Note from Tom:
I have moved to Substack as my primary
blog platform. If you want to see all my new posts, as well as my 1200+ legacy
posts starting in 2013, please support me by becoming a paid subscriber to my
Substack blog. The cost is $30 a year. Thanks!
If you’re interested in the NERC CIP “cloud problem”, you
may know that I’ve been pointing out for a while that:
1. Use of BCSI (BES Cyber System Information) in the cloud has been “legal” since two revised NERC standards, CIP-004-7 and CIP-011-3, came into effect on January 1, 2024. The main reason why this is important is that, before that date, NERC entities with high and/or medium impact BES environments couldn’t officially use SaaS (i.e. cloud-based software) products that require BCSI access.
2. However, since that date, very few (if any) new SaaS products that use BCSI have been introduced, probably because few NERC entities today feel they understand the new and revised BCSI requirements well enough to comply with them.
3. NERC entities especially need to understand what compliance documentation their SaaS provider will need to give them, since few if any SaaS providers to the power industry today even know they have a role to play in complying with the two revised standards.
Unfortunately, neither NERC nor any of the Regions (to my knowledge) had stepped up to fill this understanding gap using webinars or other means until last week, when NERC announced a webinar on the topic to be held on September 29; signup is here.
NERC’s description of the webinar is:
The ERO Enterprise will conduct a webinar on September 29,
2025 at 1:00 p.m. Eastern to provide information on protections and controls
related to BES Cyber System Information (BCSI) in the cloud. The webinar will
review examples, considerations, and best practices.
Since I’m not involved in this
webinar and don’t know the presenters (two CIP auditors, I believe), I can’t
tell you in advance whether it will be good or mediocre (I’m sure it won’t be
bad). I can say it’s worth watching, if you’re at all involved with this
question.
If you would like to comment on
what you have read here, I would love to hear from you. Please email me
at tom@tomalrich.com,
or even better, sign up as
a free subscriber to the Substack community chat for my subscribers
and make your comment there.