Yesterday, SANS and the unofficial NERC Cloud Technical Advisory Group (CTAG) sponsored the second webinar in a series of six on use of the cloud by NERC entities subject to compliance with the CIP Reliability Standards. You can listen to the webinar here (and if you want to register for the next webinar, go here; you will have to sign up for each webinar separately, although you can “register” for a webinar even while it’s in progress).
One of the speakers was my longtime friend Peter Brown. He is with Invenergy, one of the largest renewable energy providers. He gave a good presentation on how they use the cloud today, and more broadly on how he sees the renewable energy industry using the cloud. He pointed out that many renewables providers only have low impact BES Cyber Systems. He said that made it easy for them, since there are no real limitations on deploying low impact systems in the cloud.
I used to say the same thing until earlier this week. Then I was looking through CIP-003-8 R1 and R2 (the substance of R2 is in Attachment 1, found later in the standard). There is a problem with these two requirements, which becomes apparent if you ask the question, “How will the entity provide compliance evidence for this requirement if some of their BES Cyber Systems are deployed in the cloud?”
Let’s start with R1.2, which requires that a NERC entity with low impact BCS develop policies for cyber security awareness, physical and electronic security controls, etc. Let’s say that for awareness, the entity develops a policy that reads roughly, “We will conduct multiple cybersecurity awareness activities for our staff, including emails, posters, and lunch ‘n’ learns every month.” Of course, they can provide lots of evidence that they have followed this policy.
But what about evidence for their CSP, if they have BCS in the cloud? Is the CSP bound to follow this policy for their own staff members? Of course, the CSP’s own awareness policy might well be stricter than the NERC entity’s policy, due in part to their need to comply with ISO 27001, FedRAMP, etc. But nowhere in the NERC CIP requirements or Rules of Procedure is there any mention of using compliance with another organization’s standards as evidence of compliance with NERC CIP requirements. In fact, there’s widespread agreement among NERC enforcement staff members that reliance on “the work of others” (meaning other auditing bodies) is not acceptable for determining NERC CIP compliance.
Let’s look at Section 3 of CIP-003-8 Requirement R2 Attachment 1. That requires the NERC entity with low impact BCS to “Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity for any communications…” that are between a BES Cyber System installed in the low impact asset and any system outside the asset (the section is scoped to communications using a routable protocol when entering or leaving the asset, and excludes communications used for time-sensitive protection or control functions between intelligent electronic devices). Of course, in most cases this means that the entity should deploy a firewall and make sure all open ports have a business justification. Again, this is something the cloud provider is without a doubt already doing for compliance with other standards, but there’s no way for the NERC entity to point to that fact as evidence that the CSP is in compliance with this section.
In fact, it seems that the only way the NERC entity with low impact BCS in the cloud can demonstrate compliance for the CSP is to get them to provide evidence that every physical or virtual system, in any data center, that happened to contain any part of any one of their BCS for even a few seconds during the 3-year audit period, is protected by a firewall that is properly maintained. Needless to say, that isn’t going to happen. If you ask the same question for the other parts of CIP-003-8 R1 and R2, you will find the same situation: there is no way for the NERC entity to provide compliance evidence on behalf of the CSP. Moreover, even if the CSP were willing to provide evidence themselves, in many cases it would be physically impossible.
Of course, this is very ironic, since if anything the CSP maintains a much higher level of security than any customer ever could – at least, as far as the requirements in CIP-003 are concerned.[i]
But as we all know, that fact alone means very little. The only thing that matters, when it comes to proving compliance with any NERC Requirement, is the wording of the requirements and the Rules of Procedure.
However, it will probably be 5-6 years before the changes to the CIP requirements (and most likely the NERC Rules of Procedure as well) are in place that will make use of the cloud completely acceptable for low, medium and high impact BES assets. Do we just need to be patient and wait that long for this problem (and the more serious problems that effectively prohibit most cloud use by medium and high impact BES environments) to be fixed?
There is general agreement among NERC, the Regional Entities (including the auditors), the NERC entities themselves, the CSPs and other vendors (and even FERC staff members, although they’ll never confirm this for you) that 5-6 years is too long to wait. More and more software and service providers (especially security service providers) are announcing that they will either move exclusively to the cloud in a couple of years, or at least freeze development of their on-premises version and develop new capabilities only for the cloud version from now on. There are already impacts to grid security due to this situation. They will only continue to grow, with the result that grid reliability may itself be affected – and “reliability” is NERC’s middle name!
Fortunately, the NERC CTAG is doing more than organizing webinars. We have recently formed a sub-group that is starting to draft at least two NERC CMEP Practice Guides (CMEP stands for Compliance Monitoring and Enforcement Program), one on BCSI use in the cloud and the other on the meaning of “access control and monitoring” in the definition of Electronic Access Control or Monitoring System (EACMS).[ii]
CMEP Practice Guides are intended to provide guidance to auditors regarding particular technical subjects; they aren’t meant to be interpretations of the NERC Reliability Standards. There are two auditor-focused NERC ERO committees that need to approve a CMEP Practice Guide, so it’s possible these could be approved in one year (this is just my guess).
I haven’t discussed this with the CTAG yet, but it seems like the issue with low impact systems in the cloud might also be addressed through the CMEP process, so maybe there’s some hope in this matter.
In any case, I don’t think any NERC entity with low impact BES Cyber Systems that are deployed or used in the cloud today should pull them out tomorrow because of what I’ve just written. There’s been no official NERC notification on this subject, and I doubt there will ever be a notification[iii] until the problem is fixed.
Are you a vendor of current or future cloud-based services or software that would like to figure out an appropriate strategy for selling to customers subject to NERC CIP compliance? Or are you a NERC entity that is struggling to understand what your current options are regarding cloud-based software and services? Please drop me an email so we can set up a time to discuss this!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] There are other areas of security in which the CSPs have work to do, for instance in vetting third parties who resell their cloud services. The new drafting team for cloud services should focus on those areas. I’m willing to stipulate that the CSPs are doing a good job of patch and configuration management, although there needs to be a way to document that fact without requiring a pointless “audit” of the CSP’s basic security practices.
[ii] A number of cloud-based security services are currently not available to medium and high impact NERC entities because auditors believe those services meet the EACMS definition. Even worse, some heavily used security monitoring services that are delivered on premises today have already announced, or will soon, that their regularly updated versions will be delivered exclusively from the cloud. In fact, some services that may be needed to provide internal network security monitoring for CIP-015 compliance (which will be due in 3-4 years; don’t panic yet) may also be out of reach for NERC entities because of the current interpretation of “access monitoring” in the EACMS definition.
[iii] You may be surprised to learn that notification in this blog doesn’t take the place of official NERC notification, despite the fact that NERC almost bought the blog on April 1, 2015.