Sunday, February 11, 2024

NERC CIP: A big security issue with SaaS


As the NERC community starts to move toward making full use of the cloud “legal” for all systems owned or operated by NERC entities, it is inevitable we will all learn of security issues that only come up with respect to cloud-based systems, and which are most likely not addressed by FedRAMP, ISO 27001/2 and other certifications.

One issue that I have learned about in the last two months, which only comes up with respect to SaaS (software as a service), is called “multi-tenancy”. It comes about when what was previously a software product sold to individual organizations, for installation in their individual environments, is moved to the cloud and offered to many organizations. The problem comes up because:

1.      Many applications have their own database to store user data. That database was originally designed to hold data belonging to many users from a single organization. There should always be controls to prevent one user from seeing another user’s data, but such controls are never completely foolproof. However, since every user is presumably from the same organization, a failure of those controls exposes data only to a colleague, and this normally does not create a big problem.

2.      When the application is moved to the cloud and becomes SaaS, the vendor will often assume that the controls already in place to prevent one user from seeing another user’s data are also adequate to prevent a user from Organization A from seeing the data of a user from Organization B, where A and B are both customers of the SaaS product. Such controls typically rely on identifiers such as user IDs, roles and group names that were only ever required to be unique within one organization, and they have no notion of which organization a record belongs to.

3.      Often, this will be a good assumption, especially if there were no problems reported with the existing controls when the product was sold for standalone use.

4.      However, critical infrastructure (CI) is different. CI users are often sensitive to even a small possibility that someone from outside their organization, and especially someone from an organization or country that might be contemplating an attack on their CI in the future, will be able to see their data. When these users, or at least the organizations that employ them, learn that the data of all users of a SaaS product, regardless of where those users are or whom they work for, will be stored in a single database, they may be concerned. And their regulators may be very concerned.
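The gap between "one user cannot see another user's data" and "one organization cannot see another organization's data" is easier to see with a concrete query. The following is an added example, not code from this post or from the vendor it describes; the schema, the two organizations, the users and the reports are all constructed for illustration. It models a legacy single-organization application whose visibility rule was "owner of the record, or member of the group the record was shared with". That rule was adequate when every group name belonged to one organization, but once two organizations in the same database both have a group called "engineering", a report shared with that group in Organization A becomes visible to a user in Organization B. The hardened version keeps the same rule and additionally pins every row to the requesting user's tenant.

```python
"""Added example: per-user access checks versus tenant isolation.

Constructed scenario (not from the post).  A legacy single-organization
application let a user see a report if they owned it or if it had been
shared with their group.  After several organizations are moved into one
shared database, the same predicate leaks data across tenants, because
group names are no longer unique.  The hardened query adds a tenant_id
check on every row.
"""
import sqlite3

# Assumed schema: a tenant_id column on users and reports.  In the legacy
# single-organization product this column did not exist; it is what the
# hardened query relies on.
SCHEMA = """
CREATE TABLE tenants (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    tenant_id INTEGER NOT NULL REFERENCES tenants(id),
    name TEXT NOT NULL,
    grp TEXT NOT NULL
);
CREATE TABLE reports (
    id INTEGER PRIMARY KEY,
    tenant_id INTEGER NOT NULL REFERENCES tenants(id),
    owner_id INTEGER NOT NULL REFERENCES users(id),
    title TEXT NOT NULL,
    shared_with_group TEXT            -- NULL means visible to the owner only
);
"""


def build_demo_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tenants VALUES (?, ?)",
                     [(1, "Utility A"), (2, "Vendor B")])
    # Both organizations happen to have a group called "engineering".
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                     [(10, 1, "alice", "engineering"),
                      (11, 1, "bob", "finance"),
                      (20, 2, "mallory", "engineering")])
    conn.executemany("INSERT INTO reports VALUES (?, ?, ?, ?, ?)",
                     [(100, 1, 10, "Substation outage plan", "engineering"),
                      (101, 1, 11, "Q1 budget", None),
                      (200, 2, 20, "Vendor B roadmap", "engineering")])
    conn.commit()
    return conn


def visible_reports_legacy(conn: sqlite3.Connection, user_id: int) -> set[str]:
    """Single-organization era rule: owner, or member of the shared group.

    Nothing here mentions the tenant, so a group name that exists in two
    organizations matches rows from both.
    """
    rows = conn.execute(
        """
        SELECT r.title
        FROM reports r
        JOIN users u ON u.id = ?
        WHERE r.owner_id = u.id
           OR r.shared_with_group = u.grp
        """,
        (user_id,),
    ).fetchall()
    return {title for (title,) in rows}


def visible_reports_tenant_scoped(conn: sqlite3.Connection, user_id: int) -> set[str]:
    """Same rule, but every row must also belong to the caller's tenant."""
    rows = conn.execute(
        """
        SELECT r.title
        FROM reports r
        JOIN users u ON u.id = ?
        WHERE r.tenant_id = u.tenant_id
          AND (r.owner_id = u.id OR r.shared_with_group = u.grp)
        """,
        (user_id,),
    ).fetchall()
    return {title for (title,) in rows}


if __name__ == "__main__":
    db = build_demo_db()
    # mallory (Vendor B) sees Utility A's report under the legacy rule.
    print("legacy, mallory:", sorted(visible_reports_legacy(db, 20)))
    print("scoped, mallory:", sorted(visible_reports_tenant_scoped(db, 20)))
    print("scoped, alice:  ", sorted(visible_reports_tenant_scoped(db, 10)))
```

Adding the tenant_id predicate to every query is the minimal fix, and it depends on no developer ever forgetting it. A stronger design enforces the tenant boundary in the database itself, for example with PostgreSQL row-level security policies keyed on a per-session tenant setting, so that a query missing the filter returns nothing rather than everything.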

Two months ago, I learned of a previously standalone software product that was moved into the cloud as SaaS, without making any changes to the database. Users from all over the world and all industries are using the common database.

A staff member of the vendor assured me that none of their users had even mentioned this issue, let alone objected to it. However, it is safe to say that no NERC entities with high and/or medium impact BES Cyber Systems are using the SaaS product now (the standalone product is still being offered, although that will end in the future). I stated my opinion that such NERC entities may well have objections when they hear they will have to share this database.

I want to make it clear that “multi-tenant” databases (where “tenant” refers to separate organizations, not to individuals within an organization) are not in any way “forbidden” by NERC CIP. Of course, since the existing CIP standards were all drafted without any consideration of the cloud, this isn’t surprising. And even though a new standards drafting process has been scheduled to start in July, it isn’t at all certain that the new standards will in any way restrict or prohibit multi-tenancy in SaaS applications used by NERC entities.

This is because it isn’t clear whether and how multi-tenancy poses a risk to organizations that use SaaS, and if it does, what exactly that risk is. This is especially true when you consider that eliminating multi-tenancy altogether (i.e., giving each organization using the SaaS product its own database instance) would be very expensive for the SaaS provider, and they would need to pass this cost on to their customers. Any “solution” to this problem would have to be weighed against its cost by considering risk: i.e., will the dollar value of risk avoided by the solution be greater than the dollar value of the costs of providing that solution?

Because this isn’t an open-and-shut cybersecurity question (like the question of whether a critical infrastructure system should require strong passwords or multi-factor authentication), my guess is there won’t be a specific requirement, in whatever comes out of the new “Cloud CIP” standards drafting process, forbidding multi-tenancy. At most, there may be a requirement for the NERC entity to consider this and other risks when choosing a new SaaS provider, and to document how they (and/or the provider) are addressing those risks.

In fact, maybe this will just be an item for auditors to look at in a performance audit, and document an Area of Concern (with recommended mitigation steps and a fixed timeline) when needed. Not everything has to be a requirement with $1MM/day penalties!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

I lead the OWASP SBOM Forum. If you would like to join or contribute to our group, please go here, or email me with any questions.

