The proposed CIP updates outlining cybersecurity requirements for virtual environments is now available for review at the link below.Â
I have to say, after reading these changes to address virtual environments, it's going to be really difficult to implement some of these controls and prove that an entity is in compliance during a NERC/FERC audit. I was trying to think of an analogy to describe this challenge. This is almost equivalent to asking a cook with a bowl of scrambled eggs to extract each egg and put it back into its original shell.
For example, memory is a hardware device that is shared by all processes, how will a NERC jurisdictional entity prove that no memory was shared. Good luck with that one, operating systems optimize memory all the time and there is no way, that I'm aware of, to tell an OS to never share physical memory across processes.Â
Â