EPRI published the first comprehensive cybersecurity guidelines for the networks that connect distributed energy resources (DER) with utility grid systems. The guidelines are intended to inform utilities, installers, integrators, aggregators, and manufacturers on securing solar power systems, wind turbines, energy storage, microgrids, and other DER.
Utilities are increasingly deploying systems (such as Distributed Energy Resources Management Systems and Advanced Distribution Management Systems) that remotely manage and control grid-connected DER via public or private communication networks. These systems send commands to smart inverters, sensors, and other devices, which may reply with information on their operational status or other data. The growing prevalence of new, interconnected devices across the energy system requires continued diligence to mitigate cybersecurity risks.
“A cyberattack on a smart inverter could compromise a utility server that controls hundreds or even thousands of devices connected to the distribution grid—and that could lead to an outage,” said Candace Suh-Lee, an EPRI cyber security expert who developed the guidelines with input from dozens of utilities and other industry stakeholders. “It is also important to secure the cloud-based systems that DER aggregators use to communicate with devices.”
The guidelines focus on network communications between utility systems and DER connected to the distribution grid. They categorize DER as high-risk, medium-risk, or low-risk, recommending the strictest security measures for high-risk systems. For example, a 100-megawatt solar power plant might be considered high-risk because a security breach could lead to a significant loss of grid power. On the other hand, a kilowatt-scale, residential rooftop solar installation would likely be low-risk. The risk-based approach enables utility cybersecurity teams to allocate resources effectively. The guidelines provide a 60-point implementation checklist along with examples of technologies that can be deployed to secure networks.
To develop the guidelines, EPRI’s Suh-Lee identified techniques and approaches applicable to DER in 10 power industry cyber security standards published by organizations including the International Organization for Standardization (ISO), International Electrotechnical Commission (IEC), National Institute of Standards and Technology (NIST), and North American Electric Reliability Corporation (NERC). Suh-Lee gathered input from more than 100 staff at the 31 utilities participating in EPRI’s Cyber Security Task Force for DER and Grid-Edge Systems. The SunSpec Alliance, an industry group of solar component manufacturers, integrators, and aggregators, also provided feedback on the guidelines.
Suh-Lee offers an example of how these guidelines might improve security. If a high school installs a large solar panel canopy on its parking lot, and the installer connects the system’s smart inverter to the school’s Wi-Fi network, any student on the school’s network could connect to the inverter and manipulate data or settings.
“It’s a common practice for solar installers to manage inverters via public Internet. To provide the Internet connectivity to the inverter, they may resort to using an insecure network such as a home or school Wi-Fi network. Today, there are no standards to prevent them from doing so,” said Suh-Lee. “In the high school example, the EPRI guidelines would categorize the school’s solar system as high-risk or medium-risk and recommend configuring the inverter on a network that is appropriately segregated from the school’s network.”
Suh-Lee expects the guidelines to inform cyber security standards such as IEEE 1547, which defines the requirements and capabilities at the interface between DER and the power grid. Following a discussion about the guidelines’ recommendations, an IEEE 1547 working group has started to draft a section of the standard (IEEE 1547.3) that provides cyber security guidelines for DER.
Utilities are considering how to apply the EPRI guidelines to their DER integration activities. “All utilities can implement EPRI’s simple, practical guidelines for DER network integration,” said Mark Johnson-Barbier, senior principal analyst at Salt River Project. “The guidelines should be considered as myriad devices, systems, and microgrids are connected to the distribution power grid in the near future.”
“It’s important to get ahead of DER security risks now—when DER are not yet widespread,” said Suh-Lee. “I expect it to be much cheaper to design and build secure DER networks today than to retrofit utility systems and DER with network security five years from now.”
EPRI’s guidelines address only one facet of DER cyber security risks: communication networks. According to Suh-Lee, the power industry needs a comprehensive cybersecurity standard that covers many other areas, including device-level security (such as anti-virus software), monitoring, incident response, physical security, and management of cryptographic keys.
Key EPRI Technical Experts:
Candace Suh-Lee, Xavier Francia
For more information, contact firstname.lastname@example.org.
- EPRI Security Architecture for the Distributed Energy Resources Integration Network: Risk-Based Approach for Network Design
- Cybersecurity Considerations for Distributed Energy Storage
- Cyber Security Implications for an Integrated Grid
- Grid Security of Connected Devices: Communications and Cybersecurity Assessment
- Security Architecture for Distribution Systems: Reference Architectures and Attack Modeling
Artwork by Ariel Davis