2020-03928. Virtualization and Cloud Computing Services  

    AGENCY:

    Federal Energy Regulatory Commission, Department of Energy.

    ACTION:

    Notice of inquiry.

    SUMMARY:

    The Federal Energy Regulatory Commission (Commission) seeks comments regarding the potential benefits and risks associated with the use of virtualization and cloud computing services in association with bulk electric system operations, as well as whether barriers exist in the Commission-approved Critical Infrastructure Protection Reliability Standards that impede the voluntary adoption of virtualization or cloud computing services.

    DATES:

    Initial Comments are due April 27, 2020, and Reply Comments are due May 27, 2020.

    ADDRESSES:

    Comments, identified by docket number, may be filed in the following ways:

    • Electronic Filing through http://www.ferc.gov. Documents created electronically using word processing software should be filed in native applications or print-to-PDF format and not in a scanned format.
    • Mail/Hand Delivery: Those unable to file electronically may mail or hand-deliver comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE, Washington, DC 20426.
    • Instructions: For detailed instructions on submitting comments, see the Comment Procedures Section of this document.

    FOR FURTHER INFORMATION CONTACT:

    Patricia Ephraim Eke, (Technical Information), Office of Electric Reliability, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-8388, Patricia.Eke@ferc.gov.

    Kevin Ryan, (Legal Information), Office of the General Counsel, Federal Energy Regulatory Commission, 888 First Street NE, Washington, DC 20426, (202) 502-6840, Kevin.Ryan@ferc.gov.

    SUPPLEMENTARY INFORMATION:

    1. In this Notice of Inquiry (NOI), the Commission seeks comments on the potential benefits and risks associated with the use of virtualization and cloud computing services in association with bulk electric system operations. In addition, the Commission seeks comment on whether barriers exist in the Critical Infrastructure Protection (CIP) Reliability Standards, which are developed by the North American Electric Reliability Corporation (NERC) and approved by the Commission, that impede the voluntary adoption of virtualization or cloud computing services.

    2. This NOI is an outgrowth of discussions concerning the potential benefits and risks associated with the adoption of virtualization and cloud computing services for bulk electric system operations at the Commission's June 27, 2019 Reliability Technical Conference and the March 28, 2019 Commission/Department of Energy (DOE) Security Investments for Energy Infrastructure Technical Conference.[1]

    3. The Commission intends to use the record developed in this proceeding to determine whether it would be appropriate, pursuant to section 215(d)(5) of the Federal Power Act, to direct that NERC develop modifications to the CIP Reliability Standards to facilitate the voluntary adoption of virtualization and cloud computing services by registered entities.[2]

    I. Background

    A. Virtualization

    4. Virtualization is the process of creating virtual, as opposed to physical, versions of computer hardware to minimize the amount of physical computer hardware resources required to perform various functions.[3] Virtualization is commonly used in business applications and is managed through centralized software, referred to as a hypervisor, that manages multiple virtual computer resources that can be used by different processes, customers, clients, and users. A virtual environment can be a single program and the operating system on which it executes, or a combination of multiple programs and associated operating systems, networks, computing environments, storage devices, or other such digital environments.

    5. Virtualization can be used on a stand-alone basis in a bulk electric system control center environment to reduce capital and operating costs, increase the efficiency of existing computing assets, and improve incident recovery, among other reasons. Virtualization offers the potential for cost savings in asset management, including minimizing the need for physical assets, which require building space and procuring and maintaining physical computer hardware. A virtualized system can also be more quickly recovered than physical systems in the event of a malfunction or compromise.

    6. Virtualization is a necessary technical enabler if the functions of BES Cyber Systems are to be moved to a cloud computing environment since a customer choosing to migrate one or more on-premise systems to the cloud will need to virtualize those systems for use in the cloud.[4]

    B. Cloud Computing

    7. The National Institute of Standards and Technology (NIST) Information Technology Laboratory Computer Security Resource Center defines cloud computing as a “model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” [5]

    8. The primary cloud service models include Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). These three cloud service models provide different levels of flexibility and control to organizations choosing to use cloud computing services. Entities may use cloud computing services for the simple storage of data or, as discussed above, to host and operate virtual systems used for bulk electric system operations. As a general matter, cloud computing enables entities to focus resources on providing core services, such as transmission or generation of electric energy, while outsourcing the IT infrastructure required to support them.

