Today (August 16) marks the first virtual meeting of the Standards Drafting Team called “Project 2023-09 Risk Management for Third-Party Cloud Services”. This team will draft the changes to the NERC CIP standards (and perhaps the NERC Rules of Procedure as well) that are required to finally make full use of the cloud completely “legal” for all NERC entities subject to compliance with the CIP standards. I plan to attend that meeting (which is very unlikely to get into any details regarding what will be proposed), but here – for the record – are the changes that I think are most needed:
First, it’s vital that CIP compliance for on-premises
systems be as unaffected as possible by these changes. Of course, CIP for cloud
systems will have to be very different from the CIP standards that are in place
today, but if we try to create a single compliance program for both
environments, we will probably end up with a debacle like what
occurred in 2018, when a different SDT started down the road of radically
revising CIP for everybody and got slapped down hard for doing so.
I fully supported that team’s efforts, and I still believe
it’s necessary that all of CIP be “reformed” - although not today. However, the
pushback the 2018 team (which is still in operation today – CIP Modifications
SDT) received from the large IOUs (who understandably were reluctant to throw
out compliance programs in which they’d already invested millions of dollars) forced
the SDT to retreat. Let’s not repeat the 2018 experience. Been there, done
that, got the T-shirt.
Instead, this new effort needs to result in two “tiers” of
CIP compliance (as I discussed in this
post) - one almost exactly like the existing CIP standards and only applicable
to on-premises systems, and one that applies only to cloud-based systems.
Fortunately, the Standards Authorization Request (SAR) on which the group is
operating recommends this system, although the SDT is always allowed to do
something differently from what the SAR recommends.
Second, it’s vital that any new requirements for
cloud-based systems be risk-based, not prescriptive. Compliance with
prescriptive requirements like CIP-005 R1, CIP-007 R2, and CIP-010 R1 would
literally be impossible for systems based in the cloud. There are far too many
ways in which cloud systems can be implemented than could possibly be accounted
for in prescriptive requirements.
Third, and probably most important (as well as
hopefully most obvious), any requirements that apply to cloud-based systems cannot
be device-based. There is simply no way that a cloud service provider can keep
track of individual devices (whether physical or virtual or both) on which a
cloud-based system like a BES Cyber System is installed, especially since the
BCS (or more accurately, parts of the BCS) could be installed on different
devices, in different data centers, the next minute. The concepts of Cyber
Asset, BES Cyber Asset and Protected Cyber Asset have no place in the cloud;
the “cloud track” CIP requirements need to start with identification of BES
Cyber Systems, independently of the hardware or VMs on which they may be
installed at any particular moment.
Fourth, any requirements that apply only to cloud
systems need to take into account the fact that CSPs, given the slew of heavy
compliance regimes they need to follow all the time, have almost certainly
covered the basics of cybersecurity much better than any electric utility, no
matter how large, could ever do. Let’s not worry about whether Humongous CSP no.
1 has applied every O/S patch released in the last 35 days, or whether
Gargantuan CSP no. 2 is constantly verifying that only ports and services that
are required to be open in fact are open. Let’s assume that the FedRAMP and ISO
27001 auditors have taken care of those issues (although it’s important to at
least check the audit results made available to customers by the CSP).
Instead, how about asking these questions?
1.
Does the user database in a SaaS application
include users from every country and industry, as well as every security level
– an issue called multi-tenancy?
2.
Does the CSP adequately vet its third party
access brokers?
3.
Does the CSP take adequate steps to ensure its
customers understand how securing infrastructure in the cloud is different from
securing it on-premises?
My guess is none of these questions (or many others like
them) is even asked in a FedRAMP or ISO 27001 audit. These are questions that the
drafting team should focus on.
Fifth, it can’t be up to each NERC entity to judge the level of
security of a CSP. For one thing, the CSPs would never accept being “audited”
by every entity; for another, most entities are likely to do a very superficial
assessment of a CSP whose services they use, since they depend as much on the
CSP’s good graces as the CSP depends on theirs.
Instead, NERC – or a third party
engaged by NERC – needs to do an assessment of each platform CSP (and perhaps
larger SaaS providers as well), based on questions like the ones immediately
above, as well as inspection of their FedRAMP and/or ISO 27001 audit results
(and penetration tests, in the case of FedRAMP). They then need to share this
assessment with any NERC entity that asks to see it.
NERC’s assessment shouldn’t be
up-or-down; instead, it should simply describe the information the assessors
received from the CSP, including answers to questions and any audit results.
The NERC entities are all free to contract with anyone they want.
I am going to follow the SDT’s
deliberations as much as I have time for and will be posting on what I learn
(and other recommendations, I’m sure). Stay tuned!
Are you a vendor of current or
future cloud-based services or software that would like to figure out an
appropriate strategy for selling to customers subject to NERC CIP compliance? Or
are you a NERC entity that is struggling to understand what your current
options are regarding cloud-based software and services? Please drop me an
email so we can set up a time to discuss this!
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have
read here, I would love to hear from you. Please email me at tom@tomalrich.com.
No comments:
Post a Comment