Contributed by Guohui Yuan, Systems Integration Program Manager, U.S. Department of Energy Solar Energy Technologies Office
Solar generation could provide nearly half of the nation’s electricity supply by 2050. Those solar power plants, including the power electronic devices that communicate with utility control and automation systems, could pose significant cybersecurity challenges to power system operation. It’s time that the solar industry becomes fully integrated in the cybersecurity planning and incident response processes of the power sector. To enable that integration, the U.S. Department of Energy is working to increase cyber resilience of solar technologies through research and development (R&D) and by establishing standards and best practices, but the solar industry must also increase its cybersecurity awareness and maturity.
Cybersecurity is a top priority
Unlike enterprise information technology (IT) systems, the electric power grid is a cyber-physical system that is governed by laws of physics. Generation, transmission, and distribution equipment are operation technologies (OT) that control the power flows on the grid. Any changes in system operation resulting from intentional manipulation through IT and communication networks, like cyberattacks, can cause OT equipment damage and/or safety and health hazards. Sophisticated attackers may have the ability to manipulate groups of physical equipment, creating abnormal power flow in a large area and causing regional instabilities and major disruptions.
Utility companies and bulk power system operators have made cybersecurity one of their top priorities. Today, large-scale solar photovoltaic (PV) systems must meet the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection standards before they can operate. However, smaller PV systems and other distributed energy resources (DERs) – their numbers are in the millions today and increasing rapidly – are not currently required to follow cybersecurity standards.
DER devices, such as PV inverters, communicate directly with a utility’s control system or indirectly through DER aggregators. Usually, monitoring and control messages are routed through the open internet. Remote access to DER devices from cloud-based servers is also permitted. While this provides convenience for equipment maintenance and troubleshooting, it increases vulnerabilities in the power system. In many cases, solar PV equipment is designed and built outside the United States or uses commercial off-the-shelf components that are manufactured globally. The management of supply chain cybersecurity is a major challenge.
Join us on Feb. 6, 2023 in San Diego for the inaugural GridTECH Connect Forum, the only event that brings together utility leaders and distributed energy resource developers to overcome the challenges associated with interconnection. Learn more about the new, regional event from Clarion Energy today.
Join us for discussions on virtual power plants, fleet electrification, interconnection, demand response, and more, with a focus on the California market. Register today!
Taking an integrated approach
The U.S. Department of Energy has been supporting cyber resilience R&D for solar technologies for many years. These efforts include improving cybersecurity defenses and resilience, mitigating vulnerabilities, developing next-generation cyber resilient technologies, improving situational awareness, enhancing solar technology cybersecurity maturity, and identifying opportunities for solar stakeholder participation in cyber incident response.
We have taken an integrated and collaborative approach in these efforts, building on the National Institute of Standards and Technology’s cybersecurity framework, and leverages DOE’s Cybersecurity Capability Maturity Model. First, we partnered with Sandia National Laboratories (SNL) to develop the “Cybersecurity Primer for DER Vendors, Aggregators, and Grid Operators” and “Roadmap for Photovoltaic Cyber Security” reports. We then launched several funding programs to support the development of technologies, standards, and risk assessment tools to identify, detect, protect, respond, and recover from a cyberattack – specifically focusing on solar and DER technologies.
One successful project, “Proactive Intrusion Detection and Mitigation System,” won a R&D100 award in 2022. This SNL-led team uses intrusion monitoring tools and machine-learning algorithms to identify abnormal correlations of cyber and physical events that happen at the grid edge. Another DOE-funded project, “Firmware Command and Control,” uses advanced machine learning methods to baseline DER device firmware and detect unexplained changes. A suite of tools is used to analyze the structured threats and share the information with upstream grid security operations for awareness and mitigation actions. The project team is led by Idaho National Laboratory (INL) and National Renewable Energy Laboratory (NREL).
In our latest collaboration with the national labs, we are developing a comprehensive knowledge base and tools to address cybersecurity gaps in the solar industry—for equipment design, plant-level monitoring, and power system operation. These efforts have already resulted in the publication of the Institute of Electrical and Electronics Engineers (IEEE) 1547.3 draft guide and certification recommendations for Cybersecurity of Distributed Energy Resources, led by NREL and the Underwriter Laboratories. These tools support the annual collegiate CyberForce Competition, which this year features a simulated cyberattack on an up-and-coming electric vehicle manufacturer’s new solar installation. In addition, DOE’s solar office has also teamed up with National Association of State Energy Offices, National Association of Regulatory Utility Commissioners, and Solar Energy Industries Association to raise cybersecurity awareness and share best practices with decision-makers to ensure solar is one of the most secure fuels on the grid.
Subscribe today to the all-new Factor This! podcast from Renewable Energy World. This podcast is designed specifically for the solar industry and is available wherever you get your podcasts.
Keeping the future grid secure
To address the impacts of climate change, the U.S. electric grid must integrate large amounts of renewable generation such as solar and wind. These efforts will be accelerated with the recent passage of the Infrastructure Investment and Jobs Act and the Inflation Reduction Act. Further, electric customers will continue to adopt intelligent energy devices, including smart lighting and thermostats, that will be able to communicate with rooftop solar, electric vehicles, and more. These efforts are critical to combat climate change and provide resilience before, during, and after major events. However, as the U.S. electric grid undergoes these changes, it is important to ensure that cybersecurity is incorporated into new devices, systems, and infrastructure and that “security by design” is a core component of these systems.
In a recently published report, “Cybersecurity Considerations for Distributed Energy Resources on the U.S. Electric Grid”, DOE provides an overview of cybersecurity challenges that should be considered by the electric sector, including utilities and distributed energy resource (DER) operators, providers, integrators, developers, and vendors (collectively, “DER industry”), as well as policymakers as we embark on this transformational change to the U.S. electric grid. While this report is not meant to be a comprehensive review of cybersecurity considerations in the DER industry, it encourages a deeper conversation between DER industry, federal and local government, and other stakeholders. We want to hear your voice!
