The U.S. Department of Energy (DOE) released a long-term evaluation of the cybersecurity considerations associated with distributed energy resources (DER), such as distributed solar, storage and other clean energy technologies, and the potential risks to the electric grid over the next ten years. The study finds that while a cyberattack on today’s DER systems would have a negligible impact on grid reliability depending on grid conditions and regional DER installation and integration, the projected growth and evolution in DER deployment could pose cybersecurity challenges for future electric power grid operations if cybersecurity is not taken into consideration. The report presents strategies that DER operators and electric power entities could undertake to make the grid more secure, as well as policy recommendations for decision-makers.
“We have a strategic opportunity like we’ve never had before,” said Puesh Kumar, director of DOE’s Office of Cybersecurity, Energy Security and Emergency Response (CESER). “We can address both climate risks by deploying clean energy solutions and integrate cybersecurity into those systems from the ground-up. This is good for U.S. energy security and U.S. national security. This report is meant to start these critical conversations between the clean energy and cybersecurity communities, particularly as we begin to make historic investments in the U.S. electric grid through the Infrastructure Investment and Jobs Act (IIJA).”
“To scale up clean energy deployment, we must ensure that our electricity systems are secure and resilient to disruption,” said Alejandro Moreno, Acting Assistant Secretary for Energy Efficiency and Renewable Energy (EERE). “This crucial report lays out key cybersecurity challenges associated with wide-scale distributed energy deployment so clean energy industries and other stakeholders can work to reduce risks and protect American families.”
DOE has maintained the importance of ensuring power grid cybersecurity while achieving critical decarbonization goals essential to addressing climate change. DOE’s goal is to ensure that cybersecurity is fully engineered from ideation to deployment in relevant clean energy research, development and deployment efforts. This “cyber by design” strategy leverages opportunities early in the design lifecycle to proactively reduce cyber risk rather than attempt expensive aftermarket bolt-on efforts.
Large energy resources, like a utility-scale wind or solar plant, are connected to the transmission grid, while DER are smaller in scale and are connected to the distribution grid where residences and businesses are also connected. There are about 90 GW of DER installed today, half of which are rooftop solar systems — accounting for over 3 million systems. DER deployment is expected to quadruple by 2025 to approximately 380 GW. Each of those systems uses software and networks to integrate with electric power operations, and those systems could be hacked. Depending on systems conditions, a fleet of DER aggregated to significant size could pose a reliability challenge if under the control of an advanced, capable attacker and if cybersecurity considerations and threat mitigation strategies are ignored.
The Cybersecurity Considerations for Distributed Energy Resources on the U.S. Electric Grid report, developed by CESER and EERE, provides recommendations for the DER industry, energy sector and government to take action and secure current and future systems. The report also acknowledges the ongoing need to engage with DER industry stakeholders to develop cybersecurity standards and best practices, provide education and training and establish information sharing mechanisms. Broad industry involvement is key to developing robust DER cybersecurity standards. As outlined in the report, DOE also intends to fund research on next-generation DER defenses, including security-by-design and the recently released Cyber-Informed Engineering Strategy, to ensure security in a decarbonized grid.
Deployment of wind, solar and energy storage will help to achieve the nation’s clean energy goals, diversify the electricity supply and make the grid more resilient to outages, making investment in security for DER essential to safeguarding the nation’s energy infrastructure.
The study’s key recommendations include:
- Adopt best practices and meet minimum security requirements. DER providers can utilize multifactor authentication encryption, and other tools to secure their devices. Many cybersecurity standards exist and can be used to develop security technologies and measures appropriate for their use.
- Implement good governance. Design security into utility and DER systems from the beginning and make security a priority for all employees, suppliers, and customers.
- Incentivize cyber resilience. Go beyond the standards and work to actively detect threats and adopt a zero-trust approach to verify commands and data.
- Investment in clean energy technology needed to address climate change presents a massive opportunity to both innovate and secure our national grid simultaneously. Not only can we build new technologies that will produce power cleaner and cheaper, we can also have physical and cyber security built into the design from the start. DOE’s work on cyber-informed engineering and the Clean Energy Cyber Accelerator are meant to seize that opportunity and address considerations mentioned in this report.
To learn more about DOE’s recommendations, read the report.
News item from DOE
“This “cyber by design” strategy leverages opportunities early in the design lifecycle to proactively reduce cyber risk rather than attempt expensive aftermarket bolt-on efforts.”
The DOE is proffering safety by pronouncing “from the ground up” inclusion of proactive cyber security. This claim of “…aftermarket bolt on efforts”, is disingenuous and smacks of ignorance. Technology is still changing at a fast pace, designing in security today will be abrogated by technology tomorrow. Look at electronics firm Huawei, the NIC chips in the bulk of its devices have been called out as a (possible) security risk. It seems there is a third data stream in the NIC chips that could be used to do an end run around encryption. Huawei has balked at explaining what this data stream is for.
In the industrial controls sector, there is a “concept” that is decades old. The concept is where does one want to put the overhead? At the controller site or at the SCADA headquarters? Basically when one uses Occam’s razor having the local process controller holding the [sensors and control programming] in what one would call “local emergency mode” has allowed a system to continue functioning without communications from the “control center” or communications network.