- Utility security experts interested in utilizing cloud-based solutions are asking the Federal Energy Regulatory Commission (FERC) to certify proposed standards that would shift cybersecurity focus away from onsite data storage.
- "I'd like to see the Commission drive toward directing the cloud" transition, David Rosenthal, director of incident response and systems recovery at Midcontinent ISO (MISO) said at the 2019 Reliability Technical Conference in Washington, D.C. last Thursday. Currently, utilities rely on their own data centers for secure storage, but the process of relying on internal servers is often more expensive and less reliable when used for disaster recovery, as opposed to cloud storage or "virtualization," panelists said.
- The North American Electric Reliability Corporation (NERC) is in the process of crafting a standard to address utility cloud access. The process and subsequent FERC approval is expected to take a year, according to NERC CEO and president Jim Robb.
The plea for action from utilities and grid operator experts highlights the importance of NERC's ongoing project as more actors in the electric power sector see potential benefits from various applications and cost savings of virtual data storage.
While cloud providers like Microsoft Azure or Amazon Web Services (AWS) benefit from economies of scale with their large and geographically diverse data centers, utility-housed data centers are expensive to run and vulnerable to physical damage as well, particularly for smaller utilities, according to Antiwon Jacobs, Chief Information Security Office for the Sacramento Municipal Utility District (SMUD). Southwest Power Pool also brought up the issue of accessing cloud-based solutions at the 2018 Reliability Technical Conference.
Cloud-based solutions could also lead to opportunities in pooling utility cybersecurity experiences and resources, according to panelists at FERC's technical conference. The Pennsylvania-based investor-owned power company, PPL Electric Utilities, has been internally looking at getting more people involved in analyzing cybersecurity incidents through expanded cloud access, Brenda Lyn Truhe, the company's CIP senior manager, told FERC.
If there are "a lot of different companies using the same cloud service provider and ... security appliances deployed, it could almost be crowdsourcing certain types of information" for a potential breach, cyber attack or data loss, she said.
"If you read our standards narrowly, they make it very difficult or impossible for utilities to use cloud services in many areas, and we don't think that's particularly productive," Robb told reporters last week.
NERC has assigned a drafting team to create a standard for protecting data or revising an existing standard to focus more on securing utility information, "which leads you then to be very careful about how you encrypt information," as opposed to securing servers onsite, Robb said. "That would enable utilities to use cloud services in certain areas."
New standards will need to ensure that the programs stored in the cloud are encrypted securely.
"In some cases, cloud-based solutions have inherently strong capabilities in the security space to leverage," Michael Ball, chief security officer of Berkshire Hathaway Energy, told Utility Dive. Cloud-based access is "really not a security-first focus, but it's an enablement, and then we have to apply strong security practices that leverage security capabilities."
As more high-tech solutions are being sought for cybersecurity in the utility sector, the U.S. Senate passed a bill on June 27 as part of the National Defense Authorization Act to enable the use of low-tech, including adding manual controls to the grid, and therefore making it harder to hack. Michael South, Americas regional leader in public sector security for AWS said he is a reformed skeptic of cloud-based security after he was tasked with leading the nation's capitol in a transition to the cloud as Washington DC's deputy chief information security officer two years ago.
"Whether it's a server failure or an old data center failure, you're able to load balance across that through your application, and your customers never see an outage. And then within seconds, the actual infrastructure provides a self-healing opportunity so that when a server fails in one data center, or [the] whole data center failed, everything will bounce over," South said, explaining the benefits of cloud storage. "This allows you to shift from a reactive disaster recovery risk model to a proactive resilient service model."