Overview:
The term “NERC CIP” refers to a family of 14 cybersecurity standards that are developed and audited by NERC, a nonprofit organization owned by its members, which are referred to as “NERC Entities”. NERC entities primarily include North American electric utilities and Independent Power Producers (IPPs). The latter include oil- and gas-burning generators and renewable power producers (mostly wind and solar energy producers).
All NERC standards (including the CIP standards) are enforced in the US under the supervision of the Federal Energy Regulatory Commission (FERC) and in Canada under the supervision of the provincial governments. The standards are enforced through regular audits conducted by auditors employed by the six NERC “Regional Entities”. Penalties for non-compliance with just one of the approximately 45 CIP requirements can run into tens or hundreds of thousands of dollars per requirement violated; the largest NERC CIP fine so far (which covered extended violations of many requirements) was $10 million. Needless to say, NERC entities are very concerned about maintaining compliance with the CIP standards.
Because cybersecurity threats are constantly changing and are often difficult to define, there is much concern in the NERC community about how to interpret the CIP standards, especially since NERC is not allowed by its Rules of Procedure to provide compliance guidance to NERC Entities. Training by outside experts is the most effective way to prepare employees for CIP compliance.
Why You Should Attend:
The problem discussed in this session affects anyone employed by a NERC entity who is involved with CIP compliance or with use of the cloud.
Currently, the most important OT (operational technology) systems subject to NERC CIP compliance (high and medium impact systems) cannot be deployed in the cloud. This isn’t due to any explicit prohibition in the CIP standards, but to the fact that Cloud Service Providers could never furnish the required NERC CIP compliance evidence. This means that many electric utilities and Independent Power Producers (IPPs) cannot benefit from the lower costs, higher availability, and increased security available through use of the cloud to support their OT systems.
Fixing the problem will most likely require fundamental changes to all the CIP standards. A NERC Standards Drafting Team is working on those changes, but it is struggling to articulate the fundamental changes that will be required to accommodate use of the cloud.
Meanwhile, the software industry can achieve huge savings in money and time by moving its products from an on-premises delivery model to an exclusively cloud-based one (i.e., software-as-a-service or SaaS). Developers of software products used for power operations are increasingly notifying their industry customers that they will either move exclusively to a SaaS model, or they will make all future upgrades available exclusively on their cloud platform, even though they will continue supporting their on-premises platform at the current release level.
In fact, on-premises software is sometimes going up in price (often dramatically), even though its functionality is no longer advancing. In general, users who can’t take advantage of cloud-based software are receiving less functionality and paying more for what they get. Even worse, there are already many products and services that are only available in the cloud.
Fortunately, some important services for NERC entities, including SaaS that uses BES Cyber System Information (BCSI) and low impact Control Centers deployed in the cloud, are currently usable in the cloud without compliance risk. However, due to widespread confusion about CIP and the cloud, even these “100% legal” services are hardly being used.
Areas Covered in the Session:
Who Will Benefit:
People who work in other industries (or for consulting organizations), who would like to hear what lessons can be learned from the power industry’s experience with CIP.
Tom Alrich is an independent consultant and trainer specializing in two important topics:
Compliance with the rigorous NERC CIP cybersecurity standards, which apply to the control systems that monitor and operate the North American power grid. They are enforced by NERC and the Federal Energy Regulatory Commission (FERC); they carry maximum penalties of $1 million per violation. While these standards have been successful in securing the grid in the 15 years they have been in effect, they are increasingly inhibiting security by preventing many electric utilities and Independent Power Producers from utilizing cloud-based security software and services.
Software vulnerabilities, which “open the door” for the most successful cyber attacks. All software has vulnerabilities. These can never be eliminated, but they can be managed. However, management can only be successful if there are good data available on vulnerabilities, as well as data on the software or devices in which the vulnerabilities are found. Currently, two big US government programs are essential to providing that data: the CVE Program (run by the US Department of Homeland Security) and the National Vulnerability Database (run by the Department of Commerce). There are currently serious problems with both programs, and both are likely to undergo big changes in the coming years.