As of October 2023, the Office of Energy Efficiency and Renewable Energy (EERE) estimated that 20% of energy produced in the U.S. is from renewable sources. Another 20% comes from nuclear power, with traditional coal and natural gas generation plants making up the rest. By 2035, the U.S. climate goal is 100% energy generation from non-carbon-polluting sources and by 2050, to have a net-zero economy.
The final mix of assets comprising the new renewable energy system is unpredictable. But those assets will include thousands of inverter-based resources and distributed energy resources, operating at small businesses, medium businesses and even residences, feeding power into the electrical grid. When this change occurs, it’s possible that the renewable energy system at even your local dentist’s office will play a role in regional power generation.
Inverter-Based Resources
An inverter-based resource (IBR) is a power interface between a renewable energy system and the electrical grid that we use every day. IBRs take the energy generated by wind, solar and geothermal sources and convert it into a form usable by everyday households and businesses. The modular devices that make up a renewable energy system are sometimes called distributed energy resources (DERs).
Critical Infrastructure
Conventional power generation produced with coal, gas and nuclear is considered critical infrastructure by the Cybersecurity & Infrastructure Security Agency (CISA), which states: “Their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
In North America, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards are the guidelines that protect critical electrical infrastructure. These standards are impactful because they reject the assumption that other frameworks make where site owners evaluate their risks and decide on a mitigation plan. Instead, entities subject to NERC CIP must implement minimum standards according to risks to the national grid as assessed by NERC. NERC develops these standards through committees that share industry best practices.
One of the problems with the CIP standards is that they are slow to develop and may lag behind new technologies. For example, cloud, virtualization and artificial intelligence (AI) are areas where CIP standards are still being worked on or considered. Renewables may be an area where the CIP standards must adapt more quickly when applied through a distributed network of small owners.
Critical infrastructure will begin to include renewable energy systems as we move forward into a renewable energy future. Soon, renewable energy systems will make up a large enough piece of the energy-generating portfolio to impact grid operations. Once this happens, what controls will authorities place on them? How can we get individuals to protect these systems for their own safety and the safety of those around them?
Challenges of Applying Critical Infrastructure Cybersecurity to Renewable Energy
- Lack of Industrial Control Systems (ICS)/Operational Technology (OT) Design Expertise — During commissioning, architecture design decisions and configuration choices will significantly impact the system’s security moving forward. Architecture and configuration mistakes are tiny and nuanced but can dramatically impact the system’s security.
- Cost of ICS/OT Monitoring — Having a skilled individual monitor the health and security of a site will be financially out of the question for all but the largest of sites. How will small owners maintain and monitor their assets?
- Cloud Management — Many of these devices are cloud managed. The CIP standards need to address cloud computing for large operations before meaningful recommendations for small owners can be made.
- Homogenous Environment — Many components that make up a renewable system are standard components from a handful of suppliers. Once an attacker discovers a vulnerability against an IBR or DER asset, the attackers can quickly scale that attack because the systems are very similar.
- DER Aggregation — While a single renewable system having an incident may not impact the grid, several hundred sites aggregated across a city may be another matter. With most renewable systems being privately owned, who controls the physical and cyber security of the aggregate system?
- Lack of Agile Governance — The rapid pace of technology continues to increase and outstrip the ability of regulating entities to create standards. For example, NERC has been working on a Virtualization standard since 2016. The standards development, regulation, auditing and reporting model will need to increase pace to keep up with the rapid rollout of renewable systems.
Cybersecurity Risks to IBRs/DERs
Several risks to renewable energy systems could impact the national grid. Supply chain compromises and remote service exploits are challenging for any organization to control and have significant impacts. Malware delivered by transient cyber assets is controllable with good network architecture and engineering controls, but in the case of smaller organizations, this can be challenging to achieve.
- Supply Chain Compromise — This is likely the risk with the highest impact and severity due to the difficulty around detection and the ability to impact many devices. In this case, compromised software or firmware would cause unexpected behavior. The challenge is that it can occur at any point of the supply cycle, including during updates after installation. CISA and the National Security Agency (NSA) routinely warn about supply-side attacks from foreign-made chips and devices.
- Remote Services — Cloud-based applications that manage and aggregate DER assets are another risk with high impact and severity. Even the most prominent companies experience cloud hacks occasionally. Several IBRs/DERs are cloud-managed and will continue to grow under a software-as-a-service (SaaS) business model.
- Transient Cyber Assets (TCAs) — TCAs are computers, tablets or phones that move back and forth between sites and network zones. Malware picked up when reading emails or websites can hop over to impact the renewable energy system. TCAs would likely facilitate a malware worm targeting a specific device within a renewable energy system over loosely managed networks. A worm could spread quickly to other sites in a homogenous environment.
These and other security issues can affect renewable energy systems. To learn more about safeguarding your energy and communications systems, contact us today.
If you enjoyed this blog article, please subscribe to stay up to date on the latest industry news from our experts at FTI.