As cyber risks rise with increasing deployment of distributed energy resources, the government and industry are defining the steps needed to ensure cybersecurity.
The U.S. Department of Energy (DOE) is working with four national laboratories and industry participants to propose cybersecurity requirements for distributed energy resources, said Guohui Yuan, a program manager with DOE’s Solar Energy Technologies Office, on a webinar. The requirements could involve standards, best practices, and procedures for testing and analysis.
The DOE initiative, which also encompasses cybersecurity for large-scale solar, is known as “Securing Solar for the Grid.” A DOE report on the topic calls for the distributed energy resource (DER) industry to engage in such discussions.
As deployment of rooftop solar, batteries and other DERs increases, the potential damage from a cyberattack on DERs also increases, says DOE’s report. DERs now total 90 GW of capacity in the U.S., and are expected to grow to 380 GW by 2025, the report said.
Past cyberattacks on renewable generation indicate the risk of attacks on DERs, said Meg Egan, a control systems cybersecurity analyst with the Idaho National Laboratory, on the webinar. Three nations are capable of cyberattacks, as are criminal groups, she said, noting 10 cyberattacks on large-scale renewable generators or renewables firms since 2019 worldwide.
In two potential scenarios of a cyber attack, an attacker could use ransomware to take control of multiple DERs, or could use a supply chain attack on an aggregator, or on another party that sends directions or updates to DERs, to influence the operation of the DERs.
In two other scenarios, a “botnet” could infect enough DERs with malware to enable the attacker to create unanticipated power swings on the grid, or a “worm” could spread from one DER to a higher-level distributed energy resource management (DERM) system, which could then send a false command to many DERs and instigate power instability.
To be resilient against attacks, DER systems “should be designed, built and operated by means of an enforced zero-trust model,” where data and commands are validated “using cryptographically secure mechanisms informed by standards, testing and vulnerability assessment,” said the DOE report. A key step toward that goal, the report said, is to publish and implement DER cybersecurity guidelines being developed as IEEE Standard 1547.3, once that standard is finalized.
DERs are increasingly participating in stabilizing regional grids and ensuring reliability, said the DOE report. This role of DERs is the result of both the smart inverter standard known as IEEE 1547-2018, and the Federal Energy Regulatory Commission (FERC) Order 2222 that opens wholesale markets to aggregated DERs. Yet the two-way capabilities that enable DERs to help support the grid also open opportunities for cyberattacks, the report said.
Guohui Yuan of DOE said that both states and FERC will have a role in adopting DER cybersecurity standards.
The DOE report is titled “Cybersecurity considerations for distributed energy resources on the U.S. electric grid.” DOE said it would post the webinar slides on the report’s landing page.