Wednesday, October 16, 2024

NERC CIP: What’s the difference between SaaS and BES Cyber Systems in the cloud?

My most recent post concluded with this paragraph:

But that doesn’t mean you have to stay away from the cloud altogether for six years. You can’t deploy medium or high impact systems in the cloud, but you can certainly use SaaS to perform the functions of medium or high impact systems. More on that topic is coming soon to a blog near you.

The post had already made it clear there’s no good way to deploy or utilize medium and high impact BES Cyber Systems (BCS), Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) in the cloud today. Why did I say you can use SaaS to perform the functions of those systems? Isn’t SaaS just software that the vendor has implemented in the cloud for other organizations to access? Why is that different from BCS in the cloud?

The difference is this: If a SCADA vendor implements their software in the cloud with the intention of serving multiple customers, none of the normal I/O that handles communications with substations and generating facilities will be implemented with it, because that I/O is always customer specific. This means the cloud implementation cannot adversely impact the BES within 15 minutes (the test in the BES Cyber Asset definition) or otherwise, so it is clearly not a BCS. It is SaaS, which is now “allowed” in the cloud.[i]

However, if the same vendor implemented their software in the cloud for a particular customer and implemented all the customer’s required I/O with it, that would be a BCS in the cloud. This isn’t currently “legal” for medium or high impact systems. Moreover, it will never be permitted until there is a major revision to the CIP standards (fortunately, this long process has at least started).

As I discussed in the previous post, there will still be a compliance obligation for the SCADA or EMS offered as SaaS, since some of the data it utilizes will be BES Cyber System Information (BCSI). This means that, while the obligation to comply falls entirely on the NERC entity, the SaaS provider will need to furnish appropriate compliance evidence, which I described in the previous post. The NERC entity must also account for the SaaS provider’s use of their BCSI in their CIP-011-3 R1 Information Protection Plan.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


[i] It isn’t likely that most (or even any) SCADA implementations for electric utilities would tolerate not having direct I/O to substations and/or generating stations. Those communications usually need to be as real-time as possible. On the other hand, a renewables Control Center (which manages multiple wind and/or solar installations) will not usually require real-time communications.
