Part of Energy & Sustainability Network »

The Energy Collective Group

This group brings together the best thinkers on energy and climate. Join us for smart, insightful posts and conversations about where the energy industry is and where it is going.

Shared Link

Cloud providers are wasting their time pursuing NERC CIP

Richard Brooks's picture
Richard Brooks 104,001
Co-Founder and Lead Software Engineer, Reliable Energy Analytics LLC

Dick Brooks is the inventor of patent 11,374,961: METHODS FOR VERIFICATION OF SOFTWARE OBJECT AUTHENTICITY AND INTEGRITY and the Software Assurance Guardian™ (SAG ™) Point Man™ (SAG-PM™) software...

  • Member since 2018
  • 1,534 items added with 670,596 views
  • Nov 22, 2021
  • 730 views

I completely agree with Tom Alrich, an industry expert on NERC CIP-013-1 Supply Chain standards, that cloud providers are wasting their time pushing for Bulk Electric System entities under NERC jurisdiction to use the cloud infrastructure for NERC CIP compliance.

I do see a supporting role for cloud services to assist an entity with implementation of their NERC CIP Supply Chain controls, but it's not what the cloud providers are suggesting in the AWS report that Tom identifies.

Cloud providers are wasting their time pursuing NERC CIP

Don't look for Medium and High impact BES Cyber Systems to be "legal" in the cloud under CIP anytime soon.

Read More
Source: energycentral.com
Discussions
Bob Meinetz's picture
Bob Meinetz on Nov 22, 2021

From Tom's article:

"Like the document and presentation that Microsoft Azure prepared for the NERC CIPC (remember the CIPC?) in around 2016, AWS seems to think that what needs to be done is just convince NERC and utilities that AWS has good security."

Richard, I had to laugh when I saw Microsoft, the company whose Exchange server was responsible for tens of thousands of (successful) ransomware attacks last year, was promoting security in the cloud. Other than a foreign government ransoming the U.S. to turn its electricity back on, what could possibly go wrong?

Richard Brooks's picture
Richard Brooks on Nov 23, 2021

Bob, I know from my experiences developing software since 1979 that it's rather easy to introduce unintended taint in a program. The notorious buffer overflow is a prime example, which many C programmers have unintentionally put into their code, without realizing. I don't envy Microsoft's position; there must be millions of potential vulnerabilities laying around, with all the software in their possession. The M$ Exchange vulnerability is particularly dangerous and easily exploitable, as you point out.

Bob Meinetz's picture
Bob Meinetz on Nov 23, 2021

Agree, Richard. I think Microsoft's original sin was selling system software separately from the equipment on which it ran. But hindsight is 20/20, and in the early 1980s the ease with which DOS could be hacked was a feature. Developers could essentially add their own options to MS software (by hacking the Microsoft File Allocation Table in 1984, I was able to create a niche Terminate-But-Stay-Resident (TSR) program that predated Windows). Overall, it probably helped to advance personal computing.

Apple's long-term strategy of forcing customers to buy integrated software/hardware solutions ultimately paid off, however. Though Mac integrated solutions are still more expensive, companies are realizing that security holes can be more so - that sometimes, they can be disastrous.

Richard Brooks's picture
Richard Brooks on Nov 26, 2021

The good old days Bob, when you could hook an interrupt and nothing stopped you. Go ahead create that TSR program, I think it was INT(10), if memory serves me well - which it probably doesn't. I think INT(13) became the replacement - but those are some very old (and abused) brain cells I'm calling into action. I'm sure I could verify this with a google search, but it's late in the day on a Friday, and I'm running out of steam. Have a good weekend.

Richard Brooks's picture
Thank Richard for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »

Your access to Member Features is limited.

Apply for membership
Related Content
The need for correct, authenticated pressure measurements for reliability, safety, and cyber security
Stop Passing the Buck on Cybersecurity
300 million!
CISA’s got a plan to strengthen corporate cybersecurity
Recent Comments
Matt Chester
Matt commented on ...
Wind and solar generated more electricity than gas or coal in the EU in 2022
The pivot point is upon us, that seems clear
Jim Stack
Jim commented on ...
How to accelerate the global energy transition
The best way we could speed the transition to renewable energy would be to stop subsidizing COAL and OIL and Nuclear.
Sandy Lawrence
Sandy commented on ...
Nuclear Power Getting a New Look in a Zero Carbon-Driven World
Vogtle reactors 3 + 4 under construction are identical Westinghouse 4-Loop reactors with a combined nameplate capacity of 2430 megawatts, about 2.
David Svarrer
David commented on ...
Is nuclear essential to achieving our climate goals?
Dear Tony. We are many who know into the intestines of the indeed enormous benefits of nuclear power.