This comment form is no longer interactive because the comment period is closed.

Project 2019-02 BES Cyber System Information Access Management

Start Date: 03/28/2019
End Date: 04/26/2019

Hot Answers

CAISO proposes that any third party obligations for storing BCSI in the cloud should not be embedded in the requirements but deferred to cloud vendor risk assessments.

Darcy O'Connell, On Behalf of: California ISO - WECC - Segments 2

- 0 - 0

Electric Reliability Council of Texas, Inc. (ERCOT) requests that the SAR expressly identify the option of creating a separate standard for solutions involving third-parties rather than embedding new requirements in existing requirements.

Brandon Gleason, On Behalf of: Brandon Gleason, , Segments 2

- 0 - 0

Other Answers

Marty Hostler, On Behalf of: Northern California Power Agency, , Segments 5, 6

- 0 - 0

Susan Sosbe, On Behalf of: Wabash Valley Power Association, , Segments 3

- 0 - 0

Leonard Kula, On Behalf of: Independent Electricity System Operator, , Segments 2

- 0 - 0

Manitoba Hydro, Segment(s) 5, 3, 6, 1, 8/8/2017

- 0 - 0

No comments.

Teresa Krabe, On Behalf of: Lower Colorado River Authority, , Segments 1, 5

- 0 - 0

Permitting methods such as encryption and key management to be utilized as an additional protection for BCSI in transit and use allows improvements to the standard for CIP-011-2.

However, cloud services are of a concern to the security of storing, and allowing multiple methods for controlling access to the BES Cyber System Information storage location may pose additional risks.

Russell Martin II, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 0 - 0

GSOC supports the proposed scope of the SAR and we believe the changes to the standards will provide registered entities with additional options for using other efficient tools for CIP compliance activities. 

Andrea Barclay, On Behalf of: Andrea Barclay, , Segments 3, 4

- 0 - 0

Cassie Williams, On Behalf of: Cassie Williams, , Segments 5

- 0 - 0

In addition to the mentioned potential modifications for CIP-004-6 R4.1.3, R4.4, R5.3 & CIP-011-2 R1, Tacoma Power recommends the SAR be extended to include review of CIP-004-6 R2.1.5 which covers training for BES Cyber System Information Handling, and CIP-011-2 R2 which deals with preventing unauthorized access to BCSI when a system is being reused or disposed.

John Merrell, On Behalf of: Tacoma Public Utilities (Tacoma, WA), , Segments 1, 3, 4, 5, 6

- 0 - 0

In general, Idaho Power Company agrees with the scope of the SAR as described. BCSI protections should be flexible enough to provide an entity with the ability to adapt to different environments and situations while still being restrictive enough to provide assurance that information is protected in storage, transit, and use.

Laura Nelson, On Behalf of: Laura Nelson, , Segments 1

- 0 - 0

Reclamation agrees that a cost-effective, risk-based approach for the adoption and use of cloud services is needed within industry. BES Cyber System Information could be stored on third party systems if proper controls for confidentiality, integrity, and availability are implemented for acceptable risk to the BES. For example, if BCSI is stored within a cloud server and encrypted, the entity that owns the data should be the only one with access to the encryption keys capable of decrypting the data, availability during critical emergencies, and integrity of transport layers 2 and 3.

Reclamation disagrees with the statement, “As currently drafted, the requirement is focused on access to the ‘storage location,’ and therefore does not permit methods such as encryption and key management to be utilized in lieu of physical/electronic access controls. This wording also does not explicitly permit any flexibility in the audit approach.” The current CIP-004 standard does not exclude these methods.

Virtualization can and should be as simple as, “If it is something that needs to be protected, protect it.” Reclamation recommends registered entities be allowed to determine their risks. Reclamation is concerned that the proposed requirements will lead to increased requirements for low impact systems. The SDT must consider allocation of resources spent on managing and documenting efforts on low impact systems. The SAR seems to indicate that everyone would need specific authorization versus the current method of allowing a position of authority to delegate who may have access. More detailed categorization will require more tracking tools and create more opportunities for failure (non-compliance) without necessarily improving BES reliability or reducing risk.

Reclamation recommends the SDT focus on defining what BCSI is; specifically, if it is information carried through the BES Cyber System or about the BES Cyber System.

Richard Jackson, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 1 - 0

Duke Energy agrees with the proposed scope of this project, and agrees that additional clarity regarding this issue is sorely needed. 

Also, we would be interested to know if the drafting team has considered, or is aware if this project will impact CIP-013 specifically?

Duke Energy, Segment(s) 1, 5, 6, 4/23/2019

- 0 - 0

Tho Tran, On Behalf of: Oncor Electric Delivery, Texas RE, Segments 1

- 0 - 0

The goal of restricting access to BCSI to only authorized personnel is to ensure the confidentiality, integrity, and availability of the data. Entities need to have flexibility of defining how this is accomplished. Limiting entities to specific requirements and technology hinders a company's ability to use tools that may protect them more effectively.

A good example of this problem involves access revocation requirements for BCSI. Currently we must revoke access within the next business day. Certainly, a revocation process is necessary, but a specific time frame makes it almost impossible to manage service solutions such as cloud services.

The regulatory controls that govern BCSI should guide entities to build strong risk-based data protection plans for their BCSI, not limit them to specific technologies or measures. Doing this restricts their ability to implement modern security programs and best-of-breed tools based on current and evolving threat landscapes.

