Last December, the NERC Standards Committee approved a Standards
Authorization Request (SAR) that set
in motion the process of making revisions to the NERC CIP Standards (and
perhaps the NERC Rules of Procedure as well) that will finally allow NERC
entities with high and/or medium impact BES environments to make full use of
cloud services for those environments.
However, when I say “set in motion” I’m using that phrase
loosely, since the committee assigned the project medium priority - meaning it
would not even start until the third quarter of this year. I pointed out in this
post that, because of all the cats that need to be herded for this project
to succeed, it will probably take 5-6 years (at least) between the day the
project starts and the day the barriers to full use of the cloud by NERC entities
are finally removed.
I also pointed out there is growing concern among NERC and
Regional Entity staff members about the steadily increasing numbers of software
and service providers who are telling their NERC entity customers they no
longer have the option of providing a totally on-premises solution. Those NERC
entities will soon face the choice (or have already faced it) between doing
without those software products and services, and being in violation of a slew
of CIP requirements if they don’t move away from them.
These staff members fear that within 2-3 years there may be
real damage to the reliability - and especially the security - of the Bulk Electric
System. This is because some important NERC entities will no longer be able to
utilize software and services (especially security services) that they depend
upon today to keep the lights on. I speculated there might need to be some sort
of “break glass” measure that would allow at least some NERC entities to utilize
the cloud for high and medium impact BES environments, while still allowing the
standards development process to proceed at its accustomed geologic pace (in
fact, I suggested
one such measure, which I think is still an option that needs to be
discussed. In fact, it will not break much glass at all).
However, it seems the Standards Committee has been hearing
about these problems from other sources as well, since last week there was an
unexpected announcement that Project
2023-09: Risk Management for Third-Party Cloud Services has been set up and
is now soliciting comments on the SAR. Of course, there’s a huge journey ahead,
but it’s nice to see that the first step is being taken earlier than originally
planned.
In October, I was invited to present for a monthly webinar (called
a Tech talk) presented by the RF NERC Region; I chose as my topic the question
of how I would rewrite the NERC CIP standards to “pave the road” to full use of
the cloud by NERC entities. Lew Folkerth of RF – a good friend who has made
regular appearances in this blog for almost ten years – interviewed me for the
webinar.
As the basis for the webinar, I put together a lengthy article
describing in some detail the changes I would make; I published it in this post
(I also published a PDF of the article, which I’ll be glad to provide to anyone
who emails me for it).
Of course, now that the standards drafting process is finally
starting, it’s more important than ever to get ideas on the table for what
the new standards should look like. The ideas in my article haven’t changed
hugely since I wrote it, but I would like to make them more accessible now by discussing
them in a set of short posts; this is the first of those posts. Since I’m sure
my ideas will evolve as the new Standards Drafting Team (SDT) meets and starts
having substantive discussions, this might be a series that goes on for years.
Something like this is needed since, unlike almost every
other NERC CIP standards drafting process since the CIP v1 drafting team
started meeting in 2006, this process is not driven by a FERC order. Even
though FERC staff members understand that the changes I’m hereby naming “Cloud
CIP” are sorely needed, and even though they are providing assistance when they
can, the drafting team doesn’t have an official FERC “blueprint” to follow. Instead,
it is up to the drafting team to figure out what it wants to be when it grows
up (the team hasn’t been constituted yet. If you work for a NERC entity, you
might consider getting nominated to the team. Having been an active observer of
several previous standards drafting efforts, I can promise it will take a lot
of your time, but I can also promise it will probably be one of the most
interesting efforts you’ve ever participated in).
I certainly can’t say I know exactly what is needed to solve
the problem of CIP in the cloud, but at least the posts I write will help
clarify people’s ideas. It’s almost impossible to get very far if you start
with a completely blank slate, which is essentially what the drafting team has
been presented with (the SAR rightfully doesn’t try to prescribe what the team
needs to do). It’s better to start from what later proves to be a dead end
position, than to start from no position at all.
