I’ve been hearing for over a year
about software and security service providers who are moving their platform to
the cloud and either abandoning or deprecating their on-premises solution for
NERC CIP customers. This week, I heard a story from a large NERC entity about their
experience with a software provider whose product they wanted to purchase for
on-premises use. However, before they purchased it, the provider told them they
were moving to the cloud, although they would still be able to offer them a
fully functional on-premises version.

The good news is that the provider
is willing to support them on premises and will include full functionality in
that version. What’s the bad news? The price tag for the software in the cloud
is $80,000, but the price tag for the on-premises version is…drum roll, please…$800,000.
In other words, the provider is willing to support an on-premises version just
for this one customer, but the customer will have to pay the full cost of it.

Of course, the NERC entity
declined the software provider’s offer; they found another on-premises product
to purchase. It doesn’t have all the functionality of the other package, but they
say it will meet their needs.

I’ve heard that, even though this
problem was getting bad one year ago, now it’s getting much worse. What’s even worse
than having to pay $800,000 for an on-premises software product is not being
able to find an on-premises version for any price. I’m sure that’s already
happening now. For example, software for Internal Network Security Monitoring,
which will be required for CIP-015 compliance, will probably never be available
in an on-prem version. Of course, CIP-015 enforcement is more than three years
away and FERC still has not approved the standard yet, so this isn’t an
immediate problem.

Is help on the way? Yes, it is. A
Standards Drafting Team is hard at work considering what will be required,
although they haven’t drafted a single word yet (I don’t blame them for this,
because there are multiple conceptual problems that need to be worked through
before they can even take their first baby step toward a new or revised
standard). I predicted last year that the new or revised standards will be
enforced starting
in 2031, and I see no reason to move that date backwards.

Of course, by 2031 there might not
be any software left to run the BES – at least for NERC entities with medium
and high impact CIP environments – other than MS Excel™. I don’t think we can
wait that long for the problem to be fixed. Do you?

If you are involved with NERC
CIP compliance and would like to discuss issues related to “cloud CIP”, please email
me at tom@tomalrich.com.