Thursday, December 14, 2023

NERC takes the first step toward the cloud


Yesterday, the NERC Standards Committee approved a Standards Authorization Request which is meant to lead to a complete “normalization” of cloud use by entities subject to the NERC CIP standards. Even though BES Cyber System Information (BCSI) in the cloud will be “legal” on January 1, 2024, deploying medium or high impact BES Cyber Systems or Electronic Access Control or Monitoring Systems (EACMS) in the cloud is currently all but impossible, if an entity wants to maintain compliance with all the NERC CIP requirements. The new SAR is intended to lead to a new standard or standards (although more than new standards may be required), which will remove these final barriers.

You can find the SAR on pages 56-61 of this agenda package from the meeting. The SAR doesn’t seem to have changed much from when I reviewed it in this post, so I won’t go over the same ground again. It now looks like the earliest the complete fix for the cloud will be in place will be early 2028 and more likely after that; if you think it should come much more quickly, you should make your opinion known through your company, your Region, etc.

I certainly think these changes are long overdue, and the idea that it will take four or more years to implement them – God willing, and the creek don’t rise – is to me quite disappointing.

But much more disappointing is that a current problem that everyone thought would be solved on January 1 is in fact not solved at all. I’m referring to the fact that use of SaaS (software as a service), which is now officially illegal for entities with medium and/or high impact BES Cyber Systems, but was supposed to become “legal” when BCSI in the cloud becomes allowed on January 1, is now as far away as ever from being approved (I explained the reasons for that sad situation in this post).

I had hoped that the new SAR would include a directive for the standards drafting team to take up this new problem as well, ideally before their other business. However, the new SAR is silent on the problem. This means there will need to be a new SAR and a new SDT dedicated to just this problem. On its face, it seems to me that it could be fixed with just a few word tweaks, but I’m told that it’s much harder than that. Regardless, it needs to get done, starting with a new SAR.

Since NERC has faced other situations in which it had to deliver a narrowly circumscribed solution to a difficult CIP problem very quickly, I don’t think it's expecting too much to suggest that the revised standard (and really just one requirement) be delivered within one year. At least one new standard was put in place in only three months, although since that standard had to be redrafted soon afterwards, I don’t recommend pushing it that fast. But 6-9 months to have the new standard approved by FERC and ready to implement (no implementation period will be needed) doesn’t strike me as very hard at all.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

I lead the OWASP SBOM Forum. If you would like to join or contribute to our group, please go here, or email me with any questions.
