Image courtesy of kanawatvector from Getty Images via Canva
What is the TRM High Security Cloud and how does it support the numerous cybersecurity standards that are either available or required depending upon the industry you are in? The quick answer is TRM has been providing high-security cloud solutions, across industries, for several years, starting with FedRAMP sponsored by IBM. The regulations and/or best practices of the industry your organization does business within may dictate the cybersecurity rules that need to be followed… or they may be optional. Before we discuss what TRM has to offer, it is important to understand what some of the cybersecurity standards and requirements are and how they may impact your adoption of cloud environments for your software solutions. Let’s get into NERC CIP and NIST CSF.
NERC is the North American Electric Reliability Corporation, a not-for-profit international regulatory authority, subject to oversight by the Federal Energy Regulatory Commission (FERC) in the USA, and governmental authorities in Canada.
NERC develops reliability standards using an industry-driven and ANSI-accredited process. The standards focus on a results-based approach of which elements are performance, risk management, and the capabilities of the utility.
CIP, the Critical Infrastructure Protection family of NERC standards, is focused on the management of security of the Bulk Electric System (BES) in North America. This family of standards is required by law and compliance is mandatory.
CIP standards require adherence to a baseline set of cybersecurity controls that are used to protect not only the BES, but also its users and other stakeholders. Reducing the risks to the system from compromises due to cybersecurity breaches is the primary goal.
Identifying critical assets and performing risk assessments
Establishing and following cybersecurity policies and performing risk management
Implementing electronic access controls
Managing and reporting cybersecurity incidents, response, and recovery
For example, a critical asset is nearly anything that if destroyed, degraded, or made unavailable would affect the reliability or operability of the BES.
Given the acceleration of regulated organizations moving their IT systems and software to the Cloud, it is imperative that the cloud host be able to provide the same (or higher) levels and controls as required by NERC CIP, for example, as those with on-premises environments.
NIST CSF has its own framework for organizing the approach to cybersecurity risk. Specifically:
Identification
Protection
Detection
Response
Recovery
For example, a system component inventory (Identification) would include all components of the system to the level necessary for tracking and reporting.
NIST Special Publications 800-53 (revision 5) and 800-171 are of interest to not only federal government agencies, but also those commercial entities who wish to adopt these standards. NIST compliance is more than just an interest of government agencies and contractors, it is a requirement. However, it is a structured and cost-effective approach to cloud security for commercial entities who have elevated security needs. It is well suited for non-government entities, such as utilities, pharmaceutical companies, and other regulated industries.
Cloud hosts, such as TRM, have had NIST CSF controls in place for several years. This experience and process discipline is directly applicable to the ability to work with clients and their specific cybersecurity needs. Much time and effort can be saved by adopting proven measures that are already in place vs. having to develop your own.
Are NERC CIP and NIST CSF the Same?
Yes and no. Yes, in the sense that they have similar goals… reducing the potential and risks of cybersecurity breaches. No, in the sense that they take slightly different approaches in achieving those goals… and NERC CIP is required by law for those entities in the electricity industry while NIST is not.
For example, the NERC CIP-002 is focused on Asset Inventory (the list of assets that play a role in the BES that could be affected by a cyber-attack). Related NIST CSF elements are the AM 1-4, (Physical devices) BE-4 (Dependencies), and RA-4 (Risk assessment). The list goes on as the spreadsheet shows, but there is a clear mapping between these two approaches to cybersecurity. If you are following one, with a little focused work you will be able to follow the other and vice versa.
Here is a link to the publicly available mapping of NIST CSF and NERC CIP from NIST. It clearly shows how the two standards relate.
Image courtesy kanawaTH via Canva
How Does the TRM High Security Cloud Solution Support These Standards?
Note that the NERC CIP and the NIST CSF approaches may use slightly different terminology, the framework and the desired results are nearly the same. Both are risk and results based. Both have been and continue to be developed with a high level of industry involvement.
As a side note, TRM was instrumental in the establishment and accreditation of the FedRAMP high-security cloud solution offered by IBM. Further, TRM continues to manage that environment on behalf of IBM. As such, TRM is uniquely qualified to host high-security cloud solutions for not only the federal government, but also for commercial concerns looking to maintain or increase their cybersecurity posture as they move into the cloud.
In case you were not aware, FedRAMP is a program designed to satisfy NIST CSF compliance enabling the rapid deployment of a secure solution in the cloud. FedRAMP solutions are already certified. A list of FedRAMP approved solutions is available on the FedRAMP marketplace.
However, FedRAMP approved solutions may not satisfy your unique requirements for access, control, or 3rd party addons – these may not be permitted. In these situations, organizations need to deploy their own cloud solution that meets their security requirements, such as TRM’s High Security Cloud.
Wrap up
While considering a move to the cloud, be sure you have a clear understanding of the cyber security requirements you organization wishes to or is required to follow. Given that clear picture, you need to engage with an experienced cloud host to ensure that not only are the requirements met on paper but are also followed and auditable over time.
John Q. Todd
John Q. Todd has nearly 30 years of business and technical experience in the Project Management, Process development/improvement, Quality/ISO/CMMI Management, Technical Training, Reliability Engineering, Maintenance, Application development, Risk Management, & Enterprise Asset Management fields. His experience includes work as a Reliability Engineer & RCM implementer for NASA/JPL Deep Space Network, as well as numerous customer projects and consulting activities as a reliability and spares analysis expert. He is a Sr. Business Consultant and Product Researcher with Total Resource Management, an an IBM Gold Business Partner – focused on the market-leading EAM solution, Maximo, specializes in improving asset and operational performance by delivering strategic consulting services with world class functional and technical expertise.
