Foundational Innovations for Secure Grid Data Exchange (SGDX)
Posted to GridBright in the Digital Utility Group
- Jan 27, 2021 5:15 pm GMT
- Jan 18, 2021 11:49 pm GMT
This item is part of the Special Issue - 2021-01 - State of the Industry.
Exchanging grid data securely, efficiently, and compliantly is undoubtedly a norm in the future utility industry. It is needed to operate an ever more dynamic, renewable-heavy grid safely. It is foundational to the expansion and animation of markets. And it is critical to the innovation the industry must embrace and leverage as the grid of the future is built.
GridBright, in the development of the Secure Grid Data Exchange (SGDX) named GRIDEON under a DOE ARPA-E grant, identified a set of core capabilities for efficient, compliant, and secure grid data exchanges. These foundational capabilities are cornerstones of secure grid data exchange as the grid future becomes the grid present.
Cloud computing is now well established as a core technology for this and future computing eras. Respected analysis predicts that up to 80% of organizations plan to migrate to the cloud by 2025.
Cloud adoption within the utility industry has historically been muted relative to other sectors. The drivers are security concerns, the direct implications of the financial regulatory framework for utilities (i.e., the capital versus expense issue), and the historical statutory definition of what a capital asset is versus what it might be in the future, particularly regarding digital assets.
However, there is a growing record of evidence that points to the fact that the traditional obstacles in the industry to cloud adoption are waning. Some of that evidence includes:
- FERC's Notice of Inquiry (NOI RM20-8-000) into Virtualization and Cloud Computing Services. It states that the Commission is seeking "comments on the benefits and risks associated with the use of virtualization and cloud computing services in association with the bulk electric system (BES), … it intends to use the record developed in this proceeding to … develop modifications to the CIP Reliability Standards to facilitate the voluntary adoption of virtualization and cloud computing services by registered entities." This NOI set the foundation for FERC's late 2020 order directing NERC to "begin a formal process to assess the feasibility of voluntarily conducting BES operations in the cloud securely…". Does anyone believe there will be a short line of volunteers? Not likely.
- The landmark state regulatory proceeding in which the Illinois Commerce Commission (ICC) recently published a proposed rulemaking (second notice order) for the regulatory accounting treatment of cloud-based solutions. In it, the ICC proposed to treat 80% of cloud service fees as a regulatory asset (meaning in the rate base)! Twenty percent would remain operating expenses. Although the final order was voted down in July 2020 by the ICC over cost concerns, the proceeding will undoubtedly serve as a foundation for other regulatory forums to address this pressing industry issue.
- Two recent (end of 2020) FERC rulemaking actions also impact and amplify cloud adoption. The first is the Cyber Incentives NOPR (RM21-3-000) Order, which proposes to set up incentive-based rate treatment for cybersecurity investments. Cybersecurity is, of course, a key concern in cloud adoption discussions, and this rulemaking at least provides incentives to seek and adopt solutions vs. "waiting and seeing." The second is Order 2222, which is aimed at animating DER participation in markets and will necessarily have a heavy cloud component, for the simple reason that new energy market players such as DERs have already embraced the cloud computing paradigm. The genie is out of the bottle, so to speak.
In these examples, key remaining and formidable obstacles to cloud adoption in utilities have started to erode in short order. Cloud may be used in more critical operational scenarios, and utilities can capitalize it. These developments are a start: they are not yet codified in law and regulation, but they do lay a path forward for the eventual adoption of cloud in the utility industry.
A best practice principle of compliance management, which originates from the seminal legislation of Dodd-Frank that was enacted in the wake of the financial crisis of 2008, is the process of "know your counterparty." Although aimed initially at financial transaction elements, the idea has more recently been appropriately applied to security and secure data exchange. Compliance management leaders have extended the idea to include knowing your counterparty continually—the idea that at appropriate intervals, counterparties to data exchanges need to be revalidated across all the elements that permitted them to exchange initially. People and circumstances change; your data exchange security management process should provide for these changes. We call this capability Active Classification. It is instantiated through authentication capabilities, End-to-End (E2E) encryption, intelligent compliance, monitoring and reporting, and active registration and background check processes and services. The operative element of realizing this capability is embedded in the word continually.
Data exchanges occur across various time domains, and thus providing the ability to apply GRIDEON capabilities across all time domains is the second precept. The underlying principles of security, nonrepudiation, legal compliance, etc., are relevant to all grid data exchanges regardless of what exchange time pattern is being employed—person-to-person (P2P), machine-to-person (M2P), and machine-to-machine (M2M).
However, different exchange patterns may require different technical approaches to effectively and efficiently implement the capabilities of SGDX. Accordingly, GRIDEON employs harmonized approaches, designs, and microservices designed to render the capabilities needed to ensure secure grid data exchanges appropriate to the time domain in which the exchange is completed. Such a diverse and multi-faceted approach lends itself well to the SaaS design and delivery models. It also ensures that new elements to provide those capabilities are cost-efficient and operationally efficient as the art and science of security and compliance advance.
Remediating presently instantiated integrations within the enterprise that require secure grid data exchange is an emerging and vital issue. Integrations, and processes that operate through them, that are insufficient to meet current and future security and compliance requirements are pervasive in utility IT and OT systems. Each of these integrations will require review, remediation, and in some cases refactoring to mitigate the present and future threats and risks of grid data exchange.
Effecting the required remediation may be complex. It is rising in urgency because of the considerations mentioned above: active classification and the need to support all data exchange time domains. An SGDX such as GRIDEON provides an alternative to this refactoring in some cases and a reference in those instances where a service-based instantiation is not possible for technical or operational reasons.
Sooner Than Later
The new industry norm of secure grid data exchange will likely come faster than many might expect. As the trends outlined indicate, there is a growing convergence of technology, regulation, and commercial pull, making this future obvious and timely.