As utilities seek to decarbonize and digitize their grids while managing accelerating numbers of grid-connected devices, they need more powerful tools to process and analyze large amounts of data for grid planning and operations. Many utilities view cloud computing as an important enabler of these efforts.
“The cloud represents a paradigm shift in how utilities manage their data and computing abilities,” said Xavier Francia, an EPRI expert in grid cybersecurity. “By working with cloud service providers, utilities can potentially avoid the large expense of operating their own data centers and other computing infrastructure, enabling them to focus more resources on their primary mission—operating the grid safely, reliably, and affordably. Innovation in cloud computing capabilities can drive innovation in how utilities manage their grids.”
A key potential benefit of the cloud is elastic computing — the ability to rapidly expand or decrease computer processing and data storage resources according to real-time need. For example, the need for these resources may increase significantly during a major storm when a utility is addressing outages and informing customers about restoration. In this way, utilities can avoid paying for computing infrastructure that is not used all the time.
According to a 2019 Zpryme survey, 71% of utilities indicated that they are using cloud applications—up from 45% in 2016. In an EPRI poll of 22 utilities in 2020, half said that they expected to use cloud-based transmission and distribution planning applications within the next five years, and 30% expected to use cloud-based tools to manage and control distributed energy resources, such as electric vehicle charging infrastructure, energy storage, and distributed rooftop solar.
Despite the rapid move toward cloud computing in the electric power industry, cybersecurity is a major concern. By migrating grid applications to the cloud, utilities are relinquishing some security responsibilities to a third party. Indeed, 79% of respondents in the Zpryme survey said that security is a barrier to expanding cloud applications. The EPRI poll revealed that a main challenge was compliance with the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection Standards, which are regulations that address the cybersecurity of assets essential to grid reliability. In addition, recent cyber events—such as the SolarWinds software hack that impacted government and corporate computer networks—point to a need for closer coordination among organizations and their vendors to broaden cybersecurity assurances across supply chains.
Recognizing these concerns, EPRI has launched research to advance the state of the art in security for utility applications hosted in the cloud. In April 2020, EPRI started a working group for utilities, cloud service providers, and vendors to discuss how they can work together to protect these applications and enhance supply-chain security, and how NERC security standards may apply to cloud-based platforms. Participants include 22 power companies as well as major cloud service providers such as IBM, Microsoft, and Amazon Web Services. They collaborated on a white paper that identifies clarifications needed in the NERC standards, determines necessary updates to utility security plans, and examines how cloud service providers’ tools can support security.
“The cloud service providers understand the importance of cybersecurity in utility grid applications and are engaged with the working group to find solutions,” said Francia. “There’s agreement among the group members that responsibility for security needs to be shared among utilities, cloud service providers, and vendors. It’s essential that all parties involved understand the exact delineation of responsibilities and that utilities are equipped with the tools and knowledge to carry out cybersecurity requirements in the cloud.”
As part of a new project, EPRI plans to create cloud security reference architectures, which include security guidance and diagrams that describe how a utility and a cloud service provider can work together, using processes and technologies to secure particular grid applications. The architectures will recommend security controls, the entity responsible for those controls, approaches to implement them, NERC compliance considerations, and existing cloud service provider tools that could help.
If a utility wants to pursue a particular application in the cloud, it can use the results of this research to identify the risks and determine the security measures that it needs to implement to meet its business objectives, operational requirements, and compliance obligations. The idea is to inform utilities in selecting the most appropriate cloud services for their applications.
“For a successful cloud journey, it is important for a utility to carefully select cloud services and understand their implications for security and compliance,” said Francia. “The security considerations we identify in this project can reveal what security investments must be made to migrate a particular application to the cloud.”
- Project Description: Cloud Security Reference Architecture for Real-time Utility-Based Applications
- Managing Cloud Storage and Bulk Electric System Cyber System Information
- Secure Cloud Reference Architecture for Real-Time Utility-Based Applications
- Zpryme Survey: The Acceleration of Cloud Computing for Utilities
- EPRI Whitepaper: Understanding Low-impact BES Cyber System NERC CIP Requirements for Cloud