When I did my first North American Electric Reliability Corporation—Critical Infrastructure Protection (NERC CIP) compliance project it was 2009. NERC CIP was at version 3. It was the first mandatory cybersecurity standard that the utility I was working for had to meet. As it does today, the Bulk Electric System (BES) had the responsibility to keep North America powered, productive, and safe with near 100 percent uptime. Critical infrastructure for us is not email and payroll systems, it’s drinking water and hospitals. Leading the way to the cloud was not top of mind. The NERC CIP standards were written for on-premise systems.
NERC CIP compliance was a reason many participants in the BES would not deploy workloads to the cloud. NERC CIP version 6 is now in force. NERC has recognized the change in the technology landscape including the security and operational benefits that well architected use of the cloud has to offer.