Many of you may know this was the title of a Talking Heads concert film. I thought of it in relation to a conversation I had recently with a CIP compliance professional.

The conversation was about the fact, which I have discussed previously, that NERC CIP is almost indisputably hindering deployment of important technologies on the OT networks of electric utilities. In particular, the subject was the cloud. I pointed out to this person that the literal wording of CIP-004 pretty much precludes using cloud services within an ESP (e.g. SCADA in the cloud).
This person was quite surprised by that statement, and was sure I was wrong. Being an IT person, he had deployed other applications in the cloud with no problem. He pointed out that security shouldn’t be an issue if the cloud vendor could provide an SSAE 16 report attesting to their security controls. He said it just didn’t make sense that the only area where such a report wouldn’t carry any weight would be NERC CIP.
Stroking my chin in a wise fashion (which he didn’t see since he was on the other end of a phone line), I said, “Unfortunately, CIP compliance is based entirely on compliance with the literal wording of the requirements, not on what makes sense.” And this is true! Given the prescriptive nature of the CIP standards (indeed of all NERC standards, although I think a prescriptive format probably makes sense for the other standards like COM and TOP), there is simply no way that an SSAE 16 will overcome the fact that no cloud provider will be willing to comply with the access control requirements of CIP-004. Were CIP-004 to be modified so that an SSAE 16 could be taken as an alternative compliance methodology for those requirements, then that would be one way of dealing with the problem; of course, if someone were to write a SAR for this today, it would still be 3-4 years before that change came into effect.
However, as readers of this blog are hopefully beginning to realize, I see a whole host of problems flowing from the fact that the NERC CIP standards are prescriptive[i]. I am not at all in favor of making any further modifications to the current CIP standards, other than the ongoing effort to draft CIP v7 (which I am trying to assist with, time permitting). I think the next version needs to be a non-prescriptive one, since that is the only type of standard that is sustainable in the long run (in fact, even in the not-so-long run. Were the CIP standards to become non-prescriptive tomorrow, a lot of benefits would immediately be realized. But if we keep with the current format, I strongly believe the whole current edifice of CIP will collapse of its own weight in 3-5 years. The tangible and intangible costs of the current prescriptive format are already too high, and will only continue to grow by leaps and bounds, especially as new areas are covered like supply chain security).
Were a set of non-prescriptive standards to be drafted, there would then be a requirement that read something like "For any providers of outsourced services that have access to BES Cyber System Information, take steps to ensure that appropriate security is applied". It would be up to the entity to demonstrate to the auditor's satisfaction that the cloud provider was secure, using SSAE 16 or some other method (and there would be guidelines associated with the requirement, providing suggestions of what might be acceptable evidence).
Of course, I haven’t so far said exactly what form these non-prescriptive CIP standards should take, because I am still trying to figure that part out.[ii] But I really do need to get moving on that, since there is now an urgent need for it. As I will describe in a new post shortly, the new supply chain security standard will almost certainly only be workable if it is non-prescriptive. And as discussed in my last post, NERC effectively only has about six months to draft that standard.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte Advisory.
[i] With two exceptions, as discussed in this post: CIP-007-6 R3 and CIP-010-2 R4. In addition, as I discussed in this post, the new requirement part for electronic access control for Low impact assets in CIP-004-7 R2 has been initially drafted by the v7 SDT as a non-prescriptive requirement.
[ii] I am also planning on writing a book on this topic with two co-authors. However, when I have a good idea of what form the standards should take I will post it in this blog. I won't wait for the book - which definitely is at least a year away from publication.