Article

The NERC Risk Management for Third-Party Cloud Services Standards Drafting Team (SDT) is revising NERC CIP standards to enable larger electric utilities and independent power producers to monitor and operate the North American Bulk Electric System (BES) in the cloud. However, a critical assessment suggests the drafting team is on an ineffective path, potentially leading to non-compliance with requirements.

The current CIP definitions, established in 2011-2012, do not adequately address cloud-based systems, leading to compliance challenges for entities transitioning to cloud services. To resolve these issues, three key changes to definitions and requirements are proposed: defining 'System' to include both on-premises and cloud-based systems, establishing a new definition for 'Cloud Electronic Access Control or Monitoring System,' and revising the definition of 'Electronic Access Control or Monitoring System' to exclude cloud data centers. The SDT's current strategy may extend the timeline for compliance without addressing the core problems.