Up until last summer, I frequently said something to the effect that there’s no good reason – other than the current wording of CIP-004 – why NERC entities shouldn’t be able to store information about their OT systems in the cloud. After all, I reasoned, there isn’t a single electric utility organization, no matter how large, whose level of security isn’t far surpassed by that of any major cloud provider. How could it possibly be otherwise, since cloud providers have to protect thousands of customers and a utility only has to protect itself? The fact that no major cloud breach had been reported at the time was all the evidence I needed for my position.
Another consideration that reinforced my thinking: FedRAMP is much more stringent than NERC CIP or any other cyber regulation that most industries have to deal with (probably including the U.S. military and the U.S. nuclear industry). If a cloud service provider has that certification (and the big ones all do), what could possibly go wrong?
The answer to that question came when the Capital One breach was revealed last summer to be the work of a former AWS employee who had been able to penetrate at least 30 companies’ environments on Amazon’s cloud – and had bragged online about how no Amazon customer had a particular service configured correctly. This pointed to a big vulnerability at Amazon that was going to require a big effort by Amazon – and also by their customers, although much more by Amazon itself – to fix. And it’s a vulnerability that I’m sure FedRAMP doesn’t address now.
However, I have to admit that I continued to believe that the cloud was far safer than any single utility, once AWS and its competitors got the problems that led to Capital One and Paige Thompson taken care of. But now there are two more news stories that have definitely left me wondering about this. This is because both of these stories show that there actually can be cloud-based attacks that impact multiple customers at once – the dreaded common-mode vulnerability.
One of those stories was by Rob Barry and Dustin Volz in today’s Wall Street Journal (note: the link goes to a non-paywall version of the article, but Rob is worried that may not always be available. Here is a link to a PDF of the article on Rob’s personal web site, in case that happens). In the article, the reporters describe in great detail how Chinese attackers conducted a long-term campaign to infiltrate cloud providers and hop from one customer’s cloud environment to many others’ – all the while stealing terabytes of valuable data. This was something I always believed was impossible. Even Paige Thompson didn’t do this – she attacked each of her victims individually, going through the firewalls (which were their responsibility, not AWS’s, of course) in front of their AWS environments. Ever efficient and resourceful, the Chinese seem to have leapfrogged over what she could do.
The other story was forwarded to me about a month ago by Kevin Perry, retired former Chief CIP Auditor of SPP Regional Entity. This one describes how some cloud-based service providers[i], and managed service providers utilizing the cloud as their computing environment (which I would imagine just about all MSPs do now, given how much more efficient that makes them), have become infected with ransomware and have spread it to their customers.
Kevin pointed out in an email: “Purportedly, the group of schools hit earlier this year in Texas were attacked through their MSP.” This is quite interesting: a number of members of one particular “industry” (education in this instance) were all attacked through their cloud-based MSP. What would happen if you just substituted “utilities” for “schools” in Kevin’s statement (and maybe “the US” for “Texas”)?
Of course, the mitigation for the Paige Thompson case, and for these latest two stories, is encrypting the data being stored in the cloud – encrypted so that the keys are held by the entity and not exposed to whoever compromises the cloud environment, since an attacker who can reach both the data and the keys gains nothing from the encryption – and the BCSI Access Management standards drafting team is making that the centerpiece[ii] of their revisions to CIP-011 and CIP-004. These will, when enacted, hopefully allow NERC entities to feel safe storing BES Cyber System Information in the cloud (which a number of entities are already doing today).
However, the recent NERC CIPC meeting also made clear that not everybody in the CIP community agrees with the SDT’s approach – some would like more consideration given to using FedRAMP (or possibly other certifications) as the standard for evidence of the security of a cloud provider. If one of those people wishes to state their position to me, I’ll be glad to publish it, even without mentioning their name.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, remains open to NERC entities and vendors of hardware or software components for BES Cyber Systems. To discuss this, you can email me at the same address.
[i] Which isn’t the same thing as a cloud service provider, of course. We’re not talking about MS Azure and AWS here.
[ii] Actually, when John Hansen of Exelon, the chairman of this SDT, spoke to the recent NERC CIPC meeting in Atlanta a few weeks ago, he made clear that they’re not requiring encryption per se, but any means of masking the data so that it’s only readable by users equipped with a software key. The new CIP-011 includes a requirement for protection of those keys, which of course is “key” (OK, bad joke) to the success of this effort: masked data is only as well protected as the keys that unmask it. You can read their current first draft here.