REPORT: Shoring Up Cybersecurity Protocols for Distributed Energy Resources
Tuesday, Nov 01 2022
For grid planners and operators working in today’s digital age, there are few words more frightening than cyberattack.
In the energy sector, breaches by bad actors can cause infrastructure to shut down and quickly disrupt daily life, as occurred during the infamous cyberattack on the Colonial Pipeline in May 2021 that cut off half of the gasoline and jet fuel supply to the East Coast. The attack caused a massive fuel shortage and a mad dash for gasoline, resulting in long lines, higher prices and chaos that triggered government intervention.
Done right, distributed energy resources (DERs) such as rooftop solar and energy storage can be part of the solution. These technologies are helping to modernize and decentralize the U.S. power grid. But as a new U.S. Department of Energy (DOE) report emphasizes, cybersecurity must be built into DERs from the start — and remain top of mind throughout their deployment — in order to build the most reliable, resilient and secure grid possible.
There’s No Time Like the Present
The United States’ 90 gigawatts of installed DER capacity, half of which is rooftop solar, is expected to quadruple by 2025. DOE’s report underscores that cybersecurity best practices must be followed in the industry before DERs become a significant portion of U.S. energy supply.
This includes taking a “cyber by design” approach that proactively incorporates cybersecurity measures early in the product design process. This is cheaper and more effective than offering security fixes once the product is already on the market.
Cyber by design means that every part of a product must be cyber secure, including the materials and inputs used for products. Bad actors may try to infiltrate products as early as the manufacturing stage to get around today’s more advanced cybersecurity defenses. The DOE report calls for developing standards that assign clear responsibility to companies for securing the supply chains of their products.
New Technology Requires New Thinking
DERs are driving an exponential increase in the number of energy systems in operation on the U.S. grid. This requires rethinking which models work best to enhance security.
Devices on the grid today typically follow an “implied trust” model when communicating with other devices. For example, the vast majority of rooftop solar systems interface with the local electric grid to import energy when solar production is low and to export energy back to the grid when the system produces more energy than a household needs. Under an implied trust model, information shared between the system and the grid — such as how much energy is being imported and exported — is presumed to be secure without verification.
As more home solar and storage systems are deployed, this open communication creates opportunities for attacks that provide inaccurate information or false commands. Device manufacturers can no longer assume that everyone in the communication chain is a trusted partner. The DOE report recommends instead shifting to a “zero-trust” model where communication between devices is only assumed to be safe and accurate once it has been verified using cryptographically secure mechanisms.
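The difference between implied trust and verify-before-trust can be shown with a short sketch. This is an added example, not code from the DOE report or SEIA: it assumes HMAC-SHA256 with a per-device key as the cryptographic mechanism, and the device ID, key, field names and skew window are all hypothetical.

```python
import hashlib, hmac, json, time

# Constructed per-device key (assumption: provisioned out of band at commissioning).
DEVICE_KEYS = {"inverter-001": b"constructed-demo-key-not-for-production"}
MAX_SKEW_S = 30          # hypothetical freshness window, in seconds
_last_counter = {}       # device_id -> highest counter accepted so far

def _canonical(body: dict) -> bytes:
    # Stable byte encoding so both sides compute the tag over identical input.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign_reading(device_id, key, counter, export_kw, now=None):
    """Device side: attach an authentication tag to an export reading."""
    ts = int(time.time() if now is None else now)
    body = {"device_id": device_id, "counter": counter,
            "ts": ts, "export_kw": export_kw}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify_reading(msg, now=None):
    """Grid side: return (accepted, reason). Nothing is trusted before the tag checks out."""
    now = time.time() if now is None else now
    body, tag = msg.get("body"), msg.get("tag")
    if not isinstance(body, dict) or not isinstance(tag, str):
        return False, "malformed"
    device_id = body.get("device_id")
    key = DEVICE_KEYS.get(device_id) if isinstance(device_id, str) else None
    if key is None:
        return False, "unknown device"
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison; a tampered reading or wrong key fails here.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "bad tag"
    # Fields are read only after authentication succeeds.
    if abs(now - body["ts"]) > MAX_SKEW_S:
        return False, "stale"
    if body["counter"] <= _last_counter.get(device_id, -1):
        return False, "replay"   # an old, validly signed message sent again
    _last_counter[device_id] = body["counter"]
    return True, "ok"
```

Under implied trust the receiver would act on `export_kw` directly; here a modified value, an unknown sender, an old message or a repeated one is rejected before the reading is used.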
The sheer size and dispersed nature of the DER market also requires a new approach to technology fixes and updates. Repairs to a traditional energy resource, like a coal-fired power plant, are typically handled by the resource’s owner. For DERs, security updates and other fixes must be applied to thousands of different systems installed across the country and involve multiple parties such as the device’s manufacturer, owner and aggregator. Companies must lock down their protocols for coordinating updates to ensure they can be carried out smoothly when it matters most.
The Role of Industry
The solar and storage industry must play a key role in ensuring that distributed clean energy technologies are secure and resilient by design. SEIA is at the forefront of strengthening the industry’s response to cyberthreats and is working with companies to implement cybersecurity best practices. This past spring, SEIA hosted the inaugural Secure Renewables conference, dedicated to exploring the infrastructure and processes required to securely operate renewables on the grid.
The DOE report finds that continued industry involvement and partnerships with government agencies will be essential to establishing clear and universal cybersecurity standards.
Clean energy companies must prioritize cybersecurity and act quickly to implement safety protocols. Rooftop solar just set its fifth-straight quarterly record for installations and the recently passed Inflation Reduction Act will only speed up the rate of deployment. When best practices like those outlined in DOE’s report are followed, the coming wave of DERs can serve as a shield in the fight against increasingly bold cyberattacks.
With the right preparation in place, the solar and storage industry stands ready to lead the way.
To learn more about DOE’s report, register for a webinar hosted with the Office of Cybersecurity, Energy Security, and Emergency Response and DOE’s Solar Energy Technologies Office on Nov. 7.