Danielle Jablanski is an OT cybersecurity strategist at Nozomi Networks.
According to the 2021 ERO Reliability Risk report from the North American Electric Reliability Corporation, or NERC, electric power stakeholders listed the changing energy resource mix in the U.S. and cybersecurity as the most critical risks to their businesses and operations. The recently released U.S. Cybersecurity Strategy emphasizes the need to embrace security and resilience by design throughout, specifically highlighting the urgent requirement to secure our clean energy future. Unfortunately, the document does not directly outline a desire to shape market forces to drive security and resilience for the development and interconnection of distributed energy resources.
DER technologies include solar, wind, combined heat and power, microgrids, energy storage, microturbines and diesel generators. Energy efficiency, demand response and electric vehicles (EVx) are also sometimes considered DERs. EV charging can both consume and generate power. Whereas DERs can sometimes be likened to existing IoT platforms and use-cases, inverter-based DER (solar, wind and battery storage) are increasingly directly connected to transmission and distribution systems on the electric grid.
The energy transition is moving away from centralized generation and command and control to a new model of decentralization. It could take decades to truly benefit from more secure by design hardware and software systems from original equipment manufacturers in control systems and medical devices arenas. However, strategic imperatives for today’s DER ecosystem — vendors, operators, integrators and utilities — could introduce a more secure and resilient grid tomorrow.
Responsibility for more secure infrastructure
The push for a clean energy future is two-fold, partly to reduce carbon emissions and partly to build redundancy for the load and demand on our bulk power systems. According to NERC, the mix is “transforming from large, remotely-located coal-fired and nuclear power plants, towards natural gas-fired, renewable, and distributed energy resources … [introducing] micro- and smart-grids, demand response technologies as well as an increasing reliance on just-in-time delivery of natural gas to fuel new generating capacity.”
The changing resource mix comes with a highly fragmented manufacturing ecosystem, and potential high consequence cyber events potentially impacting the bulk power system. Despite the infrastructure bill’s $65 billion projected for investment in renewable energy, there is no clear indication of who is responsible for securing the energy transformation by design. There are no specific cybersecurity requirements for the connectivity of DER. Further, there are no clear standards or mandates to incentivize the procurement of more secure by design technologies if developers and manufacturers are left to pursue the cause in good faith.
Paul Stockton recently underscored in his Congressional testimony for the U.S. House of Representatives Subcommittee on Oversight and Investigations, “the very measures we take to enhance the reliability of an IBR-heavy grid may inadvertently jeopardize the grid’s cyber resilience.” As Stockton describes, inverter-based systems, which can trip offline or reduce output in response to changes in grid frequency, provide a new attack surface and have the potential to impact the bulk power system due to “systemic deficiencies.”
While many entities have a stake in the cybersecurity of DER technologies (NERC, NIST, IEC, DOE, CISA, etc.), there are no current cybersecurity requirements for vendors or asset owners. The IEEE DER communications standard 1547, last updated in 2018, decidedly states that cybersecurity is out of scope, though the National Renewable Energy Laboratory, or NREL, is working on optional recommendations. Instead, it reminds stakeholders that security requirements are based on “mutual agreements specific to deployments and subject to regulatory restrictions of the corresponding jurisdiction.”
Potential for cyber manipulation and sabotage
Today, the penetration of both inverter-based and non-inverter-based DER technologies is minimal, with solar technologies being the most prevalent. In 2022, there were approximately 90 gigawatts of installed DER in the U.S, projected to reach ~380 gigawatts by 2025. As researchers have previously articulated, some devices are easier than others to control at scale. More recently, the industry has contemplated the impacts of corrupting, destroying or hijacking public and home EV charging stations to degrade or invade electricity networks.
The NERC 2023 State of Reliability Report outlines five main concerns:
- The need for standards to provide oversight for connected and distributed DER technologies
- The need for DER integration planning to be incorporated into broader cyber-informed engineering plans and strategies
- Supply chain risks are exacerbated with increased DER, and a more diversified future grid does not dispel supply chain security concerns
- Though no cyber incidents have caused grid disturbances, there were 8 CIP-008-06 reported incidents in 2022
- The most common issue seen by NERC in 2022 continues to be the exploitation of known common vulnerabilities and exposures in vendor systems
It is worth noting that utilities do have a robust and defined application and review process for interconnection, despite the absence of mandated cybersecurity considerations. Yet still, a number of legitimate ways to target and compromise DER technologies could produce scenarios with the potential to disrupt localized power generation or distribution. While the increased attack surface may lead to more access vectors across the grid, it could likewise yield more redundancy than our current reliance on a small number of critical bulk systems.
The most overwhelmingly agreed upon risk by all stakeholders remains the potential compromise of utility-connected systems. NREL articulates additional cybersecurity concerns mainly focused on the heavy reliance of DER on ubiquitous, bi-directional communications for remote control and monitoring, sometimes leveraging internet connectivity. Their 2019 overview document on DER also describes how some DER metering technologies can be manipulated to impact pricing of energy for customers and consumers.
It is the dawn of the prosumer era. Prosumers are individuals, homes or businesses that both consume energy and produce it, providing surpluses back to connected distribution networks. One challenge for governing the future of the secure clean energy transformation is an economic one. There needs to be a way to incentivize more secure technology development that does not stifle the innovation of the DER start up communities, and also does not limit DER development to market monopolies.
There is a strategic opportunity to proactively secure the energy transformation as it unfolds. Similar to recent efforts like the Cybersecurity and Infrastructure Security Agency Cyber Trust Mark and recent Food and Drug Administration cybersecurity requirements for medical device manufacturers, DER development and deployment will require cybersecurity standards that are not bolted on in five to ten years. The scrutiny for testing cannot be isolated to government labs, but instead should be consistently applied to those who develop, own and operate these technologies as a shared mission in securing precious and life altering resources.
Some organizations like the Sunspec Alliance, the Center for Internet Security and UL Solutions have been developing cybersecurity standards and specifications for internet of things and DER devices. This fragmented ownership of standard and guidance is directly in conflict with the U.S. national cybersecurity strategy’s goal to harmonize and streamline new and existing regulations. The administration would be hard pressed to find another sector more in need of gap analysis to drive better cybersecurity requirements than the distributed energy future.
Without a secure by design emphasis on the full ecosystem of emerging DER and clean energy technologies, there exists a future in which the mixed and distributed energy grid is just as, if not more, at risk for cyber manipulation than it is today. As the NREL report stipulated in 2019, “having uniform standards and enforcing them for vendors before connecting devices, rather than lowering requirements according to current vendor capabilities, is critical for minimizing cybersecurity risk.”