The energy transition is driving a shift toward the increasing use of distributed energy resources (DERs). DERs are smaller power-generation resources, usually located on the consumer side, that provide energy where it is needed. Examples of DERs include rooftop solar photovoltaic panels, combined heating and power (CHP) systems, electric vehicles and chargers, wind turbines, generators and energy storage, among others.
From a cybersecurity perspective, DERs pose new and unique challenges for utilities. This is primarily because while DERs connect to electricity grid operators, they may not always be owned by these operators or support the necessary security features. Consequently, they could post a significant risk and directly impact power systems.
In the European Union, the European Commission Regulation (EU) 2016-631 that covers “establishing a network code on requirements for grid connection of generators” now includes smaller “Type A” and “Type B” assets that need switching or control capabilities, i.e., the ability to turn type A assets on and off, and controlling the power generation of Type B assets. These two categories consist of assets ranging from 800 watts or the equivalent power of eight strong lightbulbs, up to 50 megawatts for continental Europe (one of five regional groups), which is enough to power a small city.
Asking the big questions
To enable switching or power control capabilities for these assets, millions of devices will need to be connected via the Internet to the systems that control the energy networks. While the IEEE-1547 standard provides a set of criteria and requirements for the interconnection of DERs with electric power systems, there is much more to consider than just enabling the connection. Some of the important questions to ask are: who will own and control these devices, which protocols will be used, and through which networks, and perhaps, most important of all, how can these DERs be implemented securely and safely?
Current control systems comprise of the control centers of distribution system operators (DSOs) and transmission system operators (TSOs) and the software they use. At present, these systems are not set up or able to securely control the growing numbers of devices that are on diverse communication networks and protocols in real time.
An important responsibility
Disruptions to the electricity network directly impact lives and livelihoods―and continuous disruptions pose a serious risk. For example, a 2016 power cut in the Ukrainian capital, Kiev has been linked to a hack and blackout in 2015 that affected 225,000 households. In a related blog, I discuss the importance of understanding the unique industrial control systems (ICS) environment of a utility in order to secure the electricity network.
In the case of DERs, it is not merely the responsibility of utilities to integrate them securely, the onus is also on installation partners that are building new DER systems like solar parks, heat pump installations and micro-CHP systems. They need to have the necessary insight to not only safely install these systems, but also to do so securely.
Today, DERs represent an increasing portion of available generation capacity. The Mirai IoT botnet incident crippled many major websites, demonstrating the damage that can occur due to insecure IoT devices. Compromising thousands or millions of Type A or B assets in a similar way would not only impact operational technology (OT) networks, but also raise the specter of large-scale impacts on society.
Security is no longer just an IT responsibility
It is critical to have proper security measures in place to secure the grid and the supply of electricity. This is why it is necessary to ask and answer several key questions about DER security:
- Governance: Who has what responsibility for DER security? Who assures installations are not only safe, but also secure?
- Standards: Who defines the standards for interfaces, protocols and procedures and who tests them?
- Technology: Which platform(s) will be used within the service area of DSOs and TSOs for this connectivity?
Similar to platforms or datahubs for central market facilitation, such as CGI’s Central Market Solutions (CMS), we foresee the need for a central balancing facilitation platform where near real-time OT information and control statements can be securely exchanged between connected assets, DSOs and TSOs.
To address this need, and by drawing on our deep experience in the energy and utilities markets, CGI has developed a platform for shared OT aimed specifically at securely connecting assets for vertical and horizontal integration. This platform, together with the CGI’s CMS, enables aggregators, DSOs and TSOs to securely integrate assets and central markets.
To know more about how we work with utilities and other ICS industries to understand and assess the criticality of their OT-IT security environments and enable a secure energy transition, please feel free to get in touch with me.