I’ve mentioned many times that last year a new NERC Standards Drafting Team started the long process of developing new or revised CIP standards to make full use of the cloud completely “legal” for systems and information subject to NERC CIP compliance. This is the second SDT that has addressed the cloud problem, in whole or in part. In 2019, a similar team started meeting to draft changes to multiple CIP standards that would enable BES Cyber System Information (BCSI) to be stored in the cloud, as long as it was appropriately protected and “securely handled”.
I wrote about that drafting team in this post in 2020. The team ultimately produced two revised CIP standards, CIP-004-7 and CIP-011-3; these came into effect on January 1, 2024. When I wrote the post in 2020 and when the standards came into effect, I thought they were perfect for what they were intended to do: require logical (as opposed to physical) protection for BCSI stored in the cloud. This change was needed to make it possible for a NERC entity to store BCSI in the cloud without falling out of compliance with the CIP standards.
That drafting team was constituted to solve a problem caused by a requirement part (in the then-current CIP-004-6) that mandated physical protection for servers in which BCSI might be stored, if these servers were outside the NERC entity’s Physical Security Perimeter (PSP). Of course, any requirement to protect information by applying special physical protection to the individual devices it’s stored on won’t work in the cloud. In the cloud, information moves constantly from server to server and data center to data center; this is required by the cloud business model.
When that drafting team first met, there wasn’t much disagreement about what they needed to do: remove the requirement for special physical protection of BCSI stored outside of a PSP and replace it with a requirement that allowed BCSI to be logically protected instead. In other words, the revised CIP standards would allow NERC entities to protect BCSI at rest or in transit by encrypting it (other methods of protecting the data are permitted, but it’s likely that encryption will almost always be the option of choice). If someone can access the encrypted data but they don’t have the keys needed to decrypt it, they obviously don’t really have “access” to the data.
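The logical-protection model described above, shown in code as an added example; this is not from the post, from NERC, or from any CIP guidance document. It assumes AES-256-GCM (authenticated encryption), a key generated and held by the NERC entity (here simulated by a locally generated key; in practice an HSM or customer-managed KMS), and a constructed sample BCSI record. The cloud or SaaS side receives only the ciphertext envelope, never the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample: a fragment of what a BES Cyber System Information
// record might look like. Hypothetical values, not from any real entity.
const sampleBCSI = `{"asset":"substation-rtu-07","mgmt_ip":"10.20.30.40","role":"BES Cyber Asset"}`

// Envelope is what is handed to the cloud/SaaS side: ciphertext plus nonce.
// The key is deliberately NOT part of the envelope.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a random 256-bit key. In practice this would live in an
// HSM or customer-managed KMS under the NERC entity's control.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Protect encrypts and authenticates bcsi with AES-256-GCM. label is bound
// as associated data so a ciphertext cannot be silently re-used under a
// different record identifier.
func Protect(key []byte, label string, bcsi []byte) (Envelope, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, bcsi, []byte(label))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Unprotect reverses Protect. It fails if the key is wrong, the label differs,
// or a single bit of the stored envelope has been altered.
func Unprotect(key []byte, label string, env Envelope) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(label))
	if err != nil {
		return nil, errors.New("authentication failed: wrong key, wrong label, or modified data")
	}
	return pt, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, _ := NewKey()
	env, _ := Protect(key, "rtu-07/config", []byte(sampleBCSI))
	fmt.Printf("stored in cloud: %d ciphertext bytes, no key\n", len(env.Ciphertext))

	// Holder of the envelope but not the entity's key: decryption cannot succeed.
	otherKey, _ := NewKey()
	if _, err := Unprotect(otherKey, "rtu-07/config", env); err != nil {
		fmt.Println("without the entity's key:", err)
	}

	// Tampering with the stored ciphertext is detected, not silently accepted.
	tampered := env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	if _, err := Unprotect(key, "rtu-07/config", tampered); err != nil {
		fmt.Println("tampered envelope:", err)
	}

	pt, _ := Unprotect(key, "rtu-07/config", env)
	fmt.Println("with the entity's key:", string(pt))
}
```

Two points the example makes concrete for a compliance reviewer: the “no keys, no access” argument depends on who holds the key, so evidence should show that key custody stays with the entity rather than the SaaS provider; and authenticated encryption adds integrity to confidentiality, so a modified record is rejected rather than decrypted to garbage.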
It seemed to me that CIP-004-7 and CIP-011-3 were just what the doctor ordered. Therefore, starting in January 2024 I expected to see lots of BCSI moving to the cloud. However, it turns out that the drafting team – and a lot of other people like me – didn’t recognize that merely storing BCSI in the cloud isn’t much of a use case. BCSI is never voluminous, so it can easily be stored within the on-premises ESP and PSP, where it’s very well protected and easily backed up. In itself, cloud storage of BCSI doesn’t solve a problem.
It turns out that the real problem was that the previous requirement for physically protecting BCSI prevented NERC entities from using SaaS that required access to BCSI – especially online configuration and network management applications. After all, SaaS applications never reside in a defined physical location in the cloud, any more than data does. Since BCSI had to be confined to particular physical locations with special protection, cloud-based SaaS could never use BCSI without putting the NERC entity into a position of non-compliance, even if the BCSI was encrypted. This was unfortunate, since there wasn’t much argument that encryption provides a much higher level of data security than just preventing unauthorized physical access.
Thus, I expected there would be a big surge in use of SaaS applications that utilize BCSI when the two revised CIP standards came into effect on New Year’s Day 2024. Yet as far as I know – i.e., relying on statements made by NERC entities and SaaS providers – today (more than one year later) there is literally zero use of SaaS by NERC entities with high or medium impact CIP environments.
Why is this the case? The answer is simple: ask yourself when you last saw guidance (or at least guidelines) from NERC or any of the NERC Regions on use of BCSI in the cloud… You’re right, no official guidance has yet been published since the two standards came into effect.[i] In fact, I’ve seen close to nothing written by non-official sources, other than my blog posts.
And NERC entities aren’t the only organizations that need guidance on complying with CIP-004-7 and CIP-011-3. The SaaS provider needs to furnish their NERC CIP customers with some simple compliance documentation; there’s been no official guidance on that, either.
However, the group that I feel sorriest for isn’t the NERC entities or the SaaS providers – it’s the drafting team members. How would you feel if you’d dedicated a good part of a couple of years of your life to making some changes to the CIP standards, yet it turns out that those changes aren’t being used at all, more than one year after they came into effect? This shows that just drafting new or revised CIP standards and getting them approved by NERC and FERC isn’t enough. NERC entities need to clearly understand what they need to do to comply. Moreover, they also need to understand what compliance evidence to require from third parties – in this case, SaaS providers.
This is an especially good lesson for the members of the current CIP/cloud drafting team. They already have a long road ahead of them. If they reach the end of that road and find that the NERC community is rushing to make full use of the cloud, that will be a great feeling. On the other hand, if they come to the end of their road and realize that few NERC entities are even trying to use the cloud in their OT environments – because the new standards are too complicated or because nobody has made an effort to explain them to the community – how do you think they’ll feel? I know how I would feel…
If you are involved with NERC CIP compliance and would like to discuss issues related to “CIP in the cloud”, please email me at tom@tomalrich.com.