Promise and peril line utilities’ path to cloud computing

By Blake Sobczak | 07/03/2019 06:50 AM EDT

U.S. power utilities are shifting away from dedicated data centers like this one to "cloud" computing spread across multiple sites and virtual machines.

U.S. power utilities are crafting strategies for shifting their operations to the cloud, a once-unthinkable move filled with promise but dogged by questions about security and compliance.

Cloud technology uses a virtual layer of software to marshal physical computing resources like data servers, allowing users to quickly draw the exact amount of processing power they need.

"Utilities are seeing benefits to using virtual machines, virtualization and cloud computing in other parts of their IT areas, so the question is being asked: Can’t we also achieve these efficiencies in the grid?" said Howard Gugel, vice president and director of engineering and standards at the North American Electric Reliability Corp., the nonprofit grid overseer that sets and enforces binding security and reliability standards for U.S. utilities. "That’s causing people to scratch their heads."


For decades, energy companies have relied on fenced-in networking environments like data centers to house sensitive data on grid operations and reliability.

Cloud computing wipes away physical and logical boundaries, boosting flexibility at the expense of simplicity.

"You have shared data, shared processing power, shared [central processing unit] cycles. Everything that was a physical function within a traditional networking environment is now abstracted out," said Tobias Whitney, technical executive for cybersecurity at the Electric Power Research Institute. "While [the cloud] creates tremendous value as it relates to resiliency, operational and technological efficiency, it remains to be seen what unique vulnerability now exists in a heavily virtualized world."

Tobias Whitney, a cybersecurity executive at the Electric Power Research Institute. Photo credit: EPRI

Whitney said he sees interest in cloud computing reaching a "fever pitch" in the utility industry and that he expects some form of regulatory clarity on the issue within the next one or two years.

A committee at NERC is now researching how power companies would apply the technology to the bulk electric grid, building a case for cloud computing before pursuing tweaks to security standards.

In the near term, utilities could tap into the vast computing resources of cloud service providers like Amazon or Microsoft to store and analyze historic grid reliability data, or dive deep into cybersecurity events in a way that can’t be replicated with traditional on-site network infrastructure.

On a longer time frame, experts say utilities could consider cloud hosting for their supervisory control and data acquisition systems, the sensitive networks that monitor and control the flow of electricity on the grid.

At a recent NERC meeting in Orlando, Fla., "there were some pretty constructive critiques saying: ‘Hey, we have to go farther, we have to think through a cloud-based SCADA [supervisory control and data acquisition] system,’" said Bryan Owen, cybersecurity manager at technology vendor OSIsoft, which offers some cloud-based products to energy firms. "The challenge out there for everyone is to be more nimble and agile, and get through this faster. But it’s a pretty conservative industry: I think they want to take it one step at a time."

Gugel said NERC is aiming to be "nimble," but added "we also want to be extra cautious."

"We understand that our grid is being attacked by external forces, and we want to make sure that we maintain reliability and security," he said. "The more you connect that grid into the [internet], the more concern you have about some unknown vulnerability being opened up."

Why not?

At a Federal Energy Regulatory Commission meeting last Thursday, several utility industry executives threw their weight behind the cloud concept, urging regulators at the independent agency to accelerate a shift that’s already underway.

"It’s no longer a question of whether cloud services have a place in industry. Rather, the question is when," said David Rosenthal, director of incident response and systems recovery at the Midcontinent Independent System Operator, which manages bulk power grid operations across 15 states and swaths of central Canada. "FERC and NERC both have a role in this effort."

Michael Ball, chief security officer for utility holding company Berkshire Hathaway Energy, said his organization has been "very conservative about how we embrace [cloud]" but added that the technology is "clearly a path to the future."

NERC’s Critical Infrastructure Protection (CIP) standards put perhaps the biggest question mark over cloud adoption.

While safety rules are written in blood, NERC’s CIP standards are written in blackouts.

When it comes to the crucial control systems that keep the lights on around the United States, regulators at NERC and FERC leave little to chance. Auditors expect large power utilities to carefully monitor and protect their critical "cyber assets," from SCADA workstations to the routers acting as traffic cops for vital data. Grid operators who slip up can incur multimillion-dollar fines.

Cloud technology undercuts a touchstone of the CIP standards: the ability to trace an operational mishap or cyberattack back to a specific, tangible computer.

Many cloud computers exist only as software, with no one discrete computer at their core.

"I could have an environment in my utility where I would have a processor that has the ability to spin up virtual machines, run a process, and then the process is done. It’s gone," Gugel explained.

Asking who last had physical access to a virtual machine is not a meaningful question — on par with asking which Facebook employee got your vacation photos uploaded to Instagram.

NERC has yet to decide how it can audit an abstract technology, and large utilities have so far shied away from hosting sensitive data in the cloud.

The nonprofit regulator, whose cybersecurity rules are set by industry panels and ultimately approved by FERC, could also determine that existing cybersecurity precautions at cloud service providers are adequate, or even lean on existing cloud security standards, such as the Federal Risk and Authorization Management Program for agencies like the Department of Energy.

"The utility industry is saying, ‘Why not us? If it’s good enough for the government, why isn’t it good enough for us?’" Whitney said.

Another way to clear the sky for cloud technology could be to convince cloud service providers to hire CIP consultants and agree to subject themselves to NERC’s standards, becoming "registered entities" on par with large power utilities and transmission operators, Whitney suggested.

In the event of a security breach — say, from the APT10 or CloudHopper threat — cloud service providers would be held responsible, and their utility customers would be off the hook (Energywire, Jan. 4).

‘Better, cheaper, faster’

Cloud technology has already found widespread adoption at the grid’s edge, from electric vehicle charging stations to "smart" solar panels that chat with one another along virtualized channels.

Gas pipelines — with their perceived lower cyber risk profile than the electric transmission grid — could also provide an early testing ground for cloud technology in operational environments, according to Tamara Anderson, vice president of corporate strategy and general counsel at industrial cybersecurity firm PAS Global.

"Internet of things" devices along pipeline routes are already channeling information back to corporate hubs for further analysis.

"The flow of data from IoT devices and sensors monitoring pipelines will overtake the flow of fuel running through them," Anderson predicted. "All that big data is prime for leveraging the computing power that cloud services can provide."

Power utilities haven’t trusted cloud computing that far. A 2015 study from EPRI, while lauding the service’s potential benefits, called cloud computing "as much a research topic as it is a market offering," warning that "complex computing systems are prone to failure and security compromise."

Utilities may soon use cloud computing to house encrypted grid operational data, although regulators are still taking a slow-and-steady approach.

"You’ve got to look at it with that skeptical eye," Gugel said. "Sometimes ‘better, cheaper, faster’ isn’t always more secure."

Brenda Lyn Truhe, senior manager for NERC CIP at Pennsylvania Power & Light, told FERC commissioners last Thursday that cloud technologies "can have major benefits" if used securely. That means frequent monitoring of any cloud service providers and careful contract language.

"We have to make sure we don’t have that ‘Wizard of Oz’ situation where somebody’s just behind the curtain saying, ‘Trust me,’" she said.