Cybersecurity is a growing issue for the U.S. economy, especially for the critical infrastructure that keeps the nation’s energy system operating — the interconnected and interdependent systems of natural gas, water, communications, and fuel distribution, and especially the highly dynamic electric power sector, which is seeing the widespread introduction of advanced and intelligent energy technologies. But that doesn’t mean the intelligent and distributed grid of the future need be more vulnerable to cyberattack than the closed and centralized electric power system it is in the process of replacing.
The transition to advanced and intelligent energy technologies will create a wide range of security and economic benefits for the energy system and for consumers. The National Academies, for example, recently found that advanced controls and a more distributed energy generation architecture have the potential to prevent or limit widespread electric grid outages by enhancing power quality and allowing problematic components to be isolated.
At the same time, the modern grid, with its growing use of distributed energy resources (DER), will open new modes of communication and interaction between increasingly diverse and numerous participants and devices. For this reason, modern grid technologies expose existing security vulnerabilities in new ways, even as they introduce new benefits. Fortunately, there are protections currently available or under development that can make an increasingly complex, interactive, and distributed electricity system more resilient against cyber threats.
A new white paper from the Advanced Energy Economy Institute, Cybersecurity in a Distributed Energy Future: Addressing the Challenges and Protecting the Grid from a Cyberattack, identifies key challenges, best practices, and strategies for consideration by state and federal policymakers and regulators, as well as utilities and technology providers.
"We really believe that distributed energy resources can make the grid much more resilient and reliable," Lisa Frantzis, AEE vice president of 21st Century Electricity System, told E&E News, in coverage of the new report. "There are steps that can be taken right away, with minimal effort, to help secure the network."
The AEE Institute paper was a collaborative effort, with contributions from experts at Advanced Energy Economy (AEE), BRIDGE Energy Group, Converge Strategies LLC, Direct Energy (Centrica), EnergyHub, Enphase Energy, Ingersoll Rand, Landis+Gyr, Navigant Consulting, Oracle Utilities, Schneider Electric, and Siemens. AEE Institute also consulted with utility experts who participate on AEE’s Utility Advisory Committee.
Recent events have shown that cyber threats are “increasing and targeting a broader range of assets, including advanced distributed energy technologies and smart grid applications,” said Kenneth Lotterhos, managing director, energy, at Navigant Consulting, and a contributor to the report, quoted in Utility Dive.
Intended to inform decision makers about ways to make a power grid characterized by abundant advanced energy technologies secure against cyberattack, the paper highlights:
- Cybersecurity threats to the economy and to the energy sector;
- Eight cybersecurity best practices for a distributed, intelligent grid;
- Policy and regulatory frameworks on cybersecurity that are in place at the national level and in some states;
- Seven specific protective measures and protocols for grid operators; and
- Six overall recommendations to encourage adoption of best practices.
As noted by Bloomberg, manufacturers should program devices so people are forced to change default passwords when they connect to the grid. Utilities also could deter attacks by requiring and issuing software keys to protect connected devices.
To encourage adoption of best practices, AEE Institute recommends several concepts for consideration by industry and policymakers:
- Development of a short list of mandatory and standardized requirements that are no-cost or low-cost to implement. This could include, for example, drawing on existing industry standards that encourage end-to-end protection of both DER devices and the management systems that control them.
- Creation of guidelines for implementing reliable and secure DER systems, with illustrative use cases.
- Cybersecurity embedded as part of standard security practices for manufacturers (e.g., UL Listing or ISASecure) and/or end-use adopters (e.g., factory default password reset requirements).
- Coordination and unification of DER cybersecurity efforts. There are numerous ongoing policy and standards developments that would benefit from closer coordination and support.
- Due consideration for international standards bodies, with a vision for platform integration and interoperability.
- Support for ongoing innovation in the face of emerging threats. New endpoint protection technology needs to be developed for critical infrastructure devices.
“A lot of this is basic stuff, but a lot of it hasn't really been applied to the operational technology areas of the utility space,” Todd Wiedman, director of security at the Swiss smart meter developer Landis+Gyr and a contributor to the AEE Institute report, told E&E News. This is especially true of older devices still in the field, he said. “We’re in a situation where 101-level IT security — things that we do on our computers every day, or on our mobile devices — has not really been extended to the meters yet, or to the endpoints.”
Still, we believe that the outlook on grid edge security should be positive. There are technologies, processes and operational strategies currently available that will reduce exposure to cyberattack. With appropriate application of these protective measures, the risk of a major service outage resulting from a breach at the grid edge can be minimized.
“People have been attacking the grid for years, from a cyber perspective, and we have not seen any major incidents,” Chris King, chief policy officer for the digital grid business unit at Siemens, also a contributor to the report, said to E&E News. “That doesn’t mean we should lower our guard — in fact, we should raise our guard, because we’re getting into new areas with distributed resources.”