I will be conducting a webinar on November 7, 2019 from noon to 1:00 PM Eastern time, with the above title. The webinar is sponsored by Henry Stewart Publications in the UK, who solicited and published an article of mine titled “How can we effectively regulate grid security?” in their publication Cybersecurity: A Peer-Reviewed Journal early this year; I described that article in this blog post. While that journal doesn’t publish its contents on the web, if you would like to read the article, you can email me and I’ll send you a (perfectly legal) proof copy of it (of course, it’s a good publication and you might want to subscribe. If you do, I’m sure you would receive the edition with my article).
The article identifies five serious problems with the NERC CIP standards; I’ve been writing about these problems for years, but I had never discussed them all in one place. The article did that, and also briefly described how I would address those problems if given the chance to completely rewrite the CIP standards. The webinar will differ from the article in two ways:
First, the focus will be how I would write cybersecurity standards for any critical energy infrastructure (CEI), not just the power grid. Of course, the most serious effort to date to regulate cybersecurity for CEI – anywhere in the world – is NERC CIP, and I will constantly be referring to the lessons that have been learned from the CIP experience.
Second, since I first wrote the article in May 2018, I’ve come to realize there’s a sixth serious problem with CIP that needs to be addressed. In fact, I now think it’s probably the most serious problem of all, and its importance will keep growing in coming years. Not to keep you in suspense, that problem is the fact that NERC entities can’t put BES Cyber Systems in the cloud. Of course, information about BCS, known as BCSI, is now being put in the cloud by many entities, and that activity will without doubt be “legalized” in CIP in a couple of years. But a NERC entity that put a Medium or High impact BES Cyber System itself in the cloud – e.g. outsourced SCADA – would find itself being cited for a violation of just about every CIP requirement.
In fact, addressing this sixth problem isn’t just another “checklist item” that must be addressed in a different framework for CEI cybersecurity standards; it will literally have to be baked into the foundation of those standards. The standards will need to address both cloud and physical systems at their core, and it can’t be simply through an adjunct that bolts a cloud-based framework onto a physical systems-based framework (as some have suggested as a solution to incorporating cloud-based BCS into CIP).
I hope you’ll join me for this. The signup link is here.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Please keep in mind that if you’re a NERC entity, Tom Alrich LLC can help you with NERC CIP issues or challenges like what is discussed in this post – especially on compliance with CIP-013. My offer of a free webinar on CIP-013, specifically for your organization, has received a great response, and remains open to NERC entities and vendors of hardware or software components of BES Cyber Systems. To discuss this, you can email me at the same address.