A new toolkit from the National Association of State Energy Officials (NASEO) and the National Association of Regulatory Utility Commissioners (NARUC) aims to help state regulators grapple with cybersecurity concerns with distributed solar resources that “have not been fully addressed.”
The toolkit was produced by the Cybersecurity Advisory Team for State Solar (CATSS), which NARUC and NASEO launched in June 2020 with the U.S. Department of Energy’s Solar Energy Technologies Office. (See NARUC, NASEO Launch Solar Cybersecurity Resource.) CATSS includes experts on digital security, the electric grid and photovoltaic technologies, with leadership drawn from state-level policymakers and regulators and additional support from the federal government and private sector.
CATSS’ focus is on distributed solar because, as the document states, “less attention has been given” to it from cybersecurity efforts than to “legacy assets and bulk power” despite the “significant forecasted growth” of distributed energy resources as part of the overall generation mix. This attention deficit is particularly concerning because DERs rely on remote communication tools to a degree that traditional resources do not, meaning a successful cyberattack could lead to serious consequences.
“As the leaders in state energy policy and program development in support of their governors’ and legislators’ cybersecurity and DER goals, state energy offices are increasingly engaged in cybersecurity actions,” said NASEO President David Terry in a statement. “This toolkit will help states achieve their energy and resilience goals by creating more cyber-secure distributed energy resources.”
The kit comprises 10 tools divided into two areas of focus. The first is education and risk awareness to inform state energy officials and public utility commissions of the underlying issues around distributed solar and other DERs.
The category includes four documents. Photovoltaic solar engineering and system overview covers the components of a local solar panel network and their communication with each other and grid controllers. The Standards quick guide provides relevant standards from regulators like FERC and NERC, along with industry groups such as the Institute of Electrical and Electronics Engineers.
Assessing solar cybersecurity is a list of discussion prompts for energy officials and commissions to discuss cybersecurity issues with utilities. The final tool in the section, Hypothetical solar cyberattack scenarios and impacts, discusses “approachable, plausible scenarios of cyberattacks affecting [solar] assets and interconnected infrastructure.”
In the second set, NARUC and NASEO provide practical actions to address cyber threats. The Decision support tool for solar energy cybersecurity policy and regulation includes a probable risk assessment to help users understand the risks and ownership of a solar network’s physical assets. Next, the Case studies and model guidance tool assists states with forming working groups, a “critical first step to establishing state cybersecurity programs.”
In Cybersecurity and the solar workforce, the writers suggest competencies and skillsets that should be looked for in solar-related cybersecurity professionals, along with tactics that energy offices and commissions can use to encourage good hiring practices. Cybersecurity considerations for state procurement of solar assets offers sample language for procurement agreements, contracts and grants, as well as models for setting up state solar cybersecurity practices.
Exercise design guidance for solar cybersecurity provides recommendations for designing energy emergency exercises, drills and other solar cybersecurity-focused simulations. Finally, the last tool approaches the cybersecurity issue from the perspective of state legislatures, offering example bills for “states seeking legislative options to help mitigate these risks.”