Monday, March 3, 2025

NERC CIP in the cloud: Is there a difference between SaaS and BCS?
In the meetings of the informal NERC Cloud Technical Advisory Group (CTAG), we’re starting to discuss some of the fundamental questions that will arise when the CIP standards are revised to accommodate use of the cloud.

One important question we’ve discussed is, “What is the difference between SaaS and a BES Cyber System in the cloud?” The question matters because the compliance evidence currently required for medium and high impact BES Cyber Systems depends on tracking the individual physical and virtual devices on which the system runs, and platform CSPs cannot furnish that evidence for BCS hosted in the cloud. Those systems are therefore effectively “banned” from the cloud today. If a SaaS application had to be treated as if it were a BCS in the cloud, the same problem would prevent use of SaaS in high and medium impact CIP environments today.

Let’s rephrase the question above in a way that might help us find an answer. Suppose a SaaS product performs a function that a BES Cyber System might normally perform. Since systems that perform one or more of the BES Reliability Operating Services (BROS) are definitely BCS, let’s choose one of those services, say “Inter‐Entity Real‐Time Coordination and Communication” (for a list of the BROS, see pages 17-22 of CIP-002-5.1).

CIP-002-5.1 (page 22) states that this BROS “…includes activities, actions, and conditions established by policy, directive, or standard operating procedure…” Note that, while a SaaS product can certainly take the current situation into account and recommend a particular action, it cannot take that action itself, e.g., calling an adjacent Control Center and requesting that they make some adjustment. That action needs to be taken by someone (or some system) located in the Control Center. The person or system may be supported by information received from a SaaS product, but the SaaS product itself cannot take the action.

The same consideration applies to the other BROS: each requires a person or a system to perform some particular action, which means the person or system needs to be in a Control Center, control room, transmission substation, or some other physical location where those actions are normally performed. A Control Center employee cannot perform those actions while sitting in front of their home computer in their bedroom at night. If they did, their bedroom would need to be declared a Control Center and would need to comply with all the CIP requirements for physical and cyber security that apply to Control Centers. Therefore, since SaaS cannot fulfill a BROS, it cannot be a BES Cyber System.

On the other hand, SaaS products that perform services like configuration management or remote access authorization may need to utilize BES Cyber System Information (BCSI). If the SaaS were compromised and the BCSI were obtained by a malicious party, the information might be used to harm the Bulk Electric System (BES). Does that make the SaaS a BCS?

No, it doesn’t. In fact, if a NERC entity uses SaaS that requires BCSI access today, the entity needs to provide evidence that the SaaS provider followed the CIP requirements that refer to BCSI: CIP-004-7 R6, CIP-011-3 R1 and CIP-011-3 R2. However, the entity does not need to provide evidence for the 100+ CIP Requirements and Requirement Parts that would be in scope if the SaaS were in fact a BCS. Only if a system in the cloud could directly perform actions like causing a circuit breaker to open a line (which could be the case if the right wiring were in place) would the cloud system be a BCS; otherwise, it is SaaS.

Of course, the current CIP standards don’t make any reference to SaaS, since the compliance burden for the three BCSI requirements falls entirely on the NERC entity (although the entity will need some minimal evidence that only the SaaS provider can make available to them). However, when the standards are revised to accommodate use of the cloud, it’s likely they will distinguish SaaS providers from Platform CSPs, who could potentially host entire BES Cyber Systems (along with the connections they require to the outside world). As they do today, the SaaS providers will need to provide evidence to their NERC entity customers that they are adequately protecting the BCSI they utilize, but they will not need to provide all the evidence that an operator of a medium or high impact BCS in the cloud would need to provide.

If you are involved with NERC CIP compliance and would like to discuss issues related to “cloud CIP”, please email me at tom@tomalrich.com.
