Online tools and technology can increase the efficiency and effectiveness of many utility tasks, but when it comes to operating the electric grid, cooperatives believe flexibility to use either physical hardware or cloud computing services is a must for prioritizing cybersecurity.
That's the message NRECA sent the Federal Energy Regulatory Commission, which is studying whether to specifically permit the use of virtualization and cloud computing services to comply with Critical Infrastructure Protection Reliability Standards. These standards are developed and enforced by the North American Electric Reliability Corp., the commission's grid watchdog.
“We received feedback from cooperatives explaining that many of them and other utilities are using virtualization today in secure and cost-effective ways. However, while cloud computing services can be useful today for some data storage needs, cooperatives are not yet ready to use the cloud for any real-time operational needs,” said Barry Lawson, NRECA senior director, regulatory affairs.
“Cooperatives support NERC standards permitting the use of virtualization and cloud computing services as long as the standards can also be complied with using methods other than virtualization and the cloud.”
Virtualization refers to software-based applications, servers, data storage and networks that can help reduce the cost of IT services, while cloud computing serves as the infrastructure based on shared software and hardware.
Co-ops say that while proper training, network security, authentication security and controls can mitigate risk, relying on more internet and third-party services can require multiple links and agreements to ensure reliability, which can drive up costs and create new vulnerabilities.
NRECA outlined the benefits and risks identified by co-ops in July 1 comments to FERC. Benefits include faster disaster recovery, as a virtualized server can be created much more quickly than a new physical server can be procured. Plus, virtualized servers can be significantly less expensive than their hardware counterparts.
Yet the increased resources or infrastructure shared across internet service providers may provide additional paths for a cyberattack. Also, a cloud-based provider would be entrusted with maintenance and cybersecurity upkeep, and that means less control for co-ops to mitigate operational issues.
FERC is also interested in learning of any barriers to voluntary adoption of virtualization or cloud computing services for the bulk electric system. The commission has not specified when it might act on the comments.