In my last post, I made the case (although this wasn’t the main reason for the post) that the CIP standards, in order to solve the problems found in CIP today, must be rewritten as risk-based; this is a point I’ve made in a number of posts in the past year or so. One of the problems that I pointed out, that can be solved if CIP is rewritten, is the problem of BES Cyber Systems in the cloud, as in outsourced SCADA (note this is different from the problem of BCS Information in the cloud. A lot of NERC entities are storing BCSI in the cloud now, and the changes to the requirements that will make that completely “legal” have been approved).
Putting BCS themselves in the cloud is a very tricky question, mainly because doing so potentially puts the entity in violation of a whole host of CIP requirements (assuming the BCS is High or Medium impact; if it’s Low impact, there’s no restriction at all on putting BCS in the cloud today). The main reason I say this is that there’s no feasible way to prove in a CIP audit that the cloud provider is actually performing all the acts required by the requirements in CIP-004, CIP-005, CIP-007, and CIP-010 (as well as some of the other CIP requirements).
Of course, this statement always seems strange to people who don’t understand how CIP is audited, since they will usually point out – with good reason – that if anything, the cloud providers have better security than any electric utility, as evidenced by the rigorous FedRAMP and SOC 2 audits that the major cloud providers have to pass. FedRAMP requires everything that CIP does and a lot more. You’ll get no argument from me on that point.
But what FedRAMP doesn’t require is that the cloud provider store evidence in a way that would enable them to pass a CIP audit; this is because NERC requires – for audits of all standards, not just the CIP standards – that the entity show evidence that they complied with a requirement in every instance. For example, CIP-004-6 R5.1 requires that the “individual’s ability for unescorted physical access and Interactive Remote Access upon a termination action” be removed within 24 hours of their termination (which includes termination for cause or just quitting). The cloud provider would have to retain evidence (e.g. screenshots) that this was done for every termination during the audit period, for any individual that had access to any system that contains “part” of the BCS (since the whole idea of the cloud is that particular functions are broken down into a lot of small functions that can be executed almost simultaneously on many systems located in data centers that are probably all over the world – or at least all over the US).
But even this might not seem too hard – the cloud provider would just need to track everyone who is authorized to access the servers (physically or logically) that your BCS are stored on, and record the evidence that their access was removed within 24 hours when they left the provider. Is that so hard?
It is, when you consider that this applies to every data center where some part of the operations of your BCS might have been stored during some period of time (even if that’s just a few minutes) during the audit period. Moreover, this applies to every employee who worked in one of those data centers during the audit period (which is usually three years) – since any employee who could have walked by a server containing some part of your BCS by definition has physical access to that server (unless it’s in a rack with a locked door, protected by a card reader that only provides access to a small number of data center employees).
In order to comply with this one requirement, the cloud provider would most likely have to provide evidence that they had removed access within 24 hours for any employee in the US who could have even walked by a system that housed some part of your BCS, for even the briefest amount of time during the three-year audit period. In other words, they would need to do this for a significant percentage of all of their US employees. And this is a walk in the park, compared to the evidence that would be required for compliance with CIP-007 R2 (patch management) and CIP-010 R1 (configuration management)!
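To make the per-instance evidence burden concrete, here is an added Python example (my own illustration for this post, not code from any cloud provider or auditor) that derives the population the CIP-004-6 R5.1 24-hour check would have to cover from constructed workload-placement and staffing records, then flags every termination instance that lacks timely removal evidence. The data center names, people and timestamps are all made up.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the post); timestamps are ISO 8601, intervals half-open.
AUDIT_START, AUDIT_END = "2021-01-01T00:00", "2023-12-31T00:00"  # three-year audit period
# Where "parts" of one BCS ran: even a five-minute placement pulls that data center into scope.
WORKLOAD_PLACEMENTS = [
    ("dc-east-1", "2023-01-01T00:00", "2023-01-01T00:05"),
    ("dc-west-2", "2023-01-01T00:00", "2023-06-30T00:00"),
]
# Which provider data center each employee worked in, and over what period.
EMPLOYEE_ASSIGNMENTS = [
    ("alice", "dc-east-1", "2022-01-01T00:00", "2023-03-01T00:00"),
    ("bob", "dc-west-2", "2022-01-01T00:00", "2023-12-31T00:00"),
    ("carol", "dc-south-3", "2022-01-01T00:00", "2023-12-31T00:00"),
    ("dave", "dc-east-1", "2022-01-01T00:00", "2023-12-31T00:00"),
]
TERMINATIONS = {"alice": "2023-03-01T09:00", "bob": "2023-05-10T17:00",
                "carol": "2023-02-01T00:00", "dave": "2023-04-01T00:00"}
REMOVALS = {"alice": "2023-03-02T08:00", "bob": "2023-05-12T10:00"}  # revocation evidence on file


def _t(s):
    return datetime.fromisoformat(s)


def in_scope_individuals(placements, assignments, audit_start, audit_end):
    """Everyone assigned to a data center while any part of the BCS ran there during
    the audit period: the population for which R5.1 evidence would have to exist."""
    lo, hi = _t(audit_start), _t(audit_end)
    scope = set()
    for dc, p0, p1 in placements:
        p0, p1 = max(_t(p0), lo), min(_t(p1), hi)  # clip the placement to the audit period
        if p0 >= p1:
            continue  # placement lies entirely outside the audit period
        for person, e_dc, e0, e1 in assignments:
            # same data center, and the two intervals share at least one instant
            if e_dc == dc and _t(e0) < p1 and p0 < _t(e1):
                scope.add(person)
    return scope


def missing_evidence(terminations, removals, scope, window=timedelta(hours=24)):
    """Per-instance check: each in-scope termination needs a removal record inside
    the window. Returns {person: reason} for every instance an auditor would cite."""
    failures = {}
    for person in sorted(scope):
        if person not in terminations:
            continue  # still employed, so no termination instance to evidence
        if person not in removals:
            failures[person] = "no removal evidence"
        elif (late := _t(removals[person]) - _t(terminations[person])) > window:
            failures[person] = f"removed after {late.total_seconds() / 3600:.0f}h"
    return failures
```

Note that carol, who worked only in a data center that never hosted the BCS, drops out of scope entirely, while dave is in scope on the strength of a five-minute placement a year earlier.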
So even though the cloud provider’s practices almost certainly far exceed what the NERC CIP standards require, it’s literally impossible that they could ever document that compliance. Could that problem be fixed by amending the CIP standards, so that cloud providers would just be able to point to their FedRAMP certification as the only evidence they need?
Absolutely it could (although it would very likely take at least 3-4 years before this change would actually come into effect, from the day that a Standards Authorization Request was written for it). And what would happen then? Literally every NERC entity with Medium and/or High impact BCS would immediately outsource everything they could to the cloud, since their compliance documentation from then on would just consist of one sentence: “See XYZ Cloud Provider’s FedRAMP certification.” Of course, I would hope those entities would find a way to employ the large number of people who were previously doing nothing but document CIP compliance – I’d hate to see so many people out on the street at once.
I agree that allowing cloud vendors to just point to FedRAMP as evidence of compliance with the various CIP requirements would be an extremely popular move, but I also believe some people might object that this could very well put the BES at much more serious risk than it’s ever been in before. In fact, I’d have to withdraw what I’ve said previously, that there’s no way a cyberattack (or even a coordinated set of cyberattacks) could bring down the “whole” US power grid or even a substantial portion of it. If almost all electric utilities put most of their BCS in the cloud, it would just take attacks on the two or three major cloud providers to literally shut down a lot of the US power grid. But other than that, I don’t see anything wrong with this idea…
So what does this mean for the idea of having BCS in the cloud? Should you try it? Like a lot of things, it depends on your risk appetite. You might find that the auditors are very sympathetic to this idea – especially if you’re, say, a renewables producer who’s just starting out, and you have a heart attack when you see the cost of running your Medium impact Control Center on outsourced SCADA vs. the cost of building everything yourself in a facility that you own. But it’s probably more likely that they’ll tell you to drop the outsourced SCADA and create your own Control Center in, say, one year – and if you don’t do that, they’ll throw the book at you.
But the choice is yours. Nothing in the CIP standards says you can’t outsource BCS to the cloud.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Telecommunications and Information Administration’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.