Concerns about cybersecurity in energy systems were brought back to the forefront by the Russian invasion of Ukraine.
CBS reported that the FBI warned the U.S. Energy Sector and critical infrastructure projects about Russian cyberattacks. After detecting “network scanning activity coming from multiple Russia-based IP addresses”, CBS reported.
Many have spent years claiming that cyberspace will be the next world war.
While larger, grid-impacting entities are likelier targets by bad actors — for example, previous attacks targeted SolarWinds and the Colonial Pipeline — experts say cybersecurity vulnerabilities exist among distributed energy resources (DERs) and inverter-based resources (IBRs) due in part to the lack of protection standards.
The National Renewable Energy Laboratory is working with UL, a global safety certification firm, to create a set of consensus standards that address these vulnerabilities. These cybersecurity standards, once adopted, will apply to all grid edge devices such as solar PV inverters, turbines, and energy storage.
“Currently, there are no cybersecurity certification requirements to which manufacturers and vendors can certify their DER devices and IBRs against an established and widely adopted cybersecurity certification program,” said Kenneth Boyce, senior director for Principal Engineering with UL’s Industrial group. He stated that the development cybersecurity certification requirements would provide a “single unified method” to test and certify DERs in the field.
NREL and UL will create standards based on a 2021 report which offered cybersecurity recommendations for interconnected Grid Edge DERs (IBRs) and IBRs.
Solar PV, electric vehicles, and cyber-risks from wind
Advanced software and remote controls make it possible to aggregate DER as a resource for electric utilities, according to the report’s authors. However, aggregation can also open up the possibility of new vulnerabilities and cyber threats.
UL and NREL discovered security gaps in the solar PV industry. They discovered that smart inverters can be hacked to manipulate the voltage, overcharge battery cells, and disrupt the grid.
Because of their connectivity to other devices and communication networks, electric vehicle charging stations can create cybersecurity vulnerabilities. Researchers found that the communication system between EV charging stations is susceptible to malware because it does not use encrypted or authenticated communications channels.
Wind power plants equipped with fiber and Ethernet switches are more vulnerable to man in the middle attacks. These include eavesdropping and altering communications. In the absence of authentication mechanisms, wind turbine SCADA systems could be used to transmit dangerous messages.
Cybersecurity recommendations for DER and IBR
UL and NREL continue to work on cybersecurity certifications for DERs or IBRs. The 2021 Report offered 10 recommendations as a point of departure.
The certification recommendations include two party application association; transport security to secure communications; transportation layer security recovery to minimize interruptions; key upgrade for encryption; message authentication codes that identify if communications are altered; certificate revocation; expired certificate; operating systems security and service version; authentication; password management; and proactive cybersecurity management.
The report notes that internal communications (DER controllers and SCADA systems, DER management system, DER control systems) and external communication (vendors, metering infrastructures, cellular systems), should be kept separate.
Preparing for the Unknown
UL and NREL aren’t the only ones trying to protect inverter systems. Alan Mantooth, an electrical engineering professor and researcher at the University of Arkansas, and nationally-recognized expert on power systems, is constantly thinking about what he doesn’t know.
Mantooth received $3.6million from the U.S. Department of Energy in order to create and lead the National Center for Reliable Electric Power Transmission. He’s currently working to protect solar technologies against cyberattacks.
Mantooth said that the challenge is the unknown about what it is.O And what He’s protecting against the future cyber attacks, which we haven’t yet faced.
“What keeps me up at night… is that I don’t know where we stand as a field,” Mantooth told Renewable Energy WorldInterview. “How do I prove efficacy and detect new algorithms for mitigation or detection?
The DOE-funded project by Mantooth focuses on multilevel cybersecurity for solar farms. This includes everything from inverters to the grid. He says that the same question continues to be asked: “How can I tell if what we’ve done was good?”
Mantooth praised NREL for establishing cybersecurity standards and certifications to DERs, IBRs, and other related areas. He stated that he believes that the effort will lead the industry to further education and training.
He said that certifications can help management “change their posture” towards cybersecurity, even if it’s subtle.
Technology is used by hackers to feed their attacks
Last year, President Biden met with energy executives to discuss his administration’s cybersecurity initiatives and ongoing threats facing critical infrastructure in the U.S.
Attention on cybersecurity in the energy sector was heightened by attacks in recent years against SolarWinds and the Colonial Pipeline. In an executive order signed last May 12, Biden called on the private sector to lead on advances in information technology (IT) and operational technology (OT), arguing government regulation isn’t enough to thwart the attempts of bad actors.
Ian Bramson is the ABS Group’s global head of industrial cybersecurity and a risk management advisor to the energy sector. He stated that developers of renewable energy and asset owners are at greater risk from attacks due to gaps in their cybersecurity plans.
Renewable resources are able to offer more innovation than many other industries. Bramson said, “Well, attackers feed technology.” Renewable Energy World Interview. In an interview.
Bramson said that while most organizations have IT in place, they lack OT protections.
He said, “The OT side is a huge lag behind IT.” He stated that most companies on OT are unable answer his first question: “Does your company know what assets you need?”
Bramson outlined four pieces to a renewable energy cybersecurity plan:
- Asset inventory
- “You need an automated method to inventory assets that are subject to cybersecurity protection. Even that simple step can be a challenge when you’re growing and expanding.
- Management of vulnerability
- “Where are my holes?” Every connection with anything has a point-of-attack–both ways. What are your connections to?
- Management of change or configuration management
- “If a bad guy wants something to change, he’s going change a configuration of the way something works in that system. So you’ll need to know if there’s an unapproved change.”
- “You must understand what (bad) is going on.”
Branson said that many organizations ignore the first three steps and instead focus on monitoring. This can be a mistake. He stated that “all of those pieces fit together.” He explained that if there is an attack and the organization has a complete asset inventory and a good idea of what might be next, “I can respond much faster than if I have just one piece of that equation.”
Cyber security is a fast-paced field.
Watch the complete interview with Ian Bramson of ABS Group and John Engel from Renewable Energy World.