Dive Brief:

• Advanced Energy Economy Institute (AEE Institute) has issued a new report focused on cybersecurity challenges on a distributed grid, identifying key hurdles and best practices the group says state and federal policy makers will need to address to ensure a secure power system.
• Among the recommendations is the development of a short list of "mandatory and standardized requirements" that could be implemented at little to no expense, and for cybersecurity to be embedded as part of standard security practices impacting manufacturers.
• The utility industry has stepped up its focus on cybersecurity in recent years as threats have become more sophisticated and persistent. This month, two new widespread cybersecurity vulnerabilities have been identified, with solar inverters in particular at possible risk.

Dive Insight:

Securing the electric grid is a complicated challenge that becomes even more difficult as more resources are connected and the system becomes increasingly reliant on flows of data. 

Lisa Frantzis, a senior vice president at Advanced Energy Economy, said the industry must prepare for "new vulnerabilities" as the grid evolves.

“As we transition to more advanced and intelligent technologies that improve our energy system and benefit customers, we must take into account and prepare for new vulnerabilities to the security of our nation’s energy infrastructure,” Frantzis said in a statement announcing the new report.

The paper focuses on several areas, including: cybersecurity threats to the economy and energy sector; best practices for a distributed, intelligent grid; cybersecurity policy and regulatory frameworks at the state and national level; and protective measures and protocols for grid operators.

According to the report, cybersecurity for grid-edge devices creates new challenges, in part due to their limited capabilities. Such devices are "high in number and limited in bandwidth, memory, and storage space," the report notes. "As a result, standard industry solutions for other technology areas such as malware protection, file integrity monitoring, firewalls, and whitelisting, have not been viable for edge devices." 

Network infrastructure has also had similar limitations, AEE added. Kenneth Lotterhos, managing director of energy at Navigant Consulting, said in a statement that recent events show that the level of cyber threats is "increasing and targeting a broader range of assets, including advanced distributed energy technologies and smart grid applications."

Specialized applications for edge devices and critical network infrastructure have been developed in the past, the report notes, "but they have not been widely adopted." While some of that has been related to cost and complexity, AEE Institute also says that until recently there has been a perception that the threat was relatively low.

That perception has changed significantly in recent years, and cybersecurity is now a major focus of the industry.

A 2015 attack on Ukraine resulted in widespread power outages, serving as a wakeup call. Last summer, cybersecurity firm Dragos issued a report concluding the malware used in that attack could be modified by developers to target the United States.

The newest vulnerabilities identified, possibly impacting solar inverters, are known as Spectre and Meltdown, and leverage processing techniques known as speculative execution and caching, in order to access data that should be off limits. 

One problem thus far, however, is that patches to address the vulnerability are significantly slowing down operating systems. The features Spectre and Meltdown attack were created to speed up computer processors, and plugging the leak has resulted in performance slowdowns of up to 30%.