    9. Leveraging cloud computing services in technology and business processes provides entities the opportunity to realize benefits in their IT operations, including greater scalability, greater flexibility and lower capital investment. Cloud computing services provide computing power and storage at a lower cost than maintaining in-house IT infrastructure while providing the capability for almost instantaneous expansion of services. Other potential benefits from the adoption of cloud computing services include enhanced access to data and applications due to the inherent redundancy and multiple pathways used to access cloud computing services.

    C. Commission Technical Conferences

    10. On June 27, 2019, the Commission held its annual Reliability Technical Conference to discuss four fundamental topics, including the impact of cloud-based services and virtualization on bulk electric system operations, planning and security.[6] The technical conference addressed, among other things: (1) Evolution of cloud computing and virtualization technologies; (2) outsourcing risk; (3) Reliability Standards modifications; (4) appropriate systems for a cloud environment; and (5) security and non-security related benefits.

    11. In general, panelists at the Reliability Technical Conference acknowledged the emergence of virtualization and cloud computing services and indicated that the Commission should take some action to address the use of these technologies for bulk electric system data management. Midcontinent Independent System Operator (MISO) recommended that the Commission further engage industry and cloud service providers in one or more technical conferences to clarify issues and direct timely industry action to establish a way forward with changes to CIP Reliability Standards specifically to accommodate the use of cloud computing services.[7] MISO explained that the benefits of virtualization include enhanced system recovery. In particular, MISO noted that during the past year it was able to recover virtual assets quicker than traditional computing assets when testing backup and recovery processes. American Public Power Association and Large Public Power Council, moreover, stated that if done with care, cloud computing solutions can reduce risk, increase flexibility and improve the security posture of the bulk electric system.[8]

    12. During the Commission/DOE Security Investments for Energy Infrastructure Technical Conference on March 28, 2019, Southwest Power Pool (SPP) urged more flexibility regarding the use of cloud computing. SPP stated that it evaluated a number of products that would enable it to do a better job of protecting system data. SPP asserted the view that the currently-effective CIP Reliability Standards do not allow cloud-based technologies despite the fact that the vast majority of new products from many of its vendors are cloud-based. As an example, SPP stated that it:

    believes that it cannot deploy the required CIP controls for certain system information were it to be stored on externally-hosted servers (i.e., “the cloud”). Yet, we are finding that more and more vendors have flagship products that require all or a portion of CIP system information to be stored off-premises. This was a driving factor in our recent replacement of our service management software and has also been a complicating factor in the evaluation of vulnerability scanning and vulnerability management solutions. Hence, SPP has given weight to solutions that are more expensive or do not provide as much value as some cloud alternatives. The standards should not be so prescriptive as to force SPP to avoid industry trends that have proven to be secure, but not necessarily compliant.[9]

    13. The concerns reflected in the comments from the two recent technical conferences have prompted the issuance of this NOI to seek additional comments on the benefits and risks associated with the use of virtualization and cloud computing services in association with bulk electric system operations. Further, to the extent that there are barriers in the currently-effective CIP Reliability Standards to their use, the Commission seeks comment on whether it is appropriate for the Commission to direct action to facilitate the voluntary adoption of virtualization and cloud computing services.

    II. Request for Comments

    14. In this proceeding, the Commission seeks comments on the potential benefits and risks associated with the use of virtualization and cloud computing services, as well as whether barriers may exist in the CIP Reliability Standards that impede the adoption of virtualization or cloud computing. Specifically, the Commission seeks comments on four general topics as part of this inquiry: (A) Scope of potential use of virtualization and cloud computing services; (B) potential benefits and risks associated with virtualization and cloud computing services; (C) potential impediments to adopting virtualization and cloud computing services; and (D) potential use of new and emerging technologies in the current CIP standards framework.

    15. In the following sections, we pose questions that commenters should address in their submissions. However, commenters need not address every topic or answer every question identified below.

    A. Scope of Potential Use of Virtualization and Cloud Computing Services

    16. As discussed above, virtualization and cloud computing services offer a wide variety of potential uses in the context of users, owners and operators of the bulk electric system. Some entities may choose to utilize the cloud simply for data storage. Other entities may rely on virtualization and cloud storage to operate systems that control one or more core functions. Potential uses may include one or more of the BES reliability operating services described in the Guidelines and Technical Basis section of Reliability Standard CIP-002-5.1a (Cyber Security—BES Cyber System Categorization).[10] Specifically, it is possible that either virtualization or cloud computing services could be leveraged for the following reliability operating services:

    Dynamic Response to BES conditions

    Balancing Load and Generation

    Controlling Frequency (Real Power)

    Controlling Voltage (Reactive Power)

    Managing Constraints

    Monitoring & Control

    Restoration of BES

    Situational Awareness

    Inter-Entity Real-Time Coordination and Communication

    17. Using BES reliability operating services as a point of reference to distinguish among possible applications of virtualization and cloud computing services in bulk electric system operations:

    A1. Identify and discuss which BES reliability operating services referenced above could be implemented in a virtualized environment.

