October 5, 2024
Balloting Opening on Cloud Services Standards
Balloting on the second draft of NERC’s proposed CIP standards for cloud computing will begin Sept. 11 after the first draft was rejected by stakeholders.

Balloting on the second draft of NERC’s proposed Critical Infrastructure Protection (CIP) standards on cloud computing will be held from Sept. 11 to 21.

The commenting period on CIP-004-7 and CIP-011-3 (Project 2019-02), which also ends on Sept. 21, began Aug. 6.

On Wednesday, the standard drafting team (SDT) held a webinar explaining the revisions and answering questions on the standards, which are intended to offer increased flexibility and lower-cost options for entities to manage their bulk electric system cyber system information (BCSI) by allowing use of third-party data storage and analysis systems.

The ballot on the first draft of the standards closed Feb. 3, with stakeholders rejecting CIP-004-7 by a 36-210 vote and CIP-011-3 by a 29-219 vote.


The team is “in alignment” with the industry feedback, SDT Vice Chair Josh Powers, of SPP, said Wednesday. In response to the comments, Powers said the team:

  • restored to CIP-004 all BCSI access-control-related requirements that had been proposed for CIP-011 (requirement R6);
  • clarified the intent of the BCSI vendor risk assessment in CIP-011 as a security and technical control method related to the vendor’s services and not the vendor;
  • broadened a new requirement for “key management” to focus on “electronic technical mechanisms to protect BCSI” and moved the requirement to CIP-011 R1;
  • added more specific use cases concerning entities engaging “vendor services to store, utilize or analyze BCSI”;
  • reverted to the term “method(s)” where it had been called “procedure(s)” or “process(es)”; and
  • left unchanged the current CIP-011 requirements regarding BES cyber asset reuse and disposal, which the team acknowledged was outside the scope of the standard authorization request.

Questions

In response to a question about whether the standards require data encryption for BCSI in all locations, Powers said “the expectation isn’t that it’s encrypted everywhere but it’s protected everywhere. So whatever information protection program is set up by the responsible entity, it must be protected everywhere,” including email and file sharing sites.

One questioner asked whether the SDT discussed the option of updating CIP-013 to cover requirement R1 in CIP-011 regarding supply chain risk.

SDT Chair John Hansen, of Exelon, said the team had detailed discussions with the leaders of the project revising CIP-013. “Both groups agree there was a gap in CIP-013 when it comes to BCSI in the cloud, and we took it on in CIP-011 revisions,” he said. “Longer term, I think we’re still going to be having more discussions on where that mostly will live. Right now, it will have to remain in CIP-011.” (See CIP Teams Compromise on Cloud Risk Assessment.)

Another questioner challenged CIP-011’s citing of vendors’ physical and electronic security management documentation, such as plans or diagrams, as evidence of their protections. “Please reconsider because [it is] very unlikely to get this information,” the questioner said.

“It’s understood that certain details might not be divulged, but there should be a certain amount of transparency for you to entrust somebody with your sensitive information,” responded team member William Vesely, of Consolidated Edison of New York. “I would find it very difficult to trust an entity that doesn’t have any form of transparency. … In the measures, it’s pretty open on the various technologies and information that could be provided … so I think there’s enough leeway to address that.”

The team said it had not created a vendor questionnaire similar to what the North American Transmission Forum developed for CIP-013. “There are a lot of publications coming out that get to the heart of that question,” Hansen said. “A lot of good information is already out there.”
