With distributed energy resources (DER) playing a growing role in electric reliability, ensuring their protection from cybersecurity threats has become increasingly vital, the Texas Reliability Entity heard last week.
Rebekah Barber, a cyber and physical security analyst for Texas RE, says now is the time to look ahead at the threats this emergency technology will face. While she focused primarily on smart devices, Barber said DERs, whose deployments are expected to triple by 2025, will not be exceptions.
“These devices can pose a risk to the average network as these devices are typically not designed with security in mind,” she said during a Talk with Texas RE webinar Thursday. “Traffic is often not encrypted from these devices, default [administrative] passwords aren’t changed and sometimes, vendors don’t push out firmware updates or security patches.”
Barber said DERs may face “zero-day attacks,” when hackers exploit software flaws before developers are able to address them.
“While they are specifically targeted towards industrial systems, they prey on the vulnerabilities found in those newer technologies,” she said.
The threats don’t stop there, Barber said.
“As cybersecurity defenses have evolved, attackers have shifted their focus upstream to ‘contaminate the water,’ so to speak,” she said. “Attackers are now focusing more on trusted suppliers and vendors to add backdoors or weaken the overall security of products and services to gain access to an otherwise protected system.”
Barber cited the SolarWinds hack of 2020, in which the Texas software company sent an update to its customers that was infected with a malicious code. About 18,000 SolarWinds customers downloaded the update, unwittingly helping spread one of the largest cyberattacks against the U.S.
“Many companies, including some federal agencies, were affected by this attack, which gave attackers access to the victim’s network, and then from there allowed the attackers to compromise other systems,” Barber said.
She said protecting DERs should begin with a skilled and empowered security team and that “other best practices will naturally follow.”
They include: endpoint detection and response to understand what is being communicated with and to quickly respond to threats; a zero-trust model that verifies and authenticates every access attempt; encrypting communications between operators and resources to ensure confidentiality and prevent data tampering; and multi-factor authentication beyond passwords to strengthen user accounts and prevent unauthorized access.
Barber referred her audience to a report released last fall by the Department of Energy that gives a high-level overview of the expected cybersecurity challenges with DERs’ increased deployment in the coming years.
The report defines DERs as small-scale power generation, flexible load or storage technologies between 1 kW and 10,000 kW that can provide an alternative to or improve the traditional electric power system. They can be located on a utility’s distribution system, a subsystem or behind the customer’s meter. DERs may also include electric storage, variable generation, distributed generation, demand response, energy efficiency, thermal storage or electric vehicles and their charging equipment.
In 2020, NERC created the System Planning Impacts from DER Working Group (SPIDERWG) to address “key points of interest” related to system planning, modeling, and reliability impacts to the bulk power system .
