Cloud technologies could provide significant cost, security and reliability benefits to the U.S. electric grid but critical infrastructure rules do not allow them to be used for certain larger assets, multiple speakers said Thursday at the Federal Energy Regulatory Commission’s annual reliability conference.
The Critical Infrastructure Protection rules, or CIP, are managed by the North American Electric Reliability Corp. and currently require grid asset owners to have certain control or knowledge of the devices operating their software. Cloud computing makes that difficult or impossible, experts agreed, in particular for what are known as high- or medium-impact grid assets.
Current NERC standards “do not provide clear guidance” on how regulated entities can implement new technologies that may not have been envisioned by the current CIP rules, Joseph Mosher, portfolio manager at EDF Renewables, told the commission. “Attempts to incorporate newer technology into the NERC CIP standards can be painful and time consuming,” he said.
Experts expressed concerns over the outdated CIP rules, at a time when grid officials say they face growing threats.
“One can definitely make the argument that the grid is less secure today than it would be” if cloud computing solutions were allowed, “and that gap is growing every day,” security consultant Tom Alrich said. “This is the biggest problem with NERC CIP today.”
A related problem — that important information about those systems can't today be stored in the cloud — will be fixed beginning next year when two revised CIP standards come into effect, he said.
A sector under attack
The cyber threat to the electric power sector is growing, and grid officials say they must utilize new tools to counter it.
“The electricity sector is under constant attack by nation states and organized criminals. We see billions of attempts a day to survey our networks, identify vulnerabilities or gaps in protection, steal credentials or data, or exact a ransom,” Manny Cancel, senior vice president and CEO of the Electricity Information Sharing and Analysis Center, told regulators Thursday. The E-ISAC is operated by NERC.
China is the biggest cyber threat to the U.S. grid, Cancel said, followed by Russia.
“China will continue to target critical infrastructure here in the U.S., to grow their knowledge and identify access points for future use,” he said. Hackers are constantly looking to exploit vulnerabilities in enterprise software platforms “that are used pervasively across the electricity industry,” he added.
The database of cyber vulnerabilities maintained by the National Institute of Standards and Technology is on pace to report over 27,000 vulnerabilities in 2023, Cancel said, representing a 25% increase over 2022, and “many of them are critical.”
Those vulnerabilities can combine with the rapid expansion of grid-connected assets to create a threat-rich environment, experts agreed.
The rate at which smaller generators, such as solar, wind and batteries, are connecting to the grid is multiplying not only the number of generators but also the vendors necessary to support the infrastructure, Mosher added. “In many cases” these new vendors may not fully support on-premises solutions “and instead require a full or partial cloud implementation, potentially making the generator owner noncompliant with NERC CIP,” he said.
‘These tools cannot be used’
Some of ISO New England’s most robust security tools are not allowed to protect certain electric system assets because they use cloud technology, said Rudolf Pawul, vice president of information and cyber security services for the grid operator.
“Traditional log monitoring and malware detection is insufficient in the face of modern threats,” Pawul said. The ISO “has augmented its traditional security tools with learning-enabled endpoint detection, backed by world class threat hunters, and similar tools for application performance monitoring that aids with anomaly detection. Unfortunately, these tools cannot be used for several ISO New England systems, including some of the most important ones.”
ISO New England has submitted a standards authorization request to NERC “with the hope that the standards can be revised to allow the use of cloud-based services,” Pawul said. “Despite the broad support and a positive reception from both NERC and [the Northeast Power Coordinating Council] the CIP revision process will take years.”
Pawul also said the process of integrating new technologies — not just cloud computing — should be reviewed.
“Whether it is artificial intelligence, quantum computing or the next disruptive technology, the industry will again be at a disadvantage unless it adapts. ... the energy industry must assess the ramifications of the CIP standards on disruptive technology sooner [and] reduce the time spent to make revisions, or create a process for compliance exceptions within the CIP reliability standards,” Pawul said.
The need for cloud computing solutions on the power grid extends beyond security, experts said.
Decarbonization will require cloud computing
Cloud technologies “are key in augmenting security teams’ abilities, with increased visualization, automation and resilience,” Maggy Powell, security assurance principal for the power and utility sector at Amazon Web Services, told the commission. But beyond that, the operational demands of decarbonization, decentralization and digitalization “translate to a more than 100 times increase in data volumes to reliably operate the grid, making computing capacity essential,” she said.
Cloud computing can offer utilities opportunities to gather instructive information from the new data “and create value for applications such as predictive maintenance, outage management, power flow analysis and other operational applications,” Powell said.
The last complete update of NERC CIP standards was finished in 2017, and that endeavor took more than eight years, Alrich said. Because of the critical nature of cloud computing, he said a solution will likely be developed much sooner.
“This is one of those cases where the vendors’ interests and the users’ interests and the regulators’ interests are all the same,” Alrich said. “There's got to be a way this can be done sooner than eight or nine years ... Pretty soon there's not going to be any software to run on premises anymore.”