[Federal Register Volume 85, Number 39 (Thursday, February 27, 2020)]
[Notices]
[Pages 11363-11366]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-03928]


-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

Federal Energy Regulatory Commission

[Docket No. RM20-8-000]


Virtualization and Cloud Computing Services

AGENCY: Federal Energy Regulatory Commission, Department of Energy.

ACTION: Notice of inquiry.

-----------------------------------------------------------------------

SUMMARY: The Federal Energy Regulatory Commission (Commission) seeks 
comments regarding the potential benefits and risks associated with the 
use of virtualization and cloud computing services in association with 
bulk electric system operations, as well as whether barriers exist in 
the Commission-approved Critical Infrastructure Protection Reliability 
Standards that impede the voluntary adoption of virtualization or cloud 
computing services.

DATES: Initial Comments are due April 27, 2020, and Reply Comments are 
due May 27, 2020.

ADDRESSES: Comments, identified by docket number, may be filed in the 
following ways:
     Electronic Filing through http://www.ferc.gov. Documents 
created electronically using word processing software should be filed 
in native

[[Page 11364]]

applications or print-to-PDF format and not in a scanned format.
     Mail/Hand Delivery: Those unable to file electronically 
may mail or hand-deliver comments to: Federal Energy Regulatory 
Commission, Secretary of the Commission, 888 First Street NE, 
Washington, DC 20426.
     Instructions: For detailed instructions on submitting 
comments, see the Comment Procedures Section of this document.

FOR FURTHER INFORMATION CONTACT:
Patricia Ephraim Eke, (Technical Information), Office of Electric 
Reliability, Federal Energy Regulatory Commission, 888 First Street NE, 
Washington, DC 20426, (202) 502-8388, [email protected]
Kevin Ryan, (Legal Information), Office of the General Counsel, Federal 
Energy Regulatory Commission, 888 First Street NE, Washington, DC 
20426, (202) 502-6840, [email protected].

SUPPLEMENTARY INFORMATION: 1. In this Notice of Inquiry (NOI), the 
Commission seeks comments on the potential benefits and risks 
associated with the use of virtualization and cloud computing services 
in association with bulk electric system operations. In addition, the 
Commission seeks comment on whether barriers exist in the Critical 
Infrastructure Protection (CIP) Reliability Standards, which are 
developed by the North American Electric Reliability Corporation (NERC) 
and approved by the Commission, that impede the voluntary adoption of 
virtualization or cloud computing services.
    2. This NOI is an outgrowth of discussions concerning the potential 
benefits and risks associated with the adoption of virtualization and 
cloud computing services for bulk electric system operations at the 
Commission's June 27, 2019 Reliability Technical Conference and the 
March 28, 2019 Commission/Department of Energy (DOE) Security 
Investments for Energy Infrastructure Technical Conference.\1\
---------------------------------------------------------------------------

    \1\ The records of the June 27, 2019 Reliability Technical 
Conference and March 28, 2019 Commission/DOE conference are 
available on the Commission's eLibrary document retrieval system in 
Docket Nos. AD19-13-000 and AD19-12-000, respectively.
---------------------------------------------------------------------------

    3. The Commission intends to use the record developed in this 
proceeding to determine whether it would be appropriate, pursuant to 
section 215(d)(5) of the Federal Power Act, to direct that NERC develop 
modifications to the CIP Reliability Standards to facilitate the 
voluntary adoption of virtualization and cloud computing services by 
registered entities.\2\
---------------------------------------------------------------------------

    \2\ 16 U.S.C. 824o(d)(5).
---------------------------------------------------------------------------

Background

A. Virtualization

    4. Virtualization is the process of creating virtual, as opposed to 
physical, versions of computer hardware to minimize the amount of 
physical computer hardware resources required to perform various 
functions.\3\ Virtualization is commonly used in business applications 
and is managed through centralized software, referred to as a 
hypervisor, that manages multiple virtual computer resources that can 
be used by different processes, customers, clients, and users. A 
virtual environment can be a single program and the operating system on 
which it executes; a combination of multiple programs and associated 
operating systems, networks, computing environments, storage devices, 
or other such digital environments.
---------------------------------------------------------------------------

