The headline for this blog post is not a trick question or the beginning of a bad joke. I asked this question — maybe a bit facetiously — when I met the National Cybersecurity Center of Excellence (NCCoE) energy sector team in late 2018. The NCCoE had just purchased a solar panel to install in the lab. I had spent 20 years in various roles supporting energy technology research and development, but renewable energy technology was not my strength. I genuinely wanted to know: what vulnerabilities exist when solar panels connect to the distribution grid, and how can we mitigate them?
We set out in search of answers. We met with industry experts, cybersecurity solution companies, utility managers, and researchers from NIST, academia, and the U.S. Department of Energy’s national labs. Those interactions helped us scope a cybersecurity project that is relevant, with a proposed solution that would be standards-based, practical, and actionable for electric utilities, electric cooperatives, and campus microgrid operators, among others. The final project scope is detailed in the NCCoE project description, Securing the Industrial Internet of Things: Cybersecurity for Distributed Energy Resources.
Distributed energy resources (DERs) — such as wind and solar photovoltaics — are growing rapidly and transforming the traditional power grid. As the use of DERs expands, the distribution network is changing from a single-source radial network to a multisource grid of devices and systems driven by two-way data and power flows. These data and power flows often employ industrial internet of things (IIoT) technologies that may lack communications security. Additionally, the distribution utility does not always own or configure the DERs, and timely management of DER capabilities often requires a higher degree of automation. Adding automation to DER management and control systems can also introduce cybersecurity risks. Managing the automation, the two-way data flows, and the cybersecurity associated with them presents significant challenges.
Cybersecurity solution vendors and advisors who bring strong cybersecurity capabilities and experience across many critical infrastructure sectors, such as energy, communications, and the defense industrial base, are taking part in the project. Our collective goal is to document an approach for improving the overall security of IIoT in a DER environment that will address these cybersecurity capabilities:
So how many engineers does it take to digitally secure a solar panel? I cannot answer for every organization, but I am privileged to work with a talented team of engineers and project collaborators whose sole aim is to help demystify cybersecurity for DERs by supplying an example solution accompanied by a “how to” guide.
The bottom line is, more and more DER devices and technology will be connecting to the distribution grid. We hope this upcoming NCCoE guide will begin to help companies, large and small, accelerate adoption of standards-based cybersecurity solutions and best practices for DERs.
To follow our progress and contribute to future NCCoE energy sector projects, join our Community of Interest by emailing us at energy_nccoe [at] nist.gov.