Panelists Seek FERC OK to Move to Cloud
© ERO Insider
Registered entities asked FERC to clear the use of cloud computing, which they said could improve system visibility and security while saving money.

By Rich Heidorn Jr.

WASHINGTON — Registered entities asked FERC on Thursday to clear the way for their use of cloud computing, which they said could improve system visibility, security and availability while saving money.

Speaking at FERC’s annual reliability technical conference, representatives of the American Public Power Association, MISO, Berkshire Hathaway Energy and PPL all said registered entities should be able to use cloud service providers (CSPs) and virtualization for some functions subject to NERC reliability standards.

“Current NERC rules of procedure and NERC critical infrastructure protection standards do not explicitly address the use of cloud services and virtualization, leaving the industry uncertain as to how to approach related security and compliance risks as they explore the use of these technologies,” said Antiwon Jacobs, chief information security officer for the Sacramento Municipal Utility District (SMUD), who testified on behalf of APPA and the Large Public Power Council (LPPC).

From left: Ashley Mahan, FedRAMP; Antiwon Jacobs, Sacramento Municipal Utility District; David Rosenthal, MISO; Michael Ball, Berkshire Hathaway Energy; Brenda Truhe, PPL; and Michael South, Amazon Web Services. | © ERO Insider

MISO is piloting some cloud services, though not for operations or NERC CIP functions. Current CIP standards “were not developed with cloud services in mind, and they offer no guidance as to whether and how cloud services may be NERC CIP compliant,” said David Rosenthal, MISO’s director of incident response and systems recovery.

“It is no longer a question of whether cloud services have a place in our industry,” Rosenthal said. “Rather, it is a question of when, what and how cloud services will work in our industry. Major software vendors have moved quickly from a ‘cloud first’ to a ‘cloud only’ mindset, and that tells us that older, non-cloud technologies will not be supported indefinitely.”

Brenda Truhe | © ERO Insider

Brenda Truhe, NERC CIP senior manager for PPL, said her chief information officer recently attended an all-CIO meeting where “he was one of the few who did not have his main applications in the cloud. He was talking to the financial industry and they said, ‘We do trillions of dollars in banking every day in the cloud. You can make it work.’”

“We’re seeing all critical infrastructures use the cloud in some way, shape or form,” said Michael South, Amazon Web Services’ Americas regional leader for public sector security and compliance. “In my experience, the financial sector is probably the most mature and advanced.”

Benefits

In April, a NERC standards drafting team (Project 2016-02) released a draft white paper that it called “the case for change.” The team said virtualization offers the kind of benefits for computing infrastructure that the interconnected power grid does for bulk electric system reliability.

“As individual utilities interconnected their power systems to form a power grid to share spare capacity for meeting demand peaks and surviving contingencies such as generating unit and transmission line outages, so virtualization connects processors, networks and storage into ‘computing grids’ that allow our vital systems and applications to meet peak demands and survive outages of individual components,” they wrote.

David Rosenthal | © ERO Insider

MISO said cloud services can provide redundant and resilient data and systems and potential cost savings compared to the legacy practices of procuring and supporting hardware.

“It takes quite a long time to provision servers and get them ready for use. One of the things that virtualization does is it allows us to build from templates — pre-hardened — that are ready to go immediately,” Rosenthal said. “When you want to do a recovery, it makes it very simple and very quick. … When we had to recover our physical servers, it took a significant amount of time, and sometimes we failed.”

Truhe said cloud services also help registered entities deal with the shortage of qualified IT candidates, who may find working for AWS or Google more attractive than working for a utility.

Current Rules

Jacobs said NERC CIP standards “do not address the concept of virtual infrastructure” and that registered entities need “a signal or some form of endorsement from NERC and FERC” to provide them regulatory certainty.

Michael Ball | © ERO Insider

Jacobs also requested that FERC and NERC endorse external accreditations of CSPs, such as those provided by the Federal Risk and Authorization Management Program (FedRAMP), to address entities’ compliance risk.

Michael Ball, chief security officer for Berkshire Hathaway Energy, agreed that third-party accreditation is “an essential foundation” for a move to the cloud.

But he said “it is not the service provider that provides the security. … It still relies on me as an entity. You know they can build the best house, the most secure doors. But when they hand me the keys, do I lock the door?”

Off Limits?

Antiwon Jacobs | © ERO Insider

Jacobs said APPA and LPPC oppose the use of cloud-based technology for controlling energy management systems and supervisory control and data acquisition “at this time.”

The groups also said CSPs should not result in the removal of “critical layers of defense to [physical access control systems] and [electronic access control or monitoring systems] such as operational security (physical), access points, authentication servers and key management servers.”

MISO and PPL agreed that those functions should not go to the cloud without more experience.

Truhe said the cloud could have a role in those functions in the future. “I wouldn’t want to take anything off the table at this point,” she said.
