Taking on solar’s cybersecurity challenges

File pic: Solar

Solar generation could provide nearly half of the United States of America's electricity supply by 2050. 

Those solar power plants, including the power electronic devices that communicate with utility control and automation systems, could pose significant cybersecurity challenges to power system operation. It’s time that the solar industry becomes fully integrated in the cybersecurity planning and incident response processes of the power sector.

To enable that integration, the U.S. Department of Energy is working to increase cyber resilience of solar technologies through research and development (R&D) and by establishing standards and best practices, but the solar industry must also increase its cybersecurity awareness and maturity.

Unlike enterprise information technology (IT) systems, the electric power grid is a cyber-physical system that is governed by laws of physics. Generation, transmission, and distribution equipment are operation technologies (OT) that control the power flows on the grid.

Any changes in system operation resulting from intentional manipulation through IT and communication networks, like cyberattacks, can cause OT equipment damage and/or safety and health hazards. Sophisticated attackers may have the ability to manipulate groups of physical equipment, creating abnormal power flow in a large area and causing regional instabilities and major disruptions.

Utility companies and bulk power system operators have made cybersecurity one of their top priorities. Today, large-scale solar photovoltaic (PV) systems must meet the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection standards before they can operate. However, smaller PV systems and other distributed energy resources (DERs) – their numbers are in the millions today and increasing rapidly – are not currently required to follow cybersecurity standards.

DER devices, such as PV inverters, communicate directly with a utility’s control system or indirectly through DER aggregators. Usually, monitoring and control messages are routed through the open internet. Remote access to DER devices from cloud-based servers is also permitted. While this provides convenience for equipment maintenance and troubleshooting, it increases vulnerabilities in the power system. In many cases, solar PV equipment is designed and built outside the United States or uses commercial off-the-shelf components that are manufactured globally. The management of supply chain cybersecurity is a major challenge.

The U.S. Department of Energy has been supporting cyber resilience R&D for solar technologies for many years. These efforts include improving cybersecurity defenses and resilience, mitigating vulnerabilities, developing next-generation cyber resilient technologies, improving situational awareness, enhancing solar technology cybersecurity maturity, and identifying opportunities for solar stakeholder participation in cyber incident response.

We have taken an integrated and collaborative approach in these efforts, building on the National Institute of Standards and Technology’s cybersecurity framework, and leverages DOE’s Cybersecurity Capability Maturity Model.  First, we partnered with Sandia National Laboratories (SNL) to develop the “Cybersecurity Primer for DER Vendors, Aggregators, and Grid Operators” and “Roadmap for Photovoltaic Cyber Security” reports. We then launched several funding programs to support the development of technologies, standards, and risk assessment tools to identify, detect, protect, respond, and recover from a cyberattack – specifically focusing on solar and DER technologies.

One successful project, “Proactive Intrusion Detection and Mitigation System,” won a R&D100 award in 2022. This SNL-led team uses intrusion monitoring tools and machine-learning algorithms to identify abnormal correlations of cyber and physical events that happen at the grid edge. Another DOE-funded project, “Firmware Command and Control,” uses advanced machine learning methods to baseline DER device firmware and detect unexplained changes. A suite of tools is used to analyze the structured threats and share the information with upstream grid security operations for awareness and mitigation actions. The project team is led by Idaho National Laboratory (INL) and National Renewable Energy Laboratory (NREL).

In our latest collaboration with the national labs, we are developing a comprehensive knowledge base and tools to address cybersecurity gaps in the solar industry—for equipment design, plant-level monitoring, and power system operation. These efforts have already resulted in the publication of the Institute of Electrical and Electronics Engineers (IEEE) 1547.3 draft guide and certification recommendations for Cybersecurity of Distributed Energy Resources, led by NREL and the Underwriter Laboratories. These tools support the annual collegiate CyberForce Competition, which this year features a simulated cyberattack on an up-and-coming electric vehicle manufacturer’s new solar installation. In addition, DOE’s solar office has also teamed up with National Association of State Energy Offices, National Association of Regulatory Utility Commissioners, and Solar Energy Industries Association to raise cybersecurity awareness and share best practices with decision-makers to ensure solar is one of the most secure fuels on the grid.

To address the impacts of climate change, the U.S. electric grid must integrate large amounts of renewable generation such as solar and wind. These efforts will be accelerated with the recent passage of the Infrastructure Investment and Jobs Act and the Inflation Reduction Act. Further, electric customers will continue to adopt intelligent energy devices, including smart lighting and thermostats, that will be able to communicate with rooftop solar, electric vehicles, and more. These efforts are critical to combat climate change and provide resilience before, during, and after major events.  However, as the U.S. electric grid undergoes these changes, it is important to ensure that cybersecurity is incorporated into new devices, systems, and infrastructure and that “security by design” is a core component of these systems.

 — renewableenergyworld.com

Related Topics