After last week’s post on CIP and the cloud – which painted a pretty gloomy picture of the likelihood that BES Cyber Systems will be able to be “legally” (as far as CIP is concerned) placed in the cloud in the near future – a good friend of mine, who is CISO of a large NERC entity, dropped me an email which led to a good exchange in which we discussed three major points. This post discusses one of those points. I’ll discuss the other two in subsequent posts.
My friend started off by pointing out that a FedRAMP certification could easily be seen
as evidence of compliance with a number of the CIP-003 through CIP-011 requirements,
since it’s doubtful there’s any requirement in those standards that isn’t
addressed in some way in FedRAMP already. He also noted that at least a couple
groups within NERC or one of the Regions have engaged with one of the major
cloud providers, presumably to see how perhaps some of the FedRAMP controls
might be accepted as compliance evidence for at least some CIP risks.
This idea has been discussed for a while, especially within
the Compliance Input Working Group (CIWG) of the late, lamented NERC CIPC (which
was this year swallowed whole – and thoroughly digested, it seems – by the new
Reliability and Security Technical Committee or RSTC). However, it hasn’t been
discussed in the context of BCS in the cloud – just of BCS Information (BCSI)
in the cloud.
In fact, the CIWG discussed this idea when they started
considering how the CIP standards could be modified to allow BCSI to be stored
in the cloud at least a couple of years ago. As I discussed briefly in the
previous post, the drafting team that was later assigned the task of making
this happen has focused on a different solution to the problem, which I prefer
because it takes a more comprehensive, risk-based approach. But I believe the
immediate BCSI problem could also have been solved by changing the Measures for
the requirements in question, so that FedRAMP certification would be accepted
as evidence of compliance.
However, my previous post pointed out that the problem of
BCSI in the cloud is very different from that of BES Cyber Systems themselves
in the cloud – and the latter simply has no good solution within the current
CIP standards. The biggest problem is that so many of the CIP-003 through CIP-011
requirements would apply either to individual cloud employees or to individual
cloud systems, and there must be documentation of every instance when a control
was applied. There’s simply no way any cloud provider could ever provide the
required evidence without breaking their business model.
I suppose that it might be possible to “solve” this problem
by kind of “forking” the Measures sections of the requirements. In other words,
there would be two ways an entity could demonstrate compliance with each
requirement. One is to have the documentation currently required. To use the
example of CIP-007 R2.2 compliance, this means evidence that, for every piece
of software installed on any Medium or High impact BCS or PCA, the entity “contacted”
the patch source to determine whether a new security patch has been issued in
the last 35 days (and of course, this evidence needs to be available for every piece
of software – in fact, every version of every piece of software used on a
BCS or PCA – in scope, for every month of the audit period).
The other fork would be for the NERC entity to show that the
cloud provider where the BCS was implemented has a FedRAMP certification, and
beyond that, they have a passing grade (or whatever it’s called) for the FedRAMP
requirement that “maps” to the CIP requirement in question. Now, I want to ask you (and I request you
answer honestly): If for example you have 1,000 pieces of software within your ESPs,
would you find it easier to:
1. Gather 1,000 pieces of evidence that you had contacted a patch source every month, with the result that you will need to have those 36,000 pieces of evidence all indexed and available for your next audit (which of course will be roughly 36 months after your last one) – and of course, woe betide you if you’re missing more than one or two of those 36,000 pieces of evidence (yea verily, great will be the weeping, wailing and gnashing of teeth of the poor souls condemned to this hell); or
2. Just get the cloud provider to copy the section of their FedRAMP certification that shows they have in place controls somewhat similar to those in CIP-007 R2.2 (OK, so it might be a little more complicated than that. But certainly nothing like the first option)?
If you said number 2, I’m sure you’ll agree with 99.9% of
the other readers – in fact, I’d seriously wonder about anyone who said item 1
might be easier (and remember, if FedRAMP were to be included in the CIP Measures
in this way, it would only have been with the prior agreement of the major
cloud providers that they would provide the required evidence. In fact, they
could just provide it once to each Region, rather than make every entity in the
Region obtain it and submit it. So this might even be a zero-effort option).
What will be the effect of changing the Measures section of
each CIP requirement to include this FedRAMP “get out of jail free” card? You got
it: as soon as it was clear these changes had been approved by FERC, just about
every CIP entity with Medium or High impact BCS would be on the phone to their
friendly neighborhood cloud provider, making arrangements to transfer as many
of their BES Cyber Systems as possible into the cloud, probably the day after
the implementation date for the revised standards.
And this, Dear Reader, is why I don’t think the idea of NERC
simply waving its hands and declaring that FedRAMP certification is evidence
for CIP compliance is really going to be successful. Sure it will enable those entities
who already wanted to do this to move their BCS to the cloud. But it also would
literally force all other entities to do their darndest to move their BCS to
the cloud as well, whether or not they had security or other concerns about
doing this. And believe it or not, this wouldn’t be good for the cybersecurity
of the grid.
In other words, changing the CIP standards so that BCS can
be installed in the cloud doesn’t have an easy solution. Two hard questions
need to be addressed first:
1. How can the CIP standards be rewritten so that they don’t require evidence based on individual instances of compliance – i.e. evidence that controls were applied for particular systems or for particular individuals? The point is that it won’t help to fix this problem for NERC entities that have BCS at cloud providers, but not at the same time for entities that aren’t inclined to pick up their BCS and move as many as possible into the cloud as soon as possible, without a full consideration of the risks. Unless you want to make the latter as hard to find as the passenger pigeon or dodo bird, of course. I gave some brief hints at the answer to this question in my previous post.
2. Are there any serious cyber risks that apply to cloud providers, that aren’t addressed either by CIP or by FedRAMP (spoiler alert: I think the answer is yes, as discussed in this post, and this one)? If so, doesn’t that mean there might need to be some new CIP requirements before the Good Housekeeping Seal of Approval is bestowed on the cloud providers, FedRAMP or no FedRAMP?
I will discuss this second question in the next of the three
posts in this series, coming soon to a blog near you.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would
love to hear from you. Please email me at tom@tomalrich.com.
Are you wondering if you’ve
forgotten something for the 10/1 deadline for CIP-013 compliance? This
post describes three important tasks you
need to make sure you address. I’ll be glad to discuss this with you as well –
just email me and we’ll set up a time to talk.