Federal Regulators: Should Energy Companies Be Allowed to Use Cloud for Power Delivery?

The Federal Energy Regulatory Commission is aware of the potential cloud computing could have on the energy sector but is wary of allowing utilities to adopt these technologies without a full understanding of the risks involved.

American power companies are using cloud services for many back-office processes but have yet to utilize the technology for power delivery and management systems. The overriding standards governing power companies’ use of technology—the Critical Infrastructure Protection, or CIP, Reliability Standards—don’t offer any guidance on the use of cloud and virtualization for bulk energy systems. FERC is interested in changing that and wants energy sector experts to weigh in on exactly what changes should be made.

As with the rest of government, FERC is interested in moving to the cloud to reap the benefits of “scalability, greater flexibility and lower capital investment,” according to a notice of inquiry posted Thursday to the Federal Register. “Other potential benefits from the adoption of cloud computing services include enhanced access to data and applications due to the inherent redundancy and multiple pathways used to access cloud computing services.”

With regard to virtualization, FERC officials see promise in the ability to “reduce capital and operating costs, increase the efficiency of existing computing assets and improve incident recovery,” according to the notice. Virtualization is also necessary for implementing modern cloud-based cybersecurity systems, “since a customer choosing to migrate one or more on-premise systems to the cloud will need to virtualize those systems for use in the cloud.”

However, as with anything new, FERC officials are wary of implementing these technologies without fully understanding the risk. Further, all U.S. power utilities are required to follow the CIP reliability standards, which does not provide any guidance on cloud or virtualization.

The CIP reliability standards were developed by the North American Electric Reliability Corporation, or NERC, and adopted by FERC. The commission does not plan to supersede NERC’s standards. But, depending on the responses gathered through the Federal Register notice and other feedback outlets, the commission plans to make recommendations to NERC on ways the CIP standards should be updated to allow for virtualization and cloud computing.  

In addition to the request for comments from the public, the commission has been discussing potential cloud uses for the past year, including at technical conferences held in March and June 2019.

“Current NERC rules of procedure and NERC Critical Infrastructure Protection standards do not explicitly address the use of cloud services and virtualization, leaving the industry uncertain as to how to approach related security and compliance risks as they explore the use of these technologies,” Antiwon Jacobs, chief information security officer for the Sacramento Municipal Utility District, said in prepared comments for the Reliability Technical Conference held in June, speaking on behalf of the American Public Power Association and the Large Public Power Council.

In his remarks, Jacobs noted many utilities currently use cloud services for business operations but not for power systems or operations.

“The potential to use [cloud service providers] to support power delivery systems is upon us,” he said. “If done with care and prudence, a technology and security architecture that incorporates cloud solutions can reduce risk, increase flexibility and improve the security posture of the Bulk Electric Systems.”

That said, Jacobs warned against pushing the envelope too far at this time.

“I also want to strike a cautionary note,” he added. “The use of a cloud-based technology to control energy management systems should not be considered at this time. In addition, the use of CSPs should not remove or circumvent critical layers of defense already in place to protect the BES.”

David Rosenthal, a consultant from Utilicast speaking for Midcontinent Independent System Operator, said the utility had conducted tests of backup and recovery processes using cloud systems that proved more effective than when using “traditional computing assets.”

“It is no longer a question of ‘whether cloud services have a place in our industry; rather, it is a question of when, what and how cloud services will work in our industry,” he said.

Rosenthal said MISO has already adopted cloud computing for most of its processes, “with the exception of operations, NERC and NERC CIP.”

These and other comments shared at the two conferences prompted NERC to issue the notice of inquiry to obtain more feedback from the energy sector.

“Further, to the extent that there are barriers in the currently-effective CIP Reliability Standards to their use, the commission seeks comment on whether it is appropriate for the commission to direct action to facilitate the voluntary adoption of virtualization and cloud computing services,” the notice adds.

FERC divided its request into four specific asks:

• Scope of potential use of virtualization and cloud computing services.
• Potential benefits and risks associated with virtualization and cloud computing services.
• Potential impediments to adopting virtualization and cloud computing services.
• Potential use of new and emerging technologies in the current CIP standards framework.

Those with feedback to offer must submit their comments by April 27.