
The Need for Cybersecurity for Distributed Energy Resources

March 12, 2017
Are cybersecurity standards necessary for distributed energy resources?

Take just one sip, or CIP in this case, and we might find ourselves drowning as we are forced to continue to sip from what might become a firehose. At least that is a concern I hear from individuals who fear that the cost of cyber protection could engulf us without providing us with sufficient protection. Is it possible to evolve our critical infrastructure protection (CIP) rapidly enough to secure our grid?

I have been thinking about grid security a lot lately. We have a remarkable grid that was the driver of the early growth of our global economy and that is now foundational for everything we do in our increasingly connected world. With the rapid growth in distributed energy resources (DERs) — including solar, storage, fuel cells, combined heat and power, and home energy management — we are far less reliant on central station power plants. In addition to supporting significant reductions in greenhouse gases, DERs have, in many cases, enabled the deferral of the construction of new transmission and substation facilities, while leading to better utilization of existing assets and investments. The proliferation of DERs is increasing connectivity, improving utilization of data and creating new business opportunities and services. Clearly, the growth in DERs brings many benefits to society and to the electric utility industry. I believe that it also brings a new set of risks.

Whenever I ask proponents about the need for cybersecurity on DERs, the most common response is that cybersecurity standards are not necessary for most DERs, as they have limited reach and it would take a significant amount of time on the part of hackers to locate the vulnerabilities on a widely distributed set of resources. They also express valid concerns that applying the same cybersecurity standards to DERs that are now applied to utility-owned facilities would add significant costs, thus undermining the economics.

While I see the logic in these answers, I find them unsettling as DERs become an increasingly critical component of our electric infrastructure. We already see constant attacks on our generation plants, substations and control centers. We have taken steps to address this situation in the U.S. through the FERC-approved NERC CIP standards. New CIP standards apply to control centers that control an aggregation of DERs of at least 1500 MW in a single interconnection. I believe this is a clear indication that FERC and NERC recognize that protecting generation, including DERs, plays a role in grid security.

Are we evolving fast enough? I thought we were until I considered the Distributed Denial of Service attack that took place across the U.S. in October 2016. This attack shut down access for thousands of users of Twitter, Spotify, Netflix, Amazon and others. By all accounts, it was a sophisticated attack that adapted to defend itself against attempts to stop it. It lasted several hours, causing significant disruption for many of these businesses.

This suggests that hackers are willing to invest the time and effort to perpetrate large-scale hacks with big impact. If they can do this to nanny cams, could they do it to any grid-connected DER? If they did succeed at shutting down DER sites, it would result in significant lost revenue but an even higher cost to add additional security after the hack(s) for the suppliers and owners of the DERs.

We should also remember gaps in grid security were exploited during the 2015 Ukraine grid blackout caused by hackers who found small exploratory vulnerabilities very much in advance of the actual attack. This was the first known widespread grid blackout caused by cyber terrorists. The lesson here is not about the details of this event, but that there is intent, motive and focus behind all the effort it takes to infiltrate and gain knowledge prior to causing a large effect.

Just as the “Internet of Things” grows our use of data and new services, the “Internet of the Grid” that includes DERs gives rise to technical abilities to connect very disparate things together such as residential and commercial grid assets. We see innovative companies aggregating solar sites for performance and asset management purposes, essentially putting many megawatts of rolled up capacities into a “cloud” environment that may or may not be protected. This makes it fertile ground for hackers to quietly look for exploits and creative ways to think about how to create a much larger impact than any given site.

CIP is a “floor” of protection that FERC/NERC have been struggling with utilities to adopt nationwide. The DER jurisdiction for putting mandatory controls in place is not part of FERC or NERC, and it may be falling into somewhat of a regulatory “hole” that could become the next unprotected vulnerability that gets exploited by those with intent and motive to do our society harm.

For me, this comes down to the question: When do we reach the tipping point where there are sufficient grid-connected DERs that grid security is vulnerable to coordinated attacks on DERs? At what point do we conclude that we need more than just one CIP? I expect it may be sooner than we think.

About the Author

Stewart Ramsay | Senior Partner

Stewart Ramsay is a senior partner with Vanry and Associates. He has more than 30 years of experience in leadership, consulting and engineering roles in the global utility industry and manufacturing industry. He is an experienced utility and technology executive hired for his “startup” and “turnaround” capabilities. He has extensive expertise in strategic planning, organizational effectiveness, and asset and performance management. He is a frequent speaker at industry conferences and is well known for his perspectives on industry strategic directions and the nexus of technology, processes and people/culture. He has contributed to the development of regulatory strategy at both a national and state/provincial level in several countries, including providing expert witness testimony before federal and state utility commissions on technology, asset investment requirements, transmission access and territorial boundaries as well as growth and expansion policies.

As the CEO of Smart Wire Grid Inc., a manufacturer of advanced power flow control technology, Ramsay led a startup organization that partnered with ARPA-e and took technology from laboratory to pilot project in eight months and from laboratory to commercial sales in less than one year. Ramsay provided the vision and leadership for the groundbreaking technology and worked with industry and regulators to hasten its acceptance and adoption. In addition to CEO, Ramsay held a seat on the board of directors of Smart Wire Grid.

As the president of CTC Cable, the manufacturer of advanced high-temperature – low sag conductor, Ramsay provided the leadership necessary to turn around the technical, operational and financial performance of the company. He worked with industry to build the trust and acceptance of the advanced conductor technology and provided the strategy and leadership that rebuilt the global sales of the product. Ramsay also held a seat on the board of CTC Cable.

As an officer at both American Electric Power and Pacific Gas and Electric, Ramsay was heavily involved in innovative approaches to modernizing the grid. He has been a strong proponent of the creation of adaptive, self-healing grids using a range of smart grid technologies on both the utility and customer side of the meter.

Ramsay has served in several external board and advisory positions. He was elected to the Member Advisory Committee of Peak Reliability Coordinator organization that serves the Western Interconnection of North America (population of 78 million in the U.S., Canada and Baja, Mexico). Ramsay serves on the board of expert advisors to the California Emerging Technology Fund. He served on the board of the WECC and as the WECC representative to the NERC MRC. Ramsay was a member of the California Energy Commission’s Public Interest Energy Research Program’s Policy Advisory Committee, where he was a proponent of rapid development and deployment of intelligent technologies. He served two three-year terms on the board of Coro Northern California, a non-profit focused on developing civic leaders in youth and young professionals. Mr. Ramsay served for four years as treasurer and chair of the finance committee of the board.

Ramsay earned a BSEE degree from Northeastern University in Boston, Massachusetts, and is a professional engineer licensed in the state of Florida.
