Friday, August 8, 2025

One of many good reasons to fix the cloud problem in NERC CIP
Note from Tom: As of August 11, all but a few of my new posts will only be available on Substack to paid subscribers. Subscriptions cost $30 per year (or $5 per month); anyone who can’t afford to pay that should email me, since I want everyone to be able to read the posts. To have uninterrupted access to my new posts, please open a paid Substack subscription or upgrade your free Substack subscription to a paid one. 

On Wednesday evening, Microsoft and CISA announced a “high-severity vulnerability” that affects on-premises versions of Exchange. The vulnerability also affects the Entra cloud-based authentication system.

I won’t discuss the details of the vulnerability, since they’re not important for this post. What is important is the fact that this high-severity vulnerability only affects the on-premises version of Exchange, not the cloud version (Exchange Online). Of course, since it’s on-premises, users have to a) see the patch availability notification, b) locate and download the patch, and c) apply the patch, to fix the vulnerability. None of these steps are hard, but since human beings miss emails or forget to follow up on them, leave on vacation without performing all 1,963 items on their to-do list, etc., it’s certain that some users won’t have the patch applied even a year from now.

This is a reminder of one of the biggest reasons for using the cloud (especially SaaS applications in the cloud): The CSP just needs to apply a patch once, for all their users to be protected. The users don’t necessarily need to be told about the patch, although they should be informed for peace of mind.

Of course, this is one of many reasons why it’s important that the “Cloud CIP” problem be solved as soon as possible, so that full use of the cloud will be possible for NERC entities with medium and high impact CIP environments. Fortunately, I think the solution is right around the corner in…2031.

What, you say it’s unacceptable that we need to wait so long for the solution? If it will make you feel better, I’ll point out that it’s possible that 1) the current Standards Drafting Team will produce their first draft of the new standards sometime next year, 2) that it will take just a year for the standards to be debated and balloted at least four times by the NERC ballot body (I believe this has historically been the minimum number of ballots required to pass any major change to the CIP standards), 3) that it will be approved in six months by FERC, and 4) that the ballot body will agree to a one-year implementation period.

If all of these things come to pass, and with a helping of good luck, the new and/or revised CIP standards will be in place in mid-2029. You might think even that is slow, but I can assure you it’s lightning-fast by NERC standards; it took five and a half years for the last major change to CIP – CIP version 5 – to go through these same steps. To be honest, I consider the above to be a wildly over-optimistic scenario. In fact, I think that, if the required processes are all followed, even the 2031 target may be over-optimistic.

What can be done to shorten this time period? There is an “In case of emergency, break glass” provision in the NERC Rules of Procedure that might be used to speed up the whole process. However, it would require a well-thought-out plan of action that will need to be approved by the NERC Board of Trustees. I doubt they’re even thinking about this now.

The important thing to remember here is that there are some influential NERC entities that not only swear they will never use the cloud (on either their IT or OT sides), but they also are opposed to use of the cloud by any NERC entity – even though they know they won’t be required to use the cloud themselves.

Another thing to remember: Unlike almost any other change in the CIP standards, FERC didn’t order this one. This means they might take a long time to approve the new standards (I believe it took FERC at least a year and a half to approve CIP version 1); it also means they might order a number of changes. These changes would be included in version 2 of the “Cloud CIP” standards, which would appear 2-3 years after approval of the version 1 standards. FERC could also remand the v1 standards and send NERC back to the drawing board. However, since one or two FERC staff members are closely monitoring the standards development process, that is unlikely.

The danger is that, if the standards development process is rushed and the standards are watered down to get the required supermajority approval by the NERC ballot body, what comes out in the end won’t address the real risks posed by use of the cloud by medium and high impact CIP environments. In fact, this is what happened with CIP-013-1: It didn’t address most of the major supply chain security risks for critical infrastructure. The fault in that case was FERC’s, since they gave NERC only one year to draft and approve the new standard – which was one of the first supply chain security standards outside of the military.

This is why FERC put out a new Notice of Proposed Rulemaking (NOPR) last fall. Essentially, it said, “We admit we should never have approved CIP-013-1 mostly as is. Now we intend to rectify that error.” The NOPR suggested a few changes, but its main purpose was to request suggestions for improving the standard by early December 2024. I thought that, once that deadline had passed, FERC would quickly come out with a new NOPR – or even an Order – that laid out what changes they want to see in CIP-013-3 (CIP-013-2 is the current version, although its only changes were adding EACMS and PACS to the scope of CIP-013-1). However, as my sixth grade teacher often said, “You thought wrong.” There’s been nary a peep from FERC on this topic since December. In my opinion, a revised CIP-013 is still very much needed.

So, I hope the current SDT doesn’t feel rushed to put out a first draft of the new or revised standard(s) they’re going to propose. Just like for on-premises systems, there are big risks for systems deployed in the cloud – and few of them are the same as risks that apply to on-premises systems. It’s those cloud-only risks that need to be addressed in the new standards. There’s more to be said about this topic, coming soon to a blog near you.

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com, or even better, sign up as a free subscriber to this blog’s Substack community chat and make your comment there.
