Thursday, August 12, 2021

Just to be clear, you’re “allowed” to put BCS in the cloud now

In my last post, I made the case (although this wasn’t the main reason for the post) that the CIP standards, in order to solve the problems found in CIP today, must be rewritten as risk-based; this is a point I’ve made in a number of posts in the past year or so. One of the problems that I pointed out, that can be solved if CIP is rewritten, is the problem of BES Cyber Systems in the cloud, as in outsourced SCADA (note this is different from the problem of BCS Information in the cloud. A lot of NERC entities are storing BCSI in the cloud now, and the changes to the requirements that will make that completely “legal” have been approved).

Putting BCS themselves in the cloud is a very tricky question, mainly because doing so potentially puts the entity in violation of a whole host of CIP requirements (assuming the BCS is High or Medium impact. If it’s Low impact, there’s no restriction at all on putting BCS in the cloud today). The main reason why I say this is that there’s no feasible way to prove in a CIP audit that the cloud provider is actually performing all the acts required by the requirements in CIP-004, CIP-005, CIP-007, and CIP-010 (as well as some of the other CIP requirements).

Of course, this statement always seems strange to people who don’t understand how CIP is audited, since they will usually point out – with good reason – that if anything, the cloud providers have better security than any electric utility, as evidenced by the rigorous FedRAMP and SOC II audits that the major cloud providers have to pass. FedRAMP requires everything that CIP does and a lot more. You’ll get no argument from me on that point.

But what FedRAMP doesn’t require is that the cloud provider store evidence in a way that would enable them to pass a CIP audit; this is because NERC requires – for audits of all standards, not just the CIP standards – that the entity show evidence that they complied with a requirement in every instance. For example, CIP-004-6 R5.1 requires that the “individual’s ability for unescorted physical access and Interactive Remote Access upon a termination action” be removed within 24 hours of their termination (which includes termination for cause or just quitting). The cloud provider would have to retain evidence (e.g., screenshots) that this was done for every termination during the audit period, for any individual that had access to any system that contains “part” of the BCS (since the whole idea of the cloud is that particular functions are broken down into a lot of small functions that can be executed almost simultaneously on many systems located in data centers that are probably all over the world, or at least all over the US).

But even this might not seem too hard – the cloud provider would just need to track everyone who is authorized to access the servers (physically or logically) that your BCS are stored on, and record the evidence that their access was removed within 24 hours when they left the provider. Is that so hard?

It is, when you consider that this applies to every data center where some part of the operations of your BCS might have been stored during some period of time (even if that’s just a few minutes) during the audit period. Moreover, this applies to every employee who worked in one of those data centers during the audit period (which is usually three years) – since any employee who could have walked by a server containing some part of your BCS by definition has physical access to that server (unless it’s in a rack with a locked door, protected by a card reader that only provides access to a small number of data center employees).

In order to comply with this one requirement, the cloud provider would most likely have to provide evidence that they had removed access within 24 hours for any employee in the US who could have even walked by a system that housed some part of your BCS, for even the briefest amount of time during the three-year audit period. In other words, they would need to do this for a significant percentage of all of their US employees. And this is a walk in the park, compared to the evidence that would be required for compliance with CIP-007 R2 (patch management) and CIP-010 R1 (configuration management)!

So even though the cloud provider’s practices almost certainly far exceed what the NERC CIP standards require, it’s literally impossible that they could ever document that compliance. Could that problem be fixed by amending the CIP standards, so that cloud providers would just be able to point to their FedRAMP certification as the only evidence they need?

Absolutely it could (although it would very likely take at least 3-4 years before this change would actually come into effect, from the day that a Standards Authorization Request was written for it). And what would happen then? Literally every NERC entity with Medium and/or High impact BCS would immediately outsource everything they could to the cloud, since their compliance documentation from then on would just consist of one sentence: “See XYZ Cloud Provider’s FedRAMP certification.” Of course, I would hope those entities would find a way to employ the large number of people who were previously doing nothing but document CIP compliance – I’d hate to see so many people out on the street at once.

I agree that allowing cloud vendors to just point to FedRAMP as evidence of compliance with the various CIP requirements would be an extremely popular move, but I also believe some people might object that this could very well put the BES at much more serious risk than it’s ever been in before. In fact, I’d have to withdraw what I’ve said previously, that there’s no way a cyberattack (or even a coordinated set of cyberattacks) could bring down the “whole” US power grid or even a substantial portion of it. If almost all electric utilities put most of their BCS in the cloud, it would just take attacks on the two or three major cloud providers to literally shut down a lot of the US power grid. But other than that, I don’t see anything wrong with this idea…

So what does this mean for the idea of having BCS in the cloud? Should you try it? Like a lot of things, it depends on your risk appetite. You might find that the auditors are very sympathetic to this idea – especially if you’re, say, a renewables producer who’s just starting out, and you have a heart attack when you see the cost of running your Medium impact Control Center on outsourced SCADA vs. the cost of building everything yourself in a facility that you own. But it’s probably more likely that they’ll tell you to drop the outsourced SCADA and create your own Control Center in, say, one year – and if you don’t do that, they’ll throw the book at you.

But the choice is yours. Nothing in the CIP standards says you can’t outsource BCS to the cloud.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Technology and Information Administration’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

 
