
Cybersecurity Certification Standard for Distributed Energy & Inverter-Based Resources
Danish Saleem, National Renewable Energy Laboratory
Michael Slowinske, UL

NASEO/NARUC Cybersecurity Advisory Team for State Solar (CATSS)

01/24/2022
Presenters

Michael Slowinske, Director of Principal Engineering, UL
• UL is a global safety science company that has certified tens of billions of products.
• UL has expertise in cybersecurity and safety, global standards and frameworks, IoT security solutions, and hardware and software-based security evaluations.
• As an independent, trusted third party, UL will lead the program to develop the cybersecurity certification standard.

Danish Saleem, Senior Energy Systems Cybersecurity Researcher, National Renewable Energy Laboratory
• NREL is a national laboratory of the U.S. Department of Energy, Office of Energy Efficiency and Renewable Energy.
• NREL has about 900 partnerships and works with industry, academia and government.
• Researchers at NREL work with utilities, vendors, certification labs, and standard development organizations to research, identify, and establish interoperability and cybersecurity requirements for distributed energy resources.
• NREL is supporting this effort with expertise on integrated energy systems and laboratory evaluation and testing platforms.

NREL | 2
Agenda

• The new security challenge
• Benefits of a cybersecurity certification standard
• Previous initiatives
• Role of electric utilities and state energy offices
• The UL expertise
• 2023 National Electrical Code (NEC) proposals on cybersecurity
• Process from Outline of Investigation to Certification Standard
NREL | 3
Industry Cybersecurity Challenges

(Figure: challenges by stakeholder group; recoverable labels listed below.)
Component Manufacturers:
• Embed security into development process
• Differentiate products based on security
• Demonstrate validation of security to customers
System Integrators:
• Understand and minimize the risk of integration
• Determine right level of security for products
• Integrate with existing insecure systems
Also shown: Ensure purchase of secure systems and products; Differentiate systems based on security.
NREL | 4
The New Security Challenge

(Illustration by Alfred Hicks, NREL. Labels: Grid and Enterprise IT; Remote Access; Office utility connectivity; Communication and Automation; Use of public networks; Increasing usage of IT components; Field devices, sensors and protection.)
NREL | 5
Many Standards and Guides Exist – Why a New One?

The UL cybersecurity certification standard will:
• Build on past work
• Map and leverage security requirements from industry best practices for hardware and software
• Provide an information hub for DER industry stakeholders
• Establish “security by design”

(Figure: existing standards feeding the UL Cybersecurity Certification Standard: NIST CSF, NISTIR 7628, IEC 62443, UL 1741, IEC 62351-8, -9, -11, -12, IEEE 1547.3, IEEE C37.240-2014, CTA-2088, CSIP, 2030.5 Guide, Others.)

Note: All these standards serve a different purpose. The UL cybersecurity certification standard will not replace them by any means.

NREL | 6
Benefits of a Cybersecurity Certification Standard

• Ensures DER devices have all five pillars of cybersecurity: confidentiality, integrity, availability, authentication and non-repudiation
• Supports federal and state mandates
• Establishes security by design in new DER systems
• Creates an environment where the baseline security posture of the DER industry will be elevated

Photo from iStock, 1185245180
NREL | 7
Cybersecurity Certification – Why Now?

Why should we care about developing DER/IBR cybersecurity certification now?
• Solar is 3% of today’s electricity generation.
• Rooftop and small solar in the Western Interconnection is approximately 30,000 MW.
• This represents about 65% of all solar in the west, none of which is required to follow NERC CIP.

A national or international cybersecurity certification standard can aid industry stakeholders to evaluate and validate the cybersecurity posture of their DER or IBR devices before they are connected to the electric grid.

Photo by Dennis Schroeder, NREL 22168

Headlines:
• CNN: “Biden administration says solar energy has the potential to power 40% of US electricity by 2035.” Nilsen, Ella. CNN.com, September 8, 2021.
• Reuters: “Solar energy can account for 40% of U.S. electricity by 2035, according to DOE.” Volcovici, Valeri. Reuters.com, September 8, 2021.
• NBC: “Nearly half of U.S. electricity could come from solar by 2050, Biden administration.” Lederman, Josh. NBC.com, September 8, 2021.
• NERC: “Variable-energy resources … continue to be a significant component of new capacity.” NERC Planning Committee Meeting, June 6, 2017.

NREL | 8
Solar Futures Study

This EERE study explored pathways for solar energy to drive decarbonization of the U.S. electric grid by 2035, weighing factors such as:
• integrating solar onto the electric grid
• synergies between solar and storage
• necessary technological advancements, and
• supply chain and environmental considerations

Graphic by Eric O’Shaughnessy, NREL: Solar currently provides 3% (80 GWac) of total U.S. electricity demand. It is estimated to grow to 40% (1,000 GWac) by 2035 and 45% by 2050 (1,600 GWac).

Full report: Solar Futures Study report.
DOE Website: https://www.energy.gov/eere/solar/solar-futures-study

NREL | 9
Recommended Cybersecurity Testing and Commissioning

Per IEEE 1547.3, “Testing should be viewed as a risk mitigation activity and should be integrated with the overall cybersecurity risk management framework.”

Source: Cybersecurity Information Sharing Act of 2015. 2015. S. 754, 114th Congress.

NREL | 10
Outcomes of Cybersecurity Standards Initiatives

• Provides test cases that can be used to check, verify and validate cybersecurity posture of DERs
• Provides practical cybersecurity requirements pertaining to the network components supporting DERs
• Examines the cybersecurity requirements for DER comms protocols, per IEEE 1547-2018 revision
• Provides near- and long-term recommendations to improve trust and encryption mechanisms for DER comms
• Provides cybersecurity guidelines for DERs that interconnect with electric power system

NREL | 11
Outcomes of Cybersecurity Standards Initiatives (contd.)

• Provides a baseline for device-level security and informs the development of a cybersecurity certification standard for DER stakeholders
• Provides certification testing through SunSpec-authorized test labs for product compliancy to CA Rule 21 and CSIP standard
• Provides engagement activities to bring together individuals across industry, academia, and government to exchange ideas and learn
• Provides three-year-long program to prepare industry professionals and military veteran job seekers for the next wave of DER technology

NREL | 12
Think Before You Connect

Implement security by design and practice basic cyber hygiene.
• Change default passwords.
• Use two-factor authentication.
• Install updates, i.e., authentication, TLS 1.2 or higher, etc.
• Consider security of underlying infrastructure during patch management or remote connection.
• Monitor both consumer devices and vendor-managed devices.
• If possible, add code-signing and roll-back firmware.
• Use vendors with cyber hygiene.
• DO NOT connect printers or other similar devices to the operations network.

Principles (from the source below):
1. Incorporate security at the design level
2. Advance security updates and vulnerability management
3. Build on proven security measures
4. Prioritize security measures according to potential impact
5. Promote transparency across the grid
6. Connect carefully and deliberately

Source: “Strategic Principles for Securing the Internet of Things,” U.S. Department of Homeland Security (2016)

NREL | 13
Blind Spots and Challenges for Electric Utilities

• Lack of visibility into operating assets
• Lack of investment in workforce development
• Lack of security alignment between OT and IT
• Pace of advancements in technology and threats
• Accessibility of threat and risk information

NREL | 14
How can state energy offices support cybersecurity standard development efforts?

• Support risk mitigation and resiliency.
• Promote cyber best practices and policies with good governance, such as NIST CSF and/or NERC CIP.
• Coordinate within state government.
• Engage across public and private stakeholders.
• Contribute and/or actively support the development of DER cybersecurity certification standards.
• Proactively develop cyberattack response and mitigation plans.

NREL | 15
Understanding DER Systems

Graphic by Anthony Castellano, NREL

NREL | 16
Projected Future DER Systems

The Cybersecurity Information Sharing Act of 2015 authorizes and encourages private companies to take defensive measures to protect against and mitigate cyber threats.

Graphic by NREL

Source: Cybersecurity Information Sharing Act of 2015. 2015. S. 754, 114th Congress.

NREL | 17
UL will lead development of the cybersecurity certification standard.

As an independent third party, UL will manage the steps to standard development. The process will be guided by UL expertise in:
• Cybersecurity and safety
• Global standards and frameworks
• IoT security solutions
• Hardware and software-based security evaluations
• Regulated security markets
• Learning and development
• Data insights

(Figure: UL service areas: Certification; Testing; Auditing and inspection; Verification; Learning and development; Advisory; Software; Data insights.)

UL and the UL logo are trademarks of UL LLC © 2022. Proprietary & Confidential.

NREL | 18
2023 National Electrical Code® (NEC®) Proposals on Cybersecurity

NEC Section 110.3(A): Cybersecurity is added to the list of considerations for equipment acceptance.
Section 240.6(D): Cyber evaluation is required for remotely-adjustable circuit breakers.
Outline of Investigation (OOI)

• The requirements will provide a single unified approach for testing and certification of DERs in advance of deployment.
• The certification will be applicable to generation and energy storage technologies.
• UL and NREL are actively developing the OOI.
• We will welcome participation from industry.
• To receive news and information, please visit UL news.

(Mock-up of the OOI cover: January X, 2022; UL x12345x; Outline of Investigation for Cybersecurity of Distributed Energy and Inverter-Based Resources; Issue No: 1)

NREL | 20
Process from OOI to Certification Standard

1. Research existing standards, guides, and competitive technologies in the market.
2. Define and translate industry needs into requirements for inclusion in the standard.
3. Draft the Outline of Investigation (OOI).
4. Circulate draft OOI with relevant experts.
5. Publish the Outline of Investigation.
6. Request an American National Standard designation from ANSI.
7. Assemble a balanced committee for a Standards Technical Panel (STP).
8. STP edits OOI and votes on the draft.
9. Draft is published as an ANSI Standard.

NREL | 21
UL and ISA

UL is a founding member of the International Society of Automation (ISA) Global Cybersecurity Alliance (ISAGCA), formed in late 2020.

UL will serve on the advisory board and help drive select committees and working groups to advance key cybersecurity objectives.

UL’s goal is to structure cybersecurity and promote adoption of the cybersecurity certification standard.

NREL | 22
https://www.ul.com/news/ul-joins-isa-global-cybersecurity-alliance-founding-member-advance-industrial-cybersecurity
What Needs To Be Done

• Better coordination between government agencies and industry stakeholders to enhance DER security.
• Acceleration of public awareness, education, and training for stakeholders about risks associated with DERs.
• Identification of risks and addition of incentives-based programs to incorporate DER security.
• Development of a cybersecurity certification to ensure “security by design” for new DER systems.

NREL | 23
Roadmap of Next Steps

• Publish the Outline of Investigation.
• Develop white papers, a press release, industry webinars, and related activities to increase awareness.
• Develop appropriate third-party conformity assessment programs for DER cybersecurity testing and certification.
• Organize and host a DER cybersecurity summit for thought leaders and key stakeholders from national laboratories, utilities, and the energy and renewables industries to establish practical and actionable plans to move forward.

Questions?
Thank You!
Let’s Work together!
www.nrel.gov
[email protected]
[email protected]

NREL/PR-5R00-81827

This work was authored by the National Renewable Energy Laboratory, operated by Alliance for Sustainable Energy, LLC, for the U.S. Department of Energy (DOE) under Contract No. DE-AC36-08GO28308. Funding provided by U.S. Department of Energy Office of Energy Efficiency and Renewable Energy Solar Energy Technologies Office. The views expressed in the article do not necessarily represent the views of the DOE or the U.S. Government. The U.S. Government retains and the publisher, by accepting the article for publication, acknowledges that the U.S. Government retains a nonexclusive, paid-up, irrevocable, worldwide license to publish or reproduce the published form of this work, or allow others to do so, for U.S. Government purposes.
Additional Slides
Essential DER and Cybersecurity Terms
Distributed Energy Resources (DERs) – Controllable electric generation, storage, or load devices that are interconnected to the electric grid and typically are behind a customer’s meter. DERs are intelligent energy devices, from smart lighting and thermostats, to electric vehicles and rooftop solar photovoltaics.
Inverter-Based Resources (IBRs) – Resources that are asynchronously connected to the grid and are either completely or partially interfaced with the BPS through power electronics.
Internet of Things (IoT) devices vs. DERs – DERs are subject to performance requirements of the Institute of Electrical and Electronics Engineers, the IEEE 1547-2018 standard, and each DER is certified for conformity to interconnect with the grid. Smaller devices, especially adjustable home or business loads and smart phone-enabled home automation devices, are IoT devices. Harmonizing IoT and DER performance requirements, including cyber, is a challenge.
DER Aggregator – An entity that groups together DER resources for the purposes of operating them as a group for grid services.
DER Owner/Operators – The entity (or entities) that is responsible for the regular care and maintenance of a particular DER resource or group of resources.
DER Vendor – The entity that originally built the DER resource, or components of the DER resource.
Essential DER and Cybersecurity Terms
Likelihood and Opportunity: Assessment of the “hack value” notion among hackers that something is worth doing.
Vulnerability: Existence of a weakness, design, or implementation error that can lead to an attacker gaining access.
Zero-day attack: An attack that exploits vulnerabilities before the vendor releases a patch for that vulnerability.
DER Ransomware: An attack that takes control of a DER and encrypts its operational software until a ransom is paid. While a financial frustration to the DER owner, a ransomware attack on a single DER is not likely to be noticed by a grid operator.
DER Botnet: An attack infecting enough DER, controlled by the attacker, that enables grid instability at a larger scale than previously possible.
DER Worm: DER attack on a single DER that could propagate to higher level systems belonging to a grid operator or aggregator or laterally to other DER systems.
Emerging Technologies

Named data networking (NDN) is a new Internet architecture that enables secure end-to-end communications without depending on the security or topology of underlying channels.

Instead of defending only data channels, NDN secures the data directly by uniquely naming the data packets and by securely binding those names to the data packets using cryptographic signatures.

Source: https://operantnetworks.com/
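The name-to-data binding described above, as an added example in Go (not code from the slides or from Operant Networks): a simplified named-data packet whose Ed25519 signature covers the name and the content together, so a consumer verifies the packet against a trust store no matter which channel delivered it. The packet layout, the key-ID trust store, and the /der/... names and setpoint content are constructed assumptions, not NDN's actual wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
)

// Packet is a simplified named-data packet (constructed layout, not real NDN).
// One signature covers name and content, so the binding itself is verified.
type Packet struct {
	Name      string // hierarchical data name, e.g. /der/site1/inverter7/setpoint/v3
	Content   []byte
	KeyID     string // which trusted producer key signed this packet
	Signature []byte
}

// signedBytes is the exact byte string the signature covers; length prefixes stop name/content re-splitting.
func signedBytes(name string, content []byte) []byte {
	var n [4]byte
	buf := make([]byte, 0, 8+len(name)+len(content))
	binary.BigEndian.PutUint32(n[:], uint32(len(name)))
	buf = append(append(buf, n[:]...), name...)
	binary.BigEndian.PutUint32(n[:], uint32(len(content)))
	return append(append(buf, n[:]...), content...)
}

// NewTrustedKey generates a producer key pair and a one-entry trust store (key ID -> public key).
func NewTrustedKey(keyID string) (map[string]ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return map[string]ed25519.PublicKey{keyID: pub}, priv
}

// SignPacket binds name and content under the producer's private key.
func SignPacket(priv ed25519.PrivateKey, keyID, name string, content []byte) Packet {
	return Packet{Name: name, Content: content, KeyID: keyID,
		Signature: ed25519.Sign(priv, signedBytes(name, content))}
}

// VerifyPacket accepts a packet only if its KeyID is in the trust store and the signature is valid over this exact name and content.
func VerifyPacket(trusted map[string]ed25519.PublicKey, p Packet) bool {
	pub, ok := trusted[p.KeyID]
	return ok && ed25519.Verify(pub, signedBytes(p.Name, p.Content), p.Signature)
}
```

Relabelling signed content under a different name, or altering the content, fails verification even though the signature bytes are untouched.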
Relevant Standards, Guides, and Best Practices

• IEEE C37.240-2014 – IEEE Standard Cybersecurity Requirements for Substation Automation, Protection, and Control Systems
• NIST SP 800-82 Revision 2: Guide to Industrial Control Systems (ICS) Security
• NIST Interagency/Internal Report 7628: Guidelines for Smart Grid Cybersecurity
• NIST Cybersecurity Framework
• IEEE 2030.5-2018 – IEEE Standard for Smart Energy Profile Application Protocol
• NERC Reliability Guideline: Cyber Intrusion Guide for System Operators
• IEC 62351: Information Security for Power System Control Operations
• IEC 62443: Industrial Automation and Control Systems Security
• DOE/DHS ES-C2M2: Electricity Subsector Cybersecurity Capability Maturity Model
• DOE/NIST/NERC risk management process: Electricity Subsector Cybersecurity Risk Management Process Guideline
• SEPA Cybersecurity Working Group: Identify and address the gaps and challenges to ensure the security of hardware and software, and to create reference cybersecurity policies.
