To my many readers who don’t know much if anything about NERC CIP, I’ll explain the title of this post: A large number of important systems that operate the North American power grid are indirectly forbidden from being located in the cloud, because of the nature of the current NERC CIP requirements – which no cloud provider could ever comply with.
It seems that every few years, there’s a lot of talk about moving Medium and High impact BES Cyber Systems (BCS) into the cloud. The reason that topic keeps coming up is it would undoubtedly be much more efficient and cost-effective to do that, and probably more secure, not less. However, the problem is also that any utility that did that wouldn’t be able to prove CIP compliance with a huge percentage of the CIP requirements.
I have believed for a long time that medium and high BCS will never be allowed in the cloud until the whole CIP compliance regime, which is now based on compliance for individual cyber assets (both physical and virtual), changes to being based on compliance for systems (i.e., BCS needs to be the foundation of CIP compliance, not BCA).
Ironically, the CIP Modifications drafting team outlined almost exactly that approach in 2018 in one or two webinars and started to work on redrafting the CIP requirements as needed to implement that approach. However, it seems that effort got set aside, perhaps because a lot of NERC entities have a substantial investment in compliance with the CIP standards as they are – which they’re reluctant to throw away (I might well agree with them, were I in their shoes). The team then turned to the more conventional approach to virtualization (i.e., basing it on cyber assets, but virtual ones as well as physical), which it continues to pursue today. See this post for a description of the unhappy 2018 experience.
There is a proposal being circulated now that would essentially create a “parallel CIP” for medium and high BCS that are in the cloud (lows can be there now without a problem, as far as I know). Of course, compliance will be much easier for the NERC entities that pursue that approach, since their evidence in all cases will probably be the CSP’s FedRAMP certification. The inevitable result of implementing this will be that all medium and high impact Control Centers (and perhaps even parts of substations) will be moved to the cloud, if it’s at all possible for the utilities to do that. Obviously, that might make the grid more vulnerable to cyberattack, not less.
Two of my posts from 2021 flesh this out: from August and November.
I don’t see any way to change this situation, other than starting to contemplate wholesale changes to NERC CIP. But I currently doubt there’s the will to do that.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.