Until January 1, 2024, NERC entities with high and medium impact BES Cyber Systems were effectively “forbidden” to use software-as-a-service (SaaS) applications, if they required access to BES Cyber System Information (BCSI). This wasn’t because of an explicit prohibition in the CIP standards, but rather primarily because of the use of two words, “storage locations”, in previous versions of CIP-004. This problem was (theoretically) corrected when revised versions of two standards came into effect on January 1: CIP-004-7 and CIP-011-3.
The revisions (especially the addition of a new requirement, CIP-004-7 R6) officially fixed the problem, yet it seems that NERC entities didn’t get this message. Other than one popular SaaS application for configuration management (which was already being widely used by NERC entities in their OT environments for at least the last six years), it is safe to say there has been close to zero additional SaaS use due to the two revised requirements coming into effect.
The primary reason for this result seems clear: Neither NERC nor the Regional Entities have made available clear guidance on how both the NERC entity and the SaaS provider can provide evidence of the entity’s compliance with the new or revised requirements. This is especially true for CIP-004-7 Requirement R6 Part 6.1, which applies to BCSI utilized by the SaaS application. Today, neither NERC entities nor SaaS providers have received guidance (or official guidelines) on how they can show they have complied with the strict wording of Part 6.1.
Part 6.1 appears to require the SaaS provider to request permission from the NERC entity for any individual to decrypt BCSI, so it can be available for processing by the SaaS application (this is needed, since most SaaS applications can’t process encrypted data). Few if any SaaS providers would be willing to do that, considering a) they would need to request permission from each NERC entity individually, and b) the permission would have to be for a particular individual (meaning it can’t apply to all individuals that fulfill a particular role or a similar consideration).
These concerns seem to be overblown. They can probably be addressed if each NERC entity signs a “delegation agreement” with the SaaS provider. The agreement will delegate to the provider the authority to authorize individual staff members for “provisioned access” to the entity’s BCSI, as long as each staff member meets whatever criteria the entity has set in its CIP-011-3 R1 Information Protection Plan (IPP). This seems to be hinted at by a statement on page 13 of the document endorsed by NERC in December as Implementation Guidance for the two revised CIP standards.
However, clearly just a hint on one page of an 18-page document isn’t enough for most NERC entities; it was wishful thinking to believe that this alone would persuade them to put aside whatever doubts they had and plunge wholeheartedly into using SaaS applications that require BCSI access. It will require some NERC document that clearly addresses the problem, like a CMEP Practice Guide.
Moreover, it’s safe to assume that, pending final approval and implementation (within probably 5-6 years) of whatever new or revised CIP standards are developed by the new NERC “cloud CIP” Standards Drafting Team (SDT), any other clarifications that are needed on particular areas of cloud use will require a separate document, such as a CMEP Practice Guide. This includes the question of whether it’s fully “legal” to implement a low impact Control Center in the cloud; I said so in a recent post, but I got pushback from a respected former CIP auditor on my reasoning. As long as reasonable people may differ in their interpretations, it’s unlikely that many NERC entities will be willing to be the first kids on their block that venture into any area of cloud use that has previously been considered to be “off limits” to NERC entities.
This experience should teach the CIP community a good lesson: Some of us were thinking that NERC entities would rush to utilize the cloud whenever the door was even partially cracked open (as in the case of BCSI). However, it’s clear that NERC entities aren’t going to rush into the cloud until they’re sure they’re not running significant cybersecurity or CIP compliance risks. They’re going to require significant guidance and handholding.
Of course, there’s nothing wrong with that. If someone is a wild risk-taker, they shouldn’t be in the electric utility business, where the risks can easily involve human life.
Are you a vendor of current or future cloud-based services or software that would like to figure out an appropriate strategy for selling to customers subject to NERC CIP compliance? Or are you a NERC entity that is struggling to understand what your current options are regarding cloud-based software and services? Please drop me an email so we can set up a time to discuss this!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.