Distributed resources like solar and batteries open growing pathway to cyberattacks: DOE

Dive Brief:

Distributed energy resources, or DERs, “pose emerging cybersecurity challenges to the electric grid” and they should be designed with security as a “core component,” the U.S. Department of Energy concluded in an Oct. 6 report.
An attack on distributed solar or battery storage resources would have “negligible impact” on grid reliability today, DOE said, but the capacity of DERs on the electric system is expected to quadruple by 2025 and the agency warned that each of those systems could be hacked.
The Federal Energy Regulatory Commission has been considering developing new cybersecurity rules for DERs on the bulk electric system, but experts say safeguarding the grid will require exceeding any baseline standards.

Dive Insight:

DOE officials say designing security into the growing fleet of DERs is a “strategic opportunity like we’ve never had before.”

“We can address both climate risks by deploying clean energy solutions and integrate cybersecurity into those systems from the ground-up,” Puesh Kumar, director of DOE’s Office of Cybersecurity, Energy Security, and Emergency Response, said in a statement.

DOE’s report is meant to start “critical conversations” between the clean energy sector and the cybersecurity community, Kumar said.

The report concludes future DER systems “must be designed, built and operated in an enforced zero-trust model where data are validated using cryptographically secure mechanisms informed by standards, testing, and vulnerability assessments.”

It also says broad industry involvement “is key to the development, approval, and implementation of robust DER cybersecurity standards, trust models and best practices that would raise the bar for foundational DER defenses.”

Whether and how critical infrastructure protection standards managed by the North American Electric Reliability Corp. could be modified to better protect DERs is an open question. FERC Chariman Richard Glick has said NERC’s prescriptive standards for broad categorizations of low-, medium- and high-impact facilities may not be the right approach.

The utility sector has been skeptical of the need for new or stronger CIP standards, while security vendors have favored stricter rules. Regardless, there is broad agreement that going beyond baseline energy security requirements is necessary to protect the grid.

”A cyberattack targeting distributed energy resources systems could have a massive impact,” Vaultree co-founder and Chief Operating Officer Tilo Weigandt said in an email. “Becoming proactive instead of reactive and exceeding current security standards is the key.”

While the grid reliability threat posed by DER vulnerabilities is low for now, DOE warned aggregated resources could scale up the threat.

“Depending on systems conditions, a fleet of DER aggregated to significant size could pose a reliability challenge if under the control of an advanced, capable attacker, and if cybersecurity considerations and threat mitigation strategies are ignored,” the agency said in a statement.

FERC issued Order 2222 in September 2020, ordering regional grid operators to enable DER aggregators to compete in wholesale markets. The commission is currently reviewing grid operator implementation plans.

The DER industry must partner with the energy sector and government over the next decade to address cybersecurity challenges, DOE concluded in its report.

“This means ensuring that new controls and software interfaces for these smart devices are cybersecure and standardized to mitigate emerging cyber risks,” the report said. “Securing DER also will require addressing the varying ways that DER operate, including their different controls and the fact that owner/operator entities do not have a defined role in securing the grid.”