While this SAR does mention specific technologies that could assist in preventing unauthorized access to BCSI, we are concerned that it will provide only minimal expansion of what is acceptable rather than giving each entity the flexibility it needs.

Oliver Burke, On Behalf of: Entergy - Entergy Services, Inc., , Segments 1

- 1 - 0

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 7/19/2017

- 0 - 0

Support NRECA comments.

Mike Kraft, On Behalf of: Mike Kraft, , Segments 1, 3, 5, 6

- 0 - 0

We do not believe that the standards require revision in order to accommodate cloud storage, encryption, or various other tools which may be used for protection of BCSI. CIP-004-6 is written to accommodate a variety of vetting and authorization approaches. For BCSI access under CIP-004, R4.1 merely specifies that a Responsible Entity must have a process to “authorize based on need, as determined by the Responsible Entity,” for the types of access listed in 4.1.1 through 4.1.3. This provision does not specify a requirement to do background or identity checks on individual third party employees. It does not preclude the ability of a Responsible Entity to use a cloud provider to store BCSI; it merely requires codifying and implementing an approach to authorizing access to BCSI storage, if actual access will even occur. Terms such as “access,” “designated storage location,” and “termination action” are undefined in the standards, and, depending how defined in the Responsible Entity’s process, could allow third party cloud storage of BCSI while still meeting the current standards.

If the drafting team determines that changes should be made, however, we recommend that (1) such changes should be clearly couched as clarifications, and (2) highly specific or qualitative requirements regarding cloud storage and encryption should be avoided. Technology and cyber attacks are changing daily, and our requirements should remain flexible regarding the protections we choose to use.

Shari Heino, On Behalf of: Brazos Electric Power Cooperative, Inc., , Segments 1, 5

- 1 - 0

Support NRECA Comments

Jeremy Voll, On Behalf of: Basin Electric Power Cooperative, , Segments 1, 3, 5, 6

- 0 - 0

While Dominion Energy supports cloud computing, Dominion Energy does not support the instant SAR. In stating the industry needs to allow BCSI data to be stored on the cloud using encryption rather than the current requirements of the CIP standards, the SAR does NOT present a reliability purpose to allow this less stringent method of storage of BCSI data. The need statement actually appears to potentially create a reliability gap by asserting that encryption alone could be an alternative to the existing requirements. The SAR is proposing to use specific technologies (i.e. encryption and key management) which could be less secure when used as an alternative to current CIP requirements.

Dominion Energy is also of the opinion that the SAR is requesting a modification solely for compliance clarification. A standard modification may not be the appropriate tool, rather Implementation Guidance should be used to clarify compliance expectation. The current requirements do not need to be modified to allow cloud storage of information and is appropriate based on the nature of the information being protected (BCSI). Dominion Energy is of the opinion that the term ‘access’, which is a key issue in the SAR, standard could be defined as “the ability to use” when used in the context of electronic access; therefore, a change to the standard wouldn’t be necessary to allow an entity to take credit for controls that prevent access; such as, encryption and key management as methods for controlling physical/electronic access.

As an example, if an individual can log into a server that contains an electronic storage location but doesn’t have the ability to use the data because the individual doesn’t have the rights to access the data, there’s no compliance issue because the individual doesn’t have the ability to use the data.

The issue statement for cloud computing is ensuring the entity has an ability to know who has access to the BCSI information. Given the nature of the environment, it may not be clear who (outside of the entity) has access to the designated electronic storage location.

There may also be supply chain implications to be able to contractually ensure an entity is able to ensure administrators of the cloud computing vendor are not provisioned in such a way that they would ever have unauthorized access to a designated BCSI storage repository.

From a cyber-security perspective, use of cloud computing for confidential information increases the risk of information falling into the hands of a ‘bad actor’:

An entity loses control of the data as soon as it’s in the cloud. This includes not only the storage location but the transport from the source to the third-party storage location.

Even though the BCSI may be encrypted, there’s no assurance that a copy of the encrypted data can’t be made. A copy of the encrypted data can be held by “bad actors” until such time as the technology exists to break the encryption.

It may not be clear who administratively has access to the electronic storage location from the cloud storage vendor.

The cloud storage vendor may subcontract portions of the administration of the environment.

There is no assurance that confidential files will be properly destroyed once it’s determined they’re no longer needed.

Due to the nature of cloud storage, multiple copies of a designated storage location may exist for redundancy in strategically placed data centers.  Deleting a repository in one data center doesn’t mean all copies (and backup copies) are also deleted.

For these reasons, Dominion Energy does not support this SAR and recommends that an Implementation Guidance document, which is appropriate to address the compliance concerns raised in the SAR, be explored.

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 1 - 0

We are in support of the scope of the SAR and believe changes to the standards will give registered entities additional options for using other methods for CIP compliance activities.

ACES Standard Collaborations, Segment(s) 1, 3, 4/25/2019

- 0 - 0

Westar and Kansas City Power & Light are supportive of Edison Electric Institute's response to Question 1.

Westar-KCPL, Segment(s) 1, 3, 5, 6, 12/18/2018

- 0 - 0

None

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Exelon agrees with the overall scope of the SAR. There are sections in the document that need clarification. Example #4.X.2, the language “may include but are not limited to…” seems to imply that entities aren’t being held to any one thing specifically except identifying “… security protection(s) used to prevent unauthorized access to [BCSI] within each repository”. Further define what the expectations are around “Data loss prevention techniques and rights management services” in section 4.X.2.

Example #2 4.1.3 “Physical access to physical BES Cyber System Information storage locations;” appears somewhat redundant with 4.1.4, “Physical access to unencrypted electronic BES Cyber System Information storage locations;” where this may require a fairly significant effort. 

Daniel Gacek, On Behalf of: Exelon, , Segments 1, 3, 5, 6

- 0 - 0

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

MPC agrees that CIP-004 can be updated to better accommodate cloud-based storage, however, the current scope misses out on opportunities to align CIP-004 with the risk-based approach of CIP-012 and CIP-013. CIP-011 is currently risk based, but the examples provided in the SAR are highly prescriptive and should be considered a step backwards. The scope of this project should accommodate cloud storage by echoing CIP-012 R1 language, such as:

“The Responsible Entity shall develop one or more documented plan(s) to mitigate the risk of the unauthorized disclosure of BCSI. This shall be accomplished by one or more of the following means, to include BCSI that is in storage, transit, and use:

  • Encryption and key management;

  • Physical access management;

  • Electronic access management;

  • Data loss prevention techniques and rights management services; or

  • Using an equally effective method to mitigate the risk of unauthorized disclosure.”

The scope of this project needs to include authorization and access restrictions to BCSI, not to a “designated storage location”.

Andy Fuhrman, On Behalf of: Minnkota Power Cooperative Inc. - MRO - Segments NA - Not Applicable

- 0 - 0

DTE Energy - DTE Electric, Segment(s) 5, 4, 3, 2/27/2017

- 0 - 0

Kimberly Van Brimer, On Behalf of: Southwest Power Pool, Inc. (RTO), MRO, WECC, Segments 2

- 0 - 0

NRECA supports the proposed scope of the SAR and we believe the changes to the standards will provide registered entities with additional options for using other efficient tools for CIP compliance activities.

Barry Lawson, On Behalf of: Barry Lawson, , Segments 3, 4

- 0 - 0

Dominion Energy South Carolina (formerly SCANA) is in agreement with comments submitted by Dominion Energy (Sean Bodkin).

RoLynda Shumpert, On Behalf of: SCANA - South Carolina Electric and Gas Co., SERC, Segments 1, 3, 5, 6

- 0 - 0

OG&E supports the comments made by EEI:

Comments: EEI member companies support the intent of the proposed SAR but believe there is room to clarify the draft language to ensure the affected Reliability Standards continue to meet the Reliability needs of the Bulk Electric System. From that perspective, we offer the following brief input for consideration:

Comments are provided by SAR Section Title:

Industry Need: We recommend removing the introductory statement (i.e., “While there is no direct benefit to the reliability of the BES”), because we believe this statement conflicts with the following text, as currently written.

Purpose or Goal: EEI members offer for consideration the following clarifying edits:

This project is intended to clarify and expand the options available under the CIP requirements, related to BES Cyber System Information access, to remove unnecessary barriers and allow for alternative methods, (e.g., encryption, etc.) that could provide equally effective solutions for the storage, transit and access to protected BCSI data.

Do you know of any consensus building activities in conjunction with this SAR? EEI member companies ask that conclusions developed by the “informal team” assembled by the NERC Compliance Input Working Group be referenced within this SAR. While it is clear that a large number of SMEs worked on this effort, their findings and recommendations are neither posted by NERC nor referenced within this SAR.

Are there alternatives that have been considered or could meet the objectives? EEI member companies question whether the detailed examples contained within the SAR might unintentionally limit the SDT from developing other, possibly more effective, solutions and offer the following edits.

As a means to assist the SDT, several possible options are provided for SDT consideration to address revisions to CIP-004-6 Requirement R4 Part 4.1.3. These options are not intended to limit the SDT from developing other more effective solutions.

Additionally, EEI member companies are unclear whether the examples provided were developed as part of the informal team (previously mentioned in the preceding question), that operated under the direction of the NERC Compliance Input Working Group. If that is the case, we believe such information would be better placed under the preceding question.

Patrick Wells, On Behalf of: OGE Energy - Oklahoma Gas and Electric Co., , Segments 1, 3, 5, 6

- 0 - 0

NV Energy supports the project as intended; to expand available options under current Standard related to an entity to utilize changes in technologies for data storage platforms. That said, we do believe that further clarification and development still needs to take place to define scope.

NV Energy believes the current SAR language is still too general in its statement for allowing Industry and Entities to be more flexible in performing business function and using new technologies, but NV Energy would request more clarifying language to understand the burden of accountability via evidence on the Entity to provide after this change is made. It would benefit NV Energy to know this, prior to agreeing to creation of a SDT for the project.

Keeping the subject matter only in the scope of CIP-004 and CIP-011, we agree with a SAR to address a growth for technologies.

Kevin Salsbury, On Behalf of: Berkshire Hathaway - NV Energy, , Segments 5

- 0 - 0

While AEP agrees with the proposed scope of the SAR, we recommend that the examples provided for possible revisions to CIP-004-6 Requirement R4 Part 4.1.3 be deleted from the SAR. The inclusion of the examples hinders the flexibility of the SDT to craft the revisions necessary to accurately address the use of encryption on BES Cyber System Information. AEP recommends the SDT work off the scope and objectives as written in the Detailed Description section of the SAR.

