Citing “general agreement” within the electric industry about the potential benefits of virtualization and cloud computing services, FERC on Thursday ordered NERC to make an informational filing on possible modifications to the critical infrastructure protection (CIP) reliability standards to allow their use (RM20-8).
Thursday’s order follows a Notice of Inquiry issued by FERC in February and a separate order requiring NERC to provide regular updates on two existing standard development projects — 2016-02 (Modifications to CIP standards) and 2019-02 (BES cyber system information access management) — relating to the same issues (RD20-2). (See FERC Sets Inquiry on Virtualization, Cloud Services.)
The commission requested comment from industry players on four topics:
- The scope of potential use of virtualization and cloud computing services;
- Potential benefits and risks associated with these services;
- Potential obstacles to adopting virtualization and cloud computing, including barriers posed by existing CIP standards; and
- Potential use of new and emerging technologies in the current CIP standard framework.
FERC said the 26 comments and three reply comments “generally [supported] the voluntary use of virtualization and cloud computing services provided the risks associated with these technologies are mitigated.” It also said it was satisfied that projects 2016-02 and 2019-02 will “facilitate [their use] by clarifying their compliance treatment” in the CIP standards.
However, the commission questioned whether applications that the standard drafting teams (SDTs) for the projects are considering permitting would meet the needs that respondents envisioned.
Industry Wants Freer Hand in Cloud
In particular, industry participants indicated they would like to use third-party cloud services “for purposes beyond data storage (i.e., to perform [bulk electric system] reliability operating services).” But many complained that their ability to utilize such services is hampered by the current CIP standards, and is likely to remain so even after the SDTs complete their work.
For example, the American Public Power Association and the Large Public Power Council said in a joint filing that their members have “experienced objections by certain regional entities at the compliance level to evidence of security practices undertaken by CSPs [cloud service providers],” on the grounds that the CSPs are outside the members’ control. The organizations urged NERC to consider expanding the scope of the CIP standards to provide entities more flexibility in the tools they can use.
The National Rural Electric Cooperative Association (NRECA) agreed that “many … support services could be implemented in a cloud computing environment” beyond data storage. Examples include electronic access control or monitoring systems and physical access control and monitoring systems, endpoint detection and response tools, and security information and event management tools.
NRECA acknowledged risks associated with the use of cloud computing for these purposes — most notably the potential to expose an entity’s network assets to outside risks. It also acknowledged the potential loss of control over the CSP’s services, reliance on internet connectivity and the possibility of increased outage time when a cloud-based system goes down. However, the organization said many of its members believed that with appropriate infrastructure and security measures they “could utilize the cloud at least as effectively as private infrastructure, if not more so.”
NERC and the regional entities filed a joint comment recognizing that there “may be benefits to using these technologies,” though they also reminded the commission that many risks would need to be mitigated before they are implemented, “particularly with respect to BES reliability operating services.” The ERO emphasized its willingness to work with industry groups to improve reliability standards and said the NOI comments should help with these efforts.
Commission Seeks More Information
In its order, FERC agreed that expanding cloud computing services to include BES reliability operating services and other uses could bring benefits including “cost savings and enhanced security and resilience features” that registered entities may not be able to achieve otherwise. But it also agreed with NERC that the risks and benefits of permitting such use should be fully evaluated before any serious attempts to facilitate them are made.
As a result, the commission ordered NERC to “assess the feasibility of voluntarily conducting BES operations in the cloud in a secure manner” and how the CIP standards could be modified to allow this. Commissioners urged NERC to take the NOI comments into consideration — including potential security benefits of off-site virtualization and cloud computing, risks of storage of bulk electric system cyber system information outside a registered entity’s country, and allowing entities to conduct their own reliability risk assessments related to cloud computing. FERC also told NERC to consider whether a new audit process may be necessary to ensure that entities using CSPs are still in compliance with CIP standards.
The informational filing is due to the commission by Jan. 1, 2022.