Expert troubleshooters have a good understanding of the operation of electrical components that are used in circuits they are familiar with, and even ones they are not. They use a system or approach that allows them to logically and systematically analyze a circuit and determine exactly what is wrong. They also understand and effectively use tools such as prints, diagrams and test instruments to identify defective components. Finally, they have had the opportunity to develop and refine their troubleshooting skills.
Expert troubleshooters have a good understanding of the operation of electrical components that are used in circuits they are familiar with, and even ones they are not. They use a system or approach that allows them to logically and systematically analyze a circuit and determine exactly what is wrong. They also understand and effectively use tools such as prints, diagrams and test instruments to identify defective components. Finally, they have had the opportunity to develop and refine their troubleshooting skills.
Semiconductor devices are almost always part of a larger, more complex piece of electronic equipment. These devices operate in concert with other circuit elements and are subject to system, subsystem and environmental influences. When equipment fails in the field or on the shop floor, technicians usually begin their evaluations with the unit's smallest, most easily replaceable module or subsystem. The subsystem is then sent to a lab, where technicians troubleshoot the problem to an individual component, which is then removed--often with less-than-controlled thermal, mechanical and electrical stresses--and submitted to a laboratory for analysis. Although this isn't the optimal failure analysis path, it is generally what actually happens.
Semiconductor devices are almost always part of a larger, more complex piece of electronic equipment. These devices operate in concert with other circuit elements and are subject to system, subsystem and environmental influences. When equipment fails in the field or on the shop floor, technicians usually begin their evaluations with the unit's smallest, most easily replaceable module or subsystem. The subsystem is then sent to a lab, where technicians troubleshoot the problem to an individual component, which is then removed--often with less-than-controlled thermal, mechanical and electrical stresses--and submitted to a laboratory for analysis. Although this isn't the optimal failure analysis path, it is generally what actually happens.
In an ideal world, multiple components could be produced in a single piece, or coupled and installed in perfect alignment. However, in the real world, separate components must be brought together and connected onsite. Couplings are required to transmit rotational forces (torque) between two lengths of shaft, and despite the most rigorous attempts, alignment is never perfect. To maximize the life of components such as bearings and shafts, flexibility must be built in to absorb the residual misalignment that remains after all possible adjustments are made. Proper lubrication of couplings is critical to their performance.
In an ideal world, multiple components could be produced in a single piece, or coupled and installed in perfect alignment. However, in the real world, separate components must be brought together and connected onsite. Couplings are required to transmit rotational forces (torque) between two lengths of shaft, and despite the most rigorous attempts, alignment is never perfect. To maximize the life of components such as bearings and shafts, flexibility must be built in to absorb the residual misalignment that remains after all possible adjustments are made. Proper lubrication of couplings is critical to their performance.
The key to realizing greater savings from more informed management decisions is to predetermine the "True" cost of downtime for each profit center category. True downtime cost is a methodology of analyzing all cost factors associated with downtime, and using this information for cost justification and day to day management decisions. Most likely, this data is already being collected in your facility, and need only be consolidated and organized according to the true downtime cost guidelines.
The key to realizing greater savings from more informed management decisions is to predetermine the "True" cost of downtime for each profit center category. True downtime cost is a methodology of analyzing all cost factors associated with downtime, and using this information for cost justification and day to day management decisions. Most likely, this data is already being collected in your facility, and need only be consolidated and organized according to the true downtime cost guidelines.
I use the term RCPE because it is a waste of good initiatives and time to only find the root cause of a problem, but not fixing it. I like to use the word problem; a more common terminology is Root Cause Failure Analysis (RCFA), instead of failure because the word failure often leads to a focus on equipment and maintenance. The word problem includes all operational, quality, speed, high costs and other losses. To eliminate problems is a joint responsibility between operations, maintenance and engineering.
I use the term RCPE because it is a waste of good initiatives and time to only find the root cause of a problem, but not fixing it. I like to use the word problem; a more common terminology is Root Cause Failure Analysis (RCFA), instead of failure because the word failure often leads to a focus on equipment and maintenance. The word problem includes all operational, quality, speed, high costs and other losses. To eliminate problems is a joint responsibility between operations, maintenance and engineering.
The potential-to-functional failure interval (P-F interval) is one of the most important concepts when it comes to performing Reliability-Centered Maintenance (RCM). Remarkably, the P-F interval is also one of the most misunderstood RCM concepts. The failure mode analysis becomes even more complicated when you are dealing with several P-F intervals for one failure mode. This paper will help clarify the P-F interval and the decision-making process when dealing with multiple P-F intervals.
The potential-to-functional failure interval (P-F interval) is one of the most important concepts when it comes to performing Reliability-Centered Maintenance (RCM). Remarkably, the P-F interval is also one of the most misunderstood RCM concepts. The failure mode analysis becomes even more complicated when you are dealing with several P-F intervals for one failure mode. This paper will help clarify the P-F interval and the decision-making process when dealing with multiple P-F intervals.
As many of us strive to improve the reliability of our plants, several comments bemoan how challenging that is to do in an era of continuous deep cost cutting. They say that in their operation, maintenance is seen as a cost, and is one of the first things to arbitrarily cut. Some think their operations have cut too far! What they seek is a way to justify a strong maintenance capability. I submit that one approach is to speak of maintenance as an “investment in capacity.” Use the language that plant managers, controllers and senior management understands: capital investment and return on investment (ROI).
As many of us strive to improve the reliability of our plants, several comments bemoan how challenging that is to do in an era of continuous deep cost cutting. They say that in their operation, maintenance is seen as a cost, and is one of the first things to arbitrarily cut. Some think their operations have cut too far! What they seek is a way to justify a strong maintenance capability. I submit that one approach is to speak of maintenance as an “investment in capacity.” Use the language that plant managers, controllers and senior management understands: capital investment and return on investment (ROI).