Leanna Lamatrice, On Behalf of: Leanna Lamatrice, , Segments 3, 5

- 0 - 0

Southern Company supports the intent of the proposed SAR but believes there is room to clarify the draft language to ensure the affected Reliability Standards continue to meet the Reliability needs of the Bulk Electric System. 

 

Southern Company requests that the scope of the SAR allows the SDT to specifically address and clarify the interpretation around encrypted BCSI and how encrypted data (cyphertext) does not constitute “information that can be used”, as per the BCSI definition.  To consider cyphertext to still meet the definition of BCSI is in opposition to the plain language of the existing defined term, and to consider it as such nullifies any benefit to be gained or optionality for using 3rd party hosting solutions as a Registered Entity would have no control over those physically accessing the 3rd party’s data centers.  Physical access to electronically stored and encrypted cyphertext should be considered outside of the scope of this SAR based on the grounds that access to cyphertext without the ability to decrypt that data should not be considered “access to BCSI.”

 

The SAR should also clarify that the inclusion of encryption as an option to secure BCSI is in addition to other acceptable means available to Registered Entities, such as other physical and electronic security controls, and that the SAR will not force the SDT into limiting a Registered Entity’s options for complying with the Standard. Southern is concerned that the detailed examples contained within the SAR might unintentionally limit the SDT from developing other, possibly more effective, solutions.

Southern Company, Segment(s) 1, 3, 5, 6, 10/30/2017

- 0 - 0

Support NRECA comments.

Jerry Horner, On Behalf of: Basin Electric Power Cooperative, , Segments 1, 3, 5, 6

- 0 - 0

Texas RE suggests adding verbiage to the SAR to indicate entities should use the strongest encryption algorithm since not all encryption algorithms are secure.

Rachel Coyne, On Behalf of: Texas Reliability Entity, Inc., , Segments 10

- 0 - 0

LaTroy Brumfield, On Behalf of: American Transmission Company, LLC, , Segments 1

- 0 - 0

RSC no Dominion, Segment(s) 10, 2, 4, 5, 7, 3, 1, 0, 6, 4/26/2019

- 0 - 0

Maryanne Darling-Reich, On Behalf of: Black Hills Corporation - WECC - Segments 1, 3, 5, 6

- 0 - 0

Chinedu Ochonogor, On Behalf of: Chinedu Ochonogor, , Segments 1, 3, 5, 6

- 0 - 0

Constantin Chitescu, On Behalf of: Ontario Power Generation Inc., , Segments 5

- 0 - 0

Comments: The impact of nondisclosure agreements (NDAs) also should be considered on managing access to BCSI. In some cases within the NERC CIP Standards, a properly constructed NDA apparently can provide sufficient evidence of adequate information handling, and in other cases it cannot.

For sensitive CIP-014 documents, for instance, an NDA is explicitly identified within the Standard (R2, R6) as sufficient for protecting the information, and in practice validating the existence of such an NDA appears to be the audit approach for the information protection aspect of CIP-014 R2 and R6. There is no effort on the part of ERO auditors to identify CIP-004 R4 and R5 details, such as who has access to the information, when they were disabled, or how or where it is stored by the third party signing the NDA.

Similarly, an NDA appears audit-sufficient for BCSI or sensitive information provided to third party consultants as part of a mock audit, say, or for program improvement work, or for such information shared among regulated entities themselves as necessary for reliable operation of the power grid. To date, NERC CIP auditors do not appear to require or request CIP-004-type evidence of how the third-party handled or stored the sensitive information or BCSI. The existence of the NDA is sufficient.

Finally the ERO enterprise itself provides a third example of how NDAs, by themselves, are sometimes deemed sufficient for third-party handling and storage of sensitive information and BCSI. Here, the general NDA among the entity and regulator is considered sufficient, even for third-party (ERO) storage of sensitive information and BCSI in cloud-based systems such as webCDMS. Again, no CIP-004-type evidence is requested or expected.

In other cases, an NDA is not deemed sufficient. The most obvious case is that an NDA, by itself, does not appear to be considered by NERC auditors as sufficient evidence of adequate protection of BCSI provided by an entity to a third-party cloud storage provider. In such cases, whether a proper NDA exists or not, the audit approach typically calls for review of evidence that all CIP-004 R4 and R5 requirements have been met by the third-party cloud provider.

These different audit approaches for sensitive information and BCSI under an NDA raise several questions. Under what conditions is an NDA, alone, sufficient and why? What is the expectation under CIP-004 R4 for BCSI that is protected pursuant to an NDA? Does the NDA authorize blanket access for the company to which it applies, or is individual authorization expected in addition to the NDA? If the former, what is the expectation regarding access tracking, revocations, and reviews? Including NDA issues within the SAR scope may reveal alternative paths towards secure cloud management of BCSI under NERC CIP.

Matthew Nutsch, On Behalf of: Seattle City Light, WECC, Segments 1, 3, 4, 5, 6

- 0 - 0

PSEG supports the proposed scope of the SAR. Proposed changes to the standards would provide industry with more tools and greater flexibility in complying with the CIP standards.

PSEG REs, Segment(s) 5, 6, 3, 1, 11/2/2017

- 0 - 0

EEI member companies support the intent of the proposed SAR but believe there is room to clarify the draft language to ensure the affected Reliability Standards continue to meet the Reliability needs of the Bulk Electric System.  From that perspective, we offer the following brief input for consideration:

Comments are provided by SAR Section Title:

Industry Need: We recommend removing the introductory statement (i.e., “While there is no direct benefit to the reliability of the BES”), because we believe this statement conflicts with the following text, as currently written.

