In my most recent post I stated that I thought cloud storage of BES Cyber System Information was permitted by NERC CIP v5 and v6, and quoted a CIP auditor on what NERC entities (with High and/or Medium impact assets) needed to do to remain compliant with CIP if they do this.
The next day I received an email from Judy Koski of Tucson Electric Power, a NERC compliance professional I have known for many years. She pointed out: “You have left out any mention of encrypted BCSI in the cloud. If the information is encrypted in storage, the third party supplier does not have access, except to very limited personnel. Does this not solve the problem?”
I immediately sent this question to the auditor who contributed to the previous post, and he quickly replied: “I would argue that it is BCSI[i] and that the CIP-011-2 requirement to protect that information is achieved, in part, by encryption of the data at rest, what P1.2 refers to as in storage. The fact that it is encrypted does not change the fact that the data is information about BCS. So, yes, the other Requirements/Parts still apply.”
Since this auditor won’t ever use two words where one will suffice, I will “decrypt” his statement. He first points out that CIP-011-2 R1.2 requires the entity’s Information Protection Plan to include “Procedure(s) for protecting and securely handling BES Cyber System Information, including storage, transit, and use.” He agrees that encryption of BCSI while at rest at the cloud provider (or other third party) addresses the “storage” side of this, but that entities must also protect BCSI in transit and in use (of course, not necessarily with encryption, since there are many other ways to do this).
In addition to addressing the “transit” and “use” aspects of the above requirement, the auditor also pointed out that the three other requirement parts, included in a numbered list in my last post, still need to be complied with. Encryption won’t help with any of these, so you still have to address each of them.
The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Deloitte.
[i] In my email to the auditor, I had speculated that perhaps the encrypted data wouldn’t be BCSI at all, since the definition of BCSI includes the statement “BES Cyber System Information does not include individual pieces of information that by themselves do not pose a threat or could not be used to allow unauthorized access to BES Cyber Systems…” I reasoned that encryption meant the information couldn’t be used to allow unauthorized access to BCS. The auditor rightly pointed out that it’s still BCSI even though it’s encrypted. The encryption is one control that can be used to block unauthorized access.