Increased use of cloud computing could boost cyber risks: MISO stakeholders

Energy industry officials in the Midcontinent Independent System Operator region are hesitant to increase the use of cloud computing in the sector because they are uncomfortable with cybersecurity risks the technology poses, stakeholders told the MISO board of directors Sept. 15.

While other industries, such as finance and healthcare, are increasingly using cloud technology, the energy industry may need to have a higher bar for security because so many other sectors rely on electricity to continue functioning, stakeholders said during a meeting of MISO's Advisory Committee.

An electricity outage could knock out the cloud itself, noted Phyllis Currie, chairman of the MISO board. "When there is some massive outage, everything goes down. Maybe we as an industry have an obligation to be even stricter than others," she said.

FERC action

The Federal Energy Regulatory Commission has directed the North American Electric Reliability Corporation to submit an informational filing that considers the feasibility of modifying its critical infrastructure protection reliability standards to facilitate increased use of cloud computing.

NERC supports the use of cloud computing for data storage, and some entities already use it this way, according to the FERC order. But FERC asked NERC to weigh the use of virtualization and cloud computing beyond data storage, for example, to perform bulk electric system reliability operating services.

The informational filing (RM20-8) is due to FERC Jan. 1, 2022.

MISO stakeholders are weighing in on the issue. Securing the cloud for such uses could increase costs, and mergers and acquisitions of cloud ventures could increase risks, said Nelson Brandao from Manitoba Hydro. And if the entire energy industry relies on a single vendor, an attack on a cloud provider could have far-reaching effects, he said.

Industry concerns

Brandao said his company would hesitate to use the cloud for its industrial control systems at this time. And for Manitoba Hydro, the BES systems would likely always remain on-premises, he said.

While other sectors like the health care and financial industries are increasingly relying on cloud computing, they are also experiencing major breaches, noted Megan Wisersky from Madison Gas and Electric. Speaking for herself, not her company, Wisersky said she would tell those sectors, "Yeah, you are promoting cloud technology, but you are also getting hacked out the wazoo."

The stakes are different for the electric sector, Nelson noted. Financial and health care sector breaches may lead to a loss of data, but losing electricity in the middle of the winter when the temperature is thirty below zero is a loss-of-life situation, he said.

Stacie Hebert from Otter Tail Power said that transmission owners have similar concerns. The risks of the technology at this point outweigh the advantages, she said, noting that there is a residual risk for cloud computing that does not exist for on-site computing.

In August, NERC issued a report on the state of reliability of the bulk power system in 2020. NERC noted that there were increasing cyber threats to the supply chain that culminated with the disclosure of a complicated supply chain attack that used SolarWinds' Orion software and Microsoft's Azure cloud environment.

While there was no loss of load in North America from SolarWinds or any other cybersecurity incident, the industry must remain vigilant, NERC said.

NERC noted that the number of cybersecurity events reported to NERC's Electricity Information Sharing and Analysis Center jumped 96% in 2020 compared to 2019. The coronavirus pandemic increased telework and opportunities for a cyberattack, NERC said. The increase in voluntary reporting is encouraging, but must continue as threats increase, NERC said.