Security Guideline-Cloud Computing
Supply Chain
Risks Related to Cloud Service Providers
The objective of the reliability guidelines is to distribute key practices and information on specific issues
critical to promoting and maintaining a highly reliable and secure bulk power system (BPS). Reliability
guidelines are not binding norms or parameters; compliance with them is not monitored or enforced the way
compliance with NERC’s Reliability Standards is. Rather, their incorporation into industry practices is strictly
voluntary.
Introduction
Cloud computing offerings, defined as those which enable “ubiquitous, convenient, and on-demand
network access to a shared pool of configurable computing resources” [i], have been introduced to the
market over the past decade. In some cases, this model has created the potential to reduce costs
and increase efficiency, but as with any major technological change, it has also brought a range of risks and
security factors that must be considered. Recognizing that the electricity subsector is among the potential
customer base for many of these new technologies, engagement and partnerships between the vendor
community and the electricity subsector are highly important – particularly given the rate at which these
technologies and offerings evolve. Vigilance and oversight from all parties are essential to both identify
and address the risks associated with this paradigm shift.
This guideline presents some supply chain risk considerations associated with cloud computing. It is not
intended to endorse hosting Bulk Electric System (BES), BES Cyber Systems (BCS) or BCS Information
(BCSI) in the cloud. Rather, this guideline is provided to support entities in their evaluation of the supply
chain risks associated with vendors providing or utilizing cloud services.
Service Level - Cloud service solutions are available in various configurations and may involve multiple
tiers of vendors. The service model chosen should be considered and proper service level agreements
established commensurate with the value or sensitivity of the data being stored. Organizations should clearly
understand their tolerance for interruptions in service. The National Institute of Standards and Technology
(NIST) provides a number of resources for helping an entity categorize the importance of information
being stored in the cloud. For example, NIST publication FIPS 199 [iii] uses the security objectives of
confidentiality, integrity, and availability to assess risk and categorize information.
Among the practices and controls a vendor and entity should implement are:
• Mitigate the effects of denial of service attacks and unauthorized access to information.
• Ensure individuals who have access protect the information entrusted to them.
• Ensure data is not modified by accidental or unauthorized means. This would include ensuring
each client’s data is segregated from other clients’ data.
Security Controls - The entity should identify the demarcation point of security controls between the
vendor and the entity, in order to establish the scope of the cloud service provider’s (CSP’s) security controls
and of the entity’s own security controls for the cloud services. A security controls gap analysis will assist the
entity in determining incident response and recovery strategies. Refer to the security frameworks addressed
below under “Verifications/Certifications.”
Service Model – CSPs’ service offerings include Infrastructure as a Service (IaaS), Platform as a Service
(PaaS), and Software as a Service (SaaS). Organizations can select the service model that best satisfies their
needs, but it is important to perform due diligence and analysis of the services to be provided.
Each layer of cloud services (IaaS, PaaS, and SaaS) may encompass shared responsibility, meaning each
layer of the cloud stack may be provided by different vendors. Therefore, a vendor providing cloud
services may also be relying on other CSPs to support different service models. For example, an entity
could choose a SaaS vendor that is using another vendor for IaaS. Thus, while an entity may think its
attack surface includes only the SaaS vendor, there may actually be three vendors providing SaaS, PaaS
and IaaS.
An entity should always seek to understand what aspects of the cloud service are being provided by the
vendor or CSP and whether third parties are critical to that service delivery. Instituting clauses in contracts
or supplements, as well as asking questions in a risk assessment as to the number and types of vendors
the service provider uses to provide cloud services, is vital to understanding and addressing the actual risk
in the relationship.
Security Guideline for the Electricity Sector - Supply Chain | Risks Related to Cloud Service Providers 2
Approved by the Critical Infrastructure Protection Committee on December 10, 2019
Data Sovereignty - Data may be restricted legally from being stored in or routed through foreign
jurisdictions depending on data classification, sensitivity, ownership, and other factors. Such restricted
data may reside on servers that are accessible to and monitored by government entities. As a result,
organizations should ensure that agreements with CSPs include a high level of transparency. See
“Regulatory Limitations” below for additional information.
Regulatory Limitations – While the goal is always to reduce risk, there may be legal constraints that
limit the extent to which mitigations can be applied to cloud-based services. Regulations that prohibit the
vendor from customizing certain aspects of its service offerings may present inherent limitations to
mitigations that could otherwise be applied. One notable example is “eTag” – a specification required by
the North American Energy Standards Board [iv]. Consider issues like these when assessing risks.
Vendors adhering to security standards or frameworks should provide an attestation report from a
certified and independent third-party auditor on controls relevant to security, availability, processing
integrity, and confidentiality. It is a best practice to ensure the evaluation was conducted according to the
rules published by the standard’s governing authority. It is also imperative to understand the scope of the
products and services that are covered under the certification.
Alternatives to the above-mentioned certifications or third-party attestations include the vendor’s
assessment of its own controls in response to an entity questionnaire or onsite inquiry. A greater level of
scrutiny should be applied with the security questionnaire method, since it lacks independent verification of
the information being provided by the vendor.
It is important to note the direct relationship between the burden of proving security that is placed on
vendors and the cost of services. This is an important consideration when choosing the proper
verification/certification method. A program like FedRAMP imposes the greatest burden on the vendor,
which is attractive from a security standpoint, but could be very costly too. At the other extreme, a
security questionnaire can be very cost-effective, but lacks the impartiality of an independent third-party
review. In other words, there is a tradeoff between risk and cost associated with all of the verification
methods discussed above.
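The two ideas above that lend themselves to a worked example are the layered supply chain (an entity's SaaS vendor relying on a PaaS vendor, which relies on an IaaS vendor) and the trade-off between verification methods, together with the FIPS 199 categorization mentioned under "Service Level". The following Python is an added example and is not code from the guideline or from NERC. It assumes a small vendor registry in which each vendor records its verification method (a questionnaire, a third-party attestation report, or a FedRAMP authorization), the services its audit scope actually covers, and the services it relies on from other vendors; every vendor name, service name and impact level in the registry is constructed sample data. The walk over the dependency graph and the weakest-link roll-up are the part a practitioner would reuse: a service the chain relies on that sits outside the dependency's attestation scope is reported as a gap rather than silently counted as verified.

```python
"""Roll up supply-chain visibility for a layered cloud service.

Added example, not part of the NERC guideline. Vendor names, services,
verification methods and impact levels below are constructed sample data.
"""
from dataclasses import dataclass

# FIPS 199 impact levels. The overall security category of an information
# type is the high-water mark (the maximum) across the three objectives.
IMPACT_ORDER = {"LOW": 1, "MODERATE": 2, "HIGH": 3}

# Verification methods ranked by independence of the evidence, following the
# guideline's trade-off: a questionnaire is self-reported, an attestation is
# independently audited, FedRAMP imposes the greatest burden on the vendor.
VERIFICATION_RANK = {"NONE": 0, "QUESTIONNAIRE": 1,
                     "THIRD_PARTY_ATTESTATION": 2, "FEDRAMP": 3}


@dataclass(frozen=True)
class Vendor:
    name: str
    layer: str                                   # "SaaS", "PaaS" or "IaaS"
    verification: str = "NONE"                   # key of VERIFICATION_RANK
    attestation_scope: frozenset = frozenset()   # services the audit report covers
    depends_on: tuple = ()                       # (vendor_name, service_relied_on) pairs


def fips199_category(confidentiality, integrity, availability):
    """Return the FIPS 199 security category: the highest impact level assigned
    to confidentiality, integrity or availability (the high-water mark)."""
    levels = (confidentiality, integrity, availability)
    unknown = [lvl for lvl in levels if lvl not in IMPACT_ORDER]
    if unknown:
        raise ValueError(f"unknown impact level(s): {unknown}")
    return max(levels, key=IMPACT_ORDER.__getitem__)


def supply_chain(registry, root):
    """Every vendor reachable from `root` through depends_on edges, in
    discovery order. A visited set keeps the walk safe on cyclic or shared
    dependencies; an edge to an unregistered vendor is an error, because an
    unknown vendor is exactly the blind spot the assessment should expose."""
    if root not in registry:
        raise ValueError(f"unregistered vendor: {root}")
    seen, order, stack = set(), [], [root]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        order.append(name)
        for dep_name, _service in registry[name].depends_on:
            if dep_name not in registry:
                raise ValueError(f"{name} depends on unregistered vendor {dep_name}")
            stack.append(dep_name)
    return order


def assess(registry, root):
    """Weakest-link roll-up over the chain: the effective verification level is
    the lowest-ranked method among the root and every dependency edge. An edge
    whose relied-on service is outside the dependency's attestation scope (or
    whose dependency has no verification at all) is reported as a gap instead
    of being counted as verified."""
    chain = supply_chain(registry, root)
    ranks = [VERIFICATION_RANK[registry[root].verification]]
    gaps = []
    for name in chain:
        for dep_name, service in registry[name].depends_on:
            dep = registry[dep_name]
            if dep.verification == "NONE" or service not in dep.attestation_scope:
                gaps.append((dep_name, service))
            else:
                ranks.append(VERIFICATION_RANK[dep.verification])
    weakest = min(ranks)
    method = next(m for m, r in VERIFICATION_RANK.items() if r == weakest)
    return {"chain": chain, "effective_verification": method, "scope_gaps": gaps}


# Constructed registry: the entity contracts one SaaS vendor, which relies on a
# PaaS vendor, which relies on an IaaS vendor, so three vendors end up in the
# attack surface, as the guideline warns. Every name here is invented.
SAMPLE_REGISTRY = {
    "app-saas": Vendor("app-saas", "SaaS", "THIRD_PARTY_ATTESTATION",
                       frozenset({"app"}), (("platform-co", "managed-db"),)),
    "platform-co": Vendor("platform-co", "PaaS", "THIRD_PARTY_ATTESTATION",
                          frozenset({"managed-db", "functions"}),
                          (("infra-co", "compute"), ("infra-co", "object-storage"))),
    # FedRAMP-authorized, but the authorization boundary names only compute.
    "infra-co": Vendor("infra-co", "IaaS", "FEDRAMP", frozenset({"compute"})),
}

if __name__ == "__main__":
    report = assess(SAMPLE_REGISTRY, "app-saas")
    print("vendors in chain:", report["chain"])
    print("effective verification:", report["effective_verification"])
    print("scope gaps (vendor, service):", report["scope_gaps"])
    print("FIPS 199 category for LOW/MODERATE/LOW data:",
          fips199_category("LOW", "MODERATE", "LOW"))
```

Run stand-alone, the sample reports three vendors in the chain, an effective verification level of THIRD_PARTY_ATTESTATION (the SaaS and PaaS attestations, not the IaaS vendor's FedRAMP authorization, set the floor), and one scope gap: the object storage the PaaS vendor relies on is not inside the IaaS vendor's FedRAMP boundary. That last finding is the kind of question the guideline says to put into the contract or risk-assessment questionnaire.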
Response and Recovery - Incident response and recovery plans should identify responsibilities and
points of contact for both organizations so that each can respond appropriately to security incidents and interruptions of
service. The service level agreement should clearly define security incidents and expectations of all parties
involved.
For further information and references, visit the NERC Supply Chain Risk Mitigation Program site [xi].
[i] National Institute of Standards and Technology (NIST) Special Publication (SP) 800-145, NIST Definition of Cloud Computing
[ii] https://www.us-cert.gov/ncas/alerts/TA18-004A
[iii] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf
[iv] https://www.naesb.org/
[v] https://www.iso.org/isoiec-27001-information-security.html
[vi] https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final
[vii] https://www.nist.gov/cyberframework
[viii] https://cloudsecurityalliance.org/star/
[ix] https://www.fedramp.gov/
[x] https://cloudsecurityalliance.org/articles/cloud-security-alliance-announces-fedstar-a-new-joint-certification-system-with-fedramp/
[xi] https://www.nerc.com/pa/comp/Pages/Supply-Chain-Risk-Mitigation-Program.aspx
[xii] https://www.sdxcentral.com/cloud/definitions/what-are-cloud-service-providers/
[xiii] https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
[xiv] https://www.us-cert.gov/ncas/alerts/TA18-004A
[xv] https://azure.microsoft.com/en-us/overview/what-is-saas/
[xvi] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf