Energy & Utilities Blueprint
In Development
This blueprint is in active design. No committed timeline. Content reflects planned architecture based on platform foundation capabilities.
Purpose: For platform engineers and compliance teams, explains the planned Energy blueprint for NERC CIP compliance, SCADA isolation, and OT/IT segregation.
Overview
Energy and utility operators manage critical infrastructure under strict regulatory requirements (NERC CIP). This blueprint extends the platform foundation with Electronic Security Perimeter controls, OT/IT workload segregation, and audit evidence collection mapped to specific NERC CIP standards.
Key Capabilities
| Capability | Description | Foundation Component |
|---|---|---|
| Electronic Security Perimeter | Network isolation between OT and IT zones | NetworkPolicies + Kyverno + namespace isolation |
| OT/IT Segregation | Hard separation of operational and information technology workloads | Node taints + dedicated namespaces + policy enforcement |
| SCADA Isolation | Control system workloads in dedicated, restricted zones | NetworkPolicies + Pod Security Admission |
| Audit Evidence | Change and access logs mapped to NERC CIP evidence requirements | Loki + Kubernetes audit logs + Git history |
| Air-Gap Operation | Disconnected sites with signed deployment packages | openCenter-AirGap (three-zone model) |
| Change Management | CIP-010 compliant configuration change workflow | GitOps (FluxCD) + PR review + drift detection |
NERC CIP Mapping
| Standard | Title | openCenter Control |
|---|---|---|
| CIP-003 | Security Management Controls | Kyverno policies + RBAC Manager + documented procedures |
| CIP-004 | Personnel & Training | Keycloak access control + audit logs (evidence) |
| CIP-005 | Electronic Security Perimeter | NetworkPolicies + namespace isolation + ingress controls |
| CIP-006 | Physical Security | Out of scope (platform does not manage physical) |
| CIP-007 | System Security Management | Pod Security Admission + Kyverno + image scanning (Harbor) |
| CIP-008 | Incident Reporting | Alertmanager + Loki + defined escalation paths |
| CIP-009 | Recovery Plans | Velero backup + Git-based rebuild + tested restore procedures |
| CIP-010 | Configuration Change Management | FluxCD + Git commit history + drift detection |
| CIP-011 | Information Protection | SOPS encryption + TLS (cert-manager) + at-rest encryption |
| CIP-013 | Supply Chain Risk Management | Harbor image scanning + Cosign signatures + SBOM |
Composition
Prerequisites
This blueprint builds on the Platform Foundation. Additional requirements:
- Network architecture supporting OT/IT zone separation (physical or VLAN-based)
- Dedicated node pools for OT workloads
- Air-gap deployment capability for disconnected substations/plants
- Organizational NERC CIP compliance program (blueprint provides technical controls, not policy documentation)
Further Reading
- Platform Foundation — base services and security controls
- Telco Blueprint — similar edge/fleet patterns
- Blueprint Catalog — all blueprints with status