I and other consultants have been pointing out the serious problems being caused by the fact that the current CIP standards effectively prohibit use of the cloud for medium and high impact systems. This is not because the requirements explicitly forbid cloud use – indeed, the current requirements say nothing at all about the cloud – but because cloud service providers would never be able to provide the evidence required for a NERC entity to prove compliance with prescriptive CIP requirements like CIP-007 R2 and CIP-010 R1.
Now, two highly respected staff members from the Regional Entities, Lew Folkerth of RF and Chris Holmquest of SERC, have written an excellent document that states the problem very clearly. It was published in the newsletters of both Regions: SERC (https://serc1.org/docs/default-source/outreach/communications/serc-transmission-newsletter/2024-newsletters/2024-05-newsletter/n-the-emerging-risk-of-not-using-cloud-services_2024-05.pdf?sfvrsn=e6923606_2) and RF (https://www.rfirst.org/resource-center/the-emerging-risk-of-not-using-cloud-services/).
I am reproducing the article below with permission from both Regions. I have highlighted two paragraphs I think are especially important. The one problem I have with this document is that it doesn’t emphasize the most serious issue here: it will likely take at a minimum 5-6 years for the new standard(s) to be developed and approved, along with changes to the NERC Rules of Procedure that will probably be required, and for all of this to take effect.
Yet, given the accelerating pace at which software and service providers are moving to the cloud, it is likely there will be negative impacts to grid security and reliability within a couple of years. There will probably need to be a shortcut available soon that will allow some NERC entities to continue using software and services (especially cybersecurity services) they would otherwise have to stop using. We don’t want the NERC CIP standards, which were implemented to improve grid reliability and security (and have done so, to be sure), to become the biggest impediment to that improvement.
If you have questions for either Region, you can get them answered here: SERC (https://www.serc1.org/contact-us) and RF (https://www.rfirst.org/contact-us/). Also note that the project page for the new NERC “Risk Management for Third Party Cloud Services” standards development project – which will begin operations in Q3 – has been created. You should bookmark this and check it regularly.
THE EMERGING RISK OF NOT USING CLOUD SERVICES
By: Chris Holmquest, Senior Reliability and Security Advisor, SERC; Lew Folkerth, Principal Reliability Consultant, RF
In the ERO, we are seeing forces that foretell an inevitable move to cloud-based services for many operational technology (OT) applications and services. Cloud technology has been advancing for many years, and software and service vendors are now migrating their products to take advantage of this new technology. Even when our industry addresses the security concerns of this migration, there will still be compliance concerns. We will share the efforts underway to identify the risks to reliability, security, and compliance that our industry must address before we can move forward in this area.
Security challenges for on-premises OT systems
Vendors of security monitoring, asset management, work management, and other essential services are moving toward cloud-based services at a very rapid pace with their applications and infrastructure. This brings a new risk to light: soon we may be seeing end-of-life notices for on-premises systems, which translates to lessened or non-existent support, including security patches. Some members of our industry have already observed that new and important features are being implemented only in the cloud-based offerings.
Entities are looking at the potential benefits that cloud-based software and services can bring. As entities in our industry are challenged to acquire sufficient resources to manage their reliability, security, and compliance risks, cloud services can offer attractive solutions to manage these risks while lowering costs in capital investment and support.
Moving to the cloud presents risks as well, not the least of which is being confident that your systems and data are secure. Even when you are confident in the security of your systems and data, you will still face compliance risks.
Compliance challenges for OT cloud services
The use of cloud services will not be possible for high and medium impact BES Cyber Systems under the present CIP Standards because compliance risk will be increased beyond an acceptable level, except for BES Cyber System Information in the cloud. New Reliability Standards will be required, and those standards will need to be risk-based. There are too many variables in cloud environments to be able to write prescriptive standards for these cases.
Your compliance processes will need to be very mature and integrated with operational processes and procedures. Internal controls will become even more important.
Auditing processes will need to be adapted to cloud environments to determine the type, quality and quantity of evidence that will be needed to provide reasonable assurance of compliance.
The path forward
There are efforts underway to help with this complex dilemma. We are looking at these various issues and have formed an ad-hoc team of Electric Reliability Organization and Federal Energy Regulatory Commission staff, cloud service provider vendors, industry consultants, training experts, and electric industry security, compliance, and management personnel. This team is providing ad-hoc support to other existing groups working to advance the use of cloud technologies. So far, these efforts include work on a series of industry webinars to address issues with using cloud in our OT and CIP environments. Awareness of cloud technologies for our systems is crucially important, and these webinars will be designed for a broad audience. Efforts also include a field test of a cloud-based system and investigating third-party assessments, which may be essential to accommodate the CIP Standards with a cloud system.
There is a formal NERC subcommittee under the Reliability and Security Technical Committee called the Security Integration and Technology Enablement Subcommittee (SITES). Registered entity staff and vendors are members of this group, and they have published a white paper called “BES Operations in the Cloud” that we recommend.
A SITES sub-team, New Technology Enablement (NTE), is in the process of creating a series of white papers to help move the standards development effort from a stance that follows technology developments after the fact, to a leading process where standards development is part of early adoption of applicable technologies. The goal of NTE is to enable use of the best available tools and techniques in our most critical systems. Their first effort will be a paper titled “New Technology Enablement and Field Testing.”
Getting involved
The ability to use cloud services to reduce security risk and to improve reliability and resilience is important to the future of our industry.
We suggest that you read the SITES white paper and consider volunteering to participate in the SITES and/or NTE groups if you would like to contribute.
SANS, the well-known security training organization, will be hosting the series of webinars mentioned above. Please watch for the announcements for these webinars. Also, there is a recorded SANS Summit Panel discussion (link below) of this risk and possible directions forward.
A new standards development project, Risk Management for Third-Party Cloud Services, has been established (see link below). This project is scheduled to become active in the third quarter of 2024.
Please stay abreast of these developments and consider how your knowledge and industry experience can contribute to these efforts.
References
• Security Integration and Technology Enablement Subcommittee (SITES)
• White paper: BES Operations in the Cloud
• SANS Summit Panel – We Hear You Cloud and Clear
• 2023-09 Project – Risk Management for Third-Party Cloud Services
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Also, if you would like to learn more about or join the OWASP SBOM Forum, please email me.
My book "Introduction to SBOM and VEX" is now available in paperback and Kindle versions! For background on the book and the link to order it, see this post.