Building BCSI Solutions in the ServiceNow Cloud


In July of 2022, I left a wonderful career with an Independent System Operator in the US to join the ServiceNow family. Before my arrival at ServiceNow, I and many other utilities had held numerous meetings with ServiceNow urging that more cybersecurity capabilities be built into the platform so that we could build solutions that handle BCSI in the ServiceNow cloud. BCSI means BES (Bulk Electric System) Cyber System Information in any form, whether printed or electronic, including data, files, and file attributes. BCSI is information about a BES Cyber System that could be used to gain unauthorized access to, or pose a security threat to, the BES Cyber System, as determined by PG&E (the definition and the classification labels quoted here are PG&E's). BCSI is classified as “NERC CIP Confidential – BCSI” or “Restricted – BCSI”.

What is so fantastic about ServiceNow is that they listened and significantly invested in making this happen for us! The cybersecurity capabilities were delivered in September 2022 in the ServiceNow Tokyo release.

Since the release, let me just say, life has been busy. The number of NERC registered entities I am working with is absolutely enormous and the use cases we are building are game changing for our industry. I continue to get many of the same questions around these cyber capabilities so I decided to blog about what we know and how ServiceNow can help your organization do what many utilities are now doing.

What are the solutions utilities are building with BCSI information in the ServiceNow cloud?

The fastest growing capability right now is Operational Technology (OT) Management. This is a natural area for utilities to explore because, at the end of the day, an OT device is still an asset, albeit one with different metadata attributes. Imagine the power of having all assets in one system, going through the same rigorous change process together.


Utilities face tremendous challenges maintaining and patching assets, especially those that must adhere to NERC CIP. Under CIP-007 R2 these assets sit on a rolling 35-calendar-day patch cycle: released security patches must be evaluated for applicability at least once every 35 days, and each applicable patch must then be applied, or placed under a dated mitigation plan, within a further 35 days of that evaluation. Managing and reporting on that process is a total headache. With ServiceNow OT Visibility we can ingest these assets from OT discovery vendors such as Dragos, Forescout or Tenable, then automate ticketing with ServiceNow Security Incident Response and manage the patching process with ServiceNow OT Vulnerability Response.
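As an added example of what that tracking has to compute (written for this page; it is not ServiceNow code and not part of any ServiceNow module), the following Go program models the two CIP-007 R2 timers for a handful of constructed OT assets and reports which ones are overdue on evaluation, which have an applicable patch still awaiting remediation, and which closed out inside the window. The asset names, dates and field layout are assumptions; a real implementation would read them from the CMDB and vulnerability records.

```go
package main

import (
	"fmt"
	"time"
)

// Added illustration (not ServiceNow code) of the two CIP-007 R2 clocks that a
// patch-tracking process has to keep for each CIP-applicable asset:
//   Part 2.2: evaluate released patches at least once every 35 calendar days
//   Part 2.3: within 35 calendar days of that evaluation, apply the patch or
//             create (or revise) a dated mitigation plan
// Asset names and dates below are constructed sample data.

const windowDays = 35

type Asset struct {
	Name            string
	LastEvaluation  time.Time  // last completed applicability evaluation
	PatchApplicable bool       // that evaluation found an applicable patch
	Remediated      *time.Time // patch applied or mitigation plan dated; nil if open
}

type Finding struct {
	Asset          string
	EvalDue        time.Time // next evaluation must complete by this date
	EvalOverdue    bool
	RemediationDue time.Time // zero when no applicable patch was found
	Remediation    string    // "n/a", "open", "overdue", "done" or "done-late"
}

func date(y int, m time.Month, d int) time.Time {
	return time.Date(y, m, d, 0, 0, 0, 0, time.UTC)
}

func deadline(from time.Time) time.Time { return from.AddDate(0, 0, windowDays) }

// Assess checks every asset against both clocks as of asOf. A date equal to the
// deadline is still inside the window; only a later date is overdue.
func Assess(assets []Asset, asOf time.Time) []Finding {
	findings := make([]Finding, 0, len(assets))
	for _, a := range assets {
		f := Finding{Asset: a.Name, EvalDue: deadline(a.LastEvaluation), Remediation: "n/a"}
		f.EvalOverdue = asOf.After(f.EvalDue)
		if a.PatchApplicable {
			f.RemediationDue = deadline(a.LastEvaluation)
			switch {
			case a.Remediated == nil && asOf.After(f.RemediationDue):
				f.Remediation = "overdue"
			case a.Remediated == nil:
				f.Remediation = "open"
			case a.Remediated.After(f.RemediationDue):
				f.Remediation = "done-late"
			default:
				f.Remediation = "done"
			}
		}
		findings = append(findings, f)
	}
	return findings
}

// SampleAssets returns constructed records; in practice they come from the CMDB.
func SampleAssets() []Asset {
	fixed := date(2023, 2, 20)
	return []Asset{
		{Name: "substation-hmi-01", LastEvaluation: date(2023, 2, 10)},
		{Name: "ems-server-02", LastEvaluation: date(2023, 1, 5), PatchApplicable: true},
		{Name: "rtu-gateway-07", LastEvaluation: date(2023, 2, 1), PatchApplicable: true, Remediated: &fixed},
		{Name: "ics-firewall-03", LastEvaluation: date(2023, 2, 15), PatchApplicable: true},
	}
}

func main() {
	for _, f := range Assess(SampleAssets(), date(2023, 3, 1)) {
		fmt.Printf("%-18s eval due %s overdue=%-5v remediation=%s\n",
			f.Asset, f.EvalDue.Format("2006-01-02"), f.EvalOverdue, f.Remediation)
	}
}
```

Run it with `go run`. The point worth noticing is that both clocks key off the same evaluation date: an asset whose evaluation is overdue is also, if that evaluation found an applicable patch, past its remediation deadline, which is why ems-server-02 is flagged on both counts, while ics-firewall-03 is simply open with time remaining.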


For more information on ServiceNow Operational Technology Management, see my recent blog: OT | IT convergence creates game changing strategies for Energy & Utility Organizations

The natural next step after OT is Field Service Management (FSM). Having the ability, in one platform, to manage an asset and then dispatch field personnel to repair, replace or patch that asset, all within the same system, brings tremendous efficiencies and oversight capability.


Managing risks around these assets is imperative for NERC Registered Entities. Should an asset be end of life or have a known vulnerability, it is essential to manage that risk through mitigation action plans and to be able to track and report on it in alignment with NERC CIP. ServiceNow's Integrated Risk Management can help manage this process end to end.

Other areas where we are now helping customers use the platform include tracking safety incidents and observations, and environmental, social, and corporate governance (ESG) reporting.

The possibilities of the solutions we can build using low-code, no-code, App Engine and automation mean our options are endless. Imagine having a governed enterprise citizen-development program that lets the business build the solutions it needs!


How does Tokyo change the game for NERC CIP registered entities?

To me, NERC CIP is a two-way street. It is the registered entity's responsibility to adhere to NERC CIP; ServiceNow itself is not required to meet NERC CIP. What we can do is ensure the platform has the appropriate security controls built into its technology and processes to help customers adhere to NERC CIP. The Tokyo release provided a strong set of capabilities that allow customers to encrypt data in transit and at rest, at both the application and database level, which helps prevent unauthorized access to data by people who should not have it. This is the core of CIP-011 (Information Protection), the standard that governs how BCSI is identified, protected and handled.

ServiceNow calls this service Platform Encryption. Platform Encryption includes two fundamental components: Cloud Encryption and Column Level Encryption Enterprise.

Cloud Encryption is a new data-at-rest encryption offering from ServiceNow that customers can access via the Platform Encryption paid bundle. It brings ServiceNow's encrypted data-at-rest offering in line with NIST SP 800-57 key lifecycle management (generation, distribution, rotation and retirement of keys).

Cloud Encryption is designed to be database agnostic, which future-proofs customers against additional database types ServiceNow might offer. This differs from Database Encryption, which only works with MariaDB. Cloud Encryption ensures that customers can continue to keep their data encrypted at rest regardless of the underlying database.

Platform Encryption offers customers the option to bring and manage their own key or to manage a key that ServiceNow provides. Key management operations, such as key rotation, are managed entirely by the customer from within their instance; there is no need to involve ServiceNow Support personnel.
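To make the customer-managed key rotation point concrete, here is an added example written for this page. It is not ServiceNow's code and does not describe how Platform Encryption is implemented internally; it assumes the common envelope-encryption pattern in which each encrypted column has its own data encryption key (DEK), every DEK is wrapped under a key encryption key (KEK) the customer holds, and a rotation re-wraps the DEKs under a new KEK without rewriting the stored ciphertext. All key IDs, column names and values are invented.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Added illustration of envelope encryption under a customer-held key. It is
// not ServiceNow code and says nothing about Platform Encryption's internals;
// the DEK/KEK split and every name below are assumptions for this example.
// KEK is the customer's key encryption key (in production: in their KMS/HSM).
type KEK struct {
	ID  string
	Key []byte // AES-256
}

// WrappedDEK is what the key store persists: a column's data encryption key
// (DEK) sealed under a KEK. The plaintext DEK exists only in memory.
type WrappedDEK struct {
	KEKID string
	Blob  []byte // nonce || AES-GCM ciphertext of the DEK
}

// must panics on CSPRNG or cipher-setup errors, which are unrecoverable here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
func gcmFor(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal returns nonce||ciphertext; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	g := gcmFor(key)
	nonce := randomBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...)
}

func unseal(key, sealed, aad []byte) ([]byte, error) {
	g := gcmFor(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// WrapDEK binds the blob to its KEK ID via AAD; UnwrapDEK refuses a mismatch.
func WrapDEK(k KEK, dek []byte) WrappedDEK {
	return WrappedDEK{KEKID: k.ID, Blob: seal(k.Key, dek, []byte(k.ID))}
}

func UnwrapDEK(k KEK, w WrappedDEK) ([]byte, error) {
	if w.KEKID != k.ID {
		return nil, fmt.Errorf("DEK is wrapped under KEK %q, not %q", w.KEKID, k.ID)
	}
	return unseal(k.Key, w.Blob, []byte(k.ID))
}

// RotateKEK is the customer-initiated rotation: every DEK is unwrapped with
// the old KEK and re-wrapped under the new one. Stored values are untouched.
func RotateKEK(oldK, newK KEK, store map[string]WrappedDEK) error {
	for column, w := range store {
		dek, err := UnwrapDEK(oldK, w)
		if err != nil {
			return fmt.Errorf("column %s: %w", column, err)
		}
		store[column] = WrapDEK(newK, dek)
	}
	return nil
}

// Demo walks one constructed BCSI column through encrypt, rotate and decrypt and
// returns what to verify after any rotation: pre-rotation ciphertext still
// decrypts under the new KEK, and the retired KEK no longer unwraps anything.
func Demo() (plaintext string, oldKEKRejected bool, err error) {
	const column, value = "bcsi_notes", "ESP firewall rule set for substation 12"
	kek1 := KEK{ID: "customer-kek-2023-q1", Key: randomBytes(32)}
	kek2 := KEK{ID: "customer-kek-2023-q2", Key: randomBytes(32)}
	dek := randomBytes(32)
	store := map[string]WrappedDEK{column: WrapDEK(kek1, dek)}
	stored := seal(dek, []byte(value), []byte(column)) // AAD = column name; written once
	if err = RotateKEK(kek1, kek2, store); err != nil {
		return "", false, err
	}
	dek2, err := UnwrapDEK(kek2, store[column])
	if err != nil {
		return "", false, err
	}
	pt, err := unseal(dek2, stored, []byte(column))
	_, oldErr := UnwrapDEK(kek1, store[column])
	return string(pt), oldErr != nil, err
}
func main() { fmt.Println(Demo()) }
```

Run it with `go run`. Two properties are worth checking after any rotation in a real deployment, and they are the two values Demo returns: values encrypted before the rotation still decrypt under the new KEK, and the retired KEK can no longer unwrap anything. The column name is authenticated as associated data, so a ciphertext copied from one column into another fails to decrypt rather than quietly succeeding; that is the kind of binding to look for when evaluating any column-level scheme.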


Along with the Tokyo release, ServiceNow released a package offering called ServiceNow Vault. This includes Platform Encryption as well as other advanced capabilities many NERC entities desperately need.

Included in ServiceNow Vault are the following capabilities:

  • Platform Encryption, which allows organizations to comply with mandates and protect sensitive data
  • Data Anonymization, to ensure data privacy by classifying and anonymizing specific data fields containing personally identifiable information
  • Secrets Management, to securely store and control access to credentials
  • Code Signing with Circle of Trust, to validate the authenticity and integrity of software on the MID Server
  • Log Export Service, which improves security threat monitoring by making it easy to integrate ServiceNow system logs into a larger enterprise security analytics system

This comprehensive Vault security solution has been packaged to make it easy for organizations to order & consume the solution.


The last thing that is important to mention is that ServiceNow offers other kinds of encryption as well, such as Edge Encryption and Database Encryption.

Edge Encryption is a network encryption system that resides on your network and encrypts and decrypts sensitive data as it travels between your data center and the ServiceNow cloud. Because the keys never leave your network, the platform cannot decrypt the data to perform any manipulation of it. As a consequence, functionality and data processing on the Now Platform (for example server-side searching and reporting on those fields) may be broken or restricted for columns encrypted with Edge Encryption.

Database Encryption protects all stored data with symmetric AES-256 encryption, whether the database is online or offline. It encrypts all stored data in real time with no loss of functionality, but, as noted above, it is available only with MariaDB.

Given my understanding of NERC CIP, I recommend that customers use Platform Encryption to secure BCSI, for two primary reasons. First, Platform Encryption encrypts at both the application (column) level and the database level. Second, the customer controls the keys, including rotation, from within the ServiceNow instance, which matters because under CIP-011 it is the entity that must be able to show how its BCSI is protected. Should your organization need other capabilities such as code signing, secrets management and data anonymization, you will need the ServiceNow Vault package. Log Export Service is available separately via the ServiceNow Store. I encourage each registered entity to partner with its regional regulator, cybersecurity leadership and auditors to review these options and determine the right approach for your organization.

Determining the right instance options for your organization

Now with all of these available options for our customers to encrypt their information in the cloud, organizations must also choose what is the right instance path for them.

ServiceNow hosts two types of instances:

  • Commercial Instance
  • FedRAMP ServiceNow GovCommunityCloud (GCC)

All federal agencies (and some associated organizations) are able to use the FedRAMP environment:

  • US federal, state, local, and tribal government with registered .gov or .mil domain addresses
  • Government consultants
  • Federally funded research and development centers (FFRDCs)

Can non-federal customers use the GCC environment?

Approval for organizations other than US federal government entities or instrumentalities to access the GCC environment is solely at ServiceNow’s discretion. Such organizations must demonstrate that they qualify for this environment by being validated through ServiceNow’s GCC approval program. Specifically, any organization other than US federal government entities or instrumentalities must meet the following criteria before ServiceNow can consider provisioning such organizations in the GCC environment:

The organization must demonstrate they have a requirement to meet US federal government security standards by contractually agreeing to the terms in the ServiceNow US government (USG) contract addendum.

Below are examples of US federal government data types, contract clauses, and security standards that may demonstrate that an organization other than a US federal government entity or instrumentality is required to be included in the ServiceNow GCC environment:

  • International Traffic in Arms (ITAR)
  • Covered Defense Information
  • Controlled Unclassified Information (CUI)
  • Department of Defense (DoD) Unclassified Controlled Nuclear Information (UCNI)
  • Department of Energy (DoE) UCNI
  • Criminal Justice Information (CJI)
  • Department of Defense Impact Level data (up to DoD Impact Level 4)
  • FedRAMP data (up to FedRAMP High)
  • North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP)
  • Requirements imposed on organizations by US federal government agencies (e.g., Department of Homeland Security, Department of the Treasury, Office of the Comptroller of the Currency, Centers for Medicare and Medicaid Services, etc.)
  • Federal Acquisition Regulation and agency supplement (e.g., DFARS) clauses

What are the fundamental differences between Commercial and FedRAMP GCC?

FedRAMP security controls are generally implemented in the same manner in both commercial and federal environments. This simplifies management and operations. While functionality and application code are the same in both environments, there are some differences.

It is important to note that FedRAMP goes through a rigorous control assessment process. These controls are directly tied to NIST SP 800-53, and the documentation produced to support that process is complementary to the evidence used in NERC CIP audits.

Below is a table which describes at high level the differences between the two instance offerings.


For more details on the differences between Commercial and FedRAMP GCC see: ServiceNow’s FedRAMP Cloud Platform and Frequently Asked Questions

Please see the list of the functionality not available in the FedRAMP GCC environment which is located in the ServiceNow Core Directory. ServiceNow Knowledge Base Article 0743854.

For instructions on how to access the ServiceNow Core Directory please click here: Instructions on how to access ServiceNow Core Directory

Balancing NERC CIP posture with costs

ServiceNow customers will need to choose what instance is appropriate for their organization as well as what encryption options they wish to use. I think about this in terms of compliance posture versus costs.

Encryption adds cost, but the stronger your compliance posture, the better protected your organization will be. Keep in mind that while cloud encryption has added costs, they are minimal compared with managing and supporting these solutions on premises, along with the challenge of keeping that technology upgraded and patched. In the diagram below you can see how the instance and encryption options compare with each other. This reflects my view and understanding of NERC CIP; your organization is accountable for assessing these variables and making the right determination.


Using the ServiceNow platform to help your organization adhere to NERC CIP

As I mentioned before, NERC registered entities are required to meet NERC CIP, but I think of our partnership as a two-way street. While ServiceNow can help secure the information, the platform can also help your organization ensure that it is complying with NERC CIP standards by leveraging ServiceNow technology to enable, report on and manage the process.

In the table below, each of the NERC CIP standards is listed, and the green flags show how each ServiceNow module can help support that standard.


One notable recent change from FERC is an incentive framework that entities may be able to use to help pay for securing critical assets: utilities can apply for incentive rate treatment for voluntary cybersecurity investments that go beyond what CIP requires. A proactive stance on Security Operations could therefore be partly recoverable through rates, so I encourage you to explore this further. For more information see: FERC approves incentive framework for voluntary cybersecurity investments

As you explore how each of these solutions can assist in helping you comply with NERC CIP, please do not hesitate to reach out to me directly if you want to dig in with me on each of these areas. I hope this was a helpful blog for those of you considering using ServiceNow to help you with your BCSI in the cloud journey.

Below is more helpful information on our FedRAMP instance should you want to research further.

Additional Resources:

Note: Many of the links in this blog direct you to the ServiceNow Core repository. Please follow the instructions below for access or reach out to your ServiceNow Account Executive for access. Instructions on how to access ServiceNow Core Directory

Raj Arutperunjothi
Global ITAM Transformation Leader - Technology Asset Management *Views expressed are my own*
1 year ago

Amanda Justice "AJ" - Hi Amanda, could you please share content on how we can get the BCSI discovery for SAM Pro? For the effective license positions.

Andrew Ronneberg
CIO/CTO | Transformation Executive | Executive IT Consultant | Healthcare | Manufacturing | ITO | Finance | Leadership | Transform Tenacious Technology Professional passionate about solving problems and helping people!
1 year ago

Powerful!

Dan Voytovech
Streamlining Business Operations with ServiceNow | Unifying IT and the Enterprise
1 year ago
