Yesterday, the NERC Standards Committee approved a Standards Authorization Request which is meant to lead to a complete “normalization” of cloud use by entities subject to the NERC CIP standards. Even though BES Cyber System Information (BCSI) in the cloud will be “legal” on January 1, 2024, deploying medium or high impact BES Cyber Systems or Electronic Access Control or Monitoring Systems (EACMS) in the cloud is currently all but impossible, if an entity wants to maintain compliance with all the NERC CIP requirements. The new SAR is intended to lead to a new standard or standards (although more than new standards may be required), which will remove these final barriers.
You can find the SAR on pages 56-61 of this agenda package from the meeting. The SAR doesn’t seem to have changed much from when I reviewed it in this post, so I won’t go over the same ground again. It now looks like the earliest the complete fix for the cloud will be in place will be early 2028, and more likely after that; if you think it should come much more quickly, you should make your opinion known through your company, your Region, etc.
I certainly think these changes are long overdue, and the idea that it will take four or more years to implement them – God willing, and the creek don’t rise – is to me quite disappointing.
But much more disappointing is that a current problem that everyone thought would be solved on January 1 is in fact not solved at all. I’m referring to the fact that use of SaaS (software as a service), which is now officially illegal for entities with medium or high impact BES Cyber Systems, but was supposed to be “legal” when BCSI in the cloud becomes allowed on January 1, is now as far away as ever from being approved (I explained the reasons for that sad situation in this post).
I had hoped that the new SAR would include a directive for the standards drafting team to take up this new problem as well, hopefully before their other business. However, the new SAR is silent on the problem. This means there will need to be a new SAR and a new SDT dedicated to just this problem. On its face, it seems to me that it should be able to be fixed with just a few word tweaks, but I’m told that it’s much harder than that. Regardless, it needs to get done, starting with a new SAR.
Since NERC has faced other situations in which it had to deliver a narrowly circumscribed solution to a difficult CIP problem very quickly, I don’t think it’s expecting too much to suggest the revised standard (and really just one requirement) be delivered within one year. At least one new standard was put in place in only three months, although since that standard had to be redrafted soon afterwards, I don’t recommend pushing it that fast. But 6-9 months to have the new standard approved by FERC and ready to implement (no implementation period will be needed) doesn’t strike me as very hard at all.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

I lead the OWASP SBOM Forum. If you would like to join or contribute to our group, please go here, or email me with any questions.