Friday, July 5, 2024

NERC CIP and the cloud: There’s been support for the cloud much longer than I thought


I have been looking into some of my old blog posts recently, trying to trace the history of how the NERC CIP community at first considered use of the cloud to be extremely dangerous, but more recently has embraced it wholeheartedly – or at least, many members of the community have. It at first seemed to me that there had been strong opposition to the cloud until about 2021 or 2022, but things changed with the pandemic, when the benefits of the cloud became readily apparent to essentially the whole world.

This post from early 2017, in which I quoted a well-known NERC auditor, as well as Dave Norton of FERC (who’s kind of the “grand old man” of NERC CIP, as you’ll see from this post), made it clear that at that time, both NERC and FERC thought putting BES Cyber Systems in the cloud was far too risky to even try (although BES Cyber System Information – BCSI – in the cloud was another story; there was always support for making that fully “legal” under CIP).

However, in reading a post from December 2018 (which in retrospect said a lot of interesting things. I’ll return to it in another post or two), I came across this parenthetical expression: “(and by the way, at last December’s CIPC[i] meeting, both NERC and even a senior FERC staff member – as always, speaking for himself, not the Commissioners – indicated they don’t have fundamental objections to BCS in the cloud).”

In other words, at the December 2017 CIPC meeting, people from both NERC and FERC said they didn’t have a fundamental objection to BCS in the cloud. Of course, neither of those people was authorized to speak on behalf of the organization they worked for. Literally nobody can speak for NERC itself, while the only people who can speak on behalf of FERC are the five Commissioners, whose votes determine FERC’s policies – but each Commissioner speaks only for himself or herself, not for the Commission as a whole. And of course, the FERC person speaking at the CIPC meeting wasn’t a Commissioner.

However, it’s also true that neither of those people would have said what they did unless they thought their staff colleagues generally agreed with it. Thus, I was quite surprised to realize that in 2017, there was already support in NERC and FERC for BES Cyber Systems (and presumably EACMS – electronic access control and monitoring systems – and PACS – physical access control systems – as well) in the cloud.

Of course, it’s very hard to believe that the situation would have changed for the worse today – i.e., that people at FERC and NERC who supported the cloud seven years ago have now changed their minds and oppose it. It really shouldn’t be very hard to get consensus around making full use of the cloud “legal” today (although with regulatory safeguards, of course). Don’t you agree?

Are you a vendor of current or future cloud-based services or software that would like to figure out an appropriate strategy for selling to customers subject to NERC CIP compliance? Or are you a NERC entity that is struggling to understand what your current options are regarding cloud-based software and services? Please drop me an email so we can set up a time to discuss this!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


[i] Those of you who don’t remember the NERC CIPC – which stands for Critical Infrastructure Protection Committee – should know that it was a group of 100-150 cybersecurity professionals from across the NERC community, which met quarterly (and later three times a year) to discuss cybersecurity issues for the grid. Don’t be fooled by the title of the committee: its purpose was to discuss critical infrastructure protection, not the CIP standards. In fact, it predated the development of the CIP standards, which started in 2006.

The CIPC was abruptly discontinued, for reasons that were never clear to me, in around 2019. I really miss it and would love to see it reinstated, although with a virtual component now (remote attendance wasn’t allowed for that group, although I would think it might be possible were the group to be revived today).
