DOE reports on cybersecurity considerations for distributed energy resources across US electric grid

The U.S. Department of Energy (DOE) released on Thursday a report detailing its long-term evaluation of the cybersecurity considerations associated with distributed energy resources (DER), such as distributed solar, storage, and other clean energy technologies, and the potential risks to the electric grid over the next ten years. The goal is to mitigate current risks to the energy grid and be prepared for the threats and vulnerabilities of the future. These mitigations form the base of a new framework for defining the defensive posture of the future grid.

The DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) works with the DOE’s Office of Electricity and the DOE’s Office of Energy Efficiency and Renewable Energy (EERE). Electric utilities also are concerned about cybersecurity threats to electric power infrastructure and are taking action to improve the cybersecurity of their equipment. 

The report, titled “Cybersecurity Considerations for Distributed Energy Resources on the U.S. Electric Grid,” developed by these agencies, provides recommendations for the DER industry, energy sector, and government to take action and secure current and future systems. The report also acknowledges the ongoing need to engage with DER industry stakeholders to develop cybersecurity standards and best practices, provide education and training, and establish information-sharing mechanisms. Broad industry involvement is key to developing robust DER cybersecurity standards. 

The report provides an overview of cybersecurity considerations that the electric sector, including utilities and DER operators, providers, integrators, developers, and vendors, as well as policymakers, should take into account as it carries out a transformational change to the U.S. electric grid. It is not meant to be a comprehensive review of cybersecurity considerations in the DER industry but rather to encourage dialogue and further conversations between industry and government stakeholders.

The report also warns that, depending on system conditions, a fleet of DER aggregated to significant size could pose a reliability challenge if under the control of an advanced, capable attacker and if cybersecurity considerations and threat mitigation strategies are ignored.

As outlined in the report, DOE also intends to fund research on next-generation DER defenses, including security-by-design and the recently released Cyber-Informed Engineering strategy, to ensure security in a decarbonized grid. Deployment of wind, solar, and energy storage will help to achieve the nation’s clean energy goals, diversify the electricity supply, and make the grid more resilient to outages, making an investment in security for DER essential to safeguarding the nation’s energy infrastructure, it added.

“The future of DER on the electric grid will involve hundreds of thousands of distributed resources providing many thousands of megawatts, all operated by an overarching system that interfaces with hierarchical grid operations,” the report identified. “Today, cyber compromise of a single or even multiple DER is inconvenient to the owner/operator of that resource, but generally does not register to a grid operator concerned with orders of magnitude more resource supply.” 

However, if a cyberattack could affect many thousands or more DER or the overarching systems controlling DER, then such an attack would reach a level that concerns grid operators, the report said. “While that attack capability and potential impact are currently low for most regions, the trendline for cyber attackers is that they increase their capabilities over time and target new systems in novel ways.”

Grid owners and operators have several reasons to be concerned about cybersecurity. Most reasons are directly tied to the number of DER and the total amount of power that a cyberattack can influence. While the critical number varies depending on the size of DER installations, real-time load conditions on the grid, the number and geographical distribution of those installations, and the communication/trust relationships, approximately 30 percent of DER deployment relative to peak load begins to show infrequent but potential grid-level consequences.

Some potential attack vectors for DER include DER ransomware, DER supply chain compromise, DER botnet, and DER worm. Other more common attack vectors, such as phishing, ransomware, denial-of-service, Trojan horses, data-in-flight and man-in-the-middle attacks, malicious rootkit attacks, and zero-day exploits, also could contribute as links in a long attack chain that results in DER compromise.

The report said that an implied trust relationship is common for the communications infrastructure in electric power control systems. If industrial systems can talk to one another, they trust each other to provide accurate information and commands. Attackers who have inserted themselves into this trust relationship can poison these systems, causing them to act counter to reliability and resilience requirements. 

Additionally, the implied trust relationship is not a good model for DER systems. The sheer scale of DER deployment, the range of communications options, and the level of access required by various stakeholders will show that implied trust does not scale resiliently for DER. Compromises to an implied trust relationship are difficult to discern or reliably block.

The report also pointed out that the energy sector has seen an increase in the frequency and severity of cyberattacks that are largely independent of historical DER deployment. Advanced attackers are already capable and resourced for current power grid systems and are anticipated to add to their capability with DER understanding. There is a converging risk associated with sophisticated attacks on power grid systems and expansion of the attack surface. The need to understand and address that risk is critical to establishing defense systems for the modern grid.

Another industry trend highlighted in the report is increased attacker experimentation and exploitation targeting operational technology (OT) systems. For example, advanced attackers shut down Ukraine’s power grids manually in December 2015 and deployed specialized malware targeting electric substations in December 2016. In 2017, an attacker was discovered interfacing directly with the industrial systems responsible for petrochemical safety in Saudi Arabia to install malicious software that would permit undetectable alterations. The malicious modifications, dubbed the TRITON/TRISIS malware, were found only when the attacker inadvertently triggered the safety system, leading to an investigation that identified the malware.

The report said that supply chain attacks would continue to be a major theme in cybersecurity. An attacker also could compromise a development environment to taint new software as it comes out of production or compromise authorized updates for software or hardware already deployed. Or an advanced attacker, for instance, may add a chip onto the printed circuit board design that duplicates data in memory and sends it to the attacker, giving the attacker credentials and login data to the compromised devices.

As DER deployments grow, securing them will require methods and ways of understanding the supply chain associated with their creation; the development of standards to secure that supply; and assurances that suppliers, aggregators, and utilities are assigned the appropriate responsibility and accountability for securing their hardware and software. Supply chain standards are the main driver for assigning this responsibility and accountability.

The report identifies that best practices for cybersecurity include multi-factor authentication, endpoint detection and response, encryption, and a skilled and empowered security team. Many cybersecurity standards do exist; however, they may need refinement to address specific DER deployment use cases.

Its key recommendations include adopting best practices and meeting minimum security requirements. DER providers can utilize multi-factor authentication, encryption, and other tools to secure their devices. Many cybersecurity standards exist and can be used to develop security technologies and measures appropriate for their use. Additionally, they can implement good governance by designing security into utility and DER systems from the beginning and making security a priority for all employees, suppliers, and customers. Further, providers can incentivize cyber resilience by going beyond the standards and working to actively detect threats and adopt a zero-trust approach to verify commands and data.

Last month, the DOE announced that it is accepting applications for the next cohort of its OT Defender Fellowship, which aims to expand the cybersecurity knowledge and capabilities of U.S. energy sector cyber defenders. The OT Defender Fellowship program enables OT security managers from the energy sector to build relationships with their peers.