Purpose or Goal: EEI members offer for consideration the following clarifying edits:

This project is intended to clarify and expand the options available under the CIP requirements, related to BES Cyber System Information access, to remove unnecessary barriers and allow for alternative methods, (e.g., encryption, etc.) that could provide equally effective solutions for the storage, transit and access to protected BCSI data.  (strike throughs removed due to the system not allowing its use)

Do you know of any consensus building activities in conjunction with this SAR? EEI member companies ask that conclusions developed by the “informal team” assembled by the NERC Compliance Input Working Group be referenced within this SAR. While it is clear that a large number of SMEs worked on this effort, their findings and recommendations are neither posted by NERC nor referenced within this SAR.

Are there alternatives that have been considered or could meet the objectives?  EEI member companies question whether the detailed examples contained within the SAR might unintentionally limit the SDT from developing other, possibly more effective, solutions and offer the following edits.

As a means to assist the SDT, several options are provided for SDT consideration to address revisions to CIP-004-6 Requirement R4 Part 4.1.3. These options are not intended to limit the SDT from developing other more effective solutions. (strike throughs removed due to the system not allowing its use)

Additionally, EEI member companies are unclear whether the examples provided were developed as part of the informal team (previously mentioned in the preceding question), that operated under the direction of the NERC Compliance Input Working Group. If that is the case, we believe such information would be better placed under the preceding question.

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

Gregory Campoli, On Behalf of: New York Independent System Operator, , Segments 2

- 0 - 0

Glenn Barry, On Behalf of: Los Angeles Department of Water and Power, , Segments 1, 3, 5, 6

- 0 - 0

Hot Answers

The CAISO offers the following feedback on the SAR.

INDUSTRY NEED SECTION:

CAISO contends that this initiative could have a direct benefit to reliability. The use of third-party solutions (aka cloud) for the storage of BES Cyber System Information can provide a reliability benefit in having recovery plans and other information available to the entity in the event they are needed and the entity’s systems are unavailable.

Further, as technologies and cyber attacks advance and become more complex, Responsible Entities are becoming increasingly interested in collecting and correlating electronic access monitoring events across their enterprises. This broad-based information collection provides Responsible Entities with more visibility into emerging threats and trends.  Many of these types of software providers are no longer offering on-premises solutions. Allowing the use of third parties for these solutions to analyze and take action serves to improve the overall cybersecurity and reliability of the BES through early detection of compromise.

CAISO would also note that the SAR does not address the use of applications. The SAR only addresses storage. The SAR should account for both.

PURPOSE OR GOAL SECTION:

CAISO contends that encryption is already recognized as a means to protect BCSI. Under CIP-011-2 R2, Part 2.1, encryption is listed as a means to prevent “unauthorized retrieval” of BCSI. Unauthorized retrieval is basically the same concept as unauthorized access. The use of encryption should be applied consistently to CIP-004 R4, CIP-004 R5, and CIP-011 R2, Part 2.1.

DETAILED DESCRIPTION SECTION:

CAISO contends that encryption is already recognized as a means to protect BCSI. Under CIP-011-2 R2, Part 2.1, encryption is listed as a means to prevent “unauthorized retrieval” of BCSI. Unauthorized retrieval is basically the same concept as unauthorized access. The use of encryption should be applied consistently to CIP-004 R4, CIP-004 R5, and CIP-011 R2, Part 2.1. The use of encryption can be used to prevent access. Therefore, CIP-004 R4 and R5 should not apply since access is prevented.

CAISO agrees that audit evidence should be addressed. This should include the use of external audit reports to demonstrate compliance in lieu of detailed evidence that would be available for on-premises implementations. In the context of these services, the Responsible Entity’s obligations may only be limited to due diligence in reviewing third party audit and certification details.

ALTERNATIVES SECTION:

CAISO agrees with the concept of Example #1, but requests clarification on the inclusion of “virtual or non-virtual environment” on Example #1.

ADDITIONAL COMMENTS:

One area that should be considered is to address the geographical location of BCSI stored with a third party (aka cloud). Requirements should be drafted for entities to evaluate the geographic location of hosted solutions in their risk assessment of the service.

Any requirement language should include provisions of a CIP Exceptional Circumstance in addressing access controls under CIP-004.

Darcy O'Connell, On Behalf of: California ISO - WECC - Segments 2

- 0 - 0

ERCOT offers the following additional comments for the SAR drafting team to consider.

INDUSTRY NEED SECTION

ERCOT believes this initiative could have a direct benefit to reliability. The use of third-party solutions (aka cloud) for the storage of BES Cyber System Information can provide a reliability benefit in having recovery plans and other information available to the entity in the event they are needed and the entity’s systems are unavailable.

In addition, as technologies and cyber attacks advance and become more complex, Responsible Entities are becoming increasingly interested in collecting and correlating electronic access monitoring events across their enterprises. This broad-based information collection provides Responsible Entities with more visibility into emerging threats and trends. Many of these types of software providers are no longer offering on-premises solutions. Allowing the use of third parties for these solutions to analyze and take action serves to improve the overall cybersecurity and reliability of the BES through early detection of compromise.

