With the potential benefits of leveraging cloud technology, what exactly is bogging down adoption of cloud computing in the utilities sector? Despite the other benefits that include cost reduction, increased computing power, and near real-time scalability, virtualization still presents a problem, particularly for the public utilities sector. Primarily due to the risks involved in virtualizing any infrastructure critical to national security, economic security, and/or public health and safety, the utilities sector has thus far seen a slower adoption of cloud technology. In fact, according to the North American Electric Reliability Corporation (NERC), the primary inhibitors of cloud adoption by electric utilities remain concerns surrounding cybersecurity, data privacy, and regulatory compliance.
Cyber-attacks are increasing in frequency and magnitude, and the utilities sector is not immune. In fact, electric utilities in particular may be at even greater risk. Though there has not yet been a catastrophic cyber event—e.g., major loss of life, significant economic impact, etc.—that has involved public utilities to date, there have been several recent attacks that, if left unchecked, could possibly reach catastrophic proportions.
In March 2019, hackers exploited a firewall vulnerability at a U.S. electric utility, during which they repeatedly rebooted firewall devices and effectively caused a denial-of-service for over 10 hours. While this event did not cause any blackouts, each time a firewall was rebooted, the control center lost contact with that part of the grid, creating communication outages between the control center and multiple remote power generation sites. It was reported that the utility had not installed a firmware update that would have patched the vulnerability, but once the patch was applied, the outages stopped.
Blackouts were triggered five years ago in 2015, when hackers compromised the Ukraine electrical grid, leaving over 225,000 customers without power for several hours. To infiltrate the three electric utilities, hackers utilized a variety of techniques, including targeted phishing campaigns, theft of credentials to gain access to the VPN network and subsequently to the utilities’ production environment, firmware attacks on communication devices, scheduled disconnects of the utilities’ uninterrupted power supply (UPS), and the flooding of one utility’s customer service line to cause a denial-of-service, thereby frustrating customers further.
"The lessons learned from both events reiterate the need for both preventive and detective controls regarding cybersecurity"
The lessons learned from both events reiterate the need for both preventive and detective controls regarding cybersecurity, including network segmentation, logging and monitoring, multifactor authentication, encrypted backups of critical systems and data, a limit on remote access, patches for known vulnerabilities on the most critical assets, and up-to-date antivirus tools, among others. These are the same controls that any organization with a cybersecurity mindset should implement, though there is certainly a degree of urgency for the utilities sector.
Because, the unfortunate reality is that if grid data is compromised during a cyber event, then the entire electrical grid could be vulnerable. In the Ukraine attack, after gaining access to the system, hackers used exfiltrated data and information to devise a plan to bring down the grid. As such, grid data is both operational, and perhaps just as sensitive as trade secrets and classified information.
Regardless of whether this data is residing in the cloud, three important considerations for any organization that handles sensitive data—public utility or otherwise—are the confidentiality, integrity, and availability of that data. But public utilities must also consider data criticality, particularly when it comes to grid data. While availability is more concerned with the timeliness and reliability of data, criticality goes a step further with an added emphasis on evaluating the potential risks and consequences related to data loss and data exfiltration—e.g., the impact on customers, the environment, public safety, etc.—all things that mightily affect the business of a public utility.
Though it is increasingly apparent just how much public utilities need the added protection and efficiency of cloud tech, perhaps the biggest inhibitor of cloud adoption by those in the industry is regulatory compliance. Currently, the NERC Critical Infrastructure Protection (CIP) standards do not explicitly prohibit Bulk Electric System cyber systems (BCS) and cyber assets in the cloud. In their information protection program(s), registered entities must specify requirements to protect BCS, including any BCS in the cloud, against compromises that could lead to inoperability or instability in the electrical grid. Additionally, the registered entity must be able to assess the cloud service provider’s (CSP) compliance with those specified requirements.
However, NERC CIP standards must be considered collectively. While a registered entity may easily comply with the less prescriptive NERC CIP standards related to maintaining an information protection program, the compliance nightmare occurs when a registered entity must evidence that a control was performed each time it was required, as specified in the more rigid requirements of the NERC CIP standards. When a CSP is utilized, how can a registered entity possibly evidence that a control was performed each time it was required at the CSP? Undoubtedly, most CSPs would not contractually agree to provide this level of assurance.
Given this difficulty in the reconciliation of standards, NERC’s Compliance Input Working Group and Standards Drafting Team have been researching and developing implementation guidance related to cloud security and virtualization since 2016. However, as of March 2020, no official guidance or standards have been promulgated.
"critical questions must be answered regarding how cloud adoption can help utilities achieve specific business objectives"
But before compliance difficulties can even be addressed, cloud adoption must even be attempted, and such a transition must be attempted properly in order to actually glean the many benefits of such a shift in infrastructure. Rather than taking a holistic, enterprise-wide approach, companies may underestimate the complexity of cloud migration or adopt cloud technology without considering organizational interdependencies. In reality, critical questions must be answered regarding how cloud adoption can help utilities achieve specific business objectives, as the lack of careful consideration of such could, at best, lead to operational inefficiency, and at worst, have detrimental public health and safety consequences—not only that, but ineffective or inefficient adoption of cloud technology could also wipe out any potential cost savings that the idea presents.
Financial efficiency is not the only advantage to possible cloud adoption, and despite the compliance hurdles to leap, public utilities could stand to benefit substantially in other ways as well, particularly in capturing, analyzing, and storing big data generated by smart grid technologies. Additionally, the ability to quickly and easily scale up and scale down computing resources in response to changes in demand has distinct cost-saving advantages over traditional IT capacity forecasting and planning.
Provided that appropriate service level agreements are established and periodically assessed for compliance, CSPs may also help public utilities increase operational efficiency, especially in areas that tend to be common pain points such as vulnerability management and patch management. With the shared-responsibility model of cloud computing, public utilities may then focus more of their resources on what they do best– providing energy resources to the public. In turn, CSPs can focus on what they do best – providing and maintaining varying levels of infrastructure and systems, depending on the cloud model chosen.
Right now, NERC-registered entities are ultimately responsible for their own CIP compliance obligations. However, in a cloud model, registered entities inherit the CSP’s security controls for the underlying infrastructure, and a typical CSP undergoes at least one, and more often, multiple independent third-party assessments—including SOC 2 and FedRAMP. The SOC 2 examination provides assurances relating to the CSP’s ability to achieve its principal service commitments and system requirements, while FedRAMP is utilized by federal agencies to assess, authorize, and continuously monitor security compliance for cloud products and services. Additionally, the AICPA recently introduced the new SOC for Cybersecurity examination that can be utilized to report on the effectiveness of an organization’s cybersecurity risk management program. If an organization opts for SOC for Cybersecurity, they may choose from a number of benchmarks to evaluate the effectiveness of its cybersecurity risk management controls, including perhaps, NERC CIP. As a result, there may not need to be a need to re-invent the third-party assessment compliance wheel.
Though, to date, the industry itself has been slow to adopt, the public utilities sector stands to benefit immensely from cloud computing. While complications remain in terms of virtualization and compliance, the recent uptick in cyberattacks suggests that the good certainly outweighs the potential headache if the process and transition are attempted with a holistic approach, especially since compliance options already exist and continue to emerge.
About the AuthorMore Content by Schellman Compliance