At their monthly “Sunshine Meeting” on September 19, the Federal Energy Regulatory Commission (FERC) announced a Notice of Proposed Rulemaking (NOPR) that says they intend to approve CIP-015-1, the new NERC Reliability Standard for internal network security monitoring (INSM); they also announced there will be a two-month comment period before they are ready to issue their order approving the standard.
E&E News described this, and two other important FERC actions taken during the Sunshine Meeting, in this article (which is behind a paywall). The article quotes me regarding the NOPR:
The new standard “is needed because there's nothing in the [FERC] requirements now that deals with monitoring an internal network to catch intruders. It's all about preventing bad guys from penetrating the network in the first place,” said grid security consultant Tom Alrich.

“However, it's become painfully clear that nobody can count on keeping the bad guys out forever. Once in, they need to be detected as soon as possible, so they can be removed or at least prevented from causing damage,” Alrich added.
FERC’s NOPR wasn’t a surprise. In Order 887 of January 19, 2023, FERC ordered that NERC develop “requirements within the Critical Infrastructure Protection (CIP) Reliability Standards for internal network security monitoring (INSM) of all high impact BES Cyber Systems and medium impact BES Cyber Systems with External Routable Connectivity (ERC).”
The NERC Standards Drafting Team (SDT) that addressed Order 887 followed FERC’s instructions closely; the result was that FERC approved CIP-015-1 a little less than 4 months after final approval by the NERC Board of Trustees and submission to FERC. This is lightning fast in the NERC/FERC world.
What also wasn’t a surprise – since FERC does this very often when they approve a new or revised NERC CIP standard – was that FERC proposed to require that NERC add something to CIP-015-1. Specifically, they suggested they will direct NERC to expand the scope of CIP-015 to include high and medium impact Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS); the standard submitted to FERC includes only high and medium impact BES Cyber Systems (BCS), which were all that FERC asked for in Order 887.
As in all cases where FERC has done this, the amendment will not be made to the standard that FERC proposes to approve, namely CIP-015-1. Instead, CIP-015-1 will come into effect as it stands now, once FERC issues their order after the comment period ends. Then another Standards Drafting Team (which could be the same one that developed CIP-015-1) will draft and seek approval for version 2 of CIP-015, numbered CIP-015-2. FERC’s rationale for ordering this change is interesting. It is discussed on pages 14-20 of the NOPR.
There is another interesting aspect of this development, which is nowhere referenced in the NOPR (and since it’s not legally linked with the subject of the NOPR, I would have been surprised if FERC had mentioned it): It is very likely that many (or even most) services offered for INSM will be based in the cloud. And since they will probably provide what a CIP auditor might consider to be “access monitoring”, they may be judged to fall under the EACMS definition: “Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Devices.”
Given that INSM services (or more specifically, the cloud-based software that implements the services) may be considered EACMS, they would need to comply with the large number of current NERC CIP Requirements and Requirement Parts that list EACMS in their scope. As such, they would run into exactly the same problem that other medium and high impact BES Cyber Systems, EACMS and PACS run into when it comes to the question of implementing them in the cloud: Many of the CIP requirements that the provider would need to comply with would be close to impossible for any cloud service provider (CSP) to implement, unless they were willing to break their cloud business model – for example, by locking the physical assets containing a NERC entity’s BCS, EACMS and PACS in a single room, with access controlled by the entity (in order to comply with the requirements of CIP-006-6). Few if any CSPs will be willing to do this.
Ironically, this means that, if no other changes are made to the CIP standards (or perhaps to related documents like CMEP Practice Guides), NERC entities who wish to comply with CIP-015-1 once the three-year implementation period[i] finishes will have fewer compliance tools available to them than organizations not subject to NERC CIP compliance, since they might not be able to use cloud-based INSM services. This may result in higher costs, reduced functionality or both.
It might seem unlikely to you that the cloud/CIP problem, which is now under consideration by a new SDT, will still be unsolved 3 ½ years from now; in other words, you might expect that new or revised CIP standards approved by NERC and FERC will be in effect by then. However, I think it’s quite unlikely that those standards will be in place that soon. On the other hand, maybe the fact that CIP-015-1 compliance will be mandatory 3 ½ years from now will help move the process along.
Are you a vendor of current or future cloud-based services or software that would like to figure out an appropriate strategy for selling to customers subject to NERC CIP compliance? Or are you a NERC entity that is struggling to understand what your current options are regarding cloud-based software and services? Please drop me an email so we can set up a time to discuss this!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] The implementation period for a new or revised NERC standard always starts soon after FERC approves the standard, specifically, after the order is published in the Federal Record.