My most recent post concluded with this paragraph:
But that doesn’t mean you have to
stay away from the cloud altogether for six years. You can’t deploy medium or
high impact systems in the cloud, but you can certainly use SaaS to perform
the functions of medium or high impact systems. More on that
topic is coming soon to a blog near you.
The post had already made it clear
there’s no good way to deploy or utilize medium and high impact BES Cyber Systems
(BCS), Electronic Access Control or Monitoring Systems (EACMS) and Physical
Access Control Systems (PACS) in the cloud today. Why did I say you can use
SaaS to perform the functions of those systems? Isn’t SaaS just software that the
vendor has implemented in the cloud for other organizations to access? Why is
that different from BCS in the cloud?
The difference is this: If a SCADA
vendor implements their software in the cloud with the intention of having multiple
users, none of the normal I/O that handles communications with substations and
generating facilities will be implemented with it; this is because the I/O is
always customer specific. This means the cloud implementation will not have an
impact on the BES in 15 minutes or otherwise, so it will clearly not be a BCS.
It will be SaaS, which is now “allowed” in the cloud.[i]
However, if the same vendor
implemented their software in the cloud for a particular customer and
implemented all the customer’s required I/O with it, that would be a BCS in the
cloud. This isn’t currently “legal” for medium or high impact systems. Moreover,
it will never be permitted until there is a major revision to the CIP standards
(fortunately, this long process has at least started).
As I discussed in the previous
post, there will still be a compliance obligation for the EMS-as-SaaS, since some
of the data it utilizes will be BCSI. This means that, while the obligation to
comply will fall entirely on the NERC entity, the SaaS provider will need to
provide appropriate compliance evidence, which I described in the previous post.
The NERC entity must also take account of the SaaS provider’s use of their BCSI
in their CIP-011-3 R1 Information Protection Plan.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] It
isn’t likely that most (or even any) SCADA implementations for electric utilities
would tolerate not having direct I/O to substations and/or generating stations.
Those communications usually need to be as real-time as possible. On the other
hand, a renewables Control Center (which manages multiple wind and/or solar installations)
will not usually require real-time communications.
No comments:
Post a Comment