I have been writing for years about the fact that NERC entities with high and/or medium impact BES systems cannot implement those systems in the cloud while remaining compliant with the NERC CIP standards, or utilize those systems if already located there (e.g., as SaaS). The most immediate manifestation of this problem is that cloud based security services (e.g. SecureWorks) that meet the definition of Electronic Access Control or Monitoring System (EACMS) or Physical Access Control System (PACS) are currently unavailable to the NERC entities that need them most.
However, there is another cloud CIP problem which is rapidly growing in importance; this has to do with the fact that medium and high impact Control Centers - which consist of medium or high impact BES Cyber Systems (BCS) - also cannot be located or used in the cloud. If you work for an electric utility now, this statement may seem odd to you, since you probably realize that many systems found in a normal utility Control Center, e.g. serial I/O with substations and satellite-synchronized clocks, would be quite hard to replicate in the cloud. Why is it a problem that a full Control Center can’t be located in the cloud?
By far the fastest growing type of Control Center is generation Control Centers for renewable power plants (primarily wind and solar farms); these can be easily located in the cloud, since they don’t have the real-time dependencies that utility (or fossil generation) Control Centers have. In fact, since most renewable energy producers “grew up” in the cloud era, they are already quite comfortable with utilizing cloud-based systems, including for their Control Center. I don’t have any statistics on this, but I know there are already some low impact renewable energy Control Centers located in the cloud, due mainly to the cost savings that can be realized by doing that.
But here’s the problem: When a renewables Control Center passes 1500 MW under control (and that isn’t hard. In fact, the highest-output wind farm in the US is 1548 MW, while the highest-output solar farm is 1,300 MW. String together a small number of 3-500 MW farms and you quickly have 1500 MW), it becomes medium impact. The Control Center then needs to comply with all applicable CIP requirements at the medium impact level (you can get an idea of the relative burdens of low and medium impact CIP compliance by considering NERC’s Evidence Request Tool version 10. It requires fewer than thirty types of compliance evidence for low impact systems vs. over 300 types for medium impact systems).
What will happen when a low impact renewables Control Center, currently implemented in the cloud, surpasses 1500 MW under control? Will its operator be forced to bite the bullet and build out an onsite control room, along with all the equipment needed for it? In theory they will, even though the disruption this causes may well have a negative impact on grid reliability. In practice, at least some NERC Regional Entities are likely to bend over backwards to allow the Control Center to remain in the cloud, but regularly bending the rules for one group of entities isn’t fair to other entities that don’t get the same treatment, even though their circumstances are different.
You may wonder about the Standards Drafting Team that’s supposed to be addressing all aspects of the Cloud CIP problem. Their original Standards Authorization Request (SAR) was approved by the NERC Standards Committee in December 2023; the team has been hard at work since about July 2024. Are they close to having this problem solved? Unfortunately not. Moreover, I don’t know when that situation will change – except perhaps for the worse.
Ironically, I realized last December that completely fixing the Cloud CIP problem will require just about eight simple changes to the CIP standards and definitions. These changes could be drafted and approved very quickly. If there’s an early implementation provision, at least some NERC entities could be utilizing cloud-based medium impact Control Centers sometime next year. However, I see little chance that this proposal will be taken seriously anytime soon.
It may be that NERC will need to come up with some ad hoc temporary “fix” to this problem, which will allow renewables Control Centers to remain in the cloud at the low impact level, even after they have grown past 1500 MW under control. This isn’t a great solution, but it may be the best available currently. It certainly won’t be the first thing a CIP problem has been “solved” in this way.
Tom Alrich’s Blog, too is a reader-supported publication. You can view new posts for two months after they come out by becoming a free subscriber. You can also access all my 1300 existing posts dating back to 2013, as well as support my work, by becoming a paid subscriber for $30 for one year (and if you feel so inclined, you can donate more than that or become a founding subscriber for $100). Whichever option you choose, please subscribe.
If you would like to comment on what you have read here, I would love to hear from you. Please comment in my chat or email me at [email protected].