By Holden Mann

FERC on Thursday issued a Notice of Inquiry seeking industry comments on the “potential benefits and risks” to the bulk electric system posed by virtualization and cloud computing services (RM20-8). Separately, the commission ordered NERC to provide information on two existing draft critical infrastructure protection (CIP) reliability standards relating to the same topics (RD20-2).

The NOI issued at the commission’s open meeting builds off of discussions at the commission’s annual technical conference on reliability last year, as well as a tech conference on security investments for energy infrastructure in March 2019 sponsored by FERC and the Department of Defense. (See Reliability Conference: Deterrence or Collaboration?)

Industry Input Sought on Cloud Services

FERC is requesting comment from industry players on four topics:

• The scope of potential use of virtualization and cloud computing services;
• Potential benefits and risks associated with these services;
• Obstacles to adopting virtualization and cloud computing posed by existing CIP standards; and
• Possible uses of new and emerging technologies in the current CIP standards framework.

FERC said comments submitted will inform its decision on whether to direct NERC to modify CIP standards to facilitate the use of virtualization and cloud computing by operators, addressing a key shortcoming identified by commissioners in the existing framework.

“The currently effective CIP reliability standards were developed in an era when registered entities would procure, manage and use their own computing systems to facilitate reliable bulk electric system operations,” Patricia Eke, with the Office of Electric Reliability, said in a presentation to the commission at its open meeting. “Thus, the development of the reliability standards did not contemplate explicitly how such computing systems could be deployed in a cloud computing environment.”

Comments are due 60 days after the NOI’s publication in the Federal Register.

NERC to Provide CIP Standard Updates

In conjunction with the NOI, the commission also directed NERC to make an informational filing describing work on Projects 2016-02 and 2019-02, including their current status, interim target dates and anticipated filing dates for new standards. NERC must submit its informational filing within 30 days of the issuance of the order, with quarterly status updates until new standards are filed.

Project 2016-02 was started in 2016 in response to a directive in FERC Order 822 relating to the protection of transient electronic devices used in low-impact BES cyber systems. Eke said FERC sought more information on it because “the standard authorization request for the project … includes matters beyond Order 822 directives, including industry-requested revisions to support the use of virtualization technologies by registered entities.”

Project 2019-02 launched last year and is intended to improve BES reliability by providing entities with more options for managing their BES cyber system information. FERC required the informational filing because of its mandate to address third-party storage and analysis systems and clarify protections expected when using such solutions.

“It’s pretty clear from the two technical conferences we’ve had on this issue that this is where the industry is heading: towards more cloud computing, more virtualization. And I think it’s just as important from our perspective to make sure this transition is done in a safe and secure and, obviously, reliable manner,” Commissioner Richard Glick said.