A recent report prepared by the U.S. Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response and the Office of Energy Efficiency and Renewable Energy highlights the cybersecurity considerations to be taken into account for distributed energy resources (DER), such as solar, storage, and other clean energy technologies. The report also outlines the growing risks that will emerge at a grid level in the next decade.
With the proliferation of diffused and distributed clean energy resources, sites are being set up with a sense of urgency around the world. The ongoing conflict in Ukraine and the rising prices of fossil fuel products are pushing governments and other players to look at renewable energy as a short- and long-term solution to reduce reliance on costly and carbon-intensive fuels.
Without adequate security, such systems could serve as entry points for hackers or end up facilitating a cyberattack. It is therefore essential to secure these systems from origin, deployment, integration, use, and maintenance standpoints to minimize any risks to power grids or other assets or the reliability of the power supply.
Definition of Distributed Energy Resources
The report defines DERs as “small-scale power generation, flexible load, or storage technologies (typically from 1 kilowatt to 10,000 kilowatts) that can provide an alternative to, or an enhancement of, the traditional electric power system”. DERs can be located “on an electric utility’s distribution system, a subsystem of the utility’s distribution system, or behind a customer’s meter.” Because power generation models are changing, DERs can now be connected to the grid at various points, and it is pertinent to account for the threats they pose to the grid when planning operational resilience measures and the overall availability of the grid at all times.
Key trends mentioned by the report
- Cyber attackers are frequently evolving their tactics and techniques to attack information and operational technology (OT) systems.
- Supply chain attacks: securing supply chains will require methods of understanding various parameters related to their creation and sustenance, the development of standards to secure that supply, and assurances that suppliers, aggregators, and utilities are assigned the appropriate responsibility and accountability for securing their hardware and software. Supply chain standards are the main driver for assigning this responsibility and accountability.
- Contextualizing threat stratification: not all threats come with the same level of disruptive impact. Some involve high levels of sophistication and targeting while others may just create a low-level breach. However, the latter may create an opportunity for the former to breach the network.
- Increasing experimentation and exploitation of Operational Technology: Another industry trend is increased attacker experimentation and exploitation targeting OT systems. Improved tactics deployed in the traditional technology sphere could also be used to target DERs.
- Threats are already DER aware and ready: Advanced attackers are already capable and resourced for current power grid systems and are anticipated to add to their capability with DER understanding. There is a converging risk associated with sophisticated attacks on power grid systems and the expansion of the attack surface that DER requires. Understanding and addressing that risk is critical to establishing defense systems for the modern grid.
- Cybersecurity threats as a design consideration: The energy sector has seen an increase in the frequency and severity of cyberattacks that are largely independent of historical DER (distributed energy resources) deployment. It is cheaper and more effective to design cybersecurity measures early in the process rather than experience the consequences of inadequate security and fix things later.
- Implied trust and attacker ingenuity: all systems operate with a certain level of trust that enables collaboration and coordination for the execution of commands. If industrial systems can talk to one another, they trust each other to provide accurate information and commands. Attackers who have inserted themselves into this trust relationship can poison these systems, causing them to act counter to reliability and resilience requirements.
The main recommendations proposed by the report for improving distributed energy resources security include:
- Adopt best practices and standards, and comply with baseline (or minimum) security requirements at all times. Distributed Energy Resources providers can also rely on multifactor authentication, encryption practices, and security tools to secure their devices.
- Security standards are already in place and DERs can use these standards as benchmarks to improve their security practices
- Pay more attention to OT security and legacy security challenges that persist
- Deploy good governance measures. Bake security considerations into all utility and Distributed Energy Resources systems at the design stage itself so that security priorities are integrated into every aspect of operation across stakeholders
- Prioritize cyber resilience goals: minimize trust sharing while prioritizing approaches that go well beyond standards or compliance to harden security and minimize the scope for a breach
- Pay more attention to supply chains in terms of security
- Invest in cyber-informed engineering and practices that maximize cyber resilience
The report recommends the following resources for “development and harmonization for secure DER scenarios”:
- The North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection Standards
- The National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST 2018)
- The Cybersecurity and Infrastructure Security Agency’s Securing Industrial Control Systems: A Unified Initiative FY 2019–2021
- The draft IEEE Standard 1547.3 for Distributed Energy Resources cybersecurity interconnected with electric power systems
- If approved, an IEEE P2800 standard for securing IBR interconnected with transmission electric power systems
- NERC’s Reliability and Security Technical Committee working groups
- The Sandia/SunSpec Distributed Energy Resources cybersecurity working group
- The International Electrotechnical Commission’s (IEC) standards, especially the IEC 62351 standards for securing power system communications
- IEEE 2030 standards, especially the 2030.5 standards for smart energy profile application protocol
- NIST SP 800-82, Guide to Industrial Control Systems Security
- V2G – Bidirectional V2G SAE Suite 3778 (New SAE 3000 Series of V2G)
- NIST SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government
- The U.S. DOE Office of Scientific and Technical Information’s Cyber Security Primer for Distributed Energy Resources Vendors, Aggregators, and Grid Operators (SAND2017-13113)