There are several key components to the problem of NERC entities with high and/or
medium impact Bulk Electric System (BES) environments complying with the NERC CIP
Reliability Standards. By far the most important of those (and the most important
for the upcoming NERC “Risk Management for Third-Party Cloud Services” Standards
Drafting Team to address) is what I call the EACMS problem. It is so important
because a) it inhibits many NERC entities from using existing cloud-based security
monitoring services, and b) more and more on-premises security services are moving
exclusively to the cloud, thus becoming off-limits to many NERC entities.
Why is this the case? This is the problem in a nutshell:
1. EACMS stands for Electronic Access Control or Monitoring System. That is, any
system that monitors or controls access to a high or medium impact Electronic
Security Perimeter (ESP) or to high or medium impact BES Cyber Systems (BCS) is
ipso facto an EACMS. I italicized “or” because that is very significant. The
previous definition included “and”, meaning a system had to both monitor and
control access to be an EACMS. That definition applied to a much more limited set
of systems.
2. While there are lots of security monitoring systems that don’t “control” access
to an ESP or BCS, there probably aren’t many that don’t monitor access. After all,
knowing who’s knocking on your door to the internet, and especially knowing who
made it through, is probably the most important consideration for security
monitoring.
3. If a cloud-based system monitors access to a medium or high impact ESP, it’s an
EACMS. Therefore, it needs to be compliant with all the CIP Requirements and
Requirement Parts that apply to medium or high impact EACMS (of course, the terms
ESP and EACMS are only defined within medium or high impact environments).
4. While some of the CIP Requirements that apply to EACMS (e.g. the requirements of
CIP-008 and CIP-009) aren’t impossible to comply with in a cloud environment,
there are others, especially the requirements in CIP-006, for which strict
compliance is almost impossible in the cloud. For example, since the security
service’s EACMS must be within a Physical Security Perimeter (PSP) controlled by
the NERC entity, some auditors might interpret this to require that each NERC
entity (with high or medium impact BCS) that utilizes the service must authorize
entry for any CSP employee who has access to the systems on which the service is
implemented. Unless the systems are somehow segregated, with access controlled by
the entity, that will probably mean every employee who is allowed to enter a data
center containing one or more systems that implement the security service will
first need to be approved by the NERC entity. Of course, no CSP will ever allow
this to happen.
As I mentioned in the previous
post in this series, one way that a cloud-based security service provider
could get around this problem would be to create a separate instance of their
service just for NERC entities. They would then lock the servers on which that
instance is implemented in a separate room, with access controlled by the NERC
entity. Of course, this solution technically breaks the cloud model and raises
the CSP’s costs considerably. However, to retain their NERC CIP customers, the
CSP may decide to “eat” this cost temporarily, pending full resolution (through the standards drafting process) of the
problems with CIP compliance in the cloud.
So, how can a security service provider who wants to move to an entirely
cloud-based model remain “CIP compliant” after their move – i.e., how can they
avoid making their CIP customers non-compliant with most of the CIP requirements?
Other than the locked-room solution just described, the only way I know of today
is to change the nature of the service they offer, so that it doesn’t monitor
access to the ESP (or so that ESP access is still monitored locally). That is why
I say this is the biggest problem facing NERC entities with medium or high impact
BES environments that want to utilize cloud services today.
Are you a vendor of current or
future cloud-based services or software that would like to figure out an
appropriate strategy for the next few years, as well as beyond that? Or are you
a NERC entity that is struggling to understand what your current options are
regarding cloud-based software and services? Please drop me an email so we can
set up a time to discuss this!
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have
read here, I would love to hear from you. Please email me at tom@tomalrich.com.