- UL Solutions, which provides testing, inspection and certification services across a range of industries, has published the basis for a cybersecurity standard for distributed energy resources, or DERs. The “outline of investigation” was developed in partnership with the National Renewable Energy Laboratory, known as NREL, and the U.S. Department of Energy’s Solar Energy Technologies Office.
- The standard includes requirements for access control, user authentication and cryptography for inverter-based resources and equipment including monitoring and controller devices.
- A cybersecurity standard for DERs is a part of the secure by design approach to the modern, distributed grid, said Kenneth Boyce, senior director for principal engineering in UL’s industrial group. The standard “gives you a level of confidence that there is a level of rigor associated with its cybersecurity posture,” he said.
The outline of investigation reflects certification requirements and will be converted into standard UL 2941 once it has been reviewed by the company’s standard technical panel. The requirements are rooted in research NREL and UL completed in 2021, developing DER security recommendations.
“The publication marks a milestone toward securing the distributed-generation industry,” NREL said in a statement.
The increasingly distributed and interconnected nature of the grid “really extends the attack surface for cyber attacks,” Boyce said in an interview. The new standard will include a series of requirements for evaluations of DER equipment.
“And that's really important for the people integrating these assets now,” Boyce said. “It could be an electric utility or a large-scale energy project owner. But they can now start to say ‘we want equipment that complies with these requirements as a baseline.’”
Equipment manufacturers, asset owners, regulators and the federal government “now have an established baseline for strengthening the security of their devices, such as network-connected [inverter-based resources], monitoring devices and parts of IBR systems that provide software-based and firmware-based controls,” Danish Saleem, senior energy systems cybersecurity engineer at NREL, said in a statement.
UL and NREL are using the outline of investigation to test devices in NREL’s research environment, and NREL will continue to support development of the standard by soliciting formal industry feedback on the listed requirements, developing test procedures and performing beta testing of devices, Saleem said.
UL has seen “a lot of interest from electric utilities” in the development of a standard, said Boyce. “They’re paying attention.”
“There are thousands of utilities that all have their own resources and their own operating models and geographic threats. But this is a really powerful tool,” he said. Adopting a cybersecurity standard for DERs is a “proactive” move the electric sector can take “to give them an extra level of competence that there isn't a very wide-open backdoor in the equipment.”