Tuesday, October 15, 2024

NERC CIP: Who is responsible for compliance in the cloud?


I have heard NERC entities ask the question in the title at least a few times regarding cloud service providers (note that I am using this term broadly to include not just “Platform CSPs” but providers of cloud-based services like SaaS and security monitoring services). My guess is they’re doing this just to show they have a sense of humor, since the answer is very clear: The entity that is responsible for compliance with any CIP requirement, whether the systems in scope are deployed onsite, in a third party’s cloud, or both, is the entity that is listed in Section 4.1 of each currently enforced CIP standard. That section is titled “Functional Entities”.

Of course, you’ll note there is no Functional Entity called “CSP”. The only entity responsible for CIP compliance is you, Mr./Ms. NERC entity. Even if NERC decided tomorrow that CSPs need to comply with the CIP Reliability Standards, NERC has no authority to enforce such a decision, since its regulatory authority comes from FERC – and FERC has no authority over CSPs, even if they happen to serve NERC entities (should the FDA have authority over CSPs, just because the CSPs provide services to pharmaceutical manufacturers?).

However, saying that the CSP isn’t responsible for CIP compliance is not the same as saying the CSP has no role to play in CIP compliance. If the NERC entity entrusts workloads subject to CIP compliance considerations to a CSP, often only the CSP will be able to provide the evidence required for the NERC entity to prove compliance. But the NERC entity should never assume the CSP knows what evidence they are on the hook to provide, or that they have implicitly agreed to provide it. For the time being, the NERC entity should assume it’s necessary to explain to the CSP exactly what evidence they will need and when they will need it. This would ideally be done during contract negotiations.

Recently, I wrote a post stating there are only two types of workloads subject to CIP compliance that can be safely trusted to the cloud today (meaning no compliance problems are likely to arise from doing so): BCSI used by a SaaS application and low impact Control Centers. I described in nausea-inducing detail what evidence should be required for each, although I need to point out that your mileage may vary, since I certainly don’t know what evidence your auditor will require.

I also pointed out that, unlike for medium or high impact BCS, EACMS or PACS implemented in the cloud, a CSP should be able to provide this evidence without a lot of trouble. But I didn’t point out that I sincerely wonder what kind of response you’ll get when you ask your CSP to take these special measures on your behalf.

Even though I combined both SaaS providers (those that require access to BCSI) and platform CSPs under the “CSP” moniker at the beginning of this post, I’ll break the two categories apart now:

First, I think SaaS providers (who are providing evidence for CIP-004-7 Requirement 6 Part 6.1 compliance) are likely to agree to provide evidence, for two reasons:

1.      They’re a lot smaller than the platform CSPs, and

2.      If they need to utilize BCSI, they’re obviously focused on power industry customers; they at least know that entities subject to NERC CIP compliance can make some strange requests for evidence. Rather than waste time trying to convince the entity that they don’t need that evidence (which is guaranteed to be a losing battle), they should just do what they’re asked to do. Fortunately, if one entity asks for certain evidence, other entities will as well, so the SaaS provider won’t have to provide different documentation for each customer. It’s not like NERC entities will make outlandish requests on their SaaS provider, unless they think it’s likely their auditors will ask for that evidence.

However, platform CSPs (which will presumably be required to provide evidence regarding low impact Control Centers deployed on their platform) are a quite different story:

1.      For one thing, they’re huge; it’s going to be very difficult to get them to agree to do anything that’s not part of their normal services.

2.      For another…how can I say this?...While I haven’t surveyed the platform CSPs on this issue, my guess is they’re not very inclined to bend over backwards for a small sliver - electric utilities and IPPs subject to NERC CIP compliance – of a small industry, namely the electric power industry. In other words, I don’t advise NERC entities to stomp on the floor and scream bloody murder if you don’t succeed in getting the CSP to do what you’re asking them to do. And certainly, don’t threaten to take your business elsewhere – it’s likely to be counterproductive at best.

All this is to say that the chances of convincing a platform CSP to provide compliance evidence for even a low impact Control Center (LICC) in the cloud (and not much evidence is required in that case. I detailed what’s required of an LICC in the post linked above) are very small. Which is another reason why deploying medium or high impact BCS, EACMS or PACS in the cloud now is the stuff of fantasy.

The day will likely come when such systems can be safely deployed in the cloud while maintaining CIP compliance, but that will be under a different set of CIP standards - one in which cloud-based systems (perhaps called “Cloud BCS”) are subject to their own requirements. That day is 5-6 years away, although it’s good there’s now a Standards Drafting Team that’s at least starting the process.

But that doesn’t mean you have to stay away from the cloud altogether for six years. You can’t deploy medium or high impact systems in the cloud, but you can certainly use SaaS to perform the functions of medium or high impact systems. More on that topic is coming soon to a blog near you.

“CIP in the cloud” is one of the most important issues facing the NERC CIP community; its importance is increasing every day. If your organization is a NERC entity or a provider/potential provider of software or cloud services to NERC entities, I would love to discuss this topic with you. Please email me to set up a time for this.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

No comments:

Post a Comment