DER Vendors Are Pressed to Act on Cybersecurity

Cybersecurity outside of the traditional IT limelight is having its moment. Industrial control system experts have revealed how software supply chain hacks like SolarWinds might impact operational technology. In February, an intruder nearly poisoned the water supply of 15,000 residents in Florida by hijacking remote access software. Recognizing energy infrastructure’s fragility in cyberspace, President Biden renewed emphasis on the cybersecurity of US energy infrastructure and its supply chain. Similarly, the US Department of Energy’s National Renewable Energy Laboratory announced a new office dedicated to distributed energy resources (DER) cybersecurity. 

Instead of energy being generated as it is consumed, transactive energy with DER localizes generation, improves efficiency, stabilizes demand and outages, and reduces single points of failure to create more resilient operations. Rather than a highway system where a breakdown causes widespread impacts and delays, DER technologies provide alternate routes for consumers and prosumers to store and sell excess capacity back to energy providers. However, DER technology and transactive energy are new conduits for cyberattacks on the energy grid. Many unregulated technologies, widely distributed Internet of Things devices, and domestic generation operations either cannot afford cybersecurity or consider it as an afterthought.

To manage additional nodes and generation routes, the grid needs to support more communications between traditional entities and DER quickly and safely. Information needs to be verified, aggregated, automated, and controlled to allow operators to perform oversight and make informed day-to-day decisions. 

New Ways for Vendors to Create Technology with Cybersecurity in Mind

1. Software-Defined Networking: Software-defined networking is a way of interconnecting Ethernet networks that predetermines data flows to manage the instructions for what data gets sent where. Users define primary and backup communications pathways and can designate separate paths for different applications or data. Any packet on the network that is not identifiable by the set instructions will be dropped. This provides a layer of defense and control for critical processes that require high speed decision-making and is adaptable for individual DER technologies and potentially broader grid integration. 
   
2. Software Bill of Materials (SBOM): Given the increase in supply chain cyberattacks, calls for a standard system for tracking software and its metadata in critical operations are gaining traction. In industrial control systems, inventory and asset management for digital components is retroactive. For DER, a proactive approach to SBOM that characterizes and tracks all components of each software in use can enhance the integrity of the DER supply chain. There is a push to require vendors to implement an SBOM framework to engender trustworthy suppliers and services. Doing so will promote competition for trust among vendors, create a standard of integrity across DER technology providers, and standardize technologies that interact with the grid. 
   
3. DER Cybersecurity Maturity Model: The rapid deployment and democratization of new technologies has given security practitioners pause as insecure and untested products are sometimes rushed to market. Working to harden the grid, researchers at the Pacific Northwest National Laboratory developed leading practices for the DER industry to evaluate the cybersecurity of their products. The model provides an assessment mechanism for vendors’ hardware, software, and firmware based on management priorities, core assessments, and comparative analysis. The assessment is online and can be repeated over time to track improvements. 
   

As the Energy Cloud 4.0 transforms value chains for power generation and utilities, the frequency and sophistication of cyberattacks are increasing. The good news is that it’s not too late to course correct. DER vendors can take steps to control data flows, micromanage software components, and continually self-evaluate to enhance security, making the grid safer. For energy providers integrating DER technologies, Guidehouse offers iDER—a platform for ambitious ventures into system orchestration and value creation in the future energy system.