My first topic in this series is an idea that I definitely
didn’t originate, but which I now realize is probably the key to a successful Cloud
CIP effort. This is an idea that the CIP Modifications drafting team learned the
hard way in 2018. I hope to describe that bit of history in another post soon,
but to summarize, that drafting team proposed a thoroughgoing change to CIP
that in retrospect was exactly what’s needed to fix the cloud problem (it was
actually intended to be a framework for integrating virtualization support into
the CIP standards). However, the SDT’s proposal was going to require that every
NERC entity throw away most of their existing CIP program (including documentation,
training, software, etc.) and start with a brand new one.
The new CIP program that the SDT outlined (which I discussed
in this
and two subsequent posts) would have rewritten many of the CIP requirements so they
were all risk-based. It was certainly the right overall approach, but a lot of big
utilities, who had millions of dollars invested in their existing CIP programs
and neither the budget nor the inclination to throw all of that away and start
over, made it clear they would never do that. The drafting team realized they’d
been beaten and dropped the whole idea.
I had been a big supporter of the drafting team’s ideas in
2018, but after they went down in flames, I decided there’s no fighting City
Hall; I stopped advocating for those changes. About once a year, I put out a post
stating that I saw no prospect for the cloud becoming completely “legal” for
NERC entities until the NERC community had a change of heart and decided that
the long term benefit of having CIP requirements that would allow full use of the
cloud was worth the short-term hassle of having to throw away their existing
processes and start over.
However, early last year a new SAR was developed that was
quite short on details but threw in one new concept which turned out to be the
key to making Cloud CIP a real possibility. This SAR (which developed into the
one that was adopted in December) raised the idea of two CIP “forks” for two
different groups.
One group is the set of NERC entities (which might even be
the majority, although I have no way to know if that’s the case now) that is
perfectly fine with the existing CIP standards, and more importantly doesn’t
want to make a radical change to what they’re doing now. They don’t particularly
care about making full use of something they don’t think they need anyway: use
of the cloud by medium and high impact BES Cyber Systems, Electronic Access
Control or Monitoring Systems (EACMS), etc. The other group is NERC entities
that are painfully aware of how much not being able to make full use of the cloud
is hurting both their organization’s bottom line and increasingly their levels
of reliability and security, as their most important vendors start to tell them
they are moving to the cloud – and by the way, will they join them there?
For the first group, the solution is simple: They can keep
doing exactly what they’re doing now. The CIP requirements they comply with won’t
change at all, except for changes already proceeding that have nothing to do
with the cloud. For the second group, the CIP changes will be big (including completely
risk-based requirements), but only for systems they wish to “outsource” to the
cloud – either by use of SaaS offerings or by actually transferring existing
on-premises systems to the cloud. For their on-premises systems, there will be
no change at all in the CIP requirements.
Does this two-track system sound like a big mess to you? I
thought that might be the case, but when I looked at how it could be
accomplished, I realized that in principle it’s not that hard. The principal changes
required are a) defining new types of assets with “Cloud” in the name (e.g., “Cloud
BES Cyber System”) and b) making some surprisingly minor changes to wording in
CIP-002 R1 and Attachment 1. Almost no changes are required in the other CIP
standards, since they will henceforth just apply to on-premises systems (i.e.,
what they apply to now). The requirements that apply to cloud systems will be
found in new CIP standards that apply only to cloud-based systems.[i]
There’s a reason why the changes to the existing CIP
standards to accommodate the two-track Cloud CIP system turn out to be so easy
to describe. That’s a subject for one of the next posts in this series. I’m
giving you something to look forward to.
Are you a vendor of cloud-based
services or software (or services or software you would like to be cloud-based,
were it not for problems like those discussed above), that would like to figure
out an appropriate strategy for the next few years, as well as beyond that? Or
are you a NERC entity that is struggling to understand what your current
options are regarding cloud-based software and services? Please drop me an
email so we can set up a time to discuss this!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] NERC
entities that choose to put systems in the cloud under Cloud CIP will still
need to follow the “classic” CIP standards for their on-premises systems.