed FERC was opposed to this is the fact that I have never heard anyone from FERC say anything different. Until two weeks ago.

This is why, when I wrote a post in March that wrapped up a series of posts on the cloud and CIP, I stated (in bullet point 7 toward the end of the post):

“Regarding the second fundamental question, whether High or Medium impact BCS themselves (not just information about them) can be stored in the cloud, the answer is: Not if you want to have any friends at NERC or your Regional Entity. Regardless of whether this is compliant or not, I know that both NERC and FERC are very much against “real-time operations in the cloud” – as I pointed out in this post in January….”

However, after having heard the statement from the FERC staff member at the CIPC meeting two weeks ago, I can no longer say that outsourcing Medium and High impact BCS to the cloud will never be allowed by NERC and FERC. On the other hand, if I were you I wouldn’t rush out tomorrow and outsource all your Medium and High BCS to the cloud[ii]. NERC will need to offer some sort of guidance document that will make clear both what is allowed in this regard and what kind of evidence will be required from the cloud provider in order for a CIP potential violation not to be identified.

But at least this is a good step in the right direction.

The views and opinions expressed here are my own, and do not reflect those of any organization I work with. If you would like to comment on what you have read here, I would love to hear from you. Please email me at

[i] For example, almost every NERC entity – and NERC auditor – will tell you that Attachment 1 of CIP-002 exists to classify assets like substations, generating plants, etc. as High, Medium or Low impact. But a plain reading of Attachment 1 leaves little doubt that what is being classified are BES Cyber Systems, not the assets themselves. Moreover, Attachment 1 makes clear that Medium BCS can be found at other locations than the asset they are located at (an unfortunate side effect of which I recently discussed in this post). This means that an entity with Medium impact assets (there, I’ve just committed the same sin!) in theory needs to look all through their system to find the BCS associated with a particular Medium asset (especially Medium control centers). Yet I strongly doubt any NERC entity has ever received a PNC for not doing this, or ever will for that matter. It is a settled practice now that NERC entities only need to look for BCS associated with a Medium or High impact asset at the asset itself, nowhere else.

[ii] Low impact BCS are another story. Given that the only CIP requirement that applies to them is CIP-003 R2, and given that there is nothing in that requirement that isn’t already being done in spades by every cloud provider, I don’t see anything in CIP now that should prevent Low BCS from being outsourced to the cloud. However, as with all questions about CIP requirements, you should talk with your NERC Regional Entity before doing this.

No comments:

Post a Comment