In a recent post, I described a document that was recently emailed to the “Plus list” for the NERC Standards Drafting Team (SDT) that is working on removing the barriers to full use of the cloud by NERC entities subject to CIP compliance. The well-written document, which has no official status, is a “discussion draft” of a new standard: CIP-016.
Like the existing NERC Reliability Standards, the document includes a set of suggested requirements, each of which loosely corresponds to one of the current CIP standards. The author of this document assumes that CIP-016 will apply only to systems deployed in the cloud. On-premises systems will continue to be required to comply with standards CIP-002 through CIP-014, but those standards will now be understood not to apply to the use of the cloud by those systems.
The suggested requirement that refers to CIP-013 reads, “The Responsible Entity shall perform risk assessments of cloud providers...This includes ensuring that all cloud providers comply with relevant security standards (e.g., SOC 2, FedRAMP).”
In other words, to comply with this suggested requirement, the NERC entity will need to:
1. Perform a risk assessment of each cloud (service) provider, which presumably includes their platform CSP (e.g., AWS or Azure); and
2. “Ensure” that they comply with “security standards” like SOC 2 and FedRAMP. Neither of those is a security standard (SOC 2 is an attestation report against the AICPA Trust Services Criteria, and FedRAMP is a federal authorization program), so I’ll take the liberty of replacing those two names with “ISO 27001”, which definitely is a security standard.
In fact, these two “sub-requirements” are the same. This is because a risk assessment always needs to ascertain the subject’s compliance with a defined grouping of risks, or of controls that address those risks. In some cases, that grouping is called a standard; in others, it’s called a framework. Let’s say the NERC entity decides to assess the CSP based on ISO 27001. How are they going to do this?
One way for a NERC entity to assess a CSP based on ISO 27001 is to conduct a full audit; of course, the audit would need to (at least in principle) cover all the CSP’s data centers and systems. Is it likely that AWS or Azure would allow every NERC CIP customer to do this on their own, or that those customers, no matter how large, would have the resources to conduct this audit? Of course not.
The only realistic way for a NERC entity to perform a risk assessment of a CSP, based on ISO 27001 or any other true security standard, is to review the audit report and identify risks revealed in the report. Note that an ISO 27001 certificate by itself shows only that the CSP passed; the findings that matter are in the auditor’s report and the Statement of Applicability, which CSPs generally release only under NDA, if at all. For example, if the report noted a weakness in the CSP’s interactive remote access system, that would be one risk for the entity to make note of.
Since I believe CSPs will usually let customers see their cybersecurity audit reports, this would be a good way for NERC entities to assess their CSPs. However, given that there are only a small number of platform CSPs, why should each customer of “CSP A” have to request the same audit report, review it, and presumably identify a similar set of risks? Instead, why not have NERC itself – or perhaps a third party acting on NERC’s behalf – perform their own assessment of the CSP, then share the results with every NERC entity that utilizes the CSP’s services?
A word from our sponsor: To produce these blog posts, I rely on support from people like you. If you appreciate my posts, please donate here. Any amount is welcome.
To be clear, NERC would not be acting as a gatekeeper, determining whether the CSP is secure enough to merit designation as a “NERC authorized cloud provider” for entities subject to CIP compliance. Instead, it would be performing a service on behalf of many separate NERC entities. More importantly, since the CSP will know that they only need to be assessed once rather than once for every NERC CIP customer they have, they may be more open to having the assessors go beyond just an examination of the audit report.
That is, the CSP may be willing to have NERC ask them questions that are relevant to cloud providers, but are most likely not included in ISO 27001. For example, the Capital One breach in 2019 was due in part to the fact that many customers of one of the major platform CSPs had all made the same mistake when securing their environments in that CSP’s cloud (an overly permissive IAM role attached to a web application firewall instance, whose credentials could be obtained through a server-side request forgery against the instance metadata service). One of the CSP’s technical staff members, who had been terminated by the CSP, took revenge by breaking into – according to boasts she posted online – over 30 of that CSP’s customers who had made the same mistake.
Of course, the fact that so many customers had made the same mistake should be taken as evidence that the CSP needed to beef up their cloud security training for their customers. Thus, one question that the NERC assessors could ask is what security training is provided to all customers at no additional cost, rather than simply being available for a fee. This question is almost certainly not included in an ISO 27001 audit.
Thus, I’m proposing that, in the new “cloud CIP” standard(s) that will be developed, NERC should be tasked with assessing cloud service providers in two ways: by reviewing their ISO 27001 audit report and by asking them questions that are most likely not asked in a normal assessment based on ISO 27001 (the current SDT should start thinking about what these questions should be).
NERC will review the audit report and the CSP’s answers to the cloud-specific questions, to identify risks that apply to this CSP; they will then pass those results to NERC entities that utilize the CSP’s services. NERC will not make any judgment on whether NERC entities can utilize the CSP’s services, or on measures that a NERC entity should take to mitigate the identified risks.
Of course, my suggestions above suffer from one little problem: NERC’s current Rules of Procedure (RoP) would never allow NERC (or even a third party engaged by NERC) to assess a CSP and share the assessment results with NERC entities. As I stated in the post I referred to earlier, I believe that accommodating use of the cloud by all NERC entities that wish to do so will require changes to the RoP – even though doing so may require an additional 1-2 years, beyond what just redrafting the CIP standards would require. This is just one example of that.
If you have comments on this post, please email me at tom@tomalrich.com. And don’t forget to donate!