    \3\ See National Institute of Standards and Technology, Guide to 
Security for Full Virtualization Technologies, Special Publication 
800-125 (Jan. 2011), https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-125.pdf.
---------------------------------------------------------------------------

    5. Virtualization can be used on a stand-alone basis in a bulk 
electric system control center environment to reduce capital and 
operating costs, increase the efficiency of existing computing assets, 
and improve incident recovery, among other reasons. Virtualization 
offers the potential for cost savings in asset management, including 
minimizing the need for physical assets, which require building space 
and procuring and maintaining physical computer hardware. A virtualized 
system can also be more quickly recovered than physical systems in the 
event of a malfunction or compromise.
    6. Virtualization is a necessary technical enabler if the functions 
of BES Cyber Systems are to be moved to a cloud computing environment 
since a customer choosing to migrate one or more on-premise systems to 
the cloud will need to virtualize those systems for use in the 
cloud.\4\
---------------------------------------------------------------------------

    \4\ BES Cyber System is defined as ``[o]ne or more BES Cyber 
Assets logically grouped by a responsible entity to perform one or 
more reliability tasks for a functional entity.'' Glossary of Terms 
Used in NERC Reliability Standards, http://www.nerc.com/files/glossary_of_terms.pdf. The acronym BES refers to the bulk electric 
system.
---------------------------------------------------------------------------

B. Cloud Computing

    7. The National Institute of Standards and Technology (NIST) 
Information Technology Laboratory Computer Security Resource Center 
defines cloud computing as a ``model for enabling convenient, on-demand 
network access to a shared pool of configurable computing resources 
(e.g., networks, servers, storage, applications, and services) that can 
be rapidly provisioned and released with minimal management effort or 
service provider interaction.'' \5\
---------------------------------------------------------------------------

    \5\ NIST, The NIST Definition of Cloud Computing, Special 
Publication 800-145 (Sept. 2011), https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf.
---------------------------------------------------------------------------

    8. The primary cloud service models include Infrastructure as a 
Service (IaaS), Platform as a Service (PaaS), and Software as a Service 
(SaaS). These three cloud service models provide different levels of 
flexibility and control to organizations choosing to use cloud 
computing services. Entities may use cloud computing services for the 
simple storage of data or, as discussed above, to host and operate 
virtual systems used for bulk electric system operations. As a general 
matter, cloud computing enables entities to focus resources on 
providing core services, such as transmission or generation of electric 
energy, while outsourcing the IT infrastructure required to support 
them.
    9. Leveraging cloud computing services in technology and business 
processes provides entities the opportunity to realize benefits in 
their IT operations, including greater scalability, greater flexibility 
and lower capital investment. Cloud computing services provide 
computing power and storage at a lower cost than maintaining in-house 
IT infrastructure while providing the capability for almost 
instantaneous expansion of services. Other potential benefits from the 
adoption of cloud computing services include enhanced access to data 
and applications due to the inherent redundancy and multiple pathways 
used to access cloud computing services.

C. Commission Technical Conferences

    10. On June 27, 2019, the Commission held its annual Reliability 
Technical Conference to discuss four fundamental topics, including the 
impact of cloud-based services and virtualization on bulk electric 
system operations, planning and security.\6\ The technical conference 
addressed, among other things: (1) Evolution of cloud computing and 
virtualization of cloud computing and virtualization technologies; (2) 
outsourcing risk; (3) Reliability Standards modifications; (4) 
appropriate systems for a cloud environment; and

[[Page 11365]]

(5) security and non-security related benefits.
---------------------------------------------------------------------------

    \6\ FERC, Notice Inviting Post-Technical Conference Comments, 
Docket No. AD19-13-000 (Jul. 23, 2019).
---------------------------------------------------------------------------