    A2. Identify and discuss which BES reliability operating services referenced above could be implemented in a cloud computing environment.

    A3. Identify and discuss any other BES reliability operating or support services that could be implemented in a virtualized environment.

    A4. Identify and discuss any other BES reliability operating, data storage or support services that could be implemented in a cloud computing environment.

    B. Potential Benefits and Risks Associated With Virtualization and Cloud Computing Services

    18. The Commission seeks comment on the potential benefits and risks associated with virtualization and cloud computing services:

    B1. What are the potential benefits associated with adopting virtualization for the BES reliability operating services identified in response to Questions A1 and A3?

    B2. Are there risks associated with adopting virtualization for the BES reliability operating services identified in response to Questions A1 and A3? If risks exist, discuss whether these risks can be effectively mitigated by a responsible entity.

    B3. What are the potential benefits associated with adopting cloud computing services for the BES reliability operating services, data storage and support services identified in response to Questions A2 and A4?

    B4. Are there risks associated with adopting cloud computing services for the BES reliability operating services, data storage and support services identified in response to Questions A2 and A4? If risks exist, discuss whether these risks can be effectively mitigated by a responsible entity.

    B5. What are the potential benefits of relying on third-party assessments to ensure the secure use of virtualization and cloud computing services for BES reliability operations and support services?

    B6. Discuss any risks associated with relying on third party assessments to ensure the secure use of virtualization and cloud computing services for BES reliability operations and support services and potential solutions to mitigate those risks.

    C. Potential Impediments to Adopting Virtualization and Cloud Computing Services

    19. As discussed above, during the Commission's 2019 annual Reliability Technical Conference, several commenters alluded to the fact that cloud-based offerings continue to increase as vendors are moving more of their services to the cloud.[11] Commenters further asserted that there is uncertainty on how virtualization and cloud computing services can be leveraged within the existing CIP framework. Similarly, at the March 2019 Commission/DOE Security Investments for Energy Infrastructure Technical Conference, a panelist asserted that there is uncertainty among registered entities on whether the CIP Reliability Standards allow cloud-based technologies “despite the fact that the majority of new products from many vendors are cloud-based.” [12]

    20. In light of the concerns expressed at these technical conferences, the Commission seeks comment on potential challenges with how the implementation of virtualization and cloud computing technologies will fit into the framework of the CIP Reliability Standards, and possible solutions to those challenges:

    C1. Provide comment on the validity of the panelists' concern discussed above and discuss the extent to which the trend toward cloud-based services could affect reliable and secure bulk electric system operations.

    C2. Are there any technical challenges in implementing virtualization technology for the BES reliability operating services identified in response to Question A1 that result from the current CIP Reliability Standards? Discuss how the CIP Reliability Standards could be augmented to address these challenges.

    C3. Are there any challenges in implementing virtualization technology for the BES reliability operating services identified in response to Question A1 that result from compliance obligations associated with the CIP Reliability Standards? Discuss how the CIP Reliability Standards could be augmented to address these challenges.

    C4. Are there any technical challenges in implementing cloud computing technology for the BES reliability operating services identified in response to Question A2 that result from the current CIP Reliability Standards? Discuss how the CIP Reliability Standards could be augmented to address these challenges.

    C5. Are there any challenges in implementing cloud computing technology for the BES reliability operating services identified in response to Question A2 that result from compliance obligations associated with the CIP Reliability Standards? Discuss how the CIP Reliability Standards could be augmented to address these challenges.

    D. Potential Use of New and Emerging Technologies in the Current CIP Standards Framework

    21. The Commission seeks comment on potential new and emerging technologies beyond virtualization and cloud computing that responsible entities may be interested in adopting for the BES reliability operating services and if the CIP Reliability Standards would allow these technologies to be adopted.

    D1. In addition to virtualization and cloud computing, discuss whether the CIP Reliability Standards limit the ability to take full advantage of new and emerging technologies for BES reliability operating services. Explain the types of new technologies, the potential benefits and how the CIP Reliability Standards may limit their use.

