Energy Community Cloud
Cumulys is transforming the adoption of cloud technology in the energy sector through its innovative Community Cloud Solution. We’ve developed a security and compliance framework specifically aligned with NERC CIP standards, ensuring regulatory compliance without compromising the benefits of cloud innovation.
Our Compliance AI application proactively assesses and documents risks, while our Security and Requirements Exchange application provides real-time operational transparency for regulators and stakeholders alike.
We hold our cloud vendors to the highest standards, requiring vetting and ongoing evaluation. With Cumulys, utilities can confidently embrace cloud technology, knowing that security, compliance, and accountability are our foundation.
Technology Stack – Through the Lens of Energy
In the eyes of NERC/FERC, compliance obligations do not differ between third-party Cloud Service Providers and Registered System Operators:
01. If Command and Control is performed, it is generally considered a BES Cyber System.
02. All BES Operators must become Registered and be compliant with the NERC Standards.
03. Cumulys will become a Registered Entity in order to manage the technology stack of electric power utilities.
The Cumulys Community Cloud Charter has been established to provide guidance, structure, and oversight for secure and resilient cloud practices within the energy sector, especially as they relate to compliance and regulatory responsibilities.
Key Charter Elements
01. Monthly Meetings
Frequency and Purpose
Cumulys will convene monthly to facilitate discussions, review key issues, and advance the security framework of the Cumulys Community Cloud model.
Agenda and Topics
The meetings will cover a range of topics critical to the energy sector, including the security management and cloud-based architectural design of non-BES OT systems, low-impact Bulk Electric Systems (BES) and cyber assets, medium-impact BES cyber systems (including EACMS, PC, and BCS) in the cloud, and high-impact BES cyber systems, such as electronic access control monitoring systems, physical access control systems, and protected cyber assets.
02. Role and Responsibility of Cloud Service Providers
Cloud service providers (whether IaaS, PaaS, or SaaS) must be registered and recognized to perform any operations that align with regulatory responsibilities traditionally managed by utilities.
Cumulys advocates for a shared compliance model whereby regulatory obligations are distributed between registered utilities and their registered cloud providers. This model ensures cloud providers inherit the regulatory responsibilities relevant to the services they deliver, thereby enhancing accountability and security across operational environments.
03. Participation and Collaboration
Industry Involvement
The Cumulys Community Cloud Charter invites active participation from industry stakeholders, with the goal of developing robust scenarios that outline shared compliance for energy workloads in cloud environments.
Educational and Commercial Objectives
While participation in the meetings is open and free, Cumulys seeks to identify potential partners interested in collaborating and developing a cloud operating model and associated facilities, ultimately advancing the objective of a registered asset model for cloud service providers.
04. Collaboration with Regulators
Operational Support for Energy Workloads
Cumulys aims to support a model that allows energy sector entities to operate critical workloads and applications within a secure, compliant cloud environment. The Community Cloud Charter seeks to drive this transformation by establishing clear compliance and operational frameworks for cloud providers and their customers.
Long-term Mission
To create a sustainable, secure, and scalable model for cloud operations in the energy sector, ensuring that all relevant compliance obligations are met within the shared responsibility framework.
Focus on Industry Needs