I participated in the third of the four panels in NERC’s
successful Cloud Technical Conference on November 1. Two of the three questions
that all panel members were asked were:
- How does the shared responsibility model in cloud computing reshape the way utilities manage accountability for security and compliance, and what best practices can help clearly define these responsibilities between utilities and cloud service providers?
- How can utilities effectively manage and verify that cloud providers are fulfilling their security responsibilities, and what role do audits and third-party assessments play in this process?
Of course, these are both variations of the question, “How
will NERC entities assess their CSPs, once they are able to fully utilize their
services?” While I am satisfied with the separate answers I provided to these
two questions during the conference, I now realize it is much better to answer the
unified question.
First, I want to point out that in this post I’m treating
the term “cloud service provider” (CSP) to mean two types of organizations: “Platform”
CSPs like AWS, Azure and Google Cloud, and SaaS (“software-as-a-service”) providers,
meaning software providers that offer subscriptions for access to their
software in the cloud. Usually, I distinguish between the two, as I did in this post.
In the new or revised CIP standards that the NERC Project 2023-09 Risk Management for Third-Party Cloud
Services Standards Drafting Team will start drafting in 2025, I think the
CSPs should be assessed in two ways:
1. While the CSPs are not subject to the jurisdiction of either NERC or FERC directly, there needs to be an annual “audit” of the CSPs. It should be conducted by the NERC ERO; the CSPs will never agree to be audited by every NERC entity that is a customer. Kevin Perry, former Chief CIP Auditor for SPP Regional Entity, suggested the Regional auditors could conduct a joint audit (they perform these all the time).
   a. The audit will have two parts. First, there should be an assessment of the audit report from either the CSP’s ISO 27001 certification or their FedRAMP authorization. This assessment does not need to cover the entire report, but only certain topics that the current “cloud” Standards Drafting Team (i.e., the team that is meeting now) has decided should be a focus of the assessment. These might include topics such as background checks for personnel, incident response plan, internal network security monitoring (INSM), etc. The NERC assessors will look for adverse findings in any of these areas and note them.
   b. For the second part of the audit, the current SDT should identify cloud risks that are not addressed by the CSP’s authorizations or certifications. The NERC assessors will need to interview CSP personnel regarding the degree to which the CSP has mitigated each of these risks. They might include:
      i. Multitenant databases in SaaS products. This isn’t itself a risk, since a SaaS provider can never provide each customer with their own instance of the product without completely breaking their business model. On the other hand, NERC entities shouldn’t be sharing a database with organizations from Russia and Iran. The SDT will need to debate this issue and come up with reasonable measures that mitigate risk without putting the SaaS provider out of business.[i]
      ii. Whether the CSP is properly training their customers in how to manage the security controls for their own cloud environment.
      iii. How well the platform CSP vets third parties that broker access to services in their cloud.
   c. The ERO auditors will prepare a report on their assessment of each platform CSP and SaaS provider and make these available on request by NERC entities that are customers of those services, as well as to the CSP itself.
   d. NERC will not “certify” the CSPs. Their job is only to assess particular risks to which the CSP is subject, whether these risks are addressed in a certification or whether they are subject to the separate risk review described in item b above.
I want to point out that there is currently no provision in
the NERC Rules of Procedure for NERC to conduct assessments of third parties
that are not subject to NERC’s jurisdiction – which is the case with CSPs, of
course. If what I have just described is to come to pass, there will probably
need to be RoP changes; however, no Standards Drafting Team is currently empowered
to make those.
This is one of the many unknowns that will impact the likely
implementation date for the revised CIP Reliability Standards. In a recent post, I stated that I think the most likely date is Q2
of 2031; I also pointed out that if a change to the Rules of Procedure is required,
even that date might be too optimistic. Guess what? I now believe an RoP change
(or at least some sort of change to NERC rules, which the SDT has no authority
to change on their own) is required. Ergo, Q2 2031 is an optimistic estimate;
it would be safer to use a later one, although I have no idea what that would
be.
This gets me back to the conclusion of the post I just
linked: Asking NERC entities to wait until new or revised CIP standards are in
place to make full (and secure) use of the cloud isn’t workable. There are partial
measures that can be taken on an interim basis to enable at least some cloud
use by NERC entities with high or medium impact BES environments. I believe
it’s time to make some decisions on what needs to be done in say the next two years,
and how to do it.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] I can see this debate alone taking six months; I’m sure there are a few other topics that could be equally contentious. That is why I am now anticipating that new and/or revised CIP standards that address cloud issues won’t be in place until 2031.