    III. Comment Procedures

    22. The Commission invites interested persons to submit comments on the matters and issues proposed in this notice, including any related matters or alternative proposals that commenters may wish to discuss. Comments are due April 27, 2020, and Reply Comments are due May 27, 2020. Comments must refer to Docket No. RM20-8-000, and must include the commenter's name, the organization they represent, if applicable, and their address.

    23. The Commission encourages comments to be filed electronically via the eFiling link on the Commission's website at http://www.ferc.gov. The Commission accepts most standard word-processing formats. Documents created electronically using word-processing software should be filed in native applications or print-to-PDF format and not in a scanned format. Commenters filing electronically do not need to make a paper filing.

    24. Commenters that are not able to file comments electronically must send an original of their comments to: Federal Energy Regulatory Commission, Secretary of the Commission, 888 First Street NE, Washington, DC 20426.

    25. All comments will be placed in the Commission's public files and may be viewed, printed, or downloaded remotely as described in the Document Availability section below. Commenters on this proposal are not required to serve copies of their comments on other commenters.

    IV. Document Availability

    26. In addition to publishing the full text of this document in the Federal Register, the Commission provides all interested persons an opportunity to view and/or print the contents of this document via the internet through the Commission's Home Page (http://www.ferc.gov) and in the Commission's Public Reference Room during normal business hours (8:30 a.m. to 5:00 p.m. eastern time) at 888 First Street NE, Room 2A, Washington, DC 20426.

    27. From the Commission's Home Page on the internet, this information is available on eLibrary. The full text of this document is available on eLibrary in PDF and Microsoft Word format for viewing, printing, and/or downloading. To access this document in eLibrary, type the docket number excluding the last three digits of this document in the docket number field.

    28. User assistance is available for eLibrary and the Commission's website during normal business hours from the Commission's Online Support at (202) 502-6652 (toll free at 1-866-208-3676) or email at ferconlinesupport@ferc.gov, or the Public Reference Room at (202) 502-8371, TTY (202) 502-8659. Email the Public Reference Room at public.referenceroom@ferc.gov.

    By direction of the Commission.

    Issued: February 20, 2020.

    Nathaniel J. Davis, Sr.,

    Deputy Secretary.

    Footnotes

    1.  The records of the June 27, 2019 Reliability Technical Conference and March 28, 2019 Commission/DOE conference are available on the Commission's eLibrary document retrieval system in Docket Nos. AD19-13-000 and AD19-12-000, respectively.

    3.  See National Institute of Standards and Technology, Guide to Security for Full Virtualization Technologies, Special Publication 800-125 (Jan. 2011), https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-125.pdf.

    4.  BES Cyber System is defined as “[o]ne or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.” Glossary of Terms Used in NERC Reliability Standards, http://www.nerc.com/files/glossary_of_terms.pdf. The acronym BES refers to the bulk electric system.

    5.  NIST, The NIST Definition of Cloud Computing, Special Publication 800-145 (Sept. 2011), https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf.

    6.  FERC, Notice Inviting Post-Technical Conference Comments, Docket No. AD19-13-000 (Jul. 23, 2019).

    7.  See Reliability Technical Conference, Docket No. AD19-13-000, Tr. 118:6-12 (Rosenthal).

    8.  Tr. 114:12-14 (Jacobs).

    9.  See Nick Brown, Prepared Statement for Commission/DOE Security Investments for Energy Infrastructure Technical Conference, Docket No. AD19-12-000, at 3 (filed Apr. 2, 2019).

    10.  See Reliability Standard CIP-002-5.1a (Cyber Security—BES Cyber System Categorization), Guidelines and Technical Basis at 17-18.

    11.  See June 27, 2019 annual Reliability Technical Conference, Transcript pages 113 and 115-116.

    12.  See March 28, 2019, Commission/DOE Security Investments for Energy Infrastructure Technical Conference, Transcript page 128.

    [FR Doc. 2020-03928 Filed 2-26-20; 8:45 am]

    BILLING CODE 6717-01-P

Document Information

Published:
02/27/2020
Department:
Federal Energy Regulatory Commission
Entry Type:
Notice
Action:
Notice of inquiry.
Document Number:
2020-03928
Dates:
Initial Comments are due April 27, 2020, and Reply Comments are due May 27, 2020.
Pages:
11363-11366 (4 pages)
Docket Numbers:
Docket No. RM20-8-000
PDF File:
2020-03928.Pdf