ERCOT also notes that the SAR does not address the use of applications. The SAR only addresses storage. The SAR should take both into consideration.

PURPOSE OR GOAL SECTION

Encryption is already recognized as a means to protect BCSI. Under CIP-011-2 R2, Part 2.1, encryption is listed as a means to prevent "unauthorized retrieval" of BCSI. Unauthorized retrieval is basically the same concept as unauthorized access. The use of encryption should be applied consistently to CIP-004 R4, CIP-004 R5, and CIP-011 R2, Part 2.1.

DETAILED DESCRIPTION SECTION

Encryption is already recognized as a means to protect BCSI. Under CIP-011-2 R2, Part 2.1, encryption is listed as a means to prevent "unauthorized retrieval" of BCSI. Unauthorized retrieval is basically the same concept as unauthorized access. The use of encryption should be applied consistently to CIP-004 R4, CIP-004 R5, and CIP-011 R2, Part 2.1. The use of encryption can be used to prevent access. Therefore, CIP-004 R4 and R5 should not apply because access is prevented.

ERCOT concurs with the SAR drafting team that audit evidence should be addressed. This should include the use of external audit reports to demonstrate compliance in lieu of detailed evidence that would be available for on-premises implementations. In the context of these services, the Responsible Entity’s obligations may only be limited to due diligence in reviewing third party audit and certification details.

ALTERNATIVES SECTION

ERCOT agrees with the concept of Example No. 1, but requests clarification on the inclusion of "virtual or non-virtual environment" in Example No. 1.

ADDITIONAL COMMENTS

An additional area that should be considered is the geographical location of BCSI stored with a third party (aka cloud). Requirements should be drafted for entities to evaluate the geographic location of hosted solutions in their risk assessment of the service. Finally, any new requirement language should include provisions concerning CIP Exceptional Circumstance in addressing access controls under CIP-004.

Brandon Gleason, On Behalf of: Brandon Gleason, , Segments 2

- 0 - 0

Other Answers

Marty Hostler, On Behalf of: Northern California Power Agency, , Segments 5, 6

- 0 - 0

The standards development team should favor non-prescriptive standards for protection of BES Cyber System Information that requires an appropriate level of security within (1) individual Entities, (2) Application Providers, (3) Public Cloud Providers, (4) Entities that hold protected information for other utilities business partners, and (5) business partners that need access and temporarily retain this information.

 

Susan Sosbe, On Behalf of: Wabash Valley Power Association, , Segments 3

- 0 - 0

Leonard Kula, On Behalf of: Independent Electricity System Operator, , Segments 2

- 0 - 0

Given that Example #2 proposes a reasonable and alternative approach that permits encryption and key management to be utilized in lieu of physical/electronic access controls, we support Example #2 to be considered for modifying CIP-004-6 R4 Part 4.1.3. This encryption and key management method would provide flexibility for entities to manage BCSI access and facilitate the cloud storage solution. Note that if CIP-004-6 R4 Part 4.1.3 is revised using Example #2, CIP-004-6 R4 Part 4.3 and R5 Part 5.3 should be revised in accordance with the modification of CIP-004-6 R4 Part 5.1.3.

Manitoba Hydro, Segment(s) 5, 3, 6, 1, 8/8/2017

- 0 - 0

No comments.

Teresa Krabe, On Behalf of: Lower Colorado River Authority, , Segments 1, 5

- 0 - 0

SRP agrees with the SAR that additional considerations need to be given to other ways to protect BCSI beyond access to storage locations. There are more methods to protect BCSI and the standards need to be flexible enough to allow it. The current requirements apply to BCSI in the cloud; however, it is not feasible to expect third party providers of hosted solutions (cloud BCSI storage locations) to comply with CIP-004-06 R4.1.3 and CIP-004-6 R5.3, so entities have to look for other options – and not using cloud providers is no longer an option.

SRP suggests the SDT look for opportunities to update CIP-011 requirements to better document the types of protections in place for BCSI storage locations where the only available control is CIP-004-6 (access management), then CIP-004 applies.

SRP disagrees with an approach that encryption or masking BCSI renders it no longer BCSI.  This would create a need for entities to know when information is no longer BCSI (upon encryption) and when it becomes BCSI again (upon decryption).  It will be difficult to apply the current CIP-004 storage locations based requirements.  SRP agrees with the SAR’s approach that the standards should be updated to allow for other methods to protect BCSI.  This will ensure a complete inventory of BCSI and a better overall understanding of the protections in place.

The SDT may want to consider minimum requirements (or guidance) for an approach to properly sanitize (i.e. cryptographic erase) off premise BCSI.

Russell Martin II, On Behalf of: Salt River Project, WECC, Segments 1, 3, 5, 6

- 1 - 0

GSOC appreciates the efforts of Tri-State G&T and the other members of the NERC Compliance Input Working Group for submitting this SAR. The drafting team should consider how entities and NERC could rely on third-party audit assessments of cloud services providers. They should also evaluate the requirement for access management, revocation, disposal and information protection.

