I have heard NERC entities ask the question in the title at
least a few times regarding cloud service providers (note that I am using this
term broadly to include not just “Platform CSPs” but providers of cloud-based
services like SaaS and security monitoring services). My guess is they’re doing
this just to show they have a sense of humor, since the answer is very clear:
The entity that is responsible for compliance with any CIP requirement, whether
the systems in scope are deployed onsite, in a third party’s cloud, or both, is
the entity that is listed in Section 4.1 of each currently enforced CIP
standard. That section is titled “Functional Entities”.
Of course, you’ll note there is no Functional Entity called
“CSP”. The only entity responsible for CIP compliance is you, Mr./Ms. NERC
entity. Even if NERC decided tomorrow that CSPs need to comply with the CIP
Reliability Standards, NERC has no authority to enforce such a decision, since
its regulatory authority comes from FERC – and FERC has no authority over CSPs,
even if they happen to serve NERC entities (should the FDA have authority over
CSPs, just because the CSPs provide services to pharmaceutical manufacturers?).
However, saying that the CSP isn’t responsible for CIP compliance
is not the same as saying the CSP has no role to play in CIP compliance. If the
NERC entity entrusts workloads subject to CIP compliance considerations to a
CSP, often only the CSP will be able to provide the evidence required for the
NERC entity to prove compliance. But the NERC entity should never assume the CSP
knows what evidence they are on the hook to provide, or that they have
implicitly agreed to provide it. For the time being, the NERC entity should assume
it’s necessary to explain to the CSP exactly what evidence they will need and
when they will need it. This would ideally be done during contract
negotiations.
Recently, I wrote a post
stating there are only two types of workloads subject to CIP compliance that
can be safely trusted to the cloud today (meaning no compliance problems are
likely to arise from doing so): BCSI used by a SaaS application and low impact Control
Centers. I described in nausea-inducing detail what evidence should be required
for each, although I need to point out that your mileage may vary, since I certainly
don’t know what evidence your auditor will require.
I also pointed out that, unlike for medium or high impact
BCS, EACMS or PACS implemented in the cloud, a CSP should be able to provide this
evidence without a lot of trouble. But I didn’t point out that I sincerely
wonder what kind of response you’ll get when you ask your CSP to take these
special measures on your behalf.
Even though I combined both SaaS providers (those that
require access to BCSI) and platform CSPs under the “CSP” moniker at the
beginning of this post, I’ll break the two categories apart now:
First, I think SaaS providers
(who are providing evidence for CIP-004-7 Requirement 6 Part 6.1 compliance)
are likely to agree to provide evidence, for two reasons:
1. They’re a lot smaller than the platform CSPs, and
2. If they need to utilize BCSI, they’re obviously
focused on power industry customers; they at least know that entities subject
to NERC CIP compliance can make some strange requests for evidence. Rather than
waste time trying to convince the entity that they don’t need that evidence
(which is guaranteed to be a losing battle), they should just do what they’re
asked to do. Fortunately, if one entity asks for certain evidence, other
entities will as well, so the SaaS provider won’t have to provide different
documentation for each customer. It’s not like NERC entities will make outlandish
requests of their SaaS provider, unless they think it’s likely their auditors
will ask for that evidence.
However, platform CSPs (which
will presumably be required to provide evidence regarding low impact Control
Centers deployed on their platform) are a quite different story:
1. For one thing, they’re huge; it’s going to be very
difficult to get them to agree to do anything that’s not part of their normal
services.
2. For another… how can I say this? While I haven’t
surveyed the platform CSPs on this issue, my guess is they’re not very inclined
to bend over backwards for a small sliver – electric utilities and IPPs subject
to NERC CIP compliance – of a small industry, namely the electric power
industry. In other words, I don’t advise NERC entities to stomp on the floor
and scream bloody murder if you don’t succeed in getting the CSP to do what you’re
asking them to do. And certainly, don’t threaten to take your business elsewhere
– it’s likely to be counterproductive at best.
All this is to say that the chances of convincing a platform
CSP to provide compliance evidence for even a low impact Control Center (LICC)
in the cloud (and not much evidence is required in that case; I detailed what’s
required of an LICC in the post linked above) are very small. That is another
reason why deploying medium or high impact BCS, EACMS or PACS in the cloud now
is the stuff of fantasy.
The day will likely come when such systems can be safely
deployed in the cloud while maintaining CIP compliance, but that will be under
a different set of CIP standards - one in which cloud-based systems (perhaps
called “Cloud BCS”) are subject to their own requirements. That day is 5-6 years
away, although it’s good there’s now a Standards
Drafting Team that’s at least starting the process.
But that doesn’t mean you have to stay away from the cloud
altogether for six years. You can’t deploy medium or high impact systems in the
cloud, but you can certainly use SaaS to perform the functions of medium
or high impact systems. More on that topic is coming soon to a blog near you.
“CIP in the cloud” is one of the
most important issues facing the NERC CIP community; its importance is
increasing every day. If your organization is a NERC entity or a provider/potential
provider of software or cloud services to NERC entities, I would love to
discuss this topic with you. Please email me to set up a time for this.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have
read here, I would love to hear from you. Please email me at tom@tomalrich.com.