Until January 1, 2024, NERC entities with high and medium impact BES Cyber Systems were effectively “forbidden” from using software-as-a-service (SaaS) applications that required access to BES Cyber System Information (BCSI). This wasn’t because of an explicit prohibition in the CIP standards, but primarily because of two words, “storage locations”, in previous versions of CIP-004. The problem was (theoretically) corrected when revised versions of two standards came into effect on January 1: CIP-004-7 and CIP-011-3.
The revisions (especially the addition of a new requirement, CIP-004-7 R6) officially fixed the problem, yet NERC entities don’t seem to have gotten the message. Other than one popular SaaS application for configuration management (which NERC entities had already been using widely in their OT environments for at least the last six years), it is safe to say that the two revised requirements coming into effect has produced close to zero additional SaaS use.
The primary reason for this result seems clear: neither NERC nor the Regional Entities have made clear guidance available on how the NERC entity and the SaaS provider can each provide evidence of the entity’s compliance with the new or revised requirements. This is especially true for CIP-004-7 Requirement R6 Part 6.1, which applies to BCSI utilized by the SaaS application. Today, neither NERC entities nor SaaS providers have received guidance (official or otherwise) on how they can show they have complied with the strict wording of Part 6.1.
Part 6.1 appears to require the SaaS provider to request permission from the NERC entity before any individual decrypts BCSI so that the SaaS application can process it (this is needed because most SaaS applications can’t process encrypted data). Few if any SaaS providers would be willing to do that, considering that a) they would need to request permission from each NERC entity individually, and b) the permission would have to be granted to a particular individual (meaning it can’t be granted to everyone who fills a particular role, or on any similar group basis).
These concerns seem to be overblown. They can probably be addressed if each NERC entity signs a “delegation agreement” with the SaaS provider. The agreement would delegate to the provider the authority to authorize individual staff members for “provisioned access” to the entity’s BCSI, as long as each staff member meets whatever criteria the entity has set in its CIP-011-3 R1 Information Protection Plan (IPP). This approach seems to be hinted at by a statement on page 13 of the document endorsed by NERC in December as Implementation Guidance for the two revised CIP standards.
However, a hint on one page of an 18-page document clearly isn’t enough for most NERC entities; it was wishful thinking to believe that this alone would persuade them to put aside whatever doubts they had and plunge wholeheartedly into using SaaS applications that require BCSI access. That will require a NERC document that clearly addresses the problem, such as a CMEP Practice Guide.
Moreover, it’s safe to assume that, pending final approval and implementation (probably within 5-6 years) of whatever new or revised CIP standards the new NERC “cloud CIP” Standards Drafting Team (SDT) develops, any other clarification needed on a particular area of cloud use will also require a separate document, such as a CMEP Practice Guide. This includes the question of whether it’s fully “legal” to implement a low impact Control Center in the cloud; I said so in a recent post, but I got pushback from a respected former CIP auditor on my reasoning. As long as reasonable people may differ in their interpretations, it’s unlikely that many NERC entities will be willing to be the first kids on their block to venture into any area of cloud use that has previously been considered “off limits” to NERC entities.
This experience should teach the CIP community a good lesson. Some of us thought that NERC entities would rush to utilize the cloud whenever the door was even partially cracked open (as it was in the case of BCSI). However, it’s clear that NERC entities aren’t going to rush into the cloud until they’re sure they aren’t running significant cybersecurity or CIP compliance risks. They’re going to require significant guidance and handholding.
Of course, there’s nothing wrong with that. If someone is a wild risk-taker, they shouldn’t be in the electric utility business, where the risks can easily involve human life.
Are you a vendor of current or future cloud-based services or software that would like to figure out an appropriate strategy for selling to customers subject to NERC CIP compliance? Or are you a NERC entity that is struggling to understand what your current options are regarding cloud-based software and services? Please drop me an email so we can set up a time to discuss this!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com