We are entering a new world where renewable energy will be the primary source of energy on the grid. The largest renewable energy projects used to only make up a fraction of a fossil fuel power plant’s operating capacity. Now, some solar or wind projects alone can rival the size of a gas or coal plant. Renewable energy accounted for 72 percent of all new global energy capacity additions in 2019. These new clean energy power plants are coming as we transition away from fossil fuel power plants. The United States expects to interconnect over 30 gigawatts (GW) of solar and wind in 2020, while retiring 5 GW of coal and 3 GW of natural gas.
Embracing renewable generation and ambitious renewable energy goals is just the beginning. What needs to happen next is ensuring that renewables are set for the most optimal transition on the grid. As we continue to build utility-scale solar, wind and flexible energy storage projects, they will play a bigger role in grid stability and present an opportunity for utilities and independent power producers (IPPs) to include added cybersecurity protocols to ensure continuous power supply, while upgrading the security of the larger grid.
The Role of Cybersecurity in Industrial Energy Management Systems
Security for industrial-scale energy management systems is different from commonly understood enterprise security. For enterprise security, the high priority is secrecy: protecting a company’s intellectual property. In contrast, there is little proprietary information when it comes to energy power plants. Instead, the most secure industrial control systems leverage open and publicly recognized cyber security standards where all the practices are well listed. With industrial controls, the vulnerabilities are different; the main task is to prevent a shutdown.
The 2015 Global State of Information Security Survey reported that power companies and utilities around the world saw a six-fold increase in the number of detected cyber incidents over the previous year. As we look to modernize the aging energy infrastructure, it is critical we ensure that the renewable energy plants that come online adhere to the most rigorous standards to bring added value to protecting against a potential breach. Researchers find that throughout the world most of the transmission and distribution networks are 50 or more years old and are nearing the end of their intended lifespans.
As renewables increase as a proportion of the overall power delivered, renewable projects are increasingly adding distributed intelligence and flexible power to help manage the intermittency associated with weather impacts. These additional tools provide support in the delicate balance that ties generation to natural resource availability, and also the need to match supply with demand in real-time. The electric grid cannot handle more or less supply than needed because it could overload the system and cause frequency issues that result in blackouts. This is why grid operators curtail excess renewable energy. Just as renewable energy projects deploy tools to support real-time balancing against nature, renewable energy projects can deploy tools that balance cybersecurity threats and offer security benefits to other larger processes like protecting the security, integrity and reliability of bulk-power system.
The Digitization of Energy
Renewable energy plants like wind projects and solar arrays are significantly more automated than their fossil fuel counterparts that largely still rely on humans to be onsite for operation. The IEA estimates global investment in digital electricity infrastructure and software grew by over 20 percent annually since 2014, reaching USD 47 billion in 2016. The decarbonization of energy is an opportunity to bring about the digitization of energy to modernize outdated and insecure infrastructure.
Renewable energy applies digital applications, including communications, digital controls, data analytics and cloud computing. Digitized energy enables diversification of supply sources and creates a new structure for energy management that allows assets to be added and synchronized as needed via a network-type structure. Digitized energy ushers in grid resiliency because these networks come with advanced functionalities, feature-rich energy solutions and value-added services, such as distributed energy resources (DERs) that can rapidly respond to grid distress signals like demand response events or frequency regulation.
However, to guarantee the security of this new energy infrastructure at scale, standardized security protocols and structure are needed across the renewable generation ecosystem, from asset owners and operators to equipment and service providers. Standardization will resolve any ambiguity and the current patchwork of security protocols and guarantees quality control.
Energy Security Best Practices
The increasing value of feature-rich distributed energy resources has led to a proliferation in advanced software and control platform technologies for energy products that integrate DERs with the grid and maximize their value. These technologies, like Wärtsilä’s GEMS energy management system, provide a unifying platform to manage single power plants or, sometimes, an entire grid.
For guidance on standardization in this area, the International Electrotechnical Commission (IEC) develops international standards for all electrical, electronic and related products, systems and services, referred to as “electrotechnology.” This covers technologies from power generation, transmission and distribution to home appliances and office equipment.
Critically important to the integration of renewable energy on the grid is IEC Standard 62443, which provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems. The IEC developed IEC 62443 for operational technology found in industrial and critical infrastructure, including power utilities, water management, healthcare and transportation. Its criteria and auditing process is rigorous and thorough and sets a new benchmark for the future of the industry. Wärtsilä’s GEMS Power Plant Controller is certified to the standard; Wärtsilä is only the first manufacturer to have a hybrid power plant certified in the energy industry to the standard that is likely to become adopted industry-wide.
IEC 62443’s criteria covers attributes from a company’s organizational policies and procedures to the technology’s system and components. The framework ensures rigorous and dedicated cybersecurity testing -- from stress tests that bombard the software with excess load to see how the system performs, to scans that search the platform for viruses and threats. IEC 62443 examines the company’s software development practices to determine whether cybersecurity best practices are incorporated into the design and implementation -- for example, when developing a new feature. It certifies the design of entire systems for security, like a technology’s automation network. IEC 62443 and the control technologies it certifies do not cover the entire energy landscape since these technologies still operate within the context of an energy system provider’s own network.
For utilities and IPPs themselves, the cybersecurity standard North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP 006-6) governs how to secure power generation systems. It establishes guidance on how to protect providers’ networks with internet firewalls and gateways or run a system on a company’s own proprietary network. Both NERC CIP and IEC 62443 standards overlap and harmonize; for example, utilities and IPPs deploying technology that is certified to IEC 62443 covers much of the equipment requirements upon which NERC CIP adds physical security and business processes.
The future energy system is vastly more complex as we need to weave together a complex fabric of multiple generation sources and DERs. Digital tools will streamline collaboration and regulate the complexities unique to this new system. New infrastructure technologies necessitate a new set of rigorous and standardized cybersecurity protocols and systems to ensure security continuity and will help energy systems operators securely transition renewable power supply to dominate the grid.