Andrea Barclay, On Behalf of: Andrea Barclay, , Segments 3, 4

- 0 - 0

Cassie Williams, On Behalf of: Cassie Williams, , Segments 5

- 0 - 0

John Merrell, On Behalf of: Tacoma Public Utilities (Tacoma, WA), , Segments 1, 3, 4, 5, 6

- 0 - 0

Laura Nelson, On Behalf of: Laura Nelson, , Segments 1

- 0 - 0

Reclamation recommends IT systems that store BCSI be certified and accredited for operation in accordance with federal and Department of Homeland Security (DHS) standards. Boundaries and security authorization(s) must be defined for systems with common security controls. National Institute of Standards and Technology (NIST) Information Management Security suggests entities should control risks by evaluating the system’s or information’s importance and designating the confidentiality, integrity, and availability necessary for the system or information. The entity’s CIP Senior Manager or delegate should accept (approve) the risk for the responsible entity.

Additionally, the revised standards must specifically account for the requirements pertaining to Controlled Unclassified Information (CUI) in 32 CFR 2002. Reclamation recommends the SDT obtain a full understanding of overall information protection requirements, to include requirements beyond IT systems. For example, there is no mechanism to encrypt hard copy data, so physical protection requirements cannot be totally removed.

Reclamation also recommends the SDT incorporate the following definition of “Information Security” as stated in NIST SP800-12r1, Section 1.4 Important Terminology, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf:

“Information Security – The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure confidentiality, integrity, and availability.”

Richard Jackson, On Behalf of: U.S. Bureau of Reclamation, , Segments 1, 5

- 0 - 0

Duke Energy would like to recommend that the drafting team consider the potential impacts of setting encryption at the document level or the repository level.

Duke Energy, Segment(s) 1, 5, 6, 4/23/2019

- 0 - 0

Tho Tran, On Behalf of: Oncor Electric Delivery, Texas RE, Segments 1

- 0 - 0

No additional comments.

Oliver Burke, On Behalf of: Entergy - Entergy Services, Inc., , Segments 1

- 0 - 0

Agree with the objective of the proposal, but are we certain that the current language of CIP-004-6 Requirement R4 Part 4.1.3 cannot accommodate third-party cloud-based encrypted BCSI? The “or” in “physical or electronic” access to designated storage locations (an undefined term that can be defined by the Responsible Entity) permits electronic authorization exclusively, relieving the Responsible Entity of any physical access concerns. Encryption key management can be the process to authorize electronic access to BCSI. The designated storage location could be defined as the Responsible Entity’s encrypted BCSI in a designated third-party data repository.

Does the requirement language need to be changed to explicitly permit, or can other options be pursued to ascertain whether or not current language can accommodate? Has anyone submitted implementation guidance for ERO endorsement showing how industry believes this can be done compliantly?

If NERC is receptive to encryption satisfying R4.1.3, a SAR may yet be required to specify minimum acceptable encryption key strength, such as NIST Advanced Encryption Standard AES 256-bit, just as minimum password length and complexity requirements are set forth in CIP-007-6 R5.5.

MRO NSRF, Segment(s) 3, 4, 5, 6, 1, 2, 7/19/2017

- 0 - 0

Support NRECA comments.

Mike Kraft, On Behalf of: Mike Kraft, , Segments 1, 3, 5, 6

- 0 - 0

Shari Heino, On Behalf of: Brazos Electric Power Cooperative, Inc., , Segments 1, 5

- 0 - 0

Support NRECA Comments

Jeremy Voll, On Behalf of: Basin Electric Power Cooperative, , Segments 1, 3, 5, 6

- 0 - 0

Dominion, Segment(s) 3, 5, 1, 4/6/2017

- 0 - 0

ACES would like to thank the SAR Team for their efforts and opportunity to comment on the SAR.

ACES Standard Collaborations, Segment(s) 1, 3, 4/25/2019

- 0 - 0

None.

Westar-KCPL, Segment(s) 1, 3, 5, 6, 12/18/2018

- 0 - 0

None

Aaron Cavanaugh, On Behalf of: Bonneville Power Administration, WECC, Segments 1, 3, 5, 6

- 0 - 0

Daniel Gacek, On Behalf of: Exelon, , Segments 1, 3, 5, 6

- 0 - 0

TVA supports review of the CIP-004 and CIP-011 language as currently written, specifically with regard to the use of encryption in place of physical access controls.  However, TVA cautions against including discussion of specific technologies in the language of the standards that could prohibit or discourage innovation or use of emerging technologies.

Tennessee Valley Authority, Segment(s) 1, 3, 5, 6, 10/18/2018

- 0 - 0

MPC has additional concerns regarding the ambiguous term: “designated storage location”. The ultimate objective of CIP-004 R4.1.3 is to protect BCSI, not a server, room, locker, computer, vehicle, etc. BCSI can be anywhere as it is stored, used, and transported. A “designated storage location” is a challenge to define and difficult to audit. A risk-based approach allows an entity to define the risk and the adequacy of the actions taken to mitigate that risk, without confining those actions to prescriptive definitions or an out-of-date or restrictive framework. The term “designated storage location” could be removed from CIP-004 altogether, with all requirements for the protection of BCSI being specified within CIP-011 in a manner similar to what is suggested above.

The examples provided in the SAR are restrictive, burdensome, and costly, and do not allow the entity to address the level of risk posed by a particular situation. MPC is strongly opposed to any language that resembles the examples provided in the SAR. The Cost Impact Assessment notes potential savings due to economies of scale. While this may be true when considering the use of cloud storage, the reality is that highly prescriptive requirements such as the examples that are provided would significantly increase costs without an appropriate risk analysis.

Andy Fuhrman, On Behalf of: Minnkota Power Cooperative Inc. - MRO - Segments NA - Not Applicable

- 0 - 0

DTE Energy - DTE Electric, Segment(s) 5, 4, 3, 2/27/2017

- 0 - 0

Kimberly Van Brimer, On Behalf of: Southwest Power Pool, Inc. (RTO), MRO, WECC, Segments 2

- 0 - 0

NRECA appreciates the efforts of Tri-State G&T and the other members of the NERC Compliance Input Working Group for submitting this SAR.

Barry Lawson, On Behalf of: Barry Lawson, , Segments 3, 4

- 0 - 0

RoLynda Shumpert, On Behalf of: SCANA - South Carolina Electric and Gas Co., SERC, Segments 1, 3, 5, 6

- 0 - 0

Patrick Wells, On Behalf of: OGE Energy - Oklahoma Gas and Electric Co., , Segments 1, 3, 5, 6

- 0 - 0

NV Energy shares EEI's comments that conclusions developed by the “informal team” assembled by the NERC Compliance Input Working Group be referenced within this SAR. While it is clear that a large number of SMEs worked on this effort, their findings and recommendations are neither posted by NERC nor referenced within this SAR.

Additionally, NV Energy is unclear whether the examples provided were developed as part of the informal team that operated under the direction of the NERC Compliance Input Working Group.  

Kevin Salsbury, On Behalf of: Berkshire Hathaway - NV Energy, , Segments 5

- 0 - 0

Leanna Lamatrice, On Behalf of: Leanna Lamatrice, , Segments 3, 5

- 0 - 0

If approved, the following is provided as feedback to the NERC SDT that will be addressing the SAR:

 

Southern Company suggests the SDT consider modifying the glossary definition of BCSI in the section of the defined term that states what is not BCSI to add language to the effect of “encrypted cyphertext without the ability to decrypt or access the encryption key”.  Properly encrypted data is not actual information, but cyphertext and not useable without a “key” to decrypt it.

 

Southern Company also suggests the SDT consider requirements for the use of two-factor authentication when accessing BCSI stored on 3rd party hosted solutions.

 

 

Southern Company, Segment(s) 1, 3, 5, 6, 10/30/2017

- 0 - 0

Support NRECA comments.

Jerry Horner, On Behalf of: Basin Electric Power Cooperative, , Segments 1, 3, 5, 6

- 0 - 0

Rachel Coyne, On Behalf of: Texas Reliability Entity, Inc., , Segments 10

- 0 - 0

LaTroy Brumfield, On Behalf of: American Transmission Company, LLC, , Segments 1

- 0 - 0

RSC no Dominion, Segment(s) 10, 2, 4, 5, 7, 3, 1, 0, 6, 4/26/2019

- 0 - 0

Maryanne Darling-Reich, On Behalf of: Black Hills Corporation - WECC - Segments 1, 3, 5, 6

- 0 - 0

Chinedu Ochonogor, On Behalf of: Chinedu Ochonogor, , Segments 1, 3, 5, 6

- 0 - 0

Constantin Chitescu, On Behalf of: Ontario Power Generation Inc., , Segments 5

- 0 - 0

None

Matthew Nutsch, On Behalf of: Seattle City Light, WECC, Segments 1, 3, 4, 5, 6

- 0 - 0

PSEG REs, Segment(s) 5, 6, 3, 1, 11/2/2017

- 0 - 0

Mark Gray, On Behalf of: Edison Electric Institute, NA - Not Applicable, Segments NA - Not Applicable

- 0 - 0

The NYISO offers the following feedback on the SAR.

INDUSTRY NEED SECTION:

NYISO contends that the standard revision should be specific to storage of BCSI.  This would include modifications to support the use of encryption as an acceptable level of protection for data being stored within third party infrastructure. 

PURPOSE OR GOAL SECTION:

NYISO contends that encryption is already recognized as a means to protect BCSI. Under CIP-011-2 R2, Part 2.1, encryption is listed as a means to prevent “unauthorized retrieval” of BCSI. Unauthorized retrieval is basically the same concept as unauthorized access.

DETAILED DESCRIPTION SECTION:

The use of encryption to ensure both integrity and confidentiality at a minimum should be the focus.

Modifications to the standards should include the establishment of acceptable levels of encryption, the management of keys, the establishment and testing of encryption for data stored and in transit to/from third party providers of cloud storage.   

CIP modifications need to provide clarity in establishing what obligations the responsible entity would have in order to establish and maintain compliance and what aspects could be left to the third party provider of cloud storage.

Modifications should include noting contractual provisions that would need to be in place to assure the controls are in place (i.e. testing, alerting) and what obligations the third party provider would have as it pertains to data destruction once the contractual relationship is terminated.

ALTERNATIVES SECTION:

NYISO agrees with the concept of Example #1, but requests clarification on the inclusion of “virtual or non-virtual environment” on Example #1.

ADDITIONAL COMMENTS:

One area that should be considered is to address the geographical location of BCSI stored with a third party (aka cloud). Requirements should be drafted for entities to evaluate the geographic location of hosted solutions in their risk assessment of the service.

Any requirement language should include provisions of a CIP Exceptional Circumstance in addressing access controls under CIP-004.

 

 

Gregory Campoli, On Behalf of: New York Independent System Operator, , Segments 2

- 0 - 0

Glenn Barry, On Behalf of: Los Angeles Department of Water and Power, , Segments 1, 3, 5, 6

- 0 - 0