Part of Energy & Sustainability Network »

The Energy Collective Group

This group brings together the best thinkers on energy and climate. Join us for smart, insightful posts and conversations about where the energy industry is and where it is going.

Shared Link

Cloud providers are wasting their time pursuing NERC CIP

Richard Brooks's picture
Richard Brooks 106310
Co-Founder and Lead Software Engineer Reliable Energy Analytics LLC

Inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software and SAGScore™...

  • Member since 2018
  • 1,462 items added with 612,739 views
  • Nov 22, 2021
  • 602 views

I completely agree with Tom Alrich, an industry expert on NERC CIP-013-1 Supply Chain standards, that cloud providers are wasting their time pushing for Bulk Electric System entities under NERC jurisdiction to use the cloud infrastructure for NERC CIP compliance.

I do see a supporting role for cloud services to assist an entity with implementation of their NERC CIP Supply Chain controls, but it's not what the cloud providers are suggesting in the AWS report that Tom identifies.

Cloud providers are wasting their time pursuing NERC CIP

Don't look for Medium and High impact BES Cyber Systems to be "legal" in the cloud under CIP anytime soon.

Read More
Source: energycentral.com
Richard Brooks's picture
Thank Richard for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member
Discussions
Spell checking: Press the CTRL or COMMAND key then click on the underlined misspelled word.
Bob Meinetz's picture
Bob Meinetz on Nov 22, 2021

From Tom's article:

"Like the document and presentation that Microsoft Azure prepared for the NERC CIPC (remember the CIPC?) in around 2016, AWS seems to think that what needs to be done is just convince NERC and utilities that AWS has good security."

Richard, I had to laugh when I saw Microsoft, the company whose Exchange server was responsible for tens of thousands of (successful) ransomware attacks last year, was promoting security in the cloud. Other than a foreign government ransoming the U.S. to turn its electricity back on, what could possibly go wrong?

Richard Brooks's picture
Richard Brooks on Nov 23, 2021

Bob, I know from my experiences developing software since 1979 that it's rather easy to introduce unintended taint in a program. The notorious buffer overflow is a prime example, which many C programmers have unintentionally put into their code, without realizing. I don't envy Microsoft's position; there must be millions of potential vulnerabilities laying around, with all the software in their possession. The M$ Exchange vulnerability is particularly dangerous and easily exploitable, as you point out.

Bob Meinetz's picture
Bob Meinetz on Nov 23, 2021

Agree, Richard. I think Microsoft's original sin was selling system software separately from the equipment on which it ran. But hindsight is 20/20, and in the early 1980s the ease with which DOS could be hacked was a feature. Developers could essentially add their own options to MS software (by hacking the Microsoft File Allocation Table in 1984, I was able to create a niche Terminate-But-Stay-Resident (TSR) program that predated Windows). Overall, it probably helped to advance personal computing.

Apple's long-term strategy of forcing customers to buy integrated software/hardware solutions ultimately paid off, however. Though Mac integrated solutions are still more expensive, companies are realizing that security holes can be more so - that sometimes, they can be disastrous.

Richard Brooks's picture
Richard Brooks on Nov 26, 2021

The good old days Bob, when you could hook an interrupt and nothing stopped you. Go ahead create that TSR program, I think it was INT(10), if memory serves me well - which it probably doesn't. I think INT(13) became the replacement - but those are some very old (and abused) brain cells I'm calling into action. I'm sure I could verify this with a google search, but it's late in the day on a Friday, and I'm running out of steam. Have a good weekend.

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »

Your access to Member Features is limited.

Apply for membership
Related Content
What’s the best SBOM? No SBOM. What’s the best VEX? No VEX.
9 ½ years!
What are NERC CIP Supply Chain Standards? An Overview of New Compliance Regulations
Beware the Cost of Data Breaches
Recent Comments
Matt Chester
Matt commented on ...
Weekly Energy Video Week 2 August 2022: NRC to Approve NuScale Modular Nuclear Reactor Design
   17 states, plus Washington DC and Quebec sign onto action plan for 100% electric medium and heavy-duty vehicles by 2050, calling for: more...
Mark Silverstone
Mark commented on ...
Storing energy on a massive scale!
Really interesting video. Northfield is a remarkable facility. Thanks for the info.Yes, there is hope!
JESSE NYOKABI
JESSE commented on ...
SOLAR FOR GREEN HYDROGEN
Spot on.
Matt Chester
Matt commented on ...
Storing energy on a massive scale!
Sometimes it's too easy to take for granted the innovation we see happening in real-time, but this explains that area (both the need and the...