Skip to main content
Microsoft Security

NERC CIP compliance in Azure

When I did my first North American Electric Reliability Corporation—Critical Infrastructure Protection (NERC CIP) compliance project it was 2009. NERC CIP was at version 3. It was the first mandatory cybersecurity standard that the utility I was working for had to meet. As it does today, the Bulk Electric System (BES) had the responsibility to keep North America powered, productive, and safe with near 100 percent uptime. Critical infrastructure for us is not email and payroll systems, it’s drinking water and hospitals. Leading the way to the cloud was not top of mind. The NERC CIP standards were written for on-premise systems.

NERC CIP compliance was a reason many participants in the BES would not deploy workloads to the cloud. NERC CIP version 6 is now in force. NERC has recognized the change in the technology landscape including the security and operational benefits that well architected use of the cloud has to offer.

Microsoft has made substantial investments in enabling our BES customers to comply with NERC CIP in Azure. Microsoft engaged with NERC to unblock NERC CIP workloads from being deployed in Azure and Azure Government.

All U.S. Azure regions are now approved for FedRAMP High impact level. We use this to establish our compliance to NERC and the Regional Reliability Councils.

In June 2019, NERC Electric Reliability Organization (ERO) conducted an audit of Azure in Redmond, Washington. NERC, NERC regional auditor organizations, and the NERC CIPC (Critical Infrastructure Protection Committee) were represented.

We prepared a NERC CIP compliance guide for Azure, and a Cloud Implementation Guide for NERC Audits, which includes pre-filled Reliability Standard Audit Worksheet (Reliability Standard Audit Worksheet (RSAW)) responses. This will help our customers save time and resources in responding to audits.

NERC’s BES Cyber Asset 15-minute rule is important to deploying appropriate NERC CIP workloads to Azure. This rule sets out requirements for BES Cyber Assets that perform real-time functions for monitoring or controlling the BES under the current set of CIP standards and the NERC Glossary of Terms. BES Cyber Assets, under the 15-minute rule, are those that would affect the reliable operation of the BES within 15 minutes of being impaired.

Under the current rules, BES Cyber Assets—like Supervisory Control and Data Acquisition Systems (SCADA) and Energy Management Systems (EMS)—are not good candidates a for move to the cloud for this reason.

Importantly, the NERC CIP standards also recognize that the needs of Bulk Electric System Cyber System Information (BCSI) are different from BES Cyber Assets. BCSI is information that could be used to gain unauthorized access or pose a security threat to the Bulk Electric Cyber System. BCSI is not subject to the 15-minute rule.

Many of the workloads that will benefit most from the operational, security, and cost savings benefits of the cloud are BCSI.

Machine learning, multiple data replicas across fault domains, active failover, quick deployment, and pay for use benefits are now available for BCSI NERC CIP workloads when they’re moved to or born in Azure.

Examples include:

We can use information retention and protection on confidential documents with BCSI sensitive information. Azure’s machine learning helps us improve smart grid and do predictive maintenance on plant equipment. We can experiment, fail fast, and stand up infrastructure in hours, not months. The powerful tools and agile technologies that other industries rely on are now available for many NERC CIP workloads.

There are currently over 100 U.S. power and utility companies that use Azure. NERC CIP regulated companies can enjoy the benefits of the cloud in Azure.

In my next post, I’ll discuss the use of Azure public cloud and Azure Government for NERC CIP compliance.

Thanks to Larry Cochrane and Stevan Vidich for their excellent work on Microsoft’s NERC CIP compliance viewpoint and architecture. Some of their documents are linked above.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.