NERC’s 6-hour virtual Cloud Technical Conference on November 1 was quite successful. The conference included three panels of industry types (including me) discussing questions mostly posed to them in advance, followed by a discussion by members of the team that will draft changes to the CIP standards to address what I call the “CIP in the cloud” problem.
The discussions were very productive and produced some great insights. I took a lot of notes and will produce multiple posts on those insights in the coming month or so. However, I'm going to start off with a question that wasn't discussed in the conference, but was very much hanging over it: When will new or revised CIP standards be in place, so that full, but secure, use of the cloud by NERC entities with BES assets will finally be possible?
This isn’t an academic question at
all. As multiple panelists pointed out, previously on-premises software products
and security services are moving to the cloud all the time. In some cases, they
retain an on-premises option, with the caveat that the most innovative changes
will only go into the cloud. In other cases, the vendor is making a clean break
with on-premises systems, leaving NERC entities with high- or medium-impact BES
environments with no other choice than to find a totally on-premises replacement.
And as Peter Brown of Invenergy pointed out (in the conference as well as an
earlier webinar sponsored by the informal NERC Cloud Technology Advisory Group
and SANS, which I wrote about in this
post), those replacements are inevitably more expensive and offer less
functionality.
In January, I wrote a post
that examined this question. I concluded by saying:
So, if we get lucky and there are
no major glitches along this path, you can expect to be “allowed” to deploy
medium and high impact BCS, EACMS and PACS in the cloud by the end of 2029.
Mark your calendar!
Of course, the end of 2029 sounds like a long time to have to wait, especially with security services and software already abandoning their on-premises options. Do I still think the industry will have to wait five years for the cloud to be completely "legal"? I have good news, then bad news, and then some more good news for you:
· The first good news is I no longer think the end of 2029 is the likely date by which cloud-based systems and services for systems to which the CIP standards apply will be fully "legalized".
· The bad news is I think it will probably be later than 2029.
· However, the second good news is that, given how this problem is affecting more and more NERC entities all the time, it's unlikely there won't be at least a partial solution to this problem before 2029 – although don't ask me what form that solution will take. This is very much uncharted ground.
Here's a short summary of my timeline and the reasons for my changes:
1. I had thought the new Standards Drafting Team (SDT) would start their drafting work when they convened in July. However, it turns out they are now working on revising their Standards Authorization Request (SAR). They will finish that by the end of this year and will submit it to the NERC Standards Committee for approval. That approval is likely to be quickly granted, so the team will probably start drafting in January 2025, not last July as I had anticipated.
2. There are some huge issues that will need to be discussed when the SDT starts drafting. I attended a lot of the meetings of the CSO706 SDT that drafted CIP version 5. V5 completely rewrote the CIP standards and definitions that had been put in place with CIP version 1. Even though there were a lot of fundamental questions discussed in those meetings, I also know the SDT had a good idea of what they needed to do when they started drafting v5 in early 2011. Even then, developing the first draft took a year and a half (see the January post linked above). The "cloud" SDT might take that long or even longer to develop their first draft.
3. Once the SDT has their first draft, they will submit it to the NERC Ballot Body for approval. It's 100% certain it won't be fully approved on the first ballot. With each ballot, NERC entities can submit comments – which, of course, mainly discuss why the commenter didn't vote for the standard in question (each new or revised standard will be voted on separately). The drafting team needs to respond to every comment, although in practice they group similar comments and respond to them at one time. For just one of the CIP v5 ballots, 2,000 pages of comments were submitted.
4. It's close to certain that the new or revised standards will go through at least four ballots before they're approved, with three comment periods in between them. The balloting process alone took the CIP v5 SDT a year, and I assume the new SDT's experience will be roughly the same. Adding that to the estimate of 18 months to draft the first version of the new standards, we're at 2 ½ years, starting in January.
5. When the new or revised standards have been approved by the ballot body, they will go to the NERC Board of Trustees for approval at their next quarterly meeting; it's close to certain the BoT will approve them in one meeting. So, BoT approval requires 3 months, bringing us to two years and nine months for the process so far.
6. At that point, the standards go to FERC for approval. Even though individual FERC staff members have been quite supportive of the need for changes to accommodate cloud use (and two staff members spoke in the technical conference), the staff might very well not be in line with some of the actual changes that are proposed. Of course, the five FERC Commissioners are the ones who must approve those changes; they always take a lot of time to come to general agreement. I'll stick with my earlier estimate of one year for FERC to approve the new or revised standards, but it could well be longer than that. We're now at three years and nine months from next January, which is the third quarter of 2029.
7. However, FERC approval doesn't mean that NERC entities can rush off and start using the cloud. There will without doubt be an implementation period of more than one year; I'll say it will be 18 months[i], but even that may be a low estimate. This puts us at the first or second quarter of 2031, before the new or revised CIP standards are enforced.[ii]
Thus, instead of saying that the cloud will be completely "legal" for NERC entities by the end of 2029, I'm now saying this will happen by the second quarter of 2031, which is 6 ½ years from now. But that isn't all: In my January 2024 post, I pointed out that I thought it was possible that the changes required for the cloud will also require changes to the NERC Rules of Procedure; I now believe it's likely this step will be needed.
The SDT has no power to make RoP changes, and my guess is there might need to be a separate drafting team for those changes. Of course, this alone could add a couple more years to the whole process. Since I don't know what's involved, I won't change my estimate of Q2 2031 as the date when systems subject to NERC CIP compliance can be freely used in the cloud, subject to the controls in the CIP standards. But there's now a big asterisk beside that date.
If you’re like some NERC entities, as well as some members of the NERC ERO, you’ll probably look at my Q2 2031 date and say something like, “This is unacceptable! The NERC community can’t wait this long.” You would be right; this is unacceptable. This is why I’m sure that some measures will be taken long before that date to allow at least some cloud use cases for BES Cyber Systems, EACMS and PACS. However, I have no clear idea of what those measures will be, beyond my own wishful thinking.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] The CIP v5 standards were approved by FERC in November 2013, but were enforced on July 1, 2016. That was 2 ½ years after approval.
[ii] Since many NERC entities are eager to start using the cloud for OT systems, there will probably be accommodations for entities that wish to follow the new standards before the implementation period is finished. However, only a small number of NERC entities will be allowed to take advantage of those accommodations, and they will be closely monitored. This was done when CIP v5 had been approved by FERC in 2013. At that time, NERC established the Version 5 Technical Advisory Group (V5TAG), a small group of NERC entities that implemented the v5 standards before the enforcement date. They were closely monitored by NERC and documented their experiences.