Last Friday, the Project
2023-09 Risk Management for Third-Party Cloud Services Standards Drafting Team
(SDT) held their first meeting. It’s an excellent and very experienced team (for
example, one member has served on a CIP SDT since 2008 – and has contributed a
huge amount to the CIP standards in that time); I’m looking forward to
attending as many meetings as possible.
However, I realized early in the meeting that the team’s
current focus is entirely on the Standards Authorization Request (SAR), which
serves as the “statement of work” for the project. Like all NERC SARs, this one
was first approved
by the NERC Standards Committee in December. In some cases, an SDT is allowed
to utilize that version of the SAR unchanged, but in other cases (don’t ask me
why) the SDT is required, or at least allowed, to make modifications to that
version. Whatever the reason, this SDT is going to spend the rest of this year
revising their SAR.
I’m not objecting to the SDT revising their SAR, since, even
if the team had started to develop new standard(s) right away, they would have
needed first to conduct the same sort of fundamental discussions that started
on Friday. In Through the Looking-Glass, Alice asks the Cheshire Cat,
“Would you tell me, please, which way I ought to go from here?” The
Cat replies, “That depends a good deal on where you want to get to.”[i]
The SDT knows they’ll never get anywhere unless they first decide where they’re
going. The revised SAR will document that decision.
But I also understand that the road ahead for this team is a
loooong one. In fact, in this
post in January, I estimated that the elapsed time between when the SDT will
start developing a new standard and when that standard (plus any required
changes to the NERC Rules of Procedure, which also may be needed in this case)
would come into effect would be 5 ½
years. Specifically, if the SDT started work on a new standard or standards on
July 1, 2024 (as I estimated when I wrote the post), NERC entities could expect
compliance with those standards to be mandatory by the end of 2029.
What surprised me on Friday was the SDT’s proposed timeline:
It starts with the first meeting and ends in mid-December, when the SDT will turn
over their revised SAR to the Standards Committee. What will happen to the
revised SAR after the SC gets it? They will probably approve it, which shouldn’t
take very long.
However, I’m told that the next step will be for the SAR to
be put through the NERC balloting process – the same process that the standards
themselves will go through once they’re developed. That process almost always
requires multiple ballots by NERC members, as well as comment periods in
between the ballots. It's safe to say this step alone will require six months.
Only when the SAR has gone through that process will the drafting team be able
to get to work on drafting whatever new or revised standards are required.
I was quite disappointed when I heard this, since the
SAR balloting alone will probably add six months to the timeline for the new CIP
standards to come into effect. And because I wasn’t expecting that revisions to
the SAR would take four months, the two changes add almost a full year to the
whole process. Therefore, my new estimate of when the “cloud CIP” standards
will become effective is around the end of 2030, or almost 6 ½ years from now.
However, as I pointed out in the January post (and have
pointed out in other posts since then), the NERC CIP community can’t wait much
longer to be able to make full use of the cloud. This is because more and more
software and security service providers are announcing they will soon move
exclusively to the cloud, or that they will henceforth make improvements to
their product available in the cloud first and only later (or sometimes never)
in the on-premises version.
In fact, in the SANS/CTAG webinar today – which you can
watch here
soon – Ruston Johnson of Splunk showed a chart indicating that updates to their
on-premises product will occur more slowly than updates to the cloud product (although
he emphasized that they have no plans to discontinue their on-premises product,
which evidently had been rumored). Both the security and the reliability of the
grid will soon be impacted by this trend, although security has already been
impacted by it for years[ii].
So what’s Plan B? In April, I described this
possible “shortcut” to full cloud usage, based on a reasonable interpretation
of the wording of CIP-013-2 Requirement R1 Part R1.1. This seems even more
reasonable to me now, given that I don’t know of any good option other than the
“nuclear” one allowed by the NERC Rules of Procedure. That option requires the
NERC Board of Trustees essentially to declare a “compliance emergency”[iii].
This would be a last resort and in any case is currently out of the question,
since there’s not even discussion of it yet.
As far as I can see, my shortcut doesn’t contradict anything
in CIP-013 or any other current CIP standard. However, I admit that NERC
entities aren’t likely to try this option, unless there’s a statement by some
body within NERC that this is a reasonable interpretation of the wording of
CIP-013-2 R1.1. I think it’s time to at least look at this more seriously. Six
and a half years is a long time to wait for something that’s essential!
Are you a vendor of current or
future cloud-based services or software that would like to figure out an
appropriate strategy for selling to customers subject to NERC CIP compliance? Or
are you a NERC entity that is struggling to understand what your current
options are regarding cloud-based software and services? Please drop me an
email so we can set up a time to discuss this!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] Alice
then says, "I don't much care where" and the Cat responds, "Then
it doesn't much matter which way you go". It’s hard to argue with
that logic!
[ii] I
say this because some of the most important security monitoring services are
exclusively cloud-based, meaning that, at least since CIP version 5 came into
effect in 2016, NERC entities with high or medium impact BES Cyber Systems have
not been able to use those services.
[iii] I’m
greatly simplifying what this option involves, and “compliance emergency” is my
term. The point is that this measure is drastic. It shouldn’t be the first
choice for solving this problem.