As I’ve mentioned before, the informal NERC Cloud Technical
Advisory Group (CTAG) and SANS are currently sponsoring a series of six
webinars (which will probably be extended by one or two) collectively titled “Cloud
Services and CIP Standards – Opportunities and Challenges”; all the webinars
are being recorded and posted on the SANS website. The second
of those webinars occurred more than two weeks ago. It might end up being
my favorite of the six, even though only three have taken place so far. Note
that the last three webinars in the list I posted
on July 3 have been postponed by a few weeks, but the new dates aren’t certain
yet. A seventh webinar will also be added. Once I know the details of these, I’ll
post them.
The reason I liked the second webinar so much is that it was
focused on the needs of end users. The two presenters very carefully explained why
it’s important that the NERC CIP standards be revised as soon as possible, to
permit NERC entities with medium and high impact environments to take full
advantage of the cloud. Both presenters – Peter Brown of Invenergy and Luke Oman of Midcontinent ISO – were able to
articulate clearly how the current restrictions on cloud use by NERC entities
with medium and/or high impact BES Cyber Systems are complicating life for
entities like them. They agreed that these complications are literally making
the grid less safe, not more so.
Here are some notes I took on their presentations, although
I strongly recommend you listen to the full recording. Peter and Luke’s
comments are in roman script, while mine are in italics. None of the quotations
are verbatim unless set off with quote marks.
Peter Brown
·
One ironic result of the CIP cloud restrictions
is that low impact BES systems can use advanced security services in the cloud
like EDR. Meanwhile, medium and high impact BES systems, especially in Control
Centers, are restricted to using older A/V software, because that is what’s
available for on-premises use.
·
Another ironic result is that OT systems that
can’t be implemented in the cloud get “left behind” when it comes to getting
access to new services, etc. By this, Peter meant that in many IT
departments, the focus is on moving to the cloud. This means that staff members
naturally want to focus on what they need to know to advance their careers,
which of course means the cloud. OT gets left behind in the “hearts and minds”
of IT.
·
One problem that is sure to come up, once new
CIP standard(s) are developed to fix the “cloud problem” is that NERC entities
will be slow to adopt them, since almost nobody wants to be the pioneer.
·
Tom’s note: This problem can probably be mitigated
by putting in place the equivalent of the V5TAG, short for CIP Version 5
Technical Advisory Group. The V5TAG was a group of NERC entities – observed by NERC
ERO staff and others – who pioneered use of the CIP version 5 standards in 2015
and 2016 with no risk of penalties for non-compliance (CIP v5 was a complete
rewrite of the CIP standards and definitions, which is why there was a lot of
concern about having a smooth transition). The V5TAG was created after FERC had
approved the v5 standards, but before they became enforceable.
·
A good example of slow adoption is CIP-004-7 and
CIP-011-3, the revised standards that came into effect on January 1 of this
year. They were drafted to finally make use of BCSI “legal” in the cloud. However,
very few NERC entities are taking advantage of them now.
·
Peter attributes this to the lack of good compliance
guidance. The only guidance on CIP-004-7 and CIP-011-3 at all is the already-existing
document that was unexpectedly approved by NERC as “implementation guidance” at
the end of 2023. I’ve heard there are already calls to create something better
than that; I agree with them. In fact, there needs to be a whole education
program on BCSI in the cloud; this needs to be combined with education on SaaS
that utilizes BCSI. The lack of SaaS/BCSI guidance has meant that, other than
one SaaS configuration management product that was already in use by a number
of NERC entities six years ago, I know of no other use of SaaS with BCSI today.
·
Another reason why NERC entities probably won’t rush
to comply with the cloud CIP standards is that early adoption of a new or
revised standard requires a big effort. Peter said, “Without helpful
information from peers, guidance from the ERO, and being able to learn from
others’ audit experience, extra research and time to analyze the guesswork
options are required.”
·
A cloud provider can do patching better, and
much more efficiently, than any NERC entity by itself.
Luke Oman
·
It seems that the “best of breed” software and
security service providers are moving to the cloud. This is especially true for
services that perform EACMS (Electronic Access Control or Monitoring) functions,
including multifactor authentication and external security monitoring. However,
if a cloud-based service performs EACMS functions for NERC CIP high and/or
medium impact BES environments (even if those services only form a small
portion of the services performed, and even if the NERC entity doesn’t need
them), the NERC entity customers will probably be in violation of 100 or more
CIP requirements (including those for protecting an ESP and a PSP). This is because
the SaaS provider (or CSP) could never furnish the required compliance
documentation for them.
·
Most of all, MISO wants to have options for the
software and services they use. As software and service providers move to a
cloud-only model, they are losing those options. When they’re constrained to
just one or two providers of an on-premises solution, they will likely face
higher prices, as well as lower service and functionality levels.
· Configuration management and physical access control can be performed both better and more efficiently by the CSP.
Are you a vendor of current or
future cloud-based services or software that would like to figure out an
appropriate strategy for selling to customers subject to NERC CIP compliance? Or
are you a NERC entity that is struggling to understand what your current
options are regarding cloud-based software and services? Please drop me an
email so we can set up a time to discuss this!
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have
read here, I would love to hear from you. Please email me at tom@tomalrich.com.