By Amanda Durish Cook
INDIANAPOLIS — State regulators should establish standards to ensure the cybersecurity of distributed energy resources, experts said at the National Association of Regulatory Utility Commissioners’ 2019 Summer Policy Summit last week.
More DERs means more consumers joining the grid — and “more credit card numbers, more identifying personal data” at risk, said Tobias Whitney, technical executive for the Electric Power Research Institute, during a July 23 panel.
To address cybersecurity risks, Whitney recommended those in the industry do more to understand vulnerabilities in the supply chain and train a “cross-functional” workforce fluent in IT, operational technology, devices and connectivity. He also suggested industry players maintain security metrics to understand what cybersecurity measures are working.
Colleen Glenn, control systems cybersecurity analyst for the Idaho National Laboratory, said current DER technology is designed for functionality and not cybersecurity.
“Cyber vulnerabilities and cyber threats are inextricably linked. You can’t have one without the other,” Glenn said.
She cited the steps of the Industrial Control System Cyber Kill Chain as a common progression of events when a bad actor hacks the grid: reconnaissance, weaponization, targeting, delivery, exploitation, installation, control and action.
Glenn said hackers often use open-source, Internet-based information to begin a cyberattack. She said a popular starting point is the search engine Shodan, which identifies control systems connected to the Internet.
Web-accessible platforms are common with DERs, Glenn said, adding that she once accessed a solar array and its microinverters through a webpage — all without a single prompt for login credentials. Sometimes, equipment passwords are contained in public operating manuals, and wind turbines are even “daisy-chained” together so cyber access to one means access to all, she said.
“So often vendors are the ones that really control what is designed. … Unless there’s a widespread demand for this, cybersecurity is not a major concern because it’s expensive and requires research,” Glenn said.
Danish Saleem, DER cybersecurity standards lead for the National Renewable Energy Laboratory, said vendors and utilities will not develop a requirement to include cybersecurity controls on their own.
Instead, cybersecurity controls should be required in utilities’ requests for proposals, Saleem said.
“[Utilities] say, ‘Yeah but we don’t need another thing in our system to manage,’” he said. “This has to come from regulatory bodies. You have to fine them.”
Beyond that, regulatory bodies should include basic cybersecurity standards in the approval process, Saleem said. Cybersecurity should be baked into utilities’ design-level work, including plans to periodically update the controls.
Saleem also said he’s looking for regulators’ input on the SunSpec/Sandia DER Cybersecurity Workgroup, which is examining how the IEEE 1547 DER interconnection standard can be revised to include more cybersecurity.
Glenn urged regulators to participate in cybersecurity conferences and stay abreast of cybersecurity topics. “I think one of the greatest things you can do is be a champion of cyber hygiene,” she said.
DER Forecasting Essentials
Later in the day, another panel discussed the need for improved DER forecasting.
Juliet Homer, senior energy research engineer for Pacific Northwest National Laboratory, said DERs traditionally relied on historical trends for forecasts, excluding predictive factors.
“Going forward, there’s a need to move beyond these into more advanced forecasting,” Homer said. She said forecasting could consider growth projections, DER cost decreases and carbon goals. She also said commissions might use the Bass Diffusion Model, which gives a starting-point picture of market penetration based on the theory that early adopters of a new technology influence subsequent adopters.
“With the democratization of our grid, customers are more in control, and they can be sneaky,” joked DER expert Patrick McCoy, of the Sacramento Municipal Utility District.
McCoy said regulators need transparency into DER load data, but that data can be proprietary or veiled behind privacy agreements.
“You’ve got third parties now that control their own [DER] data. … It’s not just about utilities anymore. It’s third parties and customers that are part of the equation,” he warned.
McCoy said commissions should draw distinctions between “need-to-have” data versus “nice-to-have” data and go after necessary data first. He said regulators should pursue reports on resource planning, distribution planning, DER studies, cost trajectories and economic studies. He also said regulators should gain insights into utilities’ customer research.
“It’s a moving target,” McCoy admitted of DER forecasting. “There’s a lot of work to be done.”