    11. In general, panelists at the Reliability Technical Conference 
acknowledged the emergence of virtualization and cloud computing 
services and indicated that the Commission should take some action to 
address the use of these technologies for bulk electric system data 
management. Midcontinent Independent System Operator (MISO) recommended 
that the Commission further engage industry and cloud service providers 
in one or more technical conferences to clarify issues and direct 
timely industry action to establish a way forward with changes to CIP 
Reliability Standards specifically to accommodate the use of cloud 
computing services.\7\ MISO explained that the benefits of 
virtualization include enhanced system recovery. In particular, MISO 
noted that during the past year it was able to recover virtual assets 
quicker than traditional computing assets when testing backup and 
recovery processes. American Public Power Association and Large Public 
Power Council, moreover, stated that if done with care, cloud computing 
solutions can reduce risk, increase flexibility and improve the 
security posture of the bulk electric system.\8\
---------------------------------------------------------------------------

    \7\ See Reliability Technical Conference, Docket No. AD19-13-
000, Tr. 118:6-12 (Rosenthal).
    \8\ Tr. 114:12-14 (Jacobs).
---------------------------------------------------------------------------

    12. During the Commission/DOE Security Investments for Energy 
Infrastructure Technical Conference on March 28, 2019, Southwest Power 
Pool (SPP) urged more flexibility regarding the use of cloud computing. 
SPP stated that it evaluated a number of products that would enable it 
to do a better job of protecting system data. SPP asserted the view 
that the currently-effective CIP Reliability Standards do not allow 
cloud-based technologies despite the fact that the vast majority of new 
products from many of its vendors are cloud-based. As an example, SPP 
stated that it:

believes that it cannot deploy the required CIP controls for certain 
system information were it to be stored on externally-hosted servers 
(i.e., ``the cloud''). Yet, we are finding that more and more 
vendors have flagship products that require all or a portion of CIP 
system information to be stored off-premises. This was a driving 
factor in our recent replacement of our service management software 
and has also been a complicating factor in the evaluation of 
vulnerability scanning and vulnerability management solutions. 
Hence, SPP has given weight to solutions that are more expensive or 
do not provide as much value as some cloud alternatives. The 
standards should not be so prescriptive as to force SPP to avoid 
industry trends that have proven to be secure, but not necessarily 
compliant.\9\
---------------------------------------------------------------------------

    \9\ See Nick Brown, Prepared Statement for Commission/DOE 
Security Investments for Energy Infrastructure Technical Conference, 
Docket No. AD19-12-000, at 3 (filed Apr. 2, 2019).

    13. The concerns reflected in the comments from the two recent 
technical conferences have prompted the issuance of this NOI to seek 
additional comments on the benefits and risks associated with the use 
of virtualization and cloud computing services in association with bulk 
electric system operations. Further, to the extent that there are 
barriers in the currently-effective CIP Reliability Standards to their 
use, the Commission seeks comment on whether it is appropriate for the 
Commission to direct action to facilitate the voluntary adoption of 
virtualization and cloud computing services.

II. Request for Comments

    14. In this proceeding, the Commission seeks comments on the 
potential benefits and risks associated with the use of virtualization 
and cloud computing services, as well as whether barriers may exist in 
the CIP Reliability Standards that impede the adoption of 
virtualization or cloud computing. Specifically, the Commission seeks 
comments on four general topics as part of this inquiry: (A) Scope of 
potential use of virtualization and cloud computing services; (B) 
potential benefits and risks associated with virtualization and cloud 
computing services; (C) potential impediments to adopting 
virtualization and cloud computing services; and (D) potential use of 
new and emerging technologies in the current CIP standards framework.
    15. In the following sections, we pose questions that commenters 
should address in their submissions. However, commenters need not 
address every topic or answer every question identified below.

A. Scope of Potential Use of Virtualization and Cloud Computing 
Services

    16. As discussed above, virtualization and cloud computing services 
offer a wide variety of potential uses in the context of users, owners 
and operators of the bulk electric system. Some entities may choose to 
utilize the cloud simply for data storage. Other entities may rely on 
virtualization and cloud storage to operate systems that control one or 
more core functions. Potential uses may include one or more of the BES 
reliability operating services described in the Guidelines and 
Technical Basis section of Reliability Standard CIP-002-5.1a (Cyber 
Security--BES Cyber System Categorization).\10\ Specifically, it is 
possible that either virtualization or cloud computing services could 
be leveraged for the following reliability operating services:
---------------------------------------------------------------------------

    \10\ See Reliability Standard CIP-002-5.1a (Cyber Security--BES 
Cyber System Categorization), Guidelines and Technical Basis at 17-
18.

