August 8, 2024

“You Are Here” 

As the energy utility sector increasingly leans toward embracing “The Cloud” for efficiency and scalability, it grapples with the substantial challenges of maintaining compliance and security, especially regarding BES Cyber System Information (BCSI), where BES is itself the Bulk Electric System. This journey into the cloud, while driven by compelling economic incentives, is saturated with complex regulatory and security hurdles that require meticulous navigation. Even the acronym BCSI is two acronyms in one. It’s complicated.

Understanding “The Cloud” 

The Cloud is a broad term encompassing numerous services, from hybrid environments to Software as a Service (SaaS) platforms. Each type of cloud service, whether Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or SaaS, presents its own set of challenges and compliance considerations for energy utilities, particularly in handling BCSI securely and in compliance with NERC standards. When you move BCSI to the Cloud, you add risk and more points of failure for your compliance program. Internal Controls will need to be in place to keep the program reliable, secure, safe, and resilient, but in the Cloud some things are beyond your control. An industry colleague with a decade in the NERC compliance and TSA space told me that he believes what will drive BCSI to the cloud boils down to one thing: economics. And it’s going to happen. Every entity is talking about the possibilities, but no one wants to be the trailblazer through the thorns, as they’re likely to end up with cuts and bruises. No one wants to be first.

Regulatory Evolution Toward BCSI in the Cloud 

The journey toward clarifying and codifying the handling of BCSI in cloud environments has been marked by significant regulatory milestones: 

  • 2018-2023 Regulatory Timeline: From initial discussions at NERC CIPC aimed at clarifying BCSI in the cloud, to the endorsement of Compliance Implementation Guidance for cloud solutions in 2023, the regulatory landscape has evolved significantly. Notably, modifications to CIP-004 and CIP-011 by 2021, effective starting 2024, highlight the shifting compliance requirements adapting to cloud integration. These updates pave the way for migrating BCSI to the Cloud. 
  • Implementation Guidance and Security Guidelines: Publications like the RSTC Security Guidelines on Cloud Computing and the Primer for Cloud Solutions and Encrypting BCSI reflect a growing understanding and framework for securely integrating cloud solutions within utility operations. 

Technical and Administrative Challenges 

Integrating cloud solutions involves both technical and administrative hurdles, including challenges with both cyber security and NERC compliance: 

  • Technical Challenges: These include implementing robust encryption, comprehensive access management, effective electronic key management, and stringent data loss prevention (DLP) measures. To effectively manage CIP-004 and CIP-011 requirements, it’s important to consider the vendor’s electronic access. If the entity can control this access and ensure data encryption, physical access by the vendor does not pose a compliance risk, as CIP-011 does not specifically address the protection of Sensitive Information in this context. 
  • Administrative Challenges: Conducting thorough vendor risk assessments, ensuring adherence to service agreements, leveraging CSP certifications, and incorporating third-party audits are crucial for maintaining compliance and securing BCSI. And the team responsible for CIP-004, which is now also responsible for parts of CIP-011 and for managing access, has been asked to do even more with the same amount of internal resources.

Defining Access and Provisioned Access in Cloud Environments 

Understanding the nuances of access in cloud environments is critical: 

  • Overlay vs. Underlay Considerations: Depending on the cloud service model adopted (SaaS, PaaS, IaaS), BCSI may reside in different layers (overlay or underlay), each with specific security and access implications. 
  • CIP-011 and CIP-004 Distinctions: Access management for cloud services is now two standards in one, with CIP-011 governing the protection and handling of BCSI by cloud service providers and CIP-004 focusing on the entity’s responsibilities.

Use of Third-Party Audit Reports 

Leveraging third-party audit reports as evidence of compliance is encouraged under NERC’s guidance. However, utilities must ensure these reports offer detailed insights into the security controls tested and the results to effectively demonstrate compliance. Anyone that has been through a recent NERC audit knows that the spotlight is on Internal Controls.  

Mixed Environment Considerations 

Utilities operating in mixed environments, where both cloud-based and on-prem infrastructures coexist, face added complexities. Ensuring consistent training, managing access across diverse platforms, and integrating security protocols require a unified strategy that addresses both cloud and traditional infrastructures. 

Well… Now What? 

As BCSI in the Cloud is now seemingly ordained by NERC itself, energy utilities must walk through a briar patch of regulatory, technical, and administrative challenges. The evolution of regulatory standards and the development of comprehensive security guidelines reflect the industry’s commitment to securely embracing cloud technologies. This transition, while complex, offers the promise of enhanced scalability, efficiency, and potentially significant cost benefits, if security and compliance are maintained at every step. It is a challenge that adds layers to the onion, which increases the points of failure in a compliance program where you must be perfect, every time. 

View our recent webinar, where we dive deeper into practical solutions to streamline CIP-004 compliance in your organization.


About the Author

Scott Crow is the Senior Business Systems Strategist – Energy & Utilities at AssurX. Scott has a proven track record of delivering successful IT/OT solutions that solve the challenges of cyber security for Critical Infrastructure. He is passionate about bringing better ways of solving business problems through innovation to the marketplace and specializes in the intersection of people, technology, and process.