Updated guide: Understanding NERC CIP compliance for power and utilities
Power and utility companies recognize the benefits of cloud technology to meet the demands of the changing grid landscape and digital transformation. For use cases in scope under the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards, the industry is working to accommodate the use of cloud technology through proposed modifications to CIP-004 and CIP-011 for BES Cyber System Information (BCSI) and a Primer for Cloud Solutions and Encrypting BCSI, as well as NERC Committee and Subcommittee work on use of cloud for other in-scope workloads. AWS supports these efforts and actively helps support customers’ NERC CIP compliance programs.
Accordingly, AWS has released an update to the AWS User Guide to Support Compliance with North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards. Download the guide here. The User Guide helps utilities understand how the cloud can help support business and security objectives while also helping to support a NERC CIP compliance program.
The NERC CIP compliance obligations apply to US and Canadian entities, yet the security objectives embodied in the standards apply globally. This updated version of the User Guide covers key discussion areas such as security, shared responsibility, and inheriting controls, and includes new sections on governance at scale, logical isolation and secure networking, and automation. Governance at scale helps you to centrally manage and govern your environment through AWS services, allowing you to log, monitor, and control access, implement common security controls, and simplify evidence collection.
We understand that each customer’s cloud adoption journey is unique, so to get you started, we developed the AWS services section that aligns AWS services to the CIP Standards they help support and describes the roles and responsibilities for the customer and AWS.
The User Guide describes key concepts for customers considering CIP-regulated workloads in the cloud:
- How customers inherit security of the cloud infrastructure.
- How independent certifications validate the security controls managed by AWS.
- How responsibilities are shared in managing and protecting workloads.
- How the cloud can fulfill CIP security objectives for identity and access management, data protection, patching and vulnerability management, security event monitoring, incident response, resilience and system recovery, and physical security.
- How the cloud can help entities improve resiliency through automation of security controls and governance at scale.
- Details on applicable AWS services and the associated shared responsibilities, by CIP standard and requirement (appendix).
For more information about AWS supporting customer compliance needs, contact us.