[ssquf] Dynamic Response to BES conditions
[ssquf] Balancing Load and Generation
[ssquf] Controlling Frequency (Real Power)
[ssquf] Controlling Voltage (Reactive Power)
[ssquf] Managing Constraints
[ssquf] Monitoring & Control
[ssquf] Restoration of BES
[ssquf] Situational Awareness
[ssquf] Inter-Entity Real-Time Coordination and Communication

    17. Using BES reliability operating services as a point of 
reference to distinguish among possible applications of virtualization 
and cloud computing services in bulk electric system operations:

    A1. Identify and discuss which BES reliability operating 
services referenced above could be implemented in a virtualized 
environment.
    A2. Identify and discuss which BES reliability operating 
services referenced above could be implemented in a cloud computing 
environment.
    A3. Identify and discuss any other BES reliability operating or 
support services that could be implemented in a virtualized 
environment.
    A4. Identify and discuss any other BES reliability operating, 
data storage or support services that could be implemented in a 
cloud computing environment.

B. Potential Benefits and Risks Associated With Virtualization and 
Cloud Computing Services

    18. The Commission seeks comment on the potential benefits and 
risks associated with virtualization and cloud computing services:

    B1. What are the potential benefits associated with adopting 
virtualization for the BES reliability operating services identified 
in response to Questions A1 and A3?
    B2. Are there risks associated with adopting virtualization for 
the BES reliability operating services identified in response to 
Questions A1 and A3? If risks exist, discuss whether these risks can 
be effectively mitigated by a responsibility entity.
    B3. What are the potential benefits associated with adopting 
cloud computing services for the BES reliability operating services, 
data storage and support services identified in response to 
Questions A2 and A4?
    B4. Are there risks associated with adopting cloud computing 
services for the BES reliability operating services data storage

[[Page 11366]]

and support services identified in response to Questions A2 and A4? 
If risks exist, discuss whether these risks can be effectively 
mitigated by a responsible entity.
    B5. What are the potential benefits of relying on third-party 
assessments to ensure the secure use of virtualization and cloud 
computing services for BES reliability operations and support 
services?
    B6. Discuss any risks associated with relying on third party 
assessments to ensure the secure use of virtualization and cloud 
computing services for BES reliability operations and support 
services and potential solutions to mitigate those risks.

C. Potential Impediments to Adopting Virtualization and Cloud Computing 
Services

    19. As discussed above, during the Commission's 2019 annual 
Reliability Technical Conference, several commenters alluded to the 
fact that cloud-based offerings continue to increase as vendors are 
moving more of their services to the cloud.\11\ Commenters further 
asserted that there is uncertainty on how virtualization and cloud 
computing services can be leveraged within the existing CIP framework. 
Similarly, at the March 2019 Commission/DOE Security Investments for 
Energy Infrastructure Technical Conference, a panelist asserted that 
there is uncertainty among registered entities on whether the CIP 
Reliability Standards allow cloud-based technologies ``despite the fact 
that the majority of new products from many vendors are cloud-based.'' 
\12\
---------------------------------------------------------------------------

    \11\ See June 27, 2019 annual Reliability Technical Conference, 
Transcript pages 113 and 115-116.
    \12\ See March 28, 2019, Commission/DOE Security Investments for 
Energy Infrastructure Technical Conference, Transcript page 128.
---------------------------------------------------------------------------

    20. In light of the concerns expressed at these technical 
conferences, the Commission seeks comment on potential challenges with 
how the implementation of virtualization and cloud computing 
technologies will fit into the framework of the CIP Reliability 
Standards, and possible solutions to those challenges:

    C1. Provide comment on the validity of the panelists' concern 
discussed above and discuss the extent to which the trend toward 
cloud-based services could affect reliable and secure bulk electric 
system operations.
    C2. Are there any technical challenges in implementing 
virtualization technology for the BES reliability operating services 
identified in response to Question A1 that result from the current 
CIP Reliability Standards? Discuss how the CIP Reliability Standards 
could be augmented to address these challenges.
    C3. Are there any challenges in implementing virtualization 
technology for the BES reliability operating services identified in 
response to Question A1 that result from compliance obligations 
associated with the CIP Reliability Standards? Discuss how the CIP 
Reliability Standards could be augmented to address these 
challenges.
    C4. Are there any technical challenges in implementing cloud 
computing technology for the BES reliability operating services 
identified in response to Question A2 that result from the current 
CIP Reliability Standards? Discuss how the CIP Reliability Standards 
could be augmented to address these challenges.
    C5. Are there any challenges in implementing cloud computing 
technology for the BES reliability operating services identified in 
response to Question A2 that result from compliance obligations 
associated with the CIP Reliability Standards? Discuss how the CIP 
Reliability Standards could be augmented to address these 
challenges.

D. Potential Use of New and Emerging Technologies in the Current CIP 
Standards Framework

    21. The Commission seeks comment on potential new and emerging 
technologies beyond virtualization and cloud computing that responsible 
entities may be interested in adopting for the BES reliability 
operating services and if the CIP Reliability Standards would allow 
these technologies to be adopted.

    D1. In addition to virtualization and clouding computing, 
discuss whether the CIP Reliability Standards limit the ability to 
take full advantage of new and emerging technologies for BES 
reliability operating services. Explain the types of new 
technologies, the potential benefits and how the CIP Reliability 
Standards may limit their use.

III. Comment Procedures

    22. The Commission invites interested persons to submit comments on 
the matters and issues proposed in this notice, including any related 
matters or alternative proposals that commenters may wish to discuss. 
Comments are due April 27, 2020, and Reply Comments are due May 27, 
2020. Comments must refer to Docket No. RM20-8-000, and must include 
the commenter's name, the organization they represent, if applicable, 
and their address.
    23. The Commission encourages comments to be filed electronically 
via the eFiling link on the Commission's website at http://www.ferc.gov. The Commission accepts most standard word-processing 
formats. Documents created electronically using word-processing 
software should be filed in native applications or print-to-PDF format 
and not in a scanned format. Commenters filing electronically do not 
need to make a paper filing.
    24. Commenters that are not able to file comments electronically 
must send an original of their comments to: Federal Energy Regulatory 
Commission, Secretary of the Commission, 888 First Street NE, 
Washington, DC 20426.
    25. All comments will be placed in the Commission's public files 
and may be viewed, printed, or downloaded remotely as described in the 
Document Availability section below. Commenters on this proposal are 
not required to serve copies of their comments on other commenters.

IV. Document Availability

    26. In addition to publishing the full text of this document in the 
Federal Register, the Commission provides all interested persons an 
opportunity to view and/or print the contents of this document via the 
internet through the Commission's Home Page (http://www.ferc.gov) and 
in the Commission's Public Reference Room during normal business hours 
(8:30 a.m. to 5:00 p.m. eastern time) at 888 First Street NE, Room 2A, 
Washington, DC 20426.
    27. From the Commission's Home Page on the internet, this 
information is available on eLibrary. The full text of this document is 
available on eLibrary in PDF and Microsoft Word format for viewing, 
printing, and/or downloading. To access this document in eLibrary, type 
the docket number excluding the last three digits of this document in 
the docket number field.
    28. User assistance is available for eLibrary and the Commission's 
website during normal business hours from the Commission's Online 
Support at (202) 502-6652 (toll free at 1-866-208-3676) or email at 
[email protected], or the Public Reference Room at (202) 502-
8371, TTY (202) 502-8659. Email the Public Reference Room at 
[email protected].

    By direction of the Commission.

    Issued: February 20, 2020.
Nathaniel J. Davis, Sr.,
Deputy Secretary.
[FR Doc. 2020-03928 Filed 2-26-20; 8:45 am]
 BILLING CODE 6717-01-P