With regard to BCSI (BES (Bulk Electric System) Cyber System Information) in the cloud, responsible entity sentiments at the moment may be akin to Prince Hamlet as he contemplated death and suicide, “bemoaning the pain and unfairness of life but acknowledging that the alternative might be worse.”
As currently written and subject to enforcement, components of CIP-011-2 quite frankly make it nearly impossible to remain compliant when designating a cloud-hosted BCSI repository, let alone when actually storing documents classified as BCSI in your favorite document-management SaaS.
I won’t debate whether this is a decision any responsible, security-conscious steward of BCSI would make lightly, but it is inevitable that the question will be put to those of you who are Tripwire admins. From a purely compliance-monitoring perspective, I wanted to take some time to walk you through capabilities in the Tripwire suite of solutions that you can leverage. But first, a word on the Standard Drafting Team’s (SDT) recent activity.
On January 16th, 2020 the SDT held a webinar titled “BES Cyber System Information Access Management” to report on the progress of the new CIP-011 draft and solicit industry comment. A recording is available here, and the slides can be found here.
As a Tripwirean (not sure if this is a newly minted term?), I was particularly intrigued by a newly proposed sub-requirement, CIP-011-3 R1.4. The requirement is risk-focused: the entity must assess the risk presented by BCSI it intends to store in the cloud and decide how to protect it accordingly. It starts off with “Process(es) to identify, assess, and mitigate risks in cases where vendors store Responsible Entity’s BES Cyber System Information.”
- 1.4.1 Perform initial risk assessments of vendors that store the Responsible Entity’s BES Cyber System Information; and
- 1.4.2 At least once every 15 calendar months, perform risk assessments of vendors that store the Responsible Entity’s BES Cyber System Information; and
- 1.4.3 Document the results of the risk assessments performed according to Parts 1.4.1 and 1.4.2 and the action plan to remediate or mitigate risk(s) identified in the assessment, including the planned date of completing the action plan and the execution status of any remediation or mitigation action items.”
To put it simply, the entity has to do a risk assessment of the cloud provider to determine if they have an appropriate level of security such that the entity is comfortable that any residual risk to BCSI stored with the provider is low. This sounds like a job for Tripwire Enterprise!
Additionally, we cannot dismiss a recent 2018 notice of penalty against a utility in the WECC region for accidental exposure of sensitive data resulting in a $2.7M penalty. The data was copied to a contractor’s network where it was ultimately exposed.
All that being said, how could a TE administrator leverage their solution to monitor their cloud infrastructure security and perform an automated risk assessment to help satisfy the forthcoming CIP-011-3 R1.4 requirements? Well, lucky for you, the Cloud Management Assessor (CMA) exists for that reason!
CMA can assist with ensuring the secure configuration of your Amazon Web Services (AWS), Azure and Google Cloud Platform (GCP) accounts and assess those configurations against the canned Center for Internet Security (CIS) policies available on the Tripwire Customer Center today. It can also assess the configuration of AWS S3, Azure Blob Storage and GCP Cloud Storage buckets and track their content for unauthorized changes. (This helps avoid the accidental data exposure that most often occurs when a storage location is made publicly readable.) Since technical controls underpin the risk assessment, CMA is worth strong consideration for CIP-011-3 R1.4. Moreover, CMA fits an automated assessment approach, and its results fold seamlessly into existing evidence-reporting practices with Tripwire Enterprise.
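To make the two storage checks concrete, here is an added example of the logic behind them, written for this post rather than taken from CMA or any Tripwire product. It evaluates a constructed S3 bucket policy, ACL grant list and Public Access Block configuration (all sample data, not a real account) for anonymous read access, taking into account that `IgnorePublicAcls` neutralizes a public ACL while `RestrictPublicBuckets` neutralizes a public policy, and then fingerprints object contents with SHA-256 to report drift against a baseline. All function and sample names are assumptions for illustration; in practice the inputs would come from the provider's API or from an assessment tool's evidence export.

```python
import hashlib
import json

# Constructed sample inputs (not real account data): a bucket policy carrying an
# accidental anonymous-read statement, an ACL grant to AllUsers, and a
# partially disabled Public Access Block.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OpsRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/OpsRole"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::bcsi-docs", "arn:aws:s3:::bcsi-docs/*"]},
        {"Sid": "PublicRead", "Effect": "Allow",
         "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::bcsi-docs/*"},
    ],
}
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
SAMPLE_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
}
# Constructed object contents for the drift check: one file edited, one added.
BASELINE_OBJECTS = {
    "substation-a/network-diagram.pdf": b"diagram v1",
    "substation-a/relay-settings.csv": b"IED1,192.0.2.10\n",
}
CURRENT_OBJECTS = {
    "substation-a/network-diagram.pdf": b"diagram v1",
    "substation-a/relay-settings.csv": b"IED1,192.0.2.10\nIED2,192.0.2.11\n",
    "substation-a/notes.txt": b"scratch",
}

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} style grants, i.e. anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def policy_public_statements(policy):
    """Allow statements whose principal is everyone. A statement with a
    Condition is still reported: the condition may narrow the grant, but a
    reviewer must confirm that rather than assume it."""
    return [{"sid": st.get("Sid", "<no Sid>"),
             "actions": _as_list(st.get("Action", [])),
             "conditional": "Condition" in st}
            for st in _as_list(policy.get("Statement", []))
            if st.get("Effect") == "Allow"
            and _principal_is_public(st.get("Principal", {}))]


def acl_public_grants(grants):
    """ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return [g for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]


def public_access_block_gaps(config):
    """Public Access Block settings that are not enabled."""
    return [name for name in PAB_SETTINGS if not config.get(name, False)]


def assess_bucket(policy, grants, pab):
    """Combine the three checks the way a CIS-style storage check would."""
    statements = policy_public_statements(policy)
    public_acl = acl_public_grants(grants)
    gaps = public_access_block_gaps(pab)
    return {
        "public_policy_sids": [s["sid"] for s in statements],
        "public_acl_permissions": [g["Permission"] for g in public_acl],
        "public_access_block_gaps": gaps,
        # A public grant only matters if the account-level block does not override it.
        "exposed_via_policy": bool(statements) and "RestrictPublicBuckets" in gaps,
        "exposed_via_acl": bool(public_acl) and "IgnorePublicAcls" in gaps,
    }


def content_fingerprints(objects):
    """Map object key -> SHA-256 of its bytes; this is the stored baseline."""
    return {key: hashlib.sha256(data).hexdigest() for key, data in objects.items()}


def content_drift(baseline, current):
    """Compare two fingerprint maps and report added/removed/modified keys."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


if __name__ == "__main__":
    print(json.dumps(assess_bucket(SAMPLE_POLICY, SAMPLE_ACL_GRANTS,
                                   SAMPLE_PUBLIC_ACCESS_BLOCK), indent=2))
    print(json.dumps(content_drift(content_fingerprints(BASELINE_OBJECTS),
                                   content_fingerprints(CURRENT_OBJECTS)), indent=2))
```

On the sample data the ACL grant to AllUsers is reported but not counted as an exposure, because `IgnorePublicAcls` is on, while the `PublicRead` policy statement is a live exposure because `RestrictPublicBuckets` is off. Reporting the overridden grant anyway matters for evidence: if someone later relaxes the Public Access Block, the dormant grant becomes an exposure without any change to the bucket itself.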
Anecdotally, some entities have already taken the plunge and have successfully begun storing BCSI in the cloud. If you’re one of these early implementers, we would love to hear your story. Contact us via Twitter, Facebook or LinkedIn. If you’ve considered undertaking this feat (either now or in the future when the rewritten standards become subject to enforcement), we would also love to hear about your perspective, as well.