The Federal Energy Regulatory
Commission (FERC) is seeking comments on the potential benefits and risks
associated with the use of virtualization and cloud computing services in the
operation of the nation’s bulk electric system. Today’s Notice of Inquiry (NOI)
asks whether the Commission’s Critical Infrastructure Protection (CIP)
Reliability Standards allow for these technology advancements and balance the
innovations with security requirements.
The Commission will use the NOI to decide whether to direct the North American Electric Reliability Corporation (NERC) to develop modifications to the CIP reliability standards to facilitate the use of virtualization and cloud computing by grid users and operators. The NOI is an outgrowth of discussions at the Commission’s June 2019 technical conference on reliability and the March 2019 joint technical conference with the Department of Energy on security investments for energy infrastructure.
“We want to create an environment that allows and encourages innovation and new technologies to flourish,” said Chairman Neil Chatterjee. “At the same time, our cybersecurity standards must clearly address new technologies and help define when and where they could be used.”
Virtualization is the process of creating virtual versions of computer hardware to minimize the amount of physical computer hardware resources needed to perform various functions. It is considered necessary if the functions of grid cyber systems are to be moved to a cloud computing environment. While some entities might use the cloud simply for data storage, others may rely on virtualization and cloud storage in tandem to operate systems that control one or more core functions of the power grid.
The NOI poses questions on four general topics: the scope of potential use of virtualization or cloud computing, their associated benefits and risks, possible impediments to their implementation, and potential new and emerging technologies beyond virtualization and cloud computing that responsible entities may be interested in adopting.
Comments are due 60 days after publication of the NOI in the Federal Register. Reply comments are due 30 days later. In conjunction with today’s NOI issuance, the Commission directed NERC to make an informational filing, to be followed by quarterly updates, describing work on two draft CIP standards pertaining to virtualization and cloud computing services. The initial filing is due within 30 days, with additional updates required on a quarterly basis.