Can Cyber Data be Stored in the Cloud?
Updated: Aug 18, 2020
With the redesign and update of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards and the changes to the NERC Glossary of Terms that occurred on July 1st, 2016, there has been some debate within the industry on whether or not information can be stored in the cloud. Each entity makes this decision based on its individual corporate posture, but the decision usually considers, at a minimum, compliance with all NERC CIP Standards the entity is responsible for. Responsibility for each Standard is based on the entity’s Impact Rating determination.
In general, most information that entities collect can be stored in the cloud safely and still be compliant with the current set of CIP Standards. For entities that have additional CIP requirements to comply with due to their Impact Rating determination, most information can still be stored in the cloud, but they may need to take specific actions (i.e., scrubbing parts of the data) prior to exporting the data into cloud storage. Once these actions are taken, the data can be stored in the cloud and the entity can confidently state they are compliant.
NERC has listened to the industry and is currently reviewing and editing two CIP standards to address exactly how information considered “sensitive” can be stored in the cloud. The goal of this review is to clarify the CIP requirements related to “sensitive” information access, to allow for additional methods, such as encryption, to be applied in the protection of the “sensitive” information. This is just one example of how NERC is changing with the times and addressing the new normal.
NERC itself is even jumping on the idea of cloud storage. NERC is currently implementing the Align Project, and the goal of this Program is to improve and standardize processes across the industry by creating a single platform where all registered entities will submit their compliance evidence. NERC has decided that this platform will be stored in the cloud. When asked where the Align tool will be hosted, NERC responded by stating “The Align infrastructure is provided by a fedRAMP-certified cloud services provider, while the application and other services are installed on a private VLAN within this infrastructure. The virtualization layer of the solution and the application data will be encrypted.” This response shows that there is a way to securely store information in the cloud that NERC is utilizing itself and therefore endorsing.
With the current changes underway, the debate on cloud storage will be old news and most, if not all, entities will be storing their information in the cloud with no questions pertaining to CIP Standard compliance in the near future. Storage of information in the cloud is just one example of how NERC is trying to keep up with the evolution of technology, while still keeping the grid secure with the enforcement of the NERC CIP standards.