UL and NREL released a report on cybersecurity certification recommendations and are actively developing requirements to create cybersecurity certification standards.
UL, a global safety science leader, released a report, co-authored with the US Department of Energy’s (DOE) National Renewable Energy Laboratory (NREL), titled “Cybersecurity Certification Recommendations for Interconnected Grid Edge Devices and Inverter Based Resources.”
Cyber threats have become commonplace. For example, just two weeks ago thousands of internet users in Europe lost service when a satellite operator experienced a “cyber event”. The same attack also knocked nearly 6,000 wind turbines offline in Germany and Central Europe, with a combined output of 11GW. The growth in grid edge distributed energy resources (DER) offers a potential new target for cyberattacks, hence the need for certification testing procedure that identifies gaps in DER cybersecurity functionality and mandates secure features at the device, network, and system level.
Distributed energy resources include any grid-connected energy storage and generation technologies and their associated flexible loads such as solar, battery storage, wind turbines, and fuel cells, among other resources essential to grid operations. The cyber-threat increases when the resources have communication capabilities.
The certification testing procedure can potentially be used in a US industry standard to help manufacturers develop effective approaches to cybersecurity and to help in the development of third-party conformity assessment programs for cybersecurity testing and certification. While standards are not yet in place, this report includes recommendations.
In the meantime, the report acknowledges that “utilities, aggregators, and equipment manufacturers could consider implementing and testing against appropriate elements of existing cybersecurity standards and guidelines as they become available. As a start, they could align their cyber defenses to NIST’s Framework for Improving Critical Infrastructure Cybersecurity.”
Currently, there are no cybersecurity certification requirements to which manufacturers and vendors can certify their DER and IBR devices against an established and widely adopted cybersecurity certification program. The development of these new cybersecurity certification requirements will provide a single unified approach that can be taken as a reference for performing the testing and certification of DERs before being deployed and while in the field, said Kenneth Boyce, senior director for Principal Engineering, Industrial, group at UL.
With support from DOE’s Solar Energy Technologies Office, UL will continue working with NREL on developing requirements to support cybersecurity certification standards for DERs and IBRs. NREL and UL are currently working on an Outline of Investigation for a standard that will apply to energy storage and generation technologies on the distribution grid, including inverters, EV chargers, wind turbines, fuel cells, and other resources essential to advancing grid operations.
The new requirements will prioritize cybersecurity enhancements for power systems dealing with high penetration inverter-based resources, including those interfacing with bulk power systems for periods of instantaneous high wind, solar and hybrid/storage generation. It will also help ensure cybersecurity is designed into new IBR and DER systems.
“UL supports the development of a cybersecurity certification program because, not only will robust cybersecurity be introduced to the electric grid, but it will also help to ensure the concept of security by design is being followed for new DER systems,” said Danish Saleem, senior researcher for energy cyber-physical system security at NREL.
The North American Electric Reliability Corporation (NERC)’s Critical Infrastructure Protection (CIP) standards now include cybersecurity requirements with hefty consequences for violations, but having cybersecurity standards and certification will enable corporate security specialists to implement best practices to prevent violations in the first place.
(Read “Key cybersecurity considerations for renewable energy plant operators in 2022“)
