As the United States government, the energy industry, and individual consumers work toward cleaner and more sustainable energy solutions, it is crucial to consider how new and advancing technologies affect, and are affected by, cybersecurity concerns. Increasing use of smart energy devices can be useful for consumers to have more control over their energy consumption, but can also pose a security risk if the devices and systems are not adequately protected. The United States Department of Energy (DOE) recently released a report discussing certain trends and challenges to consider as the plan for sustainable energy goes forward over the following years.
The Current State of Grid Security
The report explains that in its current state, the grid is not especially vulnerable to potential attacks on distributed energy resources (DER). Of course, this is not meant to lull us into a false sense of security or disregard the very real dangers present in attacks on the grid itself, but merely to point out that a compromised DER “generally does not register” on a larger scale. However, as the grid is modernized and more DER deployed, cybersecurity must be at the forefront of the discussion.
The current model of grid security is based on a principle of “implied trust,” where the communications between industrial systems are assumed to be reliable and accurate. This sort of infrastructure is already not ideal in terms of cybersecurity, but the risks and challenges will continue to increase as DER infrastructure grows and evolves. On the scale that the DOE intends this growth to take place, implied trust is incompatible with DER infrastructure, and would open up a world of opportunities for attackers to take advantage of. Because the DER deployment and its impacts on the electrical grid can have far-reaching and dynamic consequences, it is important to account for as many factors and variables as possible when planning for the future.
Grid Transformation and Industry Trends
At the moment, the electrical grid is changing in big ways. Smart grid technology, grid modernization, environmentally-minded upgrades, and even fundamental changes to the structure and function of the grid are all taking place. It is important to keep in mind how these changes intersect with the growth of DER and other steps forward. Solar energy and other DER “pose emerging cybersecurity challenges for the electrical grid” as increasingly digital and automated systems leave vulnerabilities that attackers can take advantage of.
In addition to these growing threats, there has been an increase in attackers experimenting with their methodology in order to gain access to electrical infrastructure. They have targeted electrical substations, industrial systems, and the supply chain. As attackers advance with their techniques, they are capable of overcoming what security measures are in place, and those measures must be stepped up and fortified to protect against these attacks.
Cybersecurity as a Design Consideration
Because attackers are constantly adapting and advancing their tactics, the energy industry, governmental bodies, and consumers must do the same. Adapting over time is vital, but it is also necessary to start with a solid foundation. The report notes that it will be “cheaper and more effective to design cybersecurity measures early in the process rather than experience the consequences of inadequate security.” Energy infrastructure is critical to the functioning of most areas of society, and as the industry moves forward into a new era of clean and sustainable energy, it is absolutely essential to use DER and other growing technologies as part of the security solution, rather than letting them contribute to the problem.
The electric grid relies on many interconnected computers and machines communicating with each other as they perform their respective functions. Machines on the industrial level are operated by professionals, but this is not the case for all DER. Since consumers will have smart devices, solar panels, and electric cars in their own hands, the security considerations must be built into the devices themselves, rather than expecting all individuals to observe cybersecurity best practices (though that would be ideal).
Recommendations and Conclusions
The initiatives of the DOE in moving toward clean and sustainable energy must necessarily be undertaken with consideration for the state of cybersecurity as it pertains to the energy industry and everything associated with it or dependent on it – which, in today’s world, is most things. Pushing toward wind and solar energy changes a lot about energy usage and storage, and DER can be used to fortify security and function by keeping power running in the case of any incident that may impact the grid. As the electrical grid has been transforming rapidly and significantly, cybercriminals have been evolving as well, and without the proper security measures and practices in place, it may be all too easy for them to use DER to their advantage in disabling or otherwise attacking the electrical grid.
The DOE recommends that those planning defenses against potential attacks focus on “surviving an attack while maintaining critical functionality.” This includes implementing measures based on best practices aligning with governmental and industry guidelines, as well as including cybersecurity in the design of devices and software to be used. Another recommendation is for the industry to incentivize “cyber resilience” and go beyond what is required to create a proactive zero-trust framework. The hope of this report is to open a conversation about DER and cybersecurity in the context of the changing infrastructure of the grid; it may not be comprehensive, but it provides a good foundation of what to know and what to expect.
About the Author:
PJ Bradley is a writer on a wide variety of topics, passionate about learning and helping people above all else. Holding a bachelor’s degree from Oakland University, PJ enjoys using a lifelong desire to understand how things work to write about subjects that inspire interest. Most of PJ’s free time is spent reading and writing. PJ is also a regular writer at Bora.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.