BES Cyber System Information in the Cloud - Clearer Skies Ahead!

In today's rapidly evolving technological landscape, cloud computing has become an essential component of modern businesses. With its scalability, cost-efficiency, and accessibility, it's no surprise that more companies are moving their data and operations to the cloud. However, Bulk Electric System (BES) owners and operators face a unique set of challenges as they attempt to migrate to the cloud while remaining compliant with the NERC Critical Infrastructure Protection (CIP) standards for BES Cyber Systems (BCS) and BES Cyber System Information (BCSI).

Although technically allowed, proving compliance while keeping BCSI in the cloud has been stormy at best. Thankfully, there are clearer skies ahead: FERC has approved modifications to the NERC CIP standards that specifically address BCSI in the cloud. Acumen, a leading expert in CIP compliance, understands the challenges BES owners and operators have faced and explains below how the changes to the CIP standards will allow them to comply more easily going forward.

CIP-011: The Hurdles of Compliance in the Cloud

CIP-011 compliance was one of the most significant challenges for BCSI in the cloud. It required organizations to identify their BCSI, implement procedures for protecting and securely handling BCSI in storage, transit, and use, and ensure proper sanitization or destruction of cyber assets containing BCSI to prevent unauthorized retrieval of such information. While identification of BCSI was relatively straightforward, the "storage/transit/use" and sanitization requirements were more complex. In a cloud environment, the provider's system administrators may be able to access cloud systems and the data on them, and data is often distributed across numerous machines, disks, and locations. Proving to a NERC auditor that the data was protected from disclosure at all times, or that BCSI residing on cyber assets in the cloud was sanitized prior to disposal or reuse, was a daunting task.

The approved modifications to CIP-011 provide some clarity on how to comply when BCSI is stored in the cloud. The language requiring BCSI to always be protected and securely handled during "storage/transit/use" has been replaced with language "to mitigate risks of compromising confidentiality." It could be argued that the requirement has changed from a "zero defect" standard to one about mitigating risk, which provides some relief. The revised standard gives examples of how to mitigate the risk of compromising confidentiality, such as masking or encrypting the data. The approved modifications do not address BCSI residing on cyber assets (as opposed to storage locations) in the cloud. That being said, the compliance challenges of having cyber assets in the cloud are currently too great and too numerous, and it is not recommended at this time.

💡 Although there is some relief for compliance with CIP-011, it was not the primary concern for BCSI in the cloud. The real issue is CIP-004.

CIP-004: The Real Problem

CIP-004 requirement R4 mandated that access to Designated Storage Locations (DSL) for BCSI be authorized based on need, reviewed and verified every 15 months, and promptly revoked when personnel are terminated. Auditors expect businesses to provide evidence of proper authorization, access review, and timely revocation not only for their own employees but also for the cloud provider's personnel. BES owners and operators with BCSI in the cloud would therefore need to obtain and manage detailed personnel access management information from the cloud providers, which could prove very difficult.

The approved modifications to CIP-004 provide good clarity on how to comply when BCSI is stored in the cloud. The parts of various requirements dealing with designated storage locations for BCSI have been moved into their own new requirement, R6, which has several parts. The new access management language defines access to BCSI as the ability to both obtain and use the BCSI. For example, if the BCSI is encrypted and the cloud provider's personnel do not have the passwords or keys needed to decrypt and use it, they are not considered to have access to the BCSI and are not in scope of the CIP-004 requirements. This alleviates much of the concern and burden with respect to access management of BCSI stored in the cloud.
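The "obtain and use" distinction above, and the masking-or-encryption examples the revised CIP-011 language names, both come down to one engineering pattern: encrypt BCSI on the entity's side before it is uploaded, and keep the decryption keys inside the entity so the provider holds ciphertext it cannot use. The Python below is an added illustration of that pattern; it is not Acumen's code and not text from the standards. The authenticated-encryption construction (HMAC-SHA256 keystream plus an HMAC tag) is a standard-library stand-in chosen so the file runs with no third-party packages; a production system would use AES-GCM or an equivalent from a vetted library and an HSM- or KMS-backed master key. The object id, the sample ACL line and the master key are constructed for the example.

```python
"""Client-side envelope encryption for BCSI before it reaches the cloud.

Constructed example. The cipher here (HMAC-SHA256 counter-mode keystream,
encrypt-then-MAC) is a stdlib-only stand-in for AES-GCM so it runs anywhere.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Entity-held master key (constructed). It never leaves the entity's key store,
# so nothing the provider holds can be decrypted without the entity's help.
MASTER_KEY = os.urandom(32)

# Constructed sample BCSI: one line of an ESP access-control list.
SAMPLE_BCSI = b"ESP-ACL: permit tcp 10.20.30.0/24 -> 10.20.40.5 eq 502\n"


def _derive(key: bytes, label: bytes) -> bytes:
    """Split one key into independent encryption and MAC keys."""
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or modified data raises."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass(frozen=True)
class CloudObject:
    """What the provider actually stores: no plaintext and no usable key."""
    object_id: str
    wrapped_dek: bytes   # per-object data key, sealed under MASTER_KEY
    ciphertext: bytes    # BCSI sealed under that data key


def protect(master_key: bytes, object_id: str, bcsi: bytes) -> CloudObject:
    """Envelope-encrypt BCSI on the entity's side, before upload."""
    dek = os.urandom(32)
    aad = object_id.encode()   # binds both layers to this object id
    return CloudObject(object_id, seal(master_key, dek, aad), seal(dek, bcsi, aad))


def recover(master_key: bytes, obj: CloudObject) -> bytes:
    """Unwrap the data key, then decrypt. Only a master-key holder can do this."""
    aad = obj.object_id.encode()
    dek = open_sealed(master_key, obj.wrapped_dek, aad)
    return open_sealed(dek, obj.ciphertext, aad)


def can_use(obj: CloudObject, key_held: Optional[bytes]) -> bool:
    """Revised CIP-004 test: access means able to obtain AND use the BCSI.
    Anyone can be handed the CloudObject; only a master-key holder can turn
    it back into BCSI, so only they are in scope of the access requirements."""
    if key_held is None:
        return False
    try:
        recover(key_held, obj)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Run the checks an auditor would care about and return their outcomes."""
    obj = protect(MASTER_KEY, "esp-acl-substation-7", SAMPLE_BCSI)
    # Provider-side modification of one ciphertext byte (constructed tamper case).
    flipped = bytes([obj.ciphertext[20] ^ 0x01])
    tampered = CloudObject(obj.object_id, obj.wrapped_dek,
                           obj.ciphertext[:20] + flipped + obj.ciphertext[21:])
    return {
        "entity_recovers_bcsi": recover(MASTER_KEY, obj) == SAMPLE_BCSI,
        "provider_admin_with_blob_only": can_use(obj, None),
        "provider_admin_with_wrong_key": can_use(obj, os.urandom(32)),
        "plaintext_visible_in_store": SAMPLE_BCSI in obj.ciphertext,
        "tampering_detected": not can_use(tampered, MASTER_KEY),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point for compliance evidence is what the provider ends up holding: a CloudObject carries a wrapped data key and ciphertext, and both are useless without the entity's master key. Provider personnel can obtain the object but cannot use it, which is exactly the condition that takes them out of scope under the revised R6 language; the entity's evidence then centres on its own key custody, rotation and revocation records rather than on the provider's personnel lists.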

Why Acumen is the Expert You Need

With a team of seasoned professionals, Acumen can provide guidance on identifying BCSI, implementing the necessary protection measures, and ensuring compliance with the CIP standards in a cloud environment. We understand the unique challenges that cloud computing presents and offer tailored solutions to help BES owners and operators overcome these obstacles and avoid potential violations. By partnering with Acumen, you can put the rainy days of BCSI in the cloud behind you and spend your time enjoying the clearer skies ahead!