Thursday, August 8, 2024

NERC CIP and the cloud: Are lows “legal”?

Yesterday, SANS and the unofficial NERC Cloud Technical Advisory Group (CTAG) sponsored the second webinar of a series of six on use of the cloud by NERC entities subject to compliance with the CIP Reliability Standards. You can listen to the webinar here (and if you want to register for the next webinar, go here. You will have to sign up for each webinar separately, although you can “register” for the webinar even while it’s in progress).

One of the speakers was my longtime friend Peter Brown. He is with Invenergy, one of the largest renewable energy providers. He gave a good presentation on how they use the cloud today, and more broadly on how he sees the renewable energy industry using the cloud. He pointed out that many renewables providers only have low impact BES Cyber Systems. He said that made it easy for them, since there are no real limitations on deploying low impact systems in the cloud.

I used to say the same thing until earlier this week. Then, I was looking through CIP-003-8 R1 and R2 (the substance of R2 is in Attachment 1, found later in the standard). There is a problem with these two requirements, which becomes apparent if you ask the question, “How will the entity provide compliance evidence for this requirement if some of their BES Cyber Systems are deployed in the cloud?”

Let’s start with R1.2, which requires that a NERC entity with low impact BCS develop policies for cyber security awareness, physical and electronic security controls, etc. Let’s say that for awareness, the entity develops a policy that reads roughly, “We will conduct multiple cybersecurity awareness activities for our staff, including emails, posters, and lunch ‘n’ learns every month.” Of course, they can provide lots of evidence that they have followed this policy.

But what about evidence for their CSP, if they have BCS in the cloud? Is the CSP bound to follow this policy for their own staff members? Of course, their own awareness policy might well be stricter than the NERC entity’s policy, due in part to their need to comply with ISO 27001, FedRAMP, etc. But nowhere in the NERC CIP requirements or Rules of Procedure is there any mention of utilizing compliance with another organization’s standards as evidence of compliance with NERC CIP requirements. In fact, there’s widespread agreement among NERC enforcement staff members that reliance on “the work of others” (meaning other auditing bodies) is not acceptable for determining NERC CIP compliance.

Let’s look at Section 3 of CIP-003-8 Requirement R2 Attachment 1. That requires the NERC entity with low impact BCS to “Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity for any communications…” that are between a BES Cyber System installed in the low impact asset and any system outside the asset. Of course, in most cases this means that the entity should deploy a firewall and make sure all open ports have a business justification. Again, this is something the cloud provider is without a doubt already doing for compliance with other standards, but there’s no way for the NERC entity to point to that fact as evidence that the CSP is in compliance with this section.

In fact, it seems that the only way the NERC entity with low impact BCS in the cloud can demonstrate compliance for the CSP is to get them to provide evidence that every physical or virtual system, in any data center, that happened to contain any part of any one of their BCS for even a few seconds during the 3-year audit period, is protected by a firewall that is properly maintained. Needless to say, that isn’t going to happen. If you ask the same question for the other parts of CIP-003-8 R1 and R2, you will find the same situation: there is no way for the NERC entity to provide compliance evidence on behalf of the CSP. Moreover, even if the CSP were willing to provide evidence themselves, in many cases it would be physically impossible.

Of course, this is very ironic, since if anything the CSP maintains a much higher level of security than any customer ever could – at least, as far as the requirements in CIP-003 are concerned.[i] But as we all know, that fact alone means very little. The only thing that matters, when it comes to proving compliance with any NERC Requirement, is the wording of the requirements and the Rules of Procedure.

However, it will probably be 5-6 years before the changes to the CIP requirements (and most likely the NERC Rules of Procedure as well) are in place that will make use of the cloud completely acceptable for low, medium and high impact BES assets. Do we just need to be patient and wait that long for this problem (and the more serious problems that effectively prohibit most cloud use by medium and high impact BES environments) to be fixed?

There is general agreement among NERC, the Regional Entities (including the auditors), the NERC entities themselves, the CSPs and other vendors (and even FERC staff members, although they’ll never confirm this for you) that 5-6 years is too long to wait. More and more software and service providers (especially security service providers) are announcing that they will either move exclusively to the cloud in a couple of years, or at least they will freeze development of their on-premises version and just develop new capabilities for the cloud version from now on. There are already impacts to grid security due to this situation. They will only continue to grow, with the result that grid reliability may itself be affected – and “reliability” is NERC’s middle name!

Fortunately, the NERC CTAG is doing more than organizing webinars. We have recently formed a sub-group that is starting to draft at least two NERC CMEP Practice Guides (CMEP stands for Compliance and Monitoring Enforcement Program), one on BCSI use in the cloud and the other on the meaning of “access control and monitoring” in the definition of Electronic Access Control or Monitoring System (EACMS).[ii] CMEP Practice Guides are intended to provide guidance to auditors regarding particular technical subjects; they aren’t meant to be interpretations of the NERC Reliability Standards. There are two auditor-focused NERC ERO committees that need to approve a CMEP Practice Guide, so it’s possible these could be approved in one year (this is just my guess).

I haven’t discussed this with the CTAG yet, but it seems like the issue with low impact systems in the cloud might also be addressed through the CMEP process, so maybe there’s some hope in this matter.

In any case, I don’t think any NERC entity with low impact BES Cyber Systems that are deployed or used in the cloud today should pull them out tomorrow because of what I’ve just written. There’s been no official NERC notification on this subject, and I doubt there will ever be a notification[iii], until the problem is fixed.

Are you a vendor of current or future cloud-based services or software that would like to figure out an appropriate strategy for selling to customers subject to NERC CIP compliance? Or are you a NERC entity that is struggling to understand what your current options are regarding cloud-based software and services? Please drop me an email so we can set up a time to discuss this!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


[i] There are other areas of security in which the CSPs have work to do, for instance in vetting third parties who resell their cloud services. The new drafting team for cloud services should focus on those areas. I’m willing to stipulate that the CSPs are doing a good job of patch and configuration management, although there needs to be a way to document that fact without requiring a pointless “audit” of the CSP’s basic security practices.

[ii] A number of cloud-based security services are currently not available to medium and high impact NERC entities because auditors believe those services meet the EACMS definition. Even worse, some heavily used security monitoring services that are delivered on-premises today have already announced, or will soon, that their regularly updated versions will be delivered exclusively from the cloud. In fact, some services that may be needed to provide internal network security monitoring for CIP-015 compliance (which will be due in 3-4 years; don’t panic yet) may also be out of reach for NERC entities because of the current interpretation of “access monitoring” in the EACMS definition.

[iii] You may be surprised to learn that notification in this blog doesn’t take the place of official NERC notification, despite the fact that NERC almost bought the blog on April 1, 2015.
