US grid rules preclude reliability, security benefits of cloud computing, experts warn


Cloud technologies could provide significant cost, security and reliability benefits to the U.S. electric grid but critical infrastructure rules do not allow them to be used for certain larger assets, multiple speakers said Thursday at the Federal Energy Regulatory Commission’s annual reliability conference.

The Critical Infrastructure Protection rules, or CIP, are managed by the North American Electric Reliability Corp. and currently require grid asset owners to have certain control or knowledge of the devices operating their software. Cloud computing makes that difficult or impossible, experts agreed, in particular for what are known as high- or medium-impact grid assets.

Current NERC standards “do not provide clear guidance” on how regulated entities can implement new technologies that may not have been envisioned by the current CIP rules, Joseph Mosher, portfolio manager at EDF Renewables, told the commission. “Attempts to incorporate newer technology into the NERC CIP standards can be painful and time consuming,” he said.

Experts expressed concerns over the outdated CIP rules, at a time when grid officials say they face growing threats.

“One can definitely make the argument that the grid is less secure today than it would be” if cloud computing solutions were allowed, “and that gap is growing every day,” security consultant Tom Alrich said. “This is the biggest problem with NERC CIP today.”

A related problem — that important information about those systems can’t today be stored in the cloud — will be fixed beginning next year when two revised CIP standards come into effect, he said.

A sector under attack

The cyber threat to the electric power sector is growing, and grid officials say they must utilize new tools to counter it.

“The electricity sector is under constant attack by nation states and organized criminals. We see billions of attempts a day to survey our networks, identify vulnerabilities or gaps in protection, steal credentials or data, or exact a ransom,” Manny Cancel, senior vice president and CEO of the Electricity Information Sharing and Analysis Center, told regulators…
