NERC CIP Compliance in Azure vs. Azure Government cloud

As discussed in my last blog post on North American Electric Reliability Corporation—Critical Infrastructure Protection (NERC CIP) Compliance in Azure, U.S. and Canadian utilities are now free to benefit from cloud computing in Azure for many NERC CIP workloads. Machine learning, multiple data replicas across fault domains, active failover, quick deployment and pay-for-use benefits are now available for these NERC CIP workloads.

Good candidates include a range of predictive maintenance, asset management, planning, modelling and historian systems as well as evidence collection systems for NERC CIP compliance itself.

It’s often asked whether a utility must use Azure Government Cloud (“Azure Gov”) as opposed to Azure public cloud (“Azure”) to host its NERC CIP compliant workloads. The short answer is that both are options. There are several factors that bear on the choice.

U.S. utilities can use Azure and Azure Gov for NERC CIP workloads. Canadian utilities can use Azure.

There are some important differences that should be understood when choosing an Azure cloud for deployment.

Azure and Azure Gov are separate clouds, physically isolated from each other. They both offer U.S. regions. All data replication for both can be kept within the U.S.

Azure also offers two Canadian regions, one in Ontario and one in Quebec, with data stored exclusively in Canada.

Azure Gov is only available to verified U.S. federal, state, and local government entities, some partners and contractors. It has four regions: Virginia, Iowa, Arizona and Texas. Azure Gov is available to U.S.-based NERC Registered Entities.

We are working toward feature parity between Azure and Azure Gov. A comparison is provided here.

The security controls are the same for Azure and Azure Gov clouds. All U.S. Azure regions are now approved for FedRAMP High impact level.

Azure Gov provides additional assurances regarding U.S. government-specific background screening requirements. One of these is verification that Azure Gov operations personnel with potential access to Customer Data are U.S. persons. Azure Gov can also support customers subject to certain export controls laws and regulations. While not a NERC CIP requirement, this can impact U.S. utility customers.

Azure Table 1

Under NERC CIP-004, utilities are required to conduct background checks.

Microsoft U.S. Employee Background Screening

Microsoft’s background checks for both Azure and Azure Gov exceed the requirements of CIP-004.

NERC is not prescriptive on the background check that a utility must conduct as part of its compliance policies.

A utility may have a U.S. citizenship requirement as part of its CIP-004 compliance policy which covers both its own staff and the operators of its cloud infrastructure. Thus, if a utility needs U.S. citizens operating its Microsoft cloud in order to meet its own CIP-004 compliance standards, it can use Azure Gov for this purpose.

A utility may have nuclear assets that subject it to U.S. Department of Energy export control requirements (DOE 10 CFR Part 810) on Unclassified Controlled Nuclear Information. This rule covers more than the export of nuclear technology outside the United States; it also covers the transmission of protected information or technology to foreign persons inside the U.S. (for example, employees of the utility and employees of the utility’s cloud provider).

Since access to protected information could be necessary to facilitate a support request, this should be considered if the customer has DOE export control obligations. Though the NERC assets themselves may be non-nuclear, the utility’s policy set may extend to its entire fleet and workforce regardless of generation technology. Azure Gov, which requires that all its operators be U.S. citizens, would facilitate this requirement.

Azure makes the operational advantages, increased security and cost savings of the cloud available for many NERC CIP workloads. Microsoft provides Azure and Azure Gov clouds for our customers’ specific needs. Microsoft continues its work with regulators to make our cloud available for more workloads, including those requiring compliance with NERC CIP standards. The utility (Registered Entity) is ultimately responsible for NERC CIP compliance and Microsoft continues to work with customers and partners to simplify the efforts to prepare for audits.

Thanks to Larry Cochrane and Stevan Vidich for their leadership on Microsoft’s NERC CIP compliance viewpoint and architecture.

(c) 2020 Microsoft Corporation. All rights reserved. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document is not intended to communicate legal advice or a legal or regulatory compliance opinion. Each customer’s situation is unique, and legal and regulatory compliance should be assessed in consultation with their legal counsel.