With regard to BCSI (Bulk Electric System (BES) Cyber System Information) in the cloud, responsible entity sentiments at the moment may be akin to Prince Hamlet's as he contemplated death and suicide, “bemoaning the pain and unfairness of life but acknowledging that the alternative might be worse.”
As currently written and subject to enforcement, components of CIP-011-2 quite frankly make it nearly impossible to be compliant when designating a cloud-hosted BCSI repository, much less when actually choosing to store documentation classified as such in your favorite Document Management SaaS.
I won’t debate whether or not this is a decision any responsible and security-conscious steward of BCSI would make lightly, but it is an inevitability that the question will be posed to those of you who are Tripwire admins. From purely a compliance monitoring perspective, I wanted to take some time to enlighten you about some capabilities in the Tripwire suite of solutions that you can leverage. But first, a word on the Standard Drafting Team’s (SDT) recent activity.
On January 16th, 2020, the SDT held a webinar titled “BES Cyber System Information Access Management” to report on the progress of the new CIP-011 draft and solicit industry comment. A recording is available here, and the slides can be found here.
As a Tripwirean (not sure if this is a newly minted term?), I was particularly intrigued by a newly proposed sub-requirement, CIP-011-3 R1.4. This is focused on risk and requires the entity to perform a risk assessment to figure out how to protect the BCSI they will store in the cloud based on the risk it presents. It starts off with “Process(es) to identify, assess, and mitigate risks in cases where vendors store Responsible Entity’s BES Cyber System Information.”