The Russian invasion of Ukraine brought concerns about cybersecurity in energy systems back to the forefront.
The FBI has warned the U.S. energy sector and critical infrastructure projects about the potential for Russian cyberattacks after detecting "network scanning activity from multiple Russia-based IP addresses," CBS reported.
After all, many have spent years declaring that the "next world war" will be cyber.
While larger, grid-impacting entities are likelier targets for bad actors -- for example, previous attacks targeted SolarWinds and the Colonial Pipeline -- experts say cybersecurity vulnerabilities exist among distributed energy resources (DERs) and inverter-based resources (IBRs) due in part to the lack of protection standards.
To address those vulnerabilities, the National Renewable Energy Laboratory (NREL) is working with global safety certification firm UL to develop a set of consensus standards for DER and IBR cybersecurity. Once adopted, the cybersecurity standards are expected to apply to solar PV inverters, wind turbines, and energy storage devices, among other grid edge devices.
“Currently, there are no cybersecurity certification requirements to which manufacturers and vendors can certify their DER devices and IBRs against an established and widely adopted cybersecurity certification program,” said Kenneth Boyce, senior director for Principal Engineering with UL’s Industrial group. He said that developing cybersecurity certification requirements will provide a "single unified approach" that can be used to test and certify DERs before they are deployed in the field.
NREL and UL will base the standards on a 2021 report that offered cybersecurity recommendations for interconnected grid edge DERs and IBRs.
Solar PV, EV, and wind cyber risks
DER aggregation as a resource for electric utilities is made possible by advanced software and remote controls, the report's authors wrote. But aggregation also creates the "potential to open the door" for new vulnerabilities and cyber threats.
NREL and UL discovered gaps in cybersecurity standards in the solar PV industry. They noted that smart inverters can be infiltrated to manipulate voltage, overcharge batteries, and cause grid disruptions.
Electric vehicle charging stations, meanwhile, create cybersecurity vulnerabilities because of their connection to communication networks and other devices. The communication system between EV charging units is vulnerable to malware, researchers found, because communications channels are neither encrypted nor authenticated.
Wind power plants with fiber and Ethernet switches that don't make use of port security tools are susceptible to so-called man-in-the-middle attacks, such as eavesdropping or altering communications. Wind turbine SCADA systems could also be used to transmit harmful messages in the absence of authentication mechanisms.
DER and IBR cybersecurity recommendations
NREL and UL are still developing the cybersecurity certification for DERs and IBRs, and the 2021 report offered 10 recommendations as a starting point.
In particular, the certification recommendations include two-party application association; transport layer security to secure communications; transport layer security recovery to mitigate interruptions; key update for encryption; message authentication codes to identify if communications have been altered; certificate revocation list; expired certificate; operating system security and service version; authentication and password management; and proactive security management.
Internal communications (DER controllers, SCADA systems, DER management systems) and external communications (vendors, metering infrastructure, cellular systems) should be separated, the report notes.
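Two of the recommendations above, message authentication codes and key update, can be shown working together in a short sketch. This is an added example, not code from the NREL/UL report: the message format, device name `inv-07`, command name `set_voltage_pu`, and the keys are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo keys, indexed by key id so the operator can rotate keys
# ("key update") without changing the message format.
KEYS = {1: b"constructed-demo-key-v1", 2: b"constructed-demo-key-v2"}
ACTIVE_KEY_ID = 2
RETIRED_KEY_IDS = {1}  # keys that were replaced and must no longer be accepted


def _canonical(body: dict) -> bytes:
    # Sort keys so sender and receiver compute the MAC over identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_command(body: dict, key_id: int = ACTIVE_KEY_ID) -> dict:
    """Controller side: attach the key id and an HMAC-SHA256 tag to a command."""
    tag = hmac.new(KEYS[key_id], _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "key_id": key_id, "mac": tag}


def verify_command(msg: dict) -> str:
    """Device side: return 'accept' or the reason the message is rejected."""
    key_id = msg.get("key_id")
    if not isinstance(key_id, int) or key_id not in KEYS:
        return "reject: unknown key"
    if key_id in RETIRED_KEY_IDS:
        return "reject: retired key"
    expected = hmac.new(KEYS[key_id], _canonical(msg.get("body", {})),
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
        return "reject: MAC mismatch (message altered)"
    return "accept"


# Constructed sample: a voltage setpoint sent to a hypothetical inverter.
genuine = sign_command({"device": "inv-07", "cmd": "set_voltage_pu", "value": 1.0})
altered = {**genuine, "body": {**genuine["body"], "value": 1.15}}  # changed in transit
stale = sign_command({"device": "inv-07", "cmd": "set_voltage_pu", "value": 1.0}, key_id=1)

if __name__ == "__main__":
    for name, msg in (("genuine", genuine), ("altered", altered), ("stale key", stale)):
        print(f"{name:10s} -> {verify_command(msg)}")
```

A MAC only shows that a message was not altered and came from a key holder; it does not hide the contents, which is why the recommendations pair it with transport layer security.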
Preparing for the unknown
Photo: Alan Mantooth, right, Distinguished Professor of electrical engineering, with students at the National Center for Reliable Electric Power Transmission. (Courtesy: University of Arkansas)
Work by NREL and UL is not the only effort under way to protect inverter-based systems. Alan Mantooth, an electrical engineering professor and researcher at the University of Arkansas, and nationally recognized expert on power systems, is constantly thinking about what he doesn't know.
Mantooth received $3.6 million from the U.S. Department of Energy to establish and lead the National Center for Reliable Electric Power Transmission, where he's working to protect solar technologies from cyberattacks.
But the challenge, Mantooth says, is the unknown about who and what he's protecting against, since we haven't yet been confronted by the cyber attacks of the future.
"What keeps me up at night… is that I don't know where we stand as a field," Mantooth told Renewable Energy World in an interview. "When I develop a new algorithm for detection or mitigation, how the heck do I test that and demonstrate efficacy?"
Mantooth's DOE-backed project focuses on multi-level cybersecurity for solar farms; everything from the inverters up to the grid. But he says the same question keeps emerging: "How do I know what we've done is good?"
Mantooth commended NREL for working to establish cybersecurity standards and certifications for DERs and IBRs. He said he believes the effort will lead to additional education and training programs in the industry.
Certifications can lead management to "change their posture" toward cybersecurity, he added, "even if it's subtle."
Attackers feed off technology
Last year, President Biden met with energy executives to discuss his administration's cybersecurity initiatives and ongoing threats facing critical infrastructure in the U.S.
Attention on cybersecurity in the energy sector was heightened by attacks in recent years against SolarWinds and the Colonial Pipeline. In an executive order signed last May 12, Biden called on the private sector to lead on advances in information technology (IT) and operational technology (OT), arguing government regulation isn't enough to thwart the attempts of bad actors.
Ian Bramson, the global head of industrial cybersecurity at ABS Group, and a risk management adviser to the energy sector, said renewable energy providers, developers, and asset owners face an increased risk of attacks because of gaps in cybersecurity plans.
Renewable resources offer a lot more new technology than many other sectors. "Well, attackers feed off technology," Bramson told Renewable Energy World in an interview. And when resource deployments are accelerating as they are with inverter-based technology, "it's very hard to manage the cybersecurity risk."
Most organizations have IT nailed down, Bramson said, but are lacking in OT protections.
"The OT side, there's a giant lag behind the IT side," he said. He said that most companies on the OT side are unable to answer his number one question: "Do you know what assets you need to protect?"
Bramson outlined four pieces to a renewable energy cybersecurity plan:
- Asset inventory
  - "You need to figure out an automated way (to inventory assets that need cybersecurity protection). When you're expanding and growing, even that basic step is a challenge -- it's not always done."
- Vulnerability management
  - "Where are my holes? Any time you connect with anything, there's a point of attack -- both ways. What are you connected to?"
- Configuration management or management of change
  - "If a bad guy wants to change something, he's going to change a configuration of how something works in that system and so you're going to have to know if there's an unauthorized change going on."
- Monitoring
  - "You need to understand if something (bad) is happening."
Bramson said that some organizations skip the first three steps and focus on monitoring, which can be a mistake. "All of those pieces fit together," he said. After all, if an attack happens and the organization has a comprehensive asset inventory and a good sense of what might be attacked next, "I'm a lot faster in my response than if I just have one piece of that equation."
And in the realm of cyber security, speed is of the essence.
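How the inventory, configuration management, and monitoring pieces fit together can be sketched as a single audit that compares what devices report against approved baselines. This is an added example, not code from ABS Group or the interview: the asset names, config fields, and the `audit` function are hypothetical and the sample data is constructed.

```python
import hashlib
import json


def config_digest(config: dict) -> str:
    """Hash a config in canonical form; this is the value to store and log."""
    blob = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def audit(inventory: dict, observed: dict) -> list:
    """Compare observed device configs with the inventory's approved baselines.

    inventory: asset id -> approved config (changed only via management of change)
    observed:  asset id -> config read from the device during monitoring
    Returns sorted (asset id, finding, detail) tuples; an empty list means no findings.
    """
    findings = []
    for asset in sorted(set(inventory) | set(observed)):
        if asset not in inventory:
            findings.append((asset, "unknown asset", "not in inventory"))
        elif asset not in observed:
            findings.append((asset, "asset not reporting", "no config collected"))
        elif config_digest(inventory[asset]) != config_digest(observed[asset]):
            base, seen = inventory[asset], observed[asset]
            changed = sorted(k for k in set(base) | set(seen)
                             if base.get(k) != seen.get(k))
            findings.append((asset, "unauthorized change", ",".join(changed)))
    return findings


# Constructed sample data for a hypothetical solar site.
INVENTORY = {
    "inv-01": {"fw": "2.4.1", "max_charge_a": 40, "remote_mgmt": False},
    "inv-02": {"fw": "2.4.1", "max_charge_a": 40, "remote_mgmt": False},
    "scada-gw": {"fw": "5.0", "tls": True},
}
OBSERVED = {
    "inv-01": {"remote_mgmt": False, "fw": "2.4.1", "max_charge_a": 40},  # same, reordered
    "inv-02": {"fw": "2.4.1", "max_charge_a": 95, "remote_mgmt": True},   # drifted
    "cell-modem-x": {"fw": "1.0"},                                        # never inventoried
}

if __name__ == "__main__":
    for asset, finding, detail in audit(INVENTORY, OBSERVED):
        print(f"{asset:14s} {finding:22s} {detail}")
```

Without the inventory, the monitoring step could not tell that `cell-modem-x` is unexpected or that `scada-gw` has gone silent.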
Watch the full interview with ABS Group's Ian Bramson and Renewable